I was logged into my AWS EC2 server via ssh. I ran iptables -P INPUT DROP to check something and I forgot to enable port 22 so that I could keep my ssh connection.
Is there something I can do to regain the connection?
You can use AWS Systems Manager Session Manager if your server has the AWS SSM agent installed on the EC2 server and the correct IAM permissions, etc.
Or you could use AWS Systems Manager Run Command to run a single command to fix the iptables, if you have the AWS SSM agent installed on the EC2 server.
Otherwise, since you didn't save the iptables rules, they should reset to the previous settings if you reboot the server.
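The lockout described in the question can be avoided the next time by ordering the allow rules before the policy flip and scheduling an automatic rollback. This is an added example, not code from the original answer; `SSH_PORT` and `ROLLBACK_SECS` are assumptions to adjust for your host.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): apply a default-DROP INPUT
# policy without locking yourself out of the SSH session that applies it.
# The allow rules come BEFORE the policy flip, and a timed rollback reverts
# the policy on its own if the host becomes unreachable. SSH_PORT and
# ROLLBACK_SECS are assumptions; adjust them for your host.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the ordered rule set. Kept as plain text so it can be reviewed or
# checked before anything is executed.
lockdown_plan() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Returns 0 only if the SSH allow rule precedes the DROP policy, i.e. the
# plan cannot cut off the session that applies it.
plan_is_safe() {
  allow=$(lockdown_plan | grep -n -- "--dport ${SSH_PORT} " | cut -d: -f1 || true)
  drop=$(lockdown_plan | grep -n -- "-P INPUT DROP" | cut -d: -f1 || true)
  [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

# Apply the plan with a safety net: after ROLLBACK_SECS the policy returns
# to ACCEPT unless the operator kills the background job first.
apply_lockdown() {
  plan_is_safe || { echo "refusing: unsafe rule order" >&2; return 1; }
  ( sleep "$ROLLBACK_SECS" && iptables -P INPUT ACCEPT ) &
  echo "rollback to ACCEPT scheduled in ${ROLLBACK_SECS}s (job pid $!)"
  lockdown_plan | sh -e
}

# Usage: sudo ./lockdown.sh apply   (then: kill <job pid> once verified)
if [ "${1:-}" = "apply" ]; then apply_lockdown; fi
```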
I am trying to connect to an EC2 instance from Jenkins via SSH. It always fails in the end. I am storing the SSH key in a global credential.
This is the task and shell, using the SSH Agent plugin
This is how I store the key (the whole key has been pasted in)
If I use an SSH connection from my local PC, everything is fine. I am a newbie in Jenkins, so this is very chaotic for me.
You need to use the SSH plugin. Download the plugin using Manage Jenkins and configure the EC2 instance in SSH remote.
Follow the steps in this link:
https://www.thesunflowerlab.com/blog/jenkins-aws-ec2-instance-ssh/
So, I have created an EC2 instance and I'm running a service on port 8088. For now, I'm using SSH to connect to it, with the following command:
ssh -i "~/Downloads/my_key.pem" -L 8087:127.0.0.1:8088 ec2-user@x.xxx.xx.xx
After starting the service on port 8088, I run localhost:8087 on my browser to interact with the service.
However, I want this service to be available to everyone having access to this AWS account. Basically, one shouldn't have to SSH to this and then be able to see it on their browser. I intend to create a URL for accessing this service. How do I achieve this?
I have an EC2 Windows 2019 Server instance in a VPC in the private subnet. I have a bastion instance in the public subnet, and I know the bastion instance works, because it is being used for internet access for my Lambda API. I have VPC endpoints to:
com.amazonaws.eu-west-2.ssm
com.amazonaws.eu-west-2.ec2messages
com.amazonaws.eu-west-2.ec2
I would like to connect with RDP to the EC2 instance to manage my MySQL RDS instance. I have been trying to get Systems Manager Session Manager Port Forwarding to work, following several guides.
I have tried every guide I could find, and everything seems to be set up correctly.
Is it required to have specific ports set up inbound / outbound on the bastion instance SG, or on the SG of the EC2 instance I want to RDP to? I have not been able to see that anywhere.
I have run AWSSupport-TroubleshootRDP and everything passes with "Success", and from the output everything looks good.
When I run the port forwarding command on my machine it starts the session, but I never get "Connection accepted" and the RDP connection fails when I try that.
Can anyone point me to what else I can do to verify that I have the correct network configurations, and to test why I am not getting "Connection accepted", as I have seen I should be getting from the guides.
Thanks in advance.
To test the ability to run RDP via Session Manager Port Forwarding, I did the following:
Launched an Amazon EC2 instance running Microsoft Windows Server 2019 Base
Associated an IAM Role with AmazonSSMManagedInstanceCore permissions
Set the Security Group to no inbound connections (to confirm that connections were being made via Session Manager)
Confirmed that I could use Session Manager to connect to PowerShell on the instance (using the Session Manager console)
Ran the following command on my Mac:
aws ssm start-session --target i-xxx --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["3389"]}'
Used Microsoft Remote Desktop (which connects via RDP) to connect to localhost
It prompted me for a password. I used Get Windows Password to decode and obtain the password.
It connected successfully
So, yes, you can use Session Manager Port Forwarding to establish an RDP connection with a Windows instance even if it is in a private subnet (which I simulated by removing all inbound rules on the security group).
If you are having further problems, it might be due to your VPC Endpoint configurations.
I am using the Mac terminal and I want to connect my machine to an EC2 server instance in AWS with SSH. Since I am using Mac OS X, it is not necessary to use PuTTY. The problem is that when I download the key it has the extension .ppk, but when I need to run it in the terminal I need to use a command in which I have to use the .pem extension. I tried to run it that way and it said to me "permission denied". Can someone help me with what to do in this case? Do I have to change the permission or convert my key from .ppk to .pem?
You need to know the folder of the .pem file you downloaded, and then follow the steps below:
download the key pair (.pem file)
cd to the key pair (.pem file) location (Note that you can use the absolute path name for the key pair instead)
chmod 400 [your_key_name].pem (Note that to make SSH work, your key must not be publicly viewable. Use this command if needed.)
ssh -i "[your_key_name].pem" ec2-user@[your ec2 dns name]
You will have to convert your "ppk" file to a "pem" file following these steps:
http://www.ramsmusings.com/2014/02/20/converting-a-putty-ppk-file-to-a-pem-file-for-accessing-aws-ec2-instances/
After you convert it, connect to the instance using the SSH command and the converted "pem" file:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
Quick answer
Instead of working directly with SSH keys, I would consider working with AWS ec2-instance-connect.
It saves you the management of the SSH keys and is much safer than sharing SSH keys for each EC2 machine between team members.
After authentication with the AWS credentials (by referring to a profile in the .aws/config file or using environment variables) you can connect to the instance very easily by providing the instance ID:
./bin/mssh <instance-ID>
Installation of this tool can be done via pip or directly from the GitHub repo.
Additional information
Amazon EC2 Instance Connect provides a simple and secure way to connect to your instances using Secure Shell (SSH).
With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies and principles to control SSH access to your instances, removing the need to share and manage SSH keys.
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata.
The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
You can use Instance Connect to connect to your Linux instances using a
browser-based client,
the Amazon EC2 Instance Connect CLI,
or the SSH client of your choice.
(*) Amazon Linux 2 2.0.20190618 or later and Ubuntu 20.04 or later come preconfigured with EC2 Instance Connect.
For other supported Linux distributions, you must set up Instance Connect on every instance that will support using Instance Connect. This is a one-time requirement for each instance.
Links:
Connect using EC2 Instance Connect
Securing your bastion hosts with Amazon EC2 Instance Connect
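The flow described in "Additional information" (one-time public key pushed to instance metadata, 60-second validity, sshd looking it up through AuthorizedKeysCommand) can be driven from a plain ssh client without the mssh wrapper. This is an added example, not code from the original answer or from the Instance Connect project; the instance ID, availability zone, OS user and host are arguments you supply, and the AWS CLI and ssh must be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): connect with EC2 Instance
# Connect using the stock ssh client. A throw-away key pair is generated
# per session, its public half is pushed through the Instance Connect API
# (valid in instance metadata for 60 seconds), and ssh must authenticate
# inside that window. All four arguments are values you supply.
set -eu

ic_ssh() {
  [ $# -eq 4 ] || { echo "usage: ic_ssh <instance-id> <az> <os-user> <host>" >&2; return 2; }
  instance="$1"; az="$2"; osuser="$3"; host="$4"
  keydir=$(mktemp -d)
  trap 'rm -rf "$keydir"' EXIT     # the private key never outlives the session
  ssh-keygen -q -t ed25519 -N '' -f "$keydir/ic_key"

  # Push the public key; sshd's AuthorizedKeysCommand on the instance fetches
  # it from instance metadata on the next login attempt.
  aws ec2-instance-connect send-ssh-public-key \
    --instance-id "$instance" --availability-zone "$az" \
    --instance-os-user "$osuser" \
    --ssh-public-key "file://$keydir/ic_key.pub" >/dev/null

  # Must happen within 60 s of the push; a stale key is simply rejected.
  ssh -i "$keydir/ic_key" -o IdentitiesOnly=yes "$osuser@$host"
}

# Usage: ./ic_ssh.sh <instance-id> <az> <os-user> <host>
if [ $# -eq 4 ]; then ic_ssh "$@"; fi
```

Because the key is ephemeral and scoped by the IAM policy on the caller, there is nothing long-lived to rotate or share between team members.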
Using the Jenkins EC2 plugin, I cannot get my Jenkins master to SSH to my Jenkins slave. The slave spins up and provisions properly, but:
INFO: Connecting to 10.99.3.6 on port 22, with timeout 10000.
Feb 24, 2016 5:13:27 PM hudson.plugins.ec2.EC2Cloud log
INFO: Failed to connect via ssh: There was a problem while connecting to 10.99.3.6:22
Though the Jenkins host claims to be failing when attempting to ssh to the slave node, I am able to ssh from a shell on the Jenkins host without error, and using the same authentication keys as specified in my configuration.
I have additionally attempted to add an id_rsa file containing the same key entered in the EC2 configuration to a .ssh directory in the Jenkins home dir and in the ec2-user home dir, which also did not work (which wasn't entirely unexpected).
Jenkins - v1.649
Amazon EC2 Plugin - v1.31
Using in-house Centos7.1 AMIs
Additional information: The slave instance ID is listed in the build executor box, but says "offline" next to it, even after I observe the instance in the EC2 console as running and available, and am able to SSH to it manually from the master.
As it turned out, this was an issue using Centos7 and JDK1.8. When using the same configurations with Centos6.5 and JDK1.7, the slaves spun up and connected properly.
Please add id_rsa.pub key from the master host's .ssh folder to authorized_keys on the slave host.
You can debug with the steps below:
Check the security group of the EC2 instance, to be certain that port 22 is open.
Use the *.pem file to authenticate to your EC2 instance from the Jenkins server.