Encountering an "ssh connect to host port 22 connection timed out" message is a common yet frustrating hurdle for system administrators and developers. This specific error indicates that your client successfully initiated a network request but received no response from the target server on the standard SSH port. Unlike a "connection refused" message, which implies the server is actively rejecting the connection, a timeout suggests a fundamental breakdown in network communication. The problem often lies outside the SSH service itself, pointing to network infrastructure, firewall rules, or server availability issues that prevent the initial handshake.
Diagnosing the Network Path
The first step in resolving this issue is to verify basic network connectivity. Before diving into SSH-specific configurations, you must confirm that the target host is reachable. A simple ping test provides the initial data point, checking if the server responds to basic internet control messages. While a successful ping is a good sign, it only confirms that the server is on and has a working network interface. A failed ping indicates a deeper network problem, such as routing failure or the server being completely offline or blocked by a firewall at the network perimeter.
Using Traceroute to Identify Failure Points
To understand where the connection dies, utilize the traceroute command (or tracert on Windows). This tool maps the path your packets take to reach the destination, listing each router (hop) along the way. By analyzing the output, you can pinpoint where the packets stop progressing. If the trace stalls at a specific hop, it usually indicates a network congestion issue, a misconfigured router, or a security device blocking ICMP or traceroute packets. This diagnostic is crucial for distinguishing between a local network problem and an issue within the remote network’s infrastructure.
Examining Firewall and Security Group Rules
Firewalls are the most frequent culprits behind port 22 timeouts. Network firewalls, whether physical appliances or cloud-based security groups, are designed to filter traffic based on strict port policies. If the firewall protecting the target server does not have an explicit rule allowing inbound TCP traffic on port 22, any connection attempt will be silently dropped. Unlike a refusal, which sends a packet back, a drop results in a timeout, leaving your client waiting indefinitely. You must verify the firewall configuration on both the network edge and the host operating system to ensure the port is open and accessible from your IP address.
Verifying the SSH Daemon Status
Assuming the network path is clear and firewall rules are permissive, the next logical check is the SSH daemon (sshd) running on the target machine. It is possible for the server to be up and the firewall to be open, yet the SSH service itself is not running. This can happen due to a recent crash, a misconfigured startup script, or a manual shutdown. If you have console access, such as through a cloud provider's dashboard or physical access, you must log in directly and check the service status. Ensuring sshd is active and listening on the correct interface is fundamental to resolving the connection timeout.
Addressing Common Configuration Errors
Misconfiguration is another prevalent cause of this specific error. You should confirm that you are connecting to the correct hostname or IP address. Typos in the command are surprisingly common and lead to attempts to reach non-existent servers. Additionally, verify that the server is actually listening on port 22. Administrators sometimes change the default port for security through obscurity, and if you attempt to connect to the standard port on a non-standard service, the connection will time out. Double-checking the SSH configuration file (sshd_config) for the ListenAddress directive ensures the daemon is bound to the correct network interface your client is trying to reach.
