by Kim_Bruning 1357 days ago
My solution was to run an sshd on port 443.

I currently no longer need to do so right this minute, but sometimes people do keep asking me why I still have that.

---

Not sure if this still works on modern corporate networks. These days I tether to a mobile phone with unlimited internet, which is all-around easier to work with.


As an example, best practice for Palo Alto firewall setup is to create a rule that allows the "application" known as "SSL" and then use "application-default" as the setting for which ports to allow it on. This would inspect the traffic to determine that it is SSL (actually TLS in most cases I guess) and then allow it if on port 443.

If you don't have other relevant allow rules, your sshd traffic would just be dropped, regardless of port.

If the firewall administrator does things poorly, they will create an allow rule for port 443 and your sshd traffic on port 443 would be allowed (no inspection of traffic to determine if it is SSL or SSH).

BTW this is inspection, not decryption. Two very different things.

The business of developing algorithms to effectively detect various applications must be very interesting. You can see all the different "applications" here: https://applipedia.paloaltonetworks.com/
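The difference the comment above draws between an application-based rule with "application-default" ports and a plain port-based rule is easy to model. The following is an added example (not code from the original thread, and not Palo Alto's App-ID engine, which looks at far more than the first bytes): a toy identifier that classifies a flow from its first client payload, plus a rule evaluator. Rule names, the `APPLICATION_DEFAULT_PORTS` table and the sample payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple, Union

# Constructed sample "first client bytes" for three flows.
# SSH identification string (RFC 4253 section 4.2); the version text is made up.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

# Minimal TLS 1.2 ClientHello record, lengths computed so the framing is valid.
_hello_body = (
    b"\x03\x03"            # client_version TLS 1.2
    + b"\x00" * 32         # random (zeros for the example)
    + b"\x00"              # session_id length 0
    + b"\x00\x02\x13\x01"  # cipher_suites: one suite
    + b"\x01\x00"          # compression_methods: null
    + b"\x00\x00"          # extensions length 0
)
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
TLS_CLIENT_HELLO = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake

HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def identify_app(payload: bytes) -> str:
    """Classify a flow by its first client payload, using the same 'application'
    names the Palo Alto comment uses. Real App-ID uses multi-packet decoders;
    this only looks at the opening bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "ssl"
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n", payload):
        return "web-browsing"
    return "unknown"


# Ports that the (assumed) "application-default" setting maps each app to.
APPLICATION_DEFAULT_PORTS = {"ssl": {443}, "ssh": {22}, "web-browsing": {80}}


@dataclass
class Rule:
    name: str
    application: Optional[str]           # None means "any application"
    ports: Union[Set[int], str]          # explicit port set, or "application-default"
    action: str = "allow"


def evaluate(rules, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    app = identify_app(payload)
    for rule in rules:
        if rule.application is not None and rule.application != app:
            continue
        if rule.ports == "application-default":
            if dst_port not in APPLICATION_DEFAULT_PORTS.get(app, set()):
                continue
        elif dst_port not in rule.ports:
            continue
        return rule.action, rule.name
    return "drop", "implicit-deny"


# The "best practice" policy from the comment: allow the SSL app on its default port.
GOOD_POLICY = [Rule("allow-ssl", "ssl", "application-default")]
# The "done poorly" policy: allow anything to port 443.
BAD_POLICY = [Rule("allow-any-443", None, {443})]


if __name__ == "__main__":
    for label, payload in [("ssh", SSH_BANNER), ("tls", TLS_CLIENT_HELLO), ("http", HTTP_GET)]:
        print(label, "->", identify_app(payload))
    print("good policy, sshd on 443:", evaluate(GOOD_POLICY, 443, SSH_BANNER))
    print("good policy, TLS on 443: ", evaluate(GOOD_POLICY, 443, TLS_CLIENT_HELLO))
    print("bad policy,  sshd on 443:", evaluate(BAD_POLICY, 443, SSH_BANNER))
```

With the application-based rule, an sshd listening on 443 is dropped because the first bytes are an SSH banner, not a TLS handshake, while TLS on a non-default port such as 8443 is also dropped. With the port-only rule, both SSH and TLS sail through on 443 with no inspection of the payload at all.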

My wireguard UDP endpoints are available on a high port, 443 and 53. I've often had one of them blocked, very rare to have them all blocked.

That worked for me for a while but then the proxy started checking that all traffic was HTTP. Eventually I used ssh over websocket.