ssh: connect to host ... port 22: Connection refused

DodaTech

The Connection refused SSH error means nothing listens on port 22 on the server. Fix it by starting sshd, checking ufw rules, or verifying the configured port.

What It Means

When you see Connection refused, your connection attempt reached the host at the network level (the host is up), but the port you connected to returned a RST (reset) packet instead of completing the TCP handshake because no process is bound to it. This is different from a timeout: the server actively rejected you.

Why It Happens

  • The SSH daemon (sshd) is not installed or not running on the server.
  • SSH is running on a non-standard port and you’re connecting to port 22.
  • A firewall is blocking the port but sending a reject (not a drop).
  • The SSH service crashed or failed to start after an update or reboot.
  • The ListenAddress directive in /etc/ssh/sshd_config binds sshd to a different address than the one you are connecting to.

How to Fix It

1. Check if SSH is running on the server

sudo systemctl status sshd   # unit name on RHEL, Fedora and most other distributions
sudo systemctl status ssh    # unit name on Debian and Ubuntu

If it shows inactive (dead), start and enable it:

sudo systemctl start sshd
sudo systemctl enable sshd

2. Verify the port is listening

sudo ss -tlnp | grep :22

The output should show LISTEN and the SSH process name. If nothing appears, SSH isn’t bound to the port.

3. Check the SSH configuration

sudo grep -E "^(Port|ListenAddress)" /etc/ssh/sshd_config

If Port is set to a non-default value (e.g., 2222), connect with:

ssh -p 2222 user@host

4. Check firewall rules

sudo ufw status
sudo iptables -L -n | grep :22

Ensure the firewall allows incoming traffic on port 22:

sudo ufw allow 22/tcp
sudo ufw reload

5. Restart the SSH service

sudo systemctl restart sshd

After restarting, verify the port is listening again with ss -tlnp.

6. Check the SSH logs

sudo journalctl -u sshd --no-pager -n 30

Logs often reveal why SSH failed to start — missing host keys, binding errors, or configuration syntax issues.

What's the difference between Connection refused and Connection timed out?

Connection refused means the server actively rejected the connection (no service on that port). Timed out means the client couldn’t reach the server at all — no response to the TCP handshake, usually due to a firewall dropping packets or the server being offline.

Can cloud firewalls cause Connection refused?

Yes. Some cloud security groups (like AWS Security Groups) silently drop traffic, which causes a timeout. But others (like some VPS firewalls) send a reject packet, which appears as “Connection refused.” Check both the OS-level firewall and the cloud provider’s firewall console.
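
The refused-versus-timed-out distinction above can be checked from the client before you log in to the server. The following is an added example, not code from the original article: it makes one TCP connection attempt, classifies the result, and reads the SSH identification string if something answers. The function name probe_ssh and the state labels are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Classify one TCP connection attempt to an SSH port (added example)."""
import socket
import sys


def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, detail); the state labels are this example's own."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # A RST came back: the host is reachable but nothing accepts on this
        # port, or a firewall rule rejects (rather than drops) the packet.
        return "refused", "check that sshd is running, its Port, and reject rules"
    except (socket.timeout, TimeoutError):
        # No answer at all: packets are dropped or the host is offline.
        return "timeout", "check drop rules, cloud firewalls, and that the host is up"
    except OSError as exc:
        # DNS failure, no route to host, network unreachable, and so on.
        return "error", str(exc)

    with sock:
        try:
            # An SSH server sends its identification string when the
            # connection opens (RFC 4253), so one read is enough here.
            raw = sock.recv(255)
        except OSError:
            raw = b""  # connected, but nothing arrived before the timeout
    lines = raw.decode("ascii", "replace").splitlines()
    banner = next((ln.strip() for ln in lines if ln.startswith("SSH-")), "")
    if banner:
        return "open", banner
    # Something is listening, but it did not identify itself as SSH.
    return "open-not-ssh", (lines[0].strip() if lines else "")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state, detail = probe_ssh(target, target_port)
    print(f"{target}:{target_port} -> {state}: {detail}")
```
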
