I am connected to an AWS server, where I want to host an Elasticsearch application. For that to work, I need to open a set of ports. In my AWS security group, I have opened the ones which I consider necessary. In order to check whether that worked, I tried the following:
While connected to AWS via SSH, I typed curl localhost:3002, which outputs:
<html><body>You are being redirected.</body></html>
When I try the same from my local machine, i.e. curl http://ec2-xxxxx.eu-central-1.compute.amazonaws.com:3002, I receive:
curl: (7) Failed to connect to ec2-xxxxx.eu-central-1.compute.amazonaws.com port 3002: Connection refused
Does that mean that port 3002 is not open, or could there be another explanation?
Thank you for your help!
Edit:
The configuration in the security group looks as follows:
Inbound:
80 TCP 0.0.0.0/0 launch-wizard-7
80 TCP ::/0 launch-wizard-7
22 TCP 0.0.0.0/0 launch-wizard-7
5000 TCP 0.0.0.0/0 launch-wizard-7
5000 TCP ::/0 launch-wizard-7
3002 TCP 0.0.0.0/0 launch-wizard-7
3002 TCP ::/0 launch-wizard-7
3000 TCP 0.0.0.0/0 launch-wizard-7
3000 TCP ::/0 launch-wizard-7
443 TCP 0.0.0.0/0 launch-wizard-7
443 TCP ::/0 launch-wizard-7
Outbound:
All All 0.0.0.0/0 launch-wizard-7
I would like to allow only a specific public IP to use the pem file (SSH).
I have added my IP only for SSH, but I am able to connect with the same SSH key from a different public IP, or let's say a different computer with a different internet connection.
Edit inbound rules:
Type | Protocol | Port range | Source | Description (optional)
HTTP TCP 80 0.0.0.0/0 -
HTTP TCP 80 ::/0 -
POP3 TCP 110 0.0.0.0/0 -
POP3 TCP 110 ::/0 -
All traffic All All 0.0.0.0/0 -
All traffic All All ::/0 -
POP3S TCP 995 0.0.0.0/0 -
POP3S TCP 995 ::/0 -
IMAPS TCP 993 0.0.0.0/0 -
IMAPS TCP 993 ::/0 -
SSH TCP 22 42.109.252.7/32 - // This is what I have added to allow only myself to use SSH
SMTP TCP 25 0.0.0.0/0 -
SMTP TCP 25 ::/0 -
IMAP TCP 143 0.0.0.0/0 -
IMAP TCP 143 ::/0 -
DNS (TCP) TCP 53 0.0.0.0/0 -
DNS (TCP) TCP 53 ::/0 -
HTTPS TCP 443 0.0.0.0/0 -
HTTPS TCP 443 ::/0 -
Actually, I have a pem file which I want to be usable by others only when I add their IPs to the inbound rules of the security group in the AWS console.
You also have a rule allowing all traffic from any IP in your security group list.
There is no specific ordering for security group rule evaluation, so when this rule is evaluated you will find that any source IP is able to access any port on the EC2 host.
If you want to restrict the IP addresses which can SSH to the host, you will need to remove the following rules:
All traffic All All 0.0.0.0/0 -
All traffic All All ::/0 -
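Added example (not from the answer above): security groups are allow-only and unordered, so the reachable sources for a port are the union over every rule that covers it. The rule list below is a constructed sample in the shape of the IpPermissions list returned by describe-security-groups, mirroring the rules in the question; the function names are my own.

```python
# Constructed sample shaped like the "IpPermissions" list of a security group.
# IpProtocol "-1" is how AWS represents "All traffic".
RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "42.109.252.7/32"}], "Ipv6Ranges": []},
]


def rule_covers(rule, proto, port):
    """True if this rule allows proto/port ("-1" covers every protocol and port)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sources(rule):
    """All IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def allowed_sources(rules, proto, port):
    """Effective sources for proto/port: the union over every covering rule,
    because security groups have no ordering and no deny rules."""
    allowed = set()
    for rule in rules:
        if rule_covers(rule, proto, port):
            allowed.update(sources(rule))
    return allowed


def shadowing_rules(rules, proto, port, intended_cidr):
    """Rules that also open proto/port to sources other than intended_cidr,
    i.e. the ones that make a restricted rule ineffective."""
    return [r for r in rules
            if rule_covers(r, proto, port) and set(sources(r)) - {intended_cidr}]


if __name__ == "__main__":
    print("SSH reachable from:", sorted(allowed_sources(RULES, "tcp", 22)))
    for r in shadowing_rules(RULES, "tcp", 22, "42.109.252.7/32"):
        print("remove:", r["IpProtocol"], sources(r))
```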
I am setting up a new EC2 instance with Ubuntu, but I am getting a weird error: I cannot access the public IP; it says connection refused.
My security group has these ports enabled:
HTTP TCP 80 0.0.0.0/0 -
HTTP TCP 80 ::/0 -
SSH TCP 22 0.0.0.0/0 -
SSH TCP 22 ::/0 -
My public IP is: http://3.16.154.123/
The EC2 instance is running, it's green, and that is the public IP it gives me... so I wonder what the problem is? Why can I not access the public IP? Why does it say connection refused? Or, more precisely, this error: ERR_CONNECTION_REFUSED
Thanks.
telnet 3.16.154.123 22
Trying 3.16.154.123...
Connected to 3.16.154.123.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^]
Your SSH is working as expected, but on port 80 it fails.
telnet 3.16.154.123 80
Trying 3.16.154.123...
telnet: Unable to connect to remote host: Connection refused
Can you check whether any service is running on the host itself using telnet localhost 80? If this works, then it will be worth checking the NACL at the VPC level for any block on port 80.
I've read through this answer, but for the life of me, I can't figure this one out.
I have an Ubuntu 18 EC2 instance running RStudio Server and RStudio Connect, both using default configuration and listening on ports 8787 and 3939 respectively.
Here are my config files:
ubuntu@EC2:~$ cat /etc/rstudio/rserver.conf
# Server Configuration File
#
#
ubuntu@EC2:~$ sudo cat /etc/rstudio-connect/rstudio-connect.gcfg
; RStudio Connect configuration file
[Server]
; SenderEmail is an email address used by RStudio Connect to send outbound
; email. The system will not be able to send administrative email until this
; setting is configured.
;
; SenderEmail = account@company.com
SenderEmail =
; Address is a public URL for this RStudio Connect server. Must be configured
; to enable features like including links to your content in emails. If
; Connect is deployed behind an HTTP proxy, this should be the URL for Connect
; in terms of that proxy.
;
; Address = https://rstudio-connect.company.com
Address =
[HTTP]
; RStudio Connect will listen on this network address for HTTP connections.
Listen = :3939
[Authentication]
; Specifies the type of user authentication.
Provider = password
Here's what I've tried:
Created inbound rules for ports 8787, 3939 and all TCP ports in my security group.
Checked the Network ACL for the subnet the instance is on
Ensured that rstudio-server and rstudio-connect are running and listening on all interfaces and not just localhost
ubuntu@EC2:~$ netstat -ltpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8787 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::8787 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::3939 :::* LISTEN -
Checked that ufw is inactive
ubuntu@EC2:~$ sudo ufw status
Status: inactive
Created an iptables rule for port 8787
ubuntu@EC2:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:8787
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I still can't access port 8787 or 3939 externally. However, I can access them both on the host using Lynx.
If I change RStudio Server's configuration to have it use port 80 instead, I can access it externally but it doesn't work for ports 8787 or 3939.
Any ideas why and how to fix this?
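Added example (not part of the question or any answer on this page): two of the checks discussed on this page, done in code. The first parses netstat -ltpn output and reports which listening ports are bound to a wildcard address rather than loopback only; the second classifies a TCP connect attempt, since "Connection refused" means the host was reached and nothing accepted (no listener, or a local REJECT), while a security group or NACL that silently drops traffic shows up as a timeout. The netstat sample is constructed after the output in the question, and the function names are my own.

```python
import re
import socket

# Constructed sample modelled on the netstat -ltpn output shown in the question.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8787                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::3939                 :::*                    LISTEN      -
"""

# proto, recv-q, send-q, local address:port, foreign address, LISTEN
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def parse_listeners(netstat_output):
    """Map port -> set of bind addresses for every LISTEN socket in the output."""
    listeners = {}
    for _proto, addr, port in LISTEN_RE.findall(netstat_output):
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def externally_reachable_ports(listeners):
    """Ports bound to a wildcard address (0.0.0.0 or ::); loopback-only binds
    such as 127.0.0.53:53 can never be reached from outside the host."""
    return sorted(p for p, addrs in listeners.items() if addrs & {"0.0.0.0", "::"})


def classify_connect(host, port, timeout=3.0):
    """Attempt a TCP connect and name the failure mode: 'open', 'refused' (host
    reached, no listener or a firewall REJECT), 'timeout' (silent drop, the usual
    symptom of a missing security group / NACL allow) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def local_listener():
    """Open a listening socket on a free loopback port (used for self-tests)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s
```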
I just figured out the answer myself. There was absolutely nothing wrong with my configuration. Opening up all the TCP ports in my security group was a bit overkill maybe and entirely unnecessary, so don't do that.
The issue was that the corporate network I am connected to blocks outbound traffic to external hosts on certain non-standard ports.
If you're in the same boat as me and need to host 2 services on the same EC2 instance but don't know which ports are unavailable/blocked by your organization then you could use nmap and portquiz.net to figure it out.
nmap is a port scanner and portquiz.net is a service that listens for connections on all TCP ports. You could scan the host using nmap over the range of TCP ports you're interested in using and see which ports show up as open.
nmap -v -p0-8000 portquiz.net
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 16:47 IST
Initiating Ping Scan at 16:47
Scanning portquiz.net (5.196.70.86) [2 ports]
Completed Ping Scan at 16:47, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.14s elapsed
Initiating Connect Scan at 16:47
Scanning portquiz.net (5.196.70.86) [8001 ports]
Discovered open port 22/tcp on 5.196.70.86
Discovered open port 80/tcp on 5.196.70.86
Discovered open port 443/tcp on 5.196.70.86
Discovered open port 21/tcp on 5.196.70.86
Discovered open port 4080/tcp on 5.196.70.86
Completed Connect Scan at 16:48, 84.98s elapsed (8001 total ports)
Nmap scan report for portquiz.net (5.196.70.86)
Host is up (0.13s latency).
rDNS record for 5.196.70.86: electron.positon.org
Not shown: 7996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
4080/tcp open lorica-in
Here, I have 4080 and 80 open so that means the corporate firewall isn't blocking outbound traffic to these ports. After configuring RStudio Server and RStudio Connect to listen on ports 80 and 4080 respectively, I'm now able to access both services externally.
I am running an Apache server within my EC2 instance and I am trying to access a static index.html. When I type http://, I see the page displayed. However, when I type https://, the page doesn't open. Below is the security group setting. What am I missing?
HTTP TCP 80 0.0.0.0/0
HTTP TCP 22 0.0.0.0/0
Custom TCP Rule TCP 443 0.0.0.0/0
I installed Flask on my AWS EC2 machine.
Now, from a local machine, the website is supposed to load with localhost and port 5000, but it is not working similarly with http::5000
I tried to add a rule in security groups as: All TCP, 0.0.0.0/0. I am not sure how to allow inbound traffic to this box.
Any help will be appreciated.
Thanks!
I had trouble with this until I tried adding an inbound custom TCP rule to the security group associated with the running instance.
Something like:
Custom TCP Rule, Protocol: TCP, Port Range: 5000, Source: 0.0.0.0/0
Custom TCP Rule, Protocol: TCP, Port Range: 5000, Source: ::/0