Linux - Security (LinuxQuestions.org forum)
RH9 all patches current
iptables set to deny all direct traffic out except to a select few
squid with acls to allow only http(s)/ftp, more acls to allow access to msn/yahoo.
Problem:
Some users have installed hopster and are able to connect to messenger servers even if they are not listed under the "chat access" acls.
I have tried in vain to block traffic using iptables. I tried INPUT filter on traffic coming in from port 1863 (for example), under the assumption that the messenger server has to reply to hopster requests. I have tried blocking FORWARDs again, based on source port 1863 on the external interface.
My last resort (administrative) is to invoke the rule that no unauthorized software be installed on the systems.
Does anyone have ideas on how I can block hopster (and other similar SOCKS-based tunneling applications) from tunnelling out?
Have you tried the following:
- Blocking access to the Hopster servers
- Adding a username/password authentication to your proxy
- Publishing traffic reports based on source/destination
People are less likely to skirt company policy when they have to put their name next to where they go...
I have tried blocking the hopster servers, even banned the word hopster. That only benefits the users in that they do not get the hopster advertisements :P.
Access to the squid proxy is restricted based on MAC address. We also know the users who are using this software. And our corporate policy does allow us to remove such software from the user systems.
I just want a way to block such traffic, that is, if it is possible ... I believe it is, trying to figure out how.
Check your squid logs for requests from the Hopster users, then block the outside SOCKS servers. Over time you can eliminate all of the outside Hopster servers that the client connects to.
Stickman, the proxy logs (we use sawmill) come up with nought. Hopster does not use any external servers. It initiates an HTTP request with the gateway proxy server. Once a connection is established, it tunnels all requests as HTTP requests. The poor proxy server will assume it is valid HTTP traffic and allows it to pass into the external world.
I thought that although hopster fools the proxy server by making it believe that the traffic is just HTTP, the return traffic from the chat servers can be filtered / blocked. I have not had much success with this ... although I am still pursuing this idea.
Yes, Hopster does tunnel the traffic to look like a regular HTTP request, but it sends it to a SOCKS server (Step 3 on the info page you recommend). Block those servers.
Thanks for bringing that to my notice stickman (thanks for helping me tunnel through my "assumption" filters ). I was under the impression that this Socks Proxy Server is the client itself ... Will sniff that external socks server first thing tomorrow morning.
Update:-
Managed to block hopster traffic. Hopster first connects to an external server using https. I have been able to detect just one IP. I am not sure whether hopster uses just a single external server. Keeping a watch for IPs of other external partners of hopster. I am not sure whether.
Well we have been able to squash this problem both administratively and technically. Other similar software found in use is proxycap.
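The tunnel the thread describes (a CONNECT through the gateway proxy to an outside relay, held open and used for chat) leaves a recognisable trace in squid's access.log, which is where the relay IP was eventually found. The script below is an added example, not code from anyone in this thread: it parses constructed native-format squid log lines, flags established CONNECT tunnels that are long-lived, high-volume, to a non-443 port, or to a bare IP, and emits the destination hosts as a list for a squid `dst` ACL. The sample lines, IPs and thresholds are all assumptions.

```python
import re

# Constructed sample in squid's native access.log format (not real traffic):
# timestamp elapsed_ms client action/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1100000000.101    120 10.0.0.21 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/198.51.100.10 text/html
1100000001.302   9000 10.0.0.21 TCP_MISS/200 8192 CONNECT mail.example.com:443 - DIRECT/198.51.100.20 -
1100000002.500 640000 10.0.0.33 TCP_MISS/200 2097152 CONNECT 203.0.113.5:443 - DIRECT/203.0.113.5 -
1100000003.700   3000 10.0.0.33 TCP_MISS/200 400 CONNECT 203.0.113.7:1080 - DIRECT/203.0.113.7 -
1100000004.900    200 10.0.0.40 TCP_DENIED/403 1200 CONNECT 203.0.113.5:443 - NONE/- text/html
"""
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
                     r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
BARE_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_squid_lines(text):
    """Yield a dict per well-formed native-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["elapsed"], rec["bytes"] = int(rec["elapsed"]), int(rec["bytes"])
            yield rec

def find_suspicious_tunnels(text, ssl_ports=(443,), max_elapsed_ms=300_000, max_bytes=1_000_000):
    """Flag established CONNECT tunnels that do not look like ordinary TLS browsing.
    The thresholds are assumed starting points; tune them against your own baseline."""
    flagged = []
    for rec in parse_squid_lines(text):
        if rec["method"] != "CONNECT" or not rec["action"].endswith("/200"):
            continue  # only tunnels squid actually opened matter; denied ones are already handled
        host, _, port = rec["url"].rpartition(":")
        reasons = []
        if not (port.isdigit() and int(port) in ssl_ports):
            reasons.append("non-ssl-port")   # e.g. a SOCKS relay listening on 1080
        if rec["elapsed"] > max_elapsed_ms:
            reasons.append("long-lived")     # one CONNECT held open for minutes, not a page load
        if rec["bytes"] > max_bytes:
            reasons.append("high-volume")
        if BARE_IP_RE.fullmatch(host):
            reasons.append("bare-ip-dest")   # legitimate TLS sites are nearly always named
        if reasons:
            flagged.append({"client": rec["client"], "dest": rec["url"], "host": host, "reasons": reasons})
    return flagged

def destinations_to_block(flagged):
    """Distinct destination hosts from flagged tunnels, one per entry for a squid 'dst' ACL file."""
    return sorted({rec["host"] for rec in flagged})
```

The host list can be written to a file referenced by `acl hopster_relays dst "/etc/squid/hopster_relays.txt"` followed by `http_access deny hopster_relays`; the stock squid rule `http_access deny CONNECT !SSL_ports` already refuses the non-443 case before it is ever logged as a tunnel.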