Encountering the error message "ssh connect to host port 22: connection timed out" is a common yet frustrating experience for system administrators and developers. This specific notification indicates that your client machine successfully initiated a network connection, but the target server failed to respond on the standard Secure Shell port within the expected timeframe. Essentially, the digital handshake required to establish a secure session was not completed, leaving your terminal session hanging and your intended tasks unfulfilled.
The underlying causes for this timeout are multifaceted, ranging from simple service disruptions to complex network configuration issues. It is crucial to move beyond the initial frustration and adopt a systematic approach to troubleshooting. By methodically checking the status of the SSH daemon, verifying network routes, and auditing local firewall rules, you can transform a blocked connection into a resolved pathway for secure access.
Verifying the SSH Service Status
Before diving into network complexities, the most logical step is to confirm that the SSH service itself is operational on the remote host. If the daemon is not running, no amount of network troubleshooting will yield a successful connection. This is often the simplest explanation for a "connection timed out" error.
Accessing the Remote Server
If you have direct console access—either via a physical terminal, a cloud provider's web interface, or a different remote connection—you can verify the status of the SSH daemon. On systems utilizing systemd, such as modern Ubuntu or CentOS distributions, the command `sudo systemctl status sshd` (or `ssh`) provides immediate insight. Look for an "active (running)" state; if you see "inactive (dead)" or "failed," the service needs to be started with `sudo systemctl start sshd` and potentially enabled to start on boot.
Network Path and Firewall Analysis
Assuming the service is running, the error shifts focus to the network layer. A "timeout" implies that packets are being discarded rather than rejected, meaning there is no response packet returning to your client. This behavior is typically the result of a firewall silently dropping traffic or a routing issue preventing packets from reaching the destination.
Checking Local and Network Firewalls
Firewalls act as gatekeepers, and an overzealous configuration is a prime suspect. On the server, you must ensure that the host-based firewall (like `iptables` or `ufun`) allows ingress traffic on port 22. For example, a command like `sudo ufw allow 22/tcp` is often necessary. Externally, network firewalls, security groups in AWS, or NSGs in Azure must be inspected. It is a common oversight to configure the server's firewall but forget the network perimeter rules, effectively creating a barrier that blocks all access attempts.
Routing and ISP Issues
Complex network topologies can introduce routing black holes. Tools like `traceroute` or `mtr` can illuminate the path your packets take. If the trace stops abruptly before reaching the destination, it suggests a router along the path is dropping ICMP or TCP packets destined for port 22. Additionally, some Internet Service Providers block residential ports used for hosting services; while less common for standard SSH ports, verifying that your local ISP isn't interfering is a step worth documenting.
Configuration and Client-Side Checks
Occasionally, the issue lies not with the network infrastructure but with the client configuration or the specific parameters of the connection attempt.