Encountering an "ssh connect to host port 22 connection refused" message is a common yet frustrating hurdle for system administrators and developers. This specific error indicates that your client application successfully reached the network location of the target server, but the SSH daemon was not available to accept the connection on the standard port. The refusal usually signifies that the service is not running, is blocked by a firewall, or is listening on a different port entirely.
Diagnosing the Core Issue
The first step in resolving this problem is to move beyond the generic error and gather specific data about the server's state. You need to verify whether the SSH process is active and if the port is open to listening network connections. This initial diagnosis helps narrow down the potential causes from a list of possibilities to the actual root issue affecting your session.
Checking Service Status and Port Listening
Before diving into complex network configurations, confirm the basic health of the SSH service on the remote machine. If you have console access or another management channel, you can check if the daemon is running. Simultaneously, verifying which ports are actively open provides a clear picture of whether SSH is listening on the expected endpoint.
Use `systemctl status sshd` (or `ssh`) on the server to verify the service is active.
Check local firewall rules on the server with `ufw status` or `iptables -L` to ensure port 22 isn't being dropped locally.
Network and Firewall Configuration
Once the server-side service is confirmed to be running, the "connection refused" error often points to network-level blocking or misrouting. Firewalls, whether on the host, network, or cloud provider level, are the most frequent culprits for dropping or refusing specific TCP packets.
Examining Access Control Lists and Security Groups
Modern infrastructure often relies on distributed firewall rules that exist outside the operating system itself. A common scenario is the Linux `ufw` or `iptables` being correctly configured, while the cloud provider's Security Group or Network ACL is blocking the traffic. You must audit both layers to get a complete view of the network path.
Alternative Scenarios and Misconfigurations
Not every "connection refused" scenario is caused by a block. Sometimes the issue lies in the configuration mismatch between the client's expectations and the server's reality. Administrators might change the default port for security through obscurity, or the server might be configured to listen only on specific network interfaces.
Verifying Non-Standard Ports and Binding Interfaces
If the SSH daemon is configured to listen on a port other than 22, attempting to connect on the default port will result in a refusal. Similarly, if the server has multiple network interfaces (e.g., public and private IPs), the daemon might be bound only to the internal network interface, making it inaccessible from the internet. Adjusting the client command to target the correct port and ensuring the interface binding matches your network path are critical troubleshooting steps.
