1. Introduction

In the realm of Linux server administration, encountering an error message like port 22: connection refused during an attempt to connect via Secure Shell (SSH) can be a formidable obstacle. This issue, indicating a failure to establish a connection through the SSH protocol, necessitates a methodical approach to diagnose and resolve.

In this tutorial, we’ll explore common reasons for the error message port 22: connection refused and look at solutions. The goal is to equip users and administrators with the knowledge and skills needed to diagnose and rectify common connectivity hurdles.

2. Checking Client Connectivity Issues

To begin with, we investigate the client side. In particular, we use ping and telnet for this purpose.

2.1. Ping the Server

First, we ping the hostname or server IP address to check if the server is reachable:

$ ping 10.211.55.5
PING 10.211.55.5 (10.211.55.5) 56(84) bytes of data.
64 bytes from 10.211.55.5: icmp_seq=1 ttl=64 time=0.115 ms
64 bytes from 10.211.55.5: icmp_seq=2 ttl=64 time=0.135 ms
64 bytes from 10.211.55.5: icmp_seq=3 ttl=64 time=0.144 ms
...
--- 10.211.55.5 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3081ms
rtt min/avg/max/mdev = 0.115/0.134/0.144/0.011 ms

In this case, 10.211.55.5 is the IP address of the server and the server is reachable.

Notably, while a successful ping serves as a positive indicator of server reachability, no ping response doesn’t necessarily mean that the server isn’t reachable.

2.2. Telnet to the Port

telnet is a command-line tool that can establish a simple text-based connection to a remote server on a specified port.

First, let’s check the default SSH port:

$ telnet 10.211.55.5 22
Trying 10.211.55.5...
Connected to 10.211.55.5.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3

After the connection is established, the server sends a banner that includes information about the SSH server software and the operating system it’s running on.

In this case, it indicates that the server is running OpenSSH and listening to port 22.

Notably, when using telnet to inspect the connection to a specific port, a successful connection indicates that the port is open, and the server is responsive. On the other hand, an unsuccessful attempt doesn’t exclusively suggest an unreachable server.

3. Checking SSH Server Configuration File

This time, we ensure that the SSH port is correctly configured on the server.

Let’s take a look at the SSH daemon configuration:

$ grep Port /etc/ssh/sshd_config
Port 2222

In this case, we use port 2222 instead of the default SSH port 22.

Now, we can use that configured port during the SSH connection on the client side:

$ ssh -p 2222 username@our_server_ip

We used -p to use port 2222 for the SSH connection.

Of course, we can always change the current port 2222 to default SSH port 22 on the server:

$ grep Port /etc/ssh/sshd_config
Port 22

Then, we restart the SSH service:

$ sudo systemctl restart sshd

In this case, we used systemctl via sudo to restart the SSH service. At this point, we should be able to connect via port 22.

4. Checking SSH Service Status

After checking the SSH configuration file, we examine the SSH service on the Linux server and check its installation status and activation.

4.1. Install SSH Service

At this point, we ensure SSH is installed on the Linux server. If not installed yet, we use the package manager specific to our distribution.

To install SSH service on Ubuntu or Debian, we use apt-get:

$ sudo apt-get install openssh-server

To install SSH service For Red Hat or Fedora, we use yum:

$ sudo yum install openssh-server

Once installed, we can check the service status.

4.2. SSH Service Status

So, let’s make sure the service is up and running:

$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: en
abled)
     Active: active (running) since Thu 2023-08-17 09:22:52 UTC; 2 mo
nths 30 days ago
...
Aug 17 09:22:52 amir-ubuntu sshd[961]: Server listening on 0.0.0.0 port 22.
Aug 17 09:22:52 amir-ubuntu sshd[961]: Server listening on :: port 22.
...

In summary, this output provides a detailed snapshot of the SSH service’s current status, configuration, process information, and recent log events.

In this case, the SSH service is active and running, listening on port 22.

On the other hand, if it’s not running, we can start it:

$ sudo systemctl start sshd

Moreover, we might want to enable SSH service at boot time:

$ sudo systemctl enable sshd

Then, we can check the status again after a reboot.

5. Checking and Configuring the Firewall

One of the reasons for this error may be that the SSH port is blocked by the firewall. Hence, we need to identify the firewall tool that controls access to the Linux system.

Common firewall tools include ufw, iptables, and firewalld. The commands will vary based on the tool in use.

5.1. Using ufw

Let’s verify the firewall allows SSH traffic through:

$ sudo ufw status
Status: active

To             Action      From
--             ------      ----
22             ALLOW       Anywhere
22 (v6)        ALLOW       Anywhere (v6)

In this case, the default SSH port is open.

Of course, we can also open the port if it’s not open:

$ sudo ufw allow 22

Then, we reload ufw for the changes to take effect:

$ sudo ufw reload

At this point, port 22 should be allowed.

5.2. Using iptables

Now, we check the current iptables rules:

$ sudo iptables -n -L | grep 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:22

In this case, the output shows two rules in the iptables configuration that explicitly allow both TCP and UDP traffic on port 22.

Of course, we can add an iptables rule to allow incoming traffic on port 22:

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Now, let’s break down the code:

  • -A INPUT appends the rule to the INPUT chain
  • -p tcp specifies the protocol as TCP
  • –dport 22 specifies the destination port as 22
  • -j ACCEPT specifies that the traffic matching this rule should be accepted

Then, we install iptables-persistent to make them persistent across reboots:

$ sudo apt-get install iptables-persistent

During the installation, we’ll be prompted to save the current iptables rules. Now, the rule table should be preserved after a reboot as well.

5.3. Using firewalld

If firewalld is running on the Linux system, we use firewall-cmd to make sure the SSH port is open:

$ sudo firewall-cmd --list-ports
...
22/tcp

Of course, if the SSH port isn’t in the list, we can add it to the allowed ports:

$ sudo firewall-cmd --permanent --add-port=22/tcp

This command adds port 22 to the allowed ports in the permanent configuration.

After making changes, we reload firewalld for the modifications to take effect:

$ sudo firewall-cmd --reload

Thus, we reload the firewalld configuration, applying any changes.

6. Clearing SSH Known Hosts

This time, we address potential issues related to stored host keys, allowing for a connection attempt.

So, let’s back up and clear the ~/.ssh/known_hosts file on the client side:

$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts.bak && echo > ~/.ssh/known_hosts

This file stores the host keys of SSH servers that the user has connected to in the past. To omit any mismatch between addresses and server keys, we cleared the content of this file.

7. Review SSH Logs

In our approach to troubleshooting, we can examine SSH logs for any potential error messages or issues. The SSH server logs are typically located in /var/log/auth.log or /var/log/secure.

To view the latest log entries, we can use the tail command and also use -f to see any new entries as they’re added:

$ tail -f /var/log/auth.log
...
Nov 19 07:17:29 amir-ubuntu sshd[2415]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.244.1 user=amir
Nov 19 07:17:31 amir-ubuntu sshd[2415]: Failed password for amir from 192.168.244.1 port 55300 ssh2
...

In this case, we entered the password incorrectly.

8. Debugging SSH

At this point, if nothing else helps, we can employ the verbose output of an SSH connection for debugging:

$ ssh -v [email protected]
OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/amir/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.244.129 [192.168.244.129] port 22.
...
debug1: Next authentication method: password
[email protected]'s password:
Authenticated to 192.168.244.129 ([192.168.244.129]:22) using "password".
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
...
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"

This output helps in diagnosing SSH connection issues. In this case, the connection is successfully established using password authentication.

9. Conclusion

In this article, we learned practical solutions to the SSH error port 22: Connection refused in Linux.

We explored general connectivity issues, checked SSH configurations, and ensured the service was up and running. Following that, we delved into the firewall setup and debugging techniques.

By understanding these troubleshooting steps, administrators are empowered to maintain seamless and secure SSH connections on Linux systems.