I have my free-tier EC2 containing my Scala application. The app is running on port 8080 but I have declared redirection from port 80 to port 8080. Security group of EC2 includes inbound rules of port 8080 and 80 to all IPs. Nonetheless, I couldn't access the service with browser.
Outputs from netstat and iptables
Security group
Browser returns ec2-35-157-211-142.eu-central-1.compute.amazonaws.com refused to connect.
I'd really appreciate it if someone could help me.
Thanks.
Ensure that your EC2 instances are located in public subnets. If that's fine, then ensure that they have public IPs assigned, otherwise they won't be accessible from the internet.
If they have public IPs, then you should check that the security group has an outbound rule allowing those ports for all IPs (or at least the ones you want to allow to connect). If you have an inbound rule but no outbound rule your instance won't be able to serve traffic, so please define the outbound rule the same way as the inbound rule.
If that's properly set, then ensure that the network ACL allows inbound/outbound rules for the same ports (and of course: it does not deny them).
I hope this helps :).
If you're able to connect locally but not remotely, chances are that you aren't binding your server to the external interface. To bind to all interfaces, just make host = "0.0.0.0" similar to the following:
For Spray:
IO(Http) ! Http.Bind(service, "0.0.0.0", port = 8080)
For Akka HTTP:
Http().bindAndHandle(route, "0.0.0.0", 8080)
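The difference between binding to 127.0.0.1 and binding to 0.0.0.0 can be reproduced on one machine without any cloud setup. The following Python script is an added example, not code from the answer above or from the Spray/Akka projects: it starts a throwaway TCP listener bound to a given address and then checks which destination addresses can reach it. It assumes a Linux-style loopback where every 127.0.0.0/8 address is local, so 127.0.0.2 can stand in for "a different interface" than 127.0.0.1; on systems without that, the second connect simply times out and is reported as unreachable, which is the same conclusion.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"
# Second loopback address (Linux delivers all of 127.0.0.0/8 to lo). It plays the
# role of "the external interface" so the demo runs offline on a single host.
ALT_LOOPBACK = "127.0.0.2"


def start_listener(bind_host):
    """Bind a TCP listener on bind_host and an OS-chosen port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        # Accept and immediately close; the kernel completes the handshake anyway,
        # so the client side sees "connected" or "refused" based purely on the bind.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def can_connect(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, timeout, no route
        return False


def reachability(bind_host):
    """Bind on bind_host, then report which destination addresses reach the listener."""
    srv, port = start_listener(bind_host)
    try:
        return {
            "via_loopback": can_connect(LOOPBACK, port),
            "via_other_address": can_connect(ALT_LOOPBACK, port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for host in (LOOPBACK, "0.0.0.0"):
        # Bound to 127.0.0.1 the listener answers only on 127.0.0.1; bound to
        # 0.0.0.0 it answers on every local address, which is what a browser
        # hitting the instance's public address needs.
        print(f"bound to {host:>9}: {reachability(host)}")
```

A listener bound to 127.0.0.1 is refused on every other address even though the process is up, which is exactly the "works with curl localhost, refused from the browser" symptom; `ss -ltnp` or `netstat -ltnp` shows the bound address in the Local Address column so you can confirm it before touching security groups.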
I need help port forwarding my webserver from my local IP to my external IP.
I have already tried setting up rules in my router for port 8080 (this is the current port for local ip as well (http://localhost:8080)) (Image Attached)
I am using Huawei Router: HG8145V5
I cannot access the webpage from my external IP; it shows "site can't be reached, took too long to respond".
I'm sure it's something wrong or extra needed with the port forwarding but cannot find out why.
The webpage is running on apache2.
Port Forward Rules
Webpage Running on 192.168.1.13:8080
I just found out I needed to enable DMZ in the forwarding rules to enable networking port forwards.
So I have an EC2 instance on AWS and it runs Mongodb. I have been having issues with hackers for a few months now and I can't seem to figure out how to keep them out. Luckily, I don't have anything important on there.
I did notice that my security group on AWS is basically open to all. For example, my inbound rules:
Port 80, tcp, 0.0.0.0/0
Port 8080, tcp, 0.0.0.0/0
Port all, tcp, 0.0.0.0/0
Port 22, tcp, 0.0.0.0/0
Port 27017, tcp, 0.0.0.0/0
Port 443, tcp, 0.0.0.0/0
If I change the source, is there a convention I should follow? How should I set the source? I am new to this as I did not set up my security groups. Just trying to figure out how I can keep out the hackers. They have been going at it for a while now.
The 0.0.0.0/0 means that the port allows connections from anywhere on the internet.
If you set the source, only the source (whether it's an IP or a range of IPs) will be able to access the port.
How you set the source really depends on your needs.
Your data source should ideally allow access only from trusted internal IPs. Remove full access to all TCP ports. Only keep 27017 and map it to the IP address which is accessing your system. For web access, it's best to configure a reverse proxy and access it via that proxy.
If you are the only one accessing the EC2 instance, you can edit your security group and choose "My IP" as the Source, and then only you would be able to access it and the hackers will not.
It is best practice to limit command and control ports (22, 3389, etc) to only be accessible from known networks, such as your home, VPN IP pool, or corporate network.
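The advice in the answers above (drop the all-ports rule, keep 80/443 public, pin SSH and MongoDB to a trusted source) can be turned into a small audit that is worth running before editing rules by hand. The script below is an added example, not part of any answer on this page or of the AWS tooling; it takes security-group inbound rules in the shape the question lists them (the sample rules are constructed from that list), flags rules open to 0.0.0.0/0 by severity, and shows how a rule is narrowed to a "My IP" style /32. The sensitive-port table and the severity labels are this example's own assumptions, and 203.0.113.7 is a documentation address standing in for your own IP.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Ports that should not be reachable from the whole internet (assumed list for
# this example: remote-administration and database ports; extend for your stack).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 27017: "MongoDB",
    3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
}
# Ports that are normally meant to be public on a web server.
PUBLIC_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "all"
    from_port: int   # -1 means "all ports" (the AWS convention)
    to_port: int
    cidr: str        # source CIDR


@dataclass(frozen=True)
class Finding:
    rule: Rule
    severity: str    # "CRITICAL", "HIGH" or "MEDIUM"
    message: str


def is_world_open(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) matches every address on the internet."""
    return ip_network(cidr).prefixlen == 0


def audit(rules):
    """Return findings for every rule whose source is the whole internet."""
    findings = []
    for r in rules:
        if not is_world_open(r.cidr):
            continue
        if r.from_port == -1 or (r.from_port, r.to_port) == (0, 65535):
            findings.append(Finding(r, "CRITICAL",
                                    "every port open to the internet; delete this rule"))
            continue
        exposed = [p for p in SENSITIVE_PORTS if r.from_port <= p <= r.to_port]
        for p in exposed:
            findings.append(Finding(r, "HIGH",
                                    f"{SENSITIVE_PORTS[p]} ({p}) reachable from anywhere; "
                                    "restrict the source to a trusted CIDR"))
        non_web = any(p not in PUBLIC_WEB_PORTS
                      for p in range(r.from_port, r.to_port + 1))
        if not exposed and non_web:
            findings.append(Finding(r, "MEDIUM",
                                    f"ports {r.from_port}-{r.to_port} open to anywhere; "
                                    "confirm they must be public"))
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def restrict(rule, trusted_cidr):
    """Copy of rule with the source narrowed to trusted_cidr (e.g. your own IP as a /32)."""
    ip_network(trusted_cidr)  # raises ValueError on a malformed CIDR
    return Rule(rule.protocol, rule.from_port, rule.to_port, trusted_cidr)


# Constructed from the inbound rules listed in the question above.
QUESTION_RULES = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 8080, 8080, "0.0.0.0/0"),
    Rule("tcp", -1, -1, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("tcp", 27017, 27017, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for f in audit(QUESTION_RULES):
        print(f"{f.severity:8} {f.rule.protocol} {f.rule.from_port}-{f.rule.to_port} "
              f"from {f.rule.cidr}: {f.message}")
    fixed = restrict(QUESTION_RULES[3], "203.0.113.7/32")  # SSH from one address only
    print("after restriction:", audit([fixed]))  # no findings
```

Run against the question's list this reports one critical (the all-ports rule), two high (22 and 27017) and one medium (8080) finding, and nothing for 80 and 443, which matches the prioritisation in the answers: remove the all-ports rule first, then pin SSH and the database to known networks.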
(I've searched SO, AWS support and more widely without success.)
I've just successfully deployed a MEANjs application to a Bitnami MEAN instance on EC2, following Ahmed Haque's excellent tutorial on scotch.io. As part of the tutorial/deployment I altered the AWS Security Group to include port 27017 for MongoDB traffic. The CIDR notation for the port 27017 was 0.0.0.0/0 - which AFAIK means 'allow access from any IP address'.
Question: Why does MongoDB port 27017 need to be opened in the AWS EC2 Security Group for a 'production' type environment? Surely this is directly exposing the DB to the Internet. The only thing that should be talking to Mongo is the "/server/api" code, which is running on the same instance - and so shouldn't need the port opening.
If I change the Security Group rule for port 27017 by closing off 27017, changing the source to: localhost, the internal IP address, the public IP address, or hack a CIDR to be equivalent to any of those - then the web app hangs (static content returns but no responses to db backed api calls). Changing the SG rule back to 0.0.0.0/0 almost immediately 'fixes' the hang.
All is otherwise sweet with my install. I've closed port 3000 (the node app) in the Security Group and am using Apache to proxy port 80 traffic to port 3000. Set up like this, port 3000 does not need to be open in the Security Group; to me this implies that on-instance traffic doesn't need ports to be externally exposed - so how come that's not true of the Mongo port?
I can't see anything in the '/client' code which is talking direct to Mongo.
What am I missing?
Thanks in advance - John
OK, after further investigation and overnight/red wine reflection I think I have an answer for those learners like me following the above tutorial (or similar). Following the Agile principle that 'done' means 'working code in a production environment' I was trying to understand the last 5 meters as a developer trying to get code working in a representative production environment (which wouldn't have unnecessary ports open) - this answer is written from that perspective. (Builds welcome from wiser readers.)
What's Happening
The step in the tutorial which (a) changed the Mongo bind IP address from 127.0.0.1 to 0.0.0.0, and (b) specifies a connection URL which uses the external IP address of the same instance, appears to have two effects:
It makes the MongoDB on the instance you're configuring potentially available to other instances (0.0.0.0 tells Mongo to "listen on all available network interfaces".)
It means that the IP traffic from your MEAN app /server component on the same instance will talk to Mongo as though it was coming from off-instance (even though it's on the same instance). Hence the Security Group needs to make port 27017 open to allow this traffic to flow. (This is the nub of the issue in terms of MEANjs stack component interaction.)
Fix
On a single instance MEANjs server, if you change the Mongo bind IP address back to 127.0.0.1 and the Mongo connection url to be 127.0.0.1:27017 then you can close off port 27017 in the EC2 Security Group and the app still works.
To share one MongoDB across more than one MEANjs app server (without wanting to stray into serverfault territory):
Change the Mongo bind IP address to 0.0.0.0,
Use the private IP address of the Mongo server in other app/instance connection strings
Add an EC2 Security Group CIDR rule of private IP address/24, or private IP address/16, to allow access across instances in the specified internal IP address range.
The above is developer 'hack', not a recommendation for good practice.
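The two settings the answer above identifies, the mongod bindIp and the host in the app's connection URL, decide whether database traffic ever leaves the instance and therefore whether port 27017 has to be open in the security group. The following script is an added example, not part of the answer or of the MEANjs tutorial: it pulls net.bindIp out of a mongod.conf snippet with a minimal line scanner (so it runs without a YAML library), classifies the path a connection URL takes, and says whether a security-group rule is needed. The sample config, URLs and addresses are constructed; 203.0.113.10 and 10.0.1.5 stand in for an instance's public and private IP. Treating a connection to the instance's own private IP as staying on-host is this example's assumption, not something the answer states.

```python
from ipaddress import ip_address
from urllib.parse import urlparse


def parse_bind_ip(mongod_conf):
    """Return the list of addresses under net.bindIp in a YAML mongod.conf.

    Minimal scanner for the two-level 'net:' / '  bindIp:' layout; comments are
    stripped. Falls back to mongod's default of 127.0.0.1 when the key is absent.
    """
    in_net = False
    for raw in mongod_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            in_net = key == "net"
        elif in_net and key == "bindIp":
            return [v.strip() for v in value.split(",") if v.strip()]
    return ["127.0.0.1"]


def classify_path(conn_url, bind_ips, private_ip, public_ip):
    """Describe how a mongodb:// URL reaches mongod and what that implies for the SG.

    bind_ips is the listener's net.bindIp; private_ip/public_ip belong to the
    instance the app runs on.
    """
    host = urlparse(conn_url).hostname
    target = ip_address(host)
    if target.is_loopback:
        path, needs_sg = "loopback", False       # never leaves the host (the fix above)
    elif target == ip_address(private_ip):
        path, needs_sg = "own-private", False    # assumption: locally-owned address stays on-host
    elif target == ip_address(public_ip):
        path, needs_sg = "own-public", True      # hairpins through the VPC, so the SG applies
    else:
        path, needs_sg = "remote", True          # another instance: SG rule with its CIDR
    # A listener on 0.0.0.0 answers on every address; otherwise the target must be listed.
    accepts = "0.0.0.0" in bind_ips or host in bind_ips
    if path == "loopback" and accepts:
        advice = "close 27017 in the security group; nothing external is needed"
    elif not accepts:
        advice = f"mongod is not listening on {host}; set net.bindIp accordingly"
    elif path == "own-public":
        advice = "point the app at 127.0.0.1 instead and close 27017"
    else:
        advice = "allow 27017 from the app server's private CIDR only"
    return {"path": path, "listener_accepts": accepts,
            "needs_sg_rule": needs_sg, "advice": advice}


# Constructed sample: the tutorial's state (bindIp 0.0.0.0, URL uses the public IP).
TUTORIAL_CONF = """\
# mongod.conf (constructed sample)
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    bind = parse_bind_ip(TUTORIAL_CONF)
    for url in ("mongodb://203.0.113.10:27017/mean", "mongodb://127.0.0.1:27017/mean"):
        print(url, "->", classify_path(url, bind, "10.0.1.5", "203.0.113.10"))
    # After the fix: bindIp back to 127.0.0.1, URL on loopback, SG port closed.
    print(classify_path("mongodb://127.0.0.1:27017/mean", ["127.0.0.1"],
                        "10.0.1.5", "203.0.113.10"))
```

The combination the tutorial leaves you with (bindIp 0.0.0.0 plus the public IP in the URL) comes out as "own-public, needs a security-group rule", which is why closing 27017 hangs the API calls; the loopback combination needs nothing open, and the multi-instance case is the only one where a CIDR rule is the right answer.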
I am trying to make my XAMPP server public on the internet. But when I try to access it using my IP address it says "connection refused". I have followed lots of tutorials but most of them are for older versions. I have set the 80 and 443 ports on and have added them as a firewall exception but it is still not working. Can you please give me some suggestions?
The idea is the same no matter the version of XAMPP you are using.
It's not clear if you configured port forwarding on your router (all connections on ports 80 or 443 will be forwarded to the XAMPP "server"). You should do this, otherwise the incoming connection will never be redirected properly.
I am not sure if ISPs can block external access to ports 80 or 443, but you can also configure an alternative port, like 8000, to be forwarded to 80 internally, then you access your server using http://[your_public_IP]:8000
There are some sites you can use to check your public IP, like: http://whatismyipaddress.com/.
Is it possible to use port 80 for non-HTTP traffic? For example, I'm making a small script that will communicate with a friend's computer through the internet; however, they must port forward it to get past the router. Is there a problem with using port 80 in the script so it will be let through automatically? Is there some part of this I don't understand that will not let non-HTTP data through? Please explain :)
There is no problem doing that. In fact, Skype's default behaviour is to use port 80 and port 443 to transport voice!
There are a lot of ISPs that actually block port 80, so you might want to try a different port if you are having a problem (still needs to be forwarded)
The firewall on the computer also needs to be set to allow the incoming traffic.
This will work fine, but your friend may still need to set up port forwarding.
If your friend's PC is the one listening on port 80, he will need to set up port forwarding. Otherwise, how would the router/NAT know which computer in the house to bridge the connection to?
But if your friend's PC is the one making the outbound connection, then likely no port forwarding is needed at all on his end.
In other words, port forwarding (for TCP) is only for inbound connections. The router/NAT will automatically setup a port mapping scheme for outbound connections (as it does it with all web traffic).
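The rule in the last answer (outbound connections get a translation entry automatically, unsolicited inbound packets need a port-forward rule) is easy to see in a small model. The script below is an added example, not from any answer on this page: a toy NAT that tracks outbound connections by (internal endpoint, remote endpoint) and only lets an inbound packet through when it is either the reply to a tracked connection or matches a forward rule. It is protocol-agnostic, which is the other point of the thread: port 80 is just a number to the router, nothing in this logic looks at the payload. All addresses are constructed documentation addresses; 192.168.1.13 is reused from the earlier question as the friend's LAN host.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Nat:
    """Toy NAT/router (constructed for this example, not a real implementation).

    forwards: external port -> (internal ip, port), i.e. the router's port-forward rules.
    table:    external port -> ((internal ip, port), (remote ip, port)), created on
              outbound connections and consulted for replies.
    """
    public_ip: str
    forwards: dict = field(default_factory=dict)
    table: dict = field(default_factory=dict)
    ports: count = field(default_factory=lambda: count(40000))  # external ports to hand out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An internal host opens a connection; allocate a mapping and return the
        packet as the internet sees it: (public ip, external port, dst ip, dst port)."""
        ext_port = next(self.ports)
        self.table[ext_port] = ((src_ip, src_port), (dst_ip, dst_port))
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives from the internet at public_ip:dst_port.

        Returns (verdict, internal ip, internal port): 'reply' for traffic matching a
        tracked outbound connection, 'forwarded' for a port-forward rule, else 'dropped'.
        """
        entry = self.table.get(dst_port)
        if entry and entry[1] == (src_ip, src_port):   # same remote endpoint as the original
            return ("reply", *entry[0])
        if dst_port in self.forwards:
            return ("forwarded", *self.forwards[dst_port])
        return ("dropped", None, None)


def scenario():
    """Walk through the thread's cases on the friend's router and return the verdicts."""
    friend = Nat("198.51.100.5")  # friend's router; no forwarding rule yet
    me = ("203.0.113.7", 51000)   # my machine's public endpoint, as the friend's router sees it
    out = {}
    # 1. I connect to port 80 on my friend's public IP: nothing tells the router which LAN host.
    out["unsolicited_no_forward"] = friend.inbound(*me, 80)[0]
    # 2. Friend adds a rule: external 80 -> 192.168.1.13:80. Now the same packet is delivered.
    friend.forwards[80] = ("192.168.1.13", 80)
    out["unsolicited_with_forward"] = friend.inbound(*me, 80)[0]
    # 3. Friend's script connects out to me instead; the reply matches the auto mapping.
    _, ext_port, _, _ = friend.outbound("192.168.1.13", 45678, "203.0.113.7", 80)
    out["reply_to_outbound"] = friend.inbound("203.0.113.7", 80, ext_port)[0]
    # 4. Someone else sending to that mapped port is not a reply, so it is dropped.
    out["stranger_on_mapped_port"] = friend.inbound("192.0.2.99", 80, ext_port)[0]
    return out


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:28} {verdict}")
```

Case 3 is why the side that initiates the connection needs no forwarding at all, and case 4 is what a connection-tracking router does with traffic that arrives on a mapped port but from a different host; the cases that require a rule are only the ones where the friend's machine is the listener.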