Updated on 2024-07-24 GMT+08:00

Why Can't I Log In to My Linux ECS?

Symptom

A Linux ECS cannot be logged in to due to some reasons. For example, the network is abnormal, the firewall does not allow access to the local port for accessing the remote desktop, or the ECS vCPUs are overloaded.

This section describes how to troubleshoot login failures on a Linux ECS.

If you cannot log in to your Linux ECS, follow the instructions provided in Checking the VNC Login. Then, locate the login fault by referring to Fault Locating.

Checking the VNC Login

Check whether you can log in to the ECS using VNC on the management console.

  1. Log in to the management console.
  2. Under Computing, choose Elastic Cloud Server.
  3. In the Operation column of the target ECS, click Remote Login.

  4. (Optional) When the system displays "Press CTRL+ALT+DELETE to log on", click Ctrl+Alt+Del in the upper part of the remote login page to log in to the ECS.

    Do not press CTRL+ALT+DELETE on the physical keyboard because this operation does not take effect.

If the VNC login still fails, record the resource details and fault occurred time for further fault locating and analysis.

Fault Locating

If you can log in to the ECS using VNC but cannot log in to the ECS using a remote desktop connection, locate the fault as follows.

The following fault causes are sequenced based on their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Table 1 Possible causes and solutions

Possible Cause

Solution

The ECS is frozen or stopped.

Make sure that the ECS is in the Running state. For details, see Checking the ECS Status.

The entered username or password is incorrect.

The default username for Linux ECSs is root. If the password is incorrect, reset the password on the management console. For details, see Checking the Login Mode.

The ECS is overloaded.

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur. For details, see Checking Whether the ECS Is Overloaded.

The ECS has no EIP bound.

To log in to an ECS using RDP or MSTSC, ensure that the ECS has an EIP bound. For details, see Checking Whether an ECS Has an EIP Bound.

The access is blocked by the ISP.

Check whether you can access the ECS using another hotspot or network. For details, see Checking Whether the Network Is Normal.

The security group of the ECS denies inbound traffic on the remote login port.

Check whether the security group allows inbound traffic on the remote login port. For details, see Checking Whether the Security Group Is Correctly Configured.

The remote access port is incorrectly configured.

Check whether the remote access port is correctly configured on the local computer and the ECS. For details, see Checking Whether the Remote Access Port Is Correctly Configured.

An IP address whitelist for SSH logins has been configured.

Check whether an IP address whitelist for SSH logins has been configured after HSS is enabled. For details, see Checking the IP Address Whitelist for SSH Logins (with HSS Enabled).

An OS fault has occurred.

The file system is damaged. For details, see Checking Whether an OS Fault Has Occurred.

The access is blocked by third-party antivirus software.

Disable or uninstall the third-party antivirus software and try again. For details, see Checking Whether the Access Is Blocked by Antivirus Software.

The cause is displayed in the error message.

If an error message is displayed during remote login, check the operation guide based on the error information. For details, see Checking Whether an Error Occurred During a Remote Login.

Checking the ECS Status

Check whether the ECS is in the Running state on the management console. If the ECS is stopped, start it and try to log in to the ECS again.

Figure 1 Checking the ECS status

Checking the Login Mode

Check the login mode you set when you created the ECS.

Figure 2 Login Mode
  • Password: Check whether the login password is correct. If you forgot your password, reset the password. After you reset the password, restart the ECS for the new password to take effect.
  • Key pair
    • For the first login, use an SSH key. For details, see Logging In to a Linux ECS Using an SSH Key Pair.
    • For a non-first login, if you want to use the remote login function (VNC) provided by the management console, log in to the ECS using the SSH key and set the password.

Checking Whether the ECS Is Overloaded

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Linux ECS Running Slowly?

  • If the login failure is caused by high CPU usage, perform the following operations to reduce the CPU usage:
    • Stop certain processes that are not used temporarily and try again.
    • Restart the ECS.
    • Reinstall the ECS OS. Back up important data before the reinstallation.
    • If the ECS OS cannot be reinstalled due to important data, replace the disk attached to the ECS. To do so, back up data on the original disk, detach the disk from the ECS, attach the new disk to the ECS, and copy data to the new disk.

    You can also upgrade the vCPUs and memory by modifying the ECS specifications.

  • If the login fails because the bandwidth exceeds the limit, perform the following operations:

    For instructions about how to increase the bandwidth, see Changing an EIP Bandwidth.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether an ECS Has an EIP Bound

If you need to use a remote login tool (such as PuTTY or Xshell) to access the ECS, bind an EIP to the ECS.

For details, see Assigning an EIP and Binding It to an ECS.

Checking Whether the Network Is Normal

Use a local PC in another network or use another hotspot to access the ECS. Check whether the fault occurs on the local network. If so, contact the carrier to resolve this issue.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Security Group Is Correctly Configured

Check whether the local host can access port 22 on the ECS.

Run the following command to check whether port 22 is accessible:

telnet ECS private IP address

If port 22 is inaccessible, check whether port 22 is opened in the security group rule.

On the ECS details page, click the Security Groups tab and check that port 22 is configured in the inbound rule of the security group.

For details about how to modify a security group rule, see Modifying a Security Group Rule.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Remote Access Port Is Correctly Configured

Check ECS settings.
  1. Check whether the sshd process is running.
  2. Check whether your local PC is denied by the ECS.
    1. Log in to the ECS and run the following command:

      vi /etc/hosts.deny

    2. If the IP address of the local PC is in the hosts.deny file, the ECS denies connection attempts from the local PC. In such a case, delete the IP address from the file.
  3. Open the /etc/ssh/ssh_config file in the local PC and view the default login port. Then, open the /etc/ssh/sshd_config file in the ECS and check whether the SSH port is the default port 22.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking the IP Address Whitelist for SSH Logins (with HSS Enabled)

After HSS is enabled, you can configure an IP address whitelist for SSH logins as required. The IP address whitelist controls SSH access to ECSs, effectively preventing account cracking.

After you configure the allowlist, SSH logins will be allowed only from IP addresses in the allowlist.

  1. On the Events page, check whether a local host IP address is intercepted due to brute force cracking.
  2. Check whether the IP address whitelist for SSH logins has been enabled. If it has been enabled, ensure that the IP address of the local host has been added to the IP address whitelist.
    • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the allowlist. Otherwise, you cannot remotely log in to your ECS through SSH.
    • Exercise caution when adding a local IP address to the allowlist. This will make HSS no longer restrict access from this IP address to your ECSs.

Checking Whether an OS Fault Has Occurred

  • Password injection failure

    The password failed to be injected using Cloud-Init.

  • File system damaged after a forcible stop

    There is a low probability that the file system is damaged after a forcible stop, which causes the ECS fails to be restarted. For details, see Why Does a Forcibly-Stopped Linux ECS Fail to Be Restarted?

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Access Is Blocked by Antivirus Software

Third-party antivirus software may lead to a failure in accessing the ECS.

If third-party antivirus software is running, check whether the remote connection is blocked by the software. If the remote connection is blocked, add the EIP bound to the ECS to the whitelist of the antivirus software and try to access the ECS again.

You can also disable or uninstall the third-party antivirus software and try to remotely log in to the ECS again.

Checking Whether an Error Occurred During a Remote Login

If an error message is displayed during remote login, check the operation guide based on the error information.

If the fault persists, record the resource details and fault occurred time, and contact technical support for assistance.

If the fault persists after the preceding operations are performed, record the resource details and fault occurred time, and contact customer service for technical support.