My Ubuntu Server 11.04 free-tier instance security group opens SSH, HTTP, HTTPS to the public web and nothing else (not even the inter-group TCP/UDP/ICMP ports enabled by the default sec group).
But when I Nmap my server's public dns, it shows HTTP & HTTPS closed, with ftp (21), rtsp (554), and realserver (7070) all open. This would, of course, explain why I can't view the website I'm running on that instance, so I need to fix it.
This is a cross-post from the AWS EC2 forum, but since I've got no replies yet, I'm hoping for better luck here.
my SecGroup (no other rules for UDP or ICMP):
TCP
Port (Service) Source Action
22 (SSH) 0.0.0.0/0 Delete
80 (HTTP) 0.0.0.0/0 Delete
443 (HTTPS) 0.0.0.0/0 Delete
Nmap:
kurtosis#kurtosis-laptop:~/bin/AWS$ nmap ec2-184-73-70-26.compute-1.amazonaws.com
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-14 23:27 PDT
Interesting ports on ec2-184-73-70-26.compute-1.amazonaws.com (184.73.70.26):
Not shown: 994 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp closed http
443/tcp closed https
554/tcp open rtsp
7070/tcp open realserver
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
Why are http and https closed when my security group specifies they should be open, and why is ftp, rtsp, and realserver open when my security group does not include them at all? Anyone know why the discrepancy?
Are you sure your instance is a member of the security group you're modifying? In the EC2 Console you can see this by clicking on the Instance, it'll list the security groups it's a member of as "sg-12345".
Alternatively it may be an issue with just that instance - try terminating that instance and starting a new one to see if the problem persists.
Related
I have installed the peerjs server on my windows server as per github, and successfully get the message:
“Started PeerServer on ::, port: 9000, path: /myapp”.
I then opened port 9000 in the windows firewall, and find the following two entries in the netstat listing:-
TCP 0.0.0.0:9000 vmBCE3892:0 LISTENING
[node.exe]
TCP [::]:9000 vmBCE3892:0 LISTENING
[node.exe]
My server has 2 different IP addresses for 2 different web applications under IIS.
To check peerjs connectivity I used telnet as follows:-
telnet ipaddress 9000
with each IP address, neither would connect.
I cannot see how to tie the peerjs server to one of the ipaddresses or the corresponding domain name.
It seems that my ISP blocks all ports other than 80 & 443, despite them appearing to be available in my firewall. As for the two IP adresses, either would have reached peerjs server had the port been open.
Trying to post a website via port forwarding but everytime I use an open port check tool it says that the port cannot be reached. I was wondering if someone out there has done port forwarding in this router. Thank you.
These are the settings for my port forwarding:
Protocol: TCP
WAN host start & end IP: Blank
WAN Start and End Port: 8080
LAN host start and end port: 8080
WAN Connection: TR069
LAN host address: my IP
I have set up a static IP address, and even changed the port of httpd.exe to 8080 and 8081 (xampp) because I thought my ISP was blocking port 80.
Any type of help is appreciated. Cheers.
I was battling this over a month only to discover that I have a CGNAT (Carrier given NAT [NAT from ISP]) So no matter what settings I changed on my router my ports will never be opened.
Today finally my ISP removed the NAT from my account and I was able to proceed to open ports.
So I am sharing this info now for any others who may have difficulty opening their ports.
For the ZTE F670L GPON ONT router, you need to login as an admin:
Username: admin -
Password: Web#0063
Proceed to Internet in the main tab and select Security in the left panel then
in the sub tabs select Port Forwarding.
I also have DMZ enabled. Here are the screenshots of my settings.
(Please be sure that your PC/device IP is static)
Screenshot of my static IP on my PC
https://i.imgur.com/Ug51E7k.png
Screenshot of port forwarding settings for port 16000 UDP (I opened both TCP and UDP)
https://i.imgur.com/F3KP6PG.png
Screenshot of DMZ settings. (Not always necessary)
https://i.imgur.com/4MZWP1A.png
If your ports are not opened after just the normal port forwarding settings, you can try to enable DMZ as in the above screenshot. If still no luck, contact your ISP and ask them to remove NAT from your account.
I hope this helps
I kept blaming my poor router when in fact it was just my ISP.
What I did to solve this problem was made a listener request in my case on Linux, using the following command "nc -l -p PORT", before that you need to set up correctly the port forwarding on the F670L, then you go to a web port checker and just fill with your ip, and the port that you opened.
It will work only with the first request, then the port will close.
Hope you can solve it
Before anything else, I have read about 30+ StackOverflow answers and none of them seem to address my particular flavour of this problem. Below I list all the answers I have already tried before asking for more advice.
I am trying to access my ec2 instance via socket in PHP from a different machine via fsockopen, pointed at my ec2 public IP (I have an Elastic fixed IP address 54.68.166.28) and designated port.
Behaviour: I can access the instance and the ChatScript application running inside from within the instance, via the public IP directly on the browser. But if I run the exact same webpage with the exact same socket call on an external machine targeting my instance's IP address (double checked it is the correct one) I get a 500 Internal Server Error when connecting on port 1024 (for my custom TCP connection), another 500 on port 443 (HTTPS). On port 80 (HTTP) it hangs 20+ seconds then gives me status 200 success, except it does not connect properly to the application and responds with nothing.
Troubleshooting:
I have set up my security group rules to accept incoming TCP from anywhere:
HTTP (80) TCP 80 0.0.0.0/0
HTTP (80) TCP 80 ::/0
HTTPS (443) TCP 443 0.0.0.0/0
HTTPS (443) TCP 443 ::/0
Custom (1024) TCP 1024 0.0.0.0/0
Custom (1024) TCP 1024 ::/0
Outbound rules span port range 0 - 65535 with destination 0.0.0.0/0, so should work.
I ssh every time without problems into the instance on port 22. SCP also works fine.
Checked $sudo service httpd status: running, which is why my UI displays there fine.
Checked $sudo /sbin/iptables -L and all my policies are set to ACCEPT with no rules
Checked $ netstat --listen -p and the app I am targeting is listening on port 0.0.0.0.0:1024.
Checked Network Utility and ports 80 and 1024 are registered as open. Port 443 is not. Pinging did not work for any of them, with 100% packet loss.
Checked my instance is associated to the security group with all the permissions - it is. IP is clearly correct or I could neither ssh nor serve webpages... which I can.
I stopped and restarted the instance.
I replaced the instance.
I think this is due diligence before asking for help... now I need it!
I realised my configuration was correct: the problem was that the hosted domain I used for the GUI, like most hosted domains, does not open custom ports, so tcp did not work.
Hello today configured vps on Google Cloud and put Vesta control panel, but the problem is not open one https that is, and the ip server and the domain itself does not open on https. Set up Google Cloud firewall and opened ports 80,443 but https does not open the site itself is not the ip of the server. Checked through online services port 443 is closed but settings of the server and a firewall of Google and ip tables say that port 443 is opened (checked by several services port 443) and in the browser through ip of the server and the domain on https do not open. Please tell me how to open port 443?
Same with ports 8443,8080.
I am not able to comment but here are some steps that might help to isolate the issue:
Check to see if the port is open or closed or filtered using nmap
nmap [ip_address]
Firewall rules are defined at the network level and therefore make sure that you follow this document while creating the firewall rules to allow incoming traffic on TCP port 80 and 443 (same for other ports). In this document in step 11, choose " specified protocols and ports" and enter tcp: 80, tcp: 443.
As you previously stated, you need to make sure there is no firewall running inside the VM blocking those connections.
You also need to verify if the application running on your vps is listening on port 443. To check this, try with this command.
sudo netstat -ntlp | grep LISTEN
In the output, if you don't see the application beside port number, check if your vps is rightly configured to ports for your application.
I was having the same issue with NGinx. And Found the root cause finally to be the Firewall (GCP VM Firewall) having a lower priority for the rule. ie: I had 65534 (which is super low priority) for the "Ingress 443" rule. Which did block the traffic coming into the SSL. Instead when I set this rule to 1, traffic started flowing and issue sorted.
What finally helped me was https://cloud.google.com/vpc/docs/using-firewalls
Thanks #Md Zubayer for the tip.
I have two Ubuntu instances in the EC2 and I want to cluster them.
One ip will be refered as - X (the "net addr" ifconfig displayed IP) and its public ip will be reffered as PX.
the other ip is Y and its public is Y.
So now I did the following on both machines.
installed the latest rabbbitmq.
installed the management plugin.
opened the port for 5672 (rabbit) and 15672(management plugin)
connected to rabbit with my test app.
connected to the ui.
So now for the cluster.
I did the following commands
on X
rabbitmqctl cluster_status
got the node name which was 'rabbit#ip-X' (where X is the inner IP)
on Y
rabbitmqctl stop_app
rabbitmqctl join_cluster --ram rabbit#ip-X
I got
"The nodes provided are either offline or not running"
Obviously this is the private ip, so the other instance cant connect.
How do I tell the second instance where the first is located?
EDIT
Firewall is completely off, I have a telnet connection from one remote to the other
(to ports 5672(rmq),15672 (ui), 4369 (cluster port)).
The cookie on both servers (and the hash of the cookie in the logs is the same).
when recorded tcp when running the join cluster command and watched in wireshark. I saw the following (no ack. )
http://i.imgur.com/PLezLvQ.png
so I closed the firewall using
sudo ufw disable
(just for the tests) and I re-typed
sudo rabbitmqctl join_cluster --ram rabbit#ip-XX
and the connection was created - but terminated by the remote rabbit
here :
http://i.imgur.com/dxJLNfH.png
and the message is still
"The nodes provided are either offline or not running"
(the remote rabbit app is definitely running)
You need to make sure the nodes can access each other. RabbitMQ uses distributed Erlang primitives for communication across the nodes, so you also have to open up a few ports in the firewall. See:
http://learnyousomeerlang.com/distribunomicon#firewalls
for details.
You should also use the same data center for your nodes in the cluster, since RabbitMQ can get really sad on network partitions. If your nodes are in different data centers, you should use the shovel or federation plugin instead of clustering for replication of data.
Edit: don't forget to use the same Erlang cookie on all nodes, see http://www.rabbitmq.com/clustering.html for details.
The issue are probably TCP ports that should be opened.
You should do the following:
1) Create a Security Group for the Rabbit Servers (both will use it)
we will call it: rabbit-sg
2) In the Security Group, Define the following ports:
All TCP TCP 0 - 65535 sg-xxxx (rabbit-sg)
SSH TCP 22 0.0.0.0/0
Custom TCP Rule TCP 4369 0.0.0.0/0
Custom TCP Rule TCP 5672 0.0.0.0/0
Custom TCP Rule TCP 15672 0.0.0.0/0
Custom TCP Rule TCP 25672 0.0.0.0/0
Custom TCP Rule TCP 35197 0.0.0.0/0
Custom TCP Rule TCP 55672 0.0.0.0/0
3) make sure both EC2 use this security group,
note that we opened all TCP between the EC2
4) make sure the rabbit cookie is the same and that you reboot the EC2
after changing it in the slave EC2