This error occurs when the SSH server abruptly closes the connection during the key exchange phase, before authentication completes. Common causes include firewall blocks, IP bans, misconfigured SSH service, or network issues.
The 'Connection reset by peer' error, often appearing as 'ssh_exchange_identification: read: Connection reset by peer', means the remote SSH server forcefully terminated the connection before establishing a secure session. During the key exchange (KEX) phase—when the client and server negotiate cryptographic keys—something caused the server to immediately close the TCP connection. The term 'peer' refers to the remote server, and 'reset' means the connection was forcefully terminated rather than gracefully closed. This error occurs very early in the SSH handshake, before username/password authentication even begins.
Run the SSH command with -vvv flag to get detailed diagnostic information about where in the handshake the connection is being reset:
ssh -vvv [email protected]Look for the last successful step before 'Connection reset by peer' appears. This tells you if it's failing during algorithm negotiation, key exchange, or immediately upon connect.
From a host with access to the server (console, bastion, etc.), check that sshd is running:
sudo systemctl status ssh
# or
sudo service sshd statusIf not running, start it:
sudo systemctl start ssh
sudo systemctl enable ssh # Enable on bootTest basic connectivity to the server on port 22:
ping server.com
telnet server.com 22
nc -zv server.com 22All three should succeed. If any fail, you have a network or firewall issue preventing access to port 22.
Verify firewall allows inbound SSH. The method depends on your firewall:
UFW (Ubuntu/Debian):
sudo ufw status
sudo ufw allow 22/tcpiptables (Linux):
sudo iptables -L -n | grep 22
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPTfirewalld (RHEL/CentOS):
sudo firewall-cmd --list-all
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reloadFail2Ban automatically bans IPs after repeated failed login attempts. From the server, check if your IP is banned:
sudo fail2ban-client status sshd
sudo iptables -L -n | grep <your-ip>If your IP is listed, unban it:
sudo fail2ban-client set sshd unbanip <your-ip>Alternatively, temporarily stop Fail2Ban while troubleshooting:
sudo systemctl stop fail2banCheck the /etc/hosts.allow and /etc/hosts.deny files to ensure your IP or hostname isn't blocked:
sudo cat /etc/hosts.deny
sudo cat /etc/hosts.allowIf your IP is in hosts.deny, remove it or comment it out:
sudo nano /etc/hosts.deny
# Remove or comment the line blocking your IPThen try connecting again.
Test SSH from a different client or IP address to isolate whether the issue is client-specific or server-side:
# From a different machine
ssh [email protected]If connection succeeds from the alternate client, the issue is likely with your original client's network, local firewall, or SSH configuration. If it fails from all clients, the issue is on the server side.
Review /etc/ssh/sshd_config for settings that might reject your connection:
sudo nano /etc/ssh/sshd_configKey settings to check:
- MaxStartups 10:30:100 (limit concurrent connections) - try increasing
- AllowUsers or DenyUsers - ensure you're allowed
- PermitRootLogin - if you need root access
- MaxAuthTries 6 - increase if you have many SSH keys
After changes, validate config and restart:
sudo sshd -t
sudo systemctl restart sshHigh memory usage or CPU load can cause the SSH daemon to reject connections. From the server:
free -h # Check memory
df -h # Check disk
top -b -n 1 # Check CPU and processesIf resources are exhausted, identify and kill memory-hogging processes, or reboot the server. SSH should recover after freeing resources.
sudo rebootReview the SSH daemon logs to see the actual reason the connection was rejected:
# Most systems
sudo tail -f /var/log/auth.log
# Or on some systems
sudo journalctl -u ssh -fLook for error messages corresponding to your connection attempt. The logs often reveal the exact reason (auth failure, max sessions, IP blocked, etc.).
Algorithm Negotiation: If using older SSH clients or servers, algorithm mismatches during key exchange can cause resets. Explicitly specify algorithms on the client if needed:
ssh -oKexAlgorithms=diffie-hellman-group14-sha1 [email protected]Keepalive Settings: If the connection is established but then reset after a period of inactivity, adjust ClientAliveInterval and ServerAliveInterval:
Client (~/.ssh/config):
Host *
ServerAliveInterval 60
ServerAliveCountMax 3Server (/etc/ssh/sshd_config):
ClientAliveInterval 300
ClientAliveCountMax 2Multiple SSH Keys: If you have many SSH keys, the client may exceed MaxAuthTries before finding the correct key. Remove unused keys from ~/.ssh or specify a single key:
ssh -i ~/.ssh/specific_key [email protected]SELinux: On SELinux-enforcing systems, ensure SSH context rules allow connections:
sudo getenforce
sudo semanage port -l | grep sshDocker/Container Networking: If connecting to a containerized SSH server, ensure port 22 is properly exposed and the container isn't crashing on startup.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH