3

I get a connection refused message when attempting to ssh to my ec2 server while tethering from my android phone.

```
ssh <server-ip>
```

I have added my IP address to the EC2 security group associated with the server.

I can ssh in fine when connected to WIFI, just not when I am tethering.

Any help to troubleshoot this would be appreciated.

```
akhosraviansMBP:~ akhosravian$ ssh -vvv <ip-address>
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/akhosravian/.ssh/config
debug2: ssh_connect: needpriv 0
debug1: Connecting to <ip-address> [<ip-address>] port 22.
debug1: connect to address <ip-address> port 22: Connection refused
ssh: connect to host <ip-address> port 22: Connection refused
```

If I allow connections from SSH 0.0.0.0/0 I am able to connect. Maybe the IP address I am getting from whatsmyip.com is incorrect? Where can I find my external IP address when tethering from my phone?

Afsheen Khosravian
  • Maybe your carrier is not allowing it. Can you post the output with the `-vvv` option? – helloV Oct 09 '17 at 23:02
  • I think the public IP address when you are tethering is wrong. Because when you use tethering, maybe your carrier uses other IPs to face your AWS network => the Security Group does not allow it. Workaround: open all IPs 0.0.0.0/0 in the Security Group, then try to connect. If it's OK, you will know the problem. – Bui Anh Tuan Oct 09 '17 at 23:50
  • Only Android *development* questions are on topic on SO; Android usage questions belong on Android SE, and network questions have their own sites. – Chris Stratton Oct 10 '17 at 03:30
  • `If I allow connections from SSH 0.0.0.0/0 I am able to connect.` Well, it seems my prediction is right. You can contact or search the IP range/IP list of your carrier provider, then allow the whole list. – Bui Anh Tuan Oct 10 '17 at 05:41
  • I'm having this problem too!! Any answers? Haven't found anything to work. Not even changing to allow from all IP addresses for SSH – rikkitikkitumbo Aug 19 '19 at 13:23

2 Answers

1

You will need to go into the port settings for the Security Group your instance is a part of. You will then need to set port 22 to 'allow from anywhere'.

Due to your IP changing regularly when tethering (as you change mobile towers, location, etc.) it will change often.

As you can see in the photo below, you would click where it says custom, type in ssh - which will set it to the default port, being 22, and then set the Source on the far right to 0.0.0.0/0


stktrc
  • Security groups can't cause `Connection refused`. Traffic is discarded, resulting in `Connection timed out` when not allowed by a security group. The problem is somewhere else. – Michael - sqlbot Oct 10 '17 at 03:13
  • My IP has not changed and I still can not ssh. Also, I do not want to allow traffic from anywhere. – Afsheen Khosravian Oct 10 '17 at 03:37
  • @Michael-sqlbot - Can you explain why the connection goes through if the source IP is set to 0.0.0.0/0, but not if it's not open? Surely that implies it's a security group/firewall issue - (PS you are one of my SO Idols) – stktrc Oct 10 '17 at 07:01
  • @crashlog, thanks :) you're right -- it's unexpected. It's particularly unexpected that the error is `Connection refused`... although an intermediate device could be doing some kind of oddball layer 4-ish proxying that refuses incoming when outgoing times out, and tethering (anecdotally speaking) increases the odds of strange things being in the mix. – Michael - sqlbot Oct 10 '17 at 09:22
  • ...Or there could be a web proxy. @AfsheenKhosravian temporarily allow access from `0.0.0.0/0` and, once connected, use the command `$ who am i` to try to find what the instance sees as your IP. – Michael - sqlbot Oct 10 '17 at 09:48
  • @Michael-sqlbot When I ssh to the server, when I allow all ssh connections, on the remote server, the `who am i` command shows 107.77.240.95. When I go to whatsmyip.com locally I see 107.77.241.9. – Afsheen Khosravian Oct 10 '17 at 15:07
0

In my case I had to add to the Security Group both the computer's and the phone's IP addresses.

The phone kept changing quite often as well, so I ended up settling on a very open xxx.yyy.0.0/16 for both, which is not super good but better than "Allow From Anywhere".

Lucat
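Added example (not part of the original posts): the two addresses reported in the comments above, the one `who am i` showed on the instance and the one whatsmyip.com showed locally, fed to a small Python helper that finds the narrowest single CIDR covering them, as a tighter security-group source than a /16 or 0.0.0.0/0. The names `covering_network` and `min_prefix` are assumptions of this example.

```python
import ipaddress


def covering_network(addresses, min_prefix=16):
    """Return the smallest single IPv4 network containing every address.

    Raises ValueError if covering them would need a prefix shorter than
    min_prefix, so one stray sample cannot silently widen the rule.
    """
    ips = [ipaddress.IPv4Address(a) for a in addresses]
    if not ips:
        raise ValueError("no addresses given")
    lo, hi = int(min(ips)), int(max(ips))
    # Every address between lo and hi shares the leading bits that lo and hi
    # have in common; the bits where they differ must become host bits.
    host_bits = (lo ^ hi).bit_length()
    prefix = 32 - host_bits
    if prefix < min_prefix:
        raise ValueError(f"/{prefix} is wider than the /{min_prefix} limit")
    # strict=False masks off the host bits of lo to get the network address.
    return ipaddress.IPv4Network((lo, prefix), strict=False)


def exposure_ratio(wide, narrow):
    """How many times more source addresses `wide` admits than `narrow`."""
    return wide.num_addresses // narrow.num_addresses


if __name__ == "__main__":
    # Addresses quoted in the thread: seen by the instance vs. seen locally.
    observed = ["107.77.240.95", "107.77.241.9"]
    net = covering_network(observed)
    slash16 = ipaddress.IPv4Network("107.77.0.0/16")
    print(f"security group source: {net} ({net.num_addresses} addresses)")
    print(f"a /16 would admit {exposure_ratio(slash16, net)}x as many")
```

Two samples do not establish the bounds of the carrier's address pool, so treat the result as a starting point and widen it only when a new source address is actually observed.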