AWS Blocking by IP and Mac combo? - amazon-web-services

Several days ago, AWS suddenly started blocking my ability to SSH to ANY of the EC2 servers I've setup across multiple accounts.
When I try to connect I get a message about "client_loop" disconnect and Broken Pipe.
But I can't figure out why. It's not the servers themselves. It has to be Amazon somehow. It's not my SSH keys. It's not my IP address alone. It can't be my mac address alone.
I can VPN to another country and SSH in like I normally would do. This made me think IP Address.
I can connect to my phone's hotspot and then I can SSH as usual. Again, made me think IP Address.
I then decided to try my son's PC (I'm on a Mac) and, just using the home network like my computer uses, his computer can SSH in. This tells me it's NOT the IP address alone. So the only thing I can figure is that it must be a combo of IP and MAC address. I can't think of anything else that could be blocking it.
But I have several clients with servers in different AWS data centers and none are configured to block the IP address. But all of them are inaccessible.
I'm very confused as to what to try next. Looking for ideas.
Thanks!

Depending on the OS, check against the audit log of the server itself.
AWS will not be blocking based on MAC address, but it's possible that the host OS might have. Outside of that, give your home machine a reboot and try again.

Related

How do I set a stable ip in Google Cloud Platform?

I set up a cloud instance with Google Cloud Engine; it works well: I can SSH into it and I can use a VNC client in any desktop to connect to it.
However, that causes a lot of trouble. I set the approved addresses as 0.0.0.0/0. This works, but it also leaves my account vulnerable. Even though hackers don't succeed in breaking through, their attempts make my VNC server reject new attempts, including mine.
How about changing the approved IP addresses to only my own? The problem with that is that I use an internet provider that constantly changes my IP - it can change multiple times in 5 minutes. As a result, I have to change the approved IP all the time.
I have set up a static IP for my laptop, but the IP that my VNC server sees is the IP set by my internet service provider.
Is there a way to ask GCE to only check the computer's IP?
Is there a way to set my external IP to a static one (without contacting my ISP)?
Is there anything I can do?
Thank you.
You can use IAP for TCP forwarding.
This way your VM doesn't need a public IP (so it's not exposed to the internet), and IAP for TCP forwarding supports both SSH and RDP.
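The IAP setup the answer describes, as an added example (not part of the original answer): a firewall rule that admits only Google's IAP proxy range on tcp/22, a tag to scope that rule, and the two gcloud commands that tunnel SSH and a VNC port through IAP. PROJECT, ZONE, INSTANCE, the tag name "iap-ssh" and the VNC port 5901 are assumptions; the range 35.235.240.0/20 is Google's documented IAP source range.

```shell
#!/bin/sh
# Added example, not from the original answer: reach a GCE VM over SSH/VNC
# through IAP TCP forwarding instead of opening the ports to 0.0.0.0/0.
# Assumed values: PROJECT, ZONE, INSTANCE, the network tag "iap-ssh", VNC port 5901.
set -eu

PROJECT="${PROJECT:-my-project}"   # assumption: your project id
ZONE="${ZONE:-us-central1-a}"      # assumption: the VM's zone
INSTANCE="${INSTANCE:-my-vm}"      # assumption: the VM's name
VNC_PORT="${VNC_PORT:-5901}"       # assumption: where the VNC server listens
# Google's documented source range for IAP TCP forwarding traffic.
IAP_RANGE="35.235.240.0/20"

# Create the VM without an external address: nothing on the internet can reach it directly.
create_private_vm() {
  gcloud compute instances create "$INSTANCE" --project="$PROJECT" --zone="$ZONE" \
    --no-address --tags=iap-ssh
}

# Only the IAP proxies may open tcp/22 on VMs tagged iap-ssh. This replaces the
# 0.0.0.0/0 rule from the question; brute-force attempts never reach the VM.
create_iap_firewall_rule() {
  gcloud compute firewall-rules create allow-ssh-from-iap --project="$PROJECT" \
    --network=default --direction=INGRESS --action=allow --rules=tcp:22 \
    --source-ranges="$IAP_RANGE" --target-tags=iap-ssh
}

# Tag an existing VM so the rule above applies to it.
tag_existing_vm() {
  gcloud compute instances add-tags "$INSTANCE" --project="$PROJECT" --zone="$ZONE" --tags=iap-ssh
}

# SSH through the tunnel; your changing home IP no longer matters because
# access is decided by IAM (the caller needs roles/iap.tunnelResourceAccessor).
ssh_via_iap() {
  gcloud compute ssh "$INSTANCE" --project="$PROJECT" --zone="$ZONE" --tunnel-through-iap
}

# Forward the VNC port to localhost; point the desktop VNC client at localhost:5901.
vnc_tunnel_via_iap() {
  gcloud compute start-iap-tunnel "$INSTANCE" "$VNC_PORT" \
    --local-host-port="localhost:$VNC_PORT" --project="$PROJECT" --zone="$ZONE"
}
```

The VNC tunnel carries the port over the same IAP path as SSH, so the VNC server itself can keep listening only on the VM's internal address and never needs a firewall rule of its own.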

Google cloud virtual instance cannot ping my Mac (checked firewalls)

I have a virtual machine instance running on Google Cloud Compute Engine — a preemptible free-tier CPU running Ubuntu 17.04. The end goal is to connect it to a MongoDB running on my local machine, a 2015 Macbook Pro (OS 10.12.6). But first, I've been trying to ensure the VM can reach my Mac via ping.
Running ping <VM's external IP> from my Mac works.
Pinging my Mac from another Mac on the same wifi network works.
Running ping <Mac's IP> from the VM via the browser terminal does not work.
I've disabled my Mac's firewall. I've also configured my VM's firewall rules to allow all inbound and outbound traffic, to no avail:
(screenshots: ingress firewall rules, egress firewall rules)
How might I get this instance to ping my Mac successfully?
Does your Mac's IP address begin with 10., 192.168., or between 172.16. and 172.32.? These are private addresses only reachable within your Mac's local network, which is (part of) why GCE cannot reach your VM.
This is part of a very common configuration. An ISP only allocates one (or a small number) of IP addresses to your home or business. A router on the network performs NAT to share that IP address between computers on the local network, which instead use private IP addresses for themselves. As the router doesn't know what to do with the inbound MongoDB traffic, it blocks it.
There are two common ways around this that are usually found in your router settings:
"port forwarding" where you tell the traffic to forward all traffic on port 1234 to your Mac. This can get MongoDB working, but not ping.
If you have whole extra IP addresses, "DMZ" where your router directly forwards an entire extra IP to your instance. If you have only one IP address this is not an option as that IP is needed to be shared for other devices on the Wifi.
You likely also have a firewall on the router. If you use a DMZ or port-forwarding you must make sure that firewall allows traffic through too.
That said, I'm not sure that this is a sensible thing to do. Opening up your local network to the internet can create major security issues, plus it is likely unreliable and more expensive (free tier only provides 1GB egress/month, your db traffic could exceed this).
Actually running MongoDB on instances within GCE is almost certainly a better option in every regard for you.

AWS: Cannot connect to Amazon instance

I had been trying to establish a MongoDB database with an exposed REST API (through Crest, then Sleepy Mongoose), but neither of these had been working. I tried to do a minimal sanity test of "Can I connect to that AWS machine or not?", so here's what I tried:
1) I set up a new Amazon instance (Ubuntu 14.04), and I made sure that all incoming TCP connections were accepted.
2) I tried running sudo python -m SimpleHTTPServer 80.
3) This worked when logged into the machine and doing curl http://localhost:80/ and curl http://XX.XX.XX.XX:80/ (the machine's IP address substituted of course). However, on my local machine, the command just timed out.
I'm really looking forward to any guidance here, so I can hopefully go back to what I was originally doing (MongoDB, exposing a REST API, etc.). Really thankful for any suggestions since this has been driving me crazy!!
This is probably a security group issue.
When doing the curl http://XX.XX.XX.XX:80/ on the machine itself, did you try the internal IP (172.x.x.x / 10.x.x.x / 192.x.x.x) or the external IP?
Also, does the machine have an external ip assigned? (I'm guessing it does, otherwise ssh'ing to it would only be possible from another machine in the same subnet.)
Go to the AWS console, open the instance details and check the instance's security groups. Is port 80 open for the world (0.0.0.0/0)?
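The same three checks from the command line, as an added example that is not part of the original answer: read the instance's public IPv4 from IMDSv2 (run on the instance), list the attached security groups and the inbound TCP rules whose port range covers port 80, and decide whether any of them is open to the world. It assumes AWS CLI v2 and curl; INSTANCE_ID is a placeholder, and the two sample JSON responses are constructed so the parsing can be exercised offline. The last function opens the port to your own address only, which is narrower than the 0.0.0.0/0 the question used.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes AWS CLI v2 and curl;
# INSTANCE_ID is a placeholder to replace.
set -eu
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder, not a real instance
PORT="${PORT:-80}"

# Does the instance have a public IPv4 at all? Run ON the instance: IMDSv2
# needs a session token before the metadata path can be read.
public_ip_from_imds() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/public-ipv4"
}

# Security group ids attached to the instance.
attached_security_groups() {
  aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text
}

# Inbound TCP rules of one group whose FromPort..ToPort range covers $PORT, as JSON.
# Caveat: "all traffic" rules (IpProtocol -1) carry no ports and are not matched here.
rules_covering_port() {
  aws ec2 describe-security-groups --group-ids "$1" --output json \
    --query "SecurityGroups[].IpPermissions[?IpProtocol=='tcp' && FromPort<=\`$PORT\` && ToPort>=\`$PORT\`]"
}

# Pull the CidrIp values out of describe-security-groups JSON without jq.
cidrs_from_json() {
  grep -o '"CidrIp": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Print "yes" if any rule in the JSON is open to the whole IPv4 internet.
world_open() {
  if printf '%s\n' "$1" | cidrs_from_json | grep -qxF '0.0.0.0/0'; then echo yes; else echo no; fi
}

# Answer the security-group question for every attached group.
audit_port() {
  for sg in $(attached_security_groups); do
    echo "$sg: port $PORT open to the world: $(world_open "$(rules_covering_port "$sg")")"
  done
}

# Open the port to your own current address only, not 0.0.0.0/0.
allow_port_from_my_ip() {
  my_ip=$(curl -sS https://checkip.amazonaws.com)
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol tcp --port "$PORT" --cidr "$my_ip/32"
}

# Constructed sample responses (not real AWS output) in the shape rules_covering_port returns.
SAMPLE_RESTRICTED='[[{"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]]'
SAMPLE_WORLD='[[{"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "0.0.0.0/0"}]}]]'
```

Run audit_port with real credentials to see each group's verdict; if public_ip_from_imds prints nothing, the instance has no public address and no security group change will make the external curl work.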

VirtualBox machine - Set to access LAN only

I've got a VirtualBox machine set up and it runs fine. But I want to limit its network access to only computers on my LAN (192.168.2.x). I do not want it to have any type of incoming or outgoing access to the internet at all.
Just remove the default gateway in its IP settings. Or modify the operating system's hosts file.
If you're really serious about blocking it, though, you should block it via a firewall.
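The firewall approach the answer recommends, as an added example that is not part of the original answer: an iptables-restore ruleset, applied inside the guest, whose default policy drops everything and only admits loopback plus traffic to and from 192.168.2.0/24 in both directions. It assumes a Linux guest with iptables and a bridged adapter (so the guest actually holds a 192.168.2.x address); removing the default gateway alone would still let the guest talk to any non-LAN host reachable on the same link, which this ruleset also blocks.

```shell
#!/bin/sh
# Added example, not from the original answer: guest-side iptables ruleset
# that confines the VM to the LAN. Load with:  lan_only_rules | sudo iptables-restore
# Assumptions: Linux guest with iptables, bridged adapter, LAN is 192.168.2.0/24.
set -eu
LAN="${LAN:-192.168.2.0/24}"

# Emit the ruleset in iptables-restore format. Default policy DROP on all three
# chains, then allow only loopback and LAN traffic (with connection tracking so
# replies to LAN connections are accepted too).
lan_only_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $LAN -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $LAN -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count of ACCEPT rules, so a reader can confirm nothing else was admitted.
accept_rule_count() {
  lan_only_rules | grep -c -- '-j ACCEPT'
}

# Apply the ruleset (needs root inside the guest).
apply_lan_only_rules() {
  lan_only_rules | iptables-restore
}
```

Note that the guest can no longer reach internet DNS resolvers either; if it needs name resolution, run a resolver on a LAN host or rely on the hosts file the answer mentions.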

Setting Linux IP with C/C++

I am trying to find a way that I can effectively change the IP and netmask of the computer that my programs are running on. I have to be able to maintain communications with a "box" that the user has access to and can change the IP of that box (but not that of the Linux host). Luckily the box broadcasts its IP over a multicast address. I am able to read that address and communicate to whatever IP the box is broadcasting. However, my problem is that when the box changes IPs outside of the subnet of the Linux host, I lose connectivity (as I would expect to happen).
As a result, I need a quick and dirty way to change the IP and netmask of the Linux host when it detects that the IP being broadcast is outside its subnet. I am aware that I can modify/edit the /etc/networking/interfaces file, but I was hoping to have something "live" where I wouldn't need to restart the networking interface or Linux host. Additionally, I would like to maintain all sockets that I have currently open during the change. My main issue is that I have a slew of connections run by other applications that cannot be corrupted as a result of the IP changeover. Also, if possible, I'd like to avoid having to re-run the multicast route add command for Linux after the host IP changeover.
Is there anything that I can do to satisfy these requirements? Thanks.
You don't want to change the IP address of the interface, you want to add an additional IP address and subnet to the interface. Search your Linux system documentation for IP Alias functionality.
Here's the HOWTO.
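One shared helper serves two answers above, as an added example that is not code from either answer: a POSIX sh "is this IPv4 address inside that CIDR block" check. For the GCE ping question it tells whether the Mac's address is in one of the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that the VM cannot route to; for the C/C++ question it detects a box that has moved outside the host's subnet and adds a secondary address (the IP alias the answer recommends, here via `ip addr add`) in the box's subnet, leaving the primary address, existing sockets and existing routes, including the multicast route, untouched. IFACE, HOST_CIDR and the alias choice (highest usable host in the box's subnet) are assumptions; the box's prefix length comes from the caller because the multicast announcement carries only the address.

```shell
#!/bin/sh
# Added example, not from the original answers. Pure POSIX sh, no bc/jq.
# Assumptions: IFACE is the host's interface, HOST_CIDR its primary address/prefix.
set -eu

IFACE="${IFACE:-eth0}"                       # assumption
HOST_CIDR="${HOST_CIDR:-192.168.1.10/24}"    # assumption: host's primary address
DRY_RUN="${DRY_RUN:-1}"                      # 1 = only print the ip command

# Dotted quad -> unsigned 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (4294967295 = 0xFFFFFFFF).
prefix_to_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_cidr ADDR NETWORK/PREFIX -> success when ADDR lies inside the block.
# NETWORK may be a host address such as 192.168.1.10/24; it is masked first.
in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  mask=$(prefix_to_mask "${2#*/}")
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# (a) GCE ping question: private (RFC 1918) addresses are unreachable from the VM.
is_private_ip() {
  in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# (b) C/C++ question: pick a host address for the alias in the box's subnet,
# the highest usable host, stepping down one if the box itself uses it.
alias_address_for() {
  box=$(ip_to_int "$1")
  mask=$(prefix_to_mask "${2:-24}")
  alias_int=$(( (box & mask) | ((4294967295 & ~mask) - 1) ))
  if [ "$alias_int" -eq "$box" ]; then alias_int=$(( alias_int - 1 )); fi
  int_to_ip "$alias_int"
}

# Add the secondary address only when the box is outside HOST_CIDR. The primary
# address and every open socket stay as they are; existing routes are kept.
alias_for_box() {
  if in_cidr "$1" "$HOST_CIDR"; then
    echo "box $1 is inside $HOST_CIDR; no change needed"
    return 0
  fi
  cmd="ip addr add $(alias_address_for "$1" "${2:-24}")/${2:-24} dev $IFACE"
  echo "$cmd"
  if [ "$DRY_RUN" = 0 ]; then $cmd; fi   # needs CAP_NET_ADMIN (root)
}
```

With DRY_RUN=0 the `ip addr add` runs for real; remove the alias later with the matching `ip addr del` once the box returns to the host's subnet, or the secondary addresses will accumulate.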