I am trying to ssh into an EC2 instance (1.1.1.1) from another EC2 instance (2.2.2.2) and yet another EC2 instance (3.3.3.3).
In the instance 2.2.2.2, I can successfully connect to 1.1.1.1
~$ ssh ubuntu#1.1.1.1 -i mykey.pem
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0664 for 'mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
However, in instance 3.3.3.3, the connection fails with a time out.
~$ ssh ubuntu#1.1.1.1 -i mykey.pem
ssh: connect to host 1.1.1.1 port 22: Connection timed out
The 2.2.2.2 and 3.3.3.3 instances are both Ubuntu 18.04.4. They have the exact same inbound and outbound rules.
Why does the ssh connection fail in 3.3.3.3?
###############################################################
Edits(2021-02-18):
The instance 1.1.1.1 and instance 3.3.3.3 are in the same VPC.
SSH connection from 1.1.1.1 to 3.3.3.3 had a timeout.
SSH connection from 3.3.3.3 to 1.1.1.1 had a timeout.
SSH connection from either 1.1.1.1/3.3.3.3 to 2.2.2.2 works and vice versa.
I have tried to launch a new instance 4.4.4.4 in the same VPC as 2.2.2.2. The connection between them works.
So, there must be some problems with the VPC of 1.1.1.1 and 3.3.3.3.
Below are the security rules of the network of that VPC:
Inbound Rules
Outbound Rules
Related
Running an AWS EC2 instance with Ubuntu 22.04. I am also running a jupyter server for python development there and connecting to that from my local Ubuntu laptop with ssh tunneling.
#!/usr/bin/env bash
# encoding:utf-8
SERVER=98.209.63.973 # My EC2 instance
# Tunnel the jupyter service
nohup ssh -N -L localhost:8081:localhost:8888 $SERVER & # 8081:Local port 8888:remote port
However, I never opened port 8888 of the ec2 instance by a security group rule. How come the port forwarding is working in that case? Should not it be blocked?
When using ssh -L, ssh will listen to local port 8081 and will send that traffic across the SSH connection (port 22) to the destination computer. The ssh daemon that receives the traffic will then forward the traffic to localhost:8888.
There is no need to permit port 8888 in the EC2 instance security group because it is receiving this traffic via port 22.
An SSH connection does more than just sending the keystrokes you type. It is a full protocol that can pass traffic across multiple logical channels.
So I have two instances, instance A is part of a security group sg-1 and instance B is part of another security group sg-2.
sg-1 has settings to allow all outbound traffic
sg-2 has settings to allow traffic from sg-1 on port 80, 9200 and 9300:
Yet, when I SSH onto instance A and try to curl instance B on port 9200, I get an error: Failed to connect to <Instance B Private IP> port 80: Connection refused
Not sure what I am doing wrong here?
I am using cygwin which has ssh configured.
I am using a windows machine
Path to keypair file : C:\cygwin64\home\suhelkhan.ssh\kworld_kp1.pem
The EC2 instance is Red Hat Enterprise Linux (RHEL) 6
The EC2 is correctly mapped to the keypair
The security group associated with this EC2 instances allows for SSH
connection.
I am using the following command to connect
suhelkhan#DTDVD0003009PR ~/.ssh
$ ssh -vvv "kworld_kp1.pem" ec2-user#ec2-52-63-yyy-zz.ap-southeast-2.compute.amazonaws.com
output:
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
debug2: resolving "kworld_kp1.pem" port 22
ssh: Could not resolve hostname kworld_kp1.pem: Name or service not known
Checking with telnet gives the following:
suhelkhan#DTDVD0003009PR ~/.ssh
$ telnet 52.63.141.40
Trying 52.63.141.40...
telnet: Unable to connect to remote host: Connection refused
The Telnet cmd gives out the following:
suhelkhan#DTDVD0003009PR ~/.ssh
$ telnet HOST 22
Can't lookup hostname HOST
I just redid the whole thing (New instance with appropriate security group, Proper Key-Pair match up and new cygwin installation [http://thecoatlessprofessor.com/programming/installing-amazon-web-services-command-line-interface-aws-cli-for-windows-os-x-and-linux-2/ ]) .Also added my Public IP to the inbound tab of the security group i am using.. all works.. thanks for the all the help
I'm configuring a NAT instance that should redirect all incoming requests on port 2222 to port 22 of a server in a private subnet on my virtual private cloud, so I can connect with SSH straight to my private instance. I have opened port 2222 on the NAT Instance's security group and 22 on my private instance's security group, as well as added on
/etc/ssh/sshd_config
the following lines:
Port 22
Port 2222
nmap on NAT instance shows that port 2222 is open:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
2222/tcp open EtherNet/IP-1
I also added this following iptables rule on my NAT instance, hence any packages that comes on port 2222 should be redirected to 10.0.2.18:22 (10.0.2.18 is the private instance IP):
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.2.18:22
The problem is that I can't reach port 2222 of my NAT instance, if I try this:
ssh -p 2222 -i mykey.pem ec2-user#my_nat_ip
or this:
nc -zv my_nat_ip 2222
I get a connection time out.
Thanks in advance any help.
A few things for you to check out (assuming you have already ruled out Security Groups):
Check if you haven't denied traffic on your Network ACLs (NACL).
Check if the Route Table for your private subnet is sending traffic to the NAT instance.
Check if you have disabled the Source/Destination Check on your NAT instance.
Also, you might want to enable VPC Flow Logs on your VPC to help you find where those packets might be getting dropped.
And then, another suggestion: you might want to consider an alternative to port forwarding, as this is basically exposing your instance in the private subnet to the dangerous internet. A common approach is to have what is commonly referred to as a Bastion Host. Or a Jump Host. Some people use a NAT instance for this purpose. A few ways to do this would include: (1) use SSH local port forwarding; (2) use SSH dynamic proxy; (3) use the ProxyCommand option on your SSH client. There are plenty of answered questions about all these subjects on StackOverflow and other StackExchange sites, you'll definitely find many ways to do it!
two instances:
1.- Orion with 192.168.x.1, public like 130.a.b.c
2.- Keystone with 192.168.x.2. Port 8000 opened and tested from localhost
3.- instances have the same routing rule group.
I edit my security group rules adding port 8000 with a cidr 192.168.x.2/32. Now i test it with telnet from my computer:
telnet 130.a.b.c 8000
result: Connection time out.
i'm wrong? how can i connect to port 8000 from my computer to my second instance using the public Ip (configured in first instance) ? Or need a second public Ip?
There are many ways to do this: IPForwarding with iptables, haproxy, etc.
However, I thinK that the easiest way to do this would be SSH Port forwarding in your host with the public IP:
ssh -f -N -o ServerAliveInterval=30 -L 0:8000:192.168.x.2:8000 $YOUR_USER#192.168.x.1:8000
-L 0:8000:192.168.x.2:8000 means that It'll listen every network interface (0:8000) and will send every query to 192.168.x.2:8000
If you don't have a password to your user or ssh is not configured to accept passwords, you could consider either adding a new authorized key (so you can locally login) or connecting your public IP using -A so your credentials can be forwarded:
*ssh -A -i $PRIVATE_KEY_FILE $YOUR_USER#130.a.b.c