I am trying to secure my apache with Let's Encrypt on Ubuntu 18.04,
I ran these commands:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt install python-certbot-apache
$ sudo ufw enable
$ sudo ufw allow 'Apache Full'
After the last command, The terminal froze, so I decided to close it and reconnect hoping it would really reconnect.
Unfortunately, it returns with a message saying:
ssh: connect to host <...some public ipv4 DNS> port 22: Connection timed out
I checked the security groups to see if SSH is set to Anywhere and yes its set.
My guess is I messed up the ufw configs(or maybe not), but I can't confirm it because I cant ssh to my ec2 instance.
EDIT:
I tried stopping and starting the instance, causing it to change its public ip address, which I still cant ssh to :(
Issue might be because ufw by default doesn't have allow 22 rule set, so before you enable ufw try running sudo ufw allow 22 or sudo ufw allow ssh.
To allow ssh before enabling ufw try running the below command which adds the rule to /etc/ufw/user.rules
sudo ufw allow ssh
So when user enables ufw it reads the already existing rules from the file, and doesn't terminate or block the user out of the access.
And then running the following commands will make it easy for the user to access the instance without any issues.
sudo ufw enable
sudo ufw allow 443
sudo ufw status
However, when coming to cloud provisioned instances, it's more likely and easy to play with security groups which would give a higher level of access to play with a specific instance and their corresponding rules.
Related
I want to open port 80 to allow HTTP connections on my EC2 server. But when I'm entering "telnet xx.xx.xx.xx 80" on a terminal the following is displayed
"Trying xx.xx.xx.xx..."
telnet: Unable to connect to remote host: Connection timed out
In AWS I've opened port 80 by defining an Inbound Rule on the Security group (only one security group is defined for this EC2 server)
I'm using the Public IPv4 address to make a telnet connection
I noticed you have a fresh install -- fresh installs do not have software listening over HTTP by default.
If there is no application listening on a port, incoming packets to that port will simply be rejected by the computer's operating system. Ports can be "closed" through the use of a firewall, which you have disabled, therefore the ports are open just unresponsive which makes them appear closed.
If the port is enabled in the firewall in terminal using
sudo apt-get install ufw
sudo ufw allow ssh
sudp ufw allow https
sudo ufw allow http
sudo reboot
and enabled in the aws console as a rule, the port is open and just not responsive so it's seen as closed. By installing either nginx or something that binds to port 80, external requests to that port will be connected successfully, and the port will therefore be recognized as open. The reason ssh is recognized as open is because 1. it has firewall transparency, and 2. it is always listening (unlike port 80!).
Before installing nginx even though ports are allowed thru firewall:
sudo apt-get install nginx
sudo ufw allow 'Nginx HTTP'
sudo systemctl status nginx
(more nginx info)
After:
Simple port tester tool here
Parastate node requires exposing ports.
30333: Default p2p traffic port. Make sure you expose this port externally.
9933: Default RPC traffic port.
9944: Default WebSocket traffic port.
After I enable ufw on ubuntu and run
$sudo ufw allow 30333
However, when I check here https://www.yougetsignal.com/tools/open-ports/ whether ports are opened I get an answer it is still closed. Any idea why?
I used ufw for that purpose:
sudo ufw enabl
sudo ufw allow 30333
sudo ufw allow 9933
sudo ufw allow 9944
And check whether it worked:
sudo ufw status verbose
Don't forget to start your node before checking ports here: https://www.yougetsignal.com/tools/open-ports/
try to use nmap to check your ports? nmap 127.0.0.1 and if not open,try use iptables command to open your ports
I wrote a very simple spring-boot application and packed it in Docker.
The content of docker file is:
FROM openjdk:13
ADD target/HelloWorld-1.0-SNAPSHOT.jar HelloWorld.jar
EXPOSE 8085
ENTRYPOINT ["java", "-jar", "HelloWorld.jar"]
I pushed it to docker hub.
I created a new EC2 instance on aws. Then I connected to it and typed the following commands:
sudo yum update -y
sudo yum install docker -y
sudo service docker start
sudo docker run -p 80:8085 ****/docker-hello-world
The last command gave many messages on the screen that said that spring-boot application is running.
Looks great. However, when I opened my browser and typed: "http://ec2-54-86-87-68.compute-1.amazonaws.com/" (public DNS of EC2 machine).
I got "This site can’t be reached".
Do you know what I did wrong?
Edit: security groups that regard this machine are "default" and the following group that I defined:
Inside the EC2 machine, I typed:"curl localhost:8085" and got:
"curl: (52) Empty reply from server"
Ensure that your port's inbound traffic is enabled for your local IP address in your ec2 instance security group configuration
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#adding-security-group-rule
Have you allowed inbound traffic for port 8085 in your security group configuration? That should be the first thing to check.
I found the solution.
It was port issues.
Instead of running
sudo docker run -p 80:8085 ****/docker-hello-world
I had to run:
sudo docker run -p 8085:8080 ****/docker-hello-world
This command says: "take the application that runs on port 8080 in the application and put it on port 8085 on docker".
I opened the browser and browsed to: "http://ec2-18-207-188-57.compute-1.amazonaws.com:8085/hello" and got the response I expected.
I am unable to reach EC2 instance after installing NGINX on that EC2 instance didn't get why this happen I just run below commands:
sudo apt update
sudo apt install nginx
sudo ufw app list
sudo ufw enable
sudo ufw allow 'Nginx HTTP'
sudo ufw status
before installing NGINX i am able to take SSH connection of EC2 but after doing this I am not reach to EC2 i cross check everything
SG Inbounds has enable 22 port [trying with all of three MyIp,Custom,Anywhere],
VPC has internet gateway which is properly bind
is there anything that i left?
or
"sudo ufw enable"
command run on my EC2 is creates the issue
Stop the running EC2 instance
Detach its /dev/sda1 volume
Start another EC2 instance, it should be on the same subnet
Attach volume to the new micro instance, as /dev/xvdf
SSH to the new instance and mount the volume to /mnt/tmp
sudo fdisk -l # check volumes and find the volume we wanna mount, in my case it's /dev/xvdf1
sudo mkdir /mnt/tmp
sudo mount /dev/xvdf1 /mnt/tmp
Disable UFW by setting ENABLED=no in /mnt/tmp/etc/ufw/ufw.conf
cd
sudo nano /mnt/tmp/etc/ufw/ufw.conf
Exit
Terminate the new instance
Detach the volume from it
Attach volume back to the main instance as /dev/sda1 Start the main instance
Login as before
Enable ssh connections
sudo ufw allow ssh
sudo ufw enable
Kudos to: https://stackoverflow.com/a/49432706
You should allow SSH connections before enabling the firewall so;
Execute
sudo ufw allow ssh
Before
sudo ufw enable
I've changed default ssh port by performing the following steps;
Edit 22 to 2200 in sudo nano /etc/ssh/sshd_config
restart ssh server by using sudo service ssh restart
Added a ufw rule sudo ufw allow 2200/tcp
Added a rule in EC2 security group in AWS management console to allow TCP 2200 from 0.0.0.0/0
SSH access to public IP using port 2200 and using SSH private key
But it was it was unresponsive.
Any ideas?
You need to restart sshd
sudo service sshd restart
Not the ssh restart because ssh_config controls the behaviour of ssh not sshd