SFTP to EC2 Windows Instance - security

So i've setup a windows instance, but can't seem to FTP into it. After much research, i've discovered SFTP is the way forward.
I've setup my security group, adding the following rule:
SSH tcp 22 22 0.0.0.0/0
Using the public DNS name supplied in the console, i try to SFTP in using Filezilla & Cyberduck, but they just time out.
I know the next step is sorting out the key pairs, but i doubt that'll do me any good if my server isn't even accepting connections.
Any idea what i've missed?
EDIT:
Looking at the Filezilla logs, its looks like the server isn't responding to the connection requests...
12:51:29 Status: Connecting to ec2-122-248-248-178.ap-southeast-1.compute.amazonaws.com...
12:51:29 Response: fzSftp started
12:51:29 Command: keyfile "D:\Users\berling\Lacie Fuj Sync\Freelancing\AWS_Public_Key.ppk"
12:51:29 Command: open "greg#ec2-122-248-248-178.ap-southeast-1.compute.amazonaws.com" 22
12:51:49 Error: Connection timed out
12:51:49 Error: Could not connect to server
Do i need to install an SFTP/SSH server on the server? I was under the impression it was already setup for Amazon servers for some reason... am i wrong about that?

The rule you have set up - SSH tcp 22 22 0.0.0.0/0 - where is that? Your firewall, or at the EC2 end? And why 0.0.0.0? I would recommend using real IP addresses.
Check why the connection is timing out - is SFTP getting past your firewall? Is it getting blocked at the EC2 end - firewall or network logs will be your friend here.
Have you confirmed it is timing out before starting the handshake? Check SSH logs.
Do you have an SFTP server running and configured correctly? Some require all configs to be set before they are happy - your comment that you haven't yet sorted key pairs makes me wonder if this one only accepts certificate auth.
Check those and see how you do.

Install WinSSHD on your EC2 instance. It provides RDP, SFTP, Console access - all over port 22.
Install Tunnelier on your client.

I haven't tried this particular package, but Cygwin, and Services for Unix provide OpenSSH version.
Copssh claims to install openssh, and allow migration/configuration of users:
http://sourceforge.net/projects/sereds/files/Copssh/4.0.4/

Related

Access Azure VM from behind a NAT

So I am pretty new to all of this and currently learning about ssh and NAT.
So I have a VM setup on Azure and in order to connect to it I need to ssh into it. But the problem is I am unable to ssh into it because I am behind a NAT as I am currently studying in a University, hence getting "connection timed out" error all the time.
Also I have tried changing the default port(22) to 443 or 80 still same error which confirms I am behind a NAT.
So currently the only way to ssh is to use a VPN which works fine.
But after researching a bit I found that I can also use Reverse SSH Tunneling to achieve the same but couldn't figured out a way of how to do it. I know it is a bit riskier than using a VPN only but anyway just wanted to try.
So can anyone help me?
An outgoing SSH connection (your machine -> Azure VM) should not be affected if you are behind a NAT. NAT usually blocks incoming SSH access to your machine not out from it.
Also I have tried changing the default port(22) to 443 or 80 still the same error which confirms I am behind a NAT.
You changed the default port on which machine, you or the Azure VM? Changing the default port on your machine will not affect the outgoing SSH connection as it is only for incoming SSH connection to the SSH server on your machine (if you have one running locally).
Your best bet would be to actually look at the security groups of the Azure Virtual Network you VM is located in. Make sure it allows incoming SSH connection on port 22 to your VM.

Access database on Windows server through VPN from nodejs running on Linux

I'm kind of lost in my current project. From a linux machine (Ubuntu server), running a code in nodejs I have to connect to a windows server, through VPN, and access a mySQL server running on it.
About the VPN server I only know it's Windows and I can easily connect to it by using the VPN conector on another Windows machine, I do not have access to that machine or know its parameters.
All I have is the IP of both VPN and database server inside that VPN, and username/password for VPN and database as well. Also I know that the VPN uses ms-chap v2.
I'm trying to use openvpn like that:
sudo openvpn --remote vpnIP --dev tun --ifconfig 127.0.0.1 dbIP
This does not show any error message but never request VPN's username/password
And what should I do from nodejs to access the database once VPN is created?
As I've said, I'm very lost on that! Any tip will be welcome!
Unless something else is specified, a Windows based VPN almost always uses PPTP. You can not connect with OpenVPN. You have to use a PPTP client.
The Ubuntu package is pptp-linux.
There is a detailed explanation on how to configure it here.
In a nutshell (I assume you have no GUI on a server),
you can create a tunnel with :
pptpsetup --create my_tunnel --server <server_address> --username <username> --password '<password>' --encrypt
Configuration files will be created in /etc/ppp. You can then connect (in debug mode) with:
pon my_tunnel debug dump logfd 2 nodetach
or simply (once it work) :
pon my_tunnel
and stop it with :
poff my_tunnel
If the server is a gateway, you may need to add a route, something like :
ip route add 192.168.1.0/24 dev ppp0
You may want Network Manager with a plugin network-manager-pptp, also see this wiki
https://help.ubuntu.com/community/VPNClient#PPTP

AWS EC2 Error: The site can't be reached - ec2.us-west-1.compute.amazonaws.com took too late to respond. Deploy NodeJS

I currently have an EC2 instance up and running with Amazon Linux running and transferred my project (which contains both React/NodeJS/Express) onto the EC2 instance via SFTP using FileZilla.
For the EC2's Security Groups, I opened a port for 3000 (protocol: tcp, source: 0.0.0.0/0), which is how my Express is defined as well.
So I sshed into EC2 instance and ran the project's Express, and sees it listening to port 3000 within the terminal. But once I hit the Public DNS with ec2...us-west-1.compute.amazonaws.com:3000, it says The site can't be reached - ec2...us-west-1.compute.amazonaws.com took too late to respond.
What could be the issue and how can I go about from here to connect to it?
Thank you in advance and will upvote/accept answer.
Just check if your Node.js server is running on the EC2 instance.
Debugging:
Check first if It working locally properly.
Check for the node.js server in EC2.
sudo netstat -tulpn | grep :3000
try to run server with --verbose flag i.e npm run server --verbose
it will show logs of the server while starting.
Check for the security group Setting for the EC2 instance.
try to connect with the ip:port i.e 35.2..:3000
If still it not working and response taking long time.
that means some other service is running on the same port.
try this in ec2:
sudo killall -9 node
npm run server
And connect with using IP(54.4.5.*:3000) or public DNS (http://ec2...us-west-1.compute.amazonaws.com:3000).
Hope It will help :)
You may be encountering an issue with outbound traffic. You may be inside a company's network, either physically connected or VPN'd in. In some instances, your VPN isnt set up to handle split traffic, so you must abide by your company's outbound restrictions.
In a situation like this, you would want to use a proxy to access your site. when locking down your security group, make sure you use your proxy's public IP (not your company's).
Usually, when we have connectivity issues, it is something basic or a firewall. I assume you have checked whether a firewall is running on either end, eg. iptables -L -n. Also, any protocol analyzer like wireshark or tcpdump would tell you where packets to port 3000 are visible.

Can my chef-server and workstation be on different clouds ..?

Say .. I have a scenario where my workstation is in my local network and my chef server is in AWS . In knife.rb ,i gave the AWS Public IP in the chef server url. Will this work or not for open source chef .??
i tried doing that.i am getting the following error:-
ERROR: Network Error: Error connecting to https://xx.xx.xx.xx/cookbooks?num_versions=all - Connection timed out - connect(2)
Check your knife configuration and network settings
can some one help me out in this.
Sure, as long as your workstation (usually your PC/Mac) has IP connectivity to the Chef server that's how it works. Given your output, it looks like access to port 443 is not allowed (or you entered the wrong IP of your chef server).

linux command to connect to another server using hostname and port number

what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAILĀ FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.

Resources