All Products
Document Center

The "ssh_express_identification: read: Connection reset by peer" error message is displayed when you log on to the ECS instance through SSH.

Last Updated: Sep 21, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.


Problem description

When you log on to an ECS instance through SSH, an error message similar to the following is returned even if you have entered the correct password.

Ssh_express_identification: read: Connection reset by peer.
Sshd [11949]: refused connect from ( ).



In Linux/Etc/hosts. allowOr/Etc/hosts. denyFile to enable TCP Wrapper access control.



You can follow these steps to dynamically set access policies by modifying the configuration file without restarting the server for the configuration to take effect. Apply the hosts. allow rule before applying the hosts. deny rule. The general practice is to configure trusted host rules in hosts. allow and then deny all other hosts in hosts. deny.

Note: The Linux configurations and descriptions in this article have been tested in the CentOS 6.5 64-bit operating system. The operating system configurations of other types and versions may be different. For more information, see the official documentation of the corresponding operating system.

  1. PassManagement terminalEnter the system.
  2. PassCatCommand View/Etc/hosts. allowAnd/Etc/hosts. denyFile, whether it contains a configuration similar to the following.
    All: deny
  3. Back up the file if you need to modify the policy configuration.
  4. Use vi and other editors to modify/Etc/hosts. allowAnd/Etc/hosts. denyFile, delete the entire line or add comments, as shown below.
    # all:all:deny
  5. Try to log on to the server again.



TCP Wrapper is a common standard security framework in Linux. It is similar to IPTABLES and is used to control access to TCP-based applications started from inetd. The daemon process is tcpd. It determines whether to allow or reject TCP connections by reading the relevant policy configurations in the following two files.


Note: For more information about TCP Wrapper, seeTCP Wrapper.



You can also refer to the following documents for further troubleshooting and analysis by referring to more questions about ECS instance logon failures.


Application scope

  • ECS