cannot telnet to a linux server

Jason Yu
I have a new Linux server with CentOS 7 installed with Chef software. The IP address of this server is 172.16.177.177. I was able to telnet to port 443 on this server, please see below.

[root@jboss-testvm ~]# telnet 172.16.177.177 443
Trying 172.16.177.177...
Connected to 172.16.177.177.
Escape character is '^]'.



However, when I go to a Windows server on the same network, I couldn't telnet to port 443 on this server. I thought the firewall may block the communication between these two servers, but my network admin told me that since they are both on the same subnet, there is no firewall between them, so it won't be the firewall's issue. Could you experts here help me out?

Firewall is disabled.
[root@jboss-testvm ~]# service iptable status
Redirecting to /bin/systemctl status  iptable.service
● iptable.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)



[root@jboss-testvm ~]# lsof -i :443
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    794    root   14u  IPv4  16823      0t0  TCP *:https (LISTEN)
nginx   1025 opscode   14u  IPv4  16823      0t0  TCP *:https (LISTEN)
nginx   1026 opscode   14u  IPv4  16823      0t0  TCP *:https (LISTEN)
nginx   1027 opscode   14u  IPv4  16823      0t0  TCP *:https (LISTEN)
nginx   1028 opscode   14u  IPv4  16823      0t0  TCP *:https (LISTEN)
[root@jboss-testvm ~]# netstat -an | grep 443 | grep LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
[root@jboss-testvm ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4321          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:42822           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5672          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9680            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9683            0.0.0.0:*               LISTEN
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9462          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9463          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:15672         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11001         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11002         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:16379         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:59355           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34175           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:8983          :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
Scott Silva, Network Administrator

Commented:
What does the windows server show when you try to telnet from it?
Any errors?
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
Are both machines on the same switch? If not, then perhaps it's a route issue on the router.

Author

Commented:
Scott, it shows as below:

C:\Users\adm-yuj>telnet 172.16.177.177 443
Connecting To 172.16.177.177...Could not open connection to the host, on port 44
3: Connect failed

Author

Commented:
Hi, Pony:

I can ping the Linux box from my Windows server without problem. I did a trace route, and the result shows it doesn't pass any router.

C:\Users\adm-yuj>tracert 172.16.177.177

Tracing route to 172.16.177.177 over a maximum of 30 hops

  1     1 ms     2 ms     3 ms  172.16.177.177

Trace complete.

C:\Users\adm-yuj>

Author

Commented:
There is only one hop from the tracert result.

Thanks.
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
Since telnet does not support HTTPS it is unlikely that you can make a connection to port 443 which is commonly used for HTTPS.  One of the features of HTTPS is that the secure connection is made before any data is transferred.  You really should not have been able to connect to your Linux server.  It should not respond to anything other than HTTPS on port 443.

Author

Commented:
Hi, Dave:

I agree with you, thanks for the analysis. If I cannot use telnet to diagnose, what should I do to troubleshoot it?

Thanks.

Author

Commented:
Here is the result from nmap command:

[root@jboss-testvm ~]# nmap -sT -O localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-24 14:43 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
4321/tcp open  rwhois
5432/tcp open  postgresql
8000/tcp open  http-alt
9090/tcp open  zeus-admin
9999/tcp open  abyss
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
[root@jboss-testvm ~]#
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
You should be able to ssh to your Linux server. If you don't have an ssh client, try PuTTY.

Author

Commented:
Yes, I can ssh to my Linux server from the beginning. How could I know which application is listening on port 443? From the nmap result, it shows that port 443 is open. But I installed JBOSS and other applications on this server, and I want to check which application is listening on port 443. From the nginx configuration file of Chef, there is no 443 port showing there.

Please help, thanks.

Author

Commented:
I found lsof command, I used it to check which application is listening on port 443, here is the result.

[root@jboss-testvm ~]# lsof -i :443
COMMAND PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   762    root   14u  IPv4  14023      0t0  TCP *:https (LISTEN)
nginx   954 opscode   14u  IPv4  14023      0t0  TCP *:https (LISTEN)
nginx   955 opscode   14u  IPv4  14023      0t0  TCP *:https (LISTEN)
nginx   956 opscode   14u  IPv4  14023      0t0  TCP *:https (LISTEN)
nginx   957 opscode   14u  IPv4  14023      0t0  TCP *:https (LISTEN)
[root@jboss-testvm ~]#
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
nginx is the webserver, https has a default port of 443

Author

Commented:
then why I couldn't access the web server from another windows machine.

I am gonna install xming gui and see if I can open the web server locally.
Scott Silva, Network Administrator

Commented:
Did you set nginx to listen to port 443?
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
So what do you get when you try to browse (IE, Chrome, etc.) to https://172.16.177.177?
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
>> then why I couldn't access the web server from another windows machine.
Can you access it from the local machine? You can try: "lynx https://localhost".
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
And do you have an SSL/TLS certificate to support HTTPS on that machine?
Topic Advisor
Most Valuable Expert 2016
Commented:
Which Chef setup did you install?

From the Chef system requirements:
Firewalls and ports — If host-based firewalls (iptables, ufw, etc.) are being used, ensure that ports 80 and 443 are open. These ports are used by the nginx service

Author

Commented:
no, nginx was installed with Chef software. I checked nginx configuration file, there is no definition for port 443. I attached the configuration file.
nginx.conf.txt.txt

Author

Commented:
Chef Server, On-premises, the standalone installation.
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
>> no, nginx was installed with Chef software.
Requirements clearly state "ports are used by the nginx service", why do you doubt? If you did not change configuration manually then nginx is using port 443.

From your config file:

   # Chef HTTPS API
    include /var/opt/opscode/nginx/etc/chef_https_lb.conf;

Author

Commented:
Hi, Dave:
No, I don't. Do I need to install one for this webserver to work?

"And do you have an SSL/TLS certificate to support HTTPS on that machine?"

Author

Commented:
Dear experts, thank you very much for your active replies. I really appreciate your help.

Right now, I got xming reflector installed on my desktop. And I successfully opened the web site through the browser, please take a look. So, I believe the web server is on on my server. I just need to resolve why I cannot open the webserver from other hosts.

Do I need to change the port definition in the nginx configuration file?

Thanks.
Steven Carnahan, Assistant Vice President\Network Manager

Commented:
Without a cert you should still get a security warning when attempting to connect.
noci, Software Engineer
Distinguished Expert 2018

Commented:
For https you do need a certificate to connect from any place. ... An invalid cert may still give you some popup warnings. That is going to change soon, as the browsers will get more picky about certificates.

Now do systems use proxies to connect to websites, and can your proxy in that case reach your server?

Anything in the logging of NGINX? How about a wireshark trace from a successful system and from a failing system.
Both a trace from the server side as well as from the client side...
That would help to see what does reach...

Author

Commented:
Finally, I got it. There is a daemon called "firewalld", I should stop it first.

This daemon is different than the iptable firewall. I really didn't know of the existence of this thing. Is it new to CentOS 7 core?
noci, Software Engineer
Distinguished Expert 2018

Commented:
It is an intermediate between iptables & systemd. And it is needed for systemd.

Author

Commented:
Thanks to all the experts who helped me out with this issue. The issue was caused by the new "firewalld" service, which was the default service for CentOS 7. After I ran the following two commands, the website showed up immediately in other computers' browsers.

[root@jboss-testvm ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
[root@jboss-testvm ~]# systemctl stop firewalld

Thanks a lot for all these prompt replies, this is the reason I love experts-exchange!
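
An alternative to masking firewalld, given here as an added example that is not part of the original thread: the functions below read the text printed by `firewall-cmd --list-all` and print the commands that open only the https service. The sample zone text and its interface name are constructed; rich rules, source bindings and other zones are not examined.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a firewalld zone admits a
# TCP port, from the text printed by `firewall-cmd --list-all`.

# Constructed sample of a default "public" zone (interface name assumed).
SAMPLE_ZONE='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  rich rules:'

# zone_allows PORT SERVICE: reads zone text on stdin; succeeds when SERVICE is
# under "services:" or PORT falls in a tcp entry (single or range) of "ports:".
zone_allows() {
    awk -v port="$1" -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) ok = 1 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                split($i, a, "/")
                if (a[2] != "tcp") continue
                n = split(a[1], r, "-")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# fix_commands PORT SERVICE: prints the commands that open SERVICE permanently,
# or nothing when the zone on stdin already admits the port.
fix_commands() {
    if zone_allows "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "firewall-cmd --permanent --add-service=$2" \
                  "firewall-cmd --reload"
}

# Live use (as root): firewall-cmd --list-all | fix_commands 443 https
printf '%s\n' "$SAMPLE_ZONE" | fix_commands 443 https
```

Whether the daemon is running at all can be checked with `systemctl is-active firewalld`, which reports on firewalld even when the legacy iptables service unit is absent.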

Author

Commented:
Hi, Noci:

What is systemd? Is it a daemon for the system?

Thanks.
noci, Software Engineer
Distinguished Expert 2018

Commented:
systemd is the new startup system. It has had a blinding acceptance across various distributions.
With causing quite some disturbance. The software should be 100 foolproof, but has some issues.
If you need reliable systems, systemd is imho still experimental. (At least as long as it still corrupts journals and introduces a complex system for the basic function needed from the init process.)
As you can see I'm no fan of systemd. I need to deliver systems which guarantee 99.999% uptime for 365.25 * 24.
For those systems startup time is rather irrelevant, they should not restart regularly.
And losing logfiles/journals IS a problem.
