SARK Debian Accidental Lockouts
SARK V5.0.0 Debian accidental lockouts and how to deal with them
SARK V5 has both strong login security and an onboard firewall. It is possible to lock yourself out of the system in a couple of ways, either because you have mis-set the firewall or because you have lost or forgotten the admin password. Here is a guide to unlocking the system if you should find yourself in one of these situations.
Firewall Lockouts
You've set the firewall in such a way that it will no longer allow you access on HTTPS and/or SSH.
HTTPS lockout (SSH still available)
SSH to the box (or you can use WinSCP if you prefer) and find the SARK shorewall rules in /etc/shorewall/sark_rules:
cat /etc/shorewall/sark_rules
ACCEPT net:$LAN $FW tcp 5060 - - # TCP SIP
ACCEPT net:$LAN $FW tcp 5061 - - # TCP SIP
ACCEPT net:$LAN $FW tcp 80 - - # HTTP
ACCEPT net:$LAN $FW tcp 22 - - # SSH
ACCEPT net:$LAN $FW udp 123 - - # NTP
ACCEPT net:$LAN $FW tcp 389 - - # LDAP
ACCEPT net:$LAN $FW udp 389 - - # LDAP
ACCEPT net $FW udp 4569 - - # IAX2
ACCEPT net:$LAN $FW udp 5060 - - 4/min:5 # SIP
ACCEPT net:$LAN $FW udp 10000:20000 - - # RTP
Add back or correct the rules and either reboot the box or, if you are using SSH, simply restart the firewall with the following command:
shorewall restart
HTTPS AND SSH lockout
This is a more difficult scenario because you cannot get to the box at all. The drive is going to have to come out and be attached to another computer to correct the firewall rules. If the SARK is a SARK200 you can simply remove the SD Card and slot it into a USB CFcard reader. For conventional drives you will probably need to use a USB SATA caddy of some description. The procedure for accessing the data differs depending upon whether you have a Linux machine available or a Windows box.
Linux procedure
Depending upon your Linux distro you may find the external drive caddy will automount on your box, in which case you can just modify the firewall rules without further ado. If it doesn't automount, you can use dmesg to see which device Linux has allocated to it and mount the device manually.
dmesg
. . .
[18728740.570834] usb-storage 2-1.5:1.0: USB Mass Storage device detected
[18728740.571011] scsi host39: usb-storage 2-1.5:1.0
[18728741.568149] scsi 39:0:0:0: Direct-Access Generic STORAGE DEVICE 0819 PQ: 0 ANSI: 6
[18728741.568481] sd 39:0:0:0: Attached scsi generic sg3 type 0
[18728741.711336] sd 39:0:0:0: [sde] 8011776 512-byte logical blocks: (4.10 GB/3.82 GiB)
[18728741.712470] sd 39:0:0:0: [sde] Write Protect is off
[18728741.712472] sd 39:0:0:0: [sde] Mode Sense: 23 00 00 00
[18728741.713592] sd 39:0:0:0: [sde] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[18728741.719012] sde: sde1 sde2
[18728741.722769] sd 39:0:0:0: [sde] Attached SCSI removable disk
[18728742.010920] usb 2-1.5: reset high-speed USB device number 53 using ehci-pci
In the example above, we can see that Linux has allocated /dev/sde to the attached drive. We want the second partition, so we will mount sde2.
mount /dev/sde2 /media/image
ls /media/image/
bin dev home lost+found mnt proc run selinux sys tmp var
boot etc lib media opt root sbin srv tftpboot usr
...and now we can go ahead and make the changes to the firewall as we did in the first example. Once saved, reinstall the drive into the SARK box and reboot it.
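A static check you can run on the edited rules file before `shorewall restart`, or before reinstalling the drive (on the mounted drive above the file would be /media/image/etc/shorewall/sark_rules). This is an added example, not part of SARK or of the original page; the function names are hypothetical, and it assumes SSH on tcp 22 and HTTPS on the standard tcp 443.

```shell
#!/bin/sh
# Added example, not SARK code. Looks for ACCEPT rules from the net zone to
# the firewall ($FW) covering the management ports, so a lockout is caught
# before the rules go live.
# Assumptions: SSH on tcp/22, HTTPS on tcp/443. Macro-style rules and
# sources other than net / net:... are not recognised.

# has_accept_rule FILE PROTO PORT -> exit status 0 if a matching rule exists
has_accept_rule() {
    awk -v proto="$2" -v port="$3" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments, blank lines
        {
            split($1, act, ":")                    # ACCEPT:info -> ACCEPT
            if (act[1] != "ACCEPT") next
            if ($2 != "net" && index($2, "net:") != 1) next
            if ($3 != "$FW" || $4 != proto) next
            n = split($5, items, ",")              # DPORT may be a list
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, ":") == 2) { # DPORT range lo:hi
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (items[i] == port) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_mgmt_ports FILE -> prints the management tcp ports with no rule
missing_mgmt_ports() {
    missing=""
    for p in 22 443; do
        has_accept_rule "$1" tcp "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Constructed sample: an excerpt of the listing shown on this page, which
# has rules for tcp 80 and tcp 22 but none for tcp 443.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
ACCEPT net:$LAN $FW tcp 80 - - # HTTP
ACCEPT net:$LAN $FW tcp 22 - - # SSH
ACCEPT net:$LAN $FW udp 10000:20000 - - # RTP
EOF
echo "tcp ports with no ACCEPT rule: $(missing_mgmt_ports "$sample")"
```

On a live box, `shorewall check` validates the configuration syntax before you restart; this script only answers whether the management ports are still reachable under the rules as written.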