ssh: connect to host hostname port 22: Connection refused
Last updated: March 2026
When you run ssh user@hostname and get ssh: connect to host hostname port 22: Connection refused, the TCP connection to port 22 was actively rejected. This is different from a timeout (where the host is unreachable) — a refused connection means something responded and said "no". The causes are well-defined and diagnosable in a few minutes.
Diagnostic Flow
Start here before assuming a specific cause:
# Step 1: Can you reach the host at all?
ping -c 4 hostname
# Step 2: Is something listening on port 22?
nc -zv hostname 22
# Step 3: Port scan to find the actual SSH port
nmap -p 1-65535 hostname -T4 | grep open
If ping fails, the host is unreachable — skip to "Host Unreachable" below. If nc outputs Connection refused, the host is reachable but nothing is listening on port 22 — the SSH daemon is not running or is on a different port.
Cause 1: SSH Service Not Running
The most common cause. The sshd daemon is stopped or crashed.
Check the status
systemctl status sshd
# Or on some distributions:
systemctl status ssh
Start the service
sudo systemctl start sshd
sudo systemctl start ssh # Debian/Ubuntu
Enable it to start automatically on boot
sudo systemctl enable sshd
If you are connected via console (not SSH)
If you can access the server console (cloud provider's web console, physical access, or VNC):
# Check if sshd is installed at all
which sshd
sshd -v
# Start manually if systemctl is not available
sudo /usr/sbin/sshd
Cause 2: SSH Running on a Non-Standard Port
Many administrators change the SSH port from 22 to reduce automated scanning. If the server uses a different port, you get "Connection refused" on port 22.
Connect to a different port
ssh -p 2222 user@hostname
Find the actual port
# If you have console access, check the SSH config
grep -i "Port" /etc/ssh/sshd_config
# From outside, scan for open ports
nmap -p 1-65535 hostname -T4 | grep open
# Or check common alternate ports
for port in 22 222 2222 22022 8022; do
nc -zv hostname $port 2>&1 | grep -v refused
done
Update your SSH config to remember the port
# ~/.ssh/config
Host myserver
HostName hostname
Port 2222
User myuser
See the SSH Config File guide for full details on config file options.
Cause 3: Firewall Blocking Port 22
A firewall on the server or the network is dropping connections. Unlike "Connection refused" (active rejection), firewall drops cause timeouts, but some firewall configurations send a TCP RST (which looks like a refusal).
Check ufw (Ubuntu/Debian)
sudo ufw status verbose
Allow SSH:
sudo ufw allow ssh
# Or explicitly:
sudo ufw allow 22/tcp
sudo ufw reload
Check firewalld (RHEL/CentOS/Fedora)
sudo firewall-cmd --list-all
sudo firewall-cmd --list-services
Add SSH permanently:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Check iptables directly
sudo iptables -L INPUT -n -v | grep -E "22|ssh|ACCEPT|DROP"
Allow SSH with iptables:
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# To persist across reboots:
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Cloud provider security groups / ACLs
If the server is on AWS, GCP, Azure, or another cloud: - AWS: Check Security Groups in EC2 → Security → Inbound rules. - GCP: Check Firewall rules in VPC network → Firewall. - Azure: Check Network Security Groups → Inbound security rules.
Ensure port 22 (or your custom port) allows TCP inbound from your IP.
Cause 4: SSH Is Not Installed
A fresh minimal server image might not have OpenSSH server installed.
Install on Debian/Ubuntu
sudo apt update
sudo apt install openssh-server
sudo systemctl enable --now ssh
Install on RHEL/CentOS/Rocky/AlmaLinux
sudo dnf install openssh-server
sudo systemctl enable --now sshd
Install on Alpine Linux
apk add openssh
rc-update add sshd
service sshd start
Cause 5: Host Unreachable
If ping hostname fails, the problem is not SSH — the network path is broken.
# Check DNS resolution
nslookup hostname
dig hostname
# Trace the network path
traceroute hostname
# Or on Windows:
tracert hostname
Possible causes: - Wrong hostname or IP address. - DNS record points to the wrong IP. - The server is powered off. - A network device (router, switch) is down. - VPN or proxy required but not connected.
Cause 6: fail2ban Has Banned Your IP
fail2ban monitors authentication logs and temporarily bans IPs that have too many failed login attempts. If you tried the wrong password or key several times, your IP may be banned.
Check if fail2ban is running
sudo systemctl status fail2ban
Check if your IP is banned
sudo fail2ban-client status sshd
Look for your IP in the "Banned IP list".
Unban your IP
sudo fail2ban-client set sshd unbanip YOUR_IP_ADDRESS
Replace YOUR_IP_ADDRESS with your actual IP. Find your IP with:
curl ifconfig.me
Temporary ban duration
By default, fail2ban bans for 10 minutes. If you wait 10 minutes and the connection starts working, fail2ban was the cause. Adjust the bantime in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local.
Cause 7: MaxStartups Limit Reached
If many SSH connections are being established simultaneously (e.g., during a deployment), the SSH daemon may reject new connections due to the MaxStartups limit.
Check:
grep MaxStartups /etc/ssh/sshd_config
Default is 10:30:100 (start refusing at 10 unauthenticated connections, drop with 30% probability up to 100). Increase if needed and restart sshd.
Full Diagnostic Commands Reference
# Check if host is reachable
ping -c 4 hostname
# Check specific port
nc -zv hostname 22
nc -zv hostname 2222
# Scan all ports to find SSH
nmap -p 1-65535 -T4 hostname | grep open
# On the server: check SSH daemon
systemctl status sshd
journalctl -u sshd --since "10 minutes ago"
# On the server: what is listening on port 22?
ss -tlnp | grep ':22'
netstat -tlnp | grep ':22'
# On the server: firewall rules
sudo ufw status verbose
sudo iptables -L INPUT -n
# fail2ban
sudo fail2ban-client status sshd
FAQ
Q: I get "Connection refused" only from my home network but not from my phone hotspot. Why?
Your home network's IP may be banned by fail2ban (see Cause 6), blocked by a cloud security group rule that only allows specific IPs, or your ISP is blocking outbound connections to port 22. Test with nc -zv hostname 22 from each network.
Q: The server was working yesterday. Now it says "Connection refused". I changed nothing.
The most likely causes: the server was rebooted and sshd did not start (systemctl enable sshd was not set), or a firewall was enabled/updated. Access via the cloud console and check systemctl status sshd.
Q: How do I keep SSH running after a server reboot?
sudo systemctl enable sshd
# Verify
systemctl is-enabled sshd
# Output: enabled