I'm trying to block a messenger called QQ or QQ International; it's a Chinese messenger. I'm using a very simple router that can only block by URL or IP. Since this messenger, having its default ports blocked, uses the http/https ports as a last resort, blocking its ports doesn't really do the job.
On the official website there wasn't any information about where it connects (what server I should block), but after some googling around I found some IPs, and that it connects to servers sz.tencent.com and sz[2-9].tencent.com.
Every time I blocked one IP from one of those servers, it ended up changing again the next time I tried it (using ping to test whether it was blocked or not). So I just blocked the whole range of IPs from those providers; they are Chinese providers and nobody uses them, so there is no problem in that.
I blocked the IPs by doing a whois on the IP returned after pinging the above written URLs, and blocking the range returned. E.g.
So I would block the IPs of the range from 219.128.0.0 to 219.137.255.255.
Done that on the sz.tencent.com and all the sz[2-9].tencent.com servers, ping returns 100% packet loss on all the servers. So at least I'm sure all those servers are blocked.
Shouldn't this work? Because for some reason QQ messenger still connects...
If anyone knows this messenger and has some information on how to block it, it would be greatly appreciated.
Try netstat; you can see exactly where QQ is sending these packets, then add those IPs to the blacklist and boom, no more QQ.
Thanks for the advice. But QQ is not running from my computer, just from another computer on the same LAN. And all the computers in the LAN are connected to a "cheap" router.
netstat only shows the ports open on the computer it is running on, right? And my router doesn't have any netstat-like tool, that's why I had to google around looking for those IPs.
Yeah, if anyone has done as above ---blocked the IPs got with netstat---, I'd really like to get them... Other advice is welcome as well.
Netstat gives you something better (the domain name); all you need to do is blacklist that domain name (if your router supports it).
OK, I got a computer with Windows. Installed QQ just so I could use netstat there and find out what IPs to block.
On the Windows computer, I did
Code:
netstat -ao 5
and logged in with qq.
I looked for the PID of QQ (1620), and there were some lines like this:
Code:
Proto  Local Address   Foreign Address               State        PID
TCP    NOTEBOOK:1062   reverse.gdsz.cncnet.net:http  ESTABLISHED  1620
UDP    NOTEBOOK:1063   *:*                                        1620
UDP    NOTEBOOK:4005   *:*                                        1620
I obviously thought the url, reverse.gdsz.cncnet.net, had something to do with the process of logging in. So I blocked the address in my router.
I logged out, and logged in again. And it had no problems connecting...
I tried blocking the UDP and TCP ports from 1000 to 1100, as well as the UDP ports from 4000 to 4100. And every time I try to log in again, another port gets used like UDP 4005 (previous session) to 4006 (after logging out previous session, current session). I thought blocking the UDP ports 4000-4100 would solve this, but apparently it didn't.
Somehow, QQ is still able to log in.
If I block the http port in my router, it gets blocked. And I tried pinging the URL above, and it said unknown host. So I guess the router does correctly block URLs and the ports I tell it to. I really have no idea what to do next...
I thought there might be another program for the function of logging in, but I don't seem to find it, so I guess not.
Maybe my usage of netstat is wrong and it's not showing me the information I need or something? I really can't believe after blocking its ports and everything it still gets connected.
Sorry for all the blank spaces. They occurred while cutting & pasting somehow.
Do they use a tun server service that you haven't blocked?
Installing the program yourself and monitoring your own traffic may provide more clues.
You could add IP addresses to block on your computer's own firewall, and retry connections.
You could use netstat in the continuous mode to record traffic continuously.
;; ANSWER SECTION:
sz.tencent.com. 2891 IN A 219.133.60.26
sz.tencent.com. 2891 IN A 219.133.60.27
sz.tencent.com. 2891 IN A 219.133.60.172
sz.tencent.com. 2891 IN A 219.133.62.4
sz.tencent.com. 2891 IN A 219.133.49.47
sz.tencent.com. 2891 IN A 219.133.49.163
sz.tencent.com. 2891 IN A 219.133.49.169
sz.tencent.com. 2891 IN A 219.133.49.170
sz.tencent.com. 2891 IN A 219.133.49.171
sz.tencent.com. 2891 IN A 219.133.49.173
sz.tencent.com. 2891 IN A 219.133.51.251
sz.tencent.com. 2891 IN A 219.133.60.18
sz.tencent.com. 2891 IN A 219.133.60.19
sz.tencent.com. 2891 IN A 219.133.60.20
sz.tencent.com. 2891 IN A 219.133.60.21
sz.tencent.com. 2891 IN A 219.133.60.22
sz.tencent.com. 2891 IN A 219.133.60.23
sz.tencent.com. 2891 IN A 219.133.60.24
sz.tencent.com. 2891 IN A 219.133.60.25
Thanks for the IPs. But as I already posted above, I already blocked all the IPs within the range 219.128.0.0 - 219.137.255.255, which includes all the IPs listed there. I already made sure it can't connect anywhere, anyhow to a sz.tencent.com server...
It's connecting to reverse.gdsz.cncnet.net through the http port, and when the URL is blocked in the router it shouldn't connect. However I found out by restarting qq a couple of times, that it keeps connecting there somehow.
I did a whois on gdsz.cncnet.net (reverse.gdsz.cncnet.net wouldn't return anything) on this site http://www.robtex.com/dns/gdsz.cncnet.net.html and got these IPs: 221.4.64.0/19 221.4.8.0/22 221.4.64.0/19, blocked them too. But still get the ESTABLISHED state on netstat when I restart the program... maybe this is likely to be the problem?
Anyone has any idea of how it keeps connecting there? / What may I be doing wrong?
I hadn't read every IP in my list (out of laziness) because there were so many.
I did update my post with more IPs. Some of the tcpconnect*. domains may have different numbers.
Thank you very much for the IPs! Do you have QQ blocked in your computer/router?
I had already some of them blocked, but there were a lot of them which I hadn't.
Blocking these IPs: 119.144.0.0/14, 121.14.0.0/17, 208.69.36.0/24, 219.133.48.0/18, 58.248.0.0/13, 58.56.0.0/13 should have the same effect as blocking all the IPs you gave me (I block some more, but just for the simplicity).
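An added example, not code from any poster in the thread: it audits a per-process connection capture against the CIDR blocklist quoted above, and converts the whois range from the first post (219.128.0.0 to 219.137.255.255) into CIDR blocks. The capture is constructed in numeric `netstat -ano` form; the local address 192.168.1.20, PID 980 and the remote 203.0.113.7 are made-up values, and the function names are this example's own.

```python
import ipaddress

# CIDR blocks quoted in the thread. strict=False normalises an entry whose
# host bits are set: 219.133.48.0/18 is stored as 219.133.0.0/18.
BLOCKLIST = [ipaddress.ip_network(c, strict=False) for c in (
    "119.144.0.0/14", "121.14.0.0/17", "208.69.36.0/24",
    "219.133.48.0/18", "58.248.0.0/13", "58.56.0.0/13")]

# Constructed capture in numeric `netstat -ano` form. Local address, PID 980
# and 203.0.113.7 (a documentation address) are made up for the example.
SAMPLE = """\
  Proto  Local Address       Foreign Address      State        PID
  TCP    192.168.1.20:1062   219.133.60.26:80     ESTABLISHED  1620
  TCP    192.168.1.20:1070   203.0.113.7:443      ESTABLISHED  1620
  TCP    192.168.1.20:1071   219.133.49.47:80     TIME_WAIT    980
  UDP    192.168.1.20:4005   *:*                               1620
"""

def remote_ips(netstat_text, pid):
    """Remote addresses of the sockets owned by pid (numeric output only)."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields; UDP rows have four (no State column).
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[-1] != str(pid):
            continue
        host = fields[2].rsplit(":", 1)[0].strip("[]")
        if host == "*":  # unconnected UDP socket: no remote end to block
            continue
        found.append(ipaddress.ip_address(host))
    return found

def uncovered(ips, blocklist):
    """Addresses that no blocklist entry matches."""
    return [ip for ip in ips if not any(ip in net for net in blocklist)]

def range_to_cidrs(first, last):
    """CIDR blocks that exactly cover a whois-style first-last range."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

if __name__ == "__main__":
    for ip in uncovered(remote_ips(SAMPLE, 1620), BLOCKLIST):
        print("not covered by blocklist:", ip)
    print(range_to_cidrs("219.128.0.0", "219.137.255.255"))
```

On a real capture, use `netstat -ano` so the foreign addresses are numeric; a name shown without `-n` is the reverse-DNS name of the remote IP, which need not be the name the client resolved.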
Quote:
Originally Posted by rikijpn
all the computers in the LAN are connected to a "cheap" router.
Blocking IP addresses isn't, this is your main problem: you're trying to turn the router into something it isn't, namely a versatile, configurable firewall.
Quote:
Originally Posted by rikijpn
Other advice is welcome as well.
So how about using a GNU/Linux, .*BSD or whatever else *way* more configurable machine as router instead? That way you could more easily define a policy blocking traffic using iptables rules plus an IDS for catching traffic that doesn't "play nice" like the QQ IM. There are multiple firewall distributions to choose from in case you do not want to build it from the ground up.
Thanks for the advice.
Yes, I realize using a Linux machine as a router would be a lot easier for this task. The thing is, I already have a router. And blocking a messenger isn't supposed to be such a hard task (so I thought^^, kinda wrong).
In order to use my Linux machine as a router too, I'd have to buy another LAN card. Besides the fact that it would cost me money, I'd prefer not to use my main computer as a router, not only for security reasons, but simply because it's very loud, and I have to shut it down at night, which is not the idea.
Well, if it really can't be done, I'd like to know so. But it sounds pretty logical to me that blocking where it connects, a messenger should be correctly blocked.
The problem with IP blacklisting your way is that it is maintenance-intensive and it will always be incomplete unless you know its methods for "phoning home". While I prefer the GNU/Linux side of things for reasons of stability, performance, versatility and security, I understand perfectly well that money can be an issue. While incursions into mcrsft territory are not my thing, if you have physical access to said mcrsft machine or if you can push policies its way you could resort to installing a SW firewall locally, preferably one with lockable admin settings, that denies outbound connections based on executable specs.