This error occurs when the SSH server closes the connection before the key exchange process completes. It's typically caused by server-side restrictions, resource limits, IP blocking, or SSH daemon issues.
The 'ssh_exchange_identification: Connection closed by remote host' error means the SSH daemon on the remote server abruptly terminated the connection before the identification and authentication process could begin. This happens at the protocol level, before your credentials are even evaluated, indicating either a server-side policy enforcement, resource constraint, or daemon malfunction. The connection is severed during the initial TCP handshake or early SSH protocol phase.
Run your SSH command with maximum verbosity to see exactly where the connection is failing:
ssh -vvv user@hostnameLook for output like:
- 'debug1: Local version string: OpenSSH_X.X'
- 'debug1: Remote protocol version X.X, remote software version OpenSSH_X.X'
- 'debug1: match: OpenSSH_X.X'
If you don't see 'Remote protocol version', the server is closing before SSH negotiation completes.
Log into the server (or ask your administrator) and examine the TCP wrapper rules:
cat /etc/hosts.deny
cat /etc/hosts.allowIf you see lines like 'sshd: ALL' in hosts.deny or specific IP restrictions in hosts.allow, your IP may be blocked. Ask your administrator to add your IP to hosts.allow:
# Add to /etc/hosts.allow
sshd: YOUR_IP_ADDRESS
sshd: 192.168.1.0/24If you have server access, check the Fail2ban status:
sudo fail2ban-client status sshdTo view banned IPs:
sudo fail2ban-client set sshd banipTo unban your IP:
sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESSIf this is a repeated issue, ask your administrator to adjust Fail2ban sensitivity or whitelist your IP range in /etc/fail2ban/jail.local.
On the remote server, verify the SSH daemon is running:
sudo systemctl status sshdRestart the SSH service to clear potential stuck connections:
sudo systemctl restart sshdExamine SSH logs for clues:
# Debian/Ubuntu
sudo tail -f /var/log/auth.log
# RHEL/CentOS/Fedora
sudo tail -f /var/log/secure
# Look for messages like:
# sshd[xxxx]: Connection closed by authenticating user
# sshd[xxxx]: fatal: setgroups: Cannot allocate memory
# sshd[xxxx]: Connection reset by peerExamine /etc/ssh/sshd_config for overly restrictive settings:
sudo grep -E 'MaxStartups|MaxSessions|LoginGraceTime|UseDNS' /etc/ssh/sshd_configIf MaxStartups is too low (default is 10:30:100), increase it:
# Edit /etc/ssh/sshd_config
MaxStartups 30:30:100Reload SSH configuration:
sudo systemctl reload sshdIf DNS lookups are slow or failing, they can cause sshd to drop the connection. Add this to /etc/ssh/sshd_config:
UseDNS noThen reload SSH:
sudo systemctl reload sshdThe server might be out of memory or system resources. Check:
free -m # Check available memory
df -h # Check disk space
top -bn1 | head # Check CPU and memory usageIf the server is low on resources, try to free up space or memory. Then restart the SSH daemon:
sudo systemctl restart sshdCorrupted host keys can cause connection drops. Check if they exist:
ls -la /etc/ssh/ssh_host_*If they're missing or corrupted, regenerate them:
# Debian/Ubuntu
sudo dpkg-reconfigure openssh-server
# RHEL/CentOS/Fedora
sudo ssh-keygen -AThen restart SSH:
sudo systemctl restart sshdThe 'Connection closed by remote host' message during ssh_exchange_identification indicates the server-side sshd process is terminating the connection before the SSH protocol negotiation phase completes. This is different from authentication failures which occur later in the handshake. Common advanced scenarios include: (1) SELinux or AppArmor policies preventing sshd from binding to ports or accessing required libraries - check 'sudo ausearch -m avc' for SELinux denials; (2) systemd socket activation misconfiguration where ListenAddress directives don't match sshd_config; (3) Connection rate limiting via 'iptables -t filter -I INPUT -p tcp --dport 22 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT'; (4) IPv6 vs IPv4 mismatch - ensure 'AddressFamily any' is set if you need both; (5) On containerized systems, ensure sshd is properly initialized and not hitting the container's connection limits. For production troubleshooting, enable debug-level logging: 'sshd -d' for a single connection, or set 'LogLevel DEBUG' in sshd_config and check logs immediately after the failed connection attempt.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH