I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my EC2 instance with SSH. How do I resolve this?

Last updated: 2021-10-08

I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. How do I resolve this?

Short description

Error message: "ssh: connect to host ec2-X-X-X-X.compute-1.amazonaws.com port 22: Connection timed out". This error message comes from the SSH client. The error indicates that the server didn't respond to the client and the client program gave up (timed out). The following are common causes for this error:

  • The security group or network ACL doesn't allow access.
  • There is a firewall on the instance's operating system.
  • There is a firewall between the client and the server.
  • The host doesn't exist.

Error message: "ssh: connect to host ec2-X-X-X-X.compute-1.amazonaws.com port 22: Connection refused". This message comes from a host remotely. The following are common causes for this error:

  • The host reached the instance but there was no service listening on the SSH port.
  • A firewall blocked and was set to reject the package instead of dropping it.

Resolution

Verify the following:

There are four methods for performing these tasks:

Method 1: Use the EC2 Serial Console

If you set up EC2 Serial Console for Linux, then you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, then follow the instructions in Method 2, 3, or 4. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Method 2: Use AWS Systems Manager Session Manager

Note: Installation of the SSM Agent is required to use this method. For more information on Session Manager and a complete list of prerequisites, see Setting up Session Manager.

1.    Open the AWS Systems Manager console.

2.    Start a session.

3.    Add the following additional line at the top of the rule table, and then restart the SSH service:

$ sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
$ sudo service sshd restart

Or, you can deactivate the firewall. It's a best practice to use security groups rather than a firewall.

To deactivate the firewall, use one of the following sets of commands, depending on your operating system:

Ubuntu using Uncomplicated Firewall

$ sudo iptables -F
$ sudo iptables -P INPUT ACCEPT
$ sudo ufw disable

Distributions that use firewalld (for example, Red Hat or CentOS)

$ sudo iptables -F
$ sudo iptables -P INPUT ACCEPT
$ sudo systemctl disable firewalld

Note: The preceding command flushes all main iptables rules and adds one that allows incoming SSH connections. Take this into consideration before executing these commands, as you might have other rules that are required for your setup. After you regain access to your instance, review your firewall configuration (for example, UFW, firewalld, iptables).

4.    Make sure that SSH is running and verify that the SSH TCP port (22) is in a listening state.

$ sudo systemctl restart sshd
$ sudo ss -tpln | grep -E '22|ssh'
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1901,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1901,fd=4))

Note: If your system doesn't have the ss command, then you can use the legacy netstat command with the same syntax shown in the preceding example.

5.    End the session.

6.    Connect to the instance using SSH.

Method 3: Run the AWSSupport-TroubleshootSSH automation document

AWSSupport-TroubleshootSSH automation document installs the Amazon EC2Rescue tool on the instance. This tool checks for and corrects some issues that cause remote connection errors when connecting to a Linux machine through SSH. For more information, see How can I use the AWSSupport-TroubleshootSSH Automation workflow to troubleshoot SSH connection issues?

Method 4: Use a user data script

Important

  • This procedure requires a stop and start of your EC2 instance. Note that if your instance is instance store-backed or has instance store volumes containing data, the data is lost when the instance is stopped. For more information, see Determine the root device type of your instance.
  • If your instance is part of an Amazon EC2 Auto Scaling group, or if your instance is launched by services that use AWS Auto Scaling, such as Amazon EMR, AWS CloudFormation, AWS Elastic Beanstalk, and so on, then stopping the instance could terminate the instance. Instance termination in this scenario depends on the instance scale-in protection settings for your Auto Scaling group. If your instance is part of an Auto Scaling group, then temporarily remove the instance from the Auto Scaling group before starting the resolution steps.
  • Stopping and starting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.

1.    View the EC2 instance console logs. The following entry appears in the EC2 instance console logs if UFW is turn on.

systemd[1] : starting Uncomplicated Firewall
Starting Uncomplicated firewall...

2.    Open the Amazon EC2 console.

3.    Choose Instances from the navigation pane, and then select the instance you're trying to connect to.

4.    Stop the instance.

5.    Choose Actions, Instance Settings, Edit User Data.

6.    Copy the following user data script into the Edit User Data dialog box, and then choose Save.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type:
    text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
iptables -F
service sshd restart
--//

Note: The preceding command flushes all main iptables rules, not just the rules for port 22. After you regain access to the instance, review your firewall configuration (for example, UFW, firewalld, iptables).

7.    Connect to the instance using SSH.

8.    The preceding user data script is set to run on every reboot of the instance. After regaining access to your instance, remove the user data script.

To remove user data:

1.    Complete steps 1–4 in the Method 4: Use a user data script section.

2.    Delete the user data script in the Edit User Data dialogue box.