I believe that my Chinese ISP has started detecting and bandwidth-limiting SSH connections. I'm not using the default SSH port so I suspect that they are using deep packet filtering to detect the unencrypted handshake.
I am aware of one solution to this which patches OpenSSH to encrypt the handshake. However, I have two problems:
- This project is three years old so if I were to just compile it as is, I would be forsaking three years of security updates for OpenSSH.
- My server is in the US and my only way of accessing it is through SSH--so downtime or messing up isn't an option.
As such I have two questions:
- Can I somehow patch a current version of OpenSSH to use the obfuscated handshake? If so, how would I do this? Which files would I need to add/modify in the source?
- How could I avoid any downtime for the ssh server while doing this patch? Can I install two ssh servers side by side?
If anyone could help me with this--or knew of a better way to obfuscate ssh handshakes--my appreciation would be boundless!
You can use Obfsproxy to beat DPI; here's a screenshot explaining what it does:
Screenshot shamelessly taken from the TorProject site
This might be possible, but given the age of the patch, it may take time to apply. Reading the diffs can help to explain what got edited and where, but given development of software over three years, the patch may need to be manually applied.
This downtime is negligible. Part of the sshd server update procedure is to turn itself off and turn itself back on when you install with a Debian package. If you patch the source in the package itself, then upload that updated package (and increase the version accordingly) to a PPA, then add that PPA to your sources, and `apt-get update` and `apt-get upgrade`, there won't be any real downtime issues.
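The question's premise, that moving sshd off the default port does not hide it from payload inspection, can be shown with a short added example (not code from any of the posts above). It parses the cleartext identification string that RFC 4253 section 4.2 requires each side to send before key exchange; the function names, the preamble cap and the sample flows are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF, sent in cleartext before key exchange.
# softwareversion is printable ASCII without whitespace or the minus sign.
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: ([^\r\n]*))?$")
MAX_IDENT_LEN = 255
MAX_PREAMBLE_LINES = 20  # assumption: cap on lines scanned before giving up


def parse_ssh_ident(first_bytes):
    """Return (protoversion, softwareversion) if the stream carries an SSH
    identification string, else None. The TCP port is never consulted."""
    lines = first_bytes.split(b"\n")
    # The last element is empty or an unterminated partial line, so skip it.
    for line in lines[:-1][:MAX_PREAMBLE_LINES]:
        if not line.startswith(b"SSH-"):
            continue  # a server may send other lines before its version string
        if len(line) + 1 > MAX_IDENT_LEN:  # +1 restores the LF removed by split
            return None
        m = IDENT_RE.match(line.rstrip(b"\r"))
        return (m.group(1).decode(), m.group(2).decode()) if m else None
    return None


# Constructed sample flows: (destination port, first bytes seen from the server)
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (48222, b"SSH-2.0-OpenSSH_9.6\r\n"),  # non-default port, same cleartext banner
    (48222, b"Welcome\r\nSSH-2.0-ExampleServer_1.0 demo build\r\n"),
    (443, bytes.fromhex("160303007a0200007603")),  # start of a TLS record
    (22, bytes.fromhex("9f3c51e07ab2d4180c6e")),   # port 22, but no cleartext banner
]


def classify(flows):
    """Label each flow as SSH or not from payload alone."""
    return [(port, parse_ssh_ident(data) is not None) for port, data in flows]


if __name__ == "__main__":
    for port, is_ssh in classify(SAMPLE_FLOWS):
        print(f"port {port:5d}: {'SSH banner' if is_ssh else 'no SSH banner'}")
```

The last sample shows the other side of the same point: a stream whose first bytes carry no identification string is not matched by this check even on port 22, which is what wrapping or obfuscating the handshake changes.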