Encountering the message "ssh connect to host port 22: connection timed out" is a common yet frustrating experience for system administrators and developers. This specific error indicates that your client successfully initiated a network connection to the target server's IP address, but the SSH daemon (sshd) did not respond within the expected timeframe. Unlike a "connection refused" error, which implies no service is listening, a timeout suggests a network blockage or a daemon that is entirely unresponsive, leaving the connection hanging until the client-side timer expires.
Diagnosing the Network Path
The first step in resolving this issue is to verify basic network connectivity and rule out simple routing issues. You should treat the network path as a series of checkpoints, starting from your local machine. Before diving into complex server configurations, ensure your local machine can physically reach the remote host.
Utilize standard network diagnostics tools to map the journey your packets take. The `ping` command is useful for verifying that the host is up and responding to ICMP requests, though many servers are configured to block ping for security reasons. For a more detailed analysis of the route, the `traceroute` (or `tracert` on Windows) command reveals each hop along the path, helping you identify where the signal stops progressing, which is often the first clue in a "connection timed out" scenario.
Verifying the SSH Service Status
Is the Daemon Actually Running?
Assuming the network path appears clear, the next logical checkpoint is the server itself. The most direct cause of this error is that the SSH daemon process is not running. If the server rebooted unexpectedly, crashed, or the service was manually stopped, there would be no listener on port 22 to acknowledge your request. To verify this, you generally need console access via a physical server, a web-based VPS control panel (like Vultr or AWS EC2), or a separate out-of-band management interface. Once you have access to a command line on the target machine, checking the service status is straightforward. On systems using systemd, the command `systemctl status sshd` provides a clear view of the process state, indicating whether it is active and listening or inactive and failed.
Confirming the Listening Port
Even if the service appears to be running, it is worth confirming that sshd is actually bound to the network interface and port you expect. Misconfigurations can sometimes direct the daemon to listen on a non-standard port or a specific internal IP address rather than the public one.
Investigating Firewall Restrictions
Firewalls are the most frequent culprits behind connection timeouts, acting as security gatekeepers that silently drop packets. A timeout occurs when a firewall along the network path discards the connection request without sending a "port unreachable" message, forcing your client to wait indefinitely.
On the server, you must inspect the host-based firewall rules. If the server uses `ufw` (Uncomplicated Firewall), the command `ufw status verbose` reveals which ports are allowed. For `iptables`, the command `sudo iptables -L -n -v` provides a detailed policy list. You are ensuring that inbound traffic on port 22 is explicitly accepted. Furthermore, if the server is behind a cloud provider, you must check the security group or Network ACL settings in the cloud console, as these infrastructure-level firewalls often block traffic independently of the server's own software firewall.
