Hi everyone.

I'm trying to block the Ultrasurf program [1]. At this moment this is not working at all. I read a lot of docs on the internet and tried different ways to do this.

This time I am trying to block Ultrasurf through Shorewall using /etc/shorewall/params.

I will explain everything I do, please feel free to ask.

##########################################
/etc/shorewall/rules

DROP loc net:$IPPROXY TCP -
##########################################
/etc/shorewall/params
IPPROXY
in this I put IPs separated by comma
##########################################

I created a script [2] to search for Ultrasurf, running on a specific machine with no users and a scheduled task running the program every 180 seconds.
I do this because this program uses TCP port number 443 and it's not possible to make any difference between Ultrasurf and Skype or https.

The question is: I found a lot of IPs [3] and blocked them, but I find new IPs every time, and I have two doubts:

1. Will Shorewall support so many IPs? About 5000 different IPs.
2. Some day will I find every IP of this program? This is a known response: never. I know.

I hope some people see this post and don't try the same.

There is another way to block but I don't know how to do it! When the program runs, in tcpdump I see this line

162.128.69.91.53 > 192.168.122.178.1398: [udp sum ok] 2 q: A? qmaigzn.info. 4/0/0 qmaigzn.info. [3m] CNAME 35admq.3wllj9822.qmaigzn.info., 35admq.3wllj9822.qmaigzn.info. [3m] CNAME 35adm.q2pys11up2.qmaigzn.info., 35adm.q2pys11up2.qmaigzn.info. [3m] CNAME 35admq.z979oefjm.qmaigzn.info., 35admq.z979oefjm.qmaigzn.info. [3m] A 206.223.154.230 (139)

which seems to be the way Ultrasurf gets information to get connected again and again and again :P

Any help will be appreciated.

Best regards.

[1] http://ultrasurf.us/
[2] http://pastebin.com/1jhRCJc7
[3] http://pastebin.com/0GXCEGak

--
Emiliano Vazquez | PcCentro S.R.L.
White 1611 | C.P. C1407IJG | C.A.B.A.
Office: +54 (11) 4635-7764
Mobile: 15.6253.7165
Mail: emilianovazquez@gmail.com <emiliano@pccentro.com.ar>
Web: http://www.pccentro.com.ar

On 9/3/2012 1:09 PM, Emiliano Vazquez wrote:
> There is another way to block but I don't know how to do it! When the
> program runs, in tcpdump I see this line
>
> 162.128.69.91.53 > 192.168.122.178.1398: [udp sum ok] 2 q: A? qmaigzn.info. 4/0/0 qmaigzn.info. [3m] CNAME 35admq.3wllj9822.qmaigzn.info., 35admq.3wllj9822.qmaigzn.info. [3m] CNAME 35adm.q2pys11up2.qmaigzn.info., 35adm.q2pys11up2.qmaigzn.info. [3m] CNAME 35admq.z979oefjm.qmaigzn.info., 35admq.z979oefjm.qmaigzn.info. [3m] A 206.223.154.230 (139)
>
> which seems to be the way Ultrasurf gets information to get connected
> again and again and again :P
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

That tcpdump packet is a domain lookup for qmaigzn.info. Looks like the best way to block this is to have the DNS return 127.0.0.1 for anything in that domain.

From the website, Ultrasurf even has a Firefox plugin.

Bill

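An added example, not part of the original thread: one way to turn tcpdump DNS response lines like the one quoted above into the "return 127.0.0.1 for anything in that domain" rule Bill describes. It assumes the capture comes from the isolated test machine the first post describes and that the local resolver is dnsmasq (its `address=/domain/ip` option covers the domain and all subdomains); the function names are hypothetical.

```python
import re

# The tcpdump -vv DNS response line from the post, joined onto one line.
SAMPLE = (
    "162.128.69.91.53 > 192.168.122.178.1398: [udp sum ok] 2 q: A? "
    "qmaigzn.info. 4/0/0 qmaigzn.info. [3m] CNAME "
    "35admq.3wllj9822.qmaigzn.info., 35admq.3wllj9822.qmaigzn.info. [3m] "
    "CNAME 35adm.q2pys11up2.qmaigzn.info., 35adm.q2pys11up2.qmaigzn.info. "
    "[3m] CNAME 35admq.z979oefjm.qmaigzn.info., "
    "35admq.z979oefjm.qmaigzn.info. [3m] A 206.223.154.230 (139)"
)

QUERY_RE = re.compile(r"\bq:\s+(\w+)\?\s+(\S+)")                    # "q: A? name."
RR_RE = re.compile(r"(\S+)\s+\[[^\]]*\]\s+(A|AAAA|CNAME)\s+(\S+)")  # "owner [ttl] TYPE value"

def parse_dns_response(line):
    """Return (qname, cname_chain, addresses) for a DNS response line, else None."""
    q = QUERY_RE.search(line)
    if not q:
        return None
    qname = q.group(2).rstrip(".").lower()
    chain, addrs = [], []
    for _owner, rtype, value in RR_RE.findall(line[q.end():]):
        value = value.rstrip(".,").lower()
        (chain if rtype == "CNAME" else addrs).append(value)
    return qname, chain, addrs

def registered_domain(name):
    # Assumption: the last two labels. Use a public-suffix list for co.uk-style names.
    return ".".join(name.split(".")[-2:])

def sinkhole_config(lines, sink="127.0.0.1"):
    """Return (dnsmasq address= lines, resolved addresses) for a capture."""
    domains, addresses = set(), set()
    for line in lines:
        parsed = parse_dns_response(line)
        if parsed is None:
            continue  # not a DNS response line
        qname, chain, addrs = parsed
        domains.update(registered_domain(n) for n in [qname, *chain])
        addresses.update(addrs)
    return [f"address=/{d}/{sink}" for d in sorted(domains)], sorted(addresses)

if __name__ == "__main__":
    config, addresses = sinkhole_config([SAMPLE])
    print("\n".join(config))
    print("# addresses returned:", ", ".join(addresses))
```

The sinkhole only affects clients that resolve through this dnsmasq instance, so the firewall policy should allow outbound DNS from the resolver only.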
Thanks Bill! I will give it a try.

Best regards.
Emiliano.

On Mon, Sep 3, 2012 at 7:15 PM, Bill Shirley <bill@ultrapoly.polymerindustries.biz> wrote:
> That tcpdump packet is a domain lookup for qmaigzn.info. Looks like the
> best way to block this is to have the DNS return 127.0.0.1 for anything
> in that domain.
>
> From the website, Ultrasurf even has a Firefox plugin.
>
> Bill