18

I have activated the UFW firewall on an EC2 Ubuntu Server 12.04 instance, but I forgot to allow access to port 22. Now I can't connect to the instance via SSH. This instance is EBS backed.

How can I recover SSH access to an Amazon EC2 instance after UFW firewall activation by accident?

starball
mnesarco
    I'm having the same problem with ec2 instance Ubuntu 22.04 and just got resolved by 2nd answer, THX A LOT FOR ASKING THIS HERE. This post literally made my upcoming year, Merry Christmas, Happy New Year, GOD BLESS YOU ALL. – Vipertecpro Dec 26 '22 at 13:58

3 Answers

27

Well, thanks to EBS there is a solution.

  1. Stop your instance.
  2. Attach your EBS volume to another instance. If you don't have one, create a micro instance.
  3. Mount your EBS volume somewhere, e.g. /opt/recover.
  4. Edit {your-ebs-mount}/etc/ufw/ufw.conf and change enabled=yes to enabled=no.
  5. Unmount the EBS volume.
  6. Detach it from the temp instance.
  7. Reattach it to the original instance (make sure to attach it as root).
  8. Restart the instance.

Now your firewall is disabled in your instance, so you can access it via SSH.

Muhammad Shoaib
mnesarco
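An added, runnable version of the offline edit in the steps above (example code, not from this answer): it flips ufw's boot flag in the ufw.conf of a root volume mounted on the rescue instance, keeps a backup, and verifies the result. The mount point /opt/recover and the device name are assumptions; ufw's actual key in that file is ENABLED=yes (upper case), which the script matches either way.

```shell
#!/bin/sh
# Added example (not from the answer above): flip ufw's boot-time
# ENABLED flag in a root volume that is mounted OFFLINE on a rescue
# instance. Mount point and device name below are assumptions.
set -eu

# disable_ufw_offline MOUNTPOINT
# Returns 0 when MOUNTPOINT/etc/ufw/ufw.conf now reads ENABLED=no,
# 1 if the file is missing (volume not mounted, or ufw not installed).
disable_ufw_offline() {
    conf="$1/etc/ufw/ufw.conf"
    if [ ! -f "$conf" ]; then
        echo "no ufw.conf under $1 (is the volume mounted?)" >&2
        return 1
    fi
    # Keep a copy so the original state can be restored after recovery.
    cp -p "$conf" "$conf.bak"
    # Match the key case-insensitively; write the canonical upper-case key.
    sed -i -e 's/^[Ee][Nn][Aa][Bb][Ll][Ee][Dd]=[Yy][Ee][Ss]$/ENABLED=no/' "$conf"
    grep -qx 'ENABLED=no' "$conf"
}

# ufw_enabled_state MOUNTPOINT: prints the value of ENABLED in the offline config.
ufw_enabled_state() {
    sed -n 's/^ENABLED=//p' "$1/etc/ufw/ufw.conf"
}

# Usage on the rescue instance (device name is an assumption):
#   sudo mount /dev/xvdf1 /opt/recover
#   sudo sh fix-ufw.sh /opt/recover
#   sudo umount /opt/recover
if [ "$#" -eq 1 ]; then
    disable_ufw_offline "$1"
    echo "ufw ENABLED is now: $(ufw_enabled_state "$1")"
fi
```

Once you are back in over SSH, re-enable the firewall with the SSH rule in place (`ufw allow OpenSSH` before `ufw enable`) rather than leaving the instance unfiltered.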
18

Step 1: Open View/Change User Data in the instance settings.
Step 2: Add the script (mentioned below) and save it.

#cloud-config
bootcmd:
- cloud-init-per always fix_broken_ufw_1 sh -xc "/usr/sbin/service ufw stop >> /var/tmp/svc_$INSTANCE_ID 2>&1 || true"
- cloud-init-per always fix_broken_ufw_2 sh -xc "/usr/sbin/ufw disable >> /var/tmp/ufw_$INSTANCE_ID 2>&1 || true"

Step 3: Restart the instance (the machine IP will change). The script will be executed on boot and ufw will be disabled.

Now we can connect to the instance through SSH.

Reference (step by step with screenshots): https://github.com/ibrahim45/configuration/blob/master/boot_script_instance.md

Ibrahim Kasim
4

Another way, super easy: the easiest way is to update the instance's user data.

Stop your instance

Right-click (Windows) or Ctrl+click (Mac) on the instance to open the context menu, then go to Instance Settings -> Edit User Data, or select the instance and go to Actions -> Instance Settings -> Edit User Data.

If you're still on the old AWS console, select the instance, go to Actions -> Instance Settings -> View/Change User Data

And paste this

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
ufw disable
iptables -L
iptables -F
--//

Once added, restart the instance and SSH should work. The user data disables ufw if enabled and also flushes any iptables rules blocking SSH access.