Used to be able to ssh into droplet, now operation times out

February 4, 2017 256 views
Networking Ubuntu 16.04

Hi, I set up an Ubuntu 16.04 droplet and nginx one or two days ago - all the setup was done via ssh from my os x machine, and I encountered no problems (yay DigitalOcean!)

However, today, attempts to ssh into my droplet reliably fail with "Operation timed out"

I can still access my droplet without issue via the DigitalOcean "console" feature. I have rebooted my Droplet several times through the web console. I have now put my droplet behind cloudflare. I still see the following failure when I try to ssh into my droplet from my home machine:

$ ssh -vvvv root@xxx.xxx.xxx.xxx
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/AKA/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: connect to address xxx.xxx.xxx.xxx port 22: Operation timed out
ssh: connect to host xxx.xxx.xxx.xxx port 22: Operation timed out

...when I try:

sudo systemctl status ssh

I see that the ssh.service is Active and running (I can't select text on the web console, sadly).

Any help would be greatly appreciated; I'd love to not have to destroy the droplet and start all over, but I guess that's what I'm going to try next.

Thanks,

AKA

1 Answer
jtittle February 4, 2017
Accepted Answer

@akamediasystem

From the console, run:

ufw status

... to see if the firewall is active. If it is, you can run ufw disable to disable the firewall and that should prevent the block (if it is indeed firewall related).

If that doesn't work, was the Droplet set up with an SSH Key or did you receive an e-mail with a root password?

  • Doing

    sudo ufw disable
    

    allowed me to ssh back in, thank you! I'm going to research how to set up ufw to allow nginx and ssh, but it's great to have access again.

    FWIW, I followed this excellent tutorial, but I didn't realize I was going to be locking myself out of ssh in the process.

    Thanks again for a helpful response on a Saturday in under 15 minutes,

    AKA

    • @akamediasystem

      I can help you there :-).

      Start with the command below. This will reset ufw back to its original state without any sort of accept/deny policies in place.

      sudo ufw reset
      

      While ufw is still disabled, we can set it up to handle connections as needed. We need to allow Port 22 for SSH, Port 80 for HTTP, and Port 443 for HTTPS, so we'll start there.

      First thing I do is set up defaults. This blocks all incoming, allows all outgoing. This won't cause you to drop your connection as long as ufw is still disabled, so if you enabled it again, make sure you run sudo ufw disable again before running the next few commands.

      Simply copy and paste the multi-line commands directly in, hit enter, and allow them to run.

      sudo ufw default deny incoming \
      && sudo ufw default allow outgoing
      

      With those in place, we can go ahead and set up the three ports mentioned above.

      sudo ufw allow 22/tcp \
      && sudo ufw allow 80/tcp \
      && sudo ufw allow 443/tcp
      

      Then enable ufw using sudo ufw enable, type in y and hit enter.

      • Thank you! I jumped ahead and did something slightly different - please let me know if I should undo what I did and follow this (again, much appreciated!) advice instead.

        I took a hint from the tutorial and did

        sudo ufw app list
        

        and got

        Available applications:
          Nginx Full
          Nginx HTTP
          Nginx HTTPS
          OpenSSH
        

        ...so I then did

        sudo ufw allow 'OpenSSH'
        

        ...in addition to the already-done

        sudo ufw allow 'Nginx HTTP'
        

        ...then I did

        sudo ufw enable
        

        and got a prompt warning me I might interrupt current SSH connections, to which I said OK.

        ...now, even after exiting, I'm able to ssh back into my droplet (I had to remove a line in ~/.ssh/ssh_config because I had also tried resetting the Droplet's SSH key.)
        
        ...I know I'm still not going to be able to do HTTPS like this, but I'm planning on adding that and getting a cert later tonight or tomorrow, so it's not critical for me yet.
        
        If I did something inadvisable, or if I should just follow the advice you've offered, please let me know!
        
        Thanks again,
        
        AKA
        
        • @akamediasystem

          The way I've set it up in my previous reply, I'm setting up ufw to block all incoming connections on all ports and only allow connections to the ports that I specify. I'm then allowing all outgoing connections.

          I find that this is a better standard setup than simply defining a few ports and turning on the firewall as it ensures only the ports I define are allowed without exception.

          As for how you define the actual ports, you can use the app list or you can define the ports using port/conn_type where port is 80, 443, 22, etc and conn_type is either tcp or udp.
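
The lockout in this thread came from enabling ufw with only an Nginx rule staged. The following is an added example, not part of the original posts: a guard that reads the rules staged while ufw is disabled and enables the firewall only if one of them keeps SSH reachable. The function names and the sample rule lists are constructed for illustration, and the check assumes `ufw show added` prints simple-form rules such as `ufw allow 22/tcp`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before `ufw enable`.

# Return 0 if the rule list on stdin contains an allow/limit rule for SSH.
# Input: lines in the form printed by `ufw show added`, e.g. "ufw allow 22/tcp".
# $1 is the sshd port (default 22). Only simple-form rules are recognised.
ssh_rule_present() {
    awk -v port="${1:-22}" -v q="'" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            rule = $0
            sub(/^ufw (allow|limit) /, "", rule)
            gsub(q, "", rule)                      # drop quotes around app names
            if (rule == port || rule == port "/tcp") found = 1
            # The "ssh" service name and the OpenSSH app profile mean port 22 only.
            if (port == "22" && (rule == "ssh" || rule == "ssh/tcp" || rule == "OpenSSH"))
                found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Enable ufw only when the staged rules keep SSH reachable. Run as root.
safe_enable() {
    if ufw show added | ssh_rule_present "${1:-22}"; then
        ufw --force enable
    else
        echo "no SSH allow rule staged; not enabling ufw" >&2
        return 1
    fi
}

# Constructed samples of staged rules (not captured from the droplet).
# LOCKOUT_RULES mirrors the state that caused the timeout: web allowed, SSH not.
LOCKOUT_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 'Nginx HTTP'"
SAFE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 'Nginx HTTP'
ufw allow OpenSSH"
```

Call `safe_enable` from the console in place of `sudo ufw enable`; pass the port as an argument if sshd does not listen on 22.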
