RE: [suse-security] Blocking Kazaa and other P2P communication tools.
Hmm. If that is so, setting Kazaa to use well-known ports, then that's a problem. But my experience is that you can talk endlessly with users; you will always have someone ignoring what's said. Even written policies are ignored. It's effective if you have honest users, I agree.

-KEH

-----Original Message-----
From: Johannes Bretscher [mailto:bretscher@5sl.org]
Sent: Tuesday, August 19, 2003 3:29 PM
To: Knut Erik Hauslo
Cc: suse-security@suse.com
Subject: Re: [suse-security] Blocking Kazaa and other P2P communication tools.

On Tue, Aug 19, 2003 at 03:17:10PM +0200, Knut Erik Hauslo wrote:
> Use a sniffer and watch which ports are being used. I cannot tell you which ports, because the corporate firewall that I manage is not SuSE's Firewall2, but I have only defined which ports to accept outbound (SMTP, HTTP(S), etc.) and Kazaa does not work here.

The problem is that these programs can change ports. Even well-known ports like 80, 443, 25, etc. may be used. I don't know if Kazaa can do this, but I have seen programs speaking perfect HTTP over port 80 that are in no other way related to the WWW.

> Not very useful maybe, but talking with users to have them stop using Kazaa is, I think, more complicated.

It may be the only effective way.

> -KEH

Greetings, Johannes
-- 
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
Forgive me if I'm being a bit stupid here, because my brain is nested six levels deep in something else right now, but is it not possible to block outgoing requests to Kazaa? If nobody can request anything, Kazaa is not likely to send anything back, is it?

Best regards... Fred

Knut Erik Hauslo wrote:
> Hmm. If that is so, setting Kazaa to use well-known ports, then that's a problem. But my experience is that you can talk endlessly with users; you will always have someone ignoring what's said. Even written policies are ignored. It's effective if you have honest users, I agree.
>
> -KEH
>
> -----Original Message-----
> From: Johannes Bretscher [mailto:bretscher@5sl.org]
> Sent: Tuesday, August 19, 2003 3:29 PM
> To: Knut Erik Hauslo
> Cc: suse-security@suse.com
> Subject: Re: [suse-security] Blocking Kazaa and other P2P communication tools.
>
> On Tue, Aug 19, 2003 at 03:17:10PM +0200, Knut Erik Hauslo wrote:
> > Use a sniffer and watch which ports are being used. I cannot tell you which ports, because the corporate firewall that I manage is not SuSE's Firewall2, but I have only defined which ports to accept outbound (SMTP, HTTP(S), etc.) and Kazaa does not work here.
>
> The problem is that these programs can change ports. Even well-known ports like 80, 443, 25, etc. may be used. I don't know if Kazaa can do this, but I have seen programs speaking perfect HTTP over port 80 that are in no other way related to the WWW.
>
> > Not very useful maybe, but talking with users to have them stop using Kazaa is, I think, more complicated.
>
> It may be the only effective way.
>
> > -KEH
>
> Greetings, Johannes
On Tue, Aug 19, 2003 at 02:57:33PM +0100, Fred Merritt wrote:
> Forgive me if I'm being a bit stupid here, because my brain is nested six levels deep in something else right now, but is it not possible to block outgoing requests to Kazaa? If nobody can request anything, Kazaa is not likely to send anything back, is it?

There is not one single Kazaa server. There are several of them and they use several ports. You would have to maintain a blacklist, and as I said before this always means being one step behind.

> Best regards... Fred

Greetings, Johannes
-- 
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
On Tuesday 19 August 2003 10:57 am, Fred Merritt wrote:
> Forgive me if I'm being a bit stupid here, because my brain is nested six levels deep in something else right now, but is it not possible to block outgoing requests to Kazaa? If nobody can request anything, Kazaa is not likely to send anything back, is it?

Aha, you just reminded me of the string matching module. A bit of Googling returned this:

  iptables -m string --string "X-Kazaa-Username:" -j DROP
  iptables -m string --string "X-Kazaa-Network:" -j DROP
  iptables -m string --string "X-Kazaa-IP:" -j DROP
  iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP

-- 
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On Tuesday 19 Aug 2003 15:29, James Oakley wrote:
> Aha, you just reminded me of the string matching module. A bit of Googling returned this:
>
>   iptables -m string --string "X-Kazaa-Username:" -j DROP
>   iptables -m string --string "X-Kazaa-Network:" -j DROP
>   iptables -m string --string "X-Kazaa-IP:" -j DROP
>   iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP

How efficient is that? Does it hit throughput badly? Is the firewall looking inside every packet, scanning for those 4 strings? Would it take out other packets, like your email, which happened to contain the strings in them?

Rob
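The filters this thread argues about, as an added example that is not code from any of the posts: Johannes's outbound port allowlist (SMTP, HTTP(S) only), which a client "speaking perfect http over port 80" walks straight through; James's four X-Kazaa-* strings matched the way iptables' string match does it, anywhere in a packet's payload; and the same strings matched only as header names of a parsed HTTP request, which is what it takes to leave Rob's hypothetical e-mail alone. The X-Kazaa-* header names are the ones from the thread; every address, hostname, header value, packet and function name below is made up for the example.

```python
"""Offline model of the two ways of spotting Kazaa that this thread argues about.

Added example, not code from the mailing list. Three filters on constructed
single-segment packets:

  port_allowlist_permits  - outbound port allowlist (SMTP/HTTP/HTTPS only)
  naive_string_match      - like iptables -m string: any of the four
                            X-Kazaa-* strings anywhere in the payload
  http_header_match       - the same strings, but only as header names of a
                            parsed HTTP request; bodies and non-HTTP are ignored

The X-Kazaa-* header names come from the thread; every address, hostname,
header value and packet is made up.
"""
from dataclasses import dataclass

ALLOWED_EGRESS_PORTS = {25, 80, 443}

KAZAA_STRINGS = (
    b"X-Kazaa-Username:",
    b"X-Kazaa-Network:",
    b"X-Kazaa-IP:",
    b"X-Kazaa-SupernodeIP:",
)
# HTTP header names are case-insensitive, so compare them lower-cased.
KAZAA_HEADER_NAMES = {s.rstrip(b":").lower() for s in KAZAA_STRINGS}


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes      # TCP payload of one segment


def port_allowlist_permits(pkt: Packet) -> bool:
    """Outbound filter that looks only at the destination port."""
    return pkt.dst_port in ALLOWED_EGRESS_PORTS


def naive_string_match(pkt: Packet) -> bool:
    """Like iptables -m string: a hit if any pattern occurs anywhere in the segment."""
    return any(s in pkt.payload for s in KAZAA_STRINGS)


def http_header_match(pkt: Packet) -> bool:
    """A hit only if a Kazaa header name sits in a complete HTTP request header block.

    The request line must look like "METHOD TARGET HTTP/x.y" and the header
    block must end with a blank line; the body is never inspected.
    """
    head, terminator, _body = pkt.payload.partition(b"\r\n\r\n")
    if not terminator:
        return False                      # header block not complete in this segment
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return False                      # not an HTTP request at all
    for line in lines[1:]:
        name, colon, _value = line.partition(b":")
        if colon and name.strip().lower() in KAZAA_HEADER_NAMES:
            return True
    return False


# Constructed sample segments (hosts, ports and values are made up).
KAZAA_REQUEST = Packet(80, (
    b"GET /.files HTTP/1.1\r\n"
    b"Host: 192.0.2.10:80\r\n"
    b"X-Kazaa-Username: alice\r\n"
    b"X-Kazaa-Network: KaZaA\r\n"
    b"X-Kazaa-IP: 192.0.2.10:1214\r\n"
    b"X-Kazaa-SupernodeIP: 192.0.2.99:1214\r\n"
    b"\r\n"))
PLAIN_WEB = Packet(80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
# The case Rob asks about: a mail on port 25 whose body quotes the firewall rule.
MAIL_QUOTING_RULE = Packet(25, (
    b"From: rob@example.com\r\n"
    b"Subject: Re: Blocking Kazaa\r\n"
    b"\r\n"
    b'Try: iptables -m string --string "X-Kazaa-Username:" -j DROP\r\n'))
# A segment that ends in the middle of a header name: a per-packet match misses it.
SPLIT_HEADER = Packet(80, b"GET /.files HTTP/1.1\r\nX-Kazaa-User")
# Traffic on a port the allowlist never opened.
ODD_PORT = Packet(1214, b"\x00\x01\x02 not http at all")


def verdicts(pkt: Packet) -> dict:
    """All three filters on one segment, side by side."""
    return {
        "port_allowlist_permits": port_allowlist_permits(pkt),
        "naive_string_match": naive_string_match(pkt),
        "http_header_match": http_header_match(pkt),
    }


if __name__ == "__main__":
    for label, pkt in [("kazaa", KAZAA_REQUEST), ("web", PLAIN_WEB),
                       ("mail", MAIL_QUOTING_RULE), ("split", SPLIT_HEADER),
                       ("odd", ODD_PORT)]:
        print(f"{label:6} {verdicts(pkt)}")
```

Two things the model makes visible: the naive match drops the mail that merely quotes the rule, and both matchers are per-segment, so a header name that straddles two TCP segments (SPLIT_HEADER) is never seen. On a real firewall the string rule should at least be scoped with -p tcp, a --dport and the chain the client traffic actually traverses (FORWARD for a LAN behind the box), so the kernel scans only packets that could match; current iptables also requires an --algo bm or --algo kmp argument on -m string.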
On Tue, 2003-08-19 at 17:33, Robert Davies wrote:
> On Tuesday 19 Aug 2003 15:29, James Oakley wrote:
> > Aha, you just reminded me of the string matching module. A bit of Googling returned this:
> >
> >   iptables -m string --string "X-Kazaa-Username:" -j DROP
> >   iptables -m string --string "X-Kazaa-Network:" -j DROP
> >   iptables -m string --string "X-Kazaa-IP:" -j DROP
> >   iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP
>
> How efficient is that? Does it hit throughput badly? Is the firewall looking inside every packet, scanning for those 4 strings? Would it take out other packets, like your email, which happened to contain the strings in them?

Depends which chain you add it to.

> Rob

-- 
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
On Tuesday 19 Aug 2003 16:47, Ray Leach wrote:
> On Tue, 2003-08-19 at 17:33, Robert Davies wrote:
> > On Tuesday 19 Aug 2003 15:29, James Oakley wrote:
>
> Depends which chain you add it to.

Doesn't that take us back to where we started, struggling to know which servers / ports Kazaa is using?

Rob
You can use this to block your Kazaa, including P2P communication; I am using this rule on my server. This is an HTTP tunneling...

  iptables -A INPUT -s 38.0.0.0/8 -j DROP
  iptables -A FORWARD -s 38.0.0.0/8 -j DROP

Just a thought, maybe you need it...

----- Original Message -----
From: "Robert Davies" <rob_davies@ntlworld.com>
To: "SuSE Security" <suse-security@suse.com>
Sent: Wednesday, August 20, 2003 1:41 AM
Subject: Re: [suse-security] Blocking Kazaa and other P2P communication tools.

On Tuesday 19 Aug 2003 16:47, Ray Leach wrote:
> On Tue, 2003-08-19 at 17:33, Robert Davies wrote:
> > On Tuesday 19 Aug 2003 15:29, James Oakley wrote:
>
> Depends which chain you add it to.

Doesn't that take us back to where we started, struggling to know which servers / ports Kazaa is using?

Rob
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Participants (7): Fred Merritt, James Oakley, Johannes Bretscher, Knut Erik Hauslo, Ray Leach, Robert Davies, Rodel Collado Urani