SSH: Connection refused

Diagnose and fix SSH 'Connection refused' errors caused by a stopped SSH daemon, wrong port, or firewall blocking port 22.

SSH produces "Connection refused" when the client reaches the server's IP address but the SSH daemon (sshd) is not listening on the target port, or a firewall actively rejects the TCP connection.

When SSH Produces "Connection refused"

SSH displays "ssh: connect to host 203.0.113.50 port 22: Connection refused" when the TCP connection attempt receives a RST (reset) packet instead of a SYN-ACK. This is different from a timeout — "Connection refused" means something at the server actively rejected the connection.

What Causes "Connection refused" in SSH

The SSH daemon (sshd) is not running on the server. This occurs on freshly provisioned servers where OpenSSH server was not installed, after a failed sshd configuration change that prevents the service from starting, or after a system reboot where sshd is not enabled.

The SSH daemon listens on a non-standard port. If sshd is configured to listen on port 2222 instead of the default 22, connecting to port 22 produces "Connection refused" because nothing listens there.

A firewall on the server actively rejects connections to port 22 with a RST packet. UFW rules that deny SSH produce this error.

How to Fix "Connection refused" in SSH

  1. Access the server through an alternative method (console, VNC, or cloud provider's web terminal).

  2. Check if sshd is running:

systemctl status sshd

  3. Start and enable sshd if it is inactive:

sudo systemctl enable sshd
sudo systemctl start sshd

  4. Verify sshd is listening on the expected port:

ss -tlnp | grep sshd

  5. Check that the firewall rules allow SSH:

sudo ufw status
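
To interpret the output of the `ss -tlnp` check above, the following added example (not part of the original article) classifies the listening sockets against the port the client is dialing. The function name classify_sshd_listen and the sample socket lines are constructed for illustration; the loopback-only verdict goes beyond the causes listed on this page and covers an sshd bound only to 127.0.0.1 or ::1, which also refuses remote connections.

```shell
#!/bin/sh
# classify_sshd_listen EXPECTED_PORT   (hypothetical helper, added example)
# Reads `ss -tlnp` output on stdin and prints one verdict:
#   ok             sshd listens on EXPECTED_PORT on a non-loopback address
#   loopback-only  sshd listens on EXPECTED_PORT, but only on 127.x or ::1
#   other-port:N   sshd listens, but on port N instead of EXPECTED_PORT
#   not-listening  no sshd listening socket found
# Run ss as root so the Process column names sockets owned by other users.
classify_sshd_listen() {
    awk -v want="$1" '
        $1 == "LISTEN" && /"sshd"/ {
            addr = $4
            port = addr
            sub(/.*:/, "", port)        # port = text after the last colon
            sub(/:[^:]*$/, "", addr)    # addr = everything before that colon
            if (port != want) { if (other == "") other = port; next }
            if (addr ~ /^127\./ || addr == "[::1]") loop = 1
            else reach = 1
        }
        END {
            if (reach)            print "ok"
            else if (loop)        print "loopback-only"
            else if (other != "") print "other-port:" other
            else                  print "not-listening"
        }'
}

# Constructed sample (not captured from a real host): sshd moved to port 2222.
SAMPLE_MOVED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:2222         [::]:*     users:(("sshd",pid=812,fd=4))'

# On a live server: sudo ss -tlnp | classify_sshd_listen 22
printf '%s\n' "$SAMPLE_MOVED" | classify_sshd_listen 22
```

A verdict of other-port:N means the client should connect with `ssh -p N`, or sshd's configured port should be changed back.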

How to Verify the Fix

SSH connects successfully from the client machine:

ssh user@203.0.113.50

SSH: Permission denied (publickey) — SSH connects but authentication fails.

SSH: Connection timed out — a firewall silently drops packets instead of rejecting them.