Block proxies (Ultrasurf, Tor,…)


  • #42263
    luckas
    Member

    First of all: hello to everybody. ZeroShell is the best firewall I’ve tested until now, and it works!
    But I have a problem. I want to block programs that connect to proxies over port 443 (SSL); for example Ultrasurf. I haven’t found anything to block this, so I’ve tried another approach.
    I use the l7 protocol in firewall:
    – Accepting only valid ssl certificates (validatessl rule).
    – Blocking all the other 443 connections.

    The problem is that no connection goes through the first rule (validatessl).
    What’s wrong?

    Thank you very much!

    #49841
    ppalias
    Member

    Truth is, I had some problems with L7 matches in the firewall, and ever since I don’t trust them that much. However, make sure you have the latest release of the signatures.

    #49842
    luckas
    Member

    I have the one included in beta12.
    Is it the latest?
    I’ve visited the official webpage and it says that L7 has been discontinued.

    #49843
    ppalias
    Member

    I think there was one more edition since the release of ZSbeta12.

    #49844
    AtroposX
    Member

    2009-05-28 is the latest version, under the definitions directory…

    http://sourceforge.net/projects/l7-filter/files/

    The one included in beta12 is out of date. Version 2008-12-18 is what comes with beta12.

    #49845
    luckas
    Member

    I’ve upgraded to the latest version, but everything is still the same.

    #49846
    atheling
    Member

    I don’t think that what you are trying to do with L7 filters is possible:

    As near as I can tell from looking at a couple of the L7 filters, they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.

    SSH is an encrypted protocol, so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.

    And your idea of checking for valid SSL certificates won’t work either, as you are basically attempting a “man in the middle” attack, which SSH should be resistant to.

    I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.

    #49847
    dsy
    Member

    You can ban Tor node IPs with the script provided here:
    http://www.torproject.org/faq-abuse.html.en#Bans
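
The "one IP-and-port rule per bad destination" approach from the post above, and the Tor node ban list mentioned here, both come down to turning a list of addresses into firewall rules. The script below is an added example, not code from this thread or from ZeroShell: it validates a plain one-IP-per-line blocklist (the sample list is constructed, not real nodes) and emits one iptables DROP rule per unique address for TCP 443 only, assuming a Linux iptables firewall with a FORWARD chain.

```shell
#!/bin/sh
# Added example: build per-destination TCP/443 DROP rules from an IP blocklist.
# Assumes an iptables-based firewall (FORWARD chain). Not ZeroShell's own code.

# Constructed sample blocklist: one IPv4 per line; '#' comments and blank
# lines are allowed; duplicates and malformed entries are handled below.
SAMPLE_LIST='# constructed sample blocklist (documentation addresses only)
192.0.2.10
198.51.100.7   # listed twice on purpose; must be emitted once
198.51.100.7
not-an-ip
203.0.113.42
'

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255
is_ipv4() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rules: read a blocklist on stdin, strip comments/blank lines, dedupe,
# and print one iptables command per valid IP (invalid entries go to stderr).
build_rules() {
    sed 's/#.*//' | tr -d '\r' | awk 'NF { print $1 }' | sort -u |
    while read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'iptables -A FORWARD -p tcp -d %s --dport 443 -j DROP\n' "$ip"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
}

# Print the rules for the sample list; on the firewall host the output can be
# reviewed and then piped into sh to apply it.
printf '%s' "$SAMPLE_LIST" | build_rules
```

Restricting the rules to destination port 443 keeps the blocklist from affecting other traffic to the same hosts, and the invalid-entry check means a corrupted list produces a warning rather than a broken ruleset.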

    #49848
    luckas
    Member

    Yes, you are right.
    But the problem is that Ultrasurf uses a very large list of IPs that changes every day (and that nobody knows).
    The only thing I can do now is block all 443 connections except the ones I allow (Gmail, Hotmail,…). A good blocking program would be better for this.
    Any other idea?

    Thank you!

    @atheling wrote:

    I don’t think that what you are trying to do with L7 filters is possible:

    As near as I can tell from looking at a couple of the L7 filters, they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.

    SSH is an encrypted protocol, so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.

    And your idea of checking for valid SSL certificates won’t work either, as you are basically attempting a “man in the middle” attack, which SSH should be resistant to.

    I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.

    #49849
    JC
    Member

    What are you trying to block? In my environment I am blocking students from porn and other nasty sites, so the DansGuardian add-on was my answer. I tried to block all sites and then allow certain ones through the HTTP proxy URL Management, but as you noticed it gets unwieldy quite quickly.
    Hope this is useful to you.

    #49850
    luckas
    Member

    Yes, but there are programs to bypass this, and I want to block these programs. They work as proxies.

    @JC wrote:

    What are you trying to block? In my environment I am blocking students from porn and other nasty sites, so the DansGuardian add-on was my answer. I tried to block all sites and then allow certain ones through the HTTP proxy URL Management, but as you noticed it gets unwieldy quite quickly.
    Hope this is useful to you.
