LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-03-2004, 04:43 AM   #1
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
Hopster menace


Current setup:

RH9 all patches current
iptables set to deny all direct traffic out except to a select few
squid with acls to allow only http(s)/ftp, more acls to allow access to msn/yahoo.

Problem:

Some users have installed hopster and are able to connect to messenger servers even if they are not listed under the "chat access" acls.

Here is some information on what hopster does.

I have tried in vain to block traffic using iptables. I tried INPUT filter on traffic coming in from port 1863 (for example), under the assumption that the messenger server has to reply to hopster requests. I have tried blocking FORWARDs again, based on source port 1863 on the external interface.

My last resort (administrative) is to invoke the rule that no unauthorized software be installed on the systems.

Does anyone have ideas on how I can block hopster (and other similar socks based tunneling applications) from tunnelling out.
 
Old 08-03-2004, 01:32 PM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Have you tried the following:
- Blocking access to the Hopster servers
- Adding a username/password authentication to your proxy
- Publishing traffic reports based on source/destination

People are less likely to skirt company policy when the have to put their name next to where they go...
 
Old 08-03-2004, 11:17 PM   #3
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 47
I have tried blocking the hopster servers, even banned the word hopster. That only benefits the users in that they do not get the hopster advertisements :P.

Access to squid proxy is restricted based on MAC address. We also know the users who are using this software. And our corporate policy does allow us remove such software from the user systems.

I just want a way to block such traffic, that is, if it is possible ... I believe it is, trying to figure out how.
 
Old 08-04-2004, 08:24 AM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Check your squid logs for requests from the Hopster users, then block the outside SOCKS servers. Overtime you can eliminate all of the outside Hopster servers that the client connects to.
 
Old 08-05-2004, 05:02 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 47
Stickman, the proxy logs (we use sawmill) come up with nought. Hopster does not use any external servers. It initiates a HTTP request with the gateway proxy server. once a connection is established, it tunnels all requests as HTTP requests. Poor proxyserver will assume it is valid http traffic and allows it to pass into the external world.

Check this page - towards the end you will find some explanation about what hopster does.
http://www.hackingspirits.com/eth-ha...s-fw-sock.html

I thought that although hopster fools the proxyserver by making it believe that the traffic is just HTTP, the return traffic from the chat servers can be filtered / blocked. I have not had much success with this ... although I am still pursuing this idea.

Last edited by ppuru; 08-05-2004 at 05:04 AM.
 
Old 08-05-2004, 08:38 AM   #6
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Yes, Hopster does tunnel the traffic to look like a regular HTTP request, but it sends it to a SOCKS server (Step 3 on the info page you recommend). Block those servers.
 
Old 08-05-2004, 09:14 AM   #7
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 47
Thanks for bringing that to my notice stickman (thanks for helping me tunnel through my "assumption" filters ). I was under the impression that this Socks Proxy Server is the client itself ... Will sniff that external socks server first thing tomorrow morning.

Update:-
Managed to block hopster traffic. Hopster first connects to an external server using https. I have been able to detect just one IP. I am not sure whether hopster uses just a single external server. Keeping a watch for IPs of other external partners of hopster. I am not sure whether.

Well we have been able to squash this problem both administratively and technically. Other similar software found in use is proxycap.

Last edited by ppuru; 08-06-2004 at 04:38 AM.
 
Old 12-13-2004, 08:25 PM   #8
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 45

Rep: Reputation: 16
Quote:
Originally posted by ppuru
Thanks for bringing that to my notice stickman (thanks for helping me tunnel through my "assumption" filters ). I was under the impression that this Socks Proxy Server is the client itself ... Will sniff that external socks server first thing tomorrow morning.

Update:-
Managed to block hopster traffic. Hopster first connects to an external server using https. I have been able to detect just one IP. I am not sure whether hopster uses just a single external server. Keeping a watch for IPs of other external partners of hopster. I am not sure whether.

Well we have been able to squash this problem both administratively and technically. Other similar software found in use is proxycap.

So...... Have you block hopster ????
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
blocking hopster and proxifier abhi_crusader Linux - Security 2 09-30-2005 01:16 PM
Please help in for blocking hopster and proxifier on my Linux Enterprise 3 AS abhi_crusader Linux - Security 1 09-24-2005 02:55 PM
MS Palladium: A must or a menace? Edward78 General 17 01-19-2003 03:50 AM


All times are GMT -5. The time now is 09:38 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration