Introduction
You have a Debian instance running in Google Cloud Compute Engine. You connect to this instance via SSH. One day you decide to enable the UFW firewall and your SSH connection drops. You cannot reconnect.
Problem
Enabling the UFW firewall blocked SSH access.
Solution
This article shows three methods of solving this problem.
- Create a startup script that disables the UFW firewall.
- Connect to the instance’s serial port and disable the UFW firewall.
- Attach the boot disk to another instance and modify the file /etc/ufw/ufw.conf.
Method 1: Create a startup script that disables the UFW firewall
This method disables the UFW firewall. Optionally you can leave the UFW firewall enabled and only enable SSH access.
Step 1:
Log in to the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance. Click on the Edit button.
Step 2:
Scroll down to the section Custom metadata. For Key enter startup-script. For Value enter:
    #! /bin/bash
    /usr/sbin/ufw disable
Click the Save button.
Note: An option is to enable SSH in the startup script.
    #! /bin/bash
    /usr/sbin/ufw allow ssh
Step 3:
Reboot your instance. During the reboot, the startup script will run disabling the UFW firewall. Log into your instance using SSH.
Step 4:
Repeat Step #2 except this time, delete the startup script. Otherwise, the firewall will be disabled each time your instance boots.
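The same four steps can be driven from the command line instead of the Console. The script below is an added example, not code from the original article; it assumes gcloud is installed and authenticated and uses the gcloud add-metadata, reset and remove-metadata subcommands. It applies the article's "allow ssh" variant so the rest of the UFW policy stays in force, and it performs the Step 4 cleanup automatically so the rule is not reapplied on every boot. Setting GCLOUD=echo prints the commands without running them.

```shell
#!/bin/sh
# Added example, not part of the original article: Method 1 driven from gcloud
# instead of the Cloud Console. Assumes gcloud is installed and authenticated;
# the instance name and zone are supplied by the caller.
set -eu

# Point GCLOUD at a stub such as "echo" to dry-run the commands without touching anything.
GCLOUD="${GCLOUD:-gcloud}"

# Write the startup script to a temp file and print the path.
# This is the article's "allow ssh" variant: the rest of the UFW policy stays in force.
write_startup_script() {
  startup_file="$(mktemp)"
  cat > "$startup_file" <<'EOF'
#! /bin/bash
# Open the SSH port in UFW instead of disabling the whole firewall.
/usr/sbin/ufw allow ssh
EOF
  printf '%s\n' "$startup_file"
}

# Step 2: attach the script as the startup-script metadata key.
set_startup_script() {  # $1 = instance, $2 = zone, $3 = script file
  "$GCLOUD" compute instances add-metadata "$1" --zone="$2" \
    --metadata-from-file startup-script="$3"
}

# Step 3: hard reset so the script runs during boot.
reset_instance() {  # $1 = instance, $2 = zone
  "$GCLOUD" compute instances reset "$1" --zone="$2"
}

# Step 4: remove the key again so the change is not reapplied on every boot.
remove_startup_script() {  # $1 = instance, $2 = zone
  "$GCLOUD" compute instances remove-metadata "$1" --zone="$2" --keys startup-script
}

# Run the four steps in order. Waits for the guest to boot and fetch the script
# before removing the metadata (skipped in a dry run). If SSH still does not
# work afterwards, check the serial console output before retrying.
recover_ssh() {  # $1 = instance, $2 = zone
  recover_script="$(write_startup_script)"
  set_startup_script "$1" "$2" "$recover_script"
  reset_instance "$1" "$2"
  if [ "$GCLOUD" = gcloud ]; then
    sleep 90   # rough boot allowance; the guest agent reads metadata early in boot
  fi
  remove_startup_script "$1" "$2"
  rm -f "$recover_script"
}

# Usage: sh recover-ssh.sh INSTANCE ZONE   (prefix with GCLOUD=echo for a dry run)
if [ $# -ge 2 ]; then
  recover_ssh "$1" "$2"
fi
```

Keeping each gcloud call in its own function makes the dry run meaningful: the test stub shows exactly which metadata key is added and removed, which is the part people forget when doing it by hand.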
Method 2: Connect to the instance’s serial port and disable the UFW firewall
STEP 1:
This step enables the VM instance serial port.
- Shut down your instance with the UFW problem.
- Log in to the Google Cloud Console.
- Go to Compute Engine -> VM instances.
- Click on the instance.
- Click Edit.
- Under the Remote access section, toggle the Enable connecting to serial ports checkbox.
- Save your changes.
STEP 2:
This step creates a recovery user with a password.
Note: normally you do not want password-based logins. SSH key pairs are more secure.
- Click the Edit button again.
- Scroll down to the section Custom metadata. For Key enter startup-script. For Value enter:
    #! /bin/bash
    # --disabled-password and --gecos "" stop adduser from prompting; a startup script has no terminal to answer on
    adduser --disabled-password --gecos "" recovery
    echo recovery:password | chpasswd
    # google-sudoers is the sudo group on Google Cloud images
    usermod -aG google-sudoers recovery
Note: replace the password with a secure value.
- Save your changes.
STEP 3:
This step starts the VM instance and logs in via the serial port so that the UFW firewall can be disabled.
- Go to Compute Engine -> VM instances.
- Click on the instance.
- Click the START / RESUME button near the top of the window.
- Wait for the VM instance to complete the startup.
- Under the Remote access section, click on the down arrow and select Serial port 1 (console).
- An SSH window will open. Click on the window. Press the ENTER key. This should cause a login prompt to display.
- Enter your username (recovery) and the password.
- You are now logged into the VM instance.
- Switch to the root user: At the Linux shell prompt enter the command: sudo bash.
STEP 4:
This step disables the UFW firewall.
- At the Linux shell prompt enter the command: /usr/sbin/ufw disable or /usr/sbin/ufw allow ssh.
You should now be able to connect to the VM instance normally using SSH.
Method 3: Attach the boot disk to another instance and modify the ufw.conf
This method is more complicated. The boot disk is removed from the VM instance and attached to another VM instance.
Knowing how to move attached disks between instances is useful in cases where the repairs are complicated and require a running system. An example is a root disk that runs out of free disk space and the root file system becomes corrupted. This requires running a file system check using the Linux command fsck from a system that is booted normally with free disk space.
STEP 1:
Shut down your instance with the UFW problem. Log in to the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance and make note of the “Boot disk” name. This will be the first disk under “Boot disk and local disks”.
STEP 2:
Create a snapshot of the boot disk before doing anything further. While still in Compute Engine, go to Disks, click on your boot disk, and click “CREATE SNAPSHOT”.
STEP 3:
Create a new instance in the same zone. A micro instance will work.
STEP 4:
Open a Cloud Shell prompt (this also works from your desktop if gcloud is set up). Execute this command. Replace NAME with your instance name (broken system), DISK with the boot disk name and ZONE with the zone that the system is in:
    gcloud compute instances detach-disk NAME --disk=DISK --zone=ZONE
Make sure that the previous command did not report an error.
STEP 5:
Now we will attach this disk to the new instance that you created.
Make sure that the repair instance is running before attaching the second disk. Sometimes an instance can get confused on which disk to boot from if more than one disk is bootable.
Go to Compute Engine -> VM instances. Click on your new (repair) instance. Click Edit. Under “Additional disks” click “Add item”. For name enter/select the disk that you detached from your broken instance. Click Save.
STEP 6:
SSH into your new instance with both disks attached.
STEP 7:
Follow these steps carefully. We will mount the second disk’s root file system at /mnt/repair, then change the contents of /mnt/repair/etc/ufw/ufw.conf to disable the firewall.
- Become superuser. Execute: sudo -s
- Execute df. Make sure that /dev/sdb1 is not mounted.
- Create a directory for the mount point: mkdir /mnt/repair
- Mount the second disk: mount /dev/sdb1 /mnt/repair
- Change directories: cd /mnt/repair/etc/ufw
- Edit ufw.conf
- Change ENABLED=yes to ENABLED=no
- Shut down the repair system: halt
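The edit in Step 7 is the kind of thing worth scripting when you have to do it under pressure. The functions below are an added example, not code from the original article. They assume the broken disk’s root partition is already mounted at the path you pass in (the article uses /mnt/repair); the device check reads /proc/mounts rather than df, the ufw.conf edit keeps a .bak copy and changes only the ENABLED line, and the value can be flipped either way, so the same helper re-enables the firewall once SSH has been allowed through. The sample ufw.conf used for testing is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original article: the Step 7 edit done by a
# script instead of by hand. Assumes the broken disk's root partition is
# mounted at the given path (the article uses /mnt/repair).
set -eu

# Refuse to continue if the device is already mounted somewhere (the article's
# "make sure /dev/sdb1 is not mounted" check, read from /proc/mounts instead of df).
assert_not_mounted() {  # $1 = device, e.g. /dev/sdb1
  if grep -qs "^$1 " /proc/mounts; then
    echo "$1 is already mounted; not mounting it a second time" >&2
    return 1
  fi
}

# Print the current ENABLED value from <root>/etc/ufw/ufw.conf (empty if unset).
ufw_get_enabled() {  # $1 = mount point of the repair disk
  sed -n 's/^ENABLED=//p' "$1/etc/ufw/ufw.conf"
}

# Set ENABLED=yes|no in <root>/etc/ufw/ufw.conf, keeping a .bak copy for rollback.
# Only the ENABLED line changes; every other setting in the file is preserved,
# and writing through the existing file keeps its owner and mode.
ufw_set_enabled() {  # $1 = mount point, $2 = yes|no
  conf="$1/etc/ufw/ufw.conf"
  case "$2" in
    yes|no) ;;
    *) echo "ENABLED must be yes or no, got '$2'" >&2; return 2 ;;
  esac
  if [ ! -f "$conf" ]; then
    echo "$conf not found: is the repair disk mounted at $1?" >&2
    return 1
  fi
  cp -p "$conf" "$conf.bak"
  if grep -q '^ENABLED=' "$conf.bak"; then
    sed "s/^ENABLED=.*/ENABLED=$2/" "$conf.bak" > "$conf"
  else
    printf 'ENABLED=%s\n' "$2" >> "$conf"
  fi
}

# Build a throwaway directory tree with a constructed ufw.conf so the functions
# can be exercised without a real disk; prints the tree's path.
make_sample_root() {
  sample_root="$(mktemp -d)"
  mkdir -p "$sample_root/etc/ufw"
  printf '# constructed sample, not a real ufw.conf\nENABLED=yes\nLOGLEVEL=low\n' \
    > "$sample_root/etc/ufw/ufw.conf"
  printf '%s\n' "$sample_root"
}

# Usage on the repair instance, as root:
#   assert_not_mounted /dev/sdb1 && mount /dev/sdb1 /mnt/repair
#   ufw_set_enabled /mnt/repair no && ufw_get_enabled /mnt/repair
```

Regenerating ufw.conf from the .bak copy rather than editing in place means a failed sed leaves the original untouched, and ufw_get_enabled gives you a one-line confirmation before you unmount and move the disk back.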
STEP 8:
Now reverse the procedure: detach the disk from the repair instance, move it back to your original instance and reattach it as the boot disk using the command below. Then start your instance and connect via SSH.
Note: To reattach the boot disk you have to use gcloud with the --boot option.
    gcloud beta compute instances attach-disk NAME --disk=DISK --zone=ZONE --boot
Photography Credits
I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Adam Kontor at Pexels.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.