
Comments (6)

Bronislawsky commented on August 22, 2024

Okay, I can't reproduce the error anymore... but I noticed that
changing SSH_PORT in ss-config and running ss-update doesn't update sshd_config and firewall's

from slickstack.

jessuppi commented on August 22, 2024

> (/etc/init.d/php7.2-fpm restart <--- should be removed in ss-update)

The service restart cycles should only exist in ss-restart except in a few places. For now, we can't remove the PHP 7.2 restart command as many SlickStack servers are running old builds, part of the nature of our "live" LEMP stack config (for better or worse).

> After running ss-update manually, I rebooted the server and got locked out.
> I noticed that somehow /etc/ufw/user.rules was back to the original version,
> maybe because of an apt-get update?
>
> I had to manually
> wget -O /tmp/user.rules http://mirrors.slickstack.io/ufw-firewall/user-rules.txt
> sed -i "s/@SSH_PORT/${SSH_PORT}/g" /tmp/user.rules
> cp /tmp/user.rules /etc/ufw/user.rules
>
> Before submitting this message, I ran ss-update again and /etc/ufw/user.rules got
> overridden by the default again. I don't know where exactly in the process this happens.
> I will try, if I have time today, to run the script step by step.

Hmm okay interesting. All apt upgrade instances should default to confold meaning the existing config files shouldn't be altered during the upgrade.

> Okay, I can't reproduce the error anymore... but I noticed that
> changing SSH_PORT in ss-config and running ss-update doesn't update sshd_config and firewall's

Keep in mind that only ss-install is actually adjusting any LEMP module configuration, and the limited ss-update script is really just doing:

A. ensuring the ss-config file is the latest build and force-updating it if not
B. running sudo apt update && upgrade
C. upgrades MU plugins and does some minor cleanup work

The only "critical" config changes that happen are ensuring MySQL is running on 127.0.0.1 to prevent the server from crashing.

Anyway perhaps we can add a few more "critical" checks re: ports, SSH, etc.

from slickstack.

jessuppi commented on August 22, 2024

I'm wondering if maybe you misunderstood (thinking that ss-update adjusts config files rather than ss-install) or something like that and perhaps this is a false report as I've never seen UFW configuration be overwritten during the ss-update process. For example if you changed the SSH port in your ss-config file and didn't subsequently run the ss-install script again, you would have thought you were locked out from the server when in fact the "old" port was still active.

Anyway I just need to state that publicly unless others are able to reproduce this conflict, but in the meanwhile I've added a new snippet to the script:

https://github.com/littlebizzy/slickstack/blob/master/ss-update.txt

Ref: 343f6aa

UFW Firewall is now temporarily disabled during apt upgrade process and then UFW config files are reinstalled (in the same way as ss-install does) and then re-enabled.

This change is fairly lightweight although I'd rather not add too much to ss-update if not necessary esp in regard to reinstalling a module. In an abundance of caution I'll leave it like this for now but perhaps in the future we can reassess if it's necessary or not.

from slickstack.

Bronislawsky commented on August 22, 2024

/etc/ufw/user6.rules was intact.
/etc/ufw/user4.rules was reset to default.

I don't know where in the process this actually happened because I have not
been able to reproduce it.

I am not an expert in ufw, when I type
ufw status only the ipv6 status shows

ufw status
status: active
To Action From


80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
6379 (v6) ALLOW Anywhere (v6)

It has probably nothing to do with it, I will just keep an eye open

from slickstack.

Bronislawsky commented on August 22, 2024

Just a note, maybe I didn't explain clearly:
in user.rules and user6.rules

for rules to persist they absolutely need to be accompanied by a comment.

Example: if you allow the SSH port

tuple ### allow any @SSH_PORT 0.0.0.0/0 any 0.0.0.0/0 in

-A ufw-user-input -p tcp --dport @SSH_PORT -j ACCEPT
-A ufw-user-input -p udp --dport @SSH_PORT -j ACCEPT

tuple ### allow any @SSH_PORT 0.0.0.0/0 any 0.0.0.0/0 in <--- these comments are mandatory in user(6).rules

The comment doesn't show right in the message because the editor replaces '#':

### tuple ### allow any @SSH_PORT 0.0.0.0/0 any 0.0.0.0/0 in


English is not my primary language sorry if it isn't clear what I say,
to totally see what I mean

first, backup /etc/ufw/user.rules & /etc/ufw/rules

type ufw reload

and cat /etc/ufw/user.rules

you will see everything not accompanied with comments is wiped.

from slickstack.
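A read-only audit of the two points raised in the comment above, as an added example that is not part of the original thread or SlickStack's own code: it flags user-chain rules that have no `### tuple ###` comment (the ones that, per the comment, `ufw reload` would drop) and `@SSH_PORT` placeholders that were never substituted. The function names and the sample rules file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not SlickStack code): read-only audit of a ufw user.rules file.
# Function names and the sample file below are constructed for illustration.

# Print user-chain rules with no "### tuple ###" comment above them in the
# same blank-line-delimited block.
orphan_rules() {
    awk '
        /^### tuple ###/ { covered = 1; next }
        /^[[:space:]]*$/ { covered = 0; next }
        /^-A ufw6?-user-(input|output|forward) / {
            if (!covered) print FILENAME ":" FNR ": " $0
        }
    ' "$1"
}

# Print lines where the @SSH_PORT template placeholder was never substituted.
unrendered_placeholders() {
    grep -n '@SSH_PORT' "$1" || true
}

# Succeed only if a tuple comment allows the given port.
ssh_port_allowed() {
    grep -Eq "^### tuple ### allow (any|tcp) $2 " "$1"
}

# Constructed sample: 2222 has a tuple, 8080 does not, one rule is unrendered.
write_sample() {
    cat > "$1" <<'EOF'
### RULES ###

### tuple ### allow any 2222 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2222 -j ACCEPT
-A ufw-user-input -p udp --dport 2222 -j ACCEPT

-A ufw-user-input -p tcp --dport 8080 -j ACCEPT

### tuple ### allow tcp @SSH_PORT 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport @SSH_PORT -j ACCEPT

### END RULES ###
EOF
}

sample=$(mktemp); write_sample "$sample"
echo "Rules without a tuple comment:"; orphan_rules "$sample"
echo "Unsubstituted placeholders:";    unrendered_placeholders "$sample"
ssh_port_allowed "$sample" 2222 && echo "port 2222 is allowed by a tuple"
```

Running the same functions against a copy of `/etc/ufw/user.rules` before a reboot or `ufw reload` shows whether the configured SSH port would survive it.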

jessuppi commented on August 22, 2024

> (/etc/init.d/php7.2-fpm restart <--- should be removed in ss-update)

Update: PHP-FPM restart command now uses a wildcard to support all PHP versions:

/etc/init.d/php*-fpm restart

https://github.com/littlebizzy/slickstack/blob/master/ss-restart.txt

from slickstack.
