By: rl614

Unable to ssh into an Ubuntu 14.04 droplet after executing sudo reboot

October 14, 2016 385 views
DigitalOcean Ubuntu

After executing sudo reboot, I am unable to ssh into an Ubuntu 14.04 droplet which has been created from a snapshot of another droplet.

1 comment
  • Output of ssh -vvv username@ipaddress
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug2: resolving "ipaddress" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to ipaddress [ipaddress] port 22.
    debug1: connect to address ipaddress port 22: Connection timed out
    ssh: connect to host ipaddress port 22: Connection timed out

1 Answer

Hi @rl614,

Can you think of what you did to your server before that reboot?
Did you maybe enable a firewall or change some SSH settings?

You can try going to the Console from the DigitalOcean Control Panel. From there, you can see whether your Droplet even booted, and if it did, you should check the SSH configuration and restart SSH by running

  • sudo systemctl restart sshd

While you're there, you can check whether you enabled the ufw firewall by running

  • sudo ufw status

If you want it disabled, it should return something along the lines of ufw is not running or disabled.
If it is enabled, it will return status: active and a list of rules. In that case, make sure the list contains OpenSSH or 22 for the port and that the status is ALLOW.

If your Droplet is not booted, try restarting it again via the Control Panel and post here so we can instruct you further :)

Addition: Make sure you can ping your Droplet from your local PC. If the ping is unsuccessful, Droplet networking could be down; in that case, Support can help you restore networking.

  • Thank you!
    These are the iptables commands I had used before rebooting.
    I had also used iptables-persistent to save the rules so that they are applied on reboot. https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently
    sudo iptables -L
    sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -P INPUT DROP
    sudo iptables -L -n
    sudo iptables -S
    sudo iptables-save

    Ping does not give any response
    ping ipaddress
    PING ipaddress (ipaddress) 56(84) bytes of data.
    And nothing after this, it stays as it is.

    I had not changed any ssh settings.

    • With the rules you posted here, I don't see any problem. To be honest, I tried to execute them in the order you posted and SSH is working. PING is not working, which is OK with these rules, but SSH should be working flawlessly.

      You should verify that every rule is in its place. If one rule is missing, a problem could occur.
      When you run the command below on iptables generated using the above commands:

      • sudo iptables -L --line-numbers

      Result will be:

      sudo iptables -L --line-numbers
      Chain INPUT (policy DROP)
      num  target     prot opt source               destination         
      1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
      2    DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
      3    DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
      4    DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
      5    ACCEPT     all  --  anywhere             anywhere            
      6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
      7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
      8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
      9    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
      10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
      
      Chain FORWARD (policy ACCEPT)
      num  target     prot opt source               destination         
      
      Chain OUTPUT (policy ACCEPT)
      num  target     prot opt source               destination         
      

      Yet the result of:

      • sudo iptables -S

      Result:

      sudo iptables -S
      -P INPUT DROP
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
      -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      

      After sudo reboot, when you execute ssh -vvv user@ip, it will connect you.
      Yet ping ip will hang on this:

      ping ip
      PING 107.170.45.240 (107.170.45.240) 56(84) bytes of data.
      

      Just make sure you have the right number of rules and everything will be great.
      To access the server, use the Console: log in to the Control Panel and select your Droplet. In the right corner you will have a Console button. Click it and a new window will open. If you see a blank screen, press any key to activate the console.
      Log in with your username/password and you can debug your Droplet.
      Good luck, I hope you will fix it fast :)
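
The rule-order check recommended in the last reply can be automated. The following is an added example, not code from the thread: a hypothetical `ssh_verdict` helper that walks `iptables -S` output in chain order for a new TCP SYN to port 22 arriving on an assumed non-loopback interface `eth0`, and reports which INPUT rule (or the chain policy) decides it. It understands only the match options that appear in the thread's ruleset and reports any other option as UNKNOWN.

```python
EXPAND = {"ALL": "FIN,SYN,RST,PSH,ACK,URG", "NONE": ""}

def flags(spec):  # "SYN,ACK" -> {"SYN", "ACK"}; ALL and NONE are expanded first
    return set(filter(None, EXPAND.get(spec, spec).split(",")))

def ssh_verdict(rules_text, port=22, iface="eth0"):
    """(target, rule number) hit by a new TCP SYN to port on iface; 0 = chain policy."""
    tests = {  # option: (argument count, does the probe packet satisfy it?)
        "-m": (1, lambda a: True),  # module name only, its options follow
        "-p": (1, lambda a: a[0] in ("tcp", "all")),
        "-i": (1, lambda a: a[0] == iface),
        "--dport": (1, lambda a: a[0] == str(port)),
        "--state": (1, lambda a: "NEW" in a[0].split(",")),
        "--ctstate": (1, lambda a: "NEW" in a[0].split(",")),
        "--tcp-flags": (2, lambda a: ({"SYN"} & flags(a[0])) == flags(a[1])),
    }
    lines = [ln.strip() for ln in rules_text.splitlines()]
    # The trailing sentinel lets a rule without a target parse like the others.
    rules = [ln.split() + ["-j", ""] for ln in lines if ln.startswith("-A INPUT ")]
    for number, tok in enumerate(rules, 1):
        j = tok.index("-j")
        if tok[j + 1] not in ("ACCEPT", "DROP", "REJECT"):  # LOG, user chains: skipped
            continue
        i, match = 2, True
        while i < j and match:
            negate = tok[i] == "!"
            i += negate  # step over the "!" so tok[i] is the option itself
            if tok[i] not in tests:
                return ("UNKNOWN", number)  # e.g. -s/-d: needs a human look
            argc, test = tests[tok[i]]
            match = test(tok[i + 1:i + 1 + argc]) != negate
            i += 1 + argc
        if match:
            return (tok[j + 1], number)
    policies = [ln.split()[2] for ln in lines if ln.startswith("-P INPUT ")]
    return ((policies or ["ACCEPT"])[-1], 0)

# Abridged from the `iptables -S` output posted in the thread.
PAGE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
WITHOUT_SSH = PAGE_RULES.replace("-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n", "")
print(ssh_verdict(PAGE_RULES), ssh_verdict(WITHOUT_SSH))
```

Run it against `sudo iptables -S` output captured from the Console before saving the rules or rebooting; any verdict other than ACCEPT for port 22 means that ruleset would cut off SSH.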
