I set up an Azure Ubuntu VM, created the network security group, and added port 80 and 8888 rules. The firewall is inactive. I associated the NSG to the subnet of the VM. I am not able to remotely connect to port 8888, but telnet to port 80 is OK, and port 8080 is also OK, even though there is no rule allowing 8080. I experimented and removed the port 80 inbound rule, but I can still access port 80.
netstat -ant | grep 8888 shows one process is listening
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN
It just appears that the access is not following my inbound rules but obeying some default. What can it be doing?
As you said, your service is listening on 127.0.0.1, so the service can only be accessed inside the VM.
You should set your service to listen on 0.0.0.0 or the VM's private IP.
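As an added illustration (not part of this answer), the following Python snippet parses `netstat -ant` / `netstat -plnt` output and reports whether a port is bound only to loopback, to every interface, or to one specific address; the sample output is constructed to mirror the lines quoted on this page.

```python
"""Classify TCP listeners from netstat output (added example, constructed data)."""
import re

# Constructed sample: the same shape as `netstat -ant` / `netstat -plnt` output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.4:8080           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3350          0.0.0.0:*               LISTEN      106888/xrdp-sesman
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state (PID column optional)
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

LOOPBACK = ("::1",)
WILDCARD = ("0.0.0.0", "::")


def parse_listeners(netstat_output):
    """Return {port: bind_address} for every socket in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(3))] = m.group(2)
    return listeners


def reachability(netstat_output, port):
    """Explain why a remote client may or may not reach `port` on this host.

    The NSG and host firewall are separate layers; this only covers the
    'is anything listening, and on which address' layer.
    """
    bind = parse_listeners(netstat_output).get(port)
    if bind is None:
        return "not listening"
    if bind.startswith("127.") or bind in LOOPBACK:
        return "loopback only"        # reachable from inside the VM only
    if bind in WILDCARD:
        return "all interfaces"       # reachable if NSG and firewall allow it
    return "bound to " + bind         # reachable only via that address


if __name__ == "__main__":
    for p in (8888, 80, 8080, 3350, 22, 3389):
        print(p, "->", reachability(SAMPLE_NETSTAT, p))
```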
Four reasons:
Firewall on VM level.
No application listening on said ip\port.
Network security group attached to the vm\subnet blocking traffic.
Azure Firewall (highly unlikely, preview feature).
You appear to be rocking case number 3. How to edit NSG.
When I try to do RDP, it doesn't work.
sudo netstat -plnt | grep rdp
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 106888/xrdp-sesman
The above command is supposed to return one more line having port 3389 as open, but it doesn't.
In the NSG, I have opened inbound connections on port 3389, and in a connection test in the Azure console, it shows that inbound connections to the port are working.
This doesn't make sense to me.
I assume that you created a Windows/Linux VM from a Marketplace image, so by default 3389 is allowed inside Windows Firewall; for Linux, port 3389 might be your service running on this port. When you create an NSG rule for traffic from outside, you must use the private IP of your VM.
You need to make sure that your NSG is associated either to your NIC or to the subnet of the VM, so I suggest you test it using Network Watcher. Use the same remote IP address 200.200.200.200 and port 45654; it is up to you, but it must have a public IP and a port as the source. For the local IP address and port, you put the information about your VM (private IP). In my case, port 3389 is not allowed.
Another test you can do, in case you have another VM in the same subnet as this one, is to try telnet PRIVATE_IP 3389.
I know that pinging Azure VMs is disabled. The following page shows how to use Sysinternals' PsPing to do a TCP-based ping:
https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/
Unfortunately, I cannot get PsPing to work from my premises to the Azure VM I have. I created an inbound rule in the Network Security Group through the Azure portal:
My Azure VM is a Windows 2012 Datacenter server. I added the following rule to its firewall:
Nevertheless, I can't get PsPing to work when targeting port 80. Incidentally, PsPing to port 3389 (the RDP port) works.
What else should I try?
You should check whether your port is listening. According to your description, it seems that port 80 is not listening on your VM. You could use the following command to check.
netstat -ant|findstr 80
Please ensure port 80 is listening on TCP; the result should be like below:
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING InHost
Also, you should check your NSG. An NSG can be associated with a subnet or a VM NIC.
I've changed the RDP port to 8080 in the registry on my Azure Virtual Machine (Windows Server). Now it is not accessible from outside; I can't connect to it.
Azure VM is managed by Resource Manager (not Classic VM).
UPDATE:
Turning the security rules to allow all did not help.
I've changed the RDP port to 8080 in the registry on my Azure Virtual Machine (Windows Server)
We can use the Custom Script Extension to check if RDP is listening on port 8080.
netstat -ant | findstr "8080"
If RDP is not listening on port 8080, we may need to restart the RDP service.
If RDP is listening on port 8080, we can use the Custom Script Extension to disable Windows Firewall.
netsh advfirewall set allprofiles state off
For the extension, we create a .ps1 file with the command and upload it via the Azure portal.
Azure has to know to allow traffic through to your VM. By default, on a Windows VM, only RDP is open. But you (for some reason) changed the RDP port in Windows Server. You need to do this with the network interface as well, via the VM settings (which has nothing to do with Windows itself):
Via Settings, go to Network Interfaces
Select your network interface and go to Network Security Group
From network security group, add an inbound rule for port 8080 (or modify the existing RDP rule to be port 8080).
It used to be possible to change your RDP port in the Classic portal using endpoints, but in the RM portal you cannot change your RDP port.
If you are trying to secure your box or bypass the security firewall to connect to your box, I recommend using Azure Load Balancer NAT rules. You can create a NAT rule to translate a custom port to 3389, and then you can only allow connectivity from the LB to your VM. This is a trick I use when I want to bypass the corporate firewall, for example with port 443.
Make sure you attach the LB to your VM from the NAT rule section.
To access any port from a public IP client:
Enable the port in Azure Firewall (if installed).
Enable the port in the Network Security Group (add an inbound rule), e.g. 8080 -> 8080 or 80 -> 8080.
Enable the port in the Windows Firewall of the VM (on Azure). This is most important if the port is other than 80 and 443, e.g. 8080, 8090, etc.
I have a Linux VM on Azure. I opened an inbound rule for port 20212 TCP, and furthermore I created a rule in iptables to allow traffic to this port.
But when I do telnet 127.0.0.1 20212 I get a connection refused error, and when I do telnet SERVER-IP 20212 I get the same error. Is there any other step I need to open a custom port on Azure VMs?
There are 3 moving pieces to this puzzle:
Network Security Group allowing a port
Linux VM firewall allowing a port
Application that is running and listening on the port
It appears that you are missing the third one.
I've created Virtual Machines and assigned them the Endpoints.
Question:
Let's assume I have one endpoint:
1 For port 4444 with two acls:
1.1 order=1, action=Permit, ip=3.3.3.3/32
1.2 order=2, action=Deny, ip=0.0.0.0/0
Does it mean that it's possible to connect to this instance only from IP 3.3.3.3 and only to port 4444? Will all other connections from other IPs or to other ports be rejected, including the SSH ones?
This question should be moved to ServerFault, but...
You opened a single endpoint on port 4444. Therefore, only traffic targeted at port 4444 will get through.
You set up a mask with an exact IP address (3.3.3.3/32). That is the only IP address that will be allowed through, on port 4444.
If you set up your VM in Azure, you get an ssh port created for you. You can assign ACLs to that port as well, but each port will have its own ACLs. So your ACL on port 4444 doesn't impact the ssh port.
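The following Python model, added here as an illustration and not part of the answer above, evaluates ordered endpoint ACLs first-match style for the two rules in the question and shows why the SSH endpoint is unaffected. The endpoint table is constructed; the behaviour when no rule matches (permit unless a Permit rule exists) is an assumption, not something stated on this page.

```python
"""First-match evaluation of per-endpoint ACLs (added example, constructed data)."""
import ipaddress

# Constructed endpoint table: the question's endpoint on 4444 with its two
# ACLs, plus the SSH endpoint Azure creates with the VM, which has no ACL.
ENDPOINTS = {
    4444: [
        {"order": 1, "action": "Permit", "ip": "3.3.3.3/32"},
        {"order": 2, "action": "Deny", "ip": "0.0.0.0/0"},
    ],
    22: [],
}


def evaluate(endpoints, src_ip, dst_port):
    """Return 'Permit' or 'Deny' for one inbound connection attempt."""
    rules = endpoints.get(dst_port)
    if rules is None:
        # No endpoint on this port: traffic never reaches the VM at all.
        return "Deny"
    addr = ipaddress.ip_address(src_ip)
    # Rules are checked in ascending order; the first CIDR match decides.
    for rule in sorted(rules, key=lambda r: r["order"]):
        if addr in ipaddress.ip_network(rule["ip"], strict=False):
            return rule["action"]
    # Assumption for the no-match case: an ACL containing any Permit rule
    # implicitly denies everything else; a list with only Deny rules (or no
    # rules) permits the rest.
    return "Deny" if any(r["action"] == "Permit" for r in rules) else "Permit"


def swapped_order(endpoints):
    """Same rules as the question but with the orders reversed, to show that
    ordering, not the rule list, determines the outcome."""
    rules = [dict(r, order=3 - r["order"]) for r in endpoints[4444]]
    return {4444: rules, 22: endpoints[22]}


if __name__ == "__main__":
    for src, port in (("3.3.3.3", 4444), ("5.5.5.5", 4444),
                      ("5.5.5.5", 22), ("3.3.3.3", 80)):
        print(src, port, "->", evaluate(ENDPOINTS, src, port))
    print("3.3.3.3 with Deny ordered first ->",
          evaluate(swapped_order(ENDPOINTS), "3.3.3.3", 4444))
```

Each endpoint carries its own list, so the Deny on port 4444 never reaches the SSH endpoint on port 22.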