Why does my ubuntu server become unavailable from remote access after about 10 hours?

[Regnar]

While setting up my raspberry pi with apache2, shh and more at a new address I've encountered a problem.

My setup consists of a router (provided by my ISP, Sagemcom F@ST 3890) with port forwarding 80, 443 and 22 to my RPI's static local IP, ethernet connection. Everything runs smoothly for a while. I'm able to connect via HTTP, HTTPS and SSH through my domain pointing to my static remote IP. After about 10 hours it does, however, start to misbehave. If I do a `sudo reboot` on the RPI the setup works fine for about 10 hours.

- When checking ports through canyouseeme.org all previously open ports seem to have closed.
Error: I could not see your service on xxx.xxx.xx.xx on port (80/443/22) Reason: Connection timed out

- The apache server is still running and can be accessed through its
local IP. Same goes for ssh.

sudo nmap localhost
Starting Nmap 7.01 ( https://nmap.org ) at 2018-05-24 14:34 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00049s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
3306/tcp open mysql

Apache2 and SSH are listening on their ports.
regnar@wserver:~$ sudo lsof -iTCP -sTCP:LISTEN -P
[sudo] password for regnar:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1162 root 3u IPv4 12110 0t0 TCP *:22 (LISTEN)
sshd 1162 root 4u IPv6 12112 0t0 TCP *:22 (LISTEN)
vsftpd 1171 root 3u IPv6 14735 0t0 TCP *:21 (LISTEN)
mysqld 1175 mysql 16u IPv4 15391 0t0 TCP localhost:3306 (LISTEN)
apache2 1233 root 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 1233 root 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
master 1491 root 12u IPv4 13109 0t0 TCP localhost:25 (LISTEN)
master 1491 root 13u IPv6 13110 0t0 TCP ip6-localhost:25 (LISTEN)
smbd 1498 root 34u IPv6 15584 0t0 TCP *:445 (LISTEN)
smbd 1498 root 35u IPv6 15585 0t0 TCP *:139 (LISTEN)
smbd 1498 root 36u IPv4 15586 0t0 TCP *:445 (LISTEN)
smbd 1498 root 37u IPv4 15587 0t0 TCP *:139 (LISTEN)
apache2 11103 www-data 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 11103 www-data 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
apache2 11104 www-data 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 11104 www-data 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
apache2 11105 www-data 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 11105 www-data 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
apache2 11106 www-data 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 11106 www-data 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
apache2 11107 www-data 4u IPv6 12169 0t0 TCP *:80 (LISTEN)
apache2 11107 www-data 6u IPv6 12173 0t0 TCP *:443 (LISTEN)
cupsd 15513 root 10u IPv6 107704 0t0 TCP ip6-localhost:631 (LISTEN)
cupsd 15513 root 11u IPv4 107705 0t0 TCP localhost:631 (LISTEN)

UFW shouldn't be blocking the incoming connections. I've tried
disabling it as well.
regnar@wserver:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
Samba ALLOW Anywhere
Apache ALLOW Anywhere
Apache Full ALLOW Anywhere
Apache Secure ALLOW Anywhere
OpenSSH ALLOW Anywhere
Postfix ALLOW Anywhere
Samba (v6) ALLOW Anywhere (v6)
Apache (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
Apache Secure (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
Postfix (v6) ALLOW Anywhere (v6)

- I CAN ping my domain / remote IP from outside but I can't connect
through HTTP, HTTPS or SSH.
- I have tried restarting the router
- I have tried using another local IP

The setup (with a different router and different ISP) has been working for a long period at my previous address, but with the new connection / router the small setup seems to be having some trouble.

Anyone out there got a possible solution?

Kind Regards

 

[ColinTaylor]

Check the logs on both the router and the pi.

 

[Regnar]

Thanks for your answer.
Just cleared the the router log, so I can have a look at it in ~10 hours.
What logs would you recommend checking out on the RPI?

 

[ColinTaylor]

I would look at any files in /var/log that have messages from around the time the problem occurs. But particularly syslog and auth.log.

 

[Regnar]

Alright, thank you. I'll get back with an update when I've checked out the logs.

 

[sfx2000]

The setup (with a different router and different ISP) has been working for a long period at my previous address, but with the new connection / router the small setup seems to be having some trouble.

Anyone out there got a possible solution?

IMHO, sounds like the router - if the ports are closed when they were previously open...

Your Pi - are you running a true static IP on that host, or running as a DHCP reservation on the Sagemcom device?

 

[Regnar]

Yeah, that's what I'm thinking as well..
The RPI's local IP is set up in network/interfaces and as a DHCP reservation.

 

[Regnar]

From my auth.log it seems someone (or rather something) is trying to login with random user/pw entries.
Kind of disturbing but shouldn't really be the problem though?

May 28 23:38:23 wserver sshd[7125]: Invalid user 1234 from 100.68.204.64
May 28 23:38:23 wserver sshd[7125]: input_userauth_request: invalid user 1234 [preauth]
May 28 23:38:23 wserver sshd[7125]: pam_unix(sshd:auth): check pass; user unknown
May 28 23:38:23 wserver sshd[7125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 28 23:38:25 wserver sshd[7125]: Failed password for invalid user 1234 from 100.68.204.64 port 56428 ssh2
May 28 23:38:25 wserver sshd[7125]: Received disconnect from 100.68.204.64 port 56428:11: Normal Shutdown, Thank you for playing [preauth]
May 28 23:38:25 wserver sshd[7125]: Disconnected from 100.68.204.64 port 56428 [preauth]
May 28 23:39:01 wserver CRON[7132]: pam_unix(cron:session): session opened for user root by (uid=0)
May 28 23:39:02 wserver CRON[7132]: pam_unix(cron:session): session closed for user root
May 28 23:40:53 wserver sshd[7195]: Invalid user bruce from 100.68.204.64
May 28 23:40:53 wserver sshd[7195]: input_userauth_request: invalid user bruce [preauth]
May 28 23:40:53 wserver sshd[7195]: pam_unix(sshd:auth): check pass; user unknown
May 28 23:40:53 wserver sshd[7195]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 28 23:40:55 wserver sshd[7195]: Failed password for invalid user bruce from 100.68.204.64 port 45452 ssh2
May 28 23:40:55 wserver sshd[7195]: Received disconnect from 100.68.204.64 port 45452:11: Normal Shutdown, Thank you for playing [preauth]
May 28 23:40:55 wserver sshd[7195]: Disconnected from 100.68.204.64 port 45452 [preauth]
May 28 23:40:55 wserver sshguard[916]: Blocking 100.68.204.64:4 for >630secs: 40 danger in 4 attacks over 151 seconds (all: 40d in 1 abuses over 151s).
May 28 23:54:22 wserver sshd[7219]: Invalid user bill from 100.68.204.64
May 28 23:54:22 wserver sshd[7219]: input_userauth_request: invalid user bill [preauth]
May 28 23:54:22 wserver sshd[7219]: pam_unix(sshd:auth): check pass; user unknown
May 28 23:54:22 wserver sshd[7219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 28 23:54:24 wserver sshd[7219]: Failed password for invalid user bill from 100.68.204.64 port 56873 ssh2
May 28 23:54:26 wserver sshd[7219]: Received disconnect from 100.68.204.64 port 56873:11: Normal Shutdown, Thank you for playing [preauth]
May 28 23:54:26 wserver sshd[7219]: Disconnected from 100.68.204.64 port 56873 [preauth]
May 29 00:00:01 wserver CRON[7233]: pam_unix(cron:session): session opened for user root by (uid=0)
May 29 00:00:01 wserver CRON[7233]: pam_unix(cron:session): session closed for user root
May 29 00:03:33 wserver sshd[7243]: Invalid user gyuro from 100.68.204.64
May 29 00:03:33 wserver sshd[7243]: input_userauth_request: invalid user gyuro [preauth]
May 29 00:03:33 wserver sshd[7243]: pam_unix(sshd:auth): check pass; user unknown
May 29 00:03:33 wserver sshd[7243]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 29 00:03:35 wserver sshd[7243]: Failed password for invalid user gyuro from 100.68.204.64 port 53254 ssh2
May 29 00:03:35 wserver sshd[7243]: Received disconnect from 100.68.204.64 port 53254:11: Normal Shutdown, Thank you for playing [preauth]
May 29 00:03:35 wserver sshd[7243]: Disconnected from 100.68.204.64 port 53254 [preauth]
May 29 00:03:35 wserver sshguard[916]: Blocking 100.68.204.64:4 for >945secs: 40 danger in 4 attacks over 553 seconds (all: 80d in 2 abuses over 1511s).
May 29 00:09:01 wserver CRON[7259]: pam_unix(cron:session): session opened for user root by (uid=0)
May 29 00:09:01 wserver CRON[7259]: pam_unix(cron:session): session closed for user root
May 29 00:17:02 wserver CRON[7321]: pam_unix(cron:session): session opened for user root by (uid=0)
May 29 00:17:02 wserver CRON[7321]: pam_unix(cron:session): session closed for user root
May 29 00:25:21 wserver sshd[7352]: Invalid user tamina from 100.68.204.64
May 29 00:25:21 wserver sshd[7352]: input_userauth_request: invalid user tamina [preauth]
May 29 00:25:21 wserver sshd[7352]: pam_unix(sshd:auth): check pass; user unknown
May 29 00:25:21 wserver sshd[7352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 29 00:25:23 wserver sshd[7352]: Failed password for invalid user tamina from 100.68.204.64 port 46846 ssh2
May 29 00:25:23 wserver sshd[7352]: Received disconnect from 100.68.204.64 port 46846:11: Normal Shutdown, Thank you for playing [preauth]
May 29 00:25:23 wserver sshd[7352]: Disconnected from 100.68.204.64 port 46846 [preauth]
May 29 00:26:59 wserver sshd[7360]: Connection closed by 100.68.204.64 port 33112 [preauth]
May 29 00:32:02 wserver sshd[7368]: Invalid user informix from 100.68.204.64
May 29 00:32:02 wserver sshd[7368]: input_userauth_request: invalid user informix [preauth]
May 29 00:32:02 wserver sshd[7368]: pam_unix(sshd:auth): check pass; user unknown
May 29 00:32:02 wserver sshd[7368]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=100.68.204.64
May 29 00:32:03 wserver sshguard[916]: Blocking 100.68.204.64:4 for >0secs: 40 danger in 4 attacks over 402 seconds (all: 120d in 3 abuses over 3219s).
May 29 00:32:04 wserver sshd[7368]: Failed password for invalid user informix from 100.68.204.64 port 60086 ssh2

 

[ColinTaylor]

I was expecting to see that unless you were using non-standard ports and using PAT to translate to your internal ones.

I thought the firewall might start blocking all incoming connections but it seems to be doing in selectively, which is good. So at the moment everything looks normal.

NB If you really need SSH access from the WAN I highly recommend that you change its external port to something non-standard. At the very least it will cut down the "noise" in the logs.

 

[Regnar]

Ahh, I see.
I'll try having ufw deny incoming shh (port 22) connections if that's the best way only allowing local shh? Might as well just close the port forwarding on the router instead, eh?
In my syslog I get a lot of the following:

May 29 11:46:46 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:48:16 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:48:51 wserver kernel: [ 6007.917290] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:82:91:40:00:01:02:c1:97 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=33425 DF PROTO=2
May 29 11:48:51 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:50:21 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:50:56 wserver kernel: [ 6132.928191] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:89:54:40:00:01:02:ba:d4 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=35156 DF PROTO=2
May 29 11:50:56 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:52:26 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:53:01 wserver kernel: [ 6257.939805] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:92:9e:40:00:01:02:b1:8a SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=37534 DF PROTO=2
May 29 11:53:01 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:54:31 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:55:06 wserver kernel: [ 6382.950876] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:9c:1a:40:00:01:02:a8:0e SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=39962 DF PROTO=2
May 29 11:55:06 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:56:36 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:57:11 wserver kernel: [ 6507.961510] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:c4:c1:40:00:01:02:7f:67 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=50369 DF PROTO=2
May 29 11:57:11 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 11:58:41 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 11:59:16 wserver kernel: [ 6632.973553] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:f5:0b:40:00:01:02:4f:1d SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=62731 DF PROTO=2
May 29 11:59:16 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 12:00:46 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 12:00:01 wserver CRON[2029]: (root) CMD (test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew)
May 29 12:01:21 wserver kernel: [ 6757.984946] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:21:79:40:00:01:02:22:b0 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=8569 DF PROTO=2
May 29 12:01:21 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 12:02:51 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 12:01:23 wserver kernel: [ 6759.828392] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:60:03:08:ed:95:ba:08:00:46:00:00:20:e3:5d:00:00:01:02:9f:c9 SRC=192.168.0.13 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=58205 PROTO=2
May 29 12:02:09 wserver kernel: [ 6805.715630] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:60:03:08:ed:95:ba:08:00:46:00:00:20:ad:d9:00:00:01:02:d5:4d SRC=192.168.0.13 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=44505 PROTO=2
May 29 12:03:26 wserver kernel: [ 6882.997411] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:43:f7:40:00:01:02:00:32 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=17399 DF PROTO=2
May 29 12:03:26 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 12:04:56 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 12:05:31 wserver kernel: [ 7008.009196] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:a0:39:ee:ab:0f:88:08:00:46:00:00:24:52:ee:40:00:01:02:f1:3a SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=21230 DF PROTO=2
May 29 12:05:31 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 12:07:01 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
May 29 12:07:22 wserver rsyslogd-2007: action 'action 10' suspended, next retry is Tue May 29 12:08:52 2018 [v8.16.0 try http://www.rsyslog.com/e/2007 ]

Might these ufw blocks have anything to do with my problem?

 

[ColinTaylor]

Might as well just close the port forwarding on the router instead, eh?

If you don't need SSH from the WAN, definitely.

Might these ufw blocks have anything to do with my problem?

I think it's unlikely. It's just blocking local multicast traffic.

 

[sfx2000]

Yeah, that's what I'm thinking as well..
The RPI's local IP is set up in network/interfaces and as a DHCP reservation.

The other thing to look at on the Sagemcomm device - check the port triggering rules, might have something to do with the ports dropping after a while...

with SSH - ufw has the "limit" rule, which helps out quite a bit with the port scanners - using certificates there is always a good approach, and some people suggest moving the port from 22 to something else...

 

[Regnar]

Thank you all your replies.
After shutting down WAN access to SHH the setup runs smoothly without problems.
I'll keep your tips regarding remotely accessible SHH in mind if I should decide to open it again.
Thanks guys!