Basic troubleshooting steps for SSH

Ievaz

If there is an issue with SSH on your VPS, this guide will provide basic steps to investigate SSH connection issue.

VPS password is not correct

If you cannot connect to your VPS with your current VPS password, or you forgot it, you can connect to our client area and reset your VPS root password. Here is a guide how to do it.

Unresponsive SSH connection

If your SSH connection attempts are timing out or are being immediately rejected, then your SSH service might not be running, or your firewall might block SSH connections.

So you can connect to your VPS via Emergency Console.

How to check SSH status?

To check your SSH service status, you need to connect to your VPS and run one of these commands:

1) Ubuntu 16.04+, Debian 8+, CentOS 7+, etc:

sudo systemctl status sshd -l

2) CentOS 6:

sudo service sshd status

3) Ubuntu 14.04, Debian 7

sudo service ssh status

How to restart SSH service?

If the output shows that your SSH is not running, then try to restart your SSH:

sudo systemctl restart sshd

CentOS 6:

sudo service sshd restart

Ubuntu 14.04, Debian 7:

sudo service ssh restart

How to check SSH logs?

If it won't help, then check your VPS logs of SSH::

sudo journalctl -u sshd -u ssh

CentOS 6

less /var/log/secure

Ubuntu 14.04, Debian 7

less /var/log/auth.log

SSH is running on a non-standard port

If SSH status is active, make sure on what port SSH service is running. Run netstat on your server to check which port is used by SSH. For this, you can use this command:

sudo netstat -plntu | grep ssh

By default, SSH service runs on 22 port, but if you see a different port, then try to connect to your VPS via SSH by using that port:

ssh username@IP_address -p port

The same port is used by more than one service

If SSH service is running on your VPS, but you still cannot connect through SSH, then check your logs, to make sure that another service is not bounded on the same port as SSH. If in the logs, you see this message:

Bind to port 22 on 0.0.0.0 failed: Address already in use.

Then it means that another service on your server is already using the same port that SSH binds to. So this is a reason why SSH you cannot connect to your VPS via SSH. There are some ways to solve this issue:

1) Bind SSH service to a different port:

Here is a guide how to do that.

2) Stop the other service:

Use netstat command to check which other process is using the same port (as an example, we use 22 port);

sudo netstat -plntu | grep :22

Then stop that process:

sudo systemctl stop some-other-service

sudo systemctl disable some-other-service

Or simply kill the process using the process ID listed next to the process name when you check processes with the command - netstat.

3) Change other service port to a different port:

Again use netstat command to find what service is bound to the same port. Then, change the configuration for that service to use a different port. Ater that, you need to restart SSH service.

Misconfigured firewall rules for SSH service

If you can start the SSH service successfully, but your connections still time out or are rejected, then review your firewall rules. It might e that you have blocked SSH connection on your firewall.

To check that, you can review your current firewall ruleset:

sudo iptables-save # displays IPv4 rules

sudo ip6tables-save # displays IPv6 rules

Also, if you have configured on your VPS FirewallD or UFW, make sure if you are running either package with these commands:

sudo ufw status

sudo firewall-cmd --state

when the rules will be listed, make sure that your rule for SSH looks something like this:

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

The rule says that you allow SSH connection in your VPS.

Disabling firewall rules

Additionally, for some time, you might to disable the firewall on your VPS to be sure that it is not a reason why you cannot connect to your VPS via SSH.

Note 1: The disabled firewall increases the security risk on your VPS, so make sure that you will re-enable it after you investigate your firewall configuration.

1. To do that, you can create a backup of your VPS firewall rules:

sudo iptables-save > ~/iptables.txt

2. Then set the INPUT, FORWARD and OUTPUT packet policies as ACCEPT:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

3. After that, you need to flush the nat table that is consulted when a packet that creates a new connection is encountered:

sudo iptables -t nat -F

4. further, you need to flush the mangle table too that is used for specialized packet alteration:

sudo iptables -t mangle -F

5. And additionally flush all the chains in the table:

sudo iptables -F

6. In the end, delete every non-built-in chain in the table:

sudo iptables -X.

Note 2: You might need to do all these steps with ip6tables command to flush your IPv6 rules.

Note 3: Do not miss to use a different name for the IPv6 rules file.

Rejected SSH logins

If SSH is listening and accepting connections but is rejecting login attempts, you should check logs of rejected attempts.

Also, make sure that logins are not disabled for the root user. It can be checked with the command:

grep PermitRootLogin /etc/ssh/sshd_config

Note 4: If the value of the PermitRootLogin is no, then try logging in with another user. Or, set the value in /etc/ssh/sshd_config to yes. After that, you need to restart SSH, and try logging in as root again.