Please help! I've spent multiple days trying to ssh into my EC2 instance.
I'd been able to do this for the first 24 or so hours. Then as I was adding dependencies to my instance I got booted. Now I'm unable to get back in. At one point my Public DNS changed but I've accounted for this.
My security groups, VPCs, internet gateways, route tables, subnets, firewall, etc. seem to all be in order too.
What is the issue here? Please advise!
Test connectivity to SSH
Create another EC2 instance in the same subnet of the target EC2.
Make sure the egress rule allows all outbound traffic, and the inbound rule allows traffic to port 22.
Copy the SSH private key to ~/.ssh/ and make sure to remove group/other rw permissions.
Install telnet or nc if not installed in the new EC2.
Test the connectivity to the target EC2 from the new EC2.
telnet ${TARGET_HOST_IP} 22
If this works and you can connect, then the SSH server is up and running. If not, the SSH server is not running, or port 22 is not open.
If the SSH server is down, there are some ways to try to fix it.
See User is reporting that they've unable to SSH into an EC2 instance in AWS?
for options such as mounting the root EBS volume on another EC2, or using user data to reconfigure.
Login to EC2 from EC2 console
Connect Using the Browser-based Client
If you can log in, then make sure the SSH server is up and running. Then make sure ~/.ssh/authorized_keys has the public key. Check /var/log/auth.log or /var/log/secure to verify whether the login is denied when you try to SSH into the EC2 from outside.
Clone to investigate or to replace
If you can, shut down the EC2 instance, take an EBS snapshot of the root volume, then mount it on another EC2 you can SSH into, and investigate dmesg and the /var/log files for any errors that may prevent SSH connections. Verify the SSH server configuration and the ~/.ssh/ files.
Or simply copy the contents you need from the EBS snapshot to a new EC2 instance and replace the original one with the new one.
AWS is clear that to create a snapshot of the root EBS volume, the instance needs to be shut down. Otherwise the integrity of the snapshot is not assured.
Update
To restore the SSH public key or the permissions of the ~/.ssh folder, also see User is reporting that they've unable to SSH into an EC2 instance in AWS?
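The telnet/nc check above distinguishes three outcomes, and it helps to name them explicitly. The following script is an added example (not code from the answer above): it does the same TCP probe from Python, reads the identification banner that sshd sends first, and maps the result to the likely cause. A silent timeout means the packets are being dropped before they reach the instance (security group, NACL, route table); an immediate refusal means the instance is reachable but nothing is listening on the port (sshd down or bound elsewhere); a banner starting with "SSH-" means sshd is up and the problem lies in authentication. The fake listener is a constructed test double so the script can be exercised offline; point it at ${TARGET_HOST_IP} 22 in practice.

```python
import socket
import sys
import threading

DEFAULT_TIMEOUT = 5.0  # seconds; a security group drop shows up as this timeout expiring


def probe_ssh(host, port=22, timeout=DEFAULT_TIMEOUT):
    """TCP-connect to host:port and read the first line sshd sends.

    Returns {'state': 'open'|'refused'|'timeout'|'error', 'banner': str|None}.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""  # port open, but the peer never sent a banner
            banner = data.split(b"\n", 1)[0].strip().decode("utf-8", "replace") or None
            return {"state": "open", "banner": banner}
    except socket.timeout:
        return {"state": "timeout", "banner": None}
    except ConnectionRefusedError:
        return {"state": "refused", "banner": None}
    except OSError as exc:
        return {"state": "error", "banner": None, "detail": str(exc)}


def explain(result):
    """Translate a probe result into the troubleshooting step it points at."""
    state = result["state"]
    if state == "open" and result["banner"] and result["banner"].startswith("SSH-"):
        return "sshd is up: " + result["banner"] + " (look at authentication next)"
    if state == "open":
        return "port open but no SSH banner: something other than sshd is listening"
    if state == "refused":
        return "host reachable, nothing listening: sshd is down or bound to another port"
    if state == "timeout":
        return "no answer at all: security group, NACL or route table is dropping the traffic"
    return "connection error: " + result.get("detail", "")


def start_fake_sshd(banner=b"SSH-2.0-OpenSSH_demo\r\n"):
    """Constructed test double: a loopback listener that only sends an SSH banner.

    Returns the ephemeral port it listens on. Not a real sshd.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Pick a loopback port that nothing is listening on (to demonstrate 'refused')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: python probe.py <host> <port>; with no arguments it probes the fake listener
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_fake_sshd()
    print(explain(probe_ssh(host, port)))
```

Run it from the helper instance in the same subnet against the target's private IP; the "timeout" branch is the one that sends you back to the security group and route table, while "sshd is up" sends you to authorized_keys and the auth log.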
Related
I am trying to install KafkaMagic on ec2 to manage our kafka cluster. I created an EC2 instance on our VPC and added the following inbound rules to the associated security group:
I then made sure the Network ACL had inbound rules to allow traffic
Where I saw that * is a catch-all rule, so rule 100 should overwrite this. I then connected to my EC2 instance using EC2 Instance Connect and downloaded KafkaMagic and got it running on localhost:5000 of my EC2 instance. Using the public DNS for the EC2 instance I connected to {publicIp}:5000, where publicIp was copy-pasted. I was unable to connect.
I'm assuming there is a gap in my understanding of what happened. Where did I go wrong along the way setting this up? I'm very new to AWS and I might be missing an important concept.
I needed to run the application on a non-localhost URL. I updated the Kafka Magic URL through this link: https://www.kafkamagic.com/download/#configuration to be on 0.0.0.0:5000, and then I was able to use the public IP associated with my instance to run the application on port 5000.
I created an Elastic Beanstalk environment from Visual Studio and need to login to service the underlying ec2 vm.
I don't have any credentials for the server, so I wanted to use EC2 Instance Connect.
When I click connect, I get an error message:
We were unable to connect to your instance. Make sure that your instance’s network settings are configured correctly for EC2 Instance Connect. For more information, see Task 1: Configure network access to an instance.
Following the link, I found the instructions:
Ensure that the security group associated with your instance allows inbound SSH traffic on port 22 from your IP address or from your network.
(Amazon EC2 console browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.
How do I connect to the Elastic Beanstalk underlying EC2 via EC2 Instance Connect?
What I've tried:
I created a new security group that contains my client IP address, but that didn't work. Which makes sense, as it's the EC2 Instance Connect app running in the Console making the SSH connection, not my local machine.
Also looked at the IP ranges JSON file (https://ip-ranges.amazonaws.com/ip-ranges.json), but not sure what to do with that.
I misunderstood the Set up EC2 Instance Connect instructions. This support article had clearer instructions: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/
Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.
The key was to find the IP for EC2 Instance Connect and then create a security group to whitelist that IP address.
EC2 Instance Connect IP can be retrieved via PowerShell by using Get-AWSPublicIpAddressRange (or curl). For us-west-2:
> Get-AWSPublicIpAddressRange -Region us-west-2 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix
IpPrefix
--------
18.237.140.160/29
Once I configured my Security Group to use that Source I could connect.
Generally, a better way than using EC2 Instance Connect is through SSM Systems Manager. It does not require opening any inbound ports. Instead you should add/modify your instance role to allow SSM to work. What's more, you can control access to your instance using regular IAM permissions, unlike for EC2 Instance Connect.
Connection through SSM is in the same menu in the AWS console as EC2 Instance Connect. Thus, once you set up your instance role, wait a few minutes for the instance to register with SSM, and once this happens you should be able to use SSM Systems Manager to connect to your instance from the console.
Regarding the EC2 Instance Connect IP range: I don't know which published range applies only to EC2 Instance Connect. You would probably have to filter it by region and then find one which works. In the worst-case scenario it's a try-and-see approach.
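The two answers above differ on how to find the right range: the first filters ip-ranges.json by the EC2_INSTANCE_CONNECT service key and the region, the second is unsure which range applies. The file is unambiguous on this point, since every prefix carries a "service" and a "region" field, so the filter can be done without guessing. The following is an added example, not code from either answer or from AWS: it applies that filter, builds the IpPermissions structure that aws ec2 authorize-security-group-ingress --ip-permissions accepts, and checks whether a given source address is covered by the result. The embedded document is a constructed excerpt in the shape of the real file; the prefixes in it are made up (the real us-west-2 value shown above was 18.237.140.160/29 at the time of the answer). load_ip_ranges() fetches the live file when you run it for real.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
SERVICE_KEY = "EC2_INSTANCE_CONNECT"

# Constructed excerpt with the same fields as the published file; prefixes are documentation ranges, not real AWS ones.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "us-west-2", "service": SERVICE_KEY, "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/29", "region": "eu-west-1", "service": SERVICE_KEY, "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [],
})


def sample_doc():
    """Parsed form of the constructed excerpt, for offline use."""
    return json.loads(SAMPLE_IP_RANGES)


def load_ip_ranges(url=IP_RANGES_URL):
    """Download and parse the live ip-ranges.json (network access required)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def instance_connect_prefixes(doc, region):
    """IPv4 prefixes tagged with the EC2_INSTANCE_CONNECT service key for one region."""
    return sorted(
        p["ip_prefix"]
        for p in doc["prefixes"]
        if p["service"] == SERVICE_KEY and p["region"] == region
    )


def ingress_permissions(prefixes, port=22):
    """IpPermissions list for authorize-security-group-ingress: TCP/22 from exactly these prefixes."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [
            {"CidrIp": str(ipaddress.ip_network(p)), "Description": "EC2 Instance Connect"}
            for p in prefixes
        ],
    }]


def source_is_covered(prefixes, source_ip):
    """True if the address an SSH connection came from falls inside one of the allowed prefixes."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-west-2"
    doc = load_ip_ranges() if "--live" in sys.argv else sample_doc()
    prefixes = instance_connect_prefixes(doc, region)
    print(json.dumps(ingress_permissions(prefixes), indent=2))
```

The point of the exercise is least privilege on the security group: the rule admits only the service's own /29 for your region rather than 0.0.0.0/0. Because AWS republishes the file, re-run the filter periodically and compare it with the current rule; a mismatch is the "try-and-see" failure the second answer describes.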
I have read several stackoverflow posts, but none seem to help.
I want to ssh into my ec2 instance, so I downloaded the private key file as stated in the instructions from aws. After executing "sudo ssh -v -i ubuntu#", my ssh server hangs with no success or failure message.
I made sure my EC2 instance can accept SSH connections and that my private key file does have the correct permissions. Any other debugging steps to resolve this issue?
When an SSH connection times-out, it is normally an indication that network traffic is not getting to the Amazon EC2 instance.
Things to check:
The instance is running Linux
The instance is launched in a public subnet, which is defined as having a Route Table entry that points to an Internet Gateway
The instance has a public IP address, which you are using for the connection
The Network Access Control Lists (NACLs) are set to their default "Allow All" values
A Security Group associated with the instance that permits inbound access on port 22 (SSH) either from your IP address, or from the Internet (0.0.0.0/0)
Your corporate network permits an outbound SSH connection (try alternate networks, e.g. home vs work vs tethered to your phone)
See also: Troubleshooting connecting to your instance - Amazon Elastic Compute Cloud
I am setting up a new EC2 Amazon Linux 2 AMI and am having a try at setting up EC2 Instance Connect as it's preinstalled on my new instance.
From what I've understood the docs to mean, I should be able to create an IAM user, add a public key to that user and then SSH into the box using the IAM user's (public) key without having to create the .ssh folder on the EC2 instance.
What I've done is:
Create a user on the EC2 instance which my IAM user should map to (let's call him bob)
Uploaded my public OpenSSH key to the IAM user
Created a permission policy which allows the action ec2-instance-connect:SendSSHPublicKey (as per the docs)
Once these are all done, if I try to SSH into the box, it doesn't work and in my /var/log/secure I see a preauth failure.
If I create the .ssh/authorized_keys file and set the permissions correctly, everything works fine.
However, my understanding of the EC2 Instance Connect approach is that it gives me a central way to manage public-key based access to my instances.
Am I correct?
Am I missing something in how I'm setting this up?
I'm finding the documentation a little unclear, so some insight would be helpful.
Thanks!
EC2 Instance Connect works as follows:
You issue a command that pushes a temporary public key to the instance, such as:
$ aws ec2-instance-connect send-ssh-public-key --instance-id i-001234a4bf70dec41EXAMPLE --availability-zone us-west-2b --instance-os-user ec2-user --ssh-public-key file://my_rsa_key.pub
You then establish an SSH connection to the instance using the private half of the keypair
Within the instance, the EC2 Instance Connect software interfaces with the ssh process and checks whether the SSH key provided matches the public key that was pushed with send-ssh-public-key (and it is within 60 seconds of receiving that key)
If they match, the SSH session is permitted
See: Connect Using EC2 Instance Connect - Amazon Elastic Compute Cloud
EC2 Instance Connect also provides a web-based interface that can both initiate the above process (using a temporary random keypair) and provide an SSH interface. When doing so, the SSH connection appears to come from within AWS, not your own IP address. This is because the web interface uses HTTPS to AWS, then AWS establishes the SSH connection to the instance. This has an impact on security group configuration.
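Two places in this thread point at the sshd log as the arbiter of what went wrong: the earlier answer says to check /var/log/auth.log or /var/log/secure for denied logins, and the question above reports a preauth failure in /var/log/secure when the pushed key was not accepted. The script below is an added example (not code from any answer, and not part of EC2 Instance Connect) that parses the common sshd messages, counts them per source address, and turns the counts into the diagnosis that matters here: no lines at all from your address means the connection never reached sshd (the timeout case), a "[preauth]" close for the OS user means sshd was reached but the offered key did not match, which with EC2 Instance Connect is what a missing or expired (older than 60 seconds) pushed key looks like. The log excerpt is constructed; hostnames, PIDs and addresses are made up, though the accepted line's source sits inside the /29 quoted earlier on this page.

```python
import re

# Constructed /var/log/secure excerpt in OpenSSH's message formats; all values are made up.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:02 ip-10-0-1-5 sshd[1234]: Accepted publickey for ec2-user from 18.237.140.162 port 45522 ssh2: RSA SHA256:EXAMPLEfingerprint
Mar  3 10:02:10 ip-10-0-1-5 sshd[1240]: Connection closed by authenticating user bob 203.0.113.10 port 51000 [preauth]
Mar  3 10:02:11 ip-10-0-1-5 sshd[1241]: Invalid user admin from 198.51.100.7 port 40000
Mar  3 10:02:12 ip-10-0-1-5 sshd[1242]: Did not receive identification string from 198.51.100.7 port 40001
Mar  3 10:03:00 ip-10-0-1-5 sshd[1250]: Connection closed by authenticating user bob 203.0.113.10 port 51002 [preauth]
"""

KINDS = ("accepted", "preauth_closed", "invalid_user", "no_ident")

# One regex per sshd message we care about; named groups pull out the user and source address.
PATTERNS = [
    ("accepted", re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("preauth_closed", re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("no_ident", re.compile(r"Did not receive identification string from (?P<ip>\S+)")),
]


def classify(line):
    """Map one log line to {'kind', 'ip', 'user'} or None if it is not a tracked sshd event."""
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return {"kind": kind, "ip": m.group("ip"), "user": m.groupdict().get("user")}
    return None


def summarize(text):
    """Per-source-address counts of each event kind plus the set of user names attempted."""
    summary = {}
    for line in text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        entry = summary.get(ev["ip"])
        if entry is None:
            entry = dict.fromkeys(KINDS, 0)
            entry["users"] = set()
            summary[ev["ip"]] = entry
        entry[ev["kind"]] += 1
        if ev["user"]:
            entry["users"].add(ev["user"])
    return summary


def diagnose(summary, client_ip, os_user):
    """What the log says about one client address trying to log in as os_user."""
    entry = summary.get(client_ip)
    if entry is None:
        return ("no sshd entries from this address: the connection never reached sshd "
                "(security group, NACL, routing) or sshd is not listening")
    if entry["accepted"]:
        return "public key accepted: authentication is working"
    if entry["preauth_closed"] and os_user in entry["users"]:
        return ("sshd reached but the offered key was not accepted: check ~/.ssh/authorized_keys "
                "and its permissions, or push the key again (EC2 Instance Connect keys are valid for 60 seconds)")
    if entry["invalid_user"]:
        return "the OS user does not exist on the instance: check the --instance-os-user / login name"
    if entry["no_ident"]:
        return "TCP connected but no SSH handshake: the client or a scanner did not speak SSH"
    return "sshd reached; review the raw lines for this address"


if __name__ == "__main__":
    import sys
    # usage: python triage.py /var/log/secure <your-ip> <os-user>; no arguments runs on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    ip = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.10"
    user = sys.argv[3] if len(sys.argv) > 3 else "bob"
    print(diagnose(summarize(text), ip, user))
```

When the connection comes through the browser-based client, the address to look for is the EC2 Instance Connect range for the region, not your own IP, which is the same security-group point made in the answer above.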
Because I am running an application (Airflow) in a Python virtual environment on my EC2 instance and I want to run a command in my default Python environment on the same EC2 instance, I thought it was easier to SSH to my own instance and execute the command.
The problem I have is that I cannot connect to my own instance.
I added the security group ID of my EC2 instance to my inbound configuration (SSH on port 22), but this did not work.
It does work when I set my SSH inbound configuration on port 22 from anywhere, but I don't want to do that.
My outbound config allows all traffic.
If you are connecting from another EC2 instance in the same subnet, you'll want to allow the private IP of that EC2 instance, not your local address.