Encountering the message "ssh connect to host port 22: connection timed out" is a common yet frustrating experience for system administrators and developers. This specific error indicates that your client successfully initiated a network connection to the target server's IP address, but the SSH daemon (sshd) did not respond within the expected timeframe. Essentially, the connection attempt was met with silence rather than the standard SSH banner, leading the client to terminate the handshake and log this timeout message.
Diagnosing the Network Path
The first step in resolving this issue is to distinguish between a network routing problem and an issue specific to the SSH service itself. Since the error specifies "connection timed out," the most likely culprit is a firewall blocking the traffic or the server not listening on the expected port. Before diving into server configuration, verify basic network reachability using common command-line tools. A simple ping test can confirm if the host is online, although it is important to remember that many servers are configured to ignore ping requests for security reasons, so a lack of response does not necessarily mean the server is down.
Utilizing Traceroute and Telnet
To gain deeper insight into where the connection is failing, utilize traceroute to map the path packets take to the destination. This can help identify if a specific router along the way is dropping the packets. Furthermore, attempting to connect to the port using a tool like Telnet provides a clear binary result: if the connection is successful, you will see a blank screen indicating a raw TCP connection; if it times out, the port is either closed, filtered by a firewall, or the service is not running. This raw feedback is invaluable for isolating the problem to the network infrastructure or the server's software configuration.
Common Server-Side Culprits
Assuming the network path is clear, the issue almost always resides on the server itself. The most frequent cause is that the SSH service is simply not running. This can occur due to a recent crash, a failed system update, or the server being rebooted without the proper startup scripts executing. Another prevalent scenario involves the server's firewall configuration, specifically with tools like `iptables` or `ufw`. A misconfigured rule can inadvertently block inbound traffic on port 22, effectively creating a barrier that prevents your connection from reaching the SSH daemon.
Checking the Service Status
To verify if the SSH daemon is active, you will need access to the server's console or a different method of administration, such as a KVM over IP or a cloud provider's web-based console. Once logged in directly, you can check the service status with commands like `systemctl status sshd` (on systemd-based systems) or `service ssh status`. If the service is inactive, attempting to start it with `systemctl start sshd` often resolves the timeout issue immediately, provided no underlying configuration errors exist.
Configuration and Port Considerations
While port 22 is the standard for SSH, it is a common security practice to change this default port to reduce exposure to automated bot attacks. If the server administrator recently changed the SSH port but the client configuration was not updated, the "connection timed out" error will occur. The client will be looking for a service on port 22, while the service is actually listening on a different port, such as 2222 or 443. This mismatch results in the client timing out because the port is closed to SSH traffic.
Verifying the Configuration
To resolve a port mismatch, you must access the server's SSH configuration file, typically located at `/etc/ssh/sshd_config`. Look for the line specifying `Port 22` and confirm the correct port number. On the client side, ensure you are connecting via `ssh user@hostname -p [custom_port]`. Additionally, if the server is behind a NAT or load balancer, the public port forwarded to the internal server might differ from the port the SSH service listens on, requiring careful mapping of the network address translation rules.
