What's Happening
When you try to SSH to a server, you get an immediate "Connection refused" error:
ssh: connect to host 192.168.1.100 port 22: Connection refusedThis is different from a timeout. A refused connection means the server is reachable, but nothing is listening on port 22—or a firewall is actively rejecting the connection.
Check If sshd Is Running
First, verify the SSH daemon is actually running on the server:
# On the server
systemctl status sshd
# Or on Debian/Ubuntu
systemctl status sshIf it's not running:
sudo systemctl start sshd
sudo systemctl enable sshdVerify sshd Is Listening on Port 22
Check what port and address sshd is bound to:
sudo ss -tlnp | grep :22
# Or
sudo netstat -tlnp | grep :22You should see something like:
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))If sshd only listens on 127.0.0.1, external connections won't work. Check /etc/ssh/sshd_config:
# Make sure it's not restricted to localhost
#AddressFamily any
#ListenAddress 0.0.0.0
Port 22Check Firewall Rules
The server firewall might be blocking port 22.
Using iptables:
sudo iptables -L -n | grep 22If you see a DROP or REJECT rule for port 22, that's your issue.
Using ufw (Ubuntu):
sudo ufw status
sudo ufw allow 22/tcpUsing firewalld (CentOS/RHEL):
sudo firewall-cmd --list-all
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reloadTest from Another Location
Sometimes the issue is your local network. Try connecting from:
- A different machine on the same network
- A different network entirely (e.g., mobile hotspot)
- The server's console or cloud provider's web terminal
SELinux Issues (CentOS/RHEL)
On systems with SELinux enabled, check if SSH is allowed:
getsebool -a | grep ssh
# If ssh_connect_any is off:
setsebool -P ssh_connect_any 1Verify It Works
After making changes:
ssh -v user@serverThe -v flag shows verbose output. You should see:
debug1: Connecting to server [192.168.1.100] port 22.
debug1: Connection established.