[Solved] ‘SSH Connection refused in DigitalOcean’

In this article, we discuss four primary reasons behind the error ‘SSH Connection refused in DigitalOcean’ and how to fix them. SSH clients such as PuTTY and OpenSSH are used to manage remote Linux servers that have SSH installed, but sometimes users get the error ‘SSH connection refused’ on DigitalOcean Droplets.

If you are looking for managed service you can visit our DigitalOcean Cloud Plans, where we do everything for you and let you run your business with ease.

Working out which of the four possible reasons is keeping them from their servers is a significant challenge for sysadmins and direct users alike. We are going to look at the complexity behind this error and how our technical support staff fixes it.


What is SSH?

SSH, known as Secure Shell or Secure Socket Shell, is a network protocol mainly used by system administrators to access their servers safely over an unsecured network.

SSH is the best way to access remote Linux servers, and it is installed by default on most Linux distributions. Users can use various SSH clients to reach a remote SSH server, such as PuTTY on Windows, or the terminal directly if your OS is Linux.

What is the meaning of the error ‘SSH connection refused in DigitalOcean’?

First, it is important to understand the SSH connection refused error. It occurs when the connection request is properly routed to the SSH host, but the host doesn’t accept that request and sends back an acknowledgment message like the one below:

ssh: connect to host 192.168.xxx.xxx port xx: Connection refused

This message is shown to droplet owners as confirmation that the connection was refused. There can be many reasons behind it, but we will discuss four major ones.


What are the causes and how to fix the error ‘SSH connection refusal in DigitalOcean’?

To check each possible cause of this error, you first need to access your droplet from the DigitalOcean console window (troubleshooting requires console access, so this step is a must).

Droplet > Access Console

Once you click on the Access Console, a new window opens to troubleshoot your error from the console.

Based on our past experience, let’s discuss the four primary reasons behind the error ‘SSH Connection refused in DigitalOcean’ and how to get it fixed.

SSH Service Connection Fails

Problem: The SSH service uses the sshd daemon to listen for incoming connections and to handle user authentication, terminal connections, and more. If this service crashes, connections fail, which results in the SSH Connection refused error on DigitalOcean servers.

Solution: Technical staff identify and investigate the root cause of the service failure. The reasons can be traffic spikes, disk errors, resource exhaustion, DDoS attacks, and more.

Sometimes the backend service fails or doesn’t respond. In this case, technical staff kill the dead process and restart the service. For example, on a CentOS 7 droplet, we restart the SSH service using the command below:

systemctl restart sshd

After the restart, we confirm that SSH is running. The output looks like this:

sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Mon xxx-xx-xx xx:xx:xx GMT; x days ago

Wrong Selection of SSH Port

Problem: Since standard ports are more vulnerable to attack, many web hosts change the SSH port to a custom port for security purposes. If droplet owners then access their servers using the wrong port, they get the error SSH Connection refused.

Solution: There are two ways to check the correct SSH port. First, technical staff access the droplet via the console and check the SSH configuration file. By default, the SSH server configuration file is saved at /etc/ssh/sshd_config. To identify the port that is set on the system, we check the Port parameter in the sshd_config file.

The second way is to check the SSH port using the netstat command. The output shows whether sshd is listening on a custom port. If it is on a custom port, technical staff change the custom port to the correct port.
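
The two checks above can be combined: read the Port setting from sshd_config and compare it with the ports sshd is actually listening on. The script below is an added example, not part of the original article; the function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). File names and sample data are constructed.

# Ports sshd is configured to use, one per line. sshd defaults to 22 if no Port is set.
sshd_config_ports() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }        # strip comments, accept "Port=2222"
        tolower($1) == "match" { exit }          # Port is not allowed inside Match blocks
        tolower($1) == "port"  { print $2; found = 1 }
        END { if (!found) print 22 }
    ' "$1"
}

# Ports an sshd process is listening on, parsed from saved `netstat -tlnp` output.
sshd_listen_ports() {
    awk '$6 == "LISTEN" && $7 ~ /sshd/ { n = split($4, p, ":"); print p[n] }' "$1" | sort -u
}

# $1 = sshd_config path, $2 = file holding `netstat -tlnp` output
ssh_port_report() {
    configured=$(sshd_config_ports "$1")
    listening=$(sshd_listen_ports "$2")
    for port in $configured; do
        if printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "port $port: configured and listening"
        else
            echo "port $port: configured but sshd is not listening"
        fi
    done
    for port in $listening; do
        printf '%s\n' "$configured" | grep -qx "$port" ||
            echo "port $port: listening but not in sshd_config (edited without restart?)"
    done
}

# Constructed case: Port was changed to 2222 but sshd still runs with the old setting.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' \
    'tcp   0   0 0.0.0.0:22     0.0.0.0:*   LISTEN   911/sshd' \
    'tcp   0   0 127.0.0.1:25   0.0.0.0:*   LISTEN   1200/master' > "$tmp/netstat.txt"
ssh_port_report "$tmp/sshd_config" "$tmp/netstat.txt"
rm -rf "$tmp"
```

This parser does not follow Include files. On the server itself, sshd -T prints the effective configuration, including the port.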

Restriction of the firewall

Problem: Another reason for the SSH connection refused error is an improper firewall configuration. Some public networks may block the default SSH port 22 or a custom SSH port. If the default port is blocked on the firewall, it should be opened, and if you have changed to another port, make sure it is added to the firewall so that SSH can be accessed.

Solution: In this case, technical staff first check the firewall rules that are configured on the server. Second, connectivity to the SSH port from the external network is tested with the following command:

telnet IP PORT

Replace IP with the droplet IP address and PORT with the SSH port. We also study the configured firewall rules, and if one of them denies connections to port 22, that rule is removed from the firewall configuration immediately.

On CentOS 7 servers, if a rule exists to reject or drop incoming connections on the SSH port, that rule is removed from the firewall immediately. Furthermore, we edit the firewall configuration to allow connections to the SSH port with the following command:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

 

Wrong Selection of Host IP Address

Problem: One of the four reasons behind the SSH connection refused error is an incorrect IP address or an IP conflict. Simply put, this error occurs when multiple droplets use the same IP address, or when someone uses the wrong IP address.

Solution: To resolve this error, we check the droplet IP address under Manage > Networking > PTR Records in the DigitalOcean control panel. Furthermore, we use tools like nmap to check which droplets are running on the network, and if the droplet’s IP conflicts, it is changed immediately after confirmation with the customer.


Conclusion

In this article, we have discussed four significant reasons behind the error ‘SSH Connection refused in DigitalOcean’ and how to get them fixed. We have also gone through the solutions that sysadmins apply to these four problems in order to access customers’ servers over SSH using PuTTY or OpenSSH. You should now understand the complexity behind this error and how technical support staff fixes it.

[Solved] Temporary failure in name resolution

DNS errors such as temporary failure in name resolution can easily cripple your server. You will not be able to install any yum packages, and you will not even be able to ping google.com. As the message says, this is a name resolution error, which means your server cannot resolve domain names to their respective IP addresses (if you know about DNS, you will know that this is something the whole internet relies on).

In this article we will see how to resolve the temporary failure in name resolution error, going through the various causes and their respective solutions.


Missing DNS Server IPs

 

Every server needs the IPs of the DNS servers to which it can send its DNS queries. If the IPs of DNS servers are not configured, your server doesn’t know how to resolve domain names to IP addresses, and you will end up getting temporary failure in name resolution.

On UNIX-based systems (Linux servers), DNS servers are usually configured in a file called /etc/resolv.conf. If you don’t have this file, or it is empty, you cannot resolve domain names. Make sure to create one and put the following contents in it:

 

nameserver 1.1.1.1
nameserver 8.8.8.8

 

Network Manager

 

Most recent Linux-based servers ship with NetworkManager. NetworkManager helps connect your server to the internet automatically, and for this task it auto-generates some configuration files. NetworkManager reads your interface file (eth0 or ifcfg) and then auto-generates the /etc/resolv.conf file.

If you have not defined DNS servers in your interface file under /etc/sysconfig/network-scripts, /etc/resolv.conf will remain empty, and you end up getting the temporary failure in name resolution error. You can also fix this issue by populating the /etc/resolv.conf file as described above.

Also, make sure to set NM_CONTROLLED=no in your interface file under /etc/sysconfig/network-scripts, so that NetworkManager will not update your /etc/resolv.conf file again.

Having issues installing packages on Ubuntu

 

You might see something like

 

Err:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
Temporary failure resolving 'security.ubuntu.com'
Err:2 http://dl.google.com/linux/mod-pagespeed/deb stable InRelease
Temporary failure resolving 'dl.google.com'
Err:3 http://mirrors.digitalocean.com/ubuntu xenial InRelease
Temporary failure resolving 'mirrors.digitalocean.com'
Err:4 http://mirrors.digitalocean.com/ubuntu xenial-updates InRelease
Temporary failure resolving 'mirrors.digitalocean.com'
Err:5 http://mirrors.digitalocean.com/ubuntu xenial-backports InRelease
Temporary failure resolving 'mirrors.digitalocean.com'
Err:6 https://repos.sonar.digitalocean.com/apt main InRelease
Could not resolve host: repos.sonar.digitalocean.com

 

This is an example of the temporary failure in name resolution error, as apt cannot resolve the listed domains to their IP addresses. Make sure to allow these ports in UFW using the command below:

 

sudo ufw allow out 53,113,123/udp


Restrictions in your Firewall

 

There might also be a firewall restriction preventing your DNS queries. That is why we always recommend installing CyberPanel for free; CyberPanel will open all default ports for you, and it will also help you run a super-fast website. Install CyberPanel for free using the install guide. You can also learn how CyberPanel will help you run a super-fast website by reading our OpenLiteSpeed vs NGINX article.

Let’s see if this is actually a firewall error by stopping the firewall.

 

Firewalld

 

systemctl stop firewalld

 

Or CSF

 

csf -f

 

Now test and see if your issue is resolved. If so, it means that your firewall is preventing your DNS queries. Start the firewall again before applying the fixes below.

 

Fix for Firewalld

 

You can add port 53 (UDP) and 43 (whois) to firewalld. The following commands can be used (the last one reloads firewalld so that the permanent rules take effect):

firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=43/tcp
firewall-cmd --reload

This will open the DNS-related ports in firewalld. If you are using CyberPanel, you can go to the CyberPanel firewalld interface and add these ports without using the CLI.

 

Go to -> https://<IP Address>:8090/firewall/

 

There you can easily open these two ports.

 

Fix for CSF

 

Open the file /etc/csf/csf.conf, find the lines containing TCP_IN and TCP_OUT, and add your desired ports. Once your desired ports are added, restart CSF so that your changes take effect:

 

csf -r

 

To remove any ports, just remove them from the same lines and restart CSF.

Again, if you are using CyberPanel and have installed CSF (this will disable the Firewalld interface), you can go to -> https://<IP Address>:8090/firewall/csf

 

From there you can add your ports and CyberPanel will take care of everything.


Wrong permissions on /etc/resolv.conf file

 

In some rare cases, your resolver file may have the wrong owner or permissions. Execute the following commands to set the correct ownership and permissions:

 

chown root:root /etc/resolv.conf

chmod 644 /etc/resolv.conf

 

This should fix any permissions related issues with the resolver file.
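
The script below is an added example, not part of the original article. It checks a resolver file for the two file-level problems covered on this page: no usable nameserver entries (see Missing DNS Server IPs) and the wrong owner or permissions. The function name and the sample file are constructed, and GNU or BusyBox stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU or BusyBox stat (-c).

# Prints one finding per line for the resolver file $1 (default /etc/resolv.conf),
# or "ok" when nothing is wrong.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    [ -e "$file" ] || { echo "missing: $file does not exist"; return 0; }
    out=$(
        # Commented-out entries do not count: $1 must be exactly "nameserver".
        awk '$1 == "nameserver" && $2 != "" { n++ }
             END {
                 if (n == 0) print "dns: no nameserver entries"
                 if (n > 3)  print "dns: " n " nameservers listed, glibc uses only the first 3"
             }' "$file"
        # -L follows the symlink that some systems install at /etc/resolv.conf.
        mode=$(stat -L -c '%a' "$file")
        owner=$(stat -L -c '%U:%G' "$file")
        case "$mode" in
            (*[4567]) ;;
            (*) echo "permissions: mode $mode is not world-readable, non-root processes cannot resolve" ;;
        esac
        case "$mode" in
            (*[2367] | *[2367]?) echo "permissions: mode $mode is group- or world-writable" ;;
        esac
        [ "$owner" = "root:root" ] || echo "owner: $owner, expected root:root"
    )
    if [ -n "$out" ]; then echo "$out"; else echo "ok"; fi
}

# Constructed case: a generated file with no DNS servers defined,
# left with a restrictive mode.
tmp=$(mktemp -d)
printf '%s\n' '# Generated by NetworkManager' '#nameserver 1.1.1.1' > "$tmp/resolv.conf"
chmod 600 "$tmp/resolv.conf"
check_resolv_conf "$tmp/resolv.conf"
rm -rf "$tmp"
```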


Conclusions

 

I hope by now you have a general idea of what a temporary failure in name resolution error actually is, because to fix any error we first need to know what it is. We’ve also discussed various ways to fix this error in different situations.

If you are a system administrator, the first rule of solving any problem is to stay calm and debug the problem. However, if you don’t have much time and are looking for experts to manage your server, you are in the right place: you can hire our managed VPS service. We offer a 3-day free trial (no credit card required).