The SSH daemon (sshd) fails to start with "fatal: Cannot bind any address" when it cannot listen on the configured address or port. Common causes include address family mismatches, ports already in use, network startup timing issues, and SELinux permission restrictions. Most solutions involve fixing sshd configuration or checking service startup order.
The SSH daemon attempts to bind to one or more addresses when starting (configured via `ListenAddress` directives in `/etc/ssh/sshd_config`). If all configured addresses fail to bind, sshd exits with "fatal: Cannot bind any address." This happens when: - The configured address doesn't exist on the system yet (network not ready at boot) - Another process is already using the port - The address family (IPv4 vs IPv6) is incorrectly configured - SELinux or firewall prevents binding to that port - Permissions prevent sshd from listening on the specified address The error is fatal—sshd will not start at all, making remote SSH access impossible.
First, verify that sshd isn't already listening on the port:
sudo netstat -antp | grep :22
# or with ss (modern systems):
sudo ss -antp | grep :22Look for LISTEN state on port 22 (or your configured SSH port). If sshd is already running, restart it cleanly:
sudo systemctl stop ssh
sudo systemctl start ssh
sudo systemctl status sshIf stopping hangs, force it:
sudo pkill -9 sshd
sudo systemctl start sshIf another process is listening on port 22:
sudo lsof -i :22Or find what's listening on the SSH port:
sudo ss -tlnp | grep :22If it's an old sshd process that didn't shut down cleanly, kill it:
sudo pkill sshd
# Wait a moment, then restart
sudo systemctl start sshIf it's a different service, either:
- Change the SSH port in /etc/ssh/sshd_config (set Port 2222, for example)
- Or stop/disable the conflicting service
Open /etc/ssh/sshd_config and check the AddressFamily setting:
sudo nano /etc/ssh/sshd_configLook for the AddressFamily line. If it's set to inet6 only, change it:
# Old (broken):
AddressFamily inet6
# New (fixed):
AddressFamily anyOr comment it out to use the default (which accepts both IPv4 and IPv6):
# AddressFamily anyThen check the ListenAddress lines. A common mistake is:
# This fails if IPv6 is not fully enabled:
ListenAddress ::
# Better: listen on both
ListenAddress 0.0.0.0
ListenAddress ::Save and validate the config:
sudo sshd -tIf this shows no errors, restart sshd:
sudo systemctl restart sshIf sshd fails only at boot but works after manually restarting, the network isn't ready when sshd starts.
For systemd systems, create an override to make sshd wait for the network:
sudo systemctl edit sshAdd these lines in the [Unit] section:
[Unit]
After=network-online.target
Wants=network-online.targetSave (Ctrl+X in nano). The file is auto-saved and the service is reloaded.
For init.d systems (older Linux), edit /etc/init.d/ssh or the init script to start sshd after network:
# Look for the start-stop-daemon call and ensure it runs after network initialization
# For OpenRC or similar, you may need to adjust the runlevel or add a dependencyReboot to verify:
sudo reboot
# After reboot, verify SSH is running
sudo systemctl status sshIf you changed the SSH port (non-standard port), SELinux may block binding. Check if SELinux is enabled:
getenforceIf it shows "Enforcing" or "Permissive", you need to allow sshd on your port:
# For a custom port (e.g., 2222):
sudo semanage port -l | grep ssh
# Should show: ssh_port_t = 22
# Add your port:
sudo semanage port -a -t ssh_port_t -p tcp 2222
# Verify:
sudo semanage port -l | grep sshThen restart sshd:
sudo systemctl restart sshIf you don't have semanage, install it:
# On RHEL/CentOS/Fedora:
sudo yum install policycoreutils-python-utils
# On Ubuntu (rarely needed):
sudo apt install selinux-policy-devIf sshd_config has a ListenAddress for an IP that doesn't exist on the system:
sudo nano /etc/ssh/sshd_configCheck all ListenAddress lines:
# Problem: This IP doesn't exist on the system
ListenAddress 192.168.100.50
# Fix: Use a real IP or listen on all
ListenAddress 0.0.0.0 # All IPv4
ListenAddress :: # All IPv6To list all IPs on your system:
ip addr show
# or
ifconfigUpdate sshd_config to use only IPs that exist, or use 0.0.0.0 and :: to listen on all interfaces.
Test the config:
sudo sshd -tRestart:
sudo systemctl restart sshAfter applying any fix, verify sshd is running and listening:
# Check service status
sudo systemctl status ssh
# Verify it's listening
sudo ss -tlnp | grep ssh
# Should show: tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
# Test SSH connection from another machine
ssh -v user@your-server-ipIf SSH still won't start, check the sshd logs for more details:
sudo journalctl -u ssh -n 20
# or
sudo tail -f /var/log/auth.log | grep sshdLook for specific error messages beyond "Cannot bind any address" to identify the exact cause.
IPv6 socket handling: If sshd opens an IPv6 socket without the IPV6_V6ONLY flag (or when net.ipv6.bindv6only=0), that socket accepts both IPv4 and IPv6 connections. This can prevent opening a separate IPv4 socket on the same port. Check with sysctl net.ipv6.bindv6only (should be 1 for separate sockets).
Systemd dependency ordering: Modern Linux uses systemd, which starts services in parallel by default. Use After=network-online.target to ensure the network is ready before sshd starts. The default After=network.target is insufficient—network.target fires as soon as networking is configured, not when IPs are assigned.
Multiple ListenAddress lines: sshd can listen on multiple addresses. If *any* address fails to bind, the entire service fails. Ensure all ListenAddress IPs actually exist on the system.
Port privileges: SSH port 22 is privileged (< 1024), requiring sshd to run as root. Custom ports >= 1024 may have different permission requirements. When changing ports, also update firewall rules and SSH client connection strings.
SELinux on non-standard ports: This is a common gotcha. Default SELinux policy only allows ssh_t to bind to port 22. Any custom port requires explicit semanage configuration or disabling SELinux (not recommended).
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH