LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-18-2003, 08:40 AM   #1
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Rep: Reputation: 0
Spyware/Malware Content filtering?


My goal is to basically save people from themselves.....

I've set up a solid iptables firewall with NAT; my next problem is spyware/malware/porn dialers, etc. The problem comes in with the users. They're all various Windows based machines using IE (this is something I can't change or I would have them on Firebird) and its wonderful ability to help them install these wonderful programs.

Upping browser security levels won't work (another set of problems we won't go into) and as I've said changing the browser is out of the question.


In theory you'd be able to filter these things (using squid maybe??) but I haven't been able to find any information about people attempting this. Granted you'd never be able to catch them ALL, but even a few on a silent proxy filtering service would help these poor people. My question is if anyone has information about people trying this. Google searches on the subject don't point me in the right direction unfortunately.

Thanks in advance
 
Old 12-18-2003, 09:53 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Try installing something like "Spybot - Search and Destroy" on the Windows clients. It's a pretty decent tool for detecting, removing, and blocking these types of things. You might also consider putting in a proxy like squid or privoxy to help out.
 
Old 12-18-2003, 10:17 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I think the first step would be "educating" your users, if you're in the position to do that of course. I mean, pr0n dialers don't sneak in tru reading the news or Googling around.

Next to that you should look at coverage for different "popular" infection vectors. Web traffic is one, email, P2P and IRC are other variants. I agree having workstation AV and malware scanning should be mandatory.

If you decide on using Privoxy, post rule or filter questions in Linux - Newbie or Linux - General; I've gotten quite used to making them. Also, there are some sites out there that make pretty good blocklists in all sorts of formats. Make sure you LOG and block unwanted inbound and outbound traffic at the firewall, and force web traffic tru the proxy. Next you will want signalling caps for when all hell breaks loose: add an IDS like Snort.
 
Old 12-18-2003, 10:31 AM   #4
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Original Poster
Rep: Reputation: 0
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO. The average person wouldn't know which reg entries to delete, keep, etc. Besides, let's be realistic. The average joe won't run the things until it's too late. Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.

Unfortunately educating people won't work either, trust me. I've tried this already; heck, getting people to understand the concept of malware/spyware alone made me feel like I was explaining nuclear physics to a rat terrier.

I'm planning on doing privoxy (man I love that thing) as well, that's going to be a fine tuning nightmare.

I was just curious if anybody had seen a few blocking setups or the like. I suppose I could write them manually, but assumed this was a road already trodden. I may be oversimplifying it but this just seems to me to be something more people would want. Email spam isn't anything compared to these "official" looking ActiveX programs that people are unwittingly installing on their PCs. The average public doesn't understand why their "PC is running real slow lately" while 4 proggies are in the background playing swap the homepage.

Suppose I'll build a '98 box and start looking at these things on purpose (shudder).
 
Old 12-18-2003, 01:22 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by Kaashar
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO.
No, that SW ain't bad. It's the wetware :-]


Quote:
Originally posted by Kaashar
The average joe won't run the things until it's too late.
AV runs in the background, right?


Quote:
Originally posted by Kaashar
Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.
Usually I don't suggest this, and I don't know your setup, but if you're into, uhhh, buying stuff, you could settle for the stuff they use in schools? You know, the "uncrackable" stuff that restores the system to a pristine state when rebooted? Except for them infecting remote hosts and the central fileserver, you'll lose all local problems at once.


Quote:
Originally posted by Kaashar
I'm planning on doing privoxy (man I love that thing) as well, that's going to be a fine tuning nightmare.
Also don't forget to get on the Privoxy mailing list. Lots of helpful ppl there.


Quote:
Originally posted by Kaashar
I was just curious if anybody had seen a few blocking setups or the like.
If you Google for "blocklist privoxy" I'm sure you'll find a lot of resources like http://pgl.yoyo.org/adservers/ , http://www.riverofdata.com/tools/blacklist.txt , http://www.unixhub.com/block.html ,
http://home.earthlink.net/~briankass/adshield/ , http://www.spamanti.net/rogues.txt .
Some are old, but if you crosscheck lists I guess it's a good start on the domain part.
I haven't seen scripting against BHOs since that's MICROS~1 territory, but if it's retrievable by the browser it shouldn't pose problems to build filters.


Quote:
Originally posted by Kaashar
Email spam isn't anything compared to these "official" looking ActiveX programs that people are unwittingly installing on their PCs.
I don't see why you should differentiate between BHOs, SMTP-selfpropagating "goodies" or "plain" viruses, ranking one higher than the other: they're all bad. I think letting down your guard thinking some are "less worse" than the other would be like enforcing strong passwords on Linux but letting users log in tru telnet.


//WTF? Why am I discussing measures protecting MICROS~1 boxen?..
 
Old 12-18-2003, 03:18 PM   #6
Kaashar
LQ Newbie
 
Registered: Dec 2003
Posts: 11

Original Poster
Rep: Reputation: 0
Heh thanks Unspawn.

I'd googled the last few days looking for this, and found the aforementioned sites earlier.

My overall goal is to try and protect 5 or 6 different small business DSL connections through an iptables based firewall setup on some inexpensive hardware. I'm planning on layering it on top of the (pathetic) software firewalls that the companies have now. The amount of script kiddie attempts on these businesses has risen to the annoying level lately.

Some of these businesses are using the built-in NAT of the DSL modems, others have crap like wingate (YECH).

I figure I can set up one of the smaller distros, configure PPPoE, iptables, Privoxy, Squid, DHCP, etc. into decent little "first line defense" boxen. Granted I'm not going for "DOD" style protection here, but adding a layer to try and keep things down to a mild roar for them. One has to balance things in between user-friendly and security Gestapo.

With Privoxy blocking the known dubious cookies and its built-in pop-up protection I'd gotten the idea into my head that perhaps it's possible to make a "signature" of some of the more common agents. I'm not planning on blocking them all (of course) but just *try* and save them from themselves.

Quote:
Originally posted by unSpawn
//WTF? Why am I discussing measures protecting MICROS~1 boxen?..

Heh, because unfortunately some of us still have to deal with the things. I honestly wish I could at the minimum talk them all into switching over to Firebird. It alone would solve 90% of the problems I have with these people.

I've gotten everything else done but this. I'll sit down this weekend I suppose and investigate it further. I'm now at the point I think I could set up the blocking once I nail down the installers.

Quote:
Originally posted by unSpawn
I don't see why you should differentiate between BHO's, SMTP-selfpropagating "goodies" or "plain" viruses higher as the other: they're all bad. I think letting down your guard thinking some are "less worse" than the other would be like enforcing strong passwords on Linux but letting users log in tru telnet.

A little off topic... but it's an interesting comment....

It's a matter of importance to the customer and how much it impedes them. Email spam can be silently ignored (if not filtered). Not being able to get onto the 'net because of a winsock replacement due to malware isn't so easy.

Deleting a few "penis enlargement" emails doesn't take near as long as getting C2.lop off a PC no matter how you look at it.

It falls back to the old security/usability adage. I figure if I can silently filter out even 5% of the malware installers that's better than either breaking their business software by switching browsers or breaking other stuff by disabling all ActiveX.

Besides, I love doing all this at the entry point with Linux. It's just too darn much fun.
 
Old 12-18-2003, 03:45 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Well, one of the first steps you could take to prevent malware/spyware from being able to "phone home" is to block all outbound ports by default, and only allow those that you need. You can redirect all outbound connections to port 80 or 443 to your Squid proxy (I assume this is possible using iptables) so that no matter how traffic tries to egress the network, as long as it's heading for an http(s) port, it will go to the proxy (no client changes, either).

You might also consider looking into Hogwash or Snortsam to provide active defense against intrusions.

Personally, I like the idea of default deny any traffic crossing the firewall. It's a great way to save users from themselves. BTW you should be able to accomplish this on an inline firewall using a bridge when sitting behind already NAT'd devices (to avoid double-NAT).
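The default-deny outbound firewall with a transparent Squid redirect that chort describes, as an added example that is not part of the thread (the interface names eth1/ppp0, Squid listening on 3128 and the list of allowed outbound ports are assumptions; the script prints the rules for review and only applies them when run with "apply"):

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny outbound ruleset with
# LAN port-80 traffic transparently redirected to a local Squid and everything
# else that tries to leave logged, then dropped. Interface names, proxy port
# and allowed ports are assumptions; adjust them for the box.
LAN_IF=${LAN_IF:-eth1}                      # assumed inside interface
WAN_IF=${WAN_IF:-ppp0}                      # assumed PPPoE uplink
PROXY_PORT=${PROXY_PORT:-3128}              # Squid's default listen port
ALLOWED_TCP=${ALLOWED_TCP:-"25 110 443"}    # outbound ports allowed unproxied

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed (or diffed against the last one) before it is applied.
gen_rules() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Replies to connections we already allowed, and loopback.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Transparent proxy: LAN traffic to any remote port 80 lands on Squid,
    # with no client-side proxy setting for malware to read or bypass.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT"
    # Only the firewall itself (Squid and its resolver) talks out on the uplink.
    echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    # NAT for the LAN, but forward only the explicitly allowed ports.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
    # Everything else a LAN host tries to send out is logged (rate-limited)
    # and dropped: a box knocking on odd ports is the "phone home" signal.
    echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"FW-OUT-DENY: \""
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

apply_rules() {
    gen_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

HTTPS is forwarded rather than redirected because a plain Squid cannot transparently proxy TLS; the log prefix is what to grep for in syslog to spot a client that is trying to reach ports it was never allowed.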
 
Old 12-19-2003, 08:06 AM   #8
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by Kaashar
Putting spybot/adaware/hijack this! on the client PCs would be "a bad thing(tm)" IMHO. The average person wouldn't know which reg entries to delete, keep, etc. Besides, let's be realistic. The average joe won't run the things until it's too late. Trust me, it's easier to reinstall the OS than try slugging it out with 30 or 40 different malware proggies running in the background.
I don't understand why adding another helpful tool is "a bad thing" as you put it. Spybot is not complex or difficult to use, and the immunize feature will prevent downloads of common malware. Given that malware developers are employing new tricks (i.e. like reading IE's proxy settings) to get around firewalls and proxies, it's best to prevent them from being installed. If you had a virus on your network, would you clean it or just prevent it from spreading to other computers not on your network?

In addition, you need to educate your users. You don't need to go into technical details for them to understand the negative effects that malware can have. Users understand that when corporate data is leaked it puts their company in a vulnerable position. Reinstalling an OS may be the quicker way to get a computer back to a pristine state, but it isn't going to fix the damage that has been done. It's hard to make private data private again when it has been seen by an untrusted third party.

Personally I like adding multiple layers of protection wherever possible just in case.

Last edited by stickman; 12-19-2003 at 08:09 AM.
 
Old 03-25-2005, 09:33 AM   #9
despujols
LQ Newbie
 
Registered: Mar 2005
Location: boston
Posts: 1

Rep: Reputation: 0
An easy, simple, solution you look for?

What about using this hosts file? But not on each host. Couldn't you use it at the firewall??

http://www.mvps.org/winhelp2002/hosts.htm


What do you think??
 
Old 03-29-2005, 02:40 AM   #10
johnnydangerous
Member
 
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Ad-Watch from Lavasoft has an automatic mode.
 
Old 03-29-2005, 02:49 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Re: An easy, simple, solution you look for?

Quote:
Originally posted by despujols
What about using this hosts file? But not on each host. Couldn't you use it at the firewall??

http://www.mvps.org/winhelp2002/hosts.htm


What do you think??
yeah, you can use any of the thousands of host files available on the web... just install a dns daemon on the firewall and configure the machines on the lan to use the firewall as their dns server... that way the firewall's /etc/hosts file will affect the entire lan...

http://thekelleys.org.uk/dnsmasq/doc.html
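The firewall-side DNS blocklist win32sux describes, as an added example that is not part of the thread: a script that merges hosts-format lists such as the mvps.org one into dnsmasq sinkhole entries, so every LAN box using the firewall as its DNS server resolves the listed names to 0.0.0.0 (the file paths in the usage comment are assumptions).

```shell
#!/bin/sh
# Added example, not from the thread: turn hosts-format blocklists
# ("0.0.0.0 ad.example.com", the mvps.org style) into a dnsmasq sinkhole
# file. File paths in the usage comment at the bottom are assumptions.

# Print the blocked hostnames from one or more hosts files: drop CRLF line
# endings (the mvps file is a Windows file) and comments, lower-case, skip
# the loopback entries every hosts file carries, and keep only well-formed
# hostnames so a stray line cannot end up in the dnsmasq config.
blocked_names() {
    cat "$@" | tr -d '\r' | sed 's/#.*//' | tr 'A-Z' 'a-z' |
    awk 'NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                h = $i
                if (h == "localhost" || h == "localhost.localdomain") continue
                if (h ~ /^[0-9.]+$/) continue   # "0.0.0.0 0.0.0.0" style entries
                if (h ~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/)
                    print h
            }
        }' | sort -u
}

# Emit dnsmasq "address=/name/0.0.0.0" lines. Unlike a plain /etc/hosts
# entry this also answers for every subdomain of the listed name. Names that
# appear in several lists collapse to one line, so cross-checked lists can
# simply be passed together.
dnsmasq_sinkhole() {
    blocked_names "$@" | sed 's#^#address=/#; s#$#/0.0.0.0#'
}

# Usage (assumed paths): write the config, then restart dnsmasq so the new
# file in its conf-dir is read.
#   dnsmasq_sinkhole /etc/blocklists/*.txt > /etc/dnsmasq.d/sinkhole.conf
```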
 
Old 03-29-2005, 10:57 PM   #12
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
for cases like this, i recommend doing the filtering on the server as the primary solution.

http://www.privoxy.org is ok. you can also try http://dansguardian.org/ ; it's free for non-commercial use.
 
Old 03-30-2005, 12:06 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by born4linux
you can also try http://dansguardian.org/ ; it's free for non-commercial use.
i wanted to ask you guys about this "free for non-commercial use" thing... i mean, take a look at this (from the DG page):
Quote:
DansGuardian 2 is:

* free for non-commercial use
* not free for installation by 3rd parties charging for installation or support
* not free for commercial use
* licensed under the GPL
* copyright Daniel Barron
* is a registered trade mark of Daniel Barron
complete license info here: http://dansguardian.org/?page=copyright2

i'm confused by the conditions the author places upon dansguardian...

is there really no conflict between his conditions and the GPL license??

i mean, it's supposed to be "GPL software" but if i install it at my friend's cybercafe and charge him a couple bucks for the installation i'm violating the license?? it doesn't make sense to me... could someone please explain how someone can place so many restrictions on something with a GPL license??
 
Old 03-31-2005, 12:33 AM   #14
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
take a look at the preamble of the GPL. also, the GPL itself does say that a program author may add limitations to the program even if it is distributed under the GPL.
ah, why am i explaining this?
 
Old 03-31-2005, 01:40 AM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by born4linux
take a look at the preamble of the GPL. also, the GPL itself does say that a program author may add limitations to the program even if it is distributed under the GPL.
ah, why am i explaining this?
really? could you show me where it says that? what limitations does it say can be added? i read through the license and couldn't find anything mentioning these optional limitations you speak of... AFAIK, you can't make your own modifications to the GPL and still call it the "GPL"... it just doesn't work that way...

i was indeed wondering how this "free for non-commercial" BS could be for real when dansguardian is in debian trees and debian is known for being the most FREE (as in FREEDOM) distro on the planet... it makes no sense that a GPL app couldn't be used commercially...

on the DG page i found this which sorta sums-up the situation:

Quote:
So, if Debian puts DG on their website, they have to restrict downloads to non commercial users, right?

No, not right. Once you have a copy of a GPL app, no one can put any (non-GPL) restrictions on it - not even me the author. I can ask people to pay for downloading DG, but once its left this site it is under the GPL which means it is free (as in freedom) and free (as in beer - provided they want to give it away for free).

GPL means GPL which means no restrictions can be imposed on redistribution so the Debian would treat it as any other GPL app. Of course, should a commercial user want to upgrade his copy of DG he got with Debian by downloading from my site, he would have to pay unless he waited for Debian to release their version.
so YES, i can apt-get dansguardian at my friend's COMMERCIAL cybercafe and charge

<Dr. Evil voice> ONE MEEEEEEEELLION DOLLARS </Dr. Evil voice>

and i wouldn't be violating any licenses...

what that DG guy tries to do is get people to pay for downloading the software from his site - which is fine by the GPL... i just hate how he tries so hard to obfuscate the whole license issue... i don't think you need to use those kinda tactics to make money with GPL software - even if the tactics are totally legit...


Last edited by win32sux; 03-31-2005 at 06:42 AM.
 
  

