P2
Connection Refused — SSH Troubleshooting Guide
Diagnose and fix SSH connection failures. Covers network connectivity, sshd configuration, firewall rules, fail2ban, and daemon troubleshooting.
10 min7 steps
Progress: 0/7 steps
0%
Verify the server is reachable at the network level.
ping -c 3 SERVER_IP && echo '---' && nc -zv SERVER_IP 22 -w 5
Expected: Ping should succeed. nc should show 'Connection to SERVER_IP 22 port [tcp/ssh] succeeded!' If nc fails, SSH isn't listening.
If you have console/IPMI access, check sshd status on the server.
systemctl status sshd && ss -tlnp | grep :22
Expected: sshd should be active (running) and listening on port 22.
Verify which port SSH is configured to listen on.
grep -E '^Port|^ListenAddress' /etc/ssh/sshd_config
Expected: Default is Port 22. If changed, use 'ssh -p PORT user@host'.
Ensure the firewall allows SSH connections.
ufw status 2>/dev/null || iptables -L -n | grep -i ssh || firewall-cmd --list-all 2>/dev/null
Expected: Port 22 (or custom SSH port) should be ALLOW/ACCEPT.
Your IP may be banned due to failed login attempts.
fail2ban-client status sshd 2>/dev/null && echo '---' && grep YOUR_IP /var/log/fail2ban.log 2>/dev/null | tail -5
Expected: Check if your IP is in the 'Banned IP list'. Unban with: fail2ban-client set sshd unbanip YOUR_IP
Look at recent SSH logs for error messages.
journalctl -u sshd --since '30 minutes ago' --no-pager | tail -30
Expected: Look for errors like 'Too many authentication failures', 'Connection closed by', or 'No supported authentication methods'.
If configuration was changed, restart sshd to apply.
systemctl restart sshd && systemctl status sshd
If you're connected via SSH, use 'systemctl reload sshd' instead to avoid disconnecting yourself.