EFW Support

Support => General Support => Topic started by: chapyo on Thursday 11 March 2010, 02:45:12 am



Title: Software problem with ultrasurf
Post by: chapyo on Thursday 11 March 2010, 02:45:12 am
Hi, first, my English is not very good.
I have the version "Endian Firewall Community release 2.2" with the content proxy enabled, but there is a program called Ultrasurf with which users get around my page blocking.
With this program Ultrasurf completely bypasses the proxy.
How can I avoid this problem?
Thanks


Title: Re: Sotware problem with ultrasurf
Post by: whoiam55 on Thursday 11 March 2010, 04:40:28 am
Ultrasurf is hard to block at the Endian level because it sends data using SSL. What type of setup do you have? You could try blocking it by the hash of the executable in the registry.


Title: Re: Sotware problem with ultrasurf
Post by: chapyo on Thursday 11 March 2010, 10:47:01 am
Hi, thanks for the answer. What I need is a way to block it without having to completely close port 443.
I cannot lock down the program locally on all the computers that are using it.
Thanks


Title: Re: Sotware problem with ultrasurf
Post by: hinge on Thursday 11 March 2010, 02:30:14 pm
Hi! That is also my problem on my network >:( .. I hope there is a way to block that kind of program.. >:( And are there other programs like this? ???


Title: Re: Sotware problem with ultrasurf
Post by: whoiam55 on Thursday 11 March 2010, 04:02:16 pm
Quote: What I need is a way to block it without having to completely close port 443.

There is no other way. 443 is SSL, and proxies are pretty much blind when it comes to SSL; that's what it is meant for. So you don't have much of an option except doing a man-in-the-middle attack and performing layer 7 filtering on the packets.


Title: Re: Sotware problem with ultrasurf
Post by: chapyo on Friday 12 March 2010, 02:11:30 am
Hi, how do I do packet filtering at layer 7?
I'm not a Linux expert and this seems complicated.
Thanks


Title: Re: Sotware problem with ultrasurf
Post by: Steve on Friday 12 March 2010, 03:01:47 pm
If Ultrasurf uses SSL (port 443) it may be easier to deny all HTTPS sites (using Squid) and set up an HTTPS allowed list.

The number of HTTPS sites you are likely to want to access would be very small, and your HTTPS allowed list would not be too difficult to maintain.

Just an idea ....


Title: Re: Sotware problem with ultrasurf
Post by: whoiam55 on Friday 12 March 2010, 08:30:53 pm
Quote: Just an idea ....

Nice idea :)


Title: Re: Sotware problem with ultrasurf
Post by: Steve on Friday 12 March 2010, 11:31:05 pm
I made some modifications, and it works fine. Ultrasurf is blocked.

Here's how to do it.

(1) First, set up your content filtering the way you want.
(2) Enable the HTTP proxy.
(3) Enable the Outgoing Firewall, disable Green to Red on TCP port 80 and disable Green to Red on TCP port 443 (this will prevent bypassing the proxy).

(4) Edit the file: /etc/squid/squid.conf.tmpl

Search for the line:
http_access deny    CONNECT !allowed_sslports

Replace with:
# MOD - ONLY ALLOW ACCESS TO TRUSTED HTTPS SITES
acl allowed_ssldomains dstdom_regex -i "/etc/squid/acls/dst_allowssl.acl"
http_access deny    from_green !allowed_ssldomains allowed_sslports
http_access deny    CONNECT !allowed_ssldomains !allowed_sslports
http_access deny    CONNECT !allowed_sslports


(5) Create a new file called dst_allowssl.acl with the following contents:
.ebay.com
.ebaystatic.com
.paypal.com
.paypalobjects.com
.paypal-education.com
.paypal-business.com
.verisign.com
.google.com

Copy this file to /etc/squid/acls/


(6) Restart the HTTP proxy (you can reboot if you like).



Notes:
The file /etc/squid/acls/dst_allowssl.acl contains the list of domains you allow HTTP(SSL) connections to.
You will need to add to or modify this file to suit your needs; I've just added some domains for testing purposes.


Title: Re: Sotware problem with ultrasurf
Post by: chapyo on Sunday 14 March 2010, 12:16:01 am
Hello, thanks Steve for your notes, but doing exactly what you posted I cannot browse any site, even those that are within dst_allowssl.acl.
What I need is for users to be able to surf all sites except those expressly denied.
Doing what you propose, it is true that Ultrasurf connects, but I cannot browse any website.
Thanks


Title: Re: Sotware problem with ultrasurf
Post by: Steve on Sunday 14 March 2010, 03:16:04 am
If you are using v2.3 it works.
Only domains listed in the dst_allowssl.acl file can connect via the SSL ports; all others are blocked.

If you can't browse anything it's probably the way you have your proxy set.
Take a few steps back. Turn your content filtering off.
Set the HTTP proxy to transparent and make sure you use "Automatically Detect Settings" in your browser.

You will have to stop/start your proxy so the /etc/squid/squid.conf file gets updated from the template file.


See how you go.


Title: Re: Sotware problem with ultrasurf
Post by: Steve on Sunday 14 March 2010, 03:38:52 am
Quote: Hello, thanks Steve for your notes, but doing exactly what you posted I cannot browse any site, even those that are within dst_allowssl.acl.
What I need is for users to be able to surf all sites except those expressly denied.
Doing what you propose, it is true that Ultrasurf connects, but I cannot browse any website.
Thanks

That logic won't work with Ultrasurf.
Ultrasurf has access to thousands of secure sites and talks to them over port 443.
This list keeps changing and growing every day; keeping such a list up to date is impossible.

The logic I used is to ALLOW ONLY TRUSTED SITES to use the secure ports.
In your office or school environment this number will be very small (PayPal, eBay, banks ...).
If a user wants access to a particular secure site, all you have to do is add it to the list of trusted sites.



Title: Re: Sotware problem with ultrasurf
Post by: serkanp on Thursday 18 March 2010, 11:25:17 pm
I'm using Endian 2.3.
I blocked port 443 in Firewall Outgoing, Green > Red.
The port 443 blocking and dst_allowssl.acl are not working.

What is the problem?


Title: Re: Sotware problem with ultrasurf
Post by: serkanp on Friday 19 March 2010, 12:46:40 am
This is the new way; I don't know whether it works or not.

acl CONNECT method CONNECT
acl ultra_block  url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT ultra_block  all

But where do I put it into squid.conf.tmpl?
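Both Steve's dst_allowssl.acl allow-list (step 4 of his post above) and serkanp's raw-IP url_regex can be checked offline before touching squid.conf.tmpl. The block below is an added example, not code from the thread, from Endian or from Squid: it re-implements, in Python, the matching rules of Squid's dstdomain and dstdom_regex ACL types as I understand them (an assumption, kept deliberately simple), plus serkanp's regex, and runs a handful of constructed CONNECT targets (the host:port string Squid matches for a CONNECT request; 203.0.113.5 is a documentation address) through the deny order the two posts describe. The names decide, dstdomain_match, dstdom_regex_match and the sample targets are mine. The point it makes that neither post mentions: with dstdom_regex, each line of the file is an unanchored regular expression, so the leading dot in ".paypal.com" is a wildcard that also admits evilpaypal.com and www.paypal.com.attacker.net, while the bare apex paypal.com does not match at all; with dstdomain the same file means "this domain and its subdomains".

```python
import re

# Steve's allow-list file from the thread, in the leading-dot format that
# Squid's dstdomain ACL type reads as "this domain and all its subdomains".
DST_ALLOWSSL = [
    ".ebay.com", ".ebaystatic.com", ".paypal.com", ".paypalobjects.com",
    ".paypal-education.com", ".paypal-business.com", ".verisign.com", ".google.com",
]

# serkanp's url_regex: CONNECT target beginning with a dotted-quad IPv4 literal.
ULTRA_BLOCK = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Squid's default allowed_sslports (assumption: only 443 is listed here).
ALLOWED_SSLPORTS = {443}


def dstdomain_match(entry, host):
    """Squid 'dstdomain' semantics: '.example.com' matches example.com and
    any subdomain; an entry without a leading dot matches that host only."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def dstdom_regex_match(entry, host):
    """Squid 'dstdom_regex -i' semantics: the entry is an unanchored,
    case-insensitive regex, so '.' is a wildcard and '.paypal.com'
    requires some character before 'paypal'."""
    return re.search(entry, host, re.IGNORECASE) is not None


def parse_connect(target):
    """Split the 'host:port' form of a CONNECT request line."""
    host, _, port = target.rpartition(":")
    return host, int(port)


def decide(target, acl_type="dstdomain", block_ip_literals=True):
    """Apply the thread's rules in order: deny CONNECT to raw IPv4 literals
    (serkanp), deny CONNECT to ports outside allowed_sslports, deny CONNECT
    to hosts absent from dst_allowssl.acl (Steve), otherwise allow."""
    host, port = parse_connect(target)
    if block_ip_literals and ULTRA_BLOCK.match(target):
        return "deny"
    if port not in ALLOWED_SSLPORTS:
        return "deny"
    match = dstdomain_match if acl_type == "dstdomain" else dstdom_regex_match
    if not any(match(entry, host) for entry in DST_ALLOWSSL):
        return "deny"
    return "allow"


# Constructed CONNECT targets, not taken from any real log.
SAMPLE_TARGETS = [
    "paypal.com:443",                      # apex of an allowed domain
    "www.paypal.com:443",                  # subdomain of an allowed domain
    "evilpaypal.com:443",                  # look-alike registered elsewhere
    "www.paypal.com.attacker.net:443",     # allowed name as a prefix
    "www.paypal.com:8443",                 # allowed host, non-SSL port
    "203.0.113.5:443",                     # raw IP literal (proxy tools do this)
]


def evaluate_all(acl_type="dstdomain"):
    """Return {target: decision} for every sample under the given ACL type."""
    return {t: decide(t, acl_type=acl_type) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for acl_type in ("dstdomain", "dstdom_regex"):
        print(f"--- {acl_type} ---")
        for target, verdict in evaluate_all(acl_type).items():
            print(f"{verdict:5}  {target}")
```

Run it and compare the two tables: under dstdom_regex the apex paypal.com is denied while evilpaypal.com and www.paypal.com.attacker.net are allowed, which is the opposite of what the allow-list is for. If you adopt Steve's step 4, the fix is to declare the ACL as "acl allowed_ssldomains dstdomain "/etc/squid/acls/dst_allowssl.acl"" and keep the leading-dot entries as they are; serkanp's IP-literal rule is independent of that choice and simply needs to sit before any http_access line that would otherwise allow CONNECT.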