
In my company, we have an EC2 instance that I didn't know anything about. My predecessor presumably created it and didn't provide any information about it.

Now suddenly something stopped working, and on investigation I found out that php-fpm had stopped on that instance. Now I have to log in to that instance and restart the service. The issue is that I don't have the .pem file or the SSH port for that server.

For the PEM file, I created an AMI and started a new server from that image with a new PEM file. Now I have the PEM file, but I don't know the SSH port. I tried the default port and the other ports used in my company, but nothing works.

sh-3.2# ssh -i company_sydney.pem -p 22 ec2-user@xx.xx.xx.xx
ssh: connect to host xx.xx.xx.xx port 22: Connection refused

Now I want to find the open SSH port on that server. I searched for a utility that does this, but without success.

This is my brute-force approach to finding the SSH port:

for i in {1..65535}
do
    # ConnectTimeout stops the loop hanging on ports that silently drop packets
    if ssh -i company_sydney.pem -o ConnectTimeout=3 -p "$i" ec2-user@xx.xx.xx.xx
    then
        echo "ssh answered on port $i"; break
    fi
done

Is there any other way to get this done, or is there a utility already available for it?

Edit: My question is not about the missing PEM file; I do have the file. I am looking for tools and help with port searching.

Output of nmap:

sh-3.2$ nmap xx.xx.xx.xx
Starting Nmap 7.50 ( https://nmap.org ) at 2018-12-12 12:59 IST
Stats: 0:02:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 48.85% done; ETC: 13:04 (0:02:55 remaining)
Nmap scan report for ec2-xx-xx-xx-xxx.ap-southeast-2.compute.amazonaws.com (xx.xx.xx.xx)
Host is up (0.34s latency).
Not shown: 571 closed ports, 426 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
53/tcp open  domain
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 532.29 seconds

Security Group Details:

[screenshot of the security group rules]

Port 21 is not the SSH port.

Edit 2: I found the SSH port using the brute-force method. But I am still curious about tools like Nmap or something else that could have been used for this purpose. Is there any tool that does the same thing as my small shell script?
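The loop above has to attempt a full login on every port. An SSH server identifies itself before the client sends anything, so the SSH ports among a host's open ports can be recognised by reading that first line, which is what nmap's service detection does for SSH. The following is an added example, not code from the question or the answers; the host and candidate ports are whatever you pass in, and the listeners in `demo()` are throwaway local sockets constructed so the script runs offline.

```python
"""Identify which already-open TCP ports speak SSH by reading the server's
protocol identification string (RFC 4253, section 4.2), which an SSH server
sends before the client says anything, so no key or login attempt is needed.
Added example; not code from the question or the answers. The listeners in
demo() are throwaway local sockets constructed for the demonstration."""
import socket
import threading


def read_banner(host, port, timeout=3.0):
    """Return the first line the server sends after connect, or None if it
    sends nothing within `timeout` (HTTP, for instance, waits for the client)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:  # connection refused, reset, or timed out
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    return line.decode("ascii", "replace") or None


def find_ssh_ports(host, candidate_ports, timeout=3.0):
    """Map port -> banner for the candidates whose banner starts with 'SSH-'.
    Use the ports a scan already reported open as the candidate list."""
    found = {}
    for port in candidate_ports:
        banner = read_banner(host, port, timeout)
        if banner and banner.startswith("SSH-"):
            found[port] = banner
    return found


# --- demo fixtures: constructed local listeners standing in for real services ---
def _serve_one_client(sock, banner):
    conn, _ = sock.accept()
    with conn:
        if banner:
            conn.sendall(banner)  # SSH-like service: speaks first
        else:
            conn.recv(1)          # HTTP-like service: waits until the client gives up
    sock.close()


def start_fake_listener(banner):
    """Bind an ephemeral 127.0.0.1 port and serve one client in a thread."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_one_client, args=(sock, banner), daemon=True).start()
    return sock.getsockname()[1]


def demo():
    ssh_port = start_fake_listener(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    quiet_port = start_fake_listener(b"")
    result = find_ssh_ports("127.0.0.1", [ssh_port, quiet_port], timeout=1.0)
    return ssh_port, quiet_port, result


if __name__ == "__main__":
    ssh_port, quiet_port, result = demo()
    print(f"SSH recognised on {list(result)}; nothing recognised on {quiet_port}")
```

The banner also tells you the server software and version, which is the same information an outsider sees; on a production host that is a reason to keep the daemon patched rather than to rely on a non-standard port staying unnoticed.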

2 Answers


If you have access to the AWS console, go into EC2, check which security group the instance belongs to and check all its ports - the previous admin may have labelled the SSH port.

Or use nmap to scan the ports on your instance.

nmap <IP_Address>

If ICMP is blocked, try

nmap -Pn <IP_Address>

For more details on the services running on the discovered ports, try

nmap -v -A <IP_Address>
nmap -v -A -Pn <IP_Address>
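The security group check in this answer can be done from the CLI as well, and it bounds the search before any scanning: only ports an inbound rule admits can be reached from outside at all (ports the group does not allow show up as "filtered" in nmap), and the rule's Description field is where an earlier admin's label would be. The following is an added example, not code from the answers; it parses the JSON that `aws ec2 describe-security-groups --group-ids <sg-id>` prints, and `SAMPLE_OUTPUT` is constructed with a placeholder group id.

```python
"""List the inbound TCP ports an EC2 security group admits, from the JSON that
`aws ec2 describe-security-groups --group-ids <sg-id>` prints. Added example,
not code from the answers; SAMPLE_OUTPUT is constructed and its group ids are
placeholders."""
import json

SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-PLACEHOLDER",            # constructed, not a real group
        "GroupName": "web-sydney",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "http"}]},
            {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22777, "ToPort": 22777,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "ssh from office"}]},
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
             "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER-2", "Description": "app tier"}]},
        ],
    }]
})


def ingress_tcp_rules(describe_output):
    """One dict per (rule, source) pair: group, from_port, to_port, source, description.
    IpProtocol "-1" (all traffic) is reported as 0-65535; udp/icmp rules are skipped.
    Sources may be IPv4 CIDRs, IPv6 CIDRs or other security groups."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    rules = []
    for group in data.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue
            sources = (
                [(r["CidrIp"], r.get("Description", "")) for r in perm.get("IpRanges", [])]
                + [(r["CidrIpv6"], r.get("Description", "")) for r in perm.get("Ipv6Ranges", [])]
                + [(r["GroupId"], r.get("Description", "")) for r in perm.get("UserIdGroupPairs", [])]
            )
            for source, description in sources:
                rules.append({"group": group["GroupId"], "from_port": lo, "to_port": hi,
                              "source": source, "description": description})
    return rules


def port_ranges(rules):
    """Distinct (from_port, to_port) ranges the group admits, lowest first.
    A (0, 65535) entry means an all-traffic rule: the group does not narrow the search."""
    return sorted({(r["from_port"], r["to_port"]) for r in rules})


def labelled_ports(rules, keyword="ssh"):
    """Single ports whose rule description mentions `keyword`, case-insensitively."""
    return sorted({r["from_port"] for r in rules
                   if r["from_port"] == r["to_port"]
                   and keyword.lower() in r["description"].lower()})


if __name__ == "__main__":
    rules = ingress_tcp_rules(SAMPLE_OUTPUT)
    for lo, hi in port_ranges(rules):
        print(f"tcp {lo}" if lo == hi else f"tcp {lo}-{hi}")
    print("labelled ssh:", labelled_ports(rules))
```

To find the group ids for an instance first, `aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].SecurityGroups[].GroupId'` lists them; pipe the describe-security-groups output into `ingress_tcp_rules` in place of `SAMPLE_OUTPUT`.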

The following command does exactly what I am doing with the shell script, but this command takes too much time.

nmap -p 1-65535 <IP_Address>

Output of the above command:

Nmap scan report for ec2-xx-xx-xx-xxx.ap-southeast-2.compute.amazonaws.com (xx.xx.xx.xx)
Host is up (0.22s latency).
Not shown: 62854 closed ports, 1678 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
53/tcp    open  domain
80/tcp    open  http
22777/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 11840.36 seconds

The commands given in the other answer didn't show me port 22777, which I was searching for.

Other useful nmap commands