Block proxies (Ultrasurf, Tor,…)


This topic contains 9 replies, has 0 voices, and was last updated by luckas 9 years, 2 months ago.

    #42263

    luckas
    Member

    First of all: hello to everybody. The zeroshell is the best firewall that I’ve tested until now and it works!
    But I have a problem. I want to block programs that connect to proxies over port 443 (SSL), for example Ultrasurf. I haven’t found anything to block this, so I’ve tried another approach.
    I use the l7 protocol in firewall:
    – Accepting only valid ssl certificates (validatessl rule).
    – Blocking all the other 443 connections.

    The problem is that no connection goes by first rule (validatessl).
    What’s wrong?

    Thank you very much!

    #49841

    ppalias
    Member

    Truth is, I had some problems with L7 matches in the firewall and ever since I don’t trust them that much. However, make sure you have the latest release of the signatures.

    #49842

    luckas
    Member

    I have the one included in beta12.
    Is it the latest?
    I’ve visited the official webpage and it says that l7 has been discontinued.

    #49843

    ppalias
    Member

    I think there was one more edition since the release of ZSbeta12.

    #49844

    AtroposX
    Member

    2009-05-28 is the latest version, under the definitions directory…

    http://sourceforge.net/projects/l7-filter/files/

    The one included in beta12 is out of date. Version 2008-12-18 is what comes with beta12.

    #49845

    luckas
    Member

    I’ve upgraded to the latest version, but everything is still the same.

    #49846

    atheling
    Member

    I don’t think that what you are trying to do with L7 filters is possible:

    As near as I can tell by looking at a couple of the L7 filters is they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.

    SSH is an encrypted protocol so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.

    And your idea of checking for valid SSL certificates won’t work either, as you are basically trying a “man in the middle” attack, which SSH should be resistant to.

    I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.

    #49847

    dsy
    Member

    You can ban TOR nodes IP with the provided script:
    http://www.torproject.org/faq-abuse.html.en#Bans

    #49848

    luckas
    Member

    Yes, you are right.
    But the problem is that Ultrasurf uses a very large list of IPs that changes every day (and nobody knows it).
    The only thing I can do now is block all 443 connections except the ones that I accept (gmail, hotmail,…). A good blocking program would be better for this.
    Any other idea?

    Thank you!

    @atheling wrote:

    I don’t think that what you are trying to do with L7 filters is possible:

    As near as I can tell by looking at a couple of the L7 filters is they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.

    SSH is an encrypted protocol so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.

    And your idea of checking for valid SSL certificates won’t work either, as you are basically trying a “man in the middle” attack, which SSH should be resistant to.

    I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.
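    As an added example (not code from any poster, nor ZeroShell or l7-filter code), here is the allow-list approach from the post above applied to the first packet of a port-443 flow: it checks for a well-formed TLS ClientHello, the kind of byte-pattern test an L7 filter performs, and reads the SNI so that only named hosts such as gmail pass. The ClientHello builder only constructs sample input; it is not captured traffic.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host          # name_type=host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = SNI
    exts = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)        # client_version + 32-byte random (zeroed sample)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + exts)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type=ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def classify_port443(payload: bytes):
    """Return ('tls', sni) for a well-formed ClientHello, else ('not-tls', None)."""
    try:
        # Record header: content type 0x16 (handshake), major version 3
        if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
            return ("not-tls", None)
        rec_len = struct.unpack(">H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
            return ("not-tls", None)
        p = 4 + 2 + 32                              # skip handshake header, version, random
        p += 1 + hs[p]                              # session_id
        p += 2 + struct.unpack(">H", hs[p:p + 2])[0]  # cipher suites
        p += 1 + hs[p]                              # compression methods
        sni = None
        if p + 2 <= len(hs):
            end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
            p += 2
            while p + 4 <= end:
                etype, elen = struct.unpack(">HH", hs[p:p + 4])
                p += 4
                if etype == 0x0000 and elen >= 5:   # SNI: list len(2), type(1), name len(2), name
                    name_len = struct.unpack(">H", hs[p + 3:p + 5])[0]
                    sni = hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
                p += elen
        return ("tls", sni)
    except (IndexError, struct.error):
        return ("not-tls", None)

def allowed_on_443(payload: bytes, allow_list: set) -> bool:
    """Allow-list policy: only genuine TLS ClientHellos whose SNI is on the list pass."""
    kind, sni = classify_port443(payload)
    return kind == "tls" and sni in allow_list
```

    Note that SNI is a client-supplied, unencrypted hint: a proxy client that sends a real ClientHello with an allow-listed name passes this check, and legitimate clients that omit SNI are rejected, so this is a first-packet filter, not certificate validation.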

    #49849

    JC
    Member

    What are you trying to block? In my environment I am blocking students from porn and other nasty sites, so the dansguardian add-on was my answer. I tried to block all sites and then allow certain ones through the HTTP proxy URL Management, but as you noticed it gets unwieldy quite quickly.
    Hope this is useful to you.

    #49850

    luckas
    Member

    Yes, but there are programs to bypass this. And I want to block these programs. They work as a proxy.

    @jc wrote:

    What are you trying to block? In my environment I am blocking students from porn and other nasty sites, so the dansguardian add-on was my answer. I tried to block all sites and then allow certain ones through the HTTP proxy URL Management, but as you noticed it gets unwieldy quite quickly.
    Hope this is useful to you.
