How strange. Today, once again, I suddenly find myself locked out of my websites. I cannot connect from my phone or my laptop. Both are on the same wifi, so both have the same IP number, and temporary 10min lockouts are a sign of fail2ban adding the IP number to the firewall rules. This usually happens when a single IP overloads the server. Hm… This does sound familiar.
Oh, here it is:
Recently I have noticed that I’m sometimes banned from my own websites. That is, the site is not reachable, but when I check any of the “is the site down for everybody or is it just me?” sites, it’s always just me. I also cannot SSH to the machine unless I use the IPv6 address directly. – 2020-01-31 Banning myself with fail2ban
2020-01-31 Banning myself with fail2ban
While I wrote the above access came back. Let’s investigate!
As it turns out, my website is reachable again but ssh still refuses. How weird!
But IPv6 works:
ssh -p 882 root@2a02:418:6a04:178:209:50:237:1
Strangely enough, the IPv4 isn’t mentioned in the fail2ban logfile:
grep 178.209.50.237 /var/log/fail2ban.log
My IP number is also not listed in any of the firewall rules:
fail2ban-client status fail2ban-client status alex-apache fail2ban-client status recidive fail2ban-client status sshd
Nothing suspicious.
But this is still the situation: I can now visit my sites using the web (ports 80, 443), Gemini (port 1965), but not SSH (port 882). I’m guessing that the tools I use (curl, Firefox, Elpher) all use IPv6?
alex@melanobombus ~> ssh sibirocobombus ssh: connect to host alexschroeder.ch port 882: Connection refused alex@melanobombus ~> ssh -p 882 178.209.50.237 ssh: connect to host 178.209.50.237 port 882: Connection refused alex@melanobombus ~> ssh -p 882 2a02:418:6a04:178:209:50:237:1 Linux sibirocobombus 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have new mail. Last login: Fri Jul 30 00:06:04 2021 from 85.195.244.167
Ah! I checked my “~/.ssh/config” file:
Host sibirocobombus HostName alexschroeder.ch Port 882 User alex AddressFamily inet
That “AddressFamily inet” is part of the answer: it mandates IPv4. The default is “any”. So now ssh works again.
Back to check the phone. Yes, I can connect again. I guess… I guess there was an IPv4 traffic hiccup somewhere?
#Administration
(Please contact me if you want to remove your comment.)
⁂
I like to trace the route in such situations to at least see at which point along the way the problem is.
– deshipu 2021-07-30 09:16 UTC
---
Good point! Must remember that for next time.
– Alex 2021-07-30 09:23 UTC