Topic: Software problem with ultrasurf
chapyo
« on: Thursday 11 March 2010, 02:45:12 am »

Hi, first, my English is not very good.
I have the version "Endian Firewall Community release 2.2" with the content proxy enabled, but there is a program called Ultrasurf with which users avoid the blocking of my pages.
With this program, Ultrasurf, users completely bypass the proxy.
How can I avoid this problem?
Thanks
Logged
whoiam55
« Reply #1 on: Thursday 11 March 2010, 04:40:28 am »

Ultrasurf is hard to block at the Endian level because it sends data using SSL. What type of setup do you have? You could try blocking it by the hash of the executable in the registry.
Logged

सत्यमेव जयते!
chapyo
« Reply #2 on: Thursday 11 March 2010, 10:47:01 am »

Hi, thanks for the answer. What I need is a way to block it without having to completely close port 443.
I cannot lock the program in local mode on all the computers that are using it.
Thanks
Logged
hinge
« Reply #3 on: Thursday 11 March 2010, 02:30:14 pm »

Hi! That is also my problem on my network. I hope there's a way to block that kind of program. And are there any other programs like this?
Logged
whoiam55
« Reply #4 on: Thursday 11 March 2010, 04:02:16 pm »

Quote from chapyo: "I need is a way to block it without having to completely close the port 443."
There is no other way: 443 is SSL, and proxies are pretty much blind when it comes to SSL, and that's what it is meant for. So you don't have much of an option except doing a man-in-the-middle attack and performing layer 7 filtering on the packets.
Logged

सत्यमेव जयते!
chapyo
« Reply #5 on: Friday 12 March 2010, 02:11:30 am »

Hi, how do I do packet filtering at layer 7?
I'm not a Linux expert and this seems complicated.
Thanks
Logged
Steve
« Reply #6 on: Friday 12 March 2010, 03:01:47 pm »

If Ultrasurf uses SSL (port 443), it may be easier to deny all HTTPS sites (using Squid) and set up an HTTPS allowed list.

The number of https sites you are likely to want to access would be very minimal and your HTTPS Allowed list would not be too difficult to maintain.

Just an idea ....
Logged

                          
whoiam55
« Reply #7 on: Friday 12 March 2010, 08:30:53 pm »

Quote from Steve: "Just an idea ...."
Nice idea :)
Logged

सत्यमेव जयते!
Steve
« Reply #8 on: Friday 12 March 2010, 11:31:05 pm »

I made some modifications, and it works fine. Ultrasurf is blocked.

Here's how to do it.

(1) First, set up your content filtering the way you want.
(2) Enable the HTTP proxy.
(3) Enable the Outgoing Firewall, Disable Green to Red on TCP Port 80 and Disable Green to Red on TCP Port 443 (This will prevent bypassing the proxy)

(4) Edit the file: /etc/squid/squid.conf.tmpl

Search for the line:
http_access deny    CONNECT !allowed_sslports

Replace with:
# MOD - ONLY ALLOW ACCESS TO TRUSTED HTTPS SITES
acl allowed_ssldomains dstdom_regex -i "/etc/squid/acls/dst_allowssl.acl"
http_access deny    from_green !allowed_ssldomains allowed_sslports
http_access deny    CONNECT !allowed_ssldomains !allowed_sslports
http_access deny    CONNECT !allowed_sslports


(5) Create a new file called dst_allowssl.acl with the following contents:
.ebay.com
.ebaystatic.com
.paypal.com
.paypalobjects.com
.paypal-education.com
.paypal-business.com
.verisign.com
.google.com

Copy this file to /etc/squid/acls/


(6) Restart the HTTP proxy (you can reboot if you like)



Notes:
The file     /etc/squid/acls/dst_allowssl.acl     contains the list of domains you allow HTTP(SSL) connections to.
You will need to add to or modify this file to suit your needs, I've just added some domains for testing purposes.
Logged

                          
chapyo
« Reply #9 on: Sunday 14 March 2010, 12:16:01 am »

Hello, thanks Steve for your notes, but doing exactly what you put, I cannot browse any site, even those that are within dst_allowssl.acl.
What I need is that users can surf all sites except those expressly denied.
Doing what you propose is true that connects ultrasurf but I cannot browse any website.
Thanks
Logged
Steve
« Reply #10 on: Sunday 14 March 2010, 03:16:04 am »

If you are using v2.3 it works.
Only domains listed in the  dst_allowssl.acl  file can connect via the SSL ports, all others are blocked.

If you can't browse anything it's probably the way you have your proxy set.
Take a few steps back. Turn your content filtering off.
Set the HTTP Proxy to Transparent and make sure you use "Automatically Detect Settings" on your browser.

You will have to stop/start your proxy so the  /etc/squid/squid.conf   file gets updated from the template file.


See how you go.




Logged

                          
Steve
« Reply #11 on: Sunday 14 March 2010, 03:38:52 am »

Quote from chapyo:
"Hello, thanks Steve for your notes, but doing exactly what you put, I cannot browse any site, even those that are within dst_allowssl.acl.
What I need is that users can surf all sites except those expressly denied.
Doing what you propose is true that connects ultrasurf but I cannot browse any website.
Thanks"

That logic won't work with Ultrasurf.
Ultrasurf has access to thousands of secure sites and talks to them over port 443.
This list keeps changing and growing every day; keeping it up to date is impossible.

The logic I used is to ALLOW ONLY TRUSTED SITES to use secure ports.
In your office or school environment this number will be very small. (Paypal, eBay, Banks ...)
If a user wants access to a particular secure site all you have to do is add it to the list of trusted sites.

Logged

                          
serkanp
« Reply #12 on: Thursday 18 March 2010, 11:25:17 pm »

I'm using Endian 2.3
Block 443 port Firewall Outgoing... Green > RED
443 port blocking and dst_allowssl.acl not working

What is the problem?
Logged
serkanp
« Reply #13 on: Friday 19 March 2010, 12:46:40 am »

This is the new way; I don't know whether it is working or not.

acl CONNECT method CONNECT
acl ultra_block  url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT ultra_block  all

But where do I put it in squid.conf.tmpl?

Logged
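Added example (not part of any post in this thread, and not Endian's or Squid's own code): a Python dry run of the two rules discussed above, Steve's dst_allowssl.acl loaded as dstdom_regex in Reply #8 and serkanp's IP-literal pattern in Reply #13, replayed over CONNECT lines from a Squid access.log so you can see what would be blocked before enabling the policy. The log lines and host names are constructed, Python's re module stands in for Squid's regex engine, the order of the two checks is an assumption, and anchored() is a hypothetical helper showing a stricter form of each entry.

```python
import re

# Entries from the post's dst_allowssl.acl (shortened). The post loads them with
# "acl allowed_ssldomains dstdom_regex -i", so each line is an unanchored regex.
ALLOW_ENTRIES = [".ebay.com", ".paypal.com", ".verisign.com", ".google.com"]

# serkanp's ultra_block pattern: a CONNECT target that starts with an IPv4 literal.
IP_LITERAL = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed access.log lines in Squid's native format (documentation addresses).
SAMPLE_LOG = """\
1268400001.100 250 192.168.0.10 TCP_MISS/200 3500 CONNECT www.paypal.com:443 - DIRECT/203.0.113.10 -
1268400002.200 90 192.168.0.11 TCP_MISS/200 900 CONNECT 198.51.100.77:443 - DIRECT/198.51.100.77 -
1268400003.300 120 192.168.0.12 TCP_MISS/200 1200 CONNECT mail.example.org:443 - DIRECT/203.0.113.20 -
1268400004.400 80 192.168.0.10 TCP_MISS/200 700 GET http://www.example.org/ - DIRECT/203.0.113.21 text/html
1268400005.500 60 192.168.0.13 TCP_MISS/200 800 CONNECT shop.ebay-com.example.net:443 - DIRECT/203.0.113.30 -
"""

def anchored(entry):
    """Turn '.ebay.com' into a regex matching only ebay.com and its subdomains."""
    return r"(^|\.)" + re.escape(entry.lstrip(".")) + "$"

def decide(target, patterns):
    """Return the verdict the combined rules would give one CONNECT host:port."""
    host = target.rsplit(":", 1)[0]
    if IP_LITERAL.match(target):
        return "deny-ip-literal"
    if any(re.search(p, host, re.I) for p in patterns):
        return "allow"
    return "deny-not-listed"

def dry_run(log_text, patterns):
    """Map each CONNECT target in the log to its verdict; other methods are skipped."""
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(fields) >= 7 and fields[5] == "CONNECT":
            verdicts[fields[6]] = decide(fields[6], patterns)
    return verdicts

if __name__ == "__main__":
    for name, pats in (("as posted", ALLOW_ENTRIES),
                       ("anchored", [anchored(e) for e in ALLOW_ENTRIES])):
        print(name, dry_run(SAMPLE_LOG, pats))
```

The "deny-not-listed" hosts from a replay of your real log are the candidates to review for the trusted list. Entries that give different verdicts between the two runs are ones where the unanchored regex admits more than the listed domain.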