Linux - Security (LinuxQuestions.org forum)
I maintain a wifi network for guests at a hotel, made up of several wifi APs and a Linux server as a gateway. Recently we've had an increasing number of downloads of copyrighted material through p2p, to the point where our ISP is threatening to close the connection if we don't do something. Given the setup, a non-technical solution is not much of an option - as it is not a regular organisational environment, where users can be monitored, educated, sent to HR for a pep talk, warned etc. Also the end devices are not under our control - so nothing can be done there either.
Based on my findings so far, it seems that blocking p2p altogether would be impossible - as many protocols now use encryption - so packet inspection would probably not work. There doesn't even seem to be a robust, current L7 packet inspection software for Linux anyway. Also port blocking seems to be out - as lots of p2p software can use common ports.
The best option seems to be to slow down large downloads, hoping to dissuade users from using the hotel's wifi for illegal downloads - mainly copyrighted films. I know it is a blunt tool, but I can't see a better option at the moment.
The proposed config is:
1. Mark packets belonging to large downloads with iptables (with connbytes) and then send them to a slow queue using tc.
2. Track internal IP addresses generating an inordinately large number of new connections in a short period of time with iptables (with connlimit) and again send them to a slow queue with tc.
Is the setup above likely to work? Also, is it likely to have a significant impact on any other piece of software or protocol? Any comments from those with an understanding of current p2p protocols would be much appreciated. Maybe there are some other options available as well out there?
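The two-step setup described in the post (connbytes marking plus a tc slow queue, and connlimit marking for connection-heavy addresses), written out as an added example that is not part of the original post. The interface name eth1, the 20 MB threshold, the 200-connection limit, the 20 mbit link speed, the 1 mbit ceiling of the slow class and the fwmark value are all assumptions. Two points worth checking in practice are built in: the HTB queue sits on the LAN-facing interface, because that is where downloads leave the gateway, and a CONNMARK restore rule copies the connection mark onto reply packets so that connections flagged by connlimit are slowed in the download direction too.

```shell
#!/bin/sh
# Added example (not from the thread): mark large connections with connbytes and
# connection-heavy guest addresses with connlimit, then steer marked packets into a
# slow HTB class with tc. Assumptions: LAN-facing interface eth1, a 20 MB threshold,
# a 200-connection limit, a 20 mbit link and a 1 mbit ceiling for the slow class.
# Without --apply the script only prints the rules; with --apply (as root) it runs them.

LAN_IF="${LAN_IF:-eth1}"           # interface towards the guest APs (downloads leave here)
THRESHOLD_MB="${THRESHOLD_MB:-20}" # connections above this size are slowed
MAX_CONN="${MAX_CONN:-200}"        # concurrent connections per guest address before slowing
SLOW_MARK=2                        # fwmark that selects the slow class

# --connbytes counts bytes, so convert the megabyte threshold.
mb_to_bytes() { echo $(( $1 * 1024 * 1024 )); }

# First rule: copy any saved connection mark back onto each forwarded packet, so reply
# packets of a connection flagged by the connlimit rule carry the slow mark as well.
connmark_restore_rule() {
  echo "iptables -t mangle -A FORWARD -j CONNMARK --restore-mark"
}

# Once a connection has carried more than the threshold in either direction,
# every further packet of that connection is marked.
connbytes_rule() {
  echo "iptables -t mangle -A FORWARD -m connbytes --connbytes $(mb_to_bytes "$1"): --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark $SLOW_MARK"
}

# connlimit counts concurrent connections per source (mask 32 = one address), not new
# connections per interval; connections from an address above the limit get the mark
# saved on the connection, which the restore rule applies to their reply packets.
connlimit_rule() {
  echo "iptables -t mangle -A FORWARD -i $LAN_IF -m connlimit --connlimit-above $1 --connlimit-mask 32 -j CONNMARK --set-mark $SLOW_MARK"
}

# HTB on the LAN-facing interface: class 1:10 is the fast default, 1:20 the slow
# class; the fw filter sends packets carrying SLOW_MARK to 1:20.
tc_rules() {
  cat <<EOF
tc qdisc add dev $LAN_IF root handle 1: htb default 10
tc class add dev $LAN_IF parent 1: classid 1:1 htb rate 20mbit ceil 20mbit
tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate 19mbit ceil 20mbit
tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate 512kbit ceil 1mbit
tc filter add dev $LAN_IF parent 1: protocol ip prio 1 handle $SLOW_MARK fw flowid 1:20
EOF
}

# Full rule set in the order it must be applied.
build_rules() {
  connmark_restore_rule
  connbytes_rule "$THRESHOLD_MB"
  connlimit_rule "$MAX_CONN"
  tc_rules
}

if [ "${1:-}" = "--apply" ]; then
  build_rules | while IFS= read -r cmd; do $cmd; done
else
  build_rules
fi
```

Run without arguments to review the generated rules; run as root with `--apply` to install them. Because the mangle rules act on every forwarded packet, a connection that crosses the threshold is slowed for the rest of its life regardless of protocol, which is exactly the blunt behaviour the post describes: a long HTTPS download is treated the same as a torrent.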
The business traveler downloading a presentation just before the big meeting is going to be upset. No way to distinguish legitimate downloads, though. Sounds like your ISP is pushing their problem onto you.
I agree - it is a blunt solution - a compromise. I am hoping that by setting the threshold reasonably high - something like 20MB or 30MB - most legitimate uses will not be affected.
As to the ISP, it appears to be the general situation in the UK at the moment. The copyright holders identify infringing IP addresses and send cease and desist letters to ISPs - who in turn send warning letters and threats of disconnection to their customers. I don't know what the exact legal situation and implications are though - and who is technically responsible for what when it comes down to the letter of the law. Or even if it has been decided in a court of law, in a test case, yet.
I am looking more for some comments on the technical side of things - if the way I am going about things is likely to slow p2p downloads down or not?
Damn shame the way ordinary folk are made to be enforcers of law.
I remember getting a ticket for allowing an open container once way back. Brother drank a beer and I got a ticket.
I also remember managing, or helping to manage, properties with many tenants before I left that horrible country. I pushed plausible deniability to the highest art form. I was blinder than a deaf bat. Mr. Magoo incarnate. Tenants were very lucky to have me.
Can I ask you if you really believe in the laws you're enforcing?
Have you actually verified that the materials being downloaded are copyrighted?
Do you believe private citizens should be encouraged to audit each other's net usage?
The best answer is to leave such an environment, but few do, so let me offer you the next most merciful option in this fight that I doubt is yours anyway.
"Plausible deniability". Under Amerikan law, nothing will save your * like the mastering of this simple concept. Wrap it about you as a cloak.
If you have customers, treat them as such.
Last time someone bottle-necked me, he found his modems locked and in the "wrong" language. You will probably create problems for yourself.
I suggest that if you really do believe in and want to be a part of bringing law and order of full copyright protection to your community, that you plainly and largely display a public notice of the ban on all P2P along with advisements on your monitoring program to ensure the people's obedience on the wall next to the keys so they may know what they're renting.
This would be honest. Your problem would be solved as such people would just not go there. You don't need the money, right?
Stay out of it. Run the WIFI. Are you that bored? Watch Mr. Magoo. Learn something.
Another option is to set up a proxy server that only allows HTTP and SSL connections. The majority of services nowadays use SSL and HTTP, mostly for web pages. If you use eMule or BitTorrent you will for sure use HTTP or even SSL for downloading the torrent or for signaling, but afterwards you will need some torrent- or eMule-specific protocol on some random port. So if you drop all the traffic and just limit HTTP and SSL through a good proxy, you will probably reduce the problem a lot. However, there are always exceptions in some cases.
Quote:
Another option is to set up a proxy server that only allows HTTP and SSL connections.
I could be wrong, but I believe you can't set up a transparent https proxy (one which intercepts https requests and forces them through the proxy). Even if you do, most modern browsers will not like it, or will be able to circumvent it. And rightly so, as the whole point of https is to secure the connection end to end. Also, being a network to be used by the guests of the hotel, you can't ask them to change their proxy settings in their browsers manually. Besides, there are plenty of other legitimate protocols below 1024 which are needed - imap, smtp 587, pop3, ftp - and the list goes on.
I didn't realise that Snort can do p2p detection. I'll have to look into it. However, I wonder if Snort can do anything about encrypted p2p connections - as the packets can't be analysed?
No updates allowed? Lots of distros unavailable as well. Slackware users will just have to go to an e-cafe after already having paid for a room with "wifi" to download. I even set up a way to share all my family's genealogical info on a private torrent so the whole family can have easy access. Why would you block such things? What are you thinking?
If you are still advertising as having free wifi, you may be liable. No better than selling a burger and giving a bun with mayo and lettuce.
What you are supplying will no longer be a WIFI connection but a browser-only connection. Make new signs that reflect this and include it in your advertising. Be honest about what you are selling. Anything else is straight thievery.
"Do what thou wilt", but inform people. You believe in what you're doing, don't you? Why hide it then? Again, be honest to your customers. Those who don't share your politics are not wanted there.
As you don't value or want these sorts of people, they would just turn around at the door and you wouldn't even have to talk to them. There used to be lots of signs like "no blacks" and "no hippies" and the like.
Your method will bait them with false promises of access, bringing anger, and a certain percentage of these will act out, and your property is an easy target. It's too easy to cost you a lot of money. Why would you look for a fight?
A strictly defensive strategy in any engagement will eventually lose. There is no winning scenario for you doing this.
Lastly, torrenters are reading this now and have whole other forums with advice and tutorials on getting around even the most extreme filtering though they'd much prefer to just go where they can have a real connection and a landlord not on some kind of misguided moral(?) quest.
Please keep the blocking to your own children in your own home. You've every right there. Room renters are seldom looking for a new "daddy". Please just set up the WIFI. That's all your customers want.
Quote:
Originally Posted by xj25vm
I maintain a wifi network for guests at a hotel, made up of several wifi AP's and a Linux server as a gateway. Recently we've had an increasing number of downloads of copyrighted material through p2p, to the point where our ISP is threatening to close the connection if we don't do something.
Ask the ISP if it would be satisfied with you maintaining a continuously-updated list of banned sites in your IP tables. If it is satisfied, then just ban the sites and keep the ban list updated. If guests complain, explain the situation: block the illegal downloads or get totally cut off.
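One way to keep a "continuously-updated list of banned sites" in the gateway's firewall, as an added example that is not part of the original post: the list lives in a plain text file, is loaded into an ipset and matched by a single iptables rule, so refreshing the list never means rewriting the rule set. The set name "banned", the REJECT rule on FORWARD and the sample addresses (taken from documentation ranges, not real hosts) are assumptions. The part a practitioner would want is the validation: every entry is checked to be an IPv4 address or CIDR prefix before it is turned into a command, since the list is data from outside and the commands run as root.

```shell
#!/bin/sh
# Added example (not from the thread): load a maintained list of banned destinations
# into an ipset and match it from iptables, validating every entry first so a bad line
# in the list file can never become part of a command run as root. The addresses in
# SAMPLE_LIST are constructed from documentation ranges, not real hosts; the set name
# "banned" and the REJECT rule on FORWARD are assumptions. Without --apply the script
# prints the commands; with --apply (as root) it runs them.

SET_NAME="banned"

# Constructed sample list: comments and blank lines are ignored, and one entry is
# deliberately invalid to show it being dropped rather than executed.
SAMPLE_LIST='# constructed test data
203.0.113.5
198.51.100.0/24

not-an-address; echo injected'

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
  addr="${1%/*}"
  pfx="${1#*/}"
  [ "$pfx" = "$1" ] && pfx=32                    # no slash: single host
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$addr" in ''|*[!0-9.]*) return 1 ;; esac  # digits and dots only, so splitting is safe
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Read list entries from stdin and emit the commands: build the new set beside the live
# one, then swap atomically so the running firewall never sees a half-loaded set.
blocklist_rules() {
  echo "ipset create $SET_NAME hash:net -exist"
  echo "ipset create ${SET_NAME}_new hash:net -exist"
  echo "ipset flush ${SET_NAME}_new"
  while IFS= read -r line; do
    line="${line%%#*}"                            # strip trailing comments
    line="$(printf '%s' "$line" | tr -d ' \t')"   # and whitespace
    [ -n "$line" ] || continue
    if is_ipv4_cidr "$line"; then
      echo "ipset add ${SET_NAME}_new $line -exist"
    else
      echo "skipping invalid entry: $line" >&2
    fi
  done
  echo "ipset swap ${SET_NAME}_new $SET_NAME"
  echo "ipset destroy ${SET_NAME}_new"
  # Install the matching rule once; -C checks whether it is already present.
  echo "iptables -C FORWARD -m set --match-set $SET_NAME dst -j REJECT 2>/dev/null || iptables -I FORWARD -m set --match-set $SET_NAME dst -j REJECT"
}

if [ "${1:-}" = "--apply" ]; then
  printf '%s\n' "$SAMPLE_LIST" | blocklist_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
  printf '%s\n' "$SAMPLE_LIST" | blocklist_rules
fi
```

In real use the list would be read from a file (for example `blocklist_rules < /etc/banned.list`) from a cron job, and the swap step is what makes the refresh safe: the old set stays in force until the new one is complete. Note that this only blocks destinations by address; as the thread's later posts point out, it does nothing against peers on arbitrary addresses and ports.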
Quote:
Ask the ISP if it would be satisfied with you maintaining a continuously-updated list of banned sites in your IP tables.
My opinion is that the ISP jurisdiction ends where private property begins, and this user has a right to block whatever he wants on his internal network.
There's no way for one to legally enforce firewall rules on equipment which one does not own, hence the ISP is no factor here unless they own networking equipment which hosts the firewall.
Dropping your personal firewall because the ISP doesn't like it is kinda like sending your guard dog to an animal shelter due to the mailman not feeling comfortable around him.