Question: How can I allow inbound SSH traffic on a non-standard port when using Amazon Security Groups and also provisioning with Chef?
Amazon EC2: Allow inbound ssh traffic on port 999 instead of 22 by adding this rule to a Security Group.
Custom TCP Rule Port Range: 999
Chef: Create a new server with access to ssh on a non-standard port via:
knife ec2 server create .... -p 999 ....
Ubuntu: Allow ssh access on a non-standard port by editing /etc/ssh/sshd_config
Port 999
Easy enough? Why doesn't it work?
When using knife ec2 server create ... -p 999 ... the instance creates. However it hangs on "Waiting for sshd...". Eventually that errors out. The instance is not available using ssh -p 999 username#ip-address nor ssh -p 22 username#ip-address.
As some of the commenters have said, you are being locked out because the instance is listening on port 22, but your security groups are only allowing TCP connections on port 999.
There is no way to connect to the instance in this state.
There are three solutions to this problem that I can see.
Solution 1: Make a new AMI
Create a new AMI which has sshd configured to listen on 999.
Once you have done so, create your EC2 servers using your custom AMI and everything should work.
There are fancy-pants ways of doing this using cloudinit to let you customize the port later, but it hardly seems worth the effort.
Just hardcode "999" instead of "22" into /etc/ssh/sshd_config
The obvious downside is that for any new AMI that you want to use, you'll have to bake a new base AMI that uses the desired port instead of 22.
Furthermore, this diverges away from the Cheffy philosophy of layering configuration on a base image.
Solution 2: Icky Icky Security Groups
You can hack your way around this by modifying your security groups every time you bring up a new server.
Simply add an exception that allows your machine to SSH into the box for the duration of your bootstrapping process, then remove this from the security group(s) that you are using once you are done.
The downside here is that security groups in EC2 are not dynamic, so you either have to create a new security group for each machine (ick!), or let this open port 22 for your workstation on all of your servers during the bootstrapping window (also ick!).
Solution 3: Tunneling
The last option that I can think of is to allow connections on port 22 amongst your live servers.
You can then tunnel your connection through another server by connecting to it, opening an SSH tunnel (i.e. ssh -L ...), and doing the knife ec2 actions through the tunnel.
Alternatively, you can pass through one of the other servers manually on your way to the target, and not use knife to bootstrap the new node.
The downside here is that you need to trust your servers' security, since you'll have to do some agent forwarding or other shenanigans to successfully connect to the new node.
This is probably the solution that I would choose because it does not require new AMIs, doesn't open port 22 to the outside world, and requires a minimal amount of effort for a new team member to learn how to do.
Related
I have tried everything, this is my last hope before I give up on ever working with AWS again. My security group setting allow port 3000 which is being forwarded to port 80 already. I have rebooted, done a stop start, created a new AWS account, and allowed traffic on port 80. Does anyone know of what else this could be?
My local OS is Ubuntu 20.04.
To make port 80 accessible to a computer on the Internet (assuming that it is working on localhost):
The Amazon EC2 instance should be in a public subnet (if you can SSH to it, then this is true)
A public IP address should be assigned to the instance (again, if you can SSH to it, then this is true)
A Security Group associated with the instance should permit inbound access on port 80 from 0.0.0.0/0 (meaning the whole Internet)
There is no need for the Inbound Rule that references port 3000 since you are wanting incoming traffic on port 80 only (I presume).
If your app is still timing-out with the above configuration, then you'll need to debug what it is attempting to do. You could, for example, temporarily open the Security Group for all ports just to confirm that it is not the cause of the problem.
So I am pretty new to all of this and currently learning about ssh and NAT.
So I have a VM setup on Azure and in order to connect to it I need to ssh into it. But the problem is I am unable to ssh into it because I am behind a NAT as I am currently studying in a University, hence getting "connection timed out" error all the time.
Also I have tried changing the default port(22) to 443 or 80 still same error which confirms I am behind a NAT.
So currently the only way to ssh is to use a VPN which works fine.
But after researching a bit I found that I can also use Reverse SSH Tunneling to achieve the same but couldn't figured out a way of how to do it. I know it is a bit riskier than using a VPN only but anyway just wanted to try.
So can anyone help me?
An outgoing SSH connection (your machine -> Azure VM) should not be affected if you are behind a NAT. NAT usually blocks incoming SSH access to your machine not out from it.
Also I have tried changing the default port(22) to 443 or 80 still the same error which confirms I am behind a NAT.
You changed the default port on which machine, you or the Azure VM? Changing the default port on your machine will not affect the outgoing SSH connection as it is only for incoming SSH connection to the SSH server on your machine (if you have one running locally).
Your best bet would be to actually look at the security groups of the Azure Virtual Network you VM is located in. Make sure it allows incoming SSH connection on port 22 to your VM.
I created a Linux t3a.nano EC2 on AWS, I haven't done anything on the instance other than starting it and connect to it through SSH.
I would like to open 2 ports, port 80, and 3000, for that, I created a Security Group and added both ports to the inbound rules.
Based on AWS documentation that is all you need to do in other to open the ports, but if I connect to the instance and list the ports open none of the ports on my Security Group are listening, only 22, but that is open by default.
I am running this command to list the ports:
sudo netstat -antp | fgrep LISTEN
Other Steps I tried:
Check my ACL, will attach a picture of the configuration below, didn't change anything it looks to be fine.
Checked that the instance is using the correct security group.
Stoped and started the instance.
Created an Elastic IP and associated it to the instance to have a permanent public IP address.
Any suggestions about which steps could I am missing?
You are checking the ports from inside the instance. Security Groups (SGs) work outside of your instance.
You can imagine them as a bubble around your instance. Subsequently, the instance is not aware of their existence. This can be visualized like on the below image, where the SG is a barrier outside of the instance. Only if SG allow traffic in, then your instance can further limit it by using regular software level firewalls.
To open/block ports on the instance itself you have to use a regular a firewall such as ufw. By default all ports on the instance will be opened, at least when using Amazon Linux 2 or Ubuntu.
Therefore, with your setup, inbound traffic for pots 22, 3000 and 80 will be allowed to the instance.
Update - Response
I got to this point thanks to the comments above!
I wanted to open port 3000 to host a web service, so I did all the steps on my original question, the step that I was missing was to run a server to do something on port 3000. After I ran node I was able to see the port open internally and was able to make requests to that port.
The Security Group remains the same, but now if I list the ports this is what I get: sudo netstat -antp | fgrep LISTEN
I run my node.js app on Amazon EC2 (Ubuntu 14.04)
On localhost, it works, but application not available on the internet by this address http://ec2-35-160-4-84.us-west-2.compute.amazonaws.com:3443/ where 3443 is my port.
How can I fix it?
Sounds like you need to go to your Security groups on the server, and update the inbound rules to allow port 3443. I assume this would be a TCP connection so you need to update the Custom TCP put in the port and then choose which IP or if all you want to allow into the system.
To get to Security Groups .. go to your EC2 instance, then look on the left side where the menu is and you will see Security Groups listed. Click there, and make sure you are updating the Security Groups INBOUND rules for the right server.
Hope that works.
may I know how to change ssh port 22 to a custom port in azure resource group vm? I know i can change the endpoints easily on vm classic. But how can i change ssh 22 to other port number for ssh on resource group vm on the new portal? thanks.
You can’t use the new type of VM with a resource manager on old portal so you have no choice but to use the new Azure portal https://portal.azure.com.
Let’s see what you will get when you create a new VM with a resource manager.
By default, you will get the following things when you create a VM but of course, you have an option to choose what to create or what to re-use during the setup.
•Virtual machine
•Network Interface
•Network Security Group
•Public IP Address
•Virtual network
•Storage Account
Choose “Network Security Group” then you will see the setting page that looks similar to Windows Advanced Firewall interface on windows server or desktop.
Click on “Inbound security rules”. This is where you can enable the endpoint of your new VM. Of course, you forget to open the same port in your server OS as well.
First you must do the following steps:
Once you are logged in to the server as root we can begin editing the sshd_config file. As with any modification to an important server file, it is always a good idea to back it up before making any changes:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Now we are ready to modify the file. Open /etc/ssh/sshd_config in your favorite text editor (for this example we will use Vim) and locate the line that specifies the port. If your sshd_config file has not been altered the Port setting will be commented out with a # symbol (example below).
sudo nano /etc/ssh/sshd_config
The # symbol tells the server to ignore anything after it on the same line, so we will need to remove that character and then change the number 22 to something else. Be sure you do not pick a port number that is in use by a different service. If you are unsure, Wikipedia has a list of port numbers and their uses. Try to use a port number that is not listed. For this example, we will use Port 2222 (which is used by Windows servers but not by default on Linux servers).
Remove the # symbol and change the port number
second you must do the following steps:
Go to your azure portal and select all resources
Choose “Network Security Group” then you will see the setting page that looks similar to Windows Advanced Firewall interface on windows server or desktop (see Figure 2).
Click on “Inbound security rules”. This is where you can enable the endpoint of your new VM. Of course, you forget to open the same port in your server OS as well. e same port that you put in the file /etc/ssh/sshd_config in destination port range (see Figure 3).
None of these fully worked for me.
I found a working answer on Youtube
https://www.youtube.com/watch?v=zkr-RMcGuk0
Which involved added the following redirect.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j REDIRECT --to-port 22
Out of curiosity, why do you want to change the ssh port? The approach will depend on why you want to do it, but one way would be as follows:
ssh into the VM on port 22 and make the ssh daemon listen on whichever port you want. This link describes how to do it (you can ignore the part about iptables if you aren't using it): http://support.hostgator.com/articles/hosting-guide/lets-get-started/linux-dedicated-hosting/how-to-change-the-ssh-port-on-dedicated-and-vps
exit your ssh connection and ssh back in on your new port of choice
Alternatively, you could put your VM behind a load balancer that maps some other port to port 22 on the VM (e.g. https://azure.microsoft.com/en-us/documentation/articles/load-balancer-get-started-internet-arm-ps/#create-lb-rules-nat-rules-a-probe-and-a-load-balancer).
One important clarification to the portal answer is to make sure you specify a source-port-range of '*' for your inbound rule and a priority that is lower than the default rules. Typically 100-400 is a good priority range.
Unlike classic deployments, resource manager deployments don't have "endpoints" but rather inbound and outbound "rules" which is really a filter applied to the connection. The result is that the port you want to open to connect to the VM is the "destination-port-range", and the source-port-range specifies the "originating port for this connection", which is typically dynamic -- and thus, for most basic scenarios, should be "any" which is '*'.
The exceptions will be cases in which internally to your vnet you know that the originating port should ONLY be that one port, over there, on that one VM -- in order to be as certain as you can that only that VM/port can connect with this one.
But, in the case in which you want to connect from the internet, it typically needs to be '*'.
you have to add an entry in your ssh_config file
port = 22022
and then restart your sshd
sudo /etc/init.d/ssh restart
or
sudo service ssh restart
and then change the Azure portal NSG rules to allow port 22022 to your IP address or change the default ssh to custom and modify the port no.
and try the command if you are using password-based or password-less
ssh machine#host-ip -p 22022
or
ssh -i location-to-your-pem-file machine#host-ip -p 22022