I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my EC2 instance with SSH. How do I resolve this?

Last updated: 2020-04-14

I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. How do I resolve this?

Short Description

Error message: "Error connecting to [instance], reason: Connection timed out: connect" means that the instance never answered the connection attempt: the TCP SYN to port 22 is dropped somewhere on the path and the client gives up. Typical causes are a security group or network ACL that doesn't allow inbound TCP port 22 from your source IP address, a routing or public IP problem, or a host firewall on the instance (iptables, ufw, firewalld) that silently drops the packets. A stopped SSH daemon by itself produces "Connection refused" rather than a timeout; it produces a timeout only when a firewall is also dropping the traffic.

Error message: "ssh: connect to host ec2-X-X-X-X.compute-1.amazonaws.com port 22: Connection refused" means that the instance answered with a TCP reset. Either nothing is listening on port 22 (the SSH daemon isn't running, or it's configured to listen on another port), or a host firewall rule rejects the connection instead of dropping it.

Resolution

Verify that no firewall is blocking the connection (the instance's security group and the subnet's network ACL must allow inbound TCP port 22 from your source IP address, and a host firewall on the instance must not drop or reject it), that the SSH service is running on the instance, and that SSH tcp port 22 is in the listening state.

There are three methods for performing these tasks:

Method 1: Use AWS Systems Manager Session Manager

Note: Installation of the SSM Agent is required to use this method. For more information on Session Manager and a complete list of prerequisites, see Getting started with Session Manager.

1.    Open the AWS Systems Manager console.

2.    Start a session.

3.    To flush the host firewall rules and restart the SSH service, run the following commands.

$ sudo iptables -F
$ sudo service sshd restart

Note: The preceding iptables command flushes all rules in the default (filter) table, not just the rules for port 22, and it leaves the default policy of each chain unchanged. If the INPUT chain's policy is DROP, which is the case when ufw is enabled with its default deny-incoming policy, flushing alone doesn't restore access; the policy must also be set back to ACCEPT. After you regain access to your instance, review your firewall configuration (for example, ufw, firewalld, iptables) and restore the rules you need.

4.    Verify that the SSH tcp port (22) is in a listening state.

$ sudo netstat -tnlp | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      849/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      849/sshd

5.    Terminate the session.

6.    Connect to the instance using SSH.

Method 2: Run the AWSSupport-TroubleshootSSH automation document

The AWSSupport-TroubleshootSSH automation document installs the EC2Rescue for Linux tool on the instance and uses it to check for and correct some of the issues that cause remote connection errors when connecting to a Linux machine through SSH. For more information, see How can I use the AWSSupport-TroubleshootSSH Automation workflow to troubleshoot SSH connection issues?

Method 3: Use a user data script

Important

  • This procedure requires a stop and start of your EC2 instance. Data on instance store volumes doesn't survive a stop, so if your instance has instance store volumes containing data you need, copy that data elsewhere first. An instance store-backed instance (one whose root volume is an instance store volume) can't be stopped at all, so this method doesn't apply to it. For more information, see Determining the Root Device Type of Your Instance.
  • If your instance is part of an Amazon EC2 Auto Scaling group, or if your instance is launched by services that use AWS Auto Scaling, such as Amazon EMR, AWS CloudFormation, AWS Elastic Beanstalk, and so on, then stopping the instance could terminate the instance. Instance termination in this scenario depends on the instance scale-in protection settings for your Auto Scaling group. If your instance is part of an Auto Scaling group, then temporarily remove the instance from the Auto Scaling group before starting the resolution steps.
  • Stopping and starting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.

1.    View the EC2 instance console logs. The following entry appears in the EC2 instance console logs if ufw is enabled.

systemd[1] : starting Uncomplicated Firewall
Starting Uncomplicated firewall...

2.    Open the Amazon EC2 console.

3.    Choose Instances from the navigation pane, and then select the instance you're trying to connect to.

4.    Stop the instance.

5.    Choose Actions, Instance Settings, View/Change User Data.

6.    Copy the following user data script into the View/Change User Data dialog box, and then choose Save.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
iptables -F
service sshd restart
--//

Note: The user data must start with the multipart/mixed header shown above; without it cloud-init doesn't recognize the two parts. The iptables command in the script flushes all rules in the default (filter) table, not just the rules for port 22, and it leaves the default policy of each chain unchanged. If the INPUT chain's policy is DROP, which is the case when ufw is enabled with its default deny-incoming policy, flushing alone doesn't restore access; the policy must also be set back to ACCEPT. After you regain access to the instance, review your firewall configuration (for example, ufw, firewalld, iptables) and restore the rules you need.

7.    Start the instance, and then connect to it using SSH.

8.    The cloud-config part sets scripts-user to always, so the script runs on every boot of the instance and flushes the host firewall each time. After regaining access to your instance, remove the user data script.

To remove user data:

Complete steps 2–5 in this section to stop the instance and open the View/Change User Data dialog box. Delete the user data script in the dialog box, choose Save, and then start the instance.
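The following script is an added example, not part of the AWS article, covering the recovery commands from Method 1 and Method 3 together with the checks a practitioner would wrap around them: a snapshot of the current rules, the chain-policy reset that a bare iptables -F omits, a service name that works on both sshd and ssh distributions, and a verification that tcp/22 is actually listening before the session is closed. It assumes a host firewall managed through iptables (not a native nftables or firewalld rule set), a systemd or SysV service manager, root privileges, and the ss and awk commands. The function names (port_listening, recover_ssh, self_check) are this example's own, and the three socket-listing lines are constructed sample data, not output captured from an instance.

```shell
#!/bin/sh
# Added example, not from the AWS article: flush host-firewall rules and
# restart SSH with the checks a practitioner would add around those commands.
# Assumptions: iptables-managed host firewall, systemd (or SysV `service`),
# root, and the `ss` and `awk` commands available on the instance.
set -u

# Returns 0 when the listening-socket listing on stdin (output of
# `ss -tnl` or `netstat -tnl`) shows a TCP listener bound to port $1.
# In both formats the local address is the 4th column; the header line
# never ends in ":<port>", so it is ignored by the match.
port_listening() {
    awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# The article's recovery (`iptables -F` + sshd restart) plus the policy reset
# and the verification the article's bare commands leave out.
recover_ssh() {
    # Keep a copy of the rules being removed so they can be reviewed and
    # selectively restored once access is back.
    iptables-save > "/root/iptables-before-recovery.$(date +%s).rules"
    # `iptables -F` removes rules but not chain policies. With ufw enabled
    # (or any DROP-by-default policy) a flush alone leaves every packet
    # dropped, so reset the built-in chains to ACCEPT before flushing.
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
    iptables -F
    # The unit name differs by distribution: sshd (Amazon Linux, RHEL)
    # versus ssh (Debian, Ubuntu); fall back to SysV `service` if needed.
    systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null || service sshd restart
    # Confirm the daemon is really listening before ending the session.
    if ss -tnl | port_listening 22; then
        echo "sshd is listening on tcp/22"
    else
        echo "sshd is NOT listening on tcp/22; check 'journalctl -u sshd'" >&2
        return 1
    fi
}

# Constructed sample lines (ss format, netstat format, and a listing with no
# SSH listener) so the check can be exercised without root or a live socket.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=849,fd=3))'
SAMPLE_NETSTAT='tcp6 0 0 :::22 :::* LISTEN 849/sshd'
SAMPLE_NO_SSH='LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1200,fd=13))'

# Exercises port_listening against the constructed samples; returns 0 on success.
self_check() {
    printf '%s\n' "$SAMPLE_SS" | port_listening 22 || return 1
    printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 22 || return 1
    if printf '%s\n' "$SAMPLE_NO_SSH" | port_listening 22; then return 1; fi
    return 0
}

case "${1:-}" in
    --recover) recover_ssh ;;
    *) self_check || exit 1; echo "port_listening self-check passed" ;;
esac
```

From a Session Manager shell, run it as root with the --recover flag; for Method 3, the body of recover_ssh can replace the two commands in the text/x-shellscript part of the user data. On distributions where firewalld installs its rules through nftables, iptables -F may leave the active rule set in place, so check nft list ruleset (or stop firewalld) if access is still blocked after the flush.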