This blog is in reference to a troubleshooting situation in Amazon Web Services when you have configured firewall setting in your ubuntu ec2 or remote instance and is not able to login via PuTTY through SSH as the instance. Here, we will see how to insert SSH into the instance in a certain situation when you are logged out of that instance.
During configuration of SSL security, we may accidentally or purposely block SSH for the instance to make the instance secure. But, what if we again want the same instance to SSH for certain changes.
Below is the highlighted configuration of the instance. Here, you can see that all the instances have all ports opened to everything.
Here are the configuration changes which you have made on the login into instance:
$ sudo apt-get update $ sudo apt-get install nginx $ sudo apt-get install ufw
Check UFW Status and Rules
At any time, you can check the status of UFW with this command:
$ sudo ufw status verbose
By default, UFW will be disabled so you should see something like this:
Output: Status: inactive
If UFW is active, the output will say that it's active, and it will list the rules that are set. For example, if the firewall is set to allow SSH (port 22) connections from anywhere, the output might look something like this:
Output: Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp ALLOW IN Anywhere $ sudo ufw deny ssh $ sudo ufw status verbose Output: Status: active Logging: on (low) Default: deny (incoming), allow (outgoing), disabled (routed) New profiles: skip To Action From -- ------ ---- 22/tcp DENY Anywhere
If you kicked or logged out of the instance once the changes are done, you will be seeing the below results.
On SSH into the instance with your Public DNS through PuTTY below are the results which you are seeing as an error i.e. Network error: Connection Timed Out
Below error shows that even after all ports were opened outside, the instance is not able to SSH because of firewall software of Ubuntu at the system level. Let’s see how to resolve this kind of system related issue.
Solution to the issue:
Step 1: Take an image of the EC2 instance by selecting the instance ->Image-Create Image
Step 2: Provide specification Image name, tick on no reboot and push the create image button
Step 3: Then Select the image and click on launch
Step 4: Go to instance type, select and click on Next
Step 5: In the configuration instance, write the below commands under Advanced Details and click on next:
#!/bin/bash sudo ufw allow ssh sudo ufw allow 22 sudo ufw allow 443 sudo ufw allow 8080 sudo ufw allow 80 sudo ufw status sudo ufw enable
Step 6: Click next and next tab and add security group similar as provided
Step 7: Review and launch the instance and then try to SSH to the instance through PuTTY. You will be now able to add SSH inside the instance with this and you can terminate the old instance as the new instance with all the setup same as that of the old instance without any issue except the public IP and private IP change.
Best Practices of Firewall Configuration & Port Blocking:
Ensure that the Security Groups will allow a specific IP addresses which are within the VPN Range of the Environment.
Use of NACL for allowing and blocking the IP addresses or subnets for a specific Port by using allow and deny rules. A network ACL contains a numbered list of rules that we evaluate in order, starting with the lowest numbered rule. This helps to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. We recommend that you start by creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules.
Use of Bastion Host for accessing critical servers and environment is always a better option to increase the security of the system or environment.
We hope that this article gave you a clear understanding of how AWS services work. You can understand how cloud computing works by making yourself familiar with these services. To learn more about AWS, you can check out the other blogs and the AWS certification course by KnowledgeHut.
Your email address will not be published. Required fields are marked *