I get a connection refused message when attempting to ssh to my ec2 server while tethering from my android phone.
ssh <server-ip>
I have added my IP address to the EC2 security group associated with the server.
I can ssh in fine when connected to WIFI, just not when I am tethering.
Any help to troubleshoot this would be appreciated.
akhosraviansMBP:~ akhosravian$ ssh -vvv <ip-address>
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/akhosravian/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to <ip-address> [<ip-address>] port 22.
debug1: connect to address <ip-address> port 22: Connection refused
ssh: connect to host <ip-address> port 22: Connection refused
If I allow connections from SSH 0.0.0.0/0 I am able to connect. Maybe the IP address I am getting from whatsmyip.com is incorrect? Where can I find my external IP address when tethering from my phone?
You will need to go into the port settings for the Security Group your instance is apart of. You will then need to set port 22 to 'allow from anywhere'
Due to your ip changing regularly when tethering (as you change mobile towers, location, etc) it will change often.
As you can see in the photo below, you would click where it says custom, type in ssh - which will set it to the default port, being 22, and then set the Source on the far right to 0.0.0.0/0
In my case I had to add to the Security Group both computer's and phone's IP addresses.
The phone kept changing quite often as well, so I ended up setting on a very open xxx.yyy.0.0/16 for both, which is not super good but better than "Allow From Anywhere".
Related
I was following an tutorial and by mistake I typed the command listen 127.0.0.1 and restarted sshd service. When I tried to login again, I got:
ssh: connect to host x.x.x.x port 22: Connection refused
Did I lost forever access to my server?
Is there any way to connect on the ec2 instance and fix it?
Restarted server, than the same:
OpenSSH_8.1p1, LibreSSL 2.7.3
...
debug2: resolve_canonicalize: hostname x.x.x.x is address <br>
debug2: ssh_connect_direct debug1: Connecting to x.x.x.x port 22. <br>debug1: connect to address x.x.x.x port 22: Connection refused <br>
ssh: connect to host x.x.x.x port 22: Connection refused<br>
Is there a way to reset the /etc/ssh/sshd_config from was console?
Sorry, probably the problem was not the listen command but PasswordAuthentication yes entry on sshd_config
I believe the solution will be to create a new instance, attach this volume to it, change the file and the return it to previous instance. Is there a simpler solution?
I am trying to connect to an EC2 machine with the following command line on my terminal:
ssh -i id_rsa_aws <ec2_ip_address> -l ec2-user -vvv
Here is the result:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname <ec2_ip_address> is address
debug2: ssh_connect_direct
debug1: Connecting to <ec2_ip_address> [<ec2_ip_address>] port 22.
debug1: Connection established.
debug1: identity file id_rsa_aws type 0
debug1: identity file id_rsa_aws-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
ssh_exchange_identification: read: Operation timed out
My ssh_config file:
Host *
SendEnv LANG LC_*
I know the problem must come from my computer. I have tried using the .pem file and I am getting the same error.
Any help would be appreciated.
Thank you
Things to check:
The instance is running Linux
The instance is launched in a public subnet, which is defined as having a Route Table entry to points to an Internet Gateway
The instance has a public IP address, which you are using for the connection
The Network Access Control Lists (NACLs) are set to their default "Allow All" values
A Security Group associated with the instance that permits inbound access on port 22 (SSH) either from your IP address, or from the Internet (0.0.0.0/0)
Your network permits an outbound SSH connection (try alternate networks, eg home vs work vs tethered to your phone)
See also: Troubleshooting connecting to your instance - Amazon Elastic Compute Cloud
Although my issue looks very generic and common, it doesn't seem to be identical to anything discussed here in stackoverflow. SecurityGroup has been set up with "MyIP" for ssh connection and I have been using correct pub IP to connect. Yet, I'm still getting timeout error as below. Is there something that I need to change in my Mac?
MacBook-Pro ~ % ssh -vvv -i ~/Documents/awsdemo/aws-livelessons.pem ec2-user#18.181.146.195
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 18.181.146.195 is address
debug2: ssh_connect_direct
debug1: Connecting to 18.181.146.195 [18.181.146.195] port 22.
debug1: connect to address 18.181.146.195 port 22: Operation timed out
ssh: connect to host 18.181.146.195 port 22: Operation timed out
Here's my Security Group. You can see that it does have correct protocol and entered with my public IP.
Security Group Screenshot
And I can confirm that it does match when I look up via terminal.
MacBook-Pro ~ % dig TXT +short o-o.myaddr.l.google.com #ns1.google.com
"58.12.38.113"
And the EC2 instance does have this security group attached.
EC2 Instance Screenshot
If there are any other ways to troubleshoot this, I'd really appreciate it.
Based on the comments, the issue was due to use of non-default NACLs. The solution was to allow SSH in the NACLs.
According this AWS doc: Scenario 2: VPC with Public and Private Subnets (NAT) I have my own VPC with two subnets: private and public. In public subnet I have deployed an Ubuntu 16.04 Instance with assigned EIP. It also has next security group inbound rules:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
and outbound accordingly:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
Looks nice, I can ssh it externally from my home. No problem.
In private subnet I have deployed another one Ubuntu 16.04 machine with next security group (inbound rules):
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
and no outbound rules (actually it has 80, 443 outbound ports opened, but its not an interesting part as I guess). And I still can reach this virtual machine using ssh from my bastion.
Right now I just want to make only one simple thing - run ssh port forwarding so I can run localhost:8080 on my home PC browser and see the webpage I published on my private instance. If I understand it correctly from here and here (and from here as well) I have to run something like:
ssh -N -v -L 8080:10.0.1.112:80 ubuntu#3.121.46.99
Which as I guess basically means: just forward a traffic from private subnet instance with IP 10.0.1.112:80 to my localhost:8080 through my bastion VM with username ubuntu hosted on EIP 3.121.46.99.
Debug ends with lines:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai#3.121.46.99: Permission denied (publickey).
I am playing around it few days and I still can't get what am I doing wrong. Its so strange: I can ssh -A (to allow forwarding) to my bastion, I can ssh to my private instance from bastion. But I cant establish SSH tunnel to see my webpage (in the future it will be mongodb) without an error. Need some advice or point to the right direction, please! Thank you.
UPD#1
Ok then. If I make manual forwarding using my local machine and my bastion, I get an expected result. Basically it means run this command on bastion:
ubuntu#bastion: ssh -v -N -L 5000:localhost:8000 ubuntu#10.0.1.68
After that runs command on local/home machine:
matterai#homepc: ssh -v -N -L 5000:localhost:5000 ubuntu#3.121.46.99
When I make a request to localhost:5000 on my local machine, I can see the result page. May I and how if it's possible to combine this two commands? (spoiler: yes, it's possible: see the answer!)
Ok, it's easy. Hope my answer will help somebody.
You need to use ssh -J option to connect through your bastion virtual machine:
-J [user#]host[:port]
Connect to the target host by first making a ssh connection to
the jump host and then establishing a TCP forwarding to the ulti‐
mate destination from there. Multiple jump hops may be specified
separated by comma characters. This is a shortcut to specify a
ProxyJump configuration directive.
Then you need to forward traffic from your destination virtual machine port (:8000) where the app (or database) started to your localhost port (:5001) using ssh -L:
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by
allocating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.
Port forwardings can also be specified in the configuration file.
Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.
By default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
Full ssh command will look like:
matterai#homepc: ssh -v -N -A -J ubuntu#3.121.46.99 -L 5001:localhost:8000 ubuntu#10.0.1.112
UPD: Also you can simplify a bit your command. In ~/.ssh/config you can add your jumphost (bastion) and your final destination VM IP:
Host bastion
HostName 3.121.46.99
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ForwardAgent yes
Host server
HostName 10.0.1.112
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ProxyJump bastion
Now, you can run command:
ssh -v -N -A -J bastion -L 80:localhost:8000 server
Looks much better. Also you can just simply connect via ssh using ssh server.
You seem to have things correctly configured, but the error is saying that it can't find a private key to use for the connection.
To test the port forwarding, start by using the ssh command that logs into your public instance.
Then, take that exact command, and simply add: -L 8080:10.0.1.112:80
If it works for 'normal' ssh, then it will work with port forwarding too.
By the way, in general you should never need to modify the outbound rules of a security group. The default settings permit all outbound traffic. This 'trusts' the apps running on the instance and allows them to communicate outwards to anywhere. You would only need to restrict such rules where you wish to enforce a high-security environment.
I did setup my 1st EC2 instance on AWS on a free tier using Ubuntu as the OS. I followed all the steps and my instance is up.
I´ve build the following security rules:
Ports Protocol Source Personal_SG_NVirginia
80 tcp 0.0.0.0/0 ✔
22 tcp 0.0.0.0/0 ✔
3306 tcp 0.0.0.0/0 ✔
443 tcp 0.0.0.0/0 ✔
-1 icmp 0.0.0.0/0 ✔
I can ping my instance, but cannot connect to it either using PuTTY, ssh on my linux and even on miniterm console.
$ ssh -vv -i "xxxx.pem" ubuntu#52.91.95.205
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 52.91.95.205 [52.91.95.205] port 22
debug1: connect to address 52.91.95.205 port 22: Connection timed out
ssh: connect to host 52.91.95.205 port 22: Connection timed out
Tha same happens if I use DNS name.
Miniterm console error:
Connection to 52.91.95.205: Connection timed out: no further information
I have already restarted the instance and recreated it, but no success at all.
Help appreciatted.
Verify the IP address is valid
$ ssh -vv -i "xxxx.pem" ubuntu#54.210.1133.50
Is this hand-written or did you copy and paste? The IP address is an invalid IP address ("1133" is >255), and doesn't match your debug output. Make sure you're connecting to the correct public IP address of the instance.
Verify you are using the correct user
Are you sure the initial user is "ubuntu"? Some EC2 Linux instances use "ec2-user" for the initial setup.
Try: ssh -vv -i "xxxx.pem" ec2-user#123.123.123.123
Verify default SSH port is not blocked (correct solution)
Per discussion below, it turns out that port 22 was blocked by the user's ISP. Switching to a non-standard port (2022) resolved the issue.