Saturday, May 26, 2007

firewall-wizards Digest, Vol 13, Issue 13

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: can iptables block incoming http connections from open
proxy servers? (John Mason Jr)
2. Re: HIPS experience (Paul Melson)
3. Re: Best way to block incoming connections from open
httpproxy servers? (White Hat)
4. Re: Best way to block incoming connections from open http
proxy servers? (Jerry Gardner)


----------------------------------------------------------------------

Message: 1
Date: Fri, 25 May 2007 11:21:51 -0400
From: John Mason Jr <john.mason.jr@cox.net>
Subject: Re: [fw-wiz] can iptables block incoming http connections
from open proxy servers?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4656FF0F.608@cox.net>
Content-Type: text/plain; charset=ISO-8859-1

You might look at <http://www.projecthoneypot.org/httpbl.php>

John

White Hat wrote:
> Hi List,
>
> How can I block people from making http connections to an internal
> webserver when they are using open http proxies?
>
> While I think that open http proxies are an excellent tool for surfing
> the web anonymously and I often use them, they also present me with a
> big problem.
>
> I run a small forum, and don't have a good way of keeping users who
> are banned for flaming, not following the rules, and other bad conduct
> on the forums from returning and re-registering new accounts when
> using open http proxies.
>
> The web server is a Gentoo linux box and has packet filtering
> (netfilter code), etc built into the kernel. I have the iptables
> userspace ebuild installed.
>
> At the moment, I've added rules to the proxies chain which is checked
> by the input chain to stop inbound connections from proxy servers
> based on the source ports being used by the remote proxy server.
> However, this does not seem to be working at the moment.
>
> For example.
>
> iptables -N proxies
> iptables -A INPUT -j proxies
> iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP
>
> I also have rules for all of the other common proxy server ports in
> place in the proxies chain.
>
> I'm guessing that this does not work because the source port is randomized.
>
> To test this I configured firefox to use an open http proxy running
> squid on port 3128 and then connected to the remote site with
> wireshark running on the web server.
>
> In the packet dump, the http traffic does not come from or go to port
> 3128. It seems that this port is never used for incoming or outgoing
> source or destination ports.
>
> My next thought is to use the excellent linblock perl script to just
> load lists of IP's of known proxy servers into iptables, and then
> set up a cron job to automate the whole thing every so often, but after
> thinking about this for a bit, I'm wondering how I'm going to keep up
> with the changes. Often times a proxy will be there one day and gone
> the next and another system will replace it. The web server has
> limited amounts of ram, and it would be exhausted after trying to load
> x amount of addresses. Can snort be used to detect incoming
> connections from open http proxy servers? Is there a pre-processor
> that can be turned on to kick off an alert to the alert file?
>
> I'm also having trouble finding an updated proxy list that I can use
> with linblock. One of my favorite sites, bluetack, no longer has
> anyone maintaining the proxy list.
>
> I'm wondering, what's the best way to keep people using proxy servers
> from connecting to the site. Is there a good way to do this without
> having to load thousands of rules to block each particular proxy?
>
> I would greatly appreciate advice on how to handle this situation,
> especially from forum admin types who have experience with this
> problem.
>
> WhiteHat237
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------

Message: 2
Date: Wed, 23 May 2007 16:06:45 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <006d01c79d75$e4496c20$0202fea9@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"

> Not sure if you mean releases of Integrity or releases of Cisco SW. WRT
> Cisco, I just checked our 3020
> and it's still in there. It's running 4.7, rel 10 March 2005.

I was talking about Check Point dropping support for VPN3K from Integrity.
That combo makes Cisco more competitive in the client VPN space; there's
pretty much no good incentive for Cisco to cut off Integrity users.

PaulM


------------------------------

Message: 3
Date: Fri, 25 May 2007 09:58:43 -0700
From: "White Hat" <whitehat237@gmail.com>
Subject: Re: [fw-wiz] Best way to block incoming connections from open
httpproxy servers?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<111367f50705250958y6b5463a3p8dd7ca356c28d62@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

I've actually written a more detailed posting.

Here it is.

Hi List,

How can I block people from making http connections to an internal
webserver when they are using open http proxies?

While I think that open http proxies are an excellent tool for surfing
the web anonymously and I often use them, they also present me with a
big problem.

I run a small forum, and don't have a good way of keeping users who
are banned for flaming, not following the rules, and other bad conduct
on the forums from returning and re-registering new accounts when
using open http proxies.

The web server is a Gentoo linux box and has packet filtering
(netfilter code), etc built into the kernel. I have the iptables
userspace ebuild installed.

At the moment, I've added rules to the proxies chain which is checked
by the input chain to stop inbound connections from proxy servers
based on the source ports being used by the remote proxy server.
However, this does not seem to be working at the moment.

For example.

iptables -N proxies
iptables -A INPUT -j proxies
iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP

I also have rules for all of the other common proxy server ports in
place in the proxies chain.

I'm guessing that this does not work because the source port is randomized.

To test this I configured firefox to use an open http proxy running
squid on port 3128 and then connected to the remote site with
wireshark running on the web server.

In the packet dump, the http traffic does not come from or go to port
3128. It seems that this port is never used for incoming or outgoing
source or destination ports.

My next thought is to use the excellent linblock perl script to just
load lists of IP's of known proxy servers into iptables, and then
set up a cron job to automate the whole thing every so often, but after
thinking about this for a bit, I'm wondering how I'm going to keep up
with the changes. Often times a proxy will be there one day and gone
the next and another system will replace it. The web server has
limited amounts of ram, and it would be exhausted after trying to load
x amount of addresses. Can snort be used to detect incoming
connections from open http proxy servers? Is there a pre-processor
that can be turned on to kick off an alert to the alert file?

I'm also having trouble finding an updated proxy list that I can use
with linblock. One of my favorite sites, bluetack, no longer has
anyone maintaining the proxy list.

I'm wondering, what's the best way to keep people using proxy servers
from connecting to the site. Is there a good way to do this without
having to load thousands of rules to block each particular proxy?

I would greatly appreciate advice on how to handle this situation,
especially from forum admin types who have experience with this
problem.

WhiteHat237

On 5/23/07, lordchariot@embarqmail.com <lordchariot@embarqmail.com> wrote:
>
> Trying to enumerate the bad IP addresses with open proxies is a losing
> battle. I have school kids setting up their own https anonymous proxies to
> get past the school's filtering system. And they are on a DHCP address with
> dynamicDNS which they reset every night so it's different the next day when
> they go to school.
> Way too much maintenance for me.
> There may be some comprehensive lists of proxies out there, but none that I
> find very well-maintained.
>
> Are you trying to prevent external users from anonymizing themselves when
> they hit your site?
> You might be able to do it with a reverse proxy of some sort that looks at
> various characteristics of the request headers and have rules to restrict if
> there are X-Proxy-Via: or are missing a standard User-Agent: headers.
>
> Explain why you are trying to block them and we might have some other ideas.
>
>
> ________________________________
>
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Chris
> Smith
> Sent: Monday, May 21, 2007 17:16
> To: firewall-wizards@listserv.icsalabs.com
> Subject: [fw-wiz] Best way to block incoming connections from open httpproxy
> servers?
>
>
>
> Hi All.
>
>
>
> What's the recommended way to maintain a list of public, open http proxies
> and block them from making inbound connections to an http server with
> iptables?
>
>
>
> I have linblock http://www.dessent.net/linblock/ which I use for a few other
> lists. Is there a regularly updated list out there for open http proxies
> that can be used for this purpose?
>
>
>
> I'm hoping I can retrieve a text file with the IP's every day with a cron
> job and let linblock update an IPTables chain. Perhaps there's a better
> way?
>
>
>
> csmith
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
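The two concrete suggestions in this thread are John Mason's pointer to Project Honey Pot's http:BL (message 1) and lordchariot's idea of a reverse proxy that inspects request headers for proxy-announcing fields or a missing User-Agent (quoted above). The block below is an added example written for this digest, not code from any poster or from Project Honey Pot: it builds the http:BL DNS query name and decodes a 127.x.y.z answer following the http:BL API as publicly documented (query `<key>.<reversed ip>.dnsbl.httpbl.org`, answer `127.<days since last seen>.<threat score>.<visitor type bitmask>`), and it scores a request's headers for proxy indicators. The access key, IP addresses, DNS answers and request headers are all constructed placeholders; `X-Proxy-Via` is the header named in the thread, while `Via`, `X-Forwarded-For` and `Forwarded` are the standard ones a well-behaved proxy adds. No network lookup is performed; the DNS answer is passed in so the example runs offline.

```python
"""Added example for the firewall-wizards thread: http:BL lookup helpers and
HTTP header heuristics for spotting requests that arrive through a proxy.
All sample values are constructed; nothing here is the posters' own code."""
import ipaddress
from typing import Dict, List, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"   # http:BL DNS zone (Project Honey Pot)
HTTPBL_KEY = "abcdefghijkl"        # placeholder: a real key comes from your account

# Headers that an honest forward proxy adds or that betray proxy software.
PROXY_HEADERS = (
    "via",              # RFC 7230, added by HTTP/1.1 intermediaries
    "x-forwarded-for",  # de-facto standard, also added by legitimate CDNs
    "forwarded",        # RFC 7239
    "x-proxy-via",      # the header lordchariot mentions in the thread
    "proxy-connection", # non-standard hop-by-hop header some proxies leak
)


def httpbl_query_name(client_ip: str, access_key: str = HTTPBL_KEY) -> str:
    """Build the DNS name to query for client_ip: key.o4.o3.o2.o1.zone."""
    ip = ipaddress.IPv4Address(client_ip)          # raises on anything else
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer: Optional[str]) -> Dict[str, object]:
    """Decode an http:BL A record; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return {"listed": False}
    first, days, threat, kind = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    types: List[str] = []
    if kind == 0:
        types.append("search engine")   # type 0 is a known search-engine crawler
    if kind & 1:
        types.append("suspicious")
    if kind & 2:
        types.append("harvester")
    if kind & 4:
        types.append("comment spammer")
    return {"listed": True, "days_since_last_seen": days,
            "threat_score": threat, "types": types}


def proxy_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a request looks proxied (empty list = none seen)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    reasons = [f"{name} present" for name in PROXY_HEADERS if name in lowered]
    if not lowered.get("user-agent", "").strip():
        reasons.append("user-agent missing")
    return reasons


def decide(headers: Dict[str, str], httpbl_answer: Optional[str],
           threat_threshold: int = 25) -> str:
    """Combine both signals into allow / challenge / block."""
    bl = decode_httpbl_answer(httpbl_answer)
    if bl["listed"] and bl["threat_score"] >= threat_threshold:
        return "block"
    if proxy_indicators(headers) or bl["listed"]:
        return "challenge"      # e.g. require a CAPTCHA or moderator approval
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a registration request relayed by a squid proxy.
    sample = {"Host": "forum.example", "User-Agent": "Mozilla/5.0",
              "Via": "1.1 proxy.example (squid/2.6)"}
    print(httpbl_query_name("192.0.2.10"))
    print(proxy_indicators(sample))
    print(decide(sample, "127.3.40.6"))
```

The policy is deliberately "challenge" rather than "block" for header-only hits: `X-Forwarded-For` and `Via` are also added by load balancers and CDNs in front of a site, so the check has to run at the outermost hop, before your own infrastructure adds those headers, and anonymizing proxies that strip every header will pass it anyway. The http:BL answer is the stronger signal but it is reputation data, so the threshold and the action taken on it belong in the forum's policy, not in the lookup code.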


------------------------------

Message: 4
Date: Fri, 25 May 2007 08:34:00 -0700
From: "Jerry Gardner" <sodaant@gmail.com>
Subject: Re: [fw-wiz] Best way to block incoming connections from open
http proxy servers?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<981f07df0705250834r230d3a6bt42e8b487f75c2237@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 5/21/07, Chris Smith <csmith@1pointe.com> wrote:
>
>
> What's the recommended way to maintain a list of public, open http proxies
> and block them from making inbound connections to an http server with
> iptables?
>

That's a losing battle you're never going to win.

I may be in the minority here, but I strongly believe that accessing
inappropriate material in a work or educational setting is a social problem,
not a technical one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070525/38cdace7/attachment-0001.html


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 13, Issue 13
************************************************