10

Created an AWS AMI instance.
I can telnet from the instance itself
telnet [IPv4 Public IP] 9200

But not from my pc.

This is my security group: [screenshot]

What am I doing wrong?

Bick

9 Answers

2

You can check your Network ACL configurations. It looks like there is some other firewall in between your PC and server which is blocking you on 9200.

Shubham Bansal
2

If you can access port 80 via telnet or you're able to SSH in, it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser, it's likely a local config - maybe AV or a firewall.

EC2 instances use security groups for their firewall

Another test to narrow down the issue would be to see if you could telnet from another instance in the same subnet in the same AZ. Being in the same subnet, you should not be affected by a network ACL.

denov
1

You can have a look at this: telnet to a cloud instance from outside

The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"

As well make sure that the instance is residing in a public VPC

Arafat Nalkhande
1

Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.

Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:

# List iptables access rules (with packet/byte counters)
sudo iptables -L -v

# List access rules via ufw
sudo ufw status

Leo C
0

You said: "This is my SG", but...which way? Inbound or outbound? It can simply be that your host can't reply to your PC. Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.

Otherwise, like the others said, look at one level up, VPC-level (network ACL).

Fabien Haddadi
0

You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.

Run lsof -i:9000 if on unix.

If you see something like this under NAME, then the host IP used to start your acceptor will need to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).

COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    2777 ubuntu  148u  IPv6  26856      0t0  TCP localhost:afs3-callback (LISTEN)

JARC
  • The question says `9000` not `1234` and the screenshot shows that it is on `0.0.0.0/0` – Quentin Dec 17 '19 at 11:14
  • @Quentin This is unrelated to the SG, you can have your SG open, but if the server:port you have opened within the instance is not on 0.0.0.0 then it will default to loopback access only. – JARC Dec 17 '19 at 13:43
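The bind-address check JARC describes (and the host-firewall check in Leo C's answer both come before touching the SG) can be scripted. This is an added example, not code from any answer: it classifies a port's listener from `ss -ltnH` output; `SAMPLE_SS` is constructed output so the script runs offline, and `listen_scope`/`explain` are names chosen here.

```shell
#!/bin/sh
# Added example: tell whether a TCP port listens on loopback only, on all
# interfaces, or on one specific address. Columns of `ss -ltnH` are
# state, recv-q, send-q, local addr:port, peer addr:port.
set -f   # no globbing, so the '*' in ss output stays literal when split

# Constructed sample output; on the instance use: SAMPLE_SS=$(ss -ltnH)
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:9300 [::]:*
LISTEN 0 128 10.0.1.15:9400 0.0.0.0:*'

# listen_scope PORT SS_OUTPUT -> none | loopback | all | specific:<addr>
# If a port has both a loopback and a wildcard socket, "all" wins.
listen_scope() {
  port=$1
  out=$2
  result=none
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line                      # word-split; $4 is local addr:port
    local_addr=$4
    [ "${local_addr##*:}" = "$port" ] || continue
    addr=${local_addr%:*}
    case "$addr" in
      127.*|'[::1]')      scope=loopback ;;
      0.0.0.0|'*'|'[::]') scope=all ;;
      *)                  scope="specific:$addr" ;;
    esac
    if [ "$scope" = all ] || [ "$result" = none ]; then
      result=$scope
    fi
  done <<EOF
$out
EOF
  printf '%s\n' "$result"
}

# Map the finding onto the next troubleshooting step from the thread.
explain() {
  case "$(listen_scope "$1" "$2")" in
    none)     echo "port $1: nothing listening; SG and ACL are not the problem yet" ;;
    loopback) echo "port $1: loopback only; an open SG cannot help, rebind to 0.0.0.0" ;;
    all)      echo "port $1: all interfaces; check SG, network ACL, host firewall" ;;
    *)        echo "port $1: one address only; remote clients must target that address" ;;
  esac
}

explain 9200 "$SAMPLE_SS"
explain 22 "$SAMPLE_SS"
```

For the lsof output JARC shows (`localhost:afs3-callback`), the script would report `loopback`, which is exactly the case where the security group is irrelevant.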
-1

A Telnet service is not installed by default on an Amazon Linux AMI.

If you wish to use it, you will need to install it yourself, e.g.: Install and Setup Telnet on EC2 Amazon Linux or CentOS.

However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on Wikipedia

John Rotenstein
  • You can use telnet to check that a port responds, though. `telnet google.com 80`, for example – ceejayoz Apr 29 '17 at 22:27
  • Correct. I have a service that runs and listens on port 9200. I can telnet it from inside the machine. But not from outside. – Bick Apr 30 '17 at 10:09
-1

Just a thought, check firewall of your PC.

Zeni
-2

Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:

ssh-add -K <yourkeyname>.pem

ssh ubuntu@<yourdns or ip>
# or
ssh ec2-user@<yourdns or ip>

Andrew
  • The question says **telnet**, not SSH. – Quentin Dec 17 '19 at 11:14
  • Right, and I was assuming the user wasn't foolish enough to open the ACL for unencrypted connection simply so they could access via telnet. It's not wrong as you would be executing a SSH via a telnet session. The question didn't exclude this option, nor did it specifically say "I want to connect via an insecure connection to my instance". There's a lot of assumptions being made here. – Andrew Dec 18 '19 at 13:57