Locked myself out of SSH with UFW in EC2 AWS
I have an EC2 instance with Ubuntu. I used
sudo ufw enable
and after that only allowed the MongoDB port:
sudo ufw allow 27017
When the SSH connection broke, I can't reconnect.
# Update
The easiest way is to update the instance's user data.
Stop your instance.
Right click (Windows) or Ctrl + click (Mac) on the instance to open the context menu, then go to Instance Settings -> Edit User Data, or select the instance and go to Actions -> Instance Settings -> Edit User Data.
If you're still on the old AWS console, select the instance and go to Actions -> Instance Settings -> View/Change User Data.
And paste this:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
ufw disable
iptables -L
iptables -F
--//
# Old Answer
Detach and fix the volume of the problem instance using another instance.
Launch a new instance (recovery instance).
Stop the original instance (DO NOT TERMINATE).
Detach the volume (problem volume) from the original instance.
Attach it to the recovery instance as /dev/sdf.
Log in to the recovery instance via ssh/putty.
Run sudo lsblk to display attached volumes and confirm the name of the problem volume. It usually begins with /dev/xvdf. Mine is /dev/xvdf1.
Mount the problem volume:
$ sudo mount /dev/xvdf1 /mnt
$ cd /mnt/etc/ufw
Open the ufw configuration file:
$ sudo vim ufw.conf
Press i to edit the file.
Change ENABLED=yes to ENABLED=no.
Type Ctrl-C and type :wq to save the file.
Display the content of the ufw conf file using the command below and ensure that ENABLED=yes has been changed to ENABLED=no:
$ sudo cat ufw.conf
Unmount the volume:
$ cd ~
$ sudo umount /mnt
Detach the problem volume from the recovery instance and re-attach it to the original instance as /dev/sda1.
Start the original instance and you should be able to log back in.
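The ufw.conf edit from the Old Answer as a script, added here as an example (it is not code from any of the answers on this page); it assumes the problem volume is already mounted at the path passed as its argument (e.g. /mnt) and edits etc/ufw/ufw.conf under that mount point, keeping a backup and verifying the change.

```shell
#!/bin/sh
# Added example, not from the answers above: flip ENABLED=yes to ENABLED=no in
# the ufw.conf of an offline-mounted root volume, the edit the Old Answer makes
# by hand in vim. Argument: the mount point of the problem volume (e.g. /mnt).
set -eu

# Return 0 when ufw is marked disabled in the conf under the given mount point.
ufw_disabled_in() {
    grep -q '^ENABLED=no$' "$1/etc/ufw/ufw.conf"
}

# Rewrite the conf in place (keeping a .bak copy) and verify the result.
fix_ufw_conf() {
    root="$1"
    conf="$root/etc/ufw/ufw.conf"
    if [ ! -f "$conf" ]; then
        echo "no $conf found: is the volume mounted at $root?" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak"
    # Writing through '>' into the existing file keeps its owner and mode.
    sed 's/^ENABLED=yes$/ENABLED=no/' "$conf.bak" > "$conf"
    if ufw_disabled_in "$root"; then
        echo "ufw disabled in $conf (backup in $conf.bak)"
    else
        echo "ENABLED=no not found after edit; check $conf by hand" >&2
        return 1
    fi
}

# Offline demo on a constructed ufw.conf in a temp dir (no real volume needed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ufw"
    printf '# /etc/ufw/ufw.conf (constructed sample)\nENABLED=yes\nLOGLEVEL=low\n' \
        > "$tmp/etc/ufw/ufw.conf"
    fix_ufw_conf "$tmp"
    cat "$tmp/etc/ufw/ufw.conf"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then fix_ufw_conf "$1"; else demo; fi
```

Run it as root on the recovery instance between the mount and umount steps; once you are back in, re-enable ufw only after the SSH port has been allowed, so the lockout does not recur.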
I have the same problem and found out that these steps work:
1- Stop your instance
2- Go to Instance Settings -> View/Change User Data
UPDATE: PATH ON NEW AWS CONSOLE UI
Right click on your Stopped instance -> Instance Settings -> Edit User Data
3- Paste this on the option Modify user data as text and Save
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
ufw disable
iptables -L
iptables -F
--//
4- Start your instance
Hope it works for you!
Note: Newer Linux kernels may rename your devices to /dev/xvdf through /dev/xvdp internally, even when the device name entered is /dev/sdf through /dev/sdp.
cd ~
mkdir lnx1
sudo mount /dev/xvdf ./lnx1
cd lnx1/etc/ufw   # ufw.conf lives under etc/ufw on the mounted volume
sudo vim ufw.conf
Now find ENABLED=yes and change it to ENABLED=no.
Be sure to unmount the volume first:
cd ~   # leave the mount point first, otherwise umount reports it busy
sudo umount ./lnx1/
Hola!! You are good to go.
Other approaches didn't work for me. My EC2 instance is based on a Bitnami image. Attaching the volume to another instance didn't work because of marketplace locks.
So instead, stop the problem instance and paste this script in Instance Settings > View/Change User Data.
This approach does not require detaching the volume, so it's more straightforward compared to the other ones.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
ufw disable
iptables -L
iptables -F
--//
You must stop the instance before pasting this; after that, start your instance and you should be able to ssh.
I know this is an old question but I fixed mine by adding a command in View/Change User Data using bootcmd.
I first stopped my instance.
Then I added this in User Data:
#cloud-config
bootcmd:
- cloud-init-per always fix_broken_ufw_1 sh -xc "/usr/sbin/service ufw stop >> /var/tmp/svc_$INSTANCE_ID 2>&1 || true"
- cloud-init-per always fix_broken_ufw_2 sh -xc "/usr/sbin/ufw disable >> /var/tmp/ufw_$INSTANCE_ID 2>&1 || true"
#Note: My instance is Ubuntu
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
set -x
USERNAME="ubuntu"
ls -Al
ls -Al /home
ls -Al /home/${USERNAME}
ls -Al /home/${USERNAME}/.ssh
sudo cat /home/${USERNAME}/.ssh/authorized_keys
ls -Al /etc/ssh
ls -ld /etc/ssh
sudo grep -vE '^$|^#' /etc/hosts.*
sudo sed -i -e 's/^\([^#].*\)/# \1/g' /etc/hosts.deny
sudo sed -i -e 's/^\([^#].*\)/# \1/g' /etc/hosts.allow
sudo grep -vE '^$|^#' /etc/hosts.*
sed '/^$\|^#/d' /etc/ssh/sshd_config
chown -v root:root /home
chmod -v 755 /home
chown -v ${USERNAME}:${USERNAME} /home/${USERNAME} -R
chmod -v 700 /home/${USERNAME}
chmod -v 700 /home/${USERNAME}/.ssh
chmod -v 600 /home/${USERNAME}/.ssh/authorized_keys
sudo tail /var/log/auth.log
sudo ufw status numbered
sudo ufw disable
sudo iptables -F
sudo service iptables stop
sudo service sshd restart
sudo service sshd status -l
--//
After struggling for 2 days I found a few easy alternatives; here are those:
Use either of these approaches to get into the machine, and later you can change the ufw or ssh keys, etc.