Sorry for the basic question but im a complete noob on those matters.
I have a cloud server where i run a jup[yter notebook server, which normally is run on port 8888.
However when i try to connect to it from work, it doesnt work, which i suspect is due to the firewall.
I can connect from work to a regular ssh session through port 22 or 443.
However the jupyter notebook refuses to be run on those ports, probably because they are allocated already.
I tried to run PortQry to get the open ports on my work server (which is windows) and it reurned port 50248. I tried to have my jupyter server to listen on that one but it didnt work.
I also tried to scan the open port of my work server, but i received a warning from AWS! And the few ports that were returned as seemingly opened didnt work either when i set up my jupyter notebook to listen on them.
I would like to understand:
On my own server: How can i identify which port the jupyter server program can listen on?
On my work machine: How can i identify which one of my own server port would be let through the firewall of my work?
You need to use SSH local port forwarding.
https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
You will open a SSH connection to your server but a local port, lets say 4444, will connect over the SSH connection and resolve to 8888 on the remote server.
With this you'd be able to open a browser locally and go to localhost:4444 and it would resolve to your remote hosted site. The command for this locally would be something like -
ssh -L 4444:localhost:8080 yourremoteserveraddress
An alternative option would be to use a SOCKS proxy via dynamic forwarding but this would involve needing to reconfigure your browser.
Always keep in mind any company policies around this type of thing. Even though 22 and 443 are open to the internet, use of them in this manner may break a policy and there is always the possibility of the company using a MITM proxy to monitor for this type of usage, specifically on 443.
Related
I am running Xdebug extension on PHP webserver (IIS), and VSCode on different development machine.
When I start listening for Xdebug session in VSCode (with Felix Becker's PHP Debug) without proxy, everything works as expected.
Now I am trying to use dbgpProxy because there are multiple devs on the development machine.
I have tried to run dbgpProxy on the webserver and register to it by activating proxy settings in VSCode, but it fails with Connection refused. At the same time, Xdebug connects to the proxy just fine and proxy tries to forward incoming session based on IDE key but of course cannot find it because the registration failed.
So I tried running dbgpProxy on the development machine. This time VSCode registered successfully with the proxy, but when Xdebug tried to connect to the listening proxy, it failed.
I was pretty sure I knew what I was doing, ports were open, everything SHOULD work but it didn't.
It turned out to be a problem in the IP addresses.
I ran the proxy with default settings, which is localhost (127.0.0.1) for both server and client part with respective ports 9000 and 9001. Which was wrong (for my situation).
To listen to the incoming connections from another machine, proxy has to be configured with real IP address of the machine it is running on, otherwise it won't listen.
In my case I have decided to run the proxy on the server, so I run it with just one parameter for the incoming client connections and leave the server parameter default (which is 127.0.0.1:9000 and of course configure XDebug in php.ini to this address and port).
dbgpProxy.exe -i 10.123.54.76:9001
Currently I am accessing my VS code instance through it's remote feature. Sometimes it's SSH, sometimes K8s pod, sometimes remote Docker instance.
After I am able to attach VSCode to that remote instance, I can connect to some resources behind that instance ( Database, internal services... ). The configuration is like this
MyLocalPC -------------------------> RemoteVSServer -------------------------> Database
I can see that in VSCode there is a feature where ports on the [RemoveVSServer] can be forwarded to [MyLocalPC]
Here I can access RemoveVSServer:3000 from MyLocalPC:3000
My question is that is there any feature where I can access [Database]:9999 from [MyLocalPC]. By VSCode default or a plugin/extension/small application
Finally I installed HAProxy on the instance that run VSCode Server
The HAProxy map remote port 9999 to VSCode Server's port 9999
From there I can do one more port-forward from VSCode Server's port 9999 to my local PC's port 9999
A simple config for HA Proxy can be found here
I have setup a simple HTTP java server running locally on port 8000. It simply prints a message "Hello world" when a request comes. When I try to ping it from the browser by running http://localhost:8000/test I get my message printed.
I want to get the same results from another computer that is not local. When I try to use my public IP lets say http:/43.xxx.xxx.xxx:8000/test (even from the same machine) I get an ERR_CONNECTION_REFUSED .
I probably suspect that has something to do with the firewall. Can anyone guide me a little more because I lack the experience?
Thanks in advance
You don't specify what host OS your server/firewall is running so I'll keep this generic...
Without knowing your application, it seems like the server is sending a reset (RST packet) when the first SYN packet shows up indicating that the port (on that interface [your external]) is closed. You can do a quick port scan from here (https://mxtoolbox.com/PortScan.aspx) if you don't have access to a remote machine to test with. Odds are, TCP/8000 will not be open.
If it is, in fact, closed, you'll have to look at the firewall that your host OS is running and find out how to allow TCP/8000 to your host. In a major firewall vendor, your rule would look similar to this:
Source: Any
Destination: Your Public IP Address
Service: TCP/8000
Action: Allow
Logging: Full
That being said, you mentioned this was a PC so look into "iptables" (if you're running *nix) or the Windows Firewall (if you're running Windows) on adding firewall rules (Unfortunately I just joined and can't ask questions/comments, yet).
If you really want to find out what packet is being sent, run a tcpdump on your external interface (let's say eth1) (assuming your remote IP is 1.2.3.4 and your home public IP is 4.5.6.7):
tcpdump -nn -vvv -e -s 0 -X -c 100 -i eth1 host 1.2.3.4 and host
4.5.6.7 and port 8000
Here you're looking for the SYN/SYN-ACK/ACK for a successful TCP negotiation or SYN/RST if there is a firewall rejecting (not dropping) the TCP stream to the port.
Once the port is open on the host OS firewall, take a look at the application to make sure it's configured properly. If this were a standard webserver, you could take a look at the configuration files for the "Allow from" directives to make sure that everyone can access the site. If this is a custom application that you've created, you'll have to check this yourself.
I finally solved my problem. I needed to open a forwarding port in my router that maps my local ip address to the public. My router is TP Link so this what I did:
http://www.tp-link.com/us/faq-72.html
Also in order for this to work every time and not to have to reconfigure this every time I reconected to the router (because I get a new local IP), I have created a static local ip for my server following this guide:
http://www.tp-link.com/us/faq-182.html
Thanks for all the replies.
The Preamble
I start up my local SSH terminal at work behind a firewall, and connect to a remote server all the time without any problem.
The way Xdebug works, correct me if I'm wrong, is that it sends an "unsolicited" request to my network's port 9000. I actually initiated that action by sending the remote server an HTTP request through my browser with a POST/GET/COOKIE variable instructing xdebug to start up. But my network doesn't know that. All it knows is that it is getting a request on port 9000 from the internet. It doesn't know which computer in its private network to forward it to (without setting up port forwarding on the router), and can only ignore the request.
So if you can't do port forwarding, another option (and a much better one from what I can tell), is SSH tunneling. My computer sends the SSH request, the server responds. My router knows which computer in its network to route these responses to. Piggybacking on that SSH connection allows those "unsolicited" port 9000 requests from the remote server to get to me.
I think I understand that much.
I finally got tunneling to work, thanks to stackoverflow, but how it works is still fuzzy to me.
On the remote server, I tell Xdebug to connect to localhost (not to my ip via xdebug.remote_host=173.123.45.56, and not to xdebug.remote_connect_back=1 which also would end up at my IP) on port 9000. Connecting to localhost seems a bit weird, since I picture that as the server sending messages to its own IP address, as if it is sending messages into itself (but I think that connecting to localhost is probably fundamentally different than connecting to any other IP... I don't think the message gets routed out and back in to localhost).
On my computer at work, I open up an SSH connection on port 22, specifying a tunnel to/on port 9000, and remote port 9000. I've seen some explanations of the various settings here but still don't understand them. Some even seem to involve three machines. What seems to be happening though, is I'm connected as usual via port 22, but I've told the remote machine that I want to receive its port 9000 communications. I've specified "localhost" in my tunnel, and I suppose that might need to match the localhost in my xdebug.remote_host value. I wonder if I specified my IP address in both places (i.e. xdebug.remote_host=173.123.45.56 on the remote server, and same IP in my SSH terminal), would that work too?
So Xdebug on the remote server sends me a request to initiate a debug session. It comes through my port 22, but my SSH tunnel somehow makes it seem that it is coming in on port 9000. So my IDE that is listening on port 9000 receives the request and sends a response (also on 9000), which my SSH tunnel intercepts somehow and sends back to the remote server on port 22, where it is similarly spoofed into looking like port 9000 to xdebug.
The Crux
So what I'm really not clear on is, what exactly is the localhost in my SSH tunnel configuration referring to? Does it relate directly to the xdebug.remote_host=localhost value? Can I change them both to my IP address?
Are all of the remote server's outgoing communications on port 9000 being forwarded to me, or just some of them? E.g., if someone in Chattanooga initiates a debug session in their browser, will I receive Xdebug's response?
Are all of my outgoing communications on port 9000 being forwarded to that server? I.e. can I debug two applications on two different servers at the same time, with some of my port 9000 communications going one way and some the other, or would I need one port per local application? (I can use Google Chrome and Firefox browsers at the same time, both on port 80, for example.)
The tunnel consists of an SSHD listening to port 9000 (as well as 22) at your end and an SSHD listening to port 22 at the other end. When you connect your XDebug to your local 9000, the SSHDs intercommunicate and the remote SSHD connects to port 9000 at the remote. Thereafter your local port 9000 behaves identically to the remote port 9000: all data written to either end appears at the other end.
All connection attempts on RhodeCode on CentOS 6.3 are refused except from localhost.
Note that iptables is not running, and I am only trying to visit the web interface.
I have googled the exact error message below and looked around SO. I have yet to find a solution.
abort: error: No connection could be made because the target machine actively refused it
If the firewall is down, and I am not trying to modify any repository, what else is preventing me from connecting? EDIT: See #5 below. Not sure how to address it yet.
Things tried and other info
Using localhost, 127.0.0.1 and hostname in production.ini
service iptables stop
Connected over HTTP successfully. In other words, connections are accepted outside RhodeCode.
Made sure no authentication methods were enabled or configured in production.ini
Although the server accepts connections on localhost, netstat -l does not show that port 5000 is listening. Port 5000 is set in production.ini and ps uax | grep paster confirms the server is running. No other software tries to grab port 5000.
Ok, apparently I have been misunderstanding the host configuration. I was running on the assumption that host should be set to 127.0.0.1 or localhost in production.ini for RhodeCode to know what host to look for for another service. This was a faulty presumption on my part, since I am used to pointing web applications to local systems to look for databases.
It turns out that host binds the application to a specific address for access, meaning that it RhodeCode was supposed to only respond to local requests, regardless of what other system policies say. The setup docs did not make this clear because it did not specify that external connections would be refused. All it said was:
This command [paster serve] runs the RhodeCode server. The web app should be available at the 127.0.0.1:5000. This ip and port is configurable via the production.ini file created in previous step
The problem was fixed by binding RhodeCode to 0.0.0.0, which opened it to outside connections. Kudos to Ćukasz Balcerzak for pointing this out in the RC support google group.