blocked 443 port

Bob Proulx bob at proulx.com
Sun Jun 4 16:34:22 UTC 2023


Hi Steve!

Steve Wolf wrote:
> Bob Proulx wrote:
> > I actually have ssh on port 443.  Because some places, like the PVH
> > hospital and MCR, no longer allow port 22 out.  Those buggers!
>
> I assume you’re aware of sslh, which multiplexes SSH and HTTPS,
> based on the first packet received.

I picked this system for the port 443 for ssh because that's the one
system of mine which does not need to run https.  So for this one
there is no need to multiplex between them.  But otherwise it's a good
tool to do this.  Note that it does add a required pause to the
connection to identify the protocol being used though.

    https://www.rutschle.net/tech/sslh/README.html

> I ran ssh/443 on my home server for a while (with sslh) when my
> employer was blocking 22.  I had the opportunity of demonstrating to
> an IT manager a SOCKS tunnel between my home server and a machine
> inside the corporate firewall, after which the policy of blocking 22
> went away as being fruitless.  I told the IT manager that there are
> many reasons to trust employees to do the right thing, this being
> one of them.

In addition to the above I also like "sshuttle".  It creates a
tunnel-everything setup.  I use it when I am working at a client
network.  For example it allows me to tunnel researching something
which might take me to random web sites (which might be blocked by the
corporate IT department as not listed in their allow list).  I don't
want to trigger too many blocked web sites and so it is just better if
I keep that work private.

    https://github.com/sshuttle/sshuttle

Using sshuttle works great!  I have talked about sshuttle before so
won't repeat all of that here again.

> Bob, perhaps you can perform such a demo for the PVH IT crew…

I have been thinking of nagging the IT folks at PVH & MCR that they
should allow outgoing port 22 ssh.  I am sure that they are simply MS
Windows people and just not even aware of any other needs.  There
would be no security implications for their network since it is
already a public use and public access network.  The only reason I
have not is that whenever I run into such networks I simply use my
cell modem.  That bypasses the problem entirely.  Removing the itch and
so no itch to scratch.

Bob
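
Added example, not part of the original message and not sslh's own code: a simplified Python sketch of the first-packet identification discussed in this thread, including the wait-for-data timeout behind the pause mentioned above. The function names, the 0.2 s timeout and the sample bytes are constructed for illustration, and treating a silent client as SSH is an assumption modeled on sslh's timeout fallback.

```python
import select
import socket

TIMEOUT_S = 0.2  # assumed demo value; the real tool's timeout is configurable

def classify(first: bytes) -> str:
    """Guess the protocol from the first bytes a client sent."""
    if not first:
        # Nothing arrived before the timeout: assume a client that is
        # waiting for the server's SSH banner (this wait is the pause).
        return "ssh-by-timeout"
    if first.startswith(b"SSH-"):
        return "ssh"  # SSH identification string, e.g. "SSH-2.0-..."
    # TLS record header: type 0x16 (handshake), major version 0x03;
    # the handshake message type at offset 5 is 0x01 (ClientHello).
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03 and first[5] == 0x01:
        return "tls"
    return "unknown"

def probe(conn: socket.socket, timeout: float = TIMEOUT_S) -> str:
    """Wait up to `timeout` for client data, peek at it, and classify it."""
    readable, _, _ = select.select([conn], [], [], timeout)
    # MSG_PEEK leaves the bytes queued so the real backend still sees them.
    first = conn.recv(16, socket.MSG_PEEK) if readable else b""
    return classify(first)

def demo() -> dict:
    """Run the probe over constructed sample clients on local socket pairs."""
    samples = {
        "ssh_client": b"SSH-2.0-OpenSSH_9.2\r\n",
        "tls_client": bytes.fromhex("1603010200010001fc0303"),
        "silent_client": b"",
        "http_plain": b"GET / HTTP/1.1\r\n",
    }
    results = {}
    for name, payload in samples.items():
        client, server = socket.socketpair()
        try:
            if payload:
                client.sendall(payload)
            results[name] = probe(server)
        finally:
            client.close()
            server.close()
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```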