Marthaj asked:

Unable to connect to EC2 instance via ssh to start Apache2 service

I have an EC2 instance which I can no longer connect to via ssh from a terminal window. Everything was fine until I enabled the firewall, which I should not have done.

I know Apache service is not active/running because when I enter this:

http://My-Public-IPV4-DNS

It does not return the Ubuntu/Apache Welcome page.

I have tried to understand how to connect by using the serial console but it's beyond my understanding at this point.

My AWS CLI still works. Can I use AWS CLI to restart the Apache2 service and to disable the firewall?

If so, how?

Any help appreciated.

Mlanda T

Did you download the key file for logging onto your EC2 instance? You should be able to connect to your instance through SSH. 

ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name


That gets you into your instance. This gives a more detailed step by step process https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html 


When you say you enabled the firewall, which firewall is this... In the instance? Since you have Network Security Groups and NACLs on your VPC subnet, those are usually how you lock things down. I would suggest disabling the Ubuntu firewall at this stage. 



Marthaj (ASKER)

Thank you for responding. Your coding is how I had been ssh-ing into the server and it worked very well. The problem is now it does not after I had enabled the Apache firewall and disconnected from my ssh session. It will not connect anymore, nor does it display the Ubuntu/Apache It Works page (using the Public IPV4 DNS).

In my mind, that is a good indicator that for whatever reason, Apache2 is not running or not reachable.

What I am trying to figure out is how to check Apache2 status and then start it if it is not running via AWS CLI.

My AWS CLI is working.

But I have not been able to figure out how to construct the command, if it is possible, via AWS CLI.

I have read about the bash file that is available to install Apache2 etc but that is not what I need.

I know about the serial console but I do not understand all the instructions etc. Beyond me.


 

Did you also include port 22 for ssh when you enabled the firewall for Apache? Maybe temporarily disable the firewall, test that you can connect, and if that works verify that you have included the correct rules in your firewall rule.

Marthaj (ASKER)

Thank you for responding. Not including port 22 when I enabled the firewall was the mistake I made. Now, it's how to undo it and connect again. I am pretty sure Apache isn't running because of not being able to display the Ubuntu/Apache2 It works page.



Do you know where you created the firewall rule ? At the VPC level or the instance level ?


If you just attached a firewall rule to the ec2 instance do this to update the rule to include port 22 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#adding-security-group-rule


If you attached the firewall at the VPC level try this https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-updating.html



When you say you enabled the firewall, which firewall is this... In the instance? Since you have Network Security Groups and NACLs on your VPC subnet, those are usually how you lock things down. 


If you used the security group or the NACL, then you can quickly update the rules and you will be able to access the Apache server. It will be helpful if you provide clarity on which firewall you configured your rules. 

Marthaj (ASKER)

Thank you for responding. The security groups were updated to allow ssh from specific IP addresses to port 22 in the EC2 Console when the instance was created.

The ip's using ssh are dedicated ip's so I know it is not because they might have changed.  They didn't, I checked.  I had been connecting via ssh in a terminal window just fine many times. I was checking on the status of Apache, Mysql  and PHP version. I checked the firewall using this:

sudo ufw status


I then enabled it. 

sudo ufw enable


I checked  the status of Mysql and  exited my terminal session.

Now I can not connect via ssh in a terminal window again.

The Ubuntu/Apache page does not display when I use this:

http://My-Public-IPV4-DNS 

And it did before I screwed up. I know I screwed up when I issued the 'sudo ufw enable'.

My AWS Cli still works. 

Does AWS Cli have a command to disable the ufw and check the status of Apache2 ? That's what I haven't been able to find out.



You can try using the AWS CLI with the ssm command to try and send a command to the instance, or you can run system commands using the Systems Manager agent if you have it installed on your Ubuntu server.

https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

or use the AWS CLI to send a simple command using the AWS-RunShellScript document

https://docs.aws.amazon.com/systems-manager/latest/userguide/walkthrough-cli.html#walkthrough-cli-example-1


If your Ubuntu machine is on the list of AMIs that have the SSM installed you can use that to run commands against the EC2 instance.

https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html


Try going to the EC2 instance in the EC2 dashboard and selecting Connect under the Actions drop-down menu. Under that you will see 4 different options to connect to the instance (EC2 Instance Connect, Session Manager, SSH client, and EC2 Serial Console). If you see the Session Manager try connecting via that; if that is not set up, follow these steps to get Session Manager enabled on the instance https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html then you will be able to ssh into the instance using the AWS console. Also, if you have the Session Manager installed you can set

ASKER CERTIFIED SOLUTION
Mlanda T

This solution is only available to members.

With SSM, you can try to re-enable the firewall

aws ssm send-command \
    --instance-ids "instance-ID" \
    --document-name "AWS-RunShellScript" \
    --comment "ufw disable" \
    --parameters commands='ufw disable' \
    --output text


This assumes that you have access to the "AWS-RunShellScript" document in SSM. The commands or scripts specified in Systems Manager documents run with administrative permissions on your EC2 instances.

Marthaj (ASKER)

Thank you for responding.

Mlanda T - I have to laugh because I was just getting ready to post the very same coding you did as a solution! I used the exact coding in user data. Seems to have resolved the problem....whew! Not going to do that again - lol! Just glad this server is not in production yet.

Adelaido - Your input has been very helpful too. Very good resources and I am digesting them. Sometimes there is so much information on the Internet, it is hard to sort out the valid and correct information. 

Again, thank you both - you both provided very good information. :)

Marthaj (ASKER)

Important Note: I used this script below instead of the original posted. Reason being was that when I recreated the 'problem' by enabling the ufw, the original script failed on second attempt.

Notice that the user-data is broken into two sections and the removal of 'sudo'.

Worked every time!  Another learning experience - lol!


Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# Turn off ufw so it no longer blocks inbound connections
ufw disable
# List the current iptables rules, then flush them
iptables -L
iptables -F
--//--
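Added example (not part of the original thread or anyone's posted code): a Python sketch that builds the same two-part user-data document with the standard `email` package and checks a document before it is attached to an instance. The function names and the recovery script, which keeps ufw enabled and allows ports 22 and 80 rather than disabling it, are assumptions made for illustration.

```python
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed recovery script (an assumption, not the asker's): keep ufw
# enabled and open only SSH and HTTP instead of disabling it and flushing rules.
RECOVERY_SCRIPT = """#!/bin/bash
ufw allow 22/tcp
ufw allow 80/tcp
systemctl is-active --quiet apache2 || systemctl start apache2
"""
# Same cloud-config part as in the post: re-run user scripts on every boot.
CLOUD_CONFIG = """#cloud-config
cloud_final_modules:
- [scripts-user, always]
"""
MAX_USER_DATA = 16 * 1024  # EC2 limit on raw (pre-base64) user data


def build_user_data(script=RECOVERY_SCRIPT, cloud_config=CLOUD_CONFIG):
    """Assemble the two-part MIME document with correct separators."""
    outer = MIMEMultipart("mixed", boundary="//")
    parts = ((cloud_config, "cloud-config", "cloud-config.txt"),
             (script, "x-shellscript", "userdata.txt"))
    for body, subtype, filename in parts:
        part = MIMEText(body, subtype, "us-ascii")
        part.add_header("Content-Disposition", "attachment", filename=filename)
        outer.attach(part)
    return outer.as_string()


def check_user_data(text):
    """Return a list of findings for a multipart user-data document."""
    msg = message_from_string(text)
    if not msg.is_multipart():
        return ["not multipart: check the boundary and header/body blank lines"]
    bodies = {p.get_content_type(): p.get_payload(decode=True).decode("ascii")
              for p in msg.get_payload()}
    script = bodies.get("text/x-shellscript", "")
    findings = []
    if "text/cloud-config" not in bodies:
        findings.append("no cloud-config part: script runs on first boot only")
    if not script.startswith("#!"):
        findings.append("shell part missing or lacks a shebang line")
    if "ufw disable" in script or "iptables -F" in script:
        findings.append("removes host firewall rules instead of allowing ports")
    if "scripts-user, always" in bodies.get("text/cloud-config", ""):
        findings.append("script re-runs on every boot: clear user data after recovery")
    if len(text.encode()) > MAX_USER_DATA:
        findings.append("exceeds the 16 KB user-data limit")
    return findings
```

The "re-runs on every boot" finding is expected for a recovery document; it is a reminder to remove the user data once SSH access is restored.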