Encountering the error message "ssh: connect to host port 22: connection refused" is a common yet frustrating event for system administrators and developers. This specific output indicates that your client successfully initiated a network connection to the target server but received a reset packet (RST) instead of the expected SSH banner. Essentially, the target machine is actively refusing the connection on the standard Secure Shell port, signaling that no service is listening or that a firewall is blocking the entry point.
Diagnosing the Underlying Causes
The root cause of this error typically falls into one of several categories, ranging from simple service misconfiguration to strict network security policies. Unlike a timeout, which suggests the host is unreachable, a "connection refused" message implies the network path is clear, but the specific port is closed or filtered. This distinction is crucial for troubleshooting, as it directs your attention to the server's configuration rather than network routing issues.
Service Daemon Not Running
The most straightforward explanation is that the SSH daemon (sshd) is not active on the remote host. This can occur after a system reboot where the service failed to start automatically, or it was manually stopped. If the daemon is not running, there is no process bound to port 22 to accept incoming connections, resulting in the immediate refusal message from the operating system.
Firewall or Security Group Restrictions
Modern security configurations often block inbound traffic by default. A host-based firewall like `iptables` or `ufw` on Linux, or the built-in firewall on Windows, might be configured to drop SSH traffic. Similarly, cloud environments rely on Security Groups or Network Access Control Lists (NACLs); if the rules do not explicitly allow inbound traffic on port 22 from your IP address, the connection will be refused regardless of the SSH service status.
Verification and Troubleshooting Steps
Resolving this issue requires a systematic approach to verify each layer of the connection. You should begin by confirming the status of the remote service and then move to network-level verification. Skipping these steps can lead to unnecessary changes on your local machine when the issue resides entirely on the remote end.
Common Solutions and Fixes
Once the diagnosis is clear, applying the correct fix is usually straightforward. If the SSH daemon is down, you will need console access or a different method (like a web-based cloud console) to restart the service using `sudo systemctl start sshd` or `sudo service ssh start`. For firewall issues, you must log into the server and adjust the rules to allow traffic on port 22 from your specific IP range.