in-browser SSH - IP address range - google-cloud-platform

One of the options to ssh into the instance is in-browser ssh. It only works if I allow SSH from 0.0.0.0/0 IP range.
Is there a way to get the range of specific IP address range(s) from where GCP will establish in-browser SSH?
P.S.: I am not talking about SSH from my laptop. I am talking about in-browser SSH.

The Handling "Unable to connect on port 22" error message documentation states that you can get Google's IP address range using the public SPF records.
Per the documentation, you'll need to run the three commands below from a linux VM instance:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
You may need to install dnsutils on the vm instance to be able to use dnslookup.
I just tested it and got various ranges for IPv6 and IPv4. I believe this are the ranges you are searching for.

I also wanted to restrict SSH access to in-browser only and found this
The client IP address in the SSH connection will be part of the range 35.235.240.0/20. This range is the pool of IP addresses used by IAP to proxy the connection from your browser to your instance. So, you can create a more restrictive VPC firewall rule allowing SSH connections only from this IP address range. As a result, only users allowed by IAP will be able to connect to VM using SSH.
(from https://cloud.google.com/community/tutorials/ssh-via-iap)

In order to allow SSH access from your laptop GCP console browser, you need to find your public IP address or external IP address of your LAN. You can check it in this link.Once you have your external IP address you need to create a FW to allow SSH access just from that external IP address.
Example:
gcloud compute firewall-rules create test-ssh-example \
--action allow \
--direction ingress \
--target-tags=[TAG] \ [You can specify a tag to apply this FW rule just to the VMs with the same tag. (optional)]
--rules tcp:22\
--source-ranges \
--priority 1000
With this option, only from that IP address you will be able to have SSH access to a VM instance.

Why don't you run the command who on your ssh session, to see where the connection is originating from?
The search the excellent Cloud Platform documentation to see if an automation to allow this already exists. Otherwise write one.
This is not the best place to do your firewalling from, as its one more configuration to keep up to date. I would recommend an application firewall, or just adding a rate limit to your existing firewall. The chances of someone logging into your servers if you use keys, is virtually 0, even with a 14 character random password, and rate limited new connections. If you use keys or a password manager (as you should), use fail2ban.

Related

How to use the same static IP address with different ISPs?

I have a database server configured on AWS and I want to restrict access to it only from my computer's IP.
The problem is as IP addresses get assigned dynamically by the ISPs, I manually need to whitelist my IP address before accessing the server from my computer, everytime I switch from my home network to some other network.
I have been able to set a static IP address for my machine, but when I try to change my ISP from local broadband to mobile internet's hot-spot or to another network different from my broadband, the connection seems to fail. Is there any way to make my machine use the same static IP while using different ISPs ?
Here's a script I use:
IP=`curl -s http://whatismyip.akamai.com/`
aws ec2 authorize-security-group-ingress --group-name GROUP-NAME --protocol tcp --port 22 --cidr $IP/32 --output text
In this example, it is adding my current IP address to the security group for use with SSH (port 22). You can modify it for your needs.
Please note that there is a maximum number of security group rules, so you will need to "empty it out" after you've hit the limit.

How to connect to Amazon EC2 instance?

After I created a ubuntu VM(Amazon EC2 instance), I see below entry in "view instances":
I see public dns as Public DNS: ec2-13-58-17-118.us-east-2.compute.amazonaws.com
Instance: i-08c551d9713dfcd06 (ubuntu_VM)
Security groups: sg_ubuntu. view inbound rules. view outbound rules
To connect to this Amazon EC2 instance(ubuntu VM), am using below syntax from my ubuntu laptop:
ssh -i "ubuntu_key.pem" ubuntu#ec2-13-58-17-118.us-east-2.compute.amazonaws.com
and it works, but I do not know the reason, for its working
I understand that ec2-13-58-17-118.us-east-2.compute.amazonaws.com is domain name
1) What is ubuntu in ubuntu#ec2-13-58-17-118.us-east-2.compute.amazonaws.com?
2) Why Amazon EC2 instance creation process does not ask for assigning hostname to the EC2 instance, on aws website? after sshing, I see some dynamic hostname assigned(ip-172-31-30-203) which is not good for me...
3) What is security group? amidst creation of EC2 instance...
1) ubuntu is the username of that particular ec2 instance. In this case, since your instance is using Ubuntu, then by default you get that username. If you had created an instance using Amazon Linux 2, it would of have been ec2-user. You can check more here.
If you intend to change this username, you can in fact. Just like you would in any Linux OS, except for a few extra steps you need to follow in order to connect using SSH with this new username.
2) Each time you stop and restart your Amazon EC2 instance (unless you are using an Elastic IP address), the public IPv4 address changes, and so does your public DNS name, system hostname, and shell prompt. This is found in the user guide. If you want to have a static IP, you must create an Elastic IP address, although, it has a cost.
3) The security group, is a set of rules of how to access (inbound rules) your instance and what can your server reach (outbound rules). By default, if not mistaken, in your inbound rules, you should only have your SSH connection available.
ubuntu is the username on the server
I'm not sure why this is, but you are able to change it using the command sudo hostnamectl set-hostname your-desired-hostname. You can read more in the AWS UserGuide
Security groups are firewall rules that you can use to protect your VM from the outside world. You can block access to specific ports, only allow access to specific ports from an IP address or IP range. For example, you can use it to restrict access to SSH only to your office IP address to prevent anyone else from logging into your EC2 instance.

Cannot connect to EC2 - ssh: connect to host port 22: Connection refused

I am currently overseas and I am trying to connect to my EC2 instance through ssh but I am getting the error ssh: connect to host ec2-34-207-64-42.compute-1.amazonaws.com port 22: Connection refused
I turned on my vpn to New York but still nothing changes. What reasons could there be for not being able to connect to this instance?
The instance is still running and serving the website but I am not able to connect through ssh. Is this a problem with the wifi where I am staying or with the instance itself?
My debugging steps to EC2 connection time out
Double check the security group access for port 22
Make sure you have your current IP on there and update to be sure it hasn't changed
Make sure the key pair you're attempting to use corresponds to the one attached to your EC2
Make sure your key pair on your local machine is chmod'ed correctly. I believe it's chmod 600 keypair.pem check this
Make sure you're in either your .ssh folder on your host OR correctly referencing it: HOME/.ssh/key.pem
Last weird totally wishy washy checks:
reboot instance
assign elastic IP and access that
switch from using the IP to Public DNS
add a : at the end of user#ip:
Totally mystical debugging sets for 6 though. That's part of the "my code doesn't work - don't know why. My code does work - don't know why." Category
Note:
If you access your EC2 while you are connected to a VPN, do know that your IP changes! So enable incoming traffic from your VPN's IP on your EC2 security group.
In AWS, navigate to Services > EC2.
Under Resources, select Running Instances.
Highlight your instance and click Connect.
In Terminal, cd into the directory containing your key and copy the command in step 3 under "To access your instance."
In Terminal, run: ssh -vvv -i [MyEC2Key].pem ec2-user#xx.xx.xx.xx(xx.xx.xx.xx = your EC2 Public IP) OR run the command in the example under step 4.
Just check if your public ip that you get when you are on VPN is configured as a source address in the SG inbound entry that opens up port 22.
You can check your ip using https://www.google.co.in/search?q=whats+my+ip, when connected to your VPN.
I tried everything in this and several other answers, also in some aws youtube videos. Lost perhaps five hours over a few sessions trying to solve it and now finally..
I was getting the exact same error message as the OP. I even rented another EC2 instance in a nearer data centre for twenty minutes to see if that was it.
Then I thought it might be the router or internet provider in the guest house where I am staying. Had already noticed that some non-mainstream news sites had been blocked - and that was it!
You can check if the router is blocking port 22:
https://superuser.com/questions/1336054/how-to-detect-if-a-network-is-blocking-outgoing-ports
cardamom#neptune $ time nmap -p 22 portquiz.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-03 20:43 CET
Nmap scan report for portquiz.net (27.39.379.385)
Host is up (0.028s latency).
rDNS record for 27.39.379.385: ec2-27-39-379-385.eu-west-3.compute.amazonaws.com
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
real 0m0,212s
user 0m0,034s
sys 0m0,017s
Then, the question of why someone would want to block the ssh port 22 is addressed in at length here:
https://serverfault.com/questions/25545/why-block-port-22-outbound
Had the same problem after creating some instances on a new VPC. (If internet SSH worked before this solution may not work for you)
When creating a new VPC, make sure you create an internet gateway (VPC -> Internet Gateways)
And also make sure that your VPC's routing table (VPC -> Route Tables) has an entry which redirects all IPs (or just your IP) to the internet gateway you just created.
For me, it was because of this:
NOT ec2-user#xx.xx.xx.xx
BUT THIS =>>> ubuntu#xx.xx.xx.xx
Watch the image of EC2 instance!
Instead of
ssh -i "key.pem" ubuntu#ec2-161-smth.com
use
ssh -i "key.pem" ec2-user#ec2-161-smth.com

How to access monitoring web UI when running spark on AWS

I'm running spark from AWS EC2. As the spark documentation said
"Each driver program has a web UI, typically on port 4040, that displays information about running tasks, executors, and storage usage. Simply go to http://:4040 in a web browser to access this UI"
My question is: what is this "driver-node"?
I thought it's the public IP of the driver node xx.xx.xxx.xx. But I kept getting page not found error when I user http://xx.xx.xxx.xx:4040
Please help.
Remember to create a security group and assign to it and open the inbound port such as 0.0.0.0/0 with port 4040
Then you should be fine to access it with its public IP, such as:
http://54.xx.xx.xx:4040
0.0.0.0/0 is opened to all, you can change it to your own IP or other ip ranges to limit the traffic.
I had the exact same question as you. Eventually, the should be replaced by your IP address.
But not the IP address after you google "what's my IP address". You should execute ipconfig in command line and use that IP address in the URL.
And if you don't have a valid sparkContext (sc) running, the UI will return error
Alternatively
ssh tunnel to the remote/ec2 port, e.g.,
ssh -i "c:\path\to\keypair.pem" -N -L \
4040:ec2-##-###-###-##.us-east-2.compute.amazonaws.com:4040 \
ec2-user#ec2-##-###-###-##.us-east-2.compute.amazonaws.com
Then just connect your browser to http://localhost:4040/

Configuring AWS using ISP assigned IP?

I'm trying to host a website on AWS and I came across this:
If you are connecting through an ISP or from behind your firewall
without a static IP address, you need to find out the range of IP
addresses used by client computers. If you don't know this address
range, you can use 0.0.0.0/0 for this tutorial. However, this is
unsafe for production environments because it allows everyone to
access your instance using RDP.
My intention was to host my personal website. I connect through an ISP and do not have a static IP address and I'm not sure about the range of IP addresses.
Is there another way to solve this or would I be best to use a different web host such as godaddy, name.com, etc..?
The recommendation is that you don't allow RDP (or ssh if you go with a linux-based server) from the internet in general (i.e. 0.0.0.0/0).
Instead, you should restrict access to your ip (1.2.3.4/32). The problem with this is that when your ISP-provided IP address changes, you will be locked out until you adjust your security rules.
Now, for a personal web site, if you're not accessing it a lot, that's probably not a big deal. Chances are that your ip address doesn't actually change that often, and when it does you can remember to update the security group.
If you want to automate it, you can do this from a script that would query one of the many services that provide this, and then update the security group via the aws cli.
Finally, another option is to set up a VPN between your AWS VPC and your local network. This is probably overkill for your problem, but is something to consider when you want to extend your local network into AWS.
Here is a script that can automate the additional of an IP address to Inbound Security Group rules:
IP=`curl -s icanhazip.com`
aws ec2 authorize-security-group-ingress --group-name "RDS-SG" --protocol tcp --port 22 --cidr $IP/32