How to Fix "ssh: connect to host port 22: Connection refused"
Fix 'Connection refused' on SSH port 22. Learn how to check sshd status, open firewalls (UFW/iptables), and resolve AWS EC2 or Raspberry Pi SSH connection error
- The SSH daemon (sshd) is not installed, not running, or crashed on the target server.
- A firewall (UFW, iptables, AWS Security Groups) is actively rejecting traffic on port 22.
- The SSH service is bound to a different IP address or listening on a custom port instead of 22.
- Quick Fix: Log into the server via console/web terminal, run 'sudo systemctl start ssh', and ensure 'sudo ufw allow 22' is set.
| Root Cause | Symptom / When it Happens | Time to Fix | Risk Level |
|---|---|---|---|
| Service Down | ssh localhost connection refused | 1 min | Low |
| OS Firewall Block | ubuntu server ssh connection refused | 3 mins | Medium |
| Cloud Security Group | aws ec2 ssh connection refused | 2 mins | Medium |
| Dynamic IP Change | ec2 ssh connection refused after reboot | 5 mins | Low |
| Outbound Port 22 Block | ssh connect to host github com port 22 connection refused | 2 mins | Low |
Understanding the "Connection Refused SSH Port 22" Error
When you see ssh connect to host port 22 connection refused (or variations like ssh connect to host 10.0.2.15 port 22 connection refused in VirtualBox, or ssh connect to host 127.0.0.1 port 22 connection refused locally), it specifically means your computer successfully reached the target IP address, but the target server actively rejected the TCP connection on port 22.
Unlike a "Connection timed out" error (which means packets are dropping silently into a network black hole), a refusal is explicit. The server's operating system sent a TCP RST (Reset) packet back to your client. This typically happens for three reasons: the SSH daemon (sshd) isn't running, a firewall is rejecting the connection, or the service is listening on a non-standard port.
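The difference between a refusal, a timeout and a listening sshd can be checked directly from the client. The following is an added example, not part of the original article: the function name `probe_ssh` and its output labels are assumptions, and it relies on bash's `/dev/tcp` and the coreutils `timeout` command.

```shell
#!/bin/sh
# Added example (not from the original article).
# probe_ssh HOST [PORT] [SECONDS] prints one of:
#   refused        - an RST came back: sshd down, firewall REJECT, or wrong port
#   timed-out      - no answer at all: packets are dropped on the way
#   ssh-banner     - sshd answered; any later failure is authentication
#   open-no-banner - something accepted the connection but is not speaking SSH
#   error:<text>   - anything else (DNS failure, no route, ...)
probe_ssh() (
    host=$1; port=${2:-22}; wait=${3:-5}; rc=0
    # bash performs the connect() through /dev/tcp; LC_ALL=C keeps the
    # error text in English so it can be matched below.
    out=$(LC_ALL=C timeout "$wait" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        printf "CONNECTED "
        IFS= read -r -t 2 banner <&3 && printf "%s" "$banner"
        exit 0' _ "$host" "$port" 2>&1) || rc=$?
    case "$rc:$out" in
        124:*)                  echo "timed-out" ;;      # killed by timeout(1)
        *"Connection refused"*) echo "refused" ;;
        0:"CONNECTED SSH-"*)    echo "ssh-banner" ;;
        0:CONNECTED*)           echo "open-no-banner" ;;
        *)                      echo "error:$out" ;;
    esac
)

# Run as: sh probe.sh HOST [PORT]
if [ "$#" -gt 0 ]; then probe_ssh "$@"; fi
```

A result of `ssh-banner` followed by a failed login points to the credentials discussed in the next section, not to the network.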
Distinguishing Between "Connection Refused" and "Permission Denied"
Many users confuse network-level connection refusals with authentication failures. If you see ssh root permission denied or raspberry pi ssh permission denied, your connection succeeded, but your credentials (password or SSH key) failed.
If you are dealing with linux ssh key permissions issues, ensure your private keys are locked down. The correct permissions for ssh key files (e.g., ~/.ssh/id_rsa) are 600, and the ~/.ssh directory should be 700. Incorrect ssh permissions or a bad permission ssh key setup will cause the server to drop your authentication attempt, but it will not trigger a "connection refused" error. "Connection refused" happens before keys are even evaluated.
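To see which files actually deviate from these modes before changing anything, the directory can be audited first. This is an added example, not part of the original article: the function name `audit_ssh_perms` is an assumption, and it uses GNU `stat -c` as found on Linux.

```shell
#!/bin/sh
# Added example (not from the original article).
# audit_ssh_perms [DIR] reports, without changing anything, where DIR
# (default ~/.ssh) differs from the modes given above: 700 for the
# directory, 600 for private keys. Prints nothing when all is well.
audit_ssh_perms() (
    dir=${1:-$HOME/.ssh}
    [ -d "$dir" ] || { echo "missing: $dir"; exit 0; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || echo "dir $dir is $mode, expected 700"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Identify private keys by their header, not by file name, so keys
        # called deploy_key or backup.pem are checked as well.
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null || continue
        mode=$(stat -c %a "$f")
        # OpenSSH treats a private key as too open when any group/other
        # bit is set, so 600 and 400 both pass and 640 or 644 do not.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "key $f is $mode, expected 600"
        fi
    done
)

# Run as: sh audit.sh [DIR]
if [ "$#" -gt 0 ]; then audit_ssh_perms "$@"; fi
```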
Step 1: Verify the SSH Daemon is Running
The most common cause of an ubuntu server ssh connection refused or debian ssh connection refused error is that openssh-server is either not installed or not running. Desktop Linux distributions often omit the SSH server by default.
Access the target server via a physical console or cloud provider web console and check the service status:
sudo systemctl status ssh (use sshd on RHEL/CentOS systems).
If the service is inactive or failed, start and enable it:
sudo apt install openssh-server (if missing)
sudo systemctl start ssh
sudo systemctl enable ssh
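A running service can still refuse connections on port 22 if it is bound to another address or port, the third cause listed at the top of this page. The following added example (not part of the original article) reads `sudo ss -tlnp` output and reports which case applies; the function name, the output labels and both sample listings are constructed for illustration, and it assumes sshd holds its own listening socket (no systemd socket activation).

```shell
#!/bin/sh
# Added example (not from the original article).
# check_sshd_listeners [PORT] reads `sudo ss -tlnp` output on stdin and prints:
#   not-listening | ok | loopback-only | wrong-port:<ports>
check_sshd_listeners() {
    awk -v want="${1:-22}" '
        $1 == "LISTEN" && /"sshd"/ {
            seen = 1
            n = split($4, part, ":"); port = part[n]   # last piece, so [::]:22 works
            addr = substr($4, 1, length($4) - length(port) - 1)
            gsub(/^\[|\]$/, "", addr)                  # strip IPv6 brackets
            if (port != want) {
                if (!(port in dup)) {
                    dup[port] = 1
                    other = (other == "" ? port : other "," port)
                }
            } else if (addr ~ /^127\./ || addr == "::1") loop = 1
            else ext = 1
        }
        END {
            if (!seen)     print "not-listening"       # go back to Step 1
            else if (ext)  print "ok"
            else if (loop) print "loopback-only"       # ListenAddress is local only
            else           print "wrong-port:" other   # connect with ssh -p <port>
        }'
}

# Constructed sample: sshd moved to port 2222 in sshd_config.
sample_custom_port() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:2222         [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=640,fd=6))
EOF
}

# Constructed sample: sshd bound to the loopback address only.
sample_loopback_only() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128        127.0.0.1:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
EOF
}

sample_custom_port | check_sshd_listeners 22    # prints wrong-port:2222
```

On a real server, run `sudo ss -tlnp | check_sshd_listeners 22`; without sudo the process column is empty and the result is always `not-listening`.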
Step 2: Check OS-Level Firewalls (UFW, iptables)
If the daemon is running, an internal firewall is likely blocking you, resulting in a linux ssh connection refused or ssh connection refused linux error.
- Ubuntu/Debian (ssh connection refused ubuntu): sudo ufw allow 22/tcp
- RHEL/CentOS/AlmaLinux (rhel 8 ssh connection refused): sudo firewall-cmd --permanent --add-port=22/tcp && sudo firewall-cmd --reload
- Windows (ssh windows connection refused / ssh connection refused windows): Open Windows Defender Firewall and create an Inbound Rule allowing TCP port 22 if you are running an OpenSSH server natively or inside WSL.
Step 3: Cloud Provider Security Groups and Firewalls
Cloud providers utilize external, network-level firewalls that sit in front of your server's OS.
- AWS EC2: An aws ec2 ssh connection refused or aws ssh port 22 connection refused is almost always a Security Group issue. Ensure the Security Group attached to your EC2 instance has an Inbound Rule allowing TCP Port 22 from your specific IP address (or 0.0.0.0/0 for testing, though not recommended for production).
- EC2 Reboot Issue: If you get an ec2 ssh connection refused after reboot, it is highly likely you did not attach an Elastic IP. Stopping and starting an EC2 instance changes its public IPv4 address. You are trying to connect to the old, now-invalid IP address. Check the AWS Management Console for the new public IP.
- Other Providers: The exact same network firewall principles apply to oracle cloud ssh connection refused, linode ssh connection refused, vultr ssh connection refused, contabo ssh connection refused, and cpanel ssh port 22 connection refused (often managed via WHM/cPanel's CSF firewall). Always verify the provider's web dashboard for external firewall rules.
Step 4: Specific Platform Quirks and Edge Cases
Raspberry Pi (raspberry pi 4 ssh connection refused)
Modern versions of Raspberry Pi OS disable SSH by default for security purposes. To fix an ssh connection refused raspberry pi or raspberry ssh connection refused on a headless setup (no monitor), insert the SD card into your computer and create an empty file named exactly ssh (no file extension) in the root of the boot partition. When you boot the Pi, it will detect this file and automatically start the SSH daemon.
GitHub Outbound Blocks (ssh connect to host github com port 22 connection refused)
Corporate firewalls, university networks, and public Wi-Fi often block outbound traffic on port 22. If you cannot push or pull from GitHub via SSH, edit your local ~/.ssh/config file to route SSH traffic over HTTPS port 443:
Host github.com
Hostname ssh.github.com
Port 443
User git
Network Appliances & Enterprise Routing (cisco ssh connection refused / udm pro ssh connection refused)
For networking hardware like Cisco routers (the remote system refused the connection ssh cisco) or Ubiquiti UDM Pro devices, ensure you have generated crypto keys (crypto key generate rsa in Cisco IOS) and explicitly enabled SSH on the VTY lines (transport input ssh).
FIPS Compliance (fips mode initialized ssh connection refused)
In highly secure enterprise environments, a server running in FIPS 140-2 mode will refuse connections if your client attempts to negotiate using weak, non-compliant algorithms (like ssh-rsa or chacha20-poly1305). You must upgrade your SSH client or explicitly specify a FIPS-compliant cipher in your connection command, such as ssh -c aes256-gcm@openssh.com user@host.
CI/CD Pipelines (circleci ssh connection refused)
If your CI/CD pipeline fails to deploy via SSH, verify that the runner's IP address is whitelisted in your server's firewall, and ensure the SSH key is properly loaded into the ssh-agent during the workflow steps.
Frequently Asked Questions
#!/bin/bash
# Diagnostic script for resolving SSH Port 22 "Connection Refused"
TARGET="127.0.0.1" # Replace with your target IP
echo "1. Checking if port 22 is open on $TARGET via netcat..."
nc -zv "$TARGET" 22
echo -e "\n2. Checking SSH daemon status (requires local access to target)..."
# The unit is named sshd on RHEL/CentOS and ssh on Debian/Ubuntu
sudo systemctl status sshd || sudo systemctl status ssh
echo -e "\n3. Checking local firewall rules (UFW/iptables)..."
sudo ufw status | grep -w "22" || sudo iptables -L | grep "ssh"
echo -e "\n4. Applying correct SSH Key permissions (fixes 'Permission Denied' edge cases)..."
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa 2>/dev/null
chmod 600 ~/.ssh/id_ed25519 2>/dev/null
chmod 644 ~/.ssh/*.pub 2>/dev/null
echo "Local SSH permissions secured."
Error Medic Editorial
Error Medic Editorial comprises senior DevOps and SRE engineers dedicated to demystifying complex cloud infrastructure, Linux systems, and networking errors.