Connection refused even though port is open and a service is listening
Hello,
Thanks to the help of some people, I got the idea to install a min.io server. After many hours I managed to install and run it. (Soon I will become a server admin, lol) At least it works via the browser. But the connection is refused when I try to reach it from another server to use it as an S3 storage.
[xxx@centos ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 xx.xx.xxx.xxx:9000 0.0.0.0:* LISTEN 1180/minio
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1177/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1150/master
tcp6 0 0 :::22 :::* LISTEN 1177/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1150/master
[xxx@centos ~]# firewall-cmd --zone=public --add-port=9000/tcp --permanent
Warning: ALREADY_ENABLED: 9000:tcp
success
And I disabled SELinux.
[xxx@centos ~]# setsebool -P httpd_can_network_connect on
setsebool: SELinux is disabled.
So when I try to reach it, it says:
# nc -v xx.xx.xxx.xxx 9000
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.
From my site:
AWS HTTP error: cURL error 7: Failed connect to xx.xx.xxx.xxx:9000; Connection refused (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I am not sure what else I can do at this point. Maybe the host of my server blocks it? I got a pretty cheap storage VPS deal from here to test out things. I am a beginner and have no clue what I am doing, please help.
Should I contact them? Or what can I do?
Thank you.
Comments
It is a possibility that it's being blocked up stream.
You can also check via https://canyouseeme.org/
I can't use the tool. It doesn't let me enter the server's IP, it takes my IP.
And what does "blocked up stream" mean?
From another VPS, try this:
You may have to install nmap - all major distros have it in their package managers.
You should get something like this if the port is open (obviously, different port/service name):
I tried 3 different ways, not sure which one is correct.
[00:51][xxx@xxx ~]# nmap -p9000 xx.xx.xxx.xxx:9000
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-26 00:52 UTC
Failed to resolve "xx.xx.xxx.xxx:9000"
[00:52][xxx@xxx ~]# nmap -p9000 xx.xx.xxx.xxx
Nmap scan report for xx.xx.xxx.xxx
Host is up (0.030s latency).
PORT STATE SERVICE
9000/tcp filtered cslistener
[00:53][xxx@xxx ~]# nmap -p9000 xx.xx.xxx.xxx 9000
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-26 00:54 UTC
setup_target: failed to determine route to 9000 (0.0.35.40)
Host is up (0.028s latency).
PORT STATE SERVICE
9000/tcp filtered cslistener
Not sure if this will help, but is there a setting to bind the server to 0.0.0.0:9000 instead of the xxx.xxx.xxx.xxx:9000, that might work?
From the nmap docs:
“Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.”
I think you indicated you’re using centos....sorry, I can’t help with firewalld but perhaps someone else can. You could temporarily turn firewalld off to see if that fixes it.
I don't know, you tell me?
I disabled firewalld, still same problem.
Do you think I should not go CentOS? I heard it is safer, which is why I went CentOS, but could switch to Ubuntu probably?
SELinux perhaps?
What is the result of 'sestatus'? If it says "enabled" then you can either learn SELinux or disable it. To disable it, edit /etc/sysconfig/selinux and change SELINUX from "enforcing" to either "permissive" or "disabled". You will need to reboot to have this take effect.
If you check my 1st post, SELinux is disabled already.
I am not sure what else to do here. Could it be that my VPS provider is blocking things beforehand?
[xxx@centos ~]# sestatus
SELinux status: disabled
What virtualization is it?
CentOS 7
I mean is that a KVM or OVZ?
It’s not a NAT VPS is it?
Just making sure.
Oh, sorry. It is KVM VPS.
What did you get and from who?
Sorry but I think this whole thing would make sense if this was a NAT VPS.
So the other server where you are connecting from, does that also have the same port open?
I mean I am a noob when it comes to server things, so I didn't want to name the hoster, because it might be actually me the problem here. So it would not be fair. It is the 512 GB plan.
Does it need to be? Let me check. It looks like it is.
[00:54][xxx@xxx ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4805/nginx: master
tcp 0 0 127.0.0.1:9991 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 127.0.0.1:9002 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 127.0.0.1:9003 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 19294/memcached
tcp 0 0 127.0.0.1:9004 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 127.0.0.1:9005 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4805/nginx: master
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 19012/pure-ftpd (SE
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1522/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1443/master
tcp6 0 0 :::3306 :::* LISTEN 15495/mysqld
tcp6 0 0 ::1:9200 :::* LISTEN 1529/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 1529/java
tcp6 0 0 ::1:9300 :::* LISTEN 1529/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 1529/java
tcp6 0 0 :::21 :::* LISTEN 19012/pure-ftpd (SE
tcp6 0 0 :::22 :::* LISTEN 1522/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1443/master
Not sure what it is really. Looks like you’ve got everything the way it should be - at least from what you’ve shown.
Maybe restart MinIO?
Did you
firewall-cmd --reload
after that? I'm guessing you added it to the permanent rule and not the runtime. The runtime is "temporary" you might say, if you reload the firewall, it'll replace the runtime rule with the permanent one.
Yeah, like this is how unlucky I am. First time installing something on a first time storage VPS, and I get sth. like this to deal with... Googling for hours for a solution... I am not a server guy.
I did restart the server and did restart the minio.service. Are there any other ways to restart?
Tomorrow I'll dig into the min.io logs someone sent me in a private pm. But minio runs fine from the browser as I have access, just no access from the server. I think it is something before minio which blocks it.
Also one question, if I type my server IP in my browser, it finds nothing and times out. Is it maybe I didn't allow the main IP (without the port) to have access to sth.? But I have no files on /home folder or something. I don't know.
I think I did but now since you said it, I did again. No change.
Can you
curl xx.xx.xx.xx:9000
in your storage KVM? HostSolutions gave public IP for storage KVMs so NAT shouldn't be an issue.
Could be MinIO itself, run some simple service and bind on 0.0.0.0:9000 (e.g. python3 -m http.server --bind 0.0.0.0 9000) see if that's reachable.
[xxx@centos ~]# curl xx.xx.xxx.xxx:9000
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied
<Resource>/</Resource>
<RequestId>165DAAF091A78E83</RequestId><HostId>25eca351-4ec9-48f9-9776-a01427eae071</HostId></Error>
[xxx@centos ~]# python3 -m http.server --bind 0.0.0.0 9000
Traceback (most recent call last):
File "/usr/lib64/python3.6/runpy.py", line 193, in _run_module_as_main "__main__", mod_spec)
....
File "/usr/lib64/python3.6/socketserver.py", line 470, in server_bind self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
firewall-cmd --list-all, what's the output?
[xxx@centos ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 9000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Scratch that, I somehow missed half the thread. After re-reading, it seems you have a problem with the server you're trying to connect from (could be an upstream issue, e.g. someone's blocking HostSolution IPs) instead of the one hosting MinIO. Do you have other servers (ideally from different providers/DCs) you can test from?
Unfortunately I don't have any access to any other server. Only these two. But your point is actually interesting. I didn't think about that. Maybe everything is fine with the storage server, but my real server is the problem.
We already checked if the main server has port 9000 open and it does. Any other idea how to check it or find out?
Where did you check it from, your personal computer? If that is the case, then it's all pointing to the server you're trying to connect from.
https://portchecker.co/
https://www.portcheckers.com/
I checked everything through the server my main website is at. I want to use min.io for storage so I got this storage server. But the main site server can't get a connection to that storage server. I did not use my personal computer to check anything. And I believe those tools are for that.
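Added example, not part of any post in this thread: a small Python helper for the two checks the thread keeps returning to. It reads `netstat -plnt` rows to show which address a port is bound to, and it classifies one outbound TCP connect attempt. The sample rows are constructed in the format quoted above, with 203.0.113.10 as a documentation address standing in for the masked IP; the function names are this example's own.

```python
import errno
import ipaddress
import socket

# Constructed sample rows in the `netstat -plnt` format quoted in the thread.
SAMPLE_NETSTAT = """\
tcp 0 0 203.0.113.10:9000 0.0.0.0:* LISTEN 1180/minio
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 4821/php-fpm: maste
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1177/sshd
tcp6 0 0 :::22 :::* LISTEN 1177/sshd
"""

def bind_scope(netstat_text, port):
    """Return [(local_ip, scope, program)] for every TCP listener on `port`."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        host, _, p = cols[3].rpartition(":")  # copes with "::1:25" and ":::22"
        if p != str(port):
            continue
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            scope = "loopback only"    # reachable from the machine itself only
        elif ip.is_unspecified:
            scope = "all interfaces"   # 0.0.0.0 or ::
        else:
            scope = "single address"   # reachable only via that one address
        found.append((str(ip), scope, " ".join(cols[6:])))
    return found

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt made from the machine running this."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        # A TCP RST from the host, or an ICMP port-unreachable sent by a
        # firewall reject rule on the path; both surface as ECONNREFUSED.
        return "refused"
    except socket.timeout:
        return "no reply"              # packets silently dropped somewhere
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

if __name__ == "__main__":
    for row in bind_scope(SAMPLE_NETSTAT, 9000):
        print(row)
```

A local listener on the connecting server (the php-fpm row) has no bearing on outbound connections to port 9000 elsewhere; `probe` has to be run from the server that cannot connect, against the storage server's address.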