SSH clients like PuTTY, OpenSSH, etc. provide users with a seamless way to manage their servers.
But, users can occasionally run into server-side errors, like ‘SSH connection refused’, in their DigitalOcean Droplets.
How can you fix it with so little to go on? Right, this error message doesn’t give us much information.
But, don’t worry, at Bobcares, we help Droplet owners fix such errors as part of our Managed Cloud Services.
Today, we’ll discuss the top 4 reasons for this error and how our Support Engineers fix it.
‘SSH Connection refused’ in DigitalOcean – Let’s get an idea
Before we move on to the reasons, let’s first get an idea of this error.
The SSH connection refused error means that the request to connect to the server is routed to the SSH host, but the host doesn’t accept that request and sends back an acknowledgement saying so.
And, Droplet owners see this acknowledgement message as given below.
ssh: connect to host 192.xxx.12x.1x port xx: Connection refused
There are a number of reasons for this error.
Now, let’s see the top 4 reasons why SSH drops the connection and how our Support Engineers fix it.
‘SSH Connection refused’ in DigitalOcean – Causes & Fixes
In order to fix this error, we identify its cause by checking and ruling out each possibility.
Usually, we use the Droplet console from Access > Console Access > Launch Console to troubleshoot such SSH related issues.
In our experience managing Droplets, we’ve come across a number of reasons that can cause this error.
1) SSH service down
The SSH service uses the sshd daemon to listen for incoming connections, and it handles user authentication, terminal connections, etc.
So, if this service crashes, the connection fails and results in the SSH Connection refused error in DigitalOcean servers.
Solution
The reason for service failures can be traffic spikes, resource outages, disk errors, DDoS attacks, and so on.
Our Hosting Engineers identify the reason and fix it.
If a backend service fails or doesn’t respond, we’ll kill the dead process and restart the service.
For example, in a CentOS 7 Droplet, we restart the SSH service using the below command.
systemctl restart sshd
After that, we confirm that SSH is running, and the output will be like this.
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Mon 2018-12-19 10:00:22 GMT; 3 days ago
2) Wrong SSH port
Since standard ports are more vulnerable to attack, many web hosts change the SSH port to a custom port.
So, if Droplet owners access their servers using the wrong port, they will get the error SSH Connection refused.
Solution
In order to identify the correct SSH port, our Hosting Engineers access the Droplet via a console and check the SSH configuration file.
On most systems, the configuration file for the SSH service is at /etc/ssh/sshd_config. To identify the port used in the system, we check the “Port” parameter in this file.
Alternatively, we check the SSH port using the netstat command.
If we find that the service is listening on a custom port, we inform the customer of the correct port.
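The two checks described above can be combined in a short script. This is an added example, not code from the original article: the function names and sample data are assumptions, and it accepts the output of either `ss -tln` or `netstat -tln`.

```shell
# Added example: which ports is sshd configured for, and are they listening?

# Print each port set by a "Port" directive in sshd_config text on stdin.
# Keywords are case-insensitive, may use "=", and may repeat; with no Port
# directive sshd uses 22. Files pulled in by "Include" are not followed.
sshd_ports() {
    awk '
        { sub(/#.*/, "") }
        tolower($1) == "port" || tolower($1) ~ /^port=/ {
            v = $0
            sub(/^[ \t]*[Pp][Oo][Rr][Tt][ \t]*=?[ \t]*/, "", v)
            split(v, f, /[ \t]+/)
            if (f[1] ~ /^[0-9]+$/) { print f[1]; found = 1 }
        }
        END { if (!found) print 22 }
    '
}

# Succeed if port $1 is a local listening TCP port in the `ss -tln` or
# `netstat -tln` output given on stdin.
is_listening() {
    awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /:[0-9]+$/) {
                    n = split($i, a, ":")
                    if (a[n] == p) ok = 1
                    break
                }
        }
        END { exit !ok }
    '
}

# $1 = sshd_config text, $2 = listener table text
check_ports() {
    for p in $(printf '%s\n' "$1" | sshd_ports); do
        if printf '%s\n' "$2" | is_listening "$p"; then
            echo "port $p: configured and listening"
        else
            echo "port $p: configured but NOT listening"
        fi
    done
}

# Constructed sample data, not taken from a real Droplet.
SAMPLE_CONFIG='#Port 22
port 2222'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*'
check_ports "$SAMPLE_CONFIG" "$SAMPLE_SS"
```

On the Droplet console, run it against the live system with `check_ports "$(cat /etc/ssh/sshd_config)" "$(ss -tln)"`. A port reported as configured but not listening usually means sshd has not been restarted since the configuration changed, or failed to start.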
3) Firewall restriction
Similarly, SSH connectivity problems may occur due to improper firewall configurations.
Some public networks may also block default SSH port 22 or SSH custom ports.
If the ports are not allowed for connections in the firewall, the connectivity can fail and lead to the error SSH connection refused.
Solution
In such cases, our Hosting Engineers analyze the firewall rules configured on the server.
In addition to that, we check the connectivity to the SSH port from the external network using the below command.
telnet IP PORT
Here, replace IP with the Droplet IP address and PORT with the SSH port.
If we find any rules that deny connection to port 22, we’ll remove that rule from the firewall configuration.
For example, in CentOS servers, if we see a rule to REJECT or DROP incoming connections on the SSH port, we’ll remove that rule from the firewall.
Further, we edit the firewall configuration to allow connections to the SSH port like this.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
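iptables evaluates a chain from top to bottom, and -A appends to the end, so an ACCEPT added while an earlier REJECT or DROP for the same port is still in place never takes effect. The check below is an added example, not from the original article; the function name and the rule set are constructed, and it only looks at rules that name the port with --dport.

```shell
# Added example: which rule decides first for a given TCP port?
# Reads `iptables -S INPUT` output on stdin and prints "<target> <position>"
# for the first INPUT rule that names --dport $1, or "none".
# Simplification: rules without --dport (catch-all rules, source or state
# matches) are counted for position but not evaluated.
first_verdict() {
    awk -v p="$1" '
        $1 == "-A" && $2 == "INPUT" {
            n++
            dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dport == p && target != "") { print target, n; hit = 1; exit }
        }
        END { if (!hit) print "none" }
    '
}

# Constructed rule set: an ACCEPT appended with -A after an existing REJECT.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | first_verdict 22
```

On the Droplet, `iptables -S INPUT | first_verdict 22` printing REJECT or DROP means that rule still wins; remove it first, or insert the ACCEPT ahead of it with `iptables -I` instead of appending.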
4) Wrong Host IP address
Droplet owners face this SSH connection refused error when they use the wrong IP address or if there is an IP conflict.
In other words, this error can occur when the wrong IP address is used or multiple Droplets use the same IP address.
Solution
In such cases, we check the Droplet IP address via Networking > Public Network in the DigitalOcean control panel.
Similarly, we use tools like nmap to identify Droplets running on the network.
And, if we find any IP conflicts, we change the IP address of the Droplet, after confirming it with the customer.
Conclusion
In short, SSH connection refused in DigitalOcean servers can happen due to firewall restrictions, service downtime, and more. Today, we’ve discussed the top 4 reasons for this error and how our Cloud Experts fix it.