LinuxQuestions.org
Old 10-27-2003, 02:18 AM   #1
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

monitoring and/or blocking yahoo messenger at firewall


Hi a little help over here please :P

I am setting up a new firewall and boss has requested that ideally Yahoo Messenger is monitored and if that doesn't help or is hard to do then we block it. But looking through all the documents it appears to me that Yahoo have designed it very well (well for them, bad for me).

I can block out default ports (5000, 5001, 5050, 5100) which includes the file transfer and webcam ports too... BUT if Yahoo doesn't work it seems to go through other ports... 80 for example and if not ANY OTHER AVAILABLE PORT!

I have not actually built up and tested this as we are in the R&D part of the project (a complete office Microsoft to Linux migration) but I want to be sure that it's doable.

I know that ICQ, MSN, AOL and IRC are ok to block through ports.

Anyone got any ideas? Maybe blocking an IP address range (if yahoo uses a unique one)???

It is preferred though that this is monitored, so while I want to know how to block if need be, I would really like to know how to monitor use on those ports (of course harder again because it will use any port available). Any suggestions??

Chris
 
Old 10-27-2003, 09:06 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Here's an LQ search for block yahoo messenger.
About logging. All traffic will be coming from wetware-controlled boxen, (you didn't mix human LAN and server DMZ, right?) so there's your source range. Next all traffic is watched by protocol. http://help.yahoo.com/help/us/mesg/twin/twin-15.html tells us YIM uses TCP (HTTP) and UDP, so there's your protocols. The page also shows you the ports. YIM contacts a fixed set of hubs, so there's the destination range.
Only thing to do now is I. restrict traffic by blocking YIM file transfer and video (preserve bandwidth), deny outgoing proxy traffic and II. "sniff" or distinguish different (application layer, right?) protocols like HTTP, SMTP by filtering packet contents and log only the ones YIM uses. Snort should be capable of doing this and flexible enough to also use it to block traffic if necessary. Here are some rules I ripped off the 'net as an example:


alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)


There are scripts to convert Snort rules to Netfilter rules, but IMHO that would not be as flexible as using Snort and would come with a performance penalty as well. Of course you can set up Iptables rules with LOG targets for the destination ranges/IPs, ports and protocol, but that won't be (IMHO) as detailed as using Snort.
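
An added example, not part of either post and not Snort's own code: a minimal Python sketch of the content-matching idea behind the quoted rules, applied on every port so a client that falls back from the default ports is still logged. The `Flow` record, the function names and all sample payloads are constructed for illustration; direction is ignored and only the rules' `content:` strings are used.

```python
# Added example: port-independent matching on the content strings used by the
# Snort rules quoted above. All flows below are constructed sample data.
from dataclasses import dataclass

DEFAULT_YIM_PORTS = {5000, 5001, 5050, 5100}  # ports named in the first post

# (label, byte strings that must all be present), taken from the rules' content: options
SIGNATURES = [
    ("yim-login", (b"domain=.yahoo.com", b"YMSG")),
    ("yim-file-transfer", (b"FILEXFER", b"YMSG")),
]


@dataclass
class Flow:  # hypothetical record for one observed TCP connection
    client: str
    server: str
    server_port: int
    payload: bytes  # reassembled application data, either direction


def classify(flow):
    """Return labels of every signature whose strings all occur in the payload."""
    return [label for label, needles in SIGNATURES
            if all(n in flow.payload for n in needles)]


def report(flows):
    """Return (client, server, port, label, on_default_port) for matching flows."""
    hits = []
    for f in flows:
        for label in classify(f):
            hits.append((f.client, f.server, f.server_port, label,
                         f.server_port in DEFAULT_YIM_PORTS))
    return hits


# Constructed payloads, not captured traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 5050, b"YMSG....domain=.yahoo.com; path=/"),
    Flow("192.0.2.11", "198.51.100.5", 80, b"POST / HTTP/1.0\r\n\r\nYMSG....FILEXFER"),
    Flow("192.0.2.12", "198.51.100.9", 8081, b"YMSG....domain=.yahoo.com"),
    Flow("192.0.2.13", "203.0.113.7", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in report(SAMPLE_FLOWS):
        print(hit)
```

The last field of each hit separates sessions on the default ports from ones that moved to port 80 or another port, which is the case a port-only firewall rule misses.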
 
  

