How to fix connection reset by host error [SSH]
The Problem
Sometimes you can't take SSH on a server, even if your IP is allowed/whitelisted. This can happen because multiple layers of access control exist in Linux. It’s important to know which rules take precedence so you don’t get locked out.
2. Basic Linux Access Control: hosts.allow and hosts.deny
/etc/hosts.allow → This file lists IPs or subnets explicitly allowed to connect to services like SSH.
/etc/hosts.deny → This file lists IPs or subnets explicitly denied.
Important:
hosts.allow always takes precedence over hosts.deny.
These LAC rules take precedence over CSF rules, meaning if an IP is blocked here, it will be denied access even if it’s whitelisted in CSF.
- # /etc/hosts.allow
- sshd: 10.0.0.1
- # /etc/hosts.deny
- sshd: 10.0.0.1
IP 10.0.0.1 can still connect to SSH even though it's blocked in hosts.deny.
3. CSF (ConfigServer Security & Firewall)
CSF is a firewall + login failure daemon (LFD) that adds more rules on top of hosts.allow/deny. It controls:
- Which IPs can connect to which ports (including SSH)
- Temporary bans for repeated failed logins.
- Rate limiting to prevent brute force attacks.
CSF Key Files
/etc/csf/csf.allow → The allow list is used to specify IP addresses that should always be permitted to access the server. IPs added to this list are explicitly allowed through the firewall, bypassing many of the checks that might otherwise block access.
/etc/csf/csf.deny → The deny list is used to specify IP addresses that should always be blocked from accessing the server.
Checking an IP
- csf -g 10.0.0.1
This will show you if the IP is allowed, denied.
Permanently allowing IP
- csf -a 10.0.0.1
- csf -r
Permanently blocking IP
- csf -d 10.0.0.1
- csf -r
Removing an IP from allow/deny
- csf -ar 10.0.0.1 # remove from allow
- csf -dr 10.0.0.1 # remove from deny
- csf -r # apply new rules
Solution
- Check the first layer (Linux access control)
- Is the IP blocked in /etc/hosts.deny ?
- Check the second layer (CSF firewall):
- Is the IP blocked in /etc/csf/csf.deny?
- Check logs if SSH still fails:
- journalctl -u ssh or /var/log/auth.log.
- /var/log/lfd.log for CSF/LFD related bans.
Related Articles
Clearing the known_hosts ssh file
Sometimes when connecting to a computer with SSH, things can get jumbled up and an error can occur that looks like this: The purpose of the known_hosts file is for the client to authenticate the server they are connecting to. This error will occur ...How to Connect to an SSH Server from Windows, macOS, or Linux
An SSH client allows you to connect to a remote computer running an SSH server. 1. Windows The most popular and widely recommended solution for connecting to SSH servers is an open source, third-party application called PuTTY. But now with windows 10 ...[How to] Reset VirtualMin ftp password
Reset VirtualMin ftp password Login to the VirtualMin dashboard: on https://server_ip_or_dns_name:10000 Login using the root login. From the VirtualMin Dash drop down on left hand side, select the domain. Edit Virtual Server > Configurable settings ...[How To]: Reset bulk passwords for users in Zimbra
How to Reset password for all (any) users in Zimbra. Login to Zimbra SSH. updatedb && locate zmprov In most cases it the location for the bin file of zmprov will be at /opt/zimbra/bin/zmprov Now Fetch Users from the Zimbra Backend. ...How to connect to ftp/sftp using filezilla?
What is filezilla? Filezilla is a free and open source SFTP(secure FTP)/FTP client which is built on modern standards. It is available cross-platform (Mac, Windows and Linux) and is actively maintained. First you will need to download and install the ...