Encountering an "ssh connect to host connection refused port 22" message is a common yet frustrating hurdle for system administrators and developers. This specific error indicates that your client successfully reached the network path to the target machine, but the SSH daemon (sshd) was not available to accept the connection on the standard port 22. The refusal usually stems from the service not running, a firewall blocking access, or a fundamental misconfiguration of the network or SSH settings.
Diagnosing the Core Causes
The first step in resolving this issue is moving beyond frustration to diagnosis. You must determine whether the problem lies with the remote host, the network infrastructure, or your local client configuration. A connection refusal is fundamentally different from a timeout; refusal implies an active device (like a firewall or the host itself) is explicitly telling your client, "I'm here, but I'm not listening on this port." This distinction is critical for identifying the correct solution.
Service-Level Issues
The most direct cause is that the SSH service on the remote server is down or has crashed. This can happen unexpectedly due to system crashes, improper shutdowns, or resource exhaustion. Alternatively, the daemon might be configured to listen on a non-standard port, which is common for security through obscurity or in multi-service environments. If the service is simply not running, no amount of client-side tinkering will yield a successful connection until it is started.
Network and Firewall Restrictions
Network security appliances are frequent culprits behind this error. Cloud security groups, on-premise firewalls, or local host-based firewalls (like `iptables` or `ufw`) can be configured to drop incoming traffic to port 22. Unlike a port being filtered, a refusal packet (RST) is sent back, confirming the port is closed. You should verify the firewall rules governing the target server's network interface to ensure inbound TCP traffic on the intended port is explicitly allowed.
Verification and Troubleshooting Steps
To systematically isolate the issue, you can perform a series of checks from your local machine. These steps help narrow down the problem space from a broad network issue to a specific service misconfiguration.
ping [hostname]
Checking the Remote Service
If you have console access (via a cloud provider dashboard, physical access, or a different jump host), you must log into the server directly. Once inside, use commands like `systemctl status sshd` (on systemd systems) or `service ssh status` to confirm the daemon is active. Checking the listening ports with `ss -tuln` or `netstat -tuln` will show you exactly which interfaces and ports the server is actually monitoring.
Resolving the Connection Refusal
With the diagnosis complete, you can apply the appropriate fix. If the SSH service was down, starting it with `sudo systemctl start sshd` is the immediate solution. However, to prevent recurrence, you should ensure it is enabled to start on boot. Furthermore, if the service is listening on a non-standard port, you must specify that port in your client command using the `-p` flag (e.g., `ssh user@host -p 2222`).
