Introduction

ssh: connect to host port 22: Connection refused indicates that the TCP connection to port 22 was actively rejected, not timed out. This is different from a timeout (which suggests packet dropping). A refusal means the server is reachable but nothing is listening on port 22, or a firewall is actively rejecting the connection. The distinction between Connection refused and Connection timed out is critical for troubleshooting.

Symptoms

  • ssh user@host returns connect to host port 22: Connection refused
  • telnet host 22 returns Connection refused
  • nc -zv host 22 returns Connection refused
  • Other services on the same server work (HTTP, etc.)
  • Error is immediate (not a timeout)

Common Causes

  • SSH daemon (sshd) is not running or has crashed
  • SSH listening on a non-standard port (e.g., 2222 instead of 22)
  • Firewall rule REJECTing (not DROPping) traffic to port 22
  • TCP wrappers (/etc/hosts.deny) blocking the connection
  • Cloud provider security group or network ACL blocking port 22

Step-by-Step Fix

  1. Distinguish between refused and timed out:

```bash
# Connection refused = something actively rejected it
# Connection timed out = packets are being dropped
# This matters for determining the root cause
```

  2. Check if sshd is running on the server (via console):

```bash
sudo systemctl status sshd
# If not running:
sudo systemctl start sshd
sudo systemctl enable sshd
```

  3. Check what port sshd is listening on:

```bash
sudo ss -tlnp | grep sshd
# Or:
sudo netstat -tlnp | grep ssh
# Output shows the actual listening port
# If it shows 2222 instead of 22, connect with: ssh -p 2222 user@host
```

  4. Check firewall rules on the server:

```bash
# -w matches 22 as a whole word, so ports such as 2222 or 220 are not listed
sudo iptables -L INPUT -n -v | grep -w 22
sudo firewall-cmd --list-all
sudo ufw status
# If port 22 is blocked:
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo firewall-cmd --add-service=ssh --permanent
# --permanent only changes the saved configuration; reload to apply it now
sudo firewall-cmd --reload
sudo ufw allow 22/tcp
```

  5. Check cloud provider security groups:
     - AWS EC2: Check the instance's Security Group inbound rules for port 22
     - Azure: Check Network Security Group (NSG) inbound rules
     - GCP: Check VPC firewall rules
     - Add an inbound rule allowing TCP port 22 from your IP range

  6. Check TCP wrappers:

```bash
cat /etc/hosts.deny
cat /etc/hosts.allow
# If sshd is in hosts.deny, remove it or add an exception
```

Prevention

  • Monitor sshd service status with automated alerts
  • Keep a secondary access method (console, bastion host, alternative port)
  • Document the SSH port and any non-standard configuration
  • Use cloud provider console access as a fallback when SSH is unreachable
  • Implement connection monitoring that tests SSH from multiple source IPs
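
A monitoring probe can record the refused/timed-out distinction from the introduction directly instead of a bare "SSH down". The script below is an added example, not part of the original guide; the function name `probe_ssh`, the state labels and the default target are assumptions chosen for illustration.

```python
import errno
import socket
import sys


def probe_ssh(host, port=22, timeout=5.0):
    """Classify one TCP connection attempt to an SSH port.

    Returns (state, detail) where state is one of:
      open        - handshake completed and the peer sent an SSH banner
      no_banner   - handshake completed but no SSH banner arrived
      refused     - actively rejected: no listener or a REJECT rule
      timed_out   - no reply within `timeout`: packets are being dropped
      unreachable - name resolution or routing failure
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "check sshd status, listening port, REJECT rules"
    except (socket.timeout, TimeoutError):
        return "timed_out", "check DROP rules, security groups, network ACLs"
    except socket.gaierror as exc:
        return "unreachable", f"name resolution failed: {exc}"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", exc.strerror
        raise
    with sock:
        try:
            # An SSH server speaks first: "SSH-2.0-<software>\r\n".
            line = sock.recv(255).split(b"\n", 1)[0].strip()
        except (socket.timeout, TimeoutError, ConnectionResetError):
            line = b""
    banner = line.decode("ascii", "replace")
    if banner.startswith("SSH-"):
        return "open", banner
    return "no_banner", banner or "peer accepted the connection, then sent nothing"


if __name__ == "__main__":
    # Usage: python3 probe_ssh.py HOST [PORT]; defaults are placeholders.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state, detail = probe_ssh(host, port)
    print(f"{host}:{port} {state}: {detail}")
    sys.exit(0 if state == "open" else 1)
```

Run from more than one source network, a `refused` result from every source points at the server itself (sshd or a local REJECT rule), while `timed_out` from only some sources points at a security group, network ACL or DROP rule along that path.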