Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive

Why Can't I Log In to My Linux ECS?

Updated on 2025-01-27 GMT+08:00

Symptom

A Linux ECS cannot be logged in to due to some reasons. For example, the network is abnormal, the firewall does not allow access to the local port for accessing the remote desktop, or the ECS vCPUs are overloaded.

This section describes how to troubleshoot login failures on a Linux ECS.

If you cannot log in to your Linux ECS, follow the instructions provided in Checking the VNC Login. Then, locate the login fault by referring to Fault Locating.

Checking the VNC Login

Check whether you can log in to the ECS using VNC on the management console.

  1. Log in to the management console.
  2. Under Computing, choose Elastic Cloud Server.
  3. In the Operation column of the target ECS, click Remote Login.

  4. (Optional) When the system displays "Press CTRL+ALT+DELETE to log on", click Send CtrlAltDel in the upper part of the remote login page to log in to the ECS.
    NOTE:

    Do not press CTRL+ALT+DELETE on the physical keyboard because this operation does not take effect.

If the VNC login still fails, record the resource details and fault occurred time for further fault locating and analysis.

Fault Locating

If you can log in to the ECS using VNC but cannot log in to the ECS using a remote desktop connection, locate the fault as follows.

The following fault causes are sequenced based on their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Table 1 Possible causes and solutions

Possible Cause

Solution

The ECS is frozen or stopped.

Make sure that the ECS is in the Running state. For details, see Checking the ECS Status.

The entered username or password is incorrect.

The default username for Linux ECSs is root. For details, see Checking the Login Mode.

The ECS is overloaded.

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur. For details, see Checking Whether the ECS Is Overloaded.

The ECS has no EIP bound.

To log in to an ECS using RDP or MSTSC, ensure that the ECS has an EIP bound. For details, see Checking Whether an ECS Has an EIP Bound.

The access is blocked by the ISP.

Check whether you can access the ECS using another hotspot or network. For details, see Checking Whether the Network Is Normal.

The security group of the ECS denies inbound traffic on the remote login port.

Check whether the security group allows inbound traffic on the remote login port. For details, see Checking Whether the Security Group Is Correctly Configured.

The remote access port is incorrectly configured.

Check whether the remote access port is correctly configured on the local computer and the ECS. For details, see Checking Whether the Remote Access Port Is Correctly Configured.

An IP address whitelist for SSH logins has been configured.

Check whether an SSH login IP address whitelist is configured after HSS is enabled. For details, see Checking the IP Address Whitelist for SSH Logins (with HSS Enabled).

An OS fault has occurred.

The file system is damaged. For details, see Checking Whether an OS Fault Has Occurred.

The access is blocked by third-party antivirus software.

Disable or uninstall the third-party antivirus software and try again. For details, see Checking Whether the Access Is Blocked by Antivirus Software.

The cause is displayed in the error message.

If an error message is displayed during remote login, check the operation guide based on the error information. For details, see Checking Whether an Error Occurred During a Remote Login.

Checking the ECS Status

Check whether the ECS is in the Running state on the management console. If the ECS is stopped, start it and try to log in to the ECS again.

Figure 1 Checking the ECS status

Checking the Login Mode

Check the login mode you set when you created the ECS.

Figure 2 Login Mode
  • Key pair
    • For the first login, use an SSH key. For details, see Logging In to a Linux ECS Using an SSH Key Pair.
    • For a non-first login, if you want to use the remote login function (VNC) provided by the management console, log in to the ECS using the SSH key and set the password.

Checking Whether the ECS Is Overloaded

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Linux ECS Running Slowly?

  • If the login failure is caused by high CPU usage, perform the following operations to reduce the CPU usage:
    • Stop certain processes that are not used temporarily and try again.
    • Restart the ECS.
    • Reinstall the ECS OS. Back up important data before the reinstallation.
    • If the ECS OS cannot be reinstalled due to important data, replace the disk attached to the ECS. To do so, back up data on the original disk, detach the disk from the ECS, attach the new disk to the ECS, and copy data to the new disk.

    You can also upgrade the vCPUs and memory by modifying the ECS specifications.

  • If the login fails because the bandwidth exceeds the limit, perform the following operations:

    For instructions about how to increase the bandwidth, see Modifying an EIP Bandwidth.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether an ECS Has an EIP Bound

If you need to use a remote login tool (such as PuTTY or Xshell) to access the ECS, bind an EIP to the ECS.

For details, see Assigning an EIP and Binding It to an ECS.

Checking Whether the Network Is Normal

Use a local PC in another network or use another hotspot to access the ECS. Check whether the fault occurs on the local network. If so, contact the carrier to resolve this issue.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Security Group Is Correctly Configured

Check whether the local host can access port 22 on the ECS.

Run the following command to check whether port 22 is accessible:

telnet ECS private IP address

If port 22 is inaccessible, check whether port 22 is opened in the security group rule.

On the ECS details page, click the Security Groups tab and check that port 22 is configured in the inbound rule of the security group.

Figure 3 Checking remote access ports

For details about how to modify a security group rule, see Modifying a Security Group Rule.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Remote Access Port Is Correctly Configured

Check ECS settings.
  1. Check whether the sshd process is running.
  2. Check whether your local PC is denied by the ECS.
    1. Log in to the ECS and run the following command:

      vi /etc/hosts.deny

    2. If the IP address of the local PC is in the hosts.deny file, the ECS denies connection attempts from the local PC. In such a case, delete the IP address from the file.
  3. Open the /etc/ssh/ssh_config file in the local PC and view the default login port. Then, open the /etc/ssh/sshd_config file in the ECS and check whether the SSH port is the default port 22.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking the IP Address Whitelist for SSH Logins (with HSS Enabled)

After HSS is enabled, you can configure an IP address whitelist for SSH logins as required. The IP address whitelist controls SSH access to ECSs, effectively preventing account cracking.

After you configure the allowlist, SSH logins will be allowed only from IP addresses in the allowlist.

  1. On the Events page, check whether a local host IP address is intercepted due to brute force cracking.
  2. Check whether the IP address whitelist for SSH logins has been enabled. If it has been enabled, ensure that the IP address of the local host has been added to the IP address whitelist.
    CAUTION:
    • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the allowlist. Otherwise, you cannot remotely log in to your ECS through SSH.
    • Exercise caution when adding a local IP address to the allowlist. This will make HSS no longer restrict access from this IP address to your ECSs.

Checking Whether an OS Fault Has Occurred

  • Password injection failure

    The password failed to be injected using Cloud-Init.

  • File system damaged after a forcible stop

    There is a low probability that the file system is damaged after a forcible stop, which causes the ECS fails to be restarted. For details, see Why Does a Forcibly-Stopped Linux ECS Fail to Be Restarted?

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Access Is Blocked by Antivirus Software

Third-party antivirus software may lead to a failure in accessing the ECS.

If third-party antivirus software is running, check whether the remote connection is blocked by the software. If the remote connection is blocked, add the EIP bound to the ECS to the whitelist of the antivirus software and try to access the ECS again.

You can also disable or uninstall the third-party antivirus software and try to remotely log in to the ECS again.

Checking Whether an Error Occurred During a Remote Login

If an error message is displayed during remote login, check the operation guide based on the error information.

If the fault persists, record the resource details and fault occurred time, and contact technical support for assistance.

If the fault persists after the preceding operations are performed, record the resource details and fault occurred time, and contact customer service for technical support.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback