
SSH "Connection refused": causes and fixes

Connection refused means the machine answered but nothing is listening on that port. This article covers the four causes (sshd not running, wrong port, firewall reject, wrong host), how to tell the error apart from timeouts and auth failures, and the fixes.

Chen Chen · Founder · June 11, 2026 · 5 min read

What "Connection refused" means

"Connection refused" is a network-level rejection: your packets reached the machine (or a firewall in front of it), and something actively said "nothing is listening here." This is different from Permission denied (auth failed after connecting) and from a timeout (packets vanished — usually wrong IP or unreachable network). Refused means: right machine, but no SSH server answering on that port. Four causes cover nearly every case.

The four causes

#  Cause                                    Quick check
1  SSH server not running                   systemctl status ssh on the box
2  Wrong port                               Was SSH moved off 22? Check the connection's port
3  Firewall actively rejecting              ufw status / cloud security group
4  Wrong host (something else at that IP)   Did the IP change (DHCP)? Is it the right machine?

1 — Is sshd actually running?

On the server (console, web VNC, or any other way in):

sudo systemctl status ssh    # Debian/Ubuntu (sshd on RHEL)
sudo systemctl enable --now ssh

Fresh installs are a classic: Raspberry Pi OS and many minimal images ship with SSH disabled. Enable it once and it persists. See enabling SSH on a Pi.

2 — Right port?

If the admin moved SSH off port 22 (a common noise-reduction step), connecting to 22 gets refused. Check the connection profile's port field, or probe from another machine: nc -vz host 22 vs nc -vz host 2222.

3 — Firewall rejecting

A firewall configured to reject (not drop) produces exactly this error. On the box: sudo ufw status — is your SSH port allowed? On cloud servers also check the provider's security group / firewall rules in the dashboard; a VPS with port 22 closed at the provider level refuses before the OS ever sees the packet.

4 — Wrong machine at that address

Home networks reassign IPs (DHCP). If your saved connection points at 192.168.1.42 but the box rebooted onto .57, you might hit a different device that refuses port 22. Re-check the router's device list — or sidestep the whole class of problem with Tailscale: each box keeps a stable private address no matter what the LAN does. TermAI has it built in. See Tailscale SSH setup.

[Figure: a working SSH session over a stable Tailscale address on a phone.] Stable addresses end the 'IP changed, connection refused' loop: over Tailscale the box keeps one private address, wherever you and it are.

Refused vs timed out vs permission denied

  • Connection refused — machine reachable, nothing listening (this article).
  • Connection timed out — packets vanished: wrong IP, machine off, or you're outside the network trying to reach a private address (use Tailscale).
  • Permission denied — SSH answered, your auth failed: see the publickey guide.
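
The three outcomes above, plus a banner check that separates "SSH is answering" from "something else owns this port", as a small Python probe. This is an added example, not code from the original article or from TermAI; the function names and verdict labels are this example's own, and 2222 is the article's sample alternate port.

```python
import socket

def classify(exc=None, banner=b""):
    """Map a connect result to a verdict (labels are this example's own)."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # actively rejected: sshd down, wrong port, firewall reject, wrong host
    if isinstance(exc, socket.timeout):
        return "timed out"      # no answer: wrong IP, host off, private address from outside
    if exc is not None:
        return "error"          # e.g. DNS failure or no route; outside the article's three cases
    if banner.startswith(b"SSH-"):
        return "ssh answering"  # network path is fine; failures from here on are auth problems
    return "not ssh"            # something else owns this port: wrong port or wrong machine

def probe(host, port=22, timeout=3.0):
    """TCP-connect to host:port, read the server's greeting, and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(64)   # an SSH server sends "SSH-2.0-..." first
            except socket.timeout:
                banner = b""          # connected, but the service never sent a greeting
            return classify(banner=banner)
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host>; the loopback default is only a placeholder.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in (22, 2222):
        print(f"{host}:{port} -> {probe(host, port)}")
```

A "refused" verdict sends you back to the four causes; "ssh answering" followed by a failed login is the Permission denied case, not a network problem.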

Debugging from a phone

The awkward part of this error on mobile is that you often can't SSH to the box to check it. If any other machine on that network is reachable, hop through it: SSH there, then use nc -vz or ping against the refused box to see what's actually open. And if you can't remember the diagnostic incantations, describe the situation to TermAI's assistant ("check if anything is listening on port 22 of 192.168.1.42") and run the suggested command from the box you are connected to.

FAQ

What causes SSH connection refused?
The SSH server not running, SSH on a different port, a firewall rejecting the port, or the wrong machine at that IP. It's a network-level rejection, not an auth failure.

How is it different from connection timed out?
Refused = the machine answered "nothing here." Timed out = no answer at all (wrong IP, host down, or unreachable network).

How do I fix connection refused on a Raspberry Pi?
SSH is disabled by default on Raspberry Pi OS. Enable it via raspi-config or by placing an ssh file in the boot partition; the setting then persists.

Quick Facts

  • Meaning: reachable machine, nothing listening on that port (network-level, pre-auth)
  • Causes: sshd not running · wrong port · firewall reject · wrong host/IP changed
  • Check: systemctl status ssh on the box; nc -vz host port from outside
  • Avoid IP drift: stable Tailscale addresses instead of LAN DHCP IPs