One Missing Port Took Down My EC2: How I Fixed a Complete SSH Lockout

I Locked Myself Out of My EC2 Instance (And How I Fixed It)
If you're setting up a database on EC2 and using a host firewall like UFW, there is one mistake that can cost you hours:
Forgetting to allow SSH (port 22) before you enable the firewall
I did exactly that.
This article is a simple walkthrough of:
- What went wrong
- Why SSH stopped working
- How I recovered access (without the EC2 Serial Console)
- What you should always do to avoid this
What Happened
I launched an EC2 instance, installed PostgreSQL, and configured UFW like this:
sudo ufw allow 5432/tcp
sudo ufw enable
Everything looked fine… until I got disconnected.
After that:
ssh ubuntu@<ip>
Result:
Operation timed out
No SSH. No access. Nothing.
The Problem
I forgot one critical rule:
sudo ufw allow 22/tcp
UFW's default policy denies incoming traffic, so when it is enabled without an allow rule for port 22:
- Every new inbound connection is dropped, SSH included (the security group still lets the packets reach the instance; UFW drops them on the host)
- Once your current session ends, no new SSH connection can get through
- You have locked yourself out of the server
Why This Is Worse on EC2
On a physical machine you can still walk up to a console and fix the firewall.
On EC2:
- There is no physical console
- There is no shell unless SSH works
- If the EC2 Serial Console is not enabled (it is off by default and needs a local user with a password) → you're stuck
How I Fixed It (Without the Serial Console)
Since I couldn't SSH, I had to recover access using EC2 itself.
Step 1: Stop the Instance
Go to AWS Console → EC2 → Instance state → Stop instance. User data can only be edited while the instance is stopped.
Step 2: Use User Data to Reset the Firewall
Edit the instance (Actions → Instance settings → Edit user data) and add this script:
#!/bin/bash
ufw disable
iptables -F
service ufw stop
This ensures:
- UFW is disabled
- All firewall rules are cleared
The order matters: ufw disable removes UFW's chains and resets the built-in chain policies to ACCEPT. Flushing with iptables -F on its own would remove the rules but leave a DROP policy in place, which is the same lockout.
Step 3: Force User Data to Run Again
By default cloud-init runs the user data script once per instance, on first boot. A stop/start keeps the same instance ID, so the plain script above would not run at all. To force it, wrap it in multipart user data that sets the scripts-user module to always:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript

#!/bin/bash
ufw disable
iptables -F
service ufw stop
--//--
The blank line between each part's headers and its body is required; without it the parts are not parsed and nothing runs.
Step 4: Start the Instance Again
Start the EC2 instance. cloud-init runs the script during boot and UFW is disabled.
Now try SSH again:
ssh -i key.pem ubuntu@<ip>
It should work now. Once you are back in, stop the instance and remove that user data again: with the always setting, the script would disable your firewall on every boot.
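The four recovery steps above as one script, added here as an example (it is not code from the original post). It builds the multipart user data with the blank lines MIME requires, self-checks it, then stops the instance, replaces its user data, and starts it again. The AWS CLI calls only execute with --apply; otherwise they are printed. The instance ID placeholder, the output path, and the assumption that the CLI base64-encodes file:// input for the userData attribute are this example's, not the post's.

```shell
#!/bin/sh
# Added example: scripted EC2 lockout recovery via user data.
# INSTANCE_ID below is a placeholder; set yours in the environment.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
USERDATA_FILE="${USERDATA_FILE:-/tmp/reset-ufw-userdata.txt}"
APPLY="${APPLY:-0}"

# The firewall reset itself. ufw disable is the line that matters: it
# removes UFW's chains and resets the built-in policies to ACCEPT.
# iptables -F alone would flush rules but leave a DROP policy in place.
reset_script() {
  printf '%s\n' '#!/bin/bash' 'ufw disable' 'iptables -F' 'service ufw stop'
}

# build_user_data -> multipart user data on stdout. The cloud-config part
# makes cloud-init run user scripts on every boot (a stop/start is not a
# first boot, so the default once-per-instance frequency would skip it);
# the shell part is the reset. Blank lines separate headers from bodies.
build_user_data() {
  cat <<'EOF'
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="reset-ufw.sh"

EOF
  reset_script
  echo '--//--'
}

# check_user_data FILE -> 0 if FILE has what a recovery needs, else 1:
# the always-run frequency, a blank line right before #cloud-config,
# a line that disables ufw, and the closing boundary.
check_user_data() {
  f="$1"
  grep -q '^- \[scripts-user, always\]$' "$f" || return 1
  grep -B1 '^#cloud-config$' "$f" | head -n 1 | grep -q '^$' || return 1
  grep -q '^ufw disable$' "$f" || return 1
  tail -n 1 "$f" | grep -q '^--//--$' || return 1
}

# run CMD... -> executes with --apply, otherwise prints the command.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "[dry-run] $*"; fi
}

main() {
  if [ "${1:-}" = "--apply" ]; then APPLY=1; fi
  build_user_data > "$USERDATA_FILE"
  check_user_data "$USERDATA_FILE" || { echo "user data failed self-check" >&2; return 2; }

  # Step 1: user data can only be changed while the instance is stopped.
  run aws ec2 stop-instances --instance-ids "$INSTANCE_ID"
  run aws ec2 wait instance-stopped --instance-ids "$INSTANCE_ID"
  # Steps 2-3: replace the user data. Assumption: the CLI base64-encodes
  # file:// input for this attribute (check against your CLI version).
  run aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" \
      --attribute userData --value "file://$USERDATA_FILE"
  # Step 4: boot; cloud-init runs the reset as root, then SSH works again.
  run aws ec2 start-instances --instance-ids "$INSTANCE_ID"
  run aws ec2 wait instance-running --instance-ids "$INSTANCE_ID"
}

main "$@"
```

Run it once without arguments to see the exact commands and inspect the generated file, then with --apply. After you are back in, repeat the stop/modify/start with an empty user data file (or delete it in the console), otherwise the reset runs on every boot.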
Important Gotcha (Learned the Hard Way)
At one point, I added this script:
sudo ufw allow 22/tcp
sudo ufw allow 5432/tcp
sudo ufw enable
But as soon as UFW was enabled:
- SSH session dropped again
- Same lockout happened
So I had to:
- Stop instance again
- Remove user data
- Restart
- Try again
Correct Way to Configure UFW
Always follow this order:
# Allow SSH FIRST
sudo ufw allow 22/tcp
# Then allow DB
sudo ufw allow 5432/tcp
# Then enable firewall
sudo ufw enable
Never enable UFW before allowing SSH (or whatever port your sshd actually listens on). With the SSH rule in place first, the session you are typing in survives the enable and new connections are accepted.
What You Should Always Do
Before enabling UFW on EC2:
- Allow SSH (port 22) first
- Double-check the rules before you enable
- Keep a second SSH session open, and test a fresh connection before you close it
- Prefer Security Groups over UFW where they are enough: a security group mistake can be fixed from the console, a host firewall mistake cannot
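The "allow SSH first, then enable" order and the safety checklist above, as a script added here as an example (not code from the original post). It refuses to enable UFW unless an allow rule for the SSH port is present, applies the rules in the safe order, and arms a rollback timer that disables UFW again unless you confirm from a fresh SSH session, so a lockout undoes itself. Without --apply it only prints the commands. It assumes Ubuntu with ufw; SSH_PORT, DB_PORT, ROLLBACK_SECONDS and the PID file path are this example's choices.

```shell
#!/bin/sh
# Added example: enable UFW on an EC2 host without locking yourself out.
set -eu

SSH_PORT="${SSH_PORT:-22}"
DB_PORT="${DB_PORT:-5432}"
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-300}"
TIMER_PID_FILE="${TIMER_PID_FILE:-/run/ufw-rollback.pid}"
APPLY="${APPLY:-0}"

# Rules in the order they are applied: SSH first, then the database.
RULES="${SSH_PORT}/tcp ${DB_PORT}/tcp"

# has_ssh_rule PORT RULES -> 0 if RULES contains PORT/tcp, else 1.
has_ssh_rule() {
  for r in $2; do
    [ "$r" = "$1/tcp" ] && return 0
  done
  return 1
}

# ufw_commands PORT RULES -> the ufw commands, one per line, in the only
# safe order: every allow rule first, enable last. Prints nothing and
# fails if PORT is not in RULES, so "enable" is never emitted without SSH.
ufw_commands() {
  has_ssh_rule "$1" "$2" || return 1
  for r in $2; do
    echo "ufw allow $r"
  done
  # --force skips the "may disrupt existing ssh connections" prompt, which
  # would otherwise stall a non-interactive script (user data, cloud-init).
  echo "ufw --force enable"
}

# run CMD... -> executes with --apply, otherwise prints the command.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "[dry-run] $*"; fi
}

# A background timer that outlives this SSH session: if the new rules cut
# you off, UFW is disabled again after ROLLBACK_SECONDS and you can SSH in
# and fix the rules. Cancel it with --confirm from a fresh SSH session.
arm_rollback() {
  nohup sh -c "sleep $ROLLBACK_SECONDS && ufw disable" >/dev/null 2>&1 &
  echo "$!" > "$TIMER_PID_FILE"
  echo "rollback armed: 'ufw disable' in ${ROLLBACK_SECONDS}s (timer pid $!)"
}

confirm() {
  kill "$(cat "$TIMER_PID_FILE")" && rm -f "$TIMER_PID_FILE"
  echo "rollback cancelled; firewall stays enabled"
}

main() {
  case "${1:-}" in
    --apply)   APPLY=1 ;;
    --confirm) confirm; return 0 ;;
  esac
  if ! has_ssh_rule "$SSH_PORT" "$RULES"; then
    echo "refusing to enable ufw: no allow rule for ${SSH_PORT}/tcp" >&2
    return 2
  fi
  ufw_commands "$SSH_PORT" "$RULES" | while IFS= read -r cmd; do
    run $cmd
  done
  if [ "$APPLY" = 1 ]; then arm_rollback; fi
  run ufw status verbose
}

main "$@"
```

Run it with --apply from your existing session, then open a new SSH connection. If the new connection works, run it again with --confirm before the timer fires; if it does not, wait out the timer and UFW turns itself off. Drop a port from RULES and the script refuses to emit the enable command at all, which is the check the post's gotcha was missing.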
Key Takeaways
- EC2 Security Group ≠ OS firewall: they are evaluated separately, and traffic must pass both
- UFW can still block everything even if the Security Group allows it
- One wrong rule can lock you out completely
- Recovery is possible using User Data, because cloud-init runs it as root on boot without needing a login
Final Thought
This mistake is simple, but the impact is huge.
If you're setting up backend infra, this is the kind of issue you will face at some point. The important part is understanding what happened and how to recover.
Now you know.
If this saved you time, you're welcome.
Shubham
Full Stack Developer
