SSH and HTTP connect timeout

March 25, 2016 2.5k views
Configuration Management System Tools Monitoring

I am trying to connect over SSH and HTTP (on Apache Tomcat port 8080) and I'm getting a timeout error.
In console view it works fine.
I already connected over SSH and HTTP Apache Tomcat 8080 days ago and it worked fine.

Can someone help me?

1 Answer

Sounds like a firewall / routing issue. Please run iptables --list -n on the server.

  • I'm new to Linux/servers, so I just read about iptables (because you mentioned it). Does this mean something?

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    • That looks fine. What happens when you run tracert <ip droplet> on your client?

      • tracert 104.131.48.225

        Rastreando a rota para 104.131.48.225 com no máximo 30 saltos

        1 1 ms <1 ms <1 ms 192.168.0.1
        2 60 ms 7 ms 7 ms 10.14.0.1
        3 10 ms 11 ms 9 ms bb16006e.virtua.com.br [187.22.0.110]
        4 9 ms 8 ms 10 ms bb160064.virtua.com.br [187.22.0.100]
        5 10 ms 10 ms 9 ms embratel-G1-2-ngacc02.sts.embratel.net.br [200.228.244.25]
        6 15 ms 9 ms 9 ms ebt-G5-0-0-dist04.sts.embratel.net.br [200.230.219.43]
        7 20 ms 19 ms 19 ms ebt-T0-6-0-8-tcore01.rjo.embratel.net.br [200.230.0.50]
        8 124 ms 124 ms 121 ms ebt-B12121-intl02.nyk.embratel.net.br [200.230.252.122]
        9 120 ms 121 ms 122 ms ce-0-10-0-2.r08.nycmny01.us.bb.gin.ntt.net [129.250.202.185]
        10 399 ms 412 ms 247 ms xe-0-9-0-17.r08.nycmny01.us.ce.gin.ntt.net [129.250.204.114]
        11 * * * Esgotado o tempo limite do pedido.
        12 * * * Esgotado o tempo limite do pedido.
        13 * * * Esgotado o tempo limite do pedido.
        14 * * * Esgotado o tempo limite do pedido.
        15 * * * Esgotado o tempo limite do pedido.
        16 * * * Esgotado o tempo limite do pedido.
        17 * * * Esgotado o tempo limite do pedido.
        18 * * * Esgotado o tempo limite do pedido.
        19 * * * Esgotado o tempo limite do pedido.
        20 * * * Esgotado o tempo limite do pedido.
        21 * * * Esgotado o tempo limite do pedido.
        22 * * * Esgotado o tempo limite do pedido.
        23 * * * Esgotado o tempo limite do pedido.
        24 * * * Esgotado o tempo limite do pedido.
        25 * * * Esgotado o tempo limite do pedido.
        26 * * * Esgotado o tempo limite do pedido.
        27 * * * Esgotado o tempo limite do pedido.
        28 * * * Esgotado o tempo limite do pedido.
        29 * * * Esgotado o tempo limite do pedido.
        30 * * * Esgotado o tempo limite do pedido.

        Rastreamento concluído.

        • It doesn't seem like I can telnet to 104.131.48.225 on port 22 or port 8080, which seems to suggest that either the IP address is no longer valid or possibly the services are only listening locally. The command below should show how the SSH and Tomcat services are being bound:

          sudo netstat -anp -l | grep -E '(:8080|:22)'
          
          • I opened a ticket and got this answer, but I don't have a DNS or NTP service:

            It appears your network was disabled due to participating in a DoS attack.

            The traffic we noticed was a service appeared to be a reflection flood DoS attack (https://en.wikipedia.org/wiki/Reflection_attack) that was being launched from your Droplet against a remote server, not any form of legitimate traffic.

            Generally speaking this is due to a misconfigured service, generally NTP or DNS.

            If you're running either of those and those services are publicly accessible, you'll want to either configure the services to not respond to the internet at large, or simply firewall off remote access.

            For BIND, you'll want to disable recursive lookups if they are not needed, or implement ACLs or rate limiting to either prevent unauthorized users from utilizing this service or limit the outbound traffic to negate the usefulness of your service in a DoS attack. Take a look at https://www.us-cert.gov/ncas/alerts/TA13-088A for how to implement this restriction on several different DNS implementations.

            For NTP reflection attacks, you'll need to implement firewall rules that prevent access from hosts you do not want to use this NTP service. Take a look at http://www.team-cymru.org/secure-ntp-template.html for instructions on how to do this - you're after the "UNIX NTPD" section.

            Please let us know once you've secured your DNS and NTP services, and we'll be happy to enable networking.
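
The netstat command in the thread only matches ports 22 and 8080, while reflection floods like the one the support reply describes use UDP services. The following is an added example, not part of the original thread: it reads `ss -lun` output and reports UDP listeners bound to a non-loopback address on ports commonly abused for reflection. The port list, the function names and the sample output are assumptions constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list UDP listeners that are bound to a
# non-loopback address on ports commonly abused for reflection floods.
# The port list is an assumption: chargen, DNS, portmap, NTP, SNMP, SSDP, memcached.
REFLECTION_PORTS="19 53 111 123 161 1900 11211"

# Reads `ss -lun` output on stdin, prints "<port> <bind-address>" per finding.
flag_exposed_udp() {
    awk -v ports="$REFLECTION_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
        $1 == "State" || NF < 5 { next }       # header or short line
        {
            if (!match($4, /:[0-9]+$/)) next   # port follows the last colon
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            sub(/%.*$/, "", addr)              # drop "%lo" interface suffix
            gsub(/\[|\]/, "", addr)            # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in risky) print port, addr
        }'
}

# Constructed sample of `ss -lun` output, so the script runs offline.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
UNCONN  0       0       0.0.0.0:123          0.0.0.0:*
UNCONN  0       0       127.0.0.1:53         0.0.0.0:*
UNCONN  0       0       127.0.0.53%lo:53     0.0.0.0:*
UNCONN  0       0       10.0.0.5:68          0.0.0.0:*
UNCONN  0       0       [::]:123             [::]:*
UNCONN  0       0       [::1]:53             [::]:*
EOF
}

# On a real host: ss -lun | flag_exposed_udp
sample_ss_output | flag_exposed_udp
```

Any line it prints is a service to rebind to loopback, restrict with ACLs, or firewall off, as the support reply recommends for NTP and DNS.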
