UniFi Dream Machine (UDM, UDM Pro, UDM Pro SE) admin lockout

I’ve emailed Ubiquiti support about this, created a forum post, and included screenshots and verbose SSH client logs. I’m writing this as I sit without access to a client’s firewall because of this bonus feature in these products.

The result of my diving into the packets and testing thoroughly is that, whenever there is a failed SSH login attempt, the firewall goes into a “block any attempts” mode. This is unlike any other server out there, which might rate-limit the offending connection or blacklist it after so many failed attempts. Ubiquiti products prevent any login, even legitimate connections. The connection establishes just fine, but then it just seems to drop. So if you’re experiencing this, where any attempt to SSH into a firewall just ends with a dropped connection, you may well be dealing with this yourself.
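A small probe that tells the symptom described above (the TCP connect succeeds, then the peer drops the connection before ever sending an SSH banner) apart from a refused or unreachable port. This is an added example, not code from the original post or from Ubiquiti; the fake-server helper and the constructed banner string exist only so it can be exercised offline against localhost.

```python
import socket
import threading


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Classify what an SSH port does when we connect to it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"            # nothing listening / filtered with RST
    except OSError:
        return "unreachable"        # no route, or handshake timed out
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "connected-no-banner"   # accepted, then silent
        except ConnectionResetError:
            return "connected-then-dropped"
    if not data:
        # Handshake completed but the peer closed before sending
        # "SSH-2.0-..."; this is the lockout symptom described above.
        return "connected-then-dropped"
    if data.startswith(b"SSH-"):
        return "banner:" + data.split(b"\r\n", 1)[0].decode(errors="replace")
    return "unexpected-data"


def start_fake_server(mode: str) -> int:
    """Hypothetical test helper: one-shot listener on 127.0.0.1.

    mode="drop"   -> accept the connection and close it immediately
    mode="banner" -> send a constructed SSH banner, then close
    Returns the ephemeral port it is listening on.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve() -> None:
        conn, _ = listener.accept()
        with conn:
            if mode == "banner":
                conn.sendall(b"SSH-2.0-OpenSSH_9.0\r\n")  # constructed value
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]
```

Run `probe_ssh("<udm-address>")` from the locked-out client: "connected-then-dropped" matches the behavior in this post, while "refused" or "unreachable" points at a different problem.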

The only solution is to go to the firewall’s settings and modify the rule you have for SSH forwarding. You’ll have to lock it down to whatever IP address you’re coming from at the time, and then wait 5-10 minutes for the server to become accessible again. Going forward, if you don’t want to deal with this, you’ll have to go into the settings each time and change that IP to whatever your source is.

Here’s hoping they fix it sometime soon. It always gets me at the most inopportune times; last time I did not have any UI access due to the internal web server failing to communicate. Also, the firewall was showing “offline” on the UniFi management portal, so I was left to repeatedly click to attempt the connection until finally I was able to get in.

If it’s not clear, the reason this happens is that some random port scanner is trying to use JimBob to log in. Result: everyone is locked out for a period of time. This could be a bad scenario if it begins to be used intentionally as a type of DoS tool.

Oh, and the screenshot I included shows another fun variant of its behavior. It will finally connect after 150 tries, only to hang on the login banner. Sending a Break here causes the session to terminate (unlike a Break at a shell prompt). So yeah, pretty neat all around!

–Josh
