SSH connection refused

I have setup Gitea on an Ubuntu server using this docker-compose config:

version: '3.9'
services:
  db:
    image: docker.io/bitnami/postgresql:15
    volumes:
      - 'db_data:/bitnami/postgresql'
    environment:
      - POSTGRESQL_DATABASE=gitea
      - POSTGRESQL_USERNAME=gitea
      - POSTGRESQL_PASSWORD=gitea

  gitea:
    image: docker.io/bitnami/gitea:1
    volumes:
      - 'gitea_data:/bitnami/gitea'
    environment:
      - GITEA_DATABASE_HOST=db
      - GITEA_DATABASE_NAME=gitea
      - GITEA_DATABASE_USERNAME=gitea
      - GITEA_DATABASE_PASSWORD=gitea
      - GITEA_ADMIN_USER=example
      - GITEA_ADMIN_PASSWORD=example
      - GITEA_ADMIN_EMAIL=admin@example.com
      - GITEA_APP_NAME=Example Technologies
      - GITEA_DOMAIN=gitea.example.com
      - GITEA_SSH_DOMAIN=gitea.example.com
      - GITEA_SSH_PORT=22
      - GITEA_ROOT_URL=https://gitea.example.com/
      - GITEA_SMTP_ENABLED=true
      - GITEA_SMTP_HOST=smtp-relay.gmail.com:25
      - GITEA_SMTP_FROM=server@example.com
    ports:
      - '5050:3000'
      - '22:2222'

volumes:
  db_data:
  gitea_data:

My regular ssh service runs on port 1026, so there should be no port conflicts; here is my UFW status:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere                  
Anywhere on docker0        ALLOW IN    172.17.0.0/16             
1026/tcp                   ALLOW IN    Anywhere                  
22/tcp                     ALLOW IN    Anywhere                  
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)             
1026/tcp (v6)              ALLOW IN    Anywhere (v6)             
22/tcp (v6)                ALLOW IN    Anywhere (v6)    

When trying to connect from a remote machine I get the following:

ssh git@gitea.example.com
ssh: connect to host gitea.example.com port 22: Connection refused

However testing locally on the server, over ssh on port 1026, I get this when executing the same command on the server:

ssh git@gitea.example.com
git@gitea.example.com: Permission denied (publickey).

So I am really not sure what is going on; it's like incoming remote traffic to port 22 is being blocked, but even with UFW disabled I still receive "Connection refused" when trying to connect from a remote machine.

I have also tried using tcpdump to see what is happening, but can only see that nothing responds on port 22 to the incoming packets from a remote connection. Again, when connecting over port 22 locally on the server running gitea, I see normal TCP traffic for initiating an SSH connection.

I have looked through iptables and the only lines referencing port 22 I could find began with ACCEPT.

Can anyone provide any advice on what might be going wrong here, or how I can go about getting to the bottom of it?

Thanks

Please notice these lines:

- GITEA_SSH_PORT=22       # your sshd is listening on port 22 of your container
    ports:
      - '5050:3000'
      - '22:2222'                         # but you mapped the host port 22 to 2222 on your container

Change it to 22:22 and try again

1 Like

Hey from my gitea container logs I can see that the SSH server seems to be starting correctly on port 2222:

gitea-gitea-1  | 2023/05/25 09:57:29 ...s/graceful/server.go:62:NewServer() [I] [646f3109-19] Starting new SSH server: tcp::2222 on PID: 1
gitea-gitea-1  | 2023/05/25 09:57:29 cmd/web.go:220:listen() [I] [646f3109-27] Listen: http://0.0.0.0:3000
gitea-gitea-1  | 2023/05/25 09:57:29 cmd/web.go:224:listen() [I] [646f3109-27] AppURL(ROOT_URL): https://gitea.example.com/
gitea-gitea-1  | 2023/05/25 09:57:29 ...s/graceful/server.go:62:NewServer() [I] [646f3109-27] Starting new Web server: tcp:0.0.0.0:3000 on PID: 1

Also from the config cheat sheet (Config Cheat Sheet | Gitea Documentation):

* `SSH_PORT`: **22**: SSH port displayed in clone URL.
* `SSH_LISTEN_PORT`: **%(SSH_PORT)s**: Port for the built-in SSH server.

So I am fairly certain it is configured and running on the correct port inside the container.

Thanks,
Alex.

I managed to fix this with information from here:

Basically I added the following rule to ufw:
172.20.0.2 2222/tcp ALLOW FWD Anywhere # allow gitea-gitea-1 2222/tcp gitea_default

1 Like
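The thread turns on three facts that are easy to check mechanically: which container port the compose `ports:` entry publishes, which port the Gitea SSH server actually listens on (the container log line), and whether UFW permits the routed traffic. A published port is DNATed and then crosses the FORWARD chain, so the `22/tcp ALLOW IN` rule in the original status only covers the host's own sockets; with `deny (routed)` as the default, an `ALLOW FWD` rule for the container IP and port is what makes the difference. The following checker is an added example, not code from the thread, Gitea or Bitnami; the sample inputs are constructed from the values quoted above (the `22:2222` mapping, the `tcp::2222` log line, the UFW status before and after the fix, and the container IP 172.20.0.2), and the parsing is written for the textual `ufw status` layout shown in the question.

```python
"""Check a Docker-published SSH port against the container log and UFW rules.

Added example for the thread above; not code from Gitea, Bitnami or the posters.
"""
import re

# Constructed from the compose file in the question.
PUBLISHED_PORTS = ["5050:3000", "22:2222"]

# Constructed from the container log line Alex quoted.
GITEA_LOG = (
    "gitea-gitea-1  | 2023/05/25 09:57:29 ...s/graceful/server.go:62:NewServer() "
    "[I] [646f3109-19] Starting new SSH server: tcp::2222 on PID: 1"
)

# Constructed 'ufw status' text: the relevant lines from the question, then the
# routed rule from the final post appended.
UFW_BEFORE = """\
Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
1026/tcp                   ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
"""
UFW_AFTER = UFW_BEFORE + (
    "172.20.0.2 2222/tcp       ALLOW FWD   Anywhere "
    "# allow gitea-gitea-1 2222/tcp gitea_default\n"
)

SSH_LISTEN_RE = re.compile(r"Starting new SSH server: tcp:[^:]*:(\d+)")
FWD_RULE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+)/tcp\s+ALLOW FWD")
ROUTED_RE = re.compile(r"Default:.*?(allow|deny|reject) \(routed\)")


def parse_port_mappings(entries):
    """'[ip:]host:container[/proto]' strings -> list of (host_port, container_port)."""
    out = []
    for entry in entries:
        host, container = entry.strip("'\"").split(":")[-2:]
        out.append((int(host), int(container.split("/")[0])))
    return out


def ssh_listen_port(log_text):
    """Port the built-in SSH server reports in its 'Starting new SSH server' line."""
    match = SSH_LISTEN_RE.search(log_text)
    return int(match.group(1)) if match else None


def routed_policy(ufw_text):
    """UFW default policy for routed (forwarded) traffic, or None if not found."""
    match = ROUTED_RE.search(ufw_text)
    return match.group(1) if match else None


def routed_allows(ufw_text):
    """Set of (container_ip, port) pairs covered by an 'ALLOW FWD' rule."""
    rules = set()
    for line in ufw_text.splitlines():
        match = FWD_RULE_RE.match(line)
        if match:
            rules.add((match.group(1), int(match.group(2))))
    return rules


def check_published_ssh(port_entries, log_text, ufw_text, container_ip, host_port=22):
    """Return findings that explain why host_port may not reach the container's sshd.

    An empty list means the mapping, the listen port and the UFW routed rules agree.
    """
    findings = []
    mappings = dict(parse_port_mappings(port_entries))
    if host_port not in mappings:
        findings.append(f"host port {host_port} is not published")
        return findings
    container_port = mappings[host_port]

    listen = ssh_listen_port(log_text)
    if listen is None:
        findings.append("could not find the SSH listen port in the container log")
    elif listen != container_port:
        findings.append(
            f"mapping targets container port {container_port} but sshd listens on {listen}"
        )

    # Published ports are DNATed and forwarded: an 'ALLOW IN' rule for the host port
    # does not cover them when the routed default is not 'allow'.
    if routed_policy(ufw_text) != "allow" and (container_ip, container_port) not in routed_allows(ufw_text):
        findings.append(
            f"routed traffic is not allowed by default and no ALLOW FWD rule exists for "
            f"{container_ip} {container_port}/tcp (an ALLOW IN rule for {host_port}/tcp does not cover it)"
        )
    return findings


if __name__ == "__main__":
    for label, status in (("before fix", UFW_BEFORE), ("after fix", UFW_AFTER)):
        print(label, "->", check_published_ssh(PUBLISHED_PORTS, GITEA_LOG, status, "172.20.0.2") or ["ok"])
```

Running it with the "before" status yields the single finding about the missing `ALLOW FWD` rule, which matches the symptom in the question (remote "Connection refused" while a local connection to port 22 reaches the container); with the "after" status it reports nothing. Feeding it the `22:22` mapping suggested in the first reply instead produces a listen-port mismatch finding, which is what Alex's log line showed. On a live host the three inputs would come from the compose file, `docker logs`, and `ufw status`.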