The “SSH Connection refused” error is a common error encountered when attempting to connect to a remote server via SSH.
If the remote server is not accepting connections on this port, the connection will be refused and the user will receive the “SSH Connection refused” error message.
This could be due to a variety of reasons, such as the SSH service not running on the remote server, a firewall blocking incoming connections on port 22, or incorrect SSH server configuration.
We can check this issue with the following 5 steps.
- check the network connectivity with the ping command
- check the port connectivity with curl command
- check SSH service status on the instance with systemctl command
- check SSH TCP port 22 in the listening state with netstat command
- check security group and network ACLs allow incoming traffic on TCP port 22
Table of Contents
Check SSH command syntax
Make sure you use the correct hostname and username when running the ssh command.
To establish a basic ssh connection to a remote host, the syntax is:
ssh username@hostname
Where username is the username you use to log in to the remote host and hostname is the IP address or hostname of the remote host.
You can also use various options with the ssh command to configure the connection, such as specifying a non-standard port, forwarding ports, or specifying a key file for authentication.
By default, the ssh command uses port 22 to establish a connection to the remote host.
However, in some cases, the SSH service on the remote host may be configured to listen on a different port.
In such cases, you can specify a different port to use with the ssh command.
To specify a different port, you can use the -p option followed by the port number. For example, if the SSH service on the remote host is listening on port 2222, you can establish a connection using the following command:
ssh -p 2222 username@hostname
It is important to verify the syntax of the ssh command before executing it to ensure that it is being used correctly and will establish the intended connection.
To check the syntax of the ssh command, you can use the -h option to display the help information for the command.
This will display a list of available options and their descriptions for the ssh command. You can use this information to verify the syntax of the command you are trying to execute.
Enable verbose output in SSH command
You can enable verbose output in the ssh command to get more detailed information about the connection process.
This can be helpful for troubleshooting connection issues or for gaining a better understanding of how the SSH protocol works.
To enable verbose output, you can use the -v option with the ssh command. The -v option can be used one or more times to increase the verbosity level, with each additional -v providing more detailed information.
For example, to enable basic verbose output, you can use the following command:
ssh -v username@hostname
This will display information about the SSH handshake process and authentication, as well as any errors that occur during the connection process.
To enable even more verbose output, you can use multiple -v options. For example, to enable maximum verbosity, you can use the following command:
ssh -vvv username@hostname
This will display detailed debugging information, including the packets being sent and received by the SSH client and server.
Note that enabling verbose output can result in a large amount of output, which may make it difficult to read or analyze. It is recommended to use verbose output only when necessary for troubleshooting purposes.
If you receive a “Connection refused” error, you can add the -v option to enable verbose output:
ssh -v [email protected]
The output will show the connection process, including the attempt to connect to the remote host:
OpenSSH_8.4p1, OpenSSL 1.1.1k 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.100 [192.168.1.100] port 22.
debug1: connect to address 192.168.1.100 port 22: Connection refused
ssh: connect to host 192.168.1.100 port 22: Connection refused
In this case, the verbose output shows that the connection was refused by the remote host.
This could indicate that the SSH service is not running on the remote host, or that the remote host is blocking incoming SSH connections.
check network connectivity with the ping command
The ping command is a network diagnostic tool that can be used to test the reachability of a host on an IP network.
The ping command sends ICMP Echo Request packets to the host and waits for an ICMP Echo Reply. If the packets are not received, the user will see a timeout error message.
To ping a host, use the following command:
ping <host_name>
The output will show the round-trip time (in milliseconds) and the packets sent and received.
When you execute this command, the ping utility will send packets to the specified IP address or hostname and report back whether a response is received.
If a response is received, the round-trip time for the packets will be displayed. If no response is received, it could indicate a network connectivity issue or that the remote host is not reachable.
check port connectivity with curl command
curl is a network utility that can be used to test the connectivity of a host on a specific port. The curl command sends an TCP SYN packet to the host and waits for a TCP ACK from the server.
curl -v telnet://<host_name>:<port_number>
The output of the command will show the TCP handshake between the client and server. If the server doesn’t respond, the user will see a timeout error message.
For example, if you want to test connectivity to a ssh server 192.168.1.100 running on port 22, you can run the following command:
curl -v telnet://192.168.1.100:22
The output will show the connection process, and indicate whether the connection was successful or not.
check SSH service status with systemctl command
You can use the systemctl command to check the status of the SSH service on a Linux system.
To check the status of the SSH service, open a terminal window and run the following command:
systemctl status sshd
This will display the status of the SSH service, including whether it is currently running or not.
If the SSH service is running, you should see a message indicating that it is active (running).
If the SSH service is not running, you may see a message indicating that it is inactive (dead).
If the SSH service is not running, you can start it using the following command:
sudo systemctl start sshd
If you want to ensure that the SSH service starts automatically when the system boots up, you can use the following command:
sudo systemctl enable sshd
This will create a symlink to the SSH service unit file in the appropriate directory, which will cause the SSH service to start automatically when the system boots up.
check SSH port with netstat or ss command
You can use either the netstat or ss command to check whether the SSH port is open and listening on a Linux system.
To use netstat, open a terminal window and run the following command:
sudo netstat -tulnp | grep ssh
Alternatively, you can use the ss command to achieve the same result. Open a terminal window and run the following command:
sudo ss -tulnp | grep ssh
This will display a list of all TCP and UDP connections that are currently in the listening state, and should include an entry for the SSH service.
| Option | Description |
|---|---|
| -t | Only display TCP connections. |
| -u | Only display UDP connections. |
| -l | Only display listening sockets. |
| -n | Display IP addresses and port numbers in numeric form. |
| -p | Display the process ID and name associated with each connection. |
You can also find out the SSH port number by looking at the SSH configuration file.
The SSH configuration file is typically located at /etc/ssh/sshd_config.
To view the contents of the SSH configuration file and find the SSH port number, you can use a command-line text editor such as nano or vi.
For example, to view the SSH configuration file using nano:
sudo nano /etc/ssh/sshd_config
This will open the SSH configuration file in the nano text editor. Look for the line that specifies the Port directive, which will indicate the port number that SSH is listening on.
The line looks like this:
Port 2222
In this example, the SSH server is listening on port 2222 instead of the default port 22.
Once you have identified the SSH port number, you can use it to connect to the SSH server using the ssh command followed by the -p option, like this:
ssh user@hostname -p 2222
Replace 2222 with the actual port number you found in the SSH configuration file.
check firewall rules on both the client and server
Check the firewall rules on both the client and server to ensure that they are not set to DROP traffic by default. If the default policy is set to DROP, incoming traffic will be blocked by default and will need to be explicitly allowed.
Check that the SSH port is permitted for incoming connections. By default, SSH uses port 22, but some servers may use a custom port number.
On Linux machines with iptables, you can use the following command to list the current firewall rules:
sudo iptables -L
On Windows machines, you can use the Windows Firewall with Advanced Security console to view and manage firewall rules.
Look for a rule that allows incoming traffic on the SSH port.
If such a rule exists, the SSH port is permitted for incoming connections. If there is no such rule, you may need to create a new rule to allow incoming traffic on the SSH port.
On Linux machines with iptables, you can use the following command to add a new rule to allow incoming traffic on the SSH port:
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
This command adds a new rule to the INPUT chain of the iptables firewall to accept incoming traffic on the SSH port.
The -p tcp option specifies that the rule applies to TCP traffic, and the –dport ssh option specifies the destination port as the SSH port (port 22 by default). Finally, the -j ACCEPT option tells iptables to accept incoming traffic that matches the specified rule.
Note that this command only adds the new rule temporarily and will be lost when the system is rebooted. To make the rule persistent, you will need to save the iptables configuration. This can be done using the following command:
sudo iptables-save > /etc/sysconfig/iptables
This command saves the current iptables configuration to the /etc/sysconfig/iptables file, which is read at boot time to restore the firewall rules.
I hope this article has been helpful. If you have any questions, please feel free to leave a comment below. Thank you for reading!