How to Resolve SSH 'Connection Refused' Errors on Linux Servers

Problem Description

When attempting to connect to a Linux server via SSH, you may encounter the error message:

ssh: connect to host 203.0.113.10 port 22: Connection refused

This error indicates that the SSH client successfully reached the server's IP address, but the server actively rejected the connection on the specified port. This is different from a timeout error, which suggests a network or firewall issue blocking traffic entirely.

Common scenarios where this occurs include:

• The SSH daemon (sshd) is not running on the server.
• The SSH service is listening on a non-default port.
• A firewall rule on the server is blocking the SSH port.
• The SSH service was recently updated or reconfigured and failed to restart.

Solution Steps

Step 1: Verify the SSH Service Status

Log in to the server via the console (e.g., through your hosting provider's VNC/KVM console) and check the SSH daemon status:

sudo systemctl status sshd

If the service is inactive or failed, start it with:

sudo systemctl start sshd
sudo systemctl enable sshd

Step 2: Check the SSH Listening Port

The SSH daemon may have been configured to listen on a non-standard port. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Look for the Port directive:

Port 22

If a different port number is defined (e.g., Port 2222), connect using that port:

ssh -p 2222 [email protected]

Step 3: Inspect Firewall Rules

Check whether the server's firewall is blocking the SSH port.

For systems using iptables:

sudo iptables -L -n | grep 22

For systems using firewalld:

sudo firewall-cmd --list-ports

For systems using ufw (Ubuntu/Debian):

sudo ufw status

If the SSH port is not allowed, add a rule to permit it. For example, with ufw:

sudo ufw allow 22/tcp

Step 4: Verify the SSH Daemon Is Listening

Confirm that sshd is actively listening on the expected port:

sudo ss -tlnp | grep sshd

This command will show the port and address the SSH daemon is bound to. If it shows 0.0.0.0:22 or :::22, the service is listening on all interfaces on port 22.

Step 5: Review SSH Logs for Errors

If the service fails to start, check the system logs for detailed error messages:

sudo journalctl -u sshd --no-pager -n 50

Common issues include configuration syntax errors or missing host keys. Fix any reported errors, then restart the service:

sudo systemctl restart sshd

Additional Tips

• Test locally first: If you have console access, test the SSH connection from the server itself using ssh localhost to isolate whether the issue is local or network-related.
• Use verbose mode for debugging: Run ssh -vvv [email protected] from the client side to get detailed connection debug output.
• Check for recent changes: If the issue started after a system update or configuration change, consider rolling back the changes or reviewing the update logs.
• Ensure host keys exist: Missing SSH host keys in /etc/ssh/ will prevent the daemon from starting. Regenerate them with sudo ssh-keygen -A if needed.
• Security best practice: If you change the SSH port, always update your firewall rules accordingly and document the new port for future reference.