When you try to connect to a server via SSH, you receive:
$ ssh user@192.168.1.100
ssh: connect to host 192.168.1.100 port 22: Connection refused
This error means nothing is listening on port 22, or a firewall is actively rejecting connections. Unlike a timeout (which suggests network issues), "connection refused" indicates the server received and rejected your TCP handshake.
Quick Diagnosis
First, verify you can reach the server at all:
ping -c 3 192.168.1.100
If ping works but SSH fails, the issue is specifically with SSH. If ping fails, you have a network connectivity problem.
Try connecting with verbose output:
ssh -v user@192.168.1.100
The output will confirm the connection refused error occurs immediately, not after authentication.
Check if SSHD is Running
Log into the server directly (console, IPMI, or through your cloud provider's web console) and check the SSH daemon status:
sudo systemctl status sshd
On Ubuntu/Debian systems, the service might be called ssh:
sudo systemctl status ssh
If the service is inactive or failed:
sudo systemctl start sshd
sudo systemctl enable sshd
Check why it might have failed:
sudo journalctl -u sshd -n 50
Common reasons sshd won't start include configuration errors:
sudo sshd -t
This tests the configuration file syntax. If there's an error, it will be reported:
/etc/ssh/sshd_config: line 25: Bad configuration option: PermitRootLogins
/etc/ssh/sshd_config: terminating, 1 bad configuration options
Fix any syntax errors in /etc/ssh/sshd_config and restart.
Verify SSHD is Listening
Check if sshd is actually listening on port 22:
sudo netstat -tlnp | grep :22
Or using the more modern ss:
sudo ss -tlnp | grep :22
Expected output:
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1234,fd=4))
If sshd is running but not showing here, it might be configured to listen on a different port.
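The listening check above, as an added example that is not part of the original article: a shell function that reads ss -tln output and reports whether a port is unbound, bound to loopback only, bound to a specific address, or bound on all interfaces. It matches the port number exactly, whereas grep :22 also matches ports such as 2222; the function name classify_listen and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Classifies where a TCP port
# is bound, reading `ss -tln` output on stdin. Prints one of:
#   none      nothing listens on PORT
#   loopback  only 127.0.0.0/8 or ::1 (remote clients are refused)
#   specific  bound to particular non-loopback address(es)
#   any       bound to a wildcard address (0.0.0.0, [::] or *)
classify_listen() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            # Split at the last colon so bracketed IPv6 literals stay intact.
            i = match(addr, /:[0-9]+$/)
            if (i == 0) next
            if (substr(addr, i + 1) != port) next   # exact match: 22 is not 2222
            host = substr(addr, 1, i - 1)
            sub(/%.*$/, "", host)                    # drop a scope such as %lo
            if (host == "0.0.0.0" || host == "[::]" || host == "*" || host == "::")
                any = 1
            else if (host ~ /^127\./ || host == "[::1]")
                loop = 1
            else
                spec = 1
        }
        END {
            if (any) print "any"
            else if (spec) print "specific"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# Constructed sample output (hypothetical host), used so the script runs offline.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      128    [::1]:22           [::]:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    192.168.1.100:8022 0.0.0.0:*'

for p in 22 2222 8022 220; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE" | classify_listen "$p")"
done
# On a live server: sudo ss -tln | classify_listen 22
```

A result of loopback or none on the port you are connecting to explains a refusal from a remote client even when sshd itself is running.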
Check the Configured Port
Examine the SSH configuration:
sudo grep -E "^Port" /etc/ssh/sshd_config
If this shows a different port:
Port 2222
Connect using that port:
ssh -p 2222 user@192.168.1.100
If no Port directive exists, SSH defaults to port 22. You can add it explicitly:
echo "Port 22" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd
Check Firewall Rules
Firewalls often block port 22. Check iptables:
sudo iptables -L -n -v | grep 22
For firewalld (CentOS/RHEL/Fedora):
sudo firewall-cmd --list-all
If SSH isn't listed, add it:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
For ufw (Ubuntu):
sudo ufw status
Allow SSH if needed:
sudo ufw allow ssh
sudo ufw reload
For iptables directly:
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Check if SSH is Bound to the Right Interface
SSHD might be listening only on localhost. Check the configuration:
sudo grep -E "^ListenAddress" /etc/ssh/sshd_config
If you see:
ListenAddress 127.0.0.1
SSH will only accept local connections. Either remove this line or add your external IP:
# Comment out or remove the restrictive ListenAddress
sudo sed -i 's/^ListenAddress 127\.0\.0\.1/#ListenAddress 127.0.0.1/' /etc/ssh/sshd_config
sudo systemctl restart sshd
Check TCP Wrappers
Some systems use /etc/hosts.deny to block connections:
cat /etc/hosts.deny
Look for lines like:
sshd: ALL
ALL: ALL
If SSH is blocked here, comment out the lines or add an exception in /etc/hosts.allow:
echo "sshd: ALL" | sudo tee -a /etc/hosts.allow
Verify from Another Machine
Test from a different network location to rule out local firewall issues:
telnet 192.168.1.100 22
A successful connection shows the SSH banner:
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
If telnet isn't available, use netcat:
nc -zv 192.168.1.100 22
Check for Port Knocking
Some servers use port knocking for security. The SSH port remains closed until you "knock" on specific ports first. Check if knockd is running:
sudo systemctl status knockd
If it is, you need to knock before connecting:
knock 192.168.1.100 7000 8000 9000
ssh user@192.168.1.100
Resolution Checklist
1. SSHD service running: systemctl status sshd
2. SSHD listening on port 22: ss -tlnp | grep 22
3. Firewall allows port 22: firewall-cmd --list-all or ufw status
4. SSHD not restricted to localhost: check ListenAddress
5. TCP wrappers not blocking: check /etc/hosts.deny
6. Configuration syntax valid: sshd -t
Most often, the issue is simply that sshd isn't running or a firewall is blocking the port. Start with those checks first.