Hello, two days ago I installed the Perfect Server with ISPConfig on a new server running Ubuntu 20.04, using the full automatic installation, to move away from a previous VPS (CentOS 7 with an ISPConfig setup that had been running fine for a couple of years). Everything was working, but after removing ispconfig.crt and ispconfig.key to replace them with a symlink to the certificates of my domain containing the subdomains (panel.domain.com/mail.domain.com), to which postfix and other services are symlinked (postfix > ispconfig > domain) as I did on my previous server, I noticed the Overview was showing that services are offline. Except for the DNS server, all of them are shown as offline even though they seem to work (postfix/dovecot/apache/mariadb/pure-ftpd-mysql). I checked that all of them were running, restarted them, rebooted the server and also tried to force an update of ISPConfig to launch a reconfiguration of the services, but without success. I don't see any errors with the certificates when trying the different services, and I didn't make any change to the port numbers of these services. Prior to this I noticed that restarting Apache sometimes takes a lot of time, but without any error message.

Also, I don't know if it is linked to the problem, but if I ask systemctl to show me the failed services it shows:

After restarting netfilter-persistent it didn't change anything, and the other won't restart. What could I do to fix the problem with the services status not being good?

Btw, is using these Let's Encrypt certificates via symlinks the best way to do it, or is there any risk of, for example, the ispconfig.key symlink being replaced by a new certificate when Let's Encrypt runs? I saw a couple of solutions but I wasn't sure which one would be the best. Thank you.
It checks if the ports of those services are online. To create a symlink for your certificates, see guides like https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
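To illustrate what a port-based monitor check of this kind does, here is an added example (not ISPConfig's own code): it opens a plain TCP connection to each service port on localhost, so a daemon that systemctl reports as running but that is bound to another address, or blocked by the firewall, still shows as offline. The service-to-port mapping is an assumption based on the services named in the thread.

```python
import socket

# Assumed mapping of the services named in the thread to the ports a
# port-based monitor would probe; adjust to the real ISPConfig settings.
SERVICE_PORTS = {
    "pure-ftpd": 21,
    "postfix": 25,
    "apache": 80,
    "dovecot": 143,
    "mariadb": 3306,
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes.

    A refused or timed-out connection is reported as closed, which is
    exactly what an "offline" entry in a port-based overview means.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def service_status(host: str = "127.0.0.1", ports=SERVICE_PORTS) -> dict:
    """Map each service name to 'online' or 'offline' from the probe result."""
    return {name: ("online" if port_is_open(host, p) else "offline")
            for name, p in ports.items()}


def start_dummy_listener():
    """Bind a throwaway listener on an ephemeral loopback port.

    The kernel completes the handshake from the listen backlog, so no
    accept() loop is needed to demonstrate a successful probe offline.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Reserve then release an ephemeral port so it is known to be closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for name, state in service_status().items():
        print(f"{name:10s} {state}")
```

Running it as root is not required; compare its output with `systemctl status` to separate "not running" from "running but not reachable on that port".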
Hi, thanks for the info. For the Let's Encrypt guide, that was exactly the one I was unable to find but had in mind, as I used it in the past. About the ports, what I don't understand is how this may have changed for all these services, as except for the certificates I didn't make any manual modifications to the default configuration. For Apache, for example, netstat -anp | grep apache:

From a command line as root I ran: curl localhost and it loads the HTML of the default Apache page.

Edit: After a reboot I was unable to log in via SSH; the connection was refused. From my VPS provider's panel I was able to force a flush of iptables to get access to the server again, but as soon as I reboot it, the problem comes back. While it was accessible I removed and added the rules again in ISPConfig; after that UFW shows the right ports in its list, but after a reboot the server can't be reached again. To get access back (all services were unreachable: http/mail/ssh...) I tried to flush iptables without success, then I did a reboot, then flushed iptables again, and I was able to connect to the server again, but it shows ufw as inactive. I checked the following post and everything seems to be configured as in the solution that was in the thread: https://www.howtoforge.com/community/threads/issue-with-ufw-and-ispconfig.73283/

I tried to purge ufw then install it again, followed by updating ISPConfig to trigger a reconfiguration of it, but no success. To gain access back to the server I have to trigger the iptables flush, restart the server, then flush iptables again, but once I can reach my server, ufw is shown running with all the ports, which seem to be well configured (all ports configured in ISPConfig are shown). I also noticed netstat -tnulp | grep pure-ftpd doesn't return anything, even after restarting pure-ftpd-mysql, whereas I didn't change anything in its configuration. Could these problems be linked to the first one?
After struggling with it, it works again, without any idea how, except that I'm still having a problem with the firewall that blocks the connection at reboot whereas ufw is configured in ISPConfig, and also I need to restart postfix a couple of times before it works. I don't see any error in /var/log/mail.log or when doing systemctl status postfix. Here is what iptables -L reports after access is possible again:

Code:
Chain INPUT (policy DROP)
target                    prot opt source               destination
f2b-sshd                  tcp  --  anywhere             anywhere             tcp dpt:ssh
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input          all  --  anywhere             anywhere
ufw-after-input           all  --  anywhere             anywhere
ufw-after-logging-input   all  --  anywhere             anywhere
ufw-reject-input          all  --  anywhere             anywhere
ufw-track-input           all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target                      prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward          all  --  anywhere             anywhere
ufw-after-forward           all  --  anywhere             anywhere
ufw-after-logging-forward   all  --  anywhere             anywhere
ufw-reject-forward          all  --  anywhere             anywhere
ufw-track-forward           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target                     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output          all  --  anywhere             anywhere
ufw-after-output           all  --  anywhere             anywhere
ufw-after-logging-output   all  --  anywhere             anywhere
ufw-reject-output          all  --  anywhere             anywhere
ufw-track-output           all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  ssh.iv.lt            anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target                    prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target            prot opt source               destination
ACCEPT            all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT            icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT            icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT            icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT            icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target            prot opt source               destination
ACCEPT            all  --  anywhere             anywhere
ACCEPT            all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP              all  --  anywhere             anywhere             ctstate INVALID
ACCEPT            icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT            icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT            icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT            icmp --  anywhere             anywhere             icmp echo-request
ACCEPT            udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local     all  --  anywhere             anywhere
ACCEPT            udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT            udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input    all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target           prot opt source               destination
ACCEPT           all  --  anywhere             anywhere
ACCEPT           all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target            prot opt source               destination
RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN            all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP              all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1103
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sieve
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 40110:40210
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2812

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
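When access comes and goes across reboots, a quick way to verify the live ruleset is to parse `iptables -L` and compare the ports accepted in the ufw user chain against the ports ISPConfig is supposed to open. The following is an added example, not part of this thread or of ISPConfig; the excerpt it parses is a constructed, shortened dump in the same format as the one posted above, and the expected port list is an assumption taken from that dump.

```python
import re

# Constructed, shortened `iptables -L` excerpt in the format shown in the
# thread: INPUT defaults to DROP and reaches ufw-user-input via ufw-before-input.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-input  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 40110:40210
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
"""

# Assumed (proto, port) pairs ISPConfig should keep open; names are what
# `iptables -L` prints without -n, so the sets compare by the same names.
EXPECTED = {("tcp", "ssh"), ("tcp", "smtp"), ("tcp", "http"), ("tcp", "https"),
            ("tcp", "40110:40210"), ("udp", "domain")}

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
PORT_RE = re.compile(r"dpt:(\S+)|dports (\S+)")


def parse_chains(text):
    """Return ({chain: [rule lines]}, {chain: policy}) from `iptables -L` output."""
    rules, policies, current = {}, {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            rules[current] = []
            if m.group(2):
                policies[current] = m.group(2)
        elif current and line.strip() and not line.startswith("target"):
            rules[current].append(line)
    return rules, policies


def allowed_ports(rules, chain="ufw-user-input"):
    """Collect (proto, port-or-range) for every ACCEPT rule in the user chain."""
    found = set()
    for line in rules.get(chain, []):
        fields, m = line.split(), PORT_RE.search(line)
        if fields[0] == "ACCEPT" and m:
            found.add((fields[1], m.group(1) or m.group(2)))
    return found


def check_firewall(text, expected):
    """Return (INPUT policy, whether INPUT reaches ufw-user-input, missing ports)."""
    rules, policies = parse_chains(text)
    jumps = lambda src, dst: any(l.split()[0] == dst for l in rules.get(src, []))
    reached = jumps("INPUT", "ufw-before-input") and jumps("ufw-before-input", "ufw-user-input")
    return policies.get("INPUT"), reached, sorted(set(expected) - allowed_ports(rules))
```

On the real host, feed it `iptables -L` output and compare the missing list before and after a reboot; an empty ufw-user-input chain with INPUT still at DROP is the symptom described in this thread.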