This is a joke, I didn’t really lock myself out

  • piefood (62 points, 1 day ago)

    Before you make a change, do this in a screen-session:

    sleep 300 && iptables-restore old_fw_rules.bak

      • piefood (8 points, edited, 1 day ago)

        Fun fact: When you do iptables-save, you have to redirect the output if you want to save it to a file. But when you use iptables-restore, you don’t need to pipe it back in, you can just use the filename!

          • piefood (3 points, 21 hours ago)

            Totally! I still catch myself doing that sometimes. Old habits die hard

  • @[email protected] (95 points, 1 day ago)

    Even worse. I regularly have to get up out of my chair and go down 2 stairs.

    Also this took a while to find, but : https://sourceforge.net/p/shorewall/svn/HEAD/tree/branches/4.2/Samples/one-interface/shorewall.conf

    ADMINISABSENTMINDED=Yes

    Is an actual setting in the config for the (now apparently unmaintained) Shorewall Firewall software/tool for linux.

    If I remember correctly, it always checks on firewall rule changes if there is an active connection on port 22, and adds a special rule at the end to maintain that connection.

    They don’t build them like they used to anymore.

    • @[email protected] (8 points, edited, 1 day ago)

      They don’t build them like they used to anymore.

      Well if we did, the way it works would be by telling a chatbot to enable ssh on port 22 at the end.

  • randint (55 points, 1 day ago)

    Almost the same thing happened to me. I accidentally fucked up the internet connection in my home while in Japan, and I had to video call my mom to have her fix it. It was a pain for both of us, but thankfully it went rather smoothly. Thank you mom!

  • VeryFrugal (135 points, 2 days ago)

    Happened to me once. Had a little Pi at my parent’s house and that was a nice excuse to visit them.

  • null (75 points, 2 days ago)

    Doing this is a rite of passage.

  • @[email protected] (43 points, 1 day ago)

    What’s really fun is hearing “oh shit” from the UPS maintenance tech followed by darkness and silence.

    • qaz (OP) (57 points, edited, 2 days ago)

      I’d rather plug in a screen with VGA than deal with HPE iLO 4

      • NeilBrü (3 points, edited, 1 day ago)

        Networking noob here, what, pray tell, is HPE iLO4… or do I want to even know?

        Edit: Never mind. Found it. HP… shudders

        • @[email protected] (5 points, 1 day ago)

          “In December 2021 Iranian researchers at Amnpardaz security firm have discovered rootkits in HPE’s iLO (Integrated Lights-Out) management modules.”

          Because of course lol

      • @[email protected] (4 points, 1 day ago)

        I keep a Windows 2008 w Java 6 VM on ice for administering old Java console shit like that.
        The VM is unsafe as hell. Completely virgin unpatched. The only protection is that I don't give it a gateway or DNS, and I shut it down when it's not in use.
        And it works. Old Java shit can still be used.

      • @[email protected] (5 points, 2 days ago)

        To be honest, HPE iLO 6 isn’t too bad, if you’re using the GUI. It’s the API that remains really broken in many places.

        • qaz (OP) (1 point, 1 day ago)

          I remember there being the option of using HTML or a Java applet, I chose the former

          • @[email protected] (3 points, 1 day ago)

            If you have the HTML5 option you should be on a pretty recent firmware.

            Interesting that you’d prefer going (literally) analog connection rather than over the IPMI.

            • qaz (OP) (1 point, 19 hours ago)

              The latest version of iLO4 is from 2023

              • @[email protected] (2 points, 18 hours ago)

                You know, I wanted to say "Bet!" and prove you wrong, as I couldn't believe they never went past 2023 for the firmware.
                Turns out that was the latest.

                But I do know they have more recent firmware uploads for the UEFI than 2023. ^(A year younger but no less nor more recent /s)

  • @[email protected] (13 points, 1 day ago)

    This is the NetAdmin’s problem. And he’s got 3 ways to get into the datacenter, so he goddamn well better have an answer that doesn’t involve airfare. Worst case, he’s gotta use remote hands, but that would be embarrassing, and I’d not let him forget it. Nobody forgives me when I screw up a server cluster, so he gets no latitude when he takes a datacenter offline.

  • @[email protected] (30 points, edited, 2 days ago)

    Don’t practically all commercial hosting providers provide remote console access?

    This seems a combo of an extremely newb mistake in an extremely unusual scenario - worthy of Gru I guess.

      • @[email protected] (6 points, 1 day ago)

        Yes, I also used to run an “on premise” server - in my kitchen, not 500km away. I sometimes might need to admin it remotely, but never critical setup work.
        And the meme makes it sound like they have to drive there specifically to fix it, like nobody is actually living nearby.

        • @[email protected] (9 points, edited, 1 day ago)

          I mean it’s a pretty realistic scenario. I happened to be the unlikely remote hands for the company I work for just a few weeks ago.

          Company: an industrial cleaning company with about 1500 AD users and about 8000 employees, historically had 2 corporate offices, currently has three as it’s transitioning one corporate office across the country

          Server and mistake in question: old admin who's no longer with the company set up the ESXi 6.0 cluster in the server room at the office without documenting the root password to access it. This cluster happens to host the company's critical services, including AD, so being unable to access the host has been blocking the office migration. Old admin had also not fixed the ESXi backups, which have been broken for over 3 years, so no backups to restore from. Also the out-of-band access to the servers was never correctly set up.

          I, happening to be close to this office and having IT experience, was poked to go in and, with physical access, modify the shadow file and set the root password to be blank. Had I not been available they would have had to fly someone in from the office 2000 miles away or hire a very expensive local contractor to come in after hours to do the same thing.

        • @[email protected] (7 points, 1 day ago)

          Well, I have my server running in my parents basement, because they have fiber, and I don’t.

          It’s not quite a 500km drive, but still a long enough distance for this scenario to be a major inconvenience.

          But since I have WireGuard running on their router, this specific scenario is not something that could happen to me.

              • @[email protected] (1 point, 10 hours ago)

                Please forgive the ignorance here. What are you trying to do? I thought you were trying to reboot an offline server. I’m probably just confused!

                • @[email protected] (1 point, 9 hours ago)

                  Well, the original post (as in the image) is about locking yourself out of a remote server by changing a firewall rule, thus needing to drive to the server to access it locally.

                  By using WireGuard to tunnel into the router, you can remotely enter the LAN, thus bypassing the firewall, as if you were accessing the server locally.

        • @[email protected] (4 points, 1 day ago)

          Could be they were configuring the actual network firewall and got a couple of rules out of order so they blocked all of their out of band access

        • @[email protected] (1 point, 1 day ago)

          I hate it when my boss says that. Or he will call it “D-RAC”. Annoys the hell out of me.
          It’s iDRAC.
          Yes, there are components that are called RAC, but the Dell out of band management system is called iDRAC.
          … but that’s not as dumb as when he calls the SuperMicro system “iLO”. That’s IPMI. We don’t even own any HPE. I’ve no idea why he’s stuck on iLO.

          • @[email protected] (1 point, 1 day ago)

            It’s iDRAC.

            I’d say that RAC is the overarching term for different Dell Solutions, see Dell Remote Access Configuration Guide

            DRACT supports the following types of RACs that support RACADM commands:

            • Integrated Dell Remote Access Controller 8 (iDRAC8)

            • Integrated Dell Remote Access Controller 7 (iDRAC7)

            • […]

            • Chassis Management Controller (CMC) for Dell PowerEdge M1000e and PowerEdge VRTX

            • […]

            And it’s just shorter and easier to say ¯\_(ツ)_/¯

            but that’s not as dumb as when he calls the SuperMicro system “iLO”. That’s IPMI. We don’t even own any HPE. I’ve no idea why he’s stuck on iLO.

            Perhaps his first encounter with remote management was with iLO and he just thinks that this is how it’s called. It’s “integrated Lights Out”, and “Lights-Out Management” as well as “Remote Access Controller” both are generic terms (and I suspect that this is why Dell adds an “iD” in front of its product names).

            But we are way too close to the "GNU/Linux Copypasta" than I would like.

            • @[email protected] (1 point, 23 hours ago)

              Mmm. Ya ya. No argument. But it's iDRAC. I've had to sit through enough propaganda. I'm pretty sure about this.

    • qaz (OP) (9 points, edited, 2 days ago)

      Yeah, all the ones I’ve used had remote access

  • @[email protected] (22 points, edited, 1 day ago)

    Since that happens to the best of us, I envision writing a wrapper script around {n,}pfctl that asks for confirmation upon detecting that you’re logged in via ssh through a specific port AND detecting that the new rules would block that port.

    • @[email protected] (1 point, 1 day ago)

      VMware does this with its virtual networking. If a change takes it offline, it automatically rolls it back. It can be frustrating at times, but mostly it's saved my ass.
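Two ideas from this thread fit together: piefood's `sleep 300 && iptables-restore ...` dead-man timer started in a screen session before touching the rules, and the wrapper suggested just above that refuses a ruleset that would cut off the SSH session applying it. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes Linux with `iptables-save`/`iptables-restore` (a recent version that accepts a filename argument, as noted earlier in the thread), root privileges, and a ruleset file in `iptables-save` format; the function names `fw_apply`/`fw_confirm`, the pid file path `/run/fw-rollback.pid` and the sample ruleset in the comments are illustrative. The port check is a deliberately simple heuristic on the dump text, not a full evaluation of rule order.

```shell
#!/bin/sh
# Added example (not from the thread): apply an iptables ruleset with an
# automatic rollback timer, plus a pre-flight check that the new ruleset still
# accepts the server-side port of the SSH session doing the change.
# Assumptions: Linux, root, iptables-save/iptables-restore available. The pid
# file path and function names are illustrative choices for this example.
set -eu

ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/run/fw-rollback.pid}"

# Server-side port of the current SSH session: 4th field of $SSH_CONNECTION
# ("client_ip client_port server_ip server_port"). An explicit string can be
# passed as $1 (used for testing). Returns 1 when there is no usable value.
ssh_local_port() {
  conn="${1:-${SSH_CONNECTION:-}}"
  [ -n "$conn" ] || return 1
  set -- $conn
  [ "$#" -eq 4 ] || return 1
  printf '%s\n' "$4"
}

# Heuristic check on an iptables-save dump ($2, as a string): does the INPUT
# chain accept new TCP connections to port $1? True if there is an explicit
# "-A INPUT ... -p tcp ... --dport $1 ... -j ACCEPT", or if the INPUT policy is
# ACCEPT and no INPUT rule drops/rejects. Rule order and source matches are not
# evaluated, so treat "yes" as "probably fine" and "no" as "stop and look".
rules_accept_tcp_port() {
  port="$1" rules="$2"
  if printf '%s\n' "$rules" |
       grep -Eq -e "^-A INPUT .*-p tcp .*--dport ${port} .*-j ACCEPT"; then
    return 0
  fi
  if printf '%s\n' "$rules" | grep -Eq -e '^:INPUT ACCEPT' &&
     ! printf '%s\n' "$rules" | grep -Eq -e '^-A INPUT .*-j (DROP|REJECT)'; then
    return 0
  fi
  return 1
}

# Apply ruleset file $1 with a rollback timer of $2 seconds (default 300).
# Saves the live ruleset first, starts a detached timer that restores it, then
# applies the new file. Refuses if the new file would cut the current SSH port.
fw_apply() {
  new_rules="$1" delay="${2:-300}"
  if port=$(ssh_local_port) &&
     ! rules_accept_tcp_port "$port" "$(cat "$new_rules")"; then
    echo "refusing: $new_rules does not accept tcp/$port (this SSH session)" >&2
    return 2
  fi
  backup=$(mktemp /tmp/fw-backup.XXXXXX)
  iptables-save > "$backup"   # iptables-save needs the redirect to write a file
  # nohup: the timer must survive the SSH session dying, which is exactly the
  # situation it exists for. Running the whole thing inside screen/tmux, as
  # suggested in the thread, achieves the same.
  nohup sh -c "sleep $delay && iptables-restore '$backup' \
    && logger -t fw_apply 'ruleset reverted to $backup'" >/dev/null 2>&1 &
  echo "$!" > "$ROLLBACK_PID_FILE"
  iptables-restore "$new_rules"   # iptables-restore accepts the filename directly
  echo "applied $new_rules; run 'fw_confirm' within ${delay}s or it reverts"
}

# Cancel the pending rollback, to be run from a *second* SSH login that proves
# the new rules still let you in.
fw_confirm() {
  [ -f "$ROLLBACK_PID_FILE" ] || { echo "no rollback pending" >&2; return 1; }
  kill "$(cat "$ROLLBACK_PID_FILE")" && rm -f "$ROLLBACK_PID_FILE"
  echo "rollback cancelled; new ruleset is now permanent"
}

# CLI (illustrative): fw-safe.sh apply /etc/fw/new.rules [seconds]
#                     fw-safe.sh confirm
case "${1:-}" in
  apply)   shift; fw_apply "$@" ;;
  confirm) fw_confirm ;;
esac
```

The important habit is in `fw_confirm`: confirm from a fresh SSH connection, not the one you applied the rules from. The existing session usually survives a bad ruleset because of the `ESTABLISHED,RELATED` rule, so it proves nothing about whether you can get back in.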

  • Björn Tantau (34 points, 2 days ago)

    Classic.

    Love Hetzner. If something like that were to happen to me they can hook up a remote console accessible through their web interface.

    • qaz (OP) (11 points, 2 days ago)

      They had a hardware failure but close enough

      • unalivejoy (4 points, 1 day ago)

        Would misusing the dd command be considered a hardware failure?

        • Rikudou_Sage (4 points, 1 day ago)

          Yes. Everything is a hardware failure because where does the software run? That’s right, on hardware. So software bug = hardware failure.