SFTPGo or MiroTalk SFU not starting because they use ephemeral ports

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Thu, 25 Sep 2025 07:02:58 GMT

joseph — Thu, 25 Sep 2025 07:02:58 GMT

FWIW, I can confirm that on Hetzner/Ubuntu this is the default range.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Thu, 25 Sep 2025 03:20:48 GMT

robi — Thu, 25 Sep 2025 03:20:48 GMT

@girish "32768-60999 range" is not the entire valid range for linux, so I would guess it was a configuration default instead.

Hence the tightening request.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Wed, 24 Sep 2025 05:57:47 GMT

girish — Wed, 24 Sep 2025 05:57:47 GMT

@robi I think the port range comes part of linux/ubuntu setup . I also don't completely know the side effects of making it tighter.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Fri, 19 Sep 2025 06:20:17 GMT

robi — Fri, 19 Sep 2025 06:20:17 GMT

Can you also shrink the ephemeral port range to something tighter @girish ?

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Tue, 09 Sep 2025 09:17:52 GMT

imc67 — Tue, 09 Sep 2025 09:17:52 GMT

@girish said in Server security update reboot: SFTPGo doesn't start:

A package cannot change the port ranges (just like it cannot change the installated domain names) . But for new installation, it will recommend 20000 instead

Maybe you can explicitly mention in the update notes the default / advised ports? Existing installs will not be moved to the "new" ports and thus keep having issues?

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Tue, 09 Sep 2025 08:56:16 GMT

girish — Tue, 09 Sep 2025 08:56:16 GMT

@imc67 max port is 65535 so it can't be 70000 . A package cannot change the port ranges (just like it cannot change the installated domain names) . But for new installation, it will recommend 20000 instead . I have also fixed up the sfu package, will be published shortly .

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Tue, 09 Sep 2025 08:50:26 GMT

imc67 — Tue, 09 Sep 2025 08:50:26 GMT

@girish and @James I just updated SFTPGo to 1.1.0, don't see differences, portrange is still 41000 but I also can't change it to ie. 70000, the field becomes RED.

EDIT: I can change it to 61000

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Tue, 09 Sep 2025 08:32:24 GMT

imc67 — Tue, 09 Sep 2025 08:32:24 GMT

@girish good founds! It's also the same issue with MiroTalk (what I know of and experienced) but maybe more apps?

https://forum.cloudron.io/search?term=bind%3A address already in use&in=titlesposts

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Tue, 09 Sep 2025 07:50:12 GMT

girish — Tue, 09 Sep 2025 07:50:12 GMT

@imc67 some blind guess here. I think what's happening is that something in box side (maybe backups code) is occupying that port 41000. This is in turn blocking the containers from using that port.

Digging deeper, this seems possible. The ephemeral port range is

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768	60999

So, 40000 is not a good choice for a container to listen to. @imc67 a quick fix for you is to change sftpgo to use some other port which is outside the 32768-60999 range. In the meantime, I will fix the package to default to some port range outside the ephemeral port range.

I think it would be nice to also warn people when try to run containers in ephemeral port ranges. I will put a note in the docs for a start. @james what do you think?

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Thu, 04 Sep 2025 20:38:25 GMT

imc67 — Thu, 04 Sep 2025 20:38:25 GMT

said in Server security update reboot: SFTPGo doesn't start:

Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there is had an active connection (ssh outside of Docker) to the right IPv6 my storage box!

I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish

BTW: @James please redact my ip's in your message (I just corrected mine)

@girish is this a bug? There are more topics with the same kind of error message

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 13:21:19 GMT

imc67 — Mon, 01 Sep 2025 13:21:19 GMT

Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there is had an active connection (ssh outside of Docker) to the right IPv6 my storage box!

I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish

BTW: @James please redact my ip's in your message (I just corrected mine)

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 13:57:02 GMT

james — Mon, 01 Sep 2025 13:57:02 GMT

This might have been a lingering connection from one of your IoT devices.

ssh     940 root    3u  IPv6  25971      0t0  TCP [2a03:REDACTED:61f0]:41090->[2a01:REDACTED::2]:telnet (ESTABLISHED)

The program used was ssh so I assume a lingering sftp connection since SFTP uses SSH as the binding agent.
If you can find out what or who 2a03:REDACTED:61f0 and 2a01:REDACTED::2 is you might find the device that had the connection still open.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 08:02:55 GMT

imc67 — Mon, 01 Sep 2025 08:02:55 GMT

Thanks to ChatGPT I could solve it:

"Something" outside Docker was claiming this port

sudo kill 940

Killed this connection, now the restore worked and the app started.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 07:52:43 GMT

imc67 — Mon, 01 Sep 2025 07:52:43 GMT

BTW: I also restarted Docker via the GUI but it also didn't solved it.

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 08:32:42 GMT

imc67 — Mon, 01 Sep 2025 08:32:42 GMT

@james said in Server security update reboot: SFTPGo doesn't start:

You can also run the following on your root:

lsof -i :41090 -S
to see if really anything is using that port.

yes:

~# lsof -i :41090 -S
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     940 root    3u  IPv6  25971      0t0  TCP [2a03:****:5f:dc5:48ba:****:fe45:61f0]:41090->[2a01:4f8:****:1635::2]:telnet (ESTABLISHED)

What could it be? I already stopped MiroTalk and Nextcloud

Reply to SFTPGo or MiroTalk SFU not starting because they use ephemeral ports on Mon, 01 Sep 2025 07:49:00 GMT

james — Mon, 01 Sep 2025 07:49:00 GMT

Hello @imc67
The issue why your SFTPGo is not starting is because 0.0.0.0:41090: bind: address already in use.
I highly suspect this is just temporary and if you stop the app for 2–5 minutes and then start the app again, this will resolve itself.

You can also run the following on your root:

lsof -i :41090 -S

to see if really anything is using that port.