8 comments

[ 4.4 ms ] story [ 25.3 ms ] thread
See also sslh. (Or sshl, I forget which way round it goes.) Which claims some ssh clients are eager (sending a greeting without waiting for the ssh server greeting).

I was once unable to connect to my sshd on port 443 when I was using the free wifi in a pub. The firewall appeared to be blocking the connection: presumably it was checking whether the connection was really ssl or not.

A neat way to hide your SSH port, but not very practical (scanners will just wait a little while to see if the SSH banner gets pumped out). You want something that speaks HTTP so it'll get through transparent proxies of corporations and wifi paywalls, which would be proxytunnel combined with a server-side configuration of whatever your favorite http proxy/server is. Even if your corporate environment forces NTLMv2 proxy authentication, you can chain cntlm and proxytunnel to their proxy and still tunnel out, and nobody is the wiser. (http://dag.wieers.com/howto/ssh-http-tunneling/)
haproxy configuration :

defaults timeout connect 5s timeout client 50s timeout server 20s

listen ssl :443 tcp-request inspect-delay 2s acl is_ssl req_ssl_ver 2:3.1 tcp-request content accept if is_ssl use_backend ssh if !is_ssl server www-ssl :444 timeout client 2h

backend ssh mode tcp server ssh :22 timeout server 2h