1
votes

I'm trying to connect to an EC2 instance via SSH. When I try to connect to the instance using ssh -i "test.pem" [email protected] I get the error: ssh: connect to host xx.xx.xx.xx port 22: Operation timed out.

EC2 instance config

Platform: Amazon Linux

AMI: ami-0841edc20334f9287

Instance type: t2.micro

Public IPv4: associated Elastic IPv4

EC2 instance associated VPC subnet config:

Route Table: (Destination - Target)

10.0.0.0/24 - local

0.0.0.0/0 - igw-...

ACL: (Type - Protocol - Port range - Source)

Inbound

SSH - TCP - 22 - 0.0.0.0/0

Outbound

HTTPS - TCP - 443 - 0.0.0.0/0

Security Groups: (Type - Protocol - Port range - Source)

Inbound

SSH - TCP - 22 - xx.x.xxx.xxx/xx (My IP)

Outbound

HTTPS - TCP - 443 - 0.0.0.0/0

Attempts:

  1. Followed this AWS article (solution #3) in which they propose adding this script to the instance's user data:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# Flush all iptables rules on the instance, then restart sshd
iptables -F
service sshd restart
--//--

Which resulted in the same error: ssh: connect to host public.ip port 22: Operation timed out

  2. Changing the ssh user:

ssh -i "test.pem" [email protected]

ssh -i "test.pem" [email protected]

Which resulted in the same error: ssh: connect to host public.ip port 22: Operation timed out

  3. I tried using my public subnet within the same VPC and I was able to connect to EC2 via ssh. When comparing the public and private subnets, the only difference was that the public subnet's NACL allowed all inbound traffic.

  4. Connecting with EC2 Instance Connect on the console resulted in a blank terminal window even after 10 minutes or so.

1
Can you telnet <vm ip> 22? - paltaa
NACL should be the issue. Can you try allowing all the traffic in the NACL? This is because the ephemeral ports should be allowed for the inbound and outbound rules. That is usually the ports between 1024-65535. You can read more about ephemeral ports here: docs.aws.amazon.com/vpc/latest/userguide/… - Arun K
Also in the outbound NACL, you are not allowing the ssh outgoing traffic. NACLs are stateless and you should allow the return traffic as well. - Arun K
@ArunK Thank you for both of your suggestions. Adding the inbound/outbound NACL rules to account for the ephemeral ports fixed the problem. - Marshallm
@ArunK If you want to write up your comment as a suggested answer, I'd be more than willing to approve it as the accepted answer. - Marshallm

1 Answer

1
votes

Your NACL has the inbound rule for ssh. You should also allow the return ssh traffic in the outbound NACL rules, because NACLs are stateless, unlike security groups.

In addition to that, you should also allow ephemeral port ranges for the inbound and outbound NACL rules. Ephemeral ports are random ports ranging between 1024 and 65535 that a client initiating the request chooses as the source ports.

NACL Ephemeral Ports
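To make the stateless-evaluation point concrete, here is an added example (not code from the question, the answer, or AWS) that models how a network ACL evaluates a packet: lowest-numbered matching rule wins, and anything unmatched hits the implicit deny. It runs the question's original rule set and the answer's fixed rule set against both halves of an SSH session; the rule numbers, client IP and client port are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rules are evaluated in ascending number; first match decides
    protocol: str     # "tcp" or "all"
    port_from: int    # port range applies to the packet's *destination* port
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    allow: bool


def nacl_allows(rules, proto, remote_ip, dst_port):
    """Stateless evaluation of one packet; no matching rule means the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", proto):
            continue
        if not (r.port_from <= dst_port <= r.port_to):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        return r.allow
    return False


def ssh_session_allowed(inbound, outbound, client_ip, client_port):
    """A session needs both directions: client:ephemeral -> 22 (inbound rules)
    and 22 -> client:ephemeral (outbound rules, checked against the client's port)."""
    request_ok = nacl_allows(inbound, "tcp", client_ip, 22)
    reply_ok = nacl_allows(outbound, "tcp", client_ip, client_port)
    return request_ok and reply_ok


# Rules as posted in the question: SSH inbound, HTTPS outbound only.
ORIGINAL_INBOUND = [Rule(100, "tcp", 22, 22, "0.0.0.0/0", True)]
ORIGINAL_OUTBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", True)]

# Fix from the answer: allow the ephemeral range (1024-65535) in both directions.
EPHEMERAL = Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", True)
FIXED_INBOUND = ORIGINAL_INBOUND + [EPHEMERAL]
FIXED_OUTBOUND = ORIGINAL_OUTBOUND + [EPHEMERAL]

CLIENT_IP, CLIENT_PORT = "203.0.113.10", 51234  # constructed sample client

if __name__ == "__main__":
    print("original rules:", ssh_session_allowed(ORIGINAL_INBOUND, ORIGINAL_OUTBOUND, CLIENT_IP, CLIENT_PORT))
    print("fixed rules:   ", ssh_session_allowed(FIXED_INBOUND, FIXED_OUTBOUND, CLIENT_IP, CLIENT_PORT))
```

The inbound ephemeral rule matters for the same reason in the other direction: the instance's own outbound HTTPS requests get replies to an ephemeral port, which the original inbound rules would also drop.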