On my Ubuntu 20.04 machine, I have ufw enabled and allowing ssh connections.
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
However, I get a timeout when trying to connect.
But if I then do the following:
sudo ufw default allow outgoing # deny outgoing also works, I've discovered
it immediately starts accepting my connection. This is confusing to me -- it seems like just running some ufw command kicks the firewall into allowing incoming connections.
This is unfortunately not workable, as the state is not persisted across a reboot -- so I cannot use the computer remotely yet: I have to redo the sudo ufw default allow outgoing from the local terminal after restart.
I have tried purging and re-installing ufw. I'm interested in understanding where to look to figure out why the firewall does not allow ssh, even when the status indicates it should.
I never was able to solve the problem, but did come up with a workaround. I created a start-up script to run the no-op (since it is already the setting) ufw default allow outgoing. This seems to kick the firewall into accepting incoming connections.
$ cat /usr/local/bin/ping-ufw.sh
#!/bin/bash
ufw default allow outgoing >> /root/ping-ufw.out
$ cat /etc/systemd/system/ping-ufw.service
[Unit]
After=network.service
[Service]
ExecStart=/usr/local/bin/ping-ufw.sh
[Install]
WantedBy=default.target
sudo systemctl daemon-reload
sudo systemctl enable ping-ufw.service
The problem is with incoming and outgoing traffic.
Check the output of the command ufw status verbose:
Default: deny (incoming), allow (outgoing), deny (routed)
This would deny any incoming traffic, including your ssh
Here is the solution for your case
sudo ufw allow incoming
sudo ufw allow outgoing
sudo ufw allow from (your rules here)
sudo ufw limit ssh (if you want to be safe)
sudo ufw deny from any
Either deny incoming or outgoing would result in a denial of ssh.
Related
Since I received a email warning letter from google says "Action required: Critical problem with My First Project" saying my server has some abnormal outgoing activity , I tried to implemented ufw in my debian server.
For my ufw setting, I've done the following:
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow ssh
sudo ufw allow 22
sudo ufw allow http
sudo ufw allow https
After I restart my server , I can't connect to my server with the error "Connection Failed: We are unable to connect to the VM on port 22. Learn more about possible causes of this issue."
I followed the following instruction https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh but it still not working:
I tried gcloud to create default-allow-ssh
my firewall-rules list picture
I tried to use serial console to login but I haven't set password to my root account so I can't login.
I tried to add "/usr/sbin/ufw disable" to startup-script in Custom metadata and restart server many times but it seems the command is not executed so still not working
my gcp startup-script picture
I found the correct answer in this website.
https://www.jhanley.com/google-cloud-recovering-from-ufw-lockout/
Method 2 in the website solves this problem
So I just installed the latest version of rabbitmq and I've been trying to get it to work. The server is running and I've restarted it once just to be sure it's a consistent problem.
If I telnet localhost 5672, I get
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
As you can see, the connection is accepted but rabbitmq does not accept any input. The connection is closed immediately. No further information shows up in logs.
rabbitmqctl works without any problems.
This is running on Windows Subsystem for Linux / Ubuntu. I don't have any other options for a local dev environment because I'm on a work computer which is locked down pretty tightly.
I ran into the same issue, using Ubuntu(16.04) as a subsystem on Windows and rabbitmq 3.7.8. I noticed that when running sudo rabbitmqctl status the listeners showed the following:
{listeners,[{clustering,25672,"::"},{amqp,5672,"::"}]}
I fixed this issue by creating a rabbitmq config file and specifying the localhost and port 5762
Here is what i did step by step.
Using sudo && vim, I created a 'rabbitmq.conf' file, located in
/etc/rabbitmq/
sudo vim /etc/rabbimq/rabbitmq.conf
I specified the localhost(127.0.0.1) and port(5672) for the default
tcp listener in the rabbitmq.conf file
listeners.tcp.default = 127.0.0.1:5672
Restart rabbitmq
sudo service rabbitmq-server stop
then
sudo service rabbitmq-server start
Check sudo rabbitmqctl status and look at the listeners, you should see your new tcp listener with the localhost ip sepcified
{listeners,[{clustering,25672,"::"},{amqp,5672,"127.0.0.1"}]}
Here is the config docs from rabbitmq that may help clarify some of these steps.
Telnet lets you confirm the system is listening and allows incoming connections.
But even an "out of the box" install of RabbitMQ expects credentials for connections.
rabbitmqctl list_users to see which users are configured.
If guest present, typical creds are guest / guest
Either install management plugin (or confirm it is installed),
or script your test, most languages have a package available for connecting to RabbitMQ.
I have following Security Group attached to AWS instance.
I installed Apache When I try to access it from browser I see This site can’t be reached
following is some useful info to debug what is issue.
root#ip-172-31-31-29:~# netstat -atn |grep :80
tcp6 0 0 :::80 :::* LISTEN
EDIT
Here is updated screenshot of the Security Group.
It looks like you're allowing IPv6 traffic. Is this what you desire? I would change your security group to allow 0.0.0.0/0 for http.
If you do desire IPv6 I would start with running curl locally and see what it tells you
curl -k localhost
From there you then should ensure IPTables is properly configured and that SELinux is properly configured.
I was setting up a firewall with UFW in Ubuntu server, I skipped the step sudo ufw allow ssh and instead run the command sudo ufw enable. Rebooted the VPS but now when I try to connect using ssh, I get the following error ssh: connect to host {IP Address} port 22: Operation timed out.
I am using Google Cloud Compute Infrastructure and I'm not understanding details in this article https://cloud.google.com/compute/docs/ssh-in-browser#ssherror
Is there a way I can rollback?
You can login to your instance using the serial console. After logging in you should run the command: sudo ufw allow ssh, for allowing ssh access to your instance.
See Interacting with the Serial Console for more information
I am not able to access Amazon EC2 instance via ssh as i am behind a firewall.
So, i thought of running ssh on port other than 22, like 80 or 443.
I tried starting Amazon EC2 instance via Web Management Console with following 'user data':
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 80/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
The idea being that the above script would execute on instance startup and switch ssh from port 22 to port 80. (Ref: http://alestic.com/2010/12/ec2-ssh-port-80)
But ssh is still not accessible on port 80.
Apparently 'user data' script is not being executed on start up?
I can 'only' start stop instances via Web Management Console, not from command-line (being behind firewall)
Any ideas?
To connect to an AWS instance through ssh from a port different than default 22:
Open the security group of your instance so that it allows connections to that port from the source that you choose (0.0.0.0/0 for any source).
In your instance:
It is a new instance you could use an user-data script like this one:
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 443/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
Please note that this only works if you are launching a new instance:
User data scripts and cloud-init directives only run during the first boot cycle when an instance is launched.
If it is not a new Instance, edit the /etc/ssh/sshd_config file adding/changing Port 22 to the port that you want (i.e: Port 443) to connect through ssh and then do service ssh restart and you should be done.
Note: I did this with an Ubuntu instance, with another Linux instances may be slightly different.
The amazon firewall blocks all ports other than 22. You first have to enable port 80/443/whatever.
HOWTO:
Go to "security groups" -> click on the group you chose for your instance, then on the "Inbound" tab.
There you can add your ports.
EDIT: If by chance you also installed apache or some other webserver, port 80 will be used and cannot be used by sshd. I do not know which operating system is installed on your server, but maybe some webserver is already included?
EDIT 2: As per the last comment, it seems nowadays all ports are blocked by default. So you will have to open port 22 if you need it. Wasn't the case eight years ago, but configurations change ;)
Here is what I came up with to run sshd on 443 and 22 having rhel8 on ec2
make sure your security groups allow connection from your network/ip to the desired ports (in my case 22 and 443)
tcp 443 1.2.3.4/32 #allow access to 443 from IP 1.2.3.4
tcp 22 1.2.3.4/32 #allow access to 22 from IP 1.2.3.4
Login to the EC2 and
#install semanage with
sudo yum install -y policycoreutils-python-utils
#delete 443 from http ports
sudo semanage port -d -t http_port_t -p tcp 443
#add 443 to ssh ports
sudo semanage port -m -t ssh_port_t -p tcp 443
Edit /etc/ssh/sshd_config
Port 22
Port 443
Restart sshd
sudo service sshd restart