SSH Connection Refused

Last updated: April 2026

A "Connection refused" error means the TCP handshake reached the remote host, but no service accepted the connection on the target port. Unlike a timeout (where packets are silently dropped or never arrive), a refused connection produces an immediate RST packet from the remote system. This article walks through the most common causes in order of likelihood.

1. SSH Service Not Running

The most common cause is simply that the SSH daemon is not running on the remote host. How you verify this depends on the target platform.

Linux (systemd)

systemctl status sshd

If the service is inactive or failed, start and enable it:

sudo systemctl start sshd
sudo systemctl enable sshd

Linux (SysVinit / Upstart)

service ssh status

Start it with:

sudo service ssh start

Cisco IOS

Verify SSH is enabled and check the version:

show ip ssh

Confirm VTY lines accept SSH connections:

show run | section line vty

You should see transport input ssh (or transport input all) under the VTY line configuration. If SSH is not configured, you will need to generate an RSA key pair and set a domain name first:

conf t
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
end

Windows (OpenSSH Server)

Check the OpenSSH SSH Server service in PowerShell:

Get-Service sshd

Start and set to automatic:

Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

2. Wrong Port

The default SSH port is 22, but many administrators change it for security or operational reasons. If the server listens on a non-standard port and you connect to port 22, you will get "Connection refused."

Check the Listening Port on the Remote Host

On modern Linux systems:

ss -tlnp | grep ssh

On older systems:

netstat -tlnp | grep ssh

Look for the port number in the Local Address column (e.g., 0.0.0.0:2222 means SSH is listening on port 2222).

Check sshd_config

grep -i "^Port" /etc/ssh/sshd_config

If the line reads Port 2222, configure RockTerm to connect on port 2222 instead of the default.

Configuring the Port in RockTerm

In your connection profile, set the Port field to match the server's listening port. You can also test from the command line:

ssh -p 2222 user@hostname

3. Firewall Blocking the Connection

A firewall on the remote host, on the local host, or somewhere in the network path may be blocking port 22 (or your configured port). Unlike a silent drop (which causes a timeout), some firewalls send an explicit REJECT, which produces a "Connection refused" error.

Linux iptables

sudo iptables -L -n --line-numbers

Look for rules that DROP or REJECT traffic on your SSH port. To allow SSH through iptables:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Linux firewalld

sudo firewall-cmd --list-all

Ensure the ssh service is listed under services. If not:

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Cisco ASA

show access-lists

Verify that your source IP and destination port 22 are permitted in the relevant access-list applied to the interface.

Windows Firewall

Check inbound rules in PowerShell:

Get-NetFirewallRule -DisplayName "*SSH*" | Format-Table -AutoSize

Or open Windows Defender Firewall with Advanced Security and look for an inbound rule allowing TCP port 22. If the OpenSSH Server feature was installed, this rule is typically created automatically.

Cloud Security Groups

If the remote host is in AWS, Azure, GCP, or another cloud provider, check the security group or network security group rules. Ensure an inbound rule permits TCP traffic on your SSH port from your source IP address or CIDR range.

4. Host-Based Access Restrictions in sshd_config

Even if the SSH daemon is running and the firewall allows traffic, the SSH server itself can refuse connections based on configuration directives in /etc/ssh/sshd_config.

AllowUsers and AllowGroups

If AllowUsers or AllowGroups is defined, only the listed users or groups may connect. Everyone else is refused at the authentication stage.

grep -i "^Allow\|^Deny" /etc/ssh/sshd_config

Example configuration:

AllowUsers admin deployer@192.168.1.0/24
AllowGroups sshusers

DenyUsers and DenyGroups

These explicitly block specific users or groups. DenyUsers is processed before AllowUsers.

ListenAddress

If ListenAddress is set to a specific IP (e.g., ListenAddress 10.0.0.5), SSH will only accept connections on that interface. Connections to other IP addresses on the same host will be refused.

grep -i "^ListenAddress" /etc/ssh/sshd_config

After making changes to sshd_config, restart the SSH service:

sudo systemctl restart sshd

5. TCP Wrappers

On older Linux distributions, TCP wrappers (libwrap) can restrict access to services including SSH. This mechanism uses two files:

• /etc/hosts.allow — explicitly permitted connections
• /etc/hosts.deny — explicitly denied connections

Rules in hosts.allow are evaluated first. If a match is found, access is granted. Otherwise, hosts.deny is checked. If hosts.deny contains ALL: ALL and no corresponding allow rule exists for SSH, connections will be refused.

Example: Allow SSH from a Specific Subnet

In /etc/hosts.allow:

sshd: 192.168.1.0/255.255.255.0

In /etc/hosts.deny:

sshd: ALL

Note: TCP wrappers are deprecated on most modern distributions. RHEL 8+ and Ubuntu 20.04+ no longer ship with libwrap support compiled into OpenSSH. Use firewall rules or sshd_config directives instead.

6. Network Path Issues

If none of the above apply, the problem may be in the network path between your workstation and the remote host.

Basic Connectivity

ping hostname

Note: ICMP may be blocked, so a failed ping does not always mean the host is unreachable.

Test TCP Connectivity to the SSH Port

From Windows PowerShell:

Test-NetConnection -ComputerName hostname -Port 22

This will report whether the TCP connection succeeded and display the remote address and latency. Look at the TcpTestSucceeded field in the output.

From Linux:

nc -zv hostname 22

Trace the Route

From Windows:

tracert hostname

From Linux:

traceroute hostname

Look for where packets stop or where latency spikes. This can identify routing issues or an intermediate firewall that is blocking traffic.

NAT and Port Forwarding

If the remote host is behind a NAT device or load balancer, ensure port forwarding is configured correctly. A "Connection refused" can occur if the NAT device receives the SYN but has no translation rule to forward it to the internal host.

Quick Checklist

1. Is the SSH service running on the remote host? (systemctl status sshd)
2. Are you connecting to the correct port? (ss -tlnp | grep ssh)
3. Is the host firewall allowing inbound SSH? (iptables -L -n, firewall-cmd --list-all)
4. Are cloud security groups or network ACLs permitting the traffic?
5. Does sshd_config restrict access by user, group, or listen address?
6. Are TCP wrappers blocking the connection? (Check /etc/hosts.allow and /etc/hosts.deny)
7. Can you reach the port at all? (Test-NetConnection -ComputerName hostname -Port 22)
8. Is a NAT device or load balancer in the path configured correctly?

← Back to Support Articles

Still need help?

If you're still experiencing issues, contact us or email info@rockriverresearch.com.