SSH connection refused — step-by-step troubleshooting

TL;DR

Step-by-step troubleshooting guide for SSH connection refused errors that lock you out of a Linux server.

Key facts

Topic: Production error triage
Stack: Linux / SSH

TL;DR

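ssh: connect to host x.x.x.x port 22: Connection refused means the server actively rejected the TCP connection on that port: either nothing is listening there (the SSH daemon is not running or is bound to a different port) or a firewall rule is rejecting the traffic. This locks you out of your server, making remote triage impossible until the issue is resolved through a console, VNC, or out-of-band access.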

Common causes

  • The SSH daemon (sshd) is not running
  • SSH is listening on a non-standard port
  • A firewall rule (UFW, iptables, cloud security group) blocks port 22
  • The server's disk is full, preventing sshd from writing its PID file
  • The sshd configuration has a syntax error preventing startup
  • Fail2ban or DenyHosts banned your IP address

Diagnosis (requires console access)

Access the server via your cloud provider's web console, then:

systemctl status sshd
sudo ss -tlnp | grep ssh

Check firewall:

sudo ufw status
sudo iptables -L -n | grep 22

Check if your IP is banned, and unban it if it is:

sudo fail2ban-client status sshd
sudo fail2ban-client set sshd unbanip YOUR_IP
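
The Common causes list names a non-standard port and a full disk, but the commands above do not check for either. The script below is an added example, not part of the original guide; the function names and the 99% threshold are assumptions, and the sample ss and df output is constructed.

```shell
#!/bin/sh
# Added example: console-side checks for listed causes with no command on the page.
# The parsers read command output on stdin, so they can be exercised offline.

# Ports from `sshd -T` (effective configuration) output.
configured_ports() { awk '$1 == "port" { print $2 }'; }

# Succeeds if `ss -tlnH` output has a listener on TCP port $1.
# Assumes the local address:port is the 4th column.
is_listening() {
  awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit !found }'
}

# Mount points at or above $1 percent use, from `df -P` output.
full_mounts() {
  awk -v lim="$1" 'NR > 1 { u = $5; sub(/%/, "", u); if (u + 0 >= lim) print $6 }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*'
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/vda1 20511312 20511312 0 100% /
tmpfs 403264 1092 402172 1% /run'

# Run as root on the server console: sh triage.sh --run
triage() {
  sshd -t || { echo "config: sshd -t rejected sshd_config"; return 1; }
  full=$(df -P / /var /run | full_mounts 99 | sort -u)
  [ -z "$full" ] || echo "disk: full filesystem(s):" $full
  for p in $(sshd -T | configured_ports); do
    if ss -tlnH | is_listening "$p"; then
      echo "listen: port $p is bound"
    else
      echo "listen: nothing is bound to configured port $p"
    fi
  done
}

if [ "${1:-}" = "--run" ]; then triage; fi
```

If the script reports a bound port other than 22, connect with ssh -p and check that the firewall rules allow that port rather than 22.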

Fixes

Start sshd if it is not running (the systemd unit is named ssh on Debian and Ubuntu, and sshd on RHEL-family distributions):

sudo systemctl start ssh
sudo systemctl enable ssh

If sshd fails to start, check the config for syntax errors:

sudo sshd -t

Open port 22 in the firewall:

sudo ufw allow 22/tcp
sudo ufw reload

For cloud providers, verify the security group or firewall rule in the provider's dashboard allows inbound TCP port 22 from your IP.

Prevention

  • Always test SSH access after changing sshd_config — keep an existing session open as a safety net
  • Use a non-standard port to reduce brute-force noise, but update your firewall and SSH config accordingly
  • Configure Fail2ban with a whitelist for your office or VPN IP range
  • Set up out-of-band access (cloud console, IPMI) before you need it in an emergency

Where Reflex helps

Reflex monitors SSH daemon health and port reachability from outside your network. If SSH becomes unreachable, Reflex can alert immediately and, for supported cloud providers, use API-level access to restart the SSH service or adjust security group rules to restore access.