Firewall configuration problem

What type of hardware are you using: Virtual machine
What YunoHost version are you running: 12.0.14
How are you able to access your server: The webadmin
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: disabled firewall via yunohost firewall stop

Describe your issue

My Yunohost server suddenly refused to accept web connections to apps and admin UI. It started doing this without my making any changes to the firewall.

The most recent change was a system update - I usually apply updates as soon as I notice they are available. Here’s the log for the most recent update to this server:

https://paste.yunohost.org/raw/ovecinucax

I discovered this afternoon that I cannot connect to my server admin console or any of the apps via the web browser at all. I managed to connect via the command line and could not see anything wrong with apps and services, but all web requests were immediately refused with ERR_CONNECTION_REFUSED.

I found a reference in this forum to the command yunohost firewall stop, and gave it a go, and it fixed the problem! I can now connect to the service via web and use admin UI and all apps as usual.

How can this happen? And how can I check the firewall is properly configured?

Since disabling the firewall, I can log into the web admin console, and I can see this is the firewall configuration:

https://imgur.com/a/TSpBgEP

I think that looks fine? It’s worked fine for a long time until today…

I tried restarting my Yunohost server. The firewall restarts on reboot, and once again, I cannot access any apps or the admin web interface. Then, I disabled the firewall via the command line, and everything works as expected.

Thanks in advance for any help on this. I don’t want to leave my server without the firewall!

Share relevant logs or error messages

https://paste.yunohost.org/raw/ovecinucax
https://imgur.com/a/TSpBgEP

Hmmmm my best guess is that the issue is not actually the firewall but rather fail2ban banning you after too many authentication failures somehow, and somehow stopping the firewall either stopped/restarted fail2ban or just coincided with the ban expiring (but it’s a rough guess)

If you’re able to reproduce the issue or remember the time / hour at which the issue was there, I would check if somehow your IP is in fail2ban’s logs in Tools > Services > Fail2ban

Thanks very much @Aleks !

I checked my Fail2ban logs and sure enough my current home network IP address (x-ed out) is there, with this record:

2025-04-15 21:57:25,018 fail2ban.actions        [1698]: NOTICE  [recidive] Restore Ban xxx.xxx.xxx.xxx

This Yunohost web access problem that has been happening for me since yesterday is not limited to one network - I seem to get locked out from mobile, home and work networks, and from different machines.

I’m not sure if those bans all happen simultaneously, but my logs do show three Restore Ban lines in a row:

2025-04-15 21:57:25,018 fail2ban.actions        [1698]: NOTICE  [recidive] Restore Ban xxx.xxx.xxx.xx1
2025-04-15 21:57:25,074 fail2ban.actions        [1698]: NOTICE  [recidive] Restore Ban xxx.xxx.xxx.xx2
2025-04-15 21:57:25,082 fail2ban.actions        [1698]: NOTICE  [recidive] Restore Ban xxx.xxx.xxx.xx3

What is a good way to configure fail2ban to enable reliable access from my own devices? I connect via different networks so simply whitelisting IP will probably be only a partial solution.

Maybe there are better ways?

There is an app that is trying to login with the wrong password. Did you change password on the server?

Thanks @jarrod5001

I have no recent changes to my Yunohost server password or app passwords.

Even if there is a misconfigured app trying to log in, would you expect that to prevent all access? :thinking:

And is there a way to diagnose which app that might be?

Hi,

Can you check which other jails banned these IPs before the recidive jail did? (And maybe check failed connections in nginx error log)

All http access.

Thanks for your help @jarod5001 and @Aleks and @otm33

I tracked the problem down to a Nextcloud client app on my Mac, repeatedly failing to log into the Dovecot email service.

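Added example, not part of any post in this thread: one way to follow the suggestion above of checking which jails acted on an address before recidive did, by summarising the fail2ban log per jail for a single IP. The function names, the default log path /var/log/fail2ban.log and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```bash
# f2b_trace IP [LOGFILE|-]
# For one IP, print per jail: time first seen, number of "Found" (failed
# attempt matched) and "Ban" events. Output is sorted by first-seen time, so
# the jail that reacted first (the likely trigger for recidive) comes first.
f2b_trace() {
    awk -v ip="$1" '
    {
        # Locate the "[jail]" token; the "[pid]:" token ends in ":" and is skipped.
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 1) == "[" && substr($i, length($i)) == "]") break
        if (i > NF) next
        jail = substr($i, 2, length($i) - 2)
        ev = $(i + 1); addr = $(i + 2)
        # "Restore Ban <ip>" is a ban re-applied when fail2ban restarts.
        if (ev == "Restore") { ev = "Ban"; addr = $(i + 3) }
        if (addr != ip || (ev != "Found" && ev != "Ban")) next
        if (!(jail in first)) first[jail] = $1 " " substr($2, 1, 8)
        n[jail, ev]++
    }
    END {
        for (j in first)
            printf "%s %s found=%d ban=%d\n", first[j], j, n[j, "Found"], n[j, "Ban"]
    }' "${2:-/var/log/fail2ban.log}" | sort   # assumed default log path
}

# Constructed sample log (not taken from the thread).
sample_log() {
    cat <<'EOF'
2025-04-15 21:40:01,101 fail2ban.filter         [1698]: INFO    [dovecot] Found 203.0.113.7 - 2025-04-15 21:40:01
2025-04-15 21:40:05,220 fail2ban.filter         [1698]: INFO    [dovecot] Found 203.0.113.7 - 2025-04-15 21:40:05
2025-04-15 21:40:09,310 fail2ban.filter         [1698]: INFO    [dovecot] Found 203.0.113.7 - 2025-04-15 21:40:09
2025-04-15 21:40:09,512 fail2ban.actions        [1698]: NOTICE  [dovecot] Ban 203.0.113.7
2025-04-15 21:40:09,700 fail2ban.filter         [1698]: INFO    [recidive] Found 203.0.113.7 - 2025-04-15 21:40:09
2025-04-15 21:41:00,000 fail2ban.filter         [1698]: INFO    [sshd] Found 198.51.100.9 - 2025-04-15 21:41:00
2025-04-15 21:57:25,018 fail2ban.actions        [1698]: NOTICE  [recidive] Restore Ban 203.0.113.7
EOF
}

# Demo on the constructed sample ("-" makes awk read standard input).
sample_log | f2b_trace 203.0.113.7 -
```

On a real server, pass the banned address and the actual log file instead of the sample; a jail with many Found events shortly before the recidive ban points at the service receiving the failed logins.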