RDP to Rocky EC2 Instance

Greetings from a Rocky n00b…

I have set up a Rocky EC2 instance, which ssh’s just fine. I also installed Gnome and xrdp, and set up the security group for tcp/3389. But I am still not able to connect.

One thought is that the Rocky AMI has no password for the ‘rocky’ account (yes, using keypair for ssh) so perhaps it needs one.

Beyond that, might someone spot me a clue as to what I can try next?



Please provide the output of the following:

systemctl status xrdp


netstat –atnp | grep 3389

Also if you may need to add a rule to firewalld:

firewall-cmd --add-port=3389/tcp --permanent

Or if needs to be IP specific:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="ip,add.re.ss" port port=3389 protocol=tcp accept'

Thanks Tom.

In AWS the Security Group - which I have allowing tcp/3389, tcp/22 and tcp/80, takes the place of firewalld. The Rocky AMU image doesn’t even start it.

[root@ip-172-31-24-100 ~]# systemctl status xrdp

  • xrdp.service - xrdp daemon
    Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor preset: disabled)
    Active: active (running) since Mon 2021-08-23 03:14:47 UTC; 6s ago
    Docs: man:xrdp(8)
    Main PID: 2248 (xrdp)
    Tasks: 1 (limit: 10895)
    Memory: 1.2M
    CGroup: /system.slice/xrdp.service
    `-2248 /usr/sbin/xrdp --nodaemon

Aug 23 03:14:47 ip-172-31-24-100.us-west-2.compute.internal systemd[1]: Started xrdp daemon.
Aug 23 03:14:47 ip-172-31-24-100.us-west-2.compute.internal xrdp[2248]: [INFO ] starting xrdp with pid 2248
Aug 23 03:14:47 ip-172-31-24-100.us-west-2.compute.internal xrdp[2248]: [INFO ] address [] port [3389] mode 1
Aug 23 03:14:47 ip-172-31-24-100.us-west-2.compute.internal xrdp[2248]: [INFO ] listening to port 3389 on
Aug 23 03:14:47 ip-172-31-24-100.us-west-2.compute.internal xrdp[2248]: [INFO ] xrdp_listen_pp done

And this image seems not to like your netstat command, but I see no evidence that 3389 is open.

Thanks, that’s a start.


Ah, found it:

[root@ip-172-31-24-100 ~]# ss -antp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32* users:((“dnsmasq”,pid=1665,fd=6))
LISTEN 0 2* users:((“xrdp-sesman”,pid=2247,fd=9))
LISTEN 0 128* users:((“sshd”,pid=1184,fd=5))
LISTEN 0 5* users:((“cupsd”,pid=1091,fd=10))
LISTEN 0 2* users:((“xrdp”,pid=2248,fd=11))
LISTEN 0 128* users:((“rpcbind”,pid=839,fd=4),(“systemd”,pid=1,fd=29))
CLOSE-WAIT 32 0 users:((“gnome-shell”,pid=1487,fd=46))
ESTAB 0 52 users:((“sshd”,pid=2065,fd=5),(“sshd”,pid=2034,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:((“sshd”,pid=1184,fd=7))
LISTEN 0 5 [::1]:631 [::]:* users:((“cupsd”,pid=1091,fd=9))
LISTEN 0 128 [::]:111 [::]:* users:((“rpcbind”,pid=839,fd=6),(“systemd”,pid=1,fd=33))
[root@ip-172-31-24-100 ~]#


Sorry forgot netstat needs installing.

Also please provide the output of:

firewall-cmd --state


firewall-cmd --list-all

Thanks Tom.

The ‘ss’ is newer, more able alternative for ‘netstat’.

To see actual rules in kernel:

sudo nft list ruleset

As said, cloud instances rarely have any rules, because the hypervisor provides filtering.