Encountering the message "ssh: connect to host port 22: connection refused" is a common yet frustrating event for system administrators and developers. This specific error indicates that your client successfully reached the network location of the target server, but the SSH daemon was not available to accept the connection on port 22. Unlike a timeout, which suggests network issues, a refusal implies that something is actively blocking the port or the service is down, requiring a systematic approach to troubleshooting.
Understanding the Technical Cause
The error string "connection refused" is a TCP/IP response generated by the target host's operating system. When your computer sends a SYN packet to initiate a connection, the server responds with a RST (Reset) packet rather than a SYN-ACK. This reset packet is the direct cause of the ssh: connect to host port 22: connection refused notification. The most frequent reasons for this reset are the SSH service being stopped, listening on a different port, or a firewall dropping the packets before they reach the service.
Initial Verification Steps
Before diving into complex configurations, verify the basic status of the remote host. Start by checking if the server is powered on and reachable via alternative methods, such as ping or a web interface provided by your cloud provider. While SSH relies on TCP port 22, a simple ping test can confirm layer 3 connectivity, helping to distinguish between a total network outage and a specific service failure.
Checking Port Accessibility
Use command-line tools like telnet or nc (netcat) to test the TCP handshake directly. Running telnet [server-ip] 22 will show whether the port is open and accepting connections or if the connection is actively refused. If the port is filtered by a firewall, you might experience a silent timeout instead of a refusal, which helps narrow down the issue to a firewall rule rather than a service configuration.
Common Server-Side Issues
On the server side, the SSH daemon, usually named sshd , might not be running due to a recent crash, manual stop, or system reboot failure. System administrators should check the service status using systemctl or init scripts. Another common cause is a misconfiguration in the /etc/ssh/sshd_config file, such as a typo in the Port directive, which causes the daemon to bind to a port the client is not attempting to use.
Firewall and Security Group Configurations
Modern infrastructure often places servers behind cloud provider security groups or local firewall software like iptables or ufw . These security layers might block inbound traffic on port 22 based on IP whitelisting rules. It is crucial to verify that the rule allowing traffic on port 22 is applied to the specific instance and that the source IP address matches the client attempting the connection.
