How to block Tor

[Guest]

[hasanmnaqvi]

Hello All,
       I was a very satisfied user of Endian Firewall, till the time I found some of the users in my network easily going through the firewall using Onion Router mechanism Tor.
Is there any way to block its future uses.

Also can anybody tell me how to track the usage of tor and what all data has been compromised using it.

Please reply soon ... the situation here is risky

[gyp_the_cat]

Hi hasanmnaqvi,

I understand your problems

Unfortunatly Tor was created to be able to tunnel through just about whatever ports you open up.  It's a bit like Skype in that regards in thats it's very clever and very, erm "slippery".

I don't believe Endian has the ready made ability to block Tor, and neither do most of the firewalls on the market (both open and closed source).

I've come across two ways of blocking it (and neither I will admit are 100% satsifactory since Tor is a B#@tard).

Gyp

Option 1
Create rules to block access to all the IP addresses.

Since the Tor network is incredibly dynamic it is possible that people can work around it, and you'll have to stay on your toes to be able to block.

You'll either have to create firewall rules to block the following or use hosts.deny.

For a list try:
https://www.dan.me.uk/torlist/
https://www.dan.me.uk/torlist/

Option 2
Use Snort (which is very much beyond me at the level these guys are talking about), have a look at:
https://packetprotector.org/forum/viewtopic.php?id=71

[gyp_the_cat]

Hm, been thinking about this a bit more this afternoon (as you do sat in the office pondering such things), and I've found:

http://archives.seul.org/or/talk/Dec-2008/msg00290.html

Relating to blocking Tor using Squid, simply by disallowing access to numerical IP addresses.

acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all

And I've also found an RBL that contains TOR nodes over at http://efnetrbl.org/ of rbl.efnetrbl.org.

Off topic: the RBL could be great used with Apache for websites hmmm

Will continue having a think, but I was likely quite wrong in that there are things you can do to block Tor not sure how succesful they'd be since I can test it from behind my firewalls unfortunatly.

Thinking could put the Tor list from https://www.dan.me.uk/torlist/ in Proxy - Banned IP Addresses and/or the same list in Proxy - Content Filter - Banned Sites.

Is it worth giving these a try hasanmnaqvi?

[hinge]

hi! i ask Something what is TOR means and you any link about this? thank you..

[gyp_the_cat]

Hi Hinge, have a look at http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29 and http://www.torproject.org/.

[lickfrog]

Tor uses SSH tunneling and could be easily blocked by filtering all ingress SSH traffic (especial over port 80). I must admit though that I've never used Endian so I have no idea how you might actually do this but i would be surprised and very disappointed if Endian does not support traffic filtering of this type...

hi! i ask Something what is TOR means and you any link about this? thank you..

Tor uses a series of nodes to tunnel traffic all over the web and is the perfect tool for near-total anonymity! Because tor uses a type of SSH tunneling to encrypt all network traffic it becomes the perfect attacker/cracker platform for launching any number of nefarious attacks against any organization.

[unassassinable]

I did this using the outbound firewall.  Set rules of what services you want to allow out, and block everything else.  This way you're not explicitly blocking every bad thing...because really, you're never gonna find every bad thing.  New bad things pop up every day, and people find ways to use them.  Doing it this way assumes that if you don't allow it, it's bad, and blocked.

Rich