Re: can Hopster traffic be blocked?

From: lonely wolf (wolfy_at_nobugconsulting.ro)
Date: 08/05/04

    Date: Fri, 06 Aug 2004 00:40:32 +0300
    To: focus-linux@securityfocus.com
    
    

    Prakash Purushotham wrote:
    > Current setup:
    >
    > RH9 all patches current
    > iptables set to deny all direct traffic out except to a select few
    > squid with acls to allow only http(s)/ftp,
    Guess why port 80 is declared 'universal firewall bypass'.

    > more acls to allow access to msn/yahoo.
    >
    > Problem:
    >
    > Some users have installed hopster and are able to connect to messenger
    > servers even if they are not listed under the "chat access" acls.
    >
    > The following site has some information on hopster and similar software.
    > http://www.hackingspirits.com/eth-hac/prf-of-conc/bypass-fw/PoF01/bypass-fw-sock.html
    >
    > I have tried in vain to block traffic using iptables. I tried INPUT
    > filter on traffic coming in from port 1863 (for example), under the
    > assumption that the messenger server has to reply to hopster requests. I
    > have tried blocking FORWARDs again, based on source port 1863 on the
    > external interface.
    Wrong way. Connections are already socks-ified.

    > My last resort (administrative) is to invoke the rule that no
    > unauthorized software be installed on the systems.
    >
    > Any suggestions on how I can block hopster (and other similar socks
    > based tunneling applications) from tunnelling out.
    I bet all my weekend beers that the only way out is content filtering
    done at the proxy level. Maybe squidguard/dansguardian could help. Or
    snort. Otherwise .. IBM websense.

    You cannot filter based on IP addresses because the users can always
    look for open proxy servers to chain with, and replace them more often
    than you can hunt them.

    -- 
           Manuel Wolfshant       linux registered user #131416
    	    IT manager	NoBug Consulting Romania
    	http://www.brainbench.com/transcript.jsp?pid=40317
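
Since destination IP lists cannot keep up with changing relays, proxy-side review has to key on how sessions behave rather than where they go. The following is an added example, not part of the original message or of any tool it names: it scans Squid native-format access.log lines for CONNECT requests to ports other than 443 and for unusually long-lived CONNECT tunnels. The allowed port set, the 10-minute threshold, the sample log lines, and the assumption that tunnelled sessions traverse Squid as CONNECT requests are all choices made for this illustration.

```python
# Added example: heuristic review of Squid native-format access.log lines.
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}      # assumption: only HTTPS may be tunnelled
LONG_TUNNEL_MS = 10 * 60 * 1000    # assumption: 10 min marks a persistent session

# Constructed sample lines (native format: time elapsed client code/status
# bytes method URL ident hierarchy/peer type); not taken from a real log.
SAMPLE_LOG = """\
1091742000.100    310 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
1091742010.200   4200 192.168.1.11 TCP_MISS/200 20480 CONNECT shop.example.com:443 - DIRECT/203.0.113.20 -
1091742020.300 1850000 192.168.1.12 TCP_MISS/200 73400 CONNECT relay.example.net:443 - DIRECT/203.0.113.30 -
1091742030.400     12 192.168.1.12 TCP_DENIED/403 1400 CONNECT relay.example.net:1863 - NONE/- text/html
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 7 or not f[1].isdigit():
        return None
    return {"elapsed_ms": int(f[1]), "client": f[2],
            "denied": f[3].startswith("TCP_DENIED"),
            "method": f[5], "url": f[6]}

def review(log_text):
    """Map client IP -> list of (reason, destination) findings."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        # For CONNECT, Squid logs the target as host:port.
        _, _, port = rec["url"].rpartition(":")
        if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            findings[rec["client"]].append(("connect-to-nonstandard-port", rec["url"]))
        elif not rec["denied"] and rec["elapsed_ms"] >= LONG_TUNNEL_MS:
            findings[rec["client"]].append(("long-lived-tunnel", rec["url"]))
    return dict(findings)

if __name__ == "__main__":
    for client, items in review(SAMPLE_LOG).items():
        for reason, dest in items:
            print(client, reason, dest)
```

Both signals are heuristics that give an administrator a short list of clients to look at; they do not inspect the tunnelled content itself.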
    
