Security group appears to block certain ports after google-authenticator mis-entries

0

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2 small to a t3 small instance, so I began testing the new environment using Ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22, 25, 80, 443, 587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password). What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22, 80 and 443 were closed, and the remaining still open. I can still reach all the ports normally from within my VPC, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself. It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas?

I'd be happy to provide the instance id and security groups if needed.

1 Answer
0
Accepted Answer

This is definitely the type of problem I would raise a support case for - because they can "see" into your environment and determine if there are other factors at play here.

AWS
EXPERT
answered 2 years ago
  • Well, I appreciate the suggestion, but the cost of even the most basic technical support (Developer) is significantly more than the cost of running this server, and I run this server primarily to give small businesses an inexpensive (read: free) path to a web presence. I can live without google-authenticator if no one on this forum has any insight. Perhaps I'll subscribe for a limited time, but that can wait.

  • Well, I hadn't realized that fail2ban was installed and causing the problem.
    Thanks for the input.
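
The last comment traces the timeouts to fail2ban on the instance rather than to the security group. As an added example (not part of the thread), the following pairs Ban/Unban entries for one client address in a fail2ban log so the ban window can be compared with the observed outage; the log lines and addresses are constructed, and reading the real log from `/var/log/fail2ban.log` is an assumption about the host.

```python
import re
from datetime import datetime

# Constructed sample in fail2ban.log format (addresses from documentation ranges).
SAMPLE_LOG = """\
2021-03-05 14:20:02,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2021-03-05 14:20:01
2021-03-05 14:20:41,557 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2021-03-05 14:20:41
2021-03-05 14:20:42,019 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-03-05 14:25:42,240 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2021-03-05 15:02:10,003 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
"""

# Only fail2ban.actions NOTICE lines record the firewall change itself.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<verb>Ban|Unban)\s+(?P<ip>\S+)"
)

def ban_windows(log_text, client_ip):
    """Return [(jail, banned_at, unbanned_at_or_None, seconds_or_None)] for client_ip."""
    open_bans = {}   # jail -> time of a Ban not yet matched by an Unban
    windows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["ip"] != client_ip:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        jail = m["jail"]
        if m["verb"] == "Ban":
            open_bans.setdefault(jail, ts)   # keep the first Ban if it repeats
        elif jail in open_bans:
            start = open_bans.pop(jail)
            windows.append((jail, start, ts, int((ts - start).total_seconds())))
    # Bans still in force at the end of the log have no Unban yet.
    windows += [(jail, start, None, None) for jail, start in open_bans.items()]
    return windows

if __name__ == "__main__":
    for jail, start, end, secs in ban_windows(SAMPLE_LOG, "203.0.113.7"):
        state = f"lifted {end} after {secs}s" if end else "still active"
        print(f"[{jail}] banned {start}, {state}")
```

A ban window that lines up with the period of external timeouts, while access from other source addresses keeps working, points at the host firewall rules fail2ban manages rather than at the security group.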
