
Connect to the target Linux instance

Last Updated: Sep 23, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

This article describes cases where you cannot remotely log on to a Linux instance and the troubleshooting methods.

 

Description

Alibaba Cloud reminds you that:

  • Before you perform risky operations on an instance or data, pay attention to the disaster tolerance and fault tolerance capabilities of the instance to ensure data security.
  • If you modify the configuration and data of an instance (including but not limited to ECS and RDS), we recommend that you create snapshots or enable RDS log backup.
  • If you have granted permissions on the Alibaba Cloud platform or submitted security information such as the logon account and password, we recommend that you modify the information as soon as possible.

This topic describes how to remotely log on to a Linux instance.

 

Error cause

Check the Common error cases first. If the problem persists, follow the steps below to troubleshoot the problem.

Note:

  • The following operations have been tested in the CentOS 6.5 64-bit operating system, and may be different in other Linux releases. For details, please refer to the official documentation for the corresponding Linux release.
  • You can use SSH to connect to a Linux instance from a client. You can also connect through the Management terminal, which can be used for temporary O&M operations or for troubleshooting when an SSH logon exception occurs on the client.
  • The following figure shows the factors associated with SSH logon. As you can see, when you cannot remotely log on to a Linux instance through SSH, many factors may be involved.

 

Security group check

Check whether the security group configuration allows remote connection ports.

  1. Refer to Query security group rules to view the security group rules. If the remote connection port is not configured, see Set security group rules for Linux instances after enabling SSH to configure it.
  2. Check whether the ECS instance can be pinged. If the ping still fails after the iptables and NIC IP configuration have been checked and the system has been rolled back, the default Internet rules of the ECS instance security group have been deleted. In this case, you need to reconfigure the Internet rules of the security group. For more information, see The default Internet rule of the ECS instance security group is deleted and cannot be pinged. If this is not the case, go to the next step.

 

Intermediate network

The intermediate network includes port check and network check.

 

Port check

After the network is checked, further check whether the port is normal.

  1. Log on to the instance using the management terminal and run the following command to edit the SSH configuration file:
    vi /etc/ssh/sshd_config
  2. Locate the line containing "#Port 22", and check whether the default port 22 has been modified and whether the preceding "#" has been deleted. If not, delete the preceding "#" and change port 22 to another port. Save the settings and exit.
    Note: Service listening can use ports ranging from 0 to 65535. If the listening port is configured incorrectly, the remote connection service fails to listen.
  3. Run the following command to restart the SSH service:
    /etc/init.d/sshd restart
    Note: You can also run the following command to restart the SSH service:
    service sshd restart
  4. Use the Web server that comes with Python to temporarily create new listening ports for testing.
    python -m SimpleHTTPServer [$Port]
  5. If the logon method is changed or the modified port number is not allowed in the ECS Security group rules, follow these steps to allow the modified port number.
    Note: By default, the ECS Security group rules allow port 22. After modifying the remote connection port, you must allow the modified port in the security group rules.
    1. Log on to the ECS console.
    2. Locate the instance, click Management to go to the Instance details page, switch to the Security Group tab, and click Configure rules.
    3. On the Security Group Rules page, click Add Security Group Rule.
    4. On the displayed page, enter the modified remote connection port number in Port range and the public IP address of the client in Authorized Object. For example, if the modified port number is 2222, enter "2222/2222" in Port range. Click OK.
  6. Run the following command to test whether the port set in the previous steps is normal. If the port test fails, see Description of port availability test when the ping command is used but the port is disconnected for troubleshooting.
    telnet [$IP] [$Port]
    Note:
    • [$IP] indicates the IP address of a Linux instance.
    • [$Port] indicates the SSH port number of a Linux instance.
    For example, run the telnet 192.168.0.1 22 command. Normally, the system returns the SSH software version number on the server.
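
The check in step 2 can be scripted instead of read by eye. The script below is an added example, not part of the original article: it lists the ports set by uncommented Port lines in sshd_config and compares them with saved netstat output. The function names and sample files are constructed for illustration, and ports given through ListenAddress are not handled.

```shell
#!/bin/sh
# Added example: cross-check the Port directives in sshd_config against the
# listening sockets. File contents below are constructed samples.

# Print every port sshd is configured to listen on, one per line.
sshd_ports() {   # $1: path to an sshd_config file
    awk '
        { sub(/^[ \t]+/, "") }            # ignore leading whitespace
        /^#/ || /^$/ { next }             # "#Port 22" is a comment, not a setting
        tolower($1) == "port" {
            n++
            if ($2 ~ /^[0-9]+$/ && $2 >= 1 && $2 <= 65535) print $2
            else print "invalid:" $2      # not a number or out of range
        }
        END { if (!n) print 22 }          # no Port line: the default 22 applies
    ' "$1"
}

# Succeed if saved `netstat -ant` output shows a TCP listener on the port.
port_listening() {   # $1: port, $2: file with netstat output
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
        END { exit !found }
    ' "$2"
}

# Report "<port> listening" or "<port> NOT listening" for each configured port.
check_ssh_ports() {   # $1: sshd_config path, $2: netstat output file
    for port in $(sshd_ports "$1"); do
        if port_listening "$port" "$2"; then echo "$port listening"
        else echo "$port NOT listening"; fi
    done
}

# Constructed sample: the port was changed to 2222 but sshd was not restarted,
# so the old listener on 22 is still the only one.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin yes' > "$tmp/sshd_config"
printf '%s\n' 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN' > "$tmp/netstat.txt"
check_ssh_ports "$tmp/sshd_config" "$tmp/netstat.txt"   # 2222 NOT listening
```

On an instance, save the output of netstat -ant to a file and pass it together with /etc/ssh/sshd_config to check_ssh_ports.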

 

Network check

If you cannot remotely connect to a Linux instance, check whether the network is normal.

  1. Run a comparison test by connecting from computers in other network environments (different network segments or different carriers) to determine whether it is a local network problem or a server problem. If the problem is caused by the local network or carrier, contact the local IT personnel or carrier. If the NIC driver is abnormal, reinstall it. After local network faults are ruled out, proceed to the next step.
  2. Run the ping command on the client to test the network connectivity with the instance.

 

If you cannot connect to the instance by using the remote connection function provided by Alibaba Cloud, restart the instance. Restarting an instance may disrupt your business traffic. Proceed with caution.

Tips: Before restarting an instance, you must create a snapshot for the instance to back up data or create an image. For more information about how to create a snapshot, see Create a snapshot.

  1. Log on to the ECS console and click Instance.
  2. At the top of the page, select a region, click More > Instance status > Restart, and then click Confirm.

 

Client troubleshooting

If you cannot log on from the client normally, use different SSH clients to perform the logon test with the same account information. If you can log on normally from another client, the configuration of the original client is incorrect. You need to troubleshoot and analyze the client configuration or software running status. For more information about how to log on to a Linux instance by using an SSH client, see Connect to a Linux instance.

 

Step 1: Log on to the instance by using the Management terminal

If you cannot connect to the instance remotely for any reason, try to use the remote connection function provided by Alibaba Cloud to make sure that the instance is still responding and is not completely down, and then troubleshoot the fault according to its cause.

  1. Log on to the ECS console and click Instance. On the instance list page that appears, click Remote connection.
  2. When you connect to the instance for the first time or forget the password, click Change the VNC connection password to modify the password for the remote connection.
  3. Then, connect to the instance by using the remote connection password.

 

Step 2: Check whether the local network of the client is abnormal.

Check whether a local fault prevents the user from connecting to the Internet.

  • If yes, check the NIC driver. If the driver is abnormal, reinstall it. Use the Management terminal to log on to the instance and view the /etc/hosts.deny file to check whether a blocked IP address exists. If yes, delete the IP address configuration.
  • If no, go to the next step.

 

Step 3: Restart the instance

Make sure that the logon password is correct, and check whether you have reset the password before. If you have, check whether the instance was restarted after the instance password was reset. If there is a record of instance password modification but no record of instance restart, follow these steps to restart the instance.

  1. Log on to the ECS console and click Instance.
  2. At the top of the page, select a region, click More > Instance status > Restart, and then click Confirm.

 

Check CPU load, bandwidth, and memory usage

  • Check whether the CPU load is too high. If yes, follow these steps to solve the problem. If no, go to the next step.
    Tips: You cannot actively monitor the running status of the internal system, but you can use CloudMonitor to view the status.
    1. Log on to the CloudMonitor console and choose Host Monitoring > Process Monitoring.
    2. Check the running status of applications and eliminate the cause of high CPU load. For more information about how to check the CPU load, see Troubleshooting for high CPU usage of ECS instances in Linux.
      Tips: High CPU load may cause remote connection failure during a certain period of time. We recommend that you check whether the program or instance resources meet the existing requirements.
  • The failure of remote connection may be caused by insufficient public network bandwidth. The specific troubleshooting method is as follows. To solve this problem, restart the ECS instance. For more information, see Manual renewal or Auto-renew.
    1. Log on to the ECS console.
    2. Locate the instance and click Management to go to the Instance details page to view the network monitoring data.
    3. Check whether the server bandwidth is "1 K" or "0 K". If you did not purchase public network bandwidth when purchasing the instance, later upgraded the public network bandwidth, and did not select the required bandwidth when purchasing the instance, the bandwidth becomes "1 K".
  • After you enter the password to log on through the remote connection, the desktop is not displayed and the session exits without any error message. This problem may be caused by insufficient memory on the server. Check the memory usage of the server. The procedure is as follows:
    1. Use the Remote connection function of the console to log on to the Linux instance.
    2. View memory usage. For more information, see How to View physical CPU and memory information for ECS instances in Linux.

 

System settings check

If you cannot log on normally after troubleshooting and handling according to the preceding problem scenarios, we recommend that you perform troubleshooting and analysis as follows:

  1. Use different SSH clients and the Management terminal to conduct a comparative access test to determine whether the problem is caused by the configuration or running software of an individual client.
  2. See Intermediate network problems to test network connectivity.
  3. Log on to the ECS instance. Run the following command to view related logs while performing access tests on the client:
    tail -f /var/log/secure
  4. Run the following command, for example ssh -v 192.168.0.1, to obtain detailed SSH logon interaction logs in the Linux environment.
    ssh -v [$IP]
  5. Log on to the Linux instance through the management terminal and follow these steps to check the running status of the SSH service.
    1. Run the following commands to check whether the SSH service is running:
      service sshd status
      service sshd restart
      Normally, the running status and process ID of the SSH service are returned. A similar output is displayed:
      [root@centos ~]# service sshd status
      openssh-daemon (pid 31350) is running...
      [root@centos ~]# service sshd restart
      Stopping sshd: [OK]
      Starting sshd: [OK]
    2. Run the following command to check whether the SSH port is listening:
      netstat -anop | grep 0.0.0.0:22
      Normally, the corresponding port listening information is returned. The command output is as follows:
      tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
    3. Run the following command on the instance. If the logon is successful, the configuration of the system firewall or the external security group policy is abnormal and prevents the client from logging on to the system.
      ssh 127.0.0.1

 

Common error cases

The following are common cases in which you cannot remotely log on to a Linux instance through SSH. You can select different solutions for troubleshooting based on the actual error message.

 

PAM security framework

The PAM security framework of the Linux system can load relevant security modules to control access to account policies and logon policies of ECS instances. If the related configuration is abnormal or the related policies are triggered, SSH logon may fail. Based on different error messages, see the following common cases to solve the problem.

 

Linux environment configuration

If an exception occurs in the Linux system environment, such as a virus infection or an incorrect account or environment variable configuration, SSH logon may also fail. Based on different error messages, see the following common cases to solve the problem.

 

SSH service and parameter configuration

The default configuration file for the SSH service is /etc/ssh/sshd_config. If the related parameters in the configuration file are incorrectly configured, or related features or policies are enabled, SSH logon may also fail. Based on different error messages, see the following common cases to solve the problem.

 

SSH service associated directory or file configuration

For security reasons, the SSH service checks the permission configuration and owner group of related directories or files while running. If the permissions are too permissive or too restrictive, the service may run abnormally and the client may fail to log on. Based on different error messages, see the following common cases to solve the problem.

 

SSH service key configuration

The SSH service uses asymmetric encryption technology to encrypt the transmitted data. The client and server exchange and verify the validity of the relevant key information. Based on different error messages, see the following common cases to solve the problem.
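
The entries that appear in /var/log/secure during the access test in System settings check usually point to one of the categories above. The following added example (not part of the original article) counts sshd entries per category; the match strings are assumed to be typical OpenSSH, PAM and TCP wrappers messages, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: sort sshd entries from /var/log/secure into the error
# categories listed on this page. The match strings are typical OpenSSH, PAM
# and TCP wrappers messages and are assumptions; adjust them to your release.

triage_secure() {   # $1: path to a copy of /var/log/secure
    awk '
        !/ sshd(\[[0-9]+\])?: / { next }          # keep sshd entries only
        {
            if      (/pam_(tally2?|listfile|securetty|limits)\(sshd:/) c = "PAM security framework"
            else if (/refused connect from/)    c = "/etc/hosts.deny"
            else if (/bad ownership or modes/)  c = "SSH directory or file configuration"
            else if (/Could not load host key/) c = "SSH service key configuration"
            else if (/not allowed because|ROOT LOGIN REFUSED/) c = "SSH service and parameter configuration"
            else if (/Failed password for/)     c = "wrong password"
            else                                c = "unclassified"
            n[c]++
        }
        END { for (c in n) printf "%s: %d\n", c, n[c] }
    ' "$1" | sort
}

# Constructed sample log; addresses are from the documentation range.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Sep 23 10:00:01 centos sshd[3101]: pam_tally2(sshd:auth): user root (0) tally 6, deny 5
Sep 23 10:00:07 centos sshd[3104]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 23 10:01:12 centos sshd[3110]: Authentication refused: bad ownership or modes for directory /root/.ssh
Sep 23 10:02:30 centos sshd[3115]: User admin not allowed because not listed in AllowUsers
Sep 23 10:03:02 centos sshd[3120]: refused connect from 203.0.113.5 (203.0.113.5)
Sep 23 10:03:40 centos sshd[3122]: pam_listfile(sshd:auth): Refused user root for service sshd
Sep 23 10:04:00 centos crond[3130]: (root) CMD (run-parts /etc/cron.hourly)
EOF
triage_secure "$sample_log"
```

A category with a high count is the place to start; entries counted as unclassified should be read in full.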

 

Application scope

  • ECS