LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-03-2004, 04:43 AM   #1
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Hopster menace


Current setup:

RH9 all patches current
iptables set to deny all direct traffic out except to a select few
squid with acls to allow only http(s)/ftp, more acls to allow access to msn/yahoo.

Problem:

Some users have installed hopster and are able to connect to messenger servers even if they are not listed under the "chat access" acls.

Here is some information on what hopster does.

I have tried in vain to block traffic using iptables. I tried INPUT filter on traffic coming in from port 1863 (for example), under the assumption that the messenger server has to reply to hopster requests. I have tried blocking FORWARDs again, based on source port 1863 on the external interface.

My last resort (administrative) is to invoke the rule that no unauthorized software be installed on the systems.

Does anyone have ideas on how I can block hopster (and other similar SOCKS-based tunnelling applications) from tunnelling out?
 
Old 08-03-2004, 01:32 PM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Have you tried the following:
- Blocking access to the Hopster servers
- Adding a username/password authentication to your proxy
- Publishing traffic reports based on source/destination

People are less likely to skirt company policy when they have to put their name next to where they go...
 
Old 08-03-2004, 11:17 PM   #3
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 50
I have tried blocking the hopster servers, even banned the word hopster. That only benefits the users in that they do not get the hopster advertisements :P.

Access to the squid proxy is restricted based on MAC address. We also know the users who are using this software. And our corporate policy does allow us to remove such software from the user systems.

I just want a way to block such traffic, that is, if it is possible ... I believe it is, trying to figure out how.
 
Old 08-04-2004, 08:24 AM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Check your squid logs for requests from the Hopster users, then block the outside SOCKS servers. Over time you can eliminate all of the outside Hopster servers that the client connects to.
 
Old 08-05-2004, 05:02 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 50
Stickman, the proxy logs (we use Sawmill) come up with nought. Hopster does not use any external servers. It initiates an HTTP request with the gateway proxy server. Once a connection is established, it tunnels all requests as HTTP requests. The poor proxy server will assume it is valid HTTP traffic and allow it to pass into the external world.

Check this page - towards the end you will find some explanation about what hopster does.
http://www.hackingspirits.com/eth-ha...s-fw-sock.html

I thought that although hopster fools the proxy server by making it believe that the traffic is just HTTP, the return traffic from the chat servers can be filtered / blocked. I have not had much success with this ... although I am still pursuing this idea.

Last edited by ppuru; 08-05-2004 at 05:04 AM.
 
Old 08-05-2004, 08:38 AM   #6
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Yes, Hopster does tunnel the traffic to look like a regular HTTP request, but it sends it to a SOCKS server (Step 3 on the info page you recommend). Block those servers.
 
Old 08-05-2004, 09:14 AM   #7
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Original Poster
Rep: Reputation: 50
Thanks for bringing that to my notice stickman (thanks for helping me tunnel through my "assumption" filters ). I was under the impression that this Socks Proxy Server is the client itself ... Will sniff that external socks server first thing tomorrow morning.

Update:-
Managed to block hopster traffic. Hopster first connects to an external server using https. I have been able to detect just one IP. I am not sure whether hopster uses just a single external server. Keeping a watch for IPs of other external partners of hopster. I am not sure whether.

Well we have been able to squash this problem both administratively and technically. Other similar software found in use is proxycap.

Last edited by ppuru; 08-06-2004 at 04:38 AM.
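Posts #4 to #7 converge on the same defensive workflow: the tunnel rides on the proxy's CONNECT method, so the proxy log is where it shows up, and the external endpoints it reaches are what you end up blocking. The script below is an added example written for this thread, not code from the original posters or from squid; it parses a few constructed lines in squid's native access.log layout (timestamp, elapsed milliseconds, client, status, bytes, method, URL) and flags CONNECT requests that do not look like ordinary browser HTTPS: a destination port outside an allowed set, an IP literal instead of a hostname, or a tunnel held open for a long time. The allowed-port set, the ten-minute threshold and the sample addresses are assumptions chosen for illustration.

```python
"""Flag CONNECT tunnels in a squid access.log that do not look like ordinary HTTPS.

Added example for this thread; the log lines below are constructed, not real traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in squid's native access.log format:
# timestamp elapsed_ms client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1091527200.001     120 192.168.1.10 TCP_MISS/200 4512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1091527210.500    2300 192.168.1.10 TCP_MISS/200 8900 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1091527220.000  600000 192.168.1.20 TCP_MISS/200 1200000 CONNECT 203.0.113.5:1080 - DIRECT/203.0.113.5 -
1091527230.000 1800000 192.168.1.20 TCP_MISS/200 5400000 CONNECT 203.0.113.5:443 - DIRECT/203.0.113.5 -
1091527240.000       5 192.168.1.30 TCP_DENIED/403 1200 CONNECT 198.51.100.7:1863 - NONE/- text/html
"""

ALLOWED_CONNECT_PORTS = {443}          # assumption: only real HTTPS may be tunnelled
LONG_TUNNEL_MS = 10 * 60 * 1000        # assumption: a CONNECT open > 10 min deserves a look

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the leading fields of one native-format squid line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def split_connect_target(url):
    """CONNECT targets are host:port; return (host, port) with port as int or None."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_ip_literal(host):
    """True when the CONNECT destination is a bare address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze(log_text):
    """Return one finding per CONNECT that squid allowed and that looks unlike browser HTTPS."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if rec["status"].startswith("TCP_DENIED"):
            continue  # squid already refused it, so nothing was tunnelled
        host, port = split_connect_target(rec["url"])
        reasons = []
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append(f"port {port} is not an allowed CONNECT port")
        if is_ip_literal(host):
            reasons.append("destination is an IP literal, not a hostname")
        if rec["elapsed"] > LONG_TUNNEL_MS:
            reasons.append(f"tunnel held open for {rec['elapsed'] // 60000} min")
        if reasons:
            findings.append({"client": rec["client"], "host": host, "port": port,
                             "bytes": rec["bytes"], "reasons": reasons})
    return findings


def destinations_to_block(findings):
    """Aggregate bytes per flagged destination, heaviest first: the candidate block list."""
    by_dest = defaultdict(int)
    for f in findings:
        by_dest[f["host"]] += f["bytes"]
    return sorted(by_dest.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} -> {f['host']}:{f['port']} ({f['bytes']} bytes): " + "; ".join(f["reasons"]))
    print("block candidates:", destinations_to_block(SAMPLE_LOG and found))
```

Run against the constructed sample, the ordinary GET and the short CONNECT to a hostname on 443 pass silently, the denied request is ignored, and both tunnels to 203.0.113.5 are flagged (one on a SOCKS-style port, one on 443 but to a bare address and held open for half an hour), giving a single destination to add to the proxy's deny list. On a live box the same functions read the real access.log; the port set and time threshold should be tuned to what the site's legitimate HTTPS traffic actually looks like, since a long CONNECT on 443 by itself is not proof of tunnelling.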
 
Old 12-13-2004, 08:25 PM   #8
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 47

Rep: Reputation: 16
Quote:
Originally posted by ppuru
Thanks for bringing that to my notice stickman (thanks for helping me tunnel through my "assumption" filters ). I was under the impression that this Socks Proxy Server is the client itself ... Will sniff that external socks server first thing tomorrow morning.

Update:-
Managed to block hopster traffic. Hopster first connects to an external server using https. I have been able to detect just one IP. I am not sure whether hopster uses just a single external server. Keeping a watch for IPs of other external partners of hopster. I am not sure whether.

Well we have been able to squash this problem both administratively and technically. Other similar software found in use is proxycap.

So... Have you blocked hopster?