I have an ubuntu server running on a EC2 AWS server. I am testing a hello world Nodejs app that I set to listen on port 9000. If I use the GUI in the AWS console to open incoming 9000 TCP port the app runs fine. But if I try and use the command line sequence shown below it wont allow connections.
sudo su
ufw allow 9000/tcp
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 8080/tcp
ufw allow 443/tcp
ufw enable
ufw status
I ran these before doing any security group things inside my AWS EC2 instance and no luck. I am doing a school project that we only have CLI access to an EC2 thru SSH so I wanted to try and open ports through the CLI if possible. Thanks in advance for any help
If by the GUI in the AWS console you mean security groups then you should know that it does not configure ufw. Instead security groups modify firewall rules in AWS networking equipment (either the router or switch or firewall appliance assigned to your network). In some cases you will need to configure both ufw and AWS security groups to allow access especially when you use distros with a restrictive default firewall (Debian and by extension Ubuntu does not enable the firewall by default).
If you want to configure security groups from the command line or in a script you will need to use aws cli. With the aws cli installed you can do:
aws ec2 authorize-security-group-ingress --group-id $group_id --protocol tcp --port 9000 --cidr 0.0.0.0/0
Note that the aws cli does the same thing as going to your browser and configure the security group in the console but via an API. As such it does not matter where you install the aws cli. You don't need to install it on the EC2 instance. You can install it on your personal Windows or Linux or Mac machine.
There is even an app that you can install on Android and iOS to configure the security group if you are interested.
Related
On Ubuntu if I use the command: sudo disable ufw then it can access my server on any port.
Once I enable firewall again then I run command: sudo ufw allow 9090/tcp then I start my spring boot website on port 9090. Now I use the command: curl http://server_id:9090 => It still block me. If I disable firewall then It can run
Who know root cause? How can I enable firewall and allow on a particular port.
Thanks
I have installed nginx on my AMI by yum
sudo yum install nginx
And then, I open all port in my AMI security group
All traffic - All - All - 0.0.0.0/0
And then, I start nginx by command
sudo service nginx start
And then, I access my nginx web service by http://public-ip
but I cannot access by this way.
I try to check the connection in my server.
ssh my_account#my_ip
And then,
wget http://localhost -O-
And It worked fine.
I cannot figure out what is the root cause, and then I change nginx port from 80 to 8081 and I restart the nginx server.
And then, I try to access again. It worked fine. WTH...
http://public-ip:8081
I don't know exactly what is going on?
Could you tell me what is the problem.
I see a few possibilities:
You are blocking the connections with a firewall on the host.
Security Group rules disallow this access
You are in a VPC and have not set up an Internet Gateway or route to host
Your Nginx configurations are set to explicitly listen on host and port combinations such that it responds to "localhost" but not to the public IP or host name. You could post your Nginx configs and be more specific about how it doesn't work when you try remotely. It is timing out? Not resolving? Receiving an HTTP response but not what you expected?
I know a little about Linux. Today I created a VPN server on my Ubuntu installation according to Set up a simple IPsec/L2TP VPN server for Ubuntu, Arch Linux and Debian.
But when I finish the installation, I use my iPhone to connect the IPsec VPN, bur it shows the VPN Server has no response.
The GitHub document shows
Ports 1701, 500 and 4500 must be opened for the VPN to work!
So I have tried to open these ports on my Ubuntu server.
I use the iptables command to open these ports, but it failed. Maybe I don't known how to use this command correctly. How can I open these ports on my Ubuntu server?
And if these ports have been opened successfully, can it be proved by the Windows CMD window through telnet'ting the port?
Ubuntu these days comes with UFW - Uncomplicated Firewall. UFW is an easy-to-use method of handling iptables rules.
Try using this command to allow a port:
sudo ufw allow 1701
To test connectivity, you could try shutting down the VPN software (freeing up the ports) and using netcat to listen, like this:
nc -l 1701
Then use telnet from your Windows host and see what shows up on your Ubuntu terminal. This can be repeated for each port you'd like to test.
If you want to open it for a range and for a protocol
ufw allow 11200:11299/tcp
ufw allow 11200:11299/udp
I am wondering if the vanilla installation of MongoDB on Ubuntu can be accessed by the outside world? I have sensitive information thats being written to the database via Node.js (all running on the same box) and want to make sure it is safe.
I would recommend using UFW - Uncomplicated Firewall
Install UFW and enable, enter:
sudo apt-get install ufw
Check the status:
sudo ufw status verbose
Allow MongoDB and HTTP services (assuming default Mongo port):
sudo ufw allow 27017
sudo ufw allow 80
Enable the firewall:
sudo ufw enable
If you do not need connections from another instance, set the following in the configuration (which is probably the default anyway):
bind_ip = 127.0.0.1
If you need access (for example to connect to the database from your own machine for debugging,...) you can either use an SSH tunnel or set up a firewall rule (if you have a static IP; you'll obviously need to disable bind_ip).
Firewalling is a good idea in general, but if your service does not need remote connections, simply disable them. And probably use a firewall with default deny.
I would like to run a node.js TCP server on port 80 on an Amazon EC2 instance of Amazon Linux. I have added 80 to the security group, but the problem is letting node.js bind to port 80, which normally requires root permission.
The easiest solution seems to be using authbind, but it isn't accessible from the EC2 yum repo. Is there an equivalent utility for Amazon Linux? Or some other workaround for this distro ? Or is it actually a bad idea to use authbind?
I ended up binding to a higher port and then using iptables to forward port 80 traffic to that port. Another option was to use an AWS load-balancer from incoming port 80 to a higher port on the ec2 instance.
It's a little tedious, but if you install gcc you can compile it from source. You can go here to get the 2.1.1 release. Click the link that says "Snapshot" to get a tar.gz file. I couldn't seem to download it directly using wget (had to download from web browser and then upload), YMMV.
If using systemd, you can use AmbientCapabilities to allow a service to bind to a lower port.
This is done through your service configuration file in the /etc/systemd/system directory:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
...