Troubleshooting Configurations

Fix the “connection refused” error in Postgres

"Troubleshoot 'Connection Refused' Error in Postgres Setup with CoGuard's Configuration File Scanner. Ensure Server Connectivity and Security."

Written by CoGuard

The Problem

You are configuring and setting up infrastructure, and just as you think you are finished, the following error message pops up:

psql: could not connect to server: Connection refused

How do you troubleshoot this error message? 

Not entirely sure how to troubleshoot it? Rest here, weary traveler, as we go through the ways you can figure it out.

The Solution

How you troubleshoot this problem depends on which machine you currently have access to.

Can you connect to the Postgres instance? 

Start with the IP address of the Postgres server. In our example, we assume that:

Postgres instance IP address (server A): 10.0.0.5
Different server instance/container (server B) IP address: 10.0.0.7

Can you ping server A from server B? On server B: 

ping 10.0.0.5

Then view the results. If the ping succeeds, verify that the exact port you are connecting to is reachable. The default Postgres port is 5432.

On server B: 

nc -zv 10.0.0.5 5432

You need to have nc (netcat) installed on your system. It is usually part of common Linux and macOS distributions, or you can download and install it from nmap.org.

If the ping or nc command fails, you very likely need to check the firewall settings: your AWS security groups, your Kubernetes pod-to-pod communication, your iptables settings, or whatever network control mechanism applies to your case.

Troubleshooting postgresql.conf

The postgresql.conf file contains a setting called listen_addresses (https://www.postgresql.org/docs/current/runtime-config-connection.html).

Check that it includes every server address on which you expect connections to arrive.

You can also double check the port in that same file to ensure that you are not using a different number there.

Security Sidenote: The listen_addresses setting should generally be defined as narrowly as possible for security reasons. CoGuard is a configuration file scanner that includes security best practices and standards and will suggest changes to your postgresql.conf files to improve security.

Troubleshooting pg_hba.conf

There might be a permission issue in the pg_hba.conf access configuration file.

The pg_hba.conf file is the access control list for Postgres. Client authentication is controlled by this file, which is stored in the database cluster’s data directory. The general format is a set of records, one per line. Blank lines are ignored. Each record specifies the source, the authentication mechanisms and behaviors. When a user tries to connect to the server, this file is analyzed line by line, and the first match is used to perform the necessary authentication of the user.

In pg_hba.conf, make sure that you have an entry whose IP address or mask includes the IP address of server B. Additionally, be aware of conflicting entries in earlier lines: there should not be any conflicts, as every line should have a well-defined IP range. The pg_hba.conf file can be discovered and scanned by CoGuard in your code repository or in your containers. CoGuard contains policies that identify misconfigurations, including conflicts, in most infrastructure files.
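
To see the first-match rule and a conflicting earlier entry in action, here is an added example (not CoGuard's code and not part of the original article) that evaluates a constructed pg_hba.conf for a given client. It assumes numeric addresses or the `all` keyword only; hostnames, `samehost`/`samenet`, quoted fields and group or file references are not handled, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample pg_hba.conf; addresses follow the article's example (server B = 10.0.0.7).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS            METHOD
local   all       all                      peer
host    all       all   127.0.0.1/32       scram-sha-256
host    all       all   10.0.0.0/29        reject
host    appdb     app   10.0.0.7/32        scram-sha-256
host    appdb     app   10.0.0.9 255.255.255.255 scram-sha-256
"""

def parse_host_records(text):
    """Yield (line_no, databases, users, network, method) for TCP records."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank line, comment, or a non-TCP record such as "local"
        _, dbs, users, addr, *rest = fields
        if addr == "all":
            network = None  # keyword: matches every client address
        elif "/" in addr:
            network = ipaddress.ip_network(addr, strict=False)
        else:  # separate-netmask form: ADDRESS NETMASK METHOD
            network = ipaddress.ip_network(f"{addr}/{rest.pop(0)}", strict=False)
        yield line_no, dbs.split(","), users.split(","), network, rest[0]

def matching_records(text, client_ip, database, user):
    """All records that match, in file order; Postgres only uses the first."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for line_no, dbs, users, network, method in parse_host_records(text):
        if network is not None and ip not in network:
            continue
        if ("all" in dbs or database in dbs) and ("all" in users or user in users):
            hits.append((line_no, method))
    return hits

def explain(text, client_ip, database, user):
    hits = matching_records(text, client_ip, database, user)
    if not hits:
        return "no matching record: connection is rejected"
    (line_no, method), shadowed = hits[0], hits[1:]
    note = f"; shadowed later lines: {[n for n, _ in shadowed]}" if shadowed else ""
    return f"line {line_no} decides, method={method}{note}"

if __name__ == "__main__":
    for ip in ("10.0.0.7", "10.0.0.9", "10.0.0.20"):
        print(ip, "->", explain(SAMPLE_HBA, ip, "appdb", "app"))
```

In the sample, the broad `reject` record on line 4 covers 10.0.0.7, so the more specific entry for server B on line 5 never takes effect; moving the specific entry above the broad one resolves the conflict.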

Start By Scanning Your Configuration Files

CoGuard is a code scanner for configuration files. It can be used to discover the configurations and configuration files in your IaC code repositories, on your cloud configurations, or in your file system and the containers. CoGuard provides policies that include the identification of misconfigurations for virtual memory, heap memory and container limitations. 

Explore a test environment


Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interactive dashboard today.