Encountering a "connection closed by port 22" message is a common yet frustrating hurdle for system administrators and developers working with remote servers. This specific error indicates that the client initiated a handshake with the server's SSH daemon, but the connection was terminated before any authentication could occur. Unlike a timeout, which suggests the server is unreachable, this response implies the server is actively listening but refusing the connection at the protocol level. Diagnosing this requires a systematic approach to differentiate between configuration mismatches, network security policies, and service availability issues.
Understanding the SSH Protocol Handshake
To effectively troubleshoot port 22 errors, it is essential to understand the standard SSH connection lifecycle. When a client attempts to connect, it first establishes a TCP handshake with the server's SSH port. If the port is open and accepting traffic, the server sends a banner identifying its protocol version. The "connection closed by port 22" error typically occurs after this banner exchange, during the key exchange algorithm negotiation. At this stage, the server might drop the connection if it does not support the client's proposed algorithms or if the server's host keys are invalid or missing.
Common Causes of the Error
The root cause of a premature connection closure is rarely singular; it usually stems from a misconfiguration or a security restriction. Below are the most frequent contributors to this specific error message.
Incorrect SSH Port: The client might be attempting to connect to a non-standard port while the server is configured to listen only on the default port 22.
Firewall Restrictions: A network firewall or cloud security group might be silently dropping packets or sending RST (reset) packets instead of allowing SYN-ACK responses.
SSH Service Down: The sshd daemon might be stopped, crashed, or not yet initialized, leaving the port closed despite the server being online.
Diagnostic Strategies and Tools
Relying solely on the client-side error message is insufficient for resolution. Administrators must utilize network diagnostic tools to observe the traffic flow and server state. The process begins with basic connectivity checks and escalates to packet analysis if necessary.
Step-by-Step Verification
Start by verifying the physical layer and IP reachability. Pinging the server confirms if the network layer is operational, although ICMP packets are often deprioritized by network hardware. The next step is to verify the port state using tools like telnet or nc (netcat). If the connection fails immediately with "Connection refused," the service is down. If the screen hangs, the port is likely filtered by a firewall. For deeper analysis, tcpdump on the server allows you to inspect the raw packets arriving on port 22, revealing whether the server sees the SYN request at all.
ping [server_ip]
telnet [server_ip] 22
sudo tcpdump -i eth0 port 22
