SSH Connection refused error comes from the SSH client. The error indicates that the server didn’t respond to the client.
We can check SSH Connection refused issue with the following 5 steps.
- check the network connectivity with the ping command
- check the port connectivity with curl command
- check SSH service status on the instance with systemctl command
- check SSH TCP port 22 in the listening state with netstat command
- check security group and network ACLs allow incoming traffic on TCP port 22
check network connectivity with the ping command
The ping command is a network diagnostic tool that can be used to test the reachability of a host on an IP network. The ping command sends ICMP Echo Request packets to the host and waits for an ICMP Echo Reply. If the packets are not received, the user will see a timeout error message.
To ping a host, use the following command: ping <host_name>
The output will show the round-trip time (in milliseconds) and the packets sent and received.
check port connectivity with curl command
curl is a network utility that can be used to test the connectivity of a host on a specific port. The curl command sends an TCP SYN packet to the host and waits for a TCP ACK from the server.
curl -v telnet://<host_name>:<port_number>
The output of the command will show the TCP handshake between the client and server. If the server doesn’t respond, the user will see a timeout error message.
check SSH service status on the instance with systemctl command
The systemctl command is a systemd utility that can be used to start, stop, and check the status of systemd services. The systemctl status ssh command will return “active (running)” if the SSH service is running on the instance. If the service is not running, the user will see a stopped status. We need to start it with systemctl start sshd.
check SSH TCP port 22 in the listening state with netstat or ss command
The netstat command is a network diagnostic tool that can be used to check the status of network connections. The netstat -ln | grep :22 command will return a list of all the processes that are listening on TCP port 22. If SSH is not in the list, the user will see a “Connection refused” error message.
$ sudo ss -tpln | grep -E ’22|ssh’
LISTEN 0 128 *:22 *:* users:((“sshd”,pid=1901,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:((“sshd”,pid=1901,fd=4))
check security group and network ACLs allow incoming traffic on TCP port 22
The security groups and network ACLs control the traffic that is allowed to reach an instance. In order to allow SSH traffic, the security group or network ACL for the instance must be configured to allow incoming traffic on TCP port 22. If the security group or network ACL is not properly configured, the user will see a “Connection refused” error message.
If you are troubleshooting a connection refused error, these are the five steps you should take. By following these steps, you will be able to determine whether the problem is with the network, the port, SSH service, or the security group. Once you have identified the cause of the error, you can fix it and SSH into your instance.
I hope this article has been helpful. If you have any questions, please feel free to leave a comment below. Thank you for reading!