Linux SSH Connection Refused Error Fix

What Does This Error Mean?

SSH 'Connection refused' means your computer tried to connect to port 22 (the default SSH port) on the remote machine, but nothing answered. This means the SSH server is not installed, is not running, is blocked by a firewall, or is listening on a different port. It does not mean your password is wrong — you never even got that far.

Affected Models

Ubuntu
Debian
Fedora
CentOS
Arch Linux
Raspberry Pi OS

Common Causes

The SSH server (openssh-server) is not installed on the remote machine
The SSH service is installed but stopped and needs to be started
A firewall on the remote machine is blocking port 22
The SSH server was configured to listen on a different port than 22
The IP address or hostname you are connecting to is wrong

How to Fix It

Install the SSH server. On the remote machine, run: sudo apt install openssh-server (Ubuntu/Debian) or sudo dnf install openssh-server (Fedora). Then: sudo systemctl enable --now ssh

Many desktop Linux installations do not include an SSH server by default. It must be installed separately.
Start and enable the SSH service. Run: sudo systemctl start ssh (Ubuntu) or sudo systemctl start sshd (Fedora/CentOS). To start automatically at boot: sudo systemctl enable ssh

The service name is 'ssh' on Debian/Ubuntu and 'sshd' on Fedora/CentOS. Both refer to the same OpenSSH server.
Check if the firewall is blocking port 22. Run: sudo ufw status (Ubuntu) or sudo firewall-cmd --list-all (Fedora). If SSH is not listed as allowed, add it: sudo ufw allow ssh

The ufw firewall on Ubuntu is disabled by default on desktop installations. On servers, it is often enabled and SSH may need to be explicitly allowed.
Check what port SSH is listening on. Run on the remote machine: sudo ss -tlnp | grep sshd. Look for the port number. If it is not 22, connect with the correct port: ssh -p [port] user@hostname

Some system administrators change the SSH port for security. If the port was changed, you must specify it explicitly when connecting.
Verify you have the correct IP address. From the remote machine, run: ip addr show to find the correct IP address. Make sure you are connecting to that exact address.

IP addresses can change on home networks when the device reconnects. Assign a static IP to avoid this.

When to Call a Professional

SSH connection errors are always diagnosable and fixable by someone with access to the remote machine. If the remote machine is a VPS or cloud server, the provider's web console can give you access to fix the SSH service without needing SSH. For home servers, physical access to the machine lets you fix SSH easily.

Frequently Asked Questions

What is the difference between Connection refused and Connection timed out?

Connection refused means the remote machine actively rejected the connection — it is reachable but SSH is not running or is blocked. Connection timed out means no response came at all — the machine may be offline, the IP is wrong, or a network firewall dropped the packet silently. Refused is actually better news: it means you are reaching the right machine.

How do I check if a port is open without SSH?

From your local machine, run: nc -zv [ip-address] 22 or: telnet [ip-address] 22. If you see 'Connected,' the port is open. If you see 'Connection refused,' port 22 is closed. You can also use: nmap -p 22 [ip-address] if nmap is installed.

Is it safe to expose SSH to the internet?

SSH on the open internet is constantly probed by automated bots. To protect yourself: disable password authentication and use SSH keys only, change the SSH port from 22, install fail2ban to block repeated failed login attempts, and only allow specific IP addresses if possible. Never use SSH with a simple or default password on an internet-facing server.