I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my EC2 instance with SSH. How do I resolve this?
Last updated: 2021-04-27
I'm receiving "Connection refused" or "Connection timed out" errors when trying to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance using SSH. How do I resolve this?
Error message: "Error connecting to [instance], reason: Connection timed out: connect" refers to issues with connectivity to the instance, meaning the request fails to reach the instance and times out. This might happen if SSH isn't running on the instance or if a firewall is blocking access.
Error message: "ssh: connect to host ec2-X-X-X-X.compute-1.amazonaws.com port 22: Connection refused" indicates that the instance refused the connection or the SSH service daemon isn't running. This error might also occur if a firewall is rejecting access to the instance.
Verify the following:
- There isn't a firewall blocking the connection.
- The SSH service is running on the instance.
- SSH TCP port 22 is in the listening state.
There are four methods for performing these tasks:
Method 1: Use the EC2 Serial Console
If you enabled EC2 Serial Console for Linux, then you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).
Before using the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, follow the instructions in Method 2, 3, or 4. For information on configuring the EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Method 2: Use AWS Systems Manager Session Manager
1. Open the AWS Systems Manager console.
2. Start a session.
3. To disable firewalls and restart the SSH service, run the following commands.
$ sudo iptables -F
$ sudo service sshd restart
Note: The preceding command flushes all main iptables rules, not just for port 22. After you regain access to your instance, review your firewall configuration (for example, ufw, firewalld, iptables).
4. Verify that the SSH TCP port (22) is in a listening state.
$ sudo netstat -tnlp | grep :22
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN      849/sshd
tcp6       0      0 :::22           :::*            LISTEN      849/sshd
5. End the session.
6. Connect to the instance using SSH.
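One way to narrow the fix in step 3 before flushing anything, as an added example that is not part of the AWS article: the script below reads `ss -tnlp` (or the `netstat -tnlp` output shown in step 4) and `iptables -S INPUT`, reports whether sshd is listening on TCP 22 and which INPUT rules would drop or reject it, so only the offending rule needs to be deleted rather than every rule. The sample `ss` and `iptables` outputs and the function names (check_ssh_access, ssh_listening, blocking_rules, input_policy_drops) are constructed for this example.

```bash
#!/bin/bash
# Added example, not from the AWS article: a read-only check of the three conditions
# the article lists (firewall, sshd running, port 22 listening) before flushing anything.
# It reports the specific INPUT rules that would block SSH so you can delete just those
# (sudo iptables -D INPUT <rule spec>) instead of running iptables -F.
# SAMPLE_* values are constructed so the script runs offline; run with LIVE=1 on the
# instance (via Session Manager or the serial console) to use real command output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=849,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=849,fd=4))'
SAMPLE_IPT='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
# ssh_listening <ss/netstat output>: 0 if a LISTEN socket is bound to TCP port 22.
# Handles both "ss -tnlp" (state in column 1) and "netstat -tnlp" (state in column 6).
ssh_listening() {
  printf '%s\n' "$1" |
    awk '($1=="LISTEN" || $6=="LISTEN") && $4 ~ /:22$/ {found=1} END {exit !found}'
}
# blocking_rules <iptables -S INPUT output>: prints rules that DROP/REJECT dport 22.
blocking_rules() {
  printf '%s\n' "$1" | grep -E -- '--dport 22( |$)' | grep -E -- '-j (DROP|REJECT)'
}
# input_policy_drops <iptables -S INPUT output>: 0 if the default INPUT policy is DROP.
input_policy_drops() {
  printf '%s\n' "$1" | grep -q -- '^-P INPUT DROP$'
}
# check_ssh_access <ss/netstat output> <iptables -S INPUT output>: 0 when nothing is found.
check_ssh_access() {
  local ok=0 rules
  if ssh_listening "$1"; then echo "sshd is listening on TCP 22"
  else echo "nothing is listening on TCP 22: start sshd (sudo service sshd restart)"; ok=1; fi
  rules=$(blocking_rules "$2" || true)
  if [ -n "$rules" ]; then
    echo "INPUT rules blocking port 22 (delete each with sudo iptables -D INPUT <spec>):"
    echo "$rules"; ok=1
  fi
  if input_policy_drops "$2" && ! printf '%s\n' "$2" | grep -Eq -- '--dport 22.*-j ACCEPT'; then
    echo "INPUT policy is DROP and no rule accepts port 22"; ok=1
  fi
  return $ok
}
if [ "${LIVE:-0}" = 1 ]; then SS=$(ss -tnlp); IPT=$(iptables -S INPUT)
else SS=$SAMPLE_SS; IPT=$SAMPLE_IPT; fi
if check_ssh_access "$SS" "$IPT"; then echo "SSH should be reachable"
else echo "fix the findings above, then retry SSH"; fi
```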
Method 3: Run the AWSSupport-TroubleshootSSH automation document
The AWSSupport-TroubleshootSSH automation document installs the Amazon EC2Rescue tool on the instance. This tool checks for and corrects some issues that cause remote connection errors when connecting to a Linux machine through SSH. For more information, see How can I use the AWSSupport-TroubleshootSSH Automation workflow to troubleshoot SSH connection issues?
Method 4: Use a user data script
- This procedure requires a stop and start of your EC2 instance. Note that if your instance is instance store-backed or has instance store volumes containing data, the data is lost when the instance is stopped. For more information, see Determine the root device type of your instance.
- If your instance is part of an Amazon EC2 Auto Scaling group, or if your instance is launched by services that use AWS Auto Scaling, such as Amazon EMR, AWS CloudFormation, AWS Elastic Beanstalk, and so on, then stopping the instance could terminate the instance. Instance termination in this scenario depends on the instance scale-in protection settings for your Auto Scaling group. If your instance is part of an Auto Scaling group, then temporarily remove the instance from the Auto Scaling group before starting the resolution steps.
- Stopping and starting the instance changes the public IP address of your instance. It's a best practice to use an Elastic IP address instead of a public IP address when routing external traffic to your instance.
1. View the EC2 instance console logs. The following entry appears in the EC2 instance console logs if ufw is enabled.
systemd : starting Uncomplicated Firewall
Starting Uncomplicated firewall...
2. Open the Amazon EC2 console.
3. Choose Instances from the navigation pane, and then select the instance you're trying to connect to.
5. Choose Actions, Instance Settings, Edit User Data.
6. Copy the following user data script into the Edit User Data dialog box, and then choose Save.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
iptables -F
service sshd restart
--//
Note: The preceding command flushes all main iptables rules, not just for port 22. After you regain access to the instance, review your firewall configuration (for example, ufw, firewalld, iptables).
7. Connect to the instance using SSH.
8. The preceding user data script is set to run on every reboot of the instance. After regaining access to your instance, remove the user data script.
To remove user data:
1. Complete steps 1–4 in the Method 4: Use a user data script section.
2. Delete the user data script in the Edit User Data dialog box.