SSHing into Ubuntu EC2 instance post blocking port 22 with UFW - Cloud Computing

Read it in 0 Mins

Last updated on
07th Jun, 2022
Published
27th Jul, 2018
Views
1,799
SSHing into Ubuntu EC2 instance post blocking port 22 with UFW - Cloud Computing

Introduction

This blog is in reference to a troubleshooting situation in 
Amazon Web Services when you have configured firewall setting in your ubuntu ec2 or remote instance and is not able to login via PuTTY through SSH as the instance. Here, we will see how to insert SSH into the instance in a certain situation when you are logged out of that instance.

During configuration of SSL security, we may accidentally or purposely block SSH for the instance to make the instance secure. But, what if we again want the same instance to SSH for certain changes.  

Before proceeding further, read about how to Install Jenkins on Ubuntu.

Below is the highlighted configuration of the instance. Here, you can see that all the instances have all ports opened to everything.


configuration of SSL security


Here are the configuration changes which you have made on the login into instance:

$ sudo apt-get update
$ sudo apt-get install nginx
$ sudo apt-get install ufw
 


Check UFW Status and Rules
 
At any time, you can check the status of UFW with this command:

$ sudo ufw status verbose

By default, UFW will be disabled so you should see something like this:

Output:
Status: inactive

If UFW is active, the output will say that it's active, and it will list the rules that are set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look something like this:

Output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN Anywhere


$ sudo ufw deny ssh

$ sudo ufw status verbose

Output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     DENY    Anywhere

If you kicked or logged out of the instance once the changes are done, you will be seeing the below results.

On SSH into the instance with your Public DNS through PuTTY below are the results which you are seeing as an error i.e. Network error: Connection Timed Out  


Below error shows that even after all ports were opened outside, the instance is not able to SSH because of firewall software of Ubuntu at the system level. Let’s see how to resolve this kind of system related issue.



Solution to the issue:

Step 1: Take an image of the EC2 instance by selecting the instance ->Image-Create Image


EC2 instance


Step 2: Provide specification Image name, tick on no reboot and push the create image button

Step 3: Then Select the image and click on launch


reboot and push the create image button


Step 4: Go to instance type, select and click on Next


instance type


Step 5: In the configuration instance, write the below commands under Advanced Details and click on next:

#!/bin/bash
sudo ufw allow ssh
sudo ufw allow 22
sudo ufw allow 443
sudo ufw allow 8080
sudo ufw allow 80
sudo ufw status 
sudo ufw enable


Step 6: Click next and next tab and add security group similar as provided

Step 7: Review and launch the instance and then try to SSH to the instance through PuTTY. You will be now able to add SSH inside the instance with this and you can terminate the old instance as the new instance with all the setup same as that of the old instance without any issue except the public IP and private IP change.

SSH to the instance through PuTTY


Best Practices of Firewall Configuration & Port Blocking:

  • Ensure that the Security Groups will allow a specific IP addresses which are within the VPN Range of the Environment.

  • Use of NACL for allowing and blocking the IP addresses or subnets for a specific Port by using allow and deny rules. A network ACL contains a numbered list of rules that we evaluate in order, starting with the lowest numbered rule. This helps to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. We recommend that you start by creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules.

  • Use of Bastion Host for accessing critical servers and environment is always a better option to increase the security of the system or environment.

 We hope that this article gave you a clear understanding of how AWS services work. You can understand how cloud computing works by making yourself familiar with these services. To learn more about AWS, you can check out the other blogs and the AWS certification course by KnowledgeHut.

Profile

Rohan Singh

Blog Author

Rohan Singh is the Devops Engineer Manager and Solution Architect at healthcare product based MNC, he is a technical blogger who shares technical related issues based on real life experiences to motivate IT professionals in putting their efforts for the betterment of  Devops and solution architect field