This error occurs when your SSH client cannot establish a connection to the remote server on port 22. It typically indicates the SSH service is not running, the port is blocked by a firewall, or the server is unreachable.
The SSH connection refused error means that your SSH client attempted to connect to a remote server but received an explicit refusal response. This typically happens when the SSH daemon (sshd) is not listening on the specified port, the network path to the server is blocked, or the service has crashed. Unlike a timeout error, 'connection refused' indicates that the server received your connection request but actively rejected it, meaning the network is reachable but the SSH service is not available.
First, confirm the remote server is reachable on the network using ping:
ping <server_ip_or_hostname>If ping fails, there's a network connectivity issue. Check your network connection, VPN, or firewall rules between your client and the server. If you're connecting through a proxy or jump host, verify that configuration is correct.
Log in to the remote server locally or through another method (console, remote desktop) and check if the SSH daemon is running:
sudo systemctl status sshOr on some systems:
sudo systemctl status sshdIf the service is inactive, stopped, or dead, the SSH daemon is not running and needs to be started.
If SSH is not running, start it immediately and enable it to start automatically on boot:
sudo systemctl start ssh
sudo systemctl enable sshOr use the older service syntax:
sudo service ssh startAfter starting, verify it's running with the status command from the previous step. Then try your SSH connection again.
Check what port the SSH server is listening on. By default it's port 22, but some administrators change this for security:
grep Port /etc/ssh/sshd_configIf it shows a port other than 22, connect using that port:
ssh -p <port_number> user@hostnameAlso check if SSH is actually listening on that port:
sudo netstat -tlnp | grep sshor
sudo ss -tlnp | grep sshThe server's firewall may be blocking SSH connections. Check your active firewall and add a rule to allow port 22:
For UFW (Ubuntu/Debian):
sudo ufw status
sudo ufw allow 22
sudo ufw reloadFor firewalld (CentOS/RHEL):
sudo firewall-cmd --list-all
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reloadFor iptables (manual rules):
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTNote: This is not persistent across reboots. Consider using UFW or firewalld instead.
Use telnet or nc (netcat) to verify the port is open and listening:
telnet <server_ip> 22or
nc -zv <server_ip> 22A successful response means the port is open. If it times out or refuses, the port is blocked or not listening.
If SSH is running but still refusing connections, check the SSH service logs for configuration errors or crash messages:
sudo tail -f /var/log/auth.logor on Red Hat/CentOS:
sudo tail -f /var/log/secureOr use journalctl:
sudo journalctl -u ssh -n 50
sudo journalctl -u sshd -n 50Look for errors related to port binding, configuration parsing, or permission issues.
Use SSH verbose mode to see detailed connection attempts and identify where the connection fails:
ssh -vvv user@hostnameWith three -v flags, you'll see:
- Connection attempt details
- Which port is being tried
- Protocol negotiation
- Authentication attempts
This output often reveals whether the connection is being refused at the network level or by the SSH service itself.
Cloud VMs (AWS, Azure, GCP): If connecting to cloud-hosted instances, verify that security groups, network security groups, or firewall rules allow inbound traffic on port 22 from your IP. The SSH service may be running, but network-layer security policies can prevent connections from reaching it.
SSH Key vs Password: Connection refused errors apply to both password and key-based authentication. If you recently changed authentication methods, verify the correct keys are deployed and permissions on ~/.ssh are correct (700 for the directory, 600 for private keys).
SELinux or AppArmor: On systems with mandatory access controls, SELinux or AppArmor policies can prevent sshd from binding to the port. Check denial logs: sudo tail /var/log/audit/audit.log for SELinux or sudo journalctl -u apparmor for AppArmor.
Zombie Processes: If sshd processes are stuck (zombie state), kill them and restart: sudo pkill -9 sshd; sudo systemctl start ssh
IPv4 vs IPv6: By default sshd listens on both IPv4 and IPv6. If you can't connect via IPv4 but IPv6 works (or vice versa), check the ListenAddress directives in /etc/ssh/sshd_config.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH