I'm trying to monitor amazon server from my local server,I installed and configured snmpd but I can't arrive from my local server to amazon server using snmpwalk.
I check it with the command:
snmpwalk -Os -c public -v 2c XX.XX.XX.XX
from amazon server the snmp is working correctly but from local server is not working.
The SNMP configuration in amazon server is:
agentAddress udp:0.0.0.0:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity public 0.0.0.0
The configuration in /etc/default/snmp is:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
and the security group in amazon server I opened UDP to anywhere:
Custom UDP Rule - UDP - 161 - 0.0.0.0/0
-- Netstat result:
root## netstat -an | grep 161
udp 0 0 0.0.0.0:161 0.0.0.0:*
-- In my firewall i added this rule:
# cat rules | grep 161
ACCEPT loc:ip_local_server net:ip_amazon_server udp 161
I don't know what I have to check more.
any suggestion?
Thank you!
Lunching tcpdump I see this result in amazon server when I lunch snmpwalk in my local server:
17:38:23.591513 IP 1-1-1-1.ea.com.35403 > .snmp: GetNextRequest(25)
17:38:23.591690 IP .snmp > 1-1-1-1.ea.com.35403: GetResponse(114) system.sysDescr.0="Linux ip-17-3-2-2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64"
17:38:24.592491 IP 1-1-1-1.ea.com.35403 > .snmp: GetNextRequest(25)
But the result in local server is:
Timeout: No Response from 1.1.1.1
Related
I have 3 machines:
1. An application which uses different databases and other services.
2. Proxy (mitmproxy) (192.168.56.51)
3. Server with all databases and services which are required for the application. (192.168.56.50)
All 3 machines are in the same local network running Centos 7.
Right now machine 1 is using databases and services on machine 3.
My task to use the machine 2 as it would be a machine 3 and show all the traffic. I.e. I need to be able to listen to all ports on machine 2 and redirect traffic on equivalent ports on machine 3.
I made port redirects to mitmproxy port (8080) on machine 2 in iptables:
-A PREROUTING -i eth0 -p tcp -m multiport --dports 23:8079 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m multiport --dports 8081:65000 -j REDIRECT --to-ports 8080
Also, added forwarding to machine 2:
/etc/sysctl.d/mitmproxy.conf :
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.send_redirects=0
Then I started mitmproxy on machine 2:
mitmproxy --rawtcp
Then I tried to run an application, but mitmproxy shows a warning when something is trying to connect to a database. An example:
Warn: 192.168.56.1:51204: HTTP protocol error in client request: Bad HTTP request line: b'\x04\x00\x00\x00\x01...
What am I doing wrong?
May I know how to open port 11211 for EC2 instance memcached server?
I'm trying to connect from Rails server to memcached server. However something is wrong with my security group setting.
What I did so far is
To launch 2 instances. One is Rails server, the other is memcached server.
To set up security groups
Rails server : Outbound => All traffic , All protocol, All port
memcached server : Inbound =>
ssh TCP, port 22, All source
Custom TCP Rule port, 11211, Rails server IP address
When I login to Rails server and execute below command, it looks working for port 22
$ telnet <memcached private IP address> 22
Trying <IP address>...
Connected to <IP address>.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4```
But when I check port 11211, it doesn't work.
$ telnet <memcached private IP address> 11211
The first question is why only port 22 is working? Even if I've set almost the same thing into security group???
When I login to memcached server and check the status, it looks working.
$ sudo /etc/init.d/memcached status
● memcached.service - memcached daemon
Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-02-14 14:23:40 UTC; 19h ago
Main PID: 7569 (memcached)
Tasks: 6
Memory: 628.0K
CPU: 2.093s
CGroup: /system.slice/memcached.service
└─7569 /usr/bin/memcached -m 64 -p 11211 -u memcache
$ sudo netstat -ltup4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:11211 *:* LISTEN 6486/memcached
udp 0 0 *:11211 *:* 6486/memcached
Could you let me know what should I do?
you need to add the security group of you rail server in the memcached server inbound rule.
Add a new rule, select your protocol and port range. For "Source", type or select your security group.
I have an EC2 instance which is running with the following security groups:
HTTP - TCP - 80 - 0.0.0.0/0
Custom UDP Rule - UDP - 1194 - 0.0.0.0/0
SSH - TCP - 22 - 0.0.0.0/0
Custom TCP Rule - TCP - 943 - 0.0.0.0/0
HTTPS - TCP - 443 - 0.0.0.0/0
However, when I try to access http://{PUBLIC_IP} or https://{PUBLIC_IP} in the browser, I get a "{IP} refused to connect" error. I'm new to AWS. Am I missing something here? What should I do to debug?
One way to debug this particular class of problem is to use netcat in order to determine where the problem lies.
If you run netcat against port 80 on the public IP address of your instance and just get a hang (no output at all), then most likely your security group isn't allowing traffic through. Here is an example from an EC2 instance that is in a security group that doesn't allow port 80 traffic inbound:
% nc -v 55.35.300.45 80
<just hangs>
Whereas if the security group is changed to allow port 80, but the EC2 instance doesn't have any process listening on port 80, you'll get the following:
% nc -v 55.35.300.45 80
nc: connectx to 52.38.300.43 port 80 (tcp) failed: Connection refused
Given that your browser gave you a similar "connection refused", most likely the problem is that there is no web server running on your instance. You can verify this by ssh'ing into the instance and seeing if you can connect to port 80 there:
ssh ec2-user#55.35.300.45
% nc -v localhost 80
nc: connect to localhost port 80 (tcp) failed: Connection refused
If you get something like the above, you're definitely not running a webserver.
I'm not sure if it's too late to help but I was stuck with a similar issue with my test server
SG Inbound: ssh -> 22
HTTP -> 80
NACL: default allow/deny settings
but still couldn't ping to the server from my browser, then I realize there's nothing running on the server that can serve the request, and I started httpd server (webserver) and it worked.
sudo yum -y install httpd
sudo service httpd start
this way you can test the connectivity if you are playing with SGs and NACLs and of course it's not the only way, just an example if you're figuring your System N/W out.
Have you installed webserver(ngingx/apache) to serve your requests. If so please share your the config files. (So that it will help to troubleshoot)
I think the reason is probably that you did not set up a web server for your EC2 instance, because if you try to access http://{PUBLIC_IP} or https://{PUBLIC_IP}, you need to have a background server to serve the http request as #Niranj Rajasekaran said.
By the way, by simply pinging the {PUBLIC_IP}, you could see if your connection to your EC2 instance is normal or not.
In command prompt or terminal, type
ping {PUBLIC_IP}
In my case, the server was running but available on just 127.0.0.1 so it refused connections from external hosts. To see if this is your situation, you can run
netstat -an | grep <port number>
If it says 127.0.0.1:<port number> instead of 0.0.0.0:<port number>, you have this problem.
Usually there's a flag or an argument in your server code somewhere to set the host to 0.0.0.0:
app.run(host='0.0.0.0') # flask example
However, in my case, I had already set this so I thought that couldn't possibly be the issue, which is how I ended up on this thread, which asks more generally about the problem. Unfortunately, I was using docker, and had set 0.0.0.0 on the container but was mapping that explicitly to 127.0.0.1 on the host in the docker-compose port-mapping:
ports:
- "127.0.0.1:<port number>:<port number>"
Changing that line to remove the host IP specification fixed the problem upon re-deploy:
ports:
- "<port number>:<port number>"
I'm running jboss5 in centos6.7 docker contrainer.
JBoss running using run.sh -b 0.0.0.0 command
Container running using docker run -i -t -p 8080:8080 my/jboss /bin/bash
This is what I see in container
[root#e44f2bbab31a bin]# netstat -alnt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN
This is what I see on host
15:04:17:(~)$ sudo docker ps
[sudo] password for c0rp:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e44f2bbab31a my/jboss "/bin/bash" 4 hours ago Up 4 hours 0.0.0.0:8080->8080/tcp thirsty_franklin
When I'm trying to access jboss application from host by localhost:8080 I see ERROR 404: Not Found.
When I'm checking localhost:8080 from inside container using wget I see same error ERROR 404: Not Found.
Everything is ok if I'm using ip address of container. Question is how can I bind host localhost:8080 to container ip_address:8080 ?
localhost is a alias for 127.0.0.1. This address used for loopback. It means what your request will returned to the same machine on Network OSI model layer(through lo0 interface in ifconfig command). But you can get access to your container using request to localhost:
!!!Very-very dirty hack!!! Don't use it. Just for understanding of localhost issue. You can edit hosts file (example for Mac):
sudo nano /private/etc/hosts
You will see something like this:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
Just replace 127.0.0.1 by ip of your container. I'm repeating: it's just for understanding of localhost
You can run NGINX instance on your localhost machine. You can configure it for sending all requests from localhost:8080 to containerIp:8080 (best variant without any configuration with routing)
I found that running
FROM registry.access.redhat.com/jboss-eap-7/eap71-openshift
that I also needed to open the management port, so you (or rather, someone in the future coming across this thread) should try this:
docker run -dit -p 8080:8080 -p 9990:9990 [image name]
I'm working on a web services architecture. I've got some software that I need to run on the native host machine, not in Vagrant. But I'd like to run some client services on the guest.
Vagrant's config.vm.forwarded_port parameter will open a port on the host and send the data to the guest. But how can I open a port on the guest and send the data to the host? (It's still port forwarding, but in the reverse direction.)
When you run vagrant ssh, it's actually using this underlying command:
ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=ERROR -o IdentitiesOnly=yes -i ~/.vagrant.d/insecure_private_key vagrant#127.0.0.1
SSH supports forwarding ports in the direction you want with the -R guestport:host:hostport option. So, if you wanted to connect to port 12345 on the guest and have it forwarded to localhost:80, you would use this command:
ssh -p 2222 -R 12345:localhost:80 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=ERROR -o IdentitiesOnly=yes -i ~/.vagrant.d/insecure_private_key vagrant#127.0.0.1
As Eero correctly comments, you can also use the command vagrant ssh -- -R 12345:localhost:80, which has the same effect in a much more concise command.
In the book Vagrant: Up and Running (Pub. date: June 12, 2013), written by the creator of Vagrant, he mentioned that it is not possible for guest machine to access services running on the host machine.
Instead of using Forwarded Ports, you could set up a private network using Host-Only Networks.
Pros of using Host-Only Networks over Forwarded Ports
Guest machines may access the services running on host machine
This feature would solve your problem.
Guest machines may access the services running on other guest machine
This feature is very useful to separate services onto multiple machines to more accurately mimic a production environment.
Secure
Outside machines have no ways to access the services running on the guest machines
Less work
No need to configure every single Forwarded Port
How to configure Host-Only Networks
config.vm.network :"hostonly", "192.168.0.0" # Vagrant Version #1
config.vm.network :private_network, ip: "192.168.0.0" # Vagrant Version #2
Having this line in your Vagrantfile will instruct vagrant to create a private network that has a static IP address: 192.168.0.0
The IP address of the host is always the same IP address but with the final octet as a 1. In the preceding example, the host machine would have the IP address 192.168.0.1.
You can access ports on the host machine through the default gateway inside the guest OS. (Which typically has an IP of 10.0.2.2.)
For example, if you have a webserver running on port 8000 on your host machine...
echo 'Hello, guest!' > hello
python -m SimpleHTTPServer 8000
You can access it from inside the Vagrant VM at 10.0.2.2:8000 (provided 10.0.2.2 is the ip of the guest's default gateway):
vagrant ssh
curl http://10.0.2.2:8000/hello # Outputs: Hello, guest!
To find the IP of the default gateway inside the guest OS, run netstat -rn (or ipconfig on a Windows guest) and look for the row with a destination IP of 0.0.0.0 (or the field labeled "Default Gateway" on Windows):
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.33.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
You can extract this IP programmatically with netstat -rn | grep "^0.0.0.0 " | tr -s ' ' | cut -d " " -f2.
Sources: How to connect with host PostgreSQL from vagrant virtualbox machine; Connect to the host machine from a VirtualBox guest OS?
Add following to your ~/.ssh/config on the host machine:
Host 127.0.0.1
RemoteForward 52698 127.0.0.1:52698
It lets you access a service on host machine port 52698 from Vagrant, as long as you logged in via vagrant ssh.
You can confirm it works by running netstat -lt on vagrant VM and taking a note on the following lines:
tcp 0 0 localhost:52698 *:* LISTEN
tcp6 0 0 ip6-localhost:52698 [::]:* LISTEN
I can access services running on my host machine via its local IP address (not its loopback address). I tested by creating an http server on port 80 (and then on port 987) and curling 197.45.0.10:80 and 197.45.0.10:987 (actual ip address changed to protect the innocent). It worked both times, and I don't have any special vagrant configuration (no public_network, no forwarded_port) and while I do have some ports forwarded via PuTTY, I don't have ports 80 and 987 forwarded. So maybe try using the host machine's local or public IP address.
And if you want to access (ssh into) one guest vagrant instance from another, you can enable public_network as well as forwarding from port 22 in the Vagrantfile like this:
config.vm.network "public_network"
config.vm.network "forwarded_port", guest: 22, host: 2200
Then as long as that port is open (ie do some more port forwarding in your router config) you can access that machine from anywhere, even the outside world.