Why your web server keeps rejecting ssh connections: SSH Troubleshooting, Daemon Status, Firewall Rules

Because SSH is blocked or the SSH daemon isn’t running on the server. If your web server keeps rejecting SSH connections, you’re likely running into a mix of service status issues, firewall rules, and SSH configuration traps. In this guide, I’ll walk you through the most common causes, give you practical commands to diagnose, share real-world examples, and provide a step-by-step checklist you can follow today. You’ll find a mix of quick fixes, deeper dives into config and logs, plus a handy troubleshooting table. Useful URLs and Resources: openssh.com, openssh-portable on github, help.ubuntu.com/community/UFW, fail2ban.org, linux.die.net/man/1/ss, man7.org/linux/man-pages/man1/journalctl.1.html, nginx.org, httpd.apache.org

Introduction

• Why SSH connections get rejected, in one sentence: the SSH service is either blocked, misconfigured, or not running.
• What you’ll learn: how to verify service status, check firewall rules, inspect sshd_config, understand common access-control mechanisms, and implement robust fixes without compromising security.
• Quick-start overview:
  • Check if the SSH daemon is active and listening on the right port.
  • Confirm firewall and network ACLs allow your client IP and port.
  • Inspect sshd_config for common mistakes Port, PermitRootLogin, PasswordAuthentication, AllowUsers.
  • Review hosts.deny/hosts.allow and any rate-limiting tools like Fail2ban or ufw/nftables.
  • Use logs systemd journal, sshd logs to pinpoint the exact rejection reason.
• Pro tips: keep SSH on a non-default port for security by obscurity, but don’t rely on it alone; use key-based auth and disable password login where feasible; enable detailed logging temporarily while troubleshooting, then scale back.
• Useful URLs and Resources plain text: openssh.com, openssh-portable github, help.ubuntu.com/community/UFW, fail2ban.org, linux.die.net/man/1/ss, journalctl info, nginx.org, httpd.apache.org

Common reasons SSH connections are rejected

SSH daemon isn’t running or isn’t listening on the expected port

If sshd isn’t active, or it’s listening on a different port than you expect, connections will fail immediately. On Linux, you can confirm with:

• systemctl status sshd
• systemctl is-active sshd
• sudo ss -tulpn | grep sshd
  A frequent scenario is the daemon failing to start after a config change or a system upgrade. Check journal logs for startup errors:
• journalctl -u sshd -e –since “10 minutes ago”

Firewall or network ACLs block port 22 or a custom SSH port

Even if sshd is healthy, a firewall can block the path. Common culprits:

• Local host firewall ufw, firewalld, nftables
• Cloud security groups AWS SGs, Azure NSGs, GCP firewall rules
• Network ACLs or perimeter firewalls

Actions:

• ufw status; ufw allow 22/tcp
• firewall-cmd –list-all or nft list ruleset
• Check cloud provider rules and ensure the SSH port is open from your source IP
• If you’re using a non-standard port, verify that port is allowed e.g., 2222

SSH configuration file sshd_config mistakes

A misconfigured sshd_config is a common root cause. Look for:

• Port 22 or a custom Port line
• PermitRootLogin yes/no
• PasswordAuthentication yes/no
• AllowUsers or AllowGroups restricting access
• PermitEmptyPasswords no
• UseDNS yes/no sometimes slow or causing delays
• ListenAddress entries that restrict binding
  Test the syntax with:
• sshd -t
  Then restart sshd:
• systemctl restart sshd

Access controls: hosts.allow/hosts.deny

TCP wrappers can block or permit specific hosts. If hosts.deny contains a blanket deny ALL: ALL, you’ll be blocked unless hosts.allow explicitly allows you. Check: Join a Discord Server Without a Code Easy Step by Step Guide

• /etc/hosts.deny
• /etc/hosts.allow

Fail2ban or similar rate-limiters

If Fail2ban or another rate limiter is active, repeated failed attempts can trigger temporary blocks. Check:

• fail2ban-client status
• /var/log/fail2ban.log
• Jail configurations in /etc/fail2ban/jail.d

SELinux or AppArmor restrictions

On some distros, extra security modules can prevent sshd from opening sockets or reading keys in certain paths. Check:

• sestatus SELinux
• ausearch -m avc -ts recent
• apparmor_status

SSH authentication method issues keys vs passwords

If you expect key-based auth but you’re seeing a password prompt or authentication failure:

• Ensure your public key is in ~/.ssh/authorized_keys on the server
• Permissions on ~/.ssh and authorized_keys must be correct
• Use ssh -v to see which method is attempted and where it fails

DNS or reverse DNS issues

Sometimes servers do DNS lookups during client authentication or banner display. Slow or failing DNS can make connections seem to hang or fail. Review:

• UseDNS setting in sshd_config
• DNS resolution on the server nslookup, dig and from the client

NAT, VPNs, or intermediate proxies

If you’re behind NAT, or using a VPN or proxy that alters traffic, SSH sessions can be dropped or rejected. Ensure port forwarding is configured correctly and that the client can reach the server’s IP and port. Unlock ubuntu how to login to your ovh server: Master SSH Access, Keys, and Secure Login

Non-default ports and port-forwarded scenarios

If you’re using a non-standard port, make sure both client and server sides reflect the same port and that intermediate devices don’t block it. Verify with:

• telnet server_ip port
• nc -vz server_ip port

Server load, timeouts, and handshake delays

High server load can cause delays during the SSH handshake or timeouts on the client side. Check:

• top or htop for CPU/memory pressure
• dmesg for kernel-level issues
• sshd logs for handshake-related messages

How to diagnose step-by-step

1. Verify sshd status and listening port

• systemctl status sshd
• sudo ss -tulpn | grep sshd
• ss -tlpn | grep 22

2. Check firewall rules on the server

• ufw status numbered
• iptables -L -n -v
• nft list ruleset
• If you’re on a cloud provider, inspect security groups or firewall rules

3. Validate sshd_config settings

• sshd -t
• grep -E “^Port|PermitRootLogin|PasswordAuthentication|AllowUsers|ListenAddress|UseDNS” /etc/ssh/sshd_config
• systemctl restart sshd

4. Inspect access-control tools

• fail2ban-client status
• tail -n 100 /var/log/auth.log or /var/log/secure
• cat /etc/hosts.deny /etc/hosts.allow

5. Check for SELinux/AppArmor blocks

• sestatus
• getenforce
• ausearch -m avc -ts recent

6. Review authentication methods

• ssh -v user@server
• Ensure your private key corresponds to the public key on the server
• Confirm permissions: ~/.ssh must be 700, keys 600

7. Test DNS and reverse DNS behavior

• nslookup server_ip
• dig +short server_ip
• Inspect UseDNS in sshd_config

8. Examine logs for concrete errors

• journalctl -u sshd -e
• tail -f /var/log/auth.log Ubuntu/Debian or /var/log/secure RHEL/CentOS

9. Validate network path

• traceroute server_ip
• mtr -rwzbc 100 server_ip
• Try from a different network or client

10. Reproduce with minimal config

• Move aside sshd_config to a temporary name and use the default to see if the issue is config-specific
• Start sshd with a clean, minimal config:
  • sshd -D -f /path/to/minimal_sshd_config

11. Check non-default port forwarding

• Ensure the chosen port is correctly forwarded in NAT/firewall devices
• Test with a direct, public IP if possible

12. Review security advisories and updates

• Ensure your OpenSSH version is up-to-date and free of known issues
• Check vendor advisories for your OS

Quick fixes and best practices

• Use key-based authentication and disable password login once you confirm access
  • In sshd_config: PasswordAuthentication no; PubkeyAuthentication yes
• Change the default port thoughtfully
  • Port 22 can stay for compatibility, but a non-default port can reduce noise from automated scans
• Limit root access and use a non-root user for SSH
  • AllowUsers in sshd_config; use sudo for admin tasks
• Enable logging at a level that’s useful for troubleshooting, then dial back
  • In sshd_config: LogLevel VERBOSE during debugging
• Use Fail2ban with well-tuned rules to minimize lockouts
• Harden file permissions to prevent key leakage
  • chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
• Regularly rotate keys and audit authorized_keys
• Maintain a clean inventory of what hosts are allowed and which are blocked
• Consider two-factor authentication for SSH in high-security environments

Real-world scenarios and examples

• Scenario A: A server in a data center started returning “Connection refused” whenever a client tried to SSH. Root cause: sshd failed to start after a kernel upgrade. Action: checked systemctl status, found a config syntax error in sshd_config, fixed the error, restarted sshd, and re-enabled automatic start on boot.
• Scenario B: A developer in a remote office couldn’t connect; logs showed repeated “Connection timed out” after the handshake. Root cause: firewall on the office router blocked port 22. Action: opened port 22, then tested from a different network and confirmed success.
• Scenario C: A production server was accessible via SSH but failed key-based login intermittently. Root cause: permissions on ~/.ssh or the authorized_keys file were too permissive. Action: corrected permissions, re-added the public key, and tested with verbose SSH to verify the handshake.

Data and statistics you can rely on

• Credential-based breaches and misconfig issues continue to be the top causes of SSH-related access problems, far outweighing zero-day SSH vulnerabilities in most environments.
• Public-key authentication remains far more secure than password-based login when keys are managed properly. If password authentication is left enabled, it increases exposure to brute-force attempts on exposed ports.
• Misconfigured sshd_config is one of the most common operational issues found during server audits, often resolved by a straightforward syntax validation and restart.
• Fail2ban and similar rate-limiting tools dramatically cut down successful brute-force attempts, but must be tuned to avoid locking out legitimate users during maintenance or change windows.

Security considerations and long-term fixes

• Always use strong public/private keys and passphrase-protected keys.
• Prefer non-default ports only as a defensive layer, not as the sole security measure.
• Implement IP allowlists for administrative SSH access where feasible.
• Rotate keys regularly and purge unused keys promptly.
• Monitor SSH access with centralized logging and alert on anomalies e.g., sudden spikes in failed logins, unusual remote IPs.
• Keep SSH software up to date with security patches and follow vendor advisories.

Frequently Asked Questions

How do I know if the SSH daemon is running on my server?

You can verify with systemctl status sshd and check listening ports with sudo ss -tulpn | grep sshd. If it’s not running, start it with sudo systemctl start sshd and enable it to start on boot with sudo systemctl enable sshd.

Why is SSH refusing connections even though the service is running?

Common causes include firewall blocks, misconfigured sshd_config, or access-control tools like Fail2ban blocking your IP. Check the firewall, review sshd_config for errors, and inspect fail2ban logs.

How can I tell if a firewall is blocking port 22?

List firewall rules on the server ufw, firewalld, nftables and verify that port 22 is open for your source IP. If you’re in the cloud, check the associated security groups or network ACLs. Unlocking user passwords in sql server a step by step guide

What should I check in sshd_config if connections are rejected?

Look for the Port line, and ensure it matches what you expect; verify PermitRootLogin, PasswordAuthentication, and any AllowUsers or AllowGroups entries. Run sshd -t to validate syntax after changes.

How do I disable password authentication safely?

Set PasswordAuthentication no and ensure your public keys are correctly installed in ~/.ssh/authorized_keys. Also verify that permissions on .ssh and authorized_keys are correct.

How can Fail2ban block my SSH access, and how do I fix it?

Fail2ban can ban a client after repeated failed attempts. Check fail2ban-client status, review fail2ban.log, and adjust the relevant jail’s settings or whitelist trusted IPs temporarily if needed.

What if I’m behind NAT or a VPN?

Ensure the server’s SSH port is reachable, port-forwarded correctly if needed, and that any VPN or proxy path isn’t blocking or altering the handshake. Test from multiple networks to isolate the issue.

How do I diagnose SSH handshake issues?

Enable verbose logging on the client side with ssh -vvv user@server and review the server’s sshd logs for handshake errors. This helps you pinpoint whether the problem is key exchange, host key verification, or authentication. Why Your Apple ID Fails to Connect Quick Fixes and Solutions

Can SELinux or AppArmor block SSH, and how do I fix it?

Yes. If SELinux is enforcing, check the current mode with getenforce and look for AVC denials in ausearch. For AppArmor, inspect profiles and enforce mode, then adjust or disable any profiles interfering with sshd.

How do I test SSH access from multiple networks?

Use different networks home, office, mobile hotspot and different devices to rule out local network issues. Also test from a synthetic environment like a staging server to verify server-side behavior.

What’s the best way to harden SSH for long-term use?

Use key-based authentication, disable password login, limit user access with AllowUsers, use a non-default port as an extra layer, enable two-factor authentication where feasible, and enforce regular key rotation and audit trails.

What should I do after applying fixes to verify they worked?

Re-test from an external client, check sshd logs for new handshake events, and monitor authentication attempts for a while to confirm the issue is resolved. If you had Fail2ban blocks, confirm that the bans are cleared or that legitimate IPs aren’t blocked.

How can I keep SSH reliable during server maintenance?

Share maintenance windows with your team, use a jump host for administrative access, and keep a temporary SSH configuration with a limited access scope. Always have a rollback plan and keep a fallback access method in case remote access is temporarily unavailable. The ultimate guide to understanding server name or address in vpn: Server Names, IP Addresses, and How They Work

Is it safe to expose SSH on a non-standard port?

It can reduce random scans but should not be your only defense. Combine a non-standard port with key-based authentication, firewall rules, and monitoring. Do not rely solely on “security by obscurity.”

What role do public-key formats RSA, ECDSA, Ed25519 play in reliability?

Newer key types like Ed25519 offer better security with efficient performance. If you’re upgrading, ensure both server and client support the chosen algorithm and that older clients aren’t left behind.

How can I monitor SSH health automatically?

Set up basic telemetry: failed login counts, successful vs failed login trends, and custom alerts for unusual IPs. Centralize logs with a SIEM or a log aggregator and correlate with firewall and fail2ban events.

Sources:

八方云vpn 使用全方位评测：功能、隐私、解锁、价格、安装与对比指南

台鐵火車票查詢2025：線上訂票、app教學、優惠全攻略｜最完整台灣鐵路搭乘指南 VPN 設置與安全上網全攻略 How To Force DNS Server To Refresh Learn The Simple Steps

免费机场订阅地址：免费VPN机场订阅链接大全、筛选技巧与使用指南

How to get more people in your discord server a comprehensive guide to grow your community on Discord

Zscaler private access vs vpn