danniell2
just joined
Topic Author
Posts: 3
Joined: Tue Sep 24, 2019 7:21 pm

Block Anydesk

Mon Oct 14, 2019 7:14 pm

Hey everyone.
Is it possible to block AnyDesk?
How do I do it?

Thanks in advance.
 
Zacharias
Forum Guru
Posts: 2747
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Mon Oct 14, 2019 7:24 pm

Block its listening port...
 
ingdaka
Member
Posts: 405
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Block Anydesk

Mon Oct 14, 2019 10:20 pm

L7 firewall: block *.net.anydesk.com with a regexp.
 
Zacharias
Forum Guru
Posts: 2747
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Mon Oct 14, 2019 10:23 pm

L7 firewall blocking is not recommended anymore...!
Especially when what you want can be achieved by a simple TCP port block..!
 
Cha0s
Forum Guru
Posts: 1072
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Mon Oct 14, 2019 11:29 pm

> L7 firewall blocking is not recommended anymore...!
> Especially when what you want can be achieved by a simple TCP port block..!
I don't think that a simple block will do it.

https://support.anydesk.com/FAQ
> Which ports does AnyDesk use?
> To connect to the AnyDesk network port 80, 443 or 6568 is used. For standard listening port direct line connection is 7070 (TCP).
You could block port 7070, but IIRC this is user configurable.
Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.

I've used Anydesk using squid proxy (on networks without even a default gateway to the outside world) that did not allow port 7070 and it still worked perfectly fine.

I think both Anydesk and Teamviewer fallback to port 443 which is almost universally allowed in firewalls. And both can even use an http proxy to still receive incoming connections.

@danniell2 if you control the DNS that the clients use then you may have more luck by blocking *.anydesk.com from resolving. But still, the anydesk client may have hardcoded IPs that it directly connects to to bootstrap itself.

I would personally start capturing traffic to see where it connects to and how it behaves every time I block something until I manage to block it completely.
 
Zacharias
Forum Guru
Posts: 2747
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Tue Oct 15, 2019 12:39 am

> Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.
I never said to block ports 80 or 443... In my previous post I said block the listening port, which is not 80 or 443 either...
I'm sure it can be blocked.. I'll try it when I find some time and I'll let you know if no solution has been found yet...
 
Cha0s
Forum Guru
Posts: 1072
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Tue Oct 15, 2019 1:50 am

>> Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.
> I never said to block ports 80 or 443... In my previous post I said block the listening port, which is not 80 or 443 either...
> I'm sure it can be blocked.. I'll try it when I find some time and I'll let you know if no solution has been found yet...
Blocking the listening port doesn't block Anydesk. It just blocks the direct connection between the two clients.
When the listening port is blocked, it will connect via an outgoing connection to port 80 to an Anydesk relay server, essentially punching through your firewall (assuming that port outgoing TCP 80 is allowed).
I just tried it and the traffic was flowing through 217.182.196.53 (relay-b78965e4.net.anydesk.com).
I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ.

Also, I just checked and the listening port IS user configurable - so a simple TCP port block can be bypassed in matter of seconds.

In other words, blocking the listening port doesn't block Anydesk, and blocking outgoing connections to port 80 & 443 is... unrealistic.
 
sjafka
Frequent Visitor
Posts: 89
Joined: Wed Jan 03, 2018 5:45 pm

Re: Block Anydesk

Thu Oct 17, 2019 4:48 pm

Hi everyone,

I'm here because I was searching for this too. Unlike TeamViewer, this is a peer-to-peer connection, so the destination address will be the public IP of the computer you want to reach.
The default listening port is 7070; I could achieve logging of the activity (not truly tested, but I saw my computer's private IP in the logs, so I think it's good).
I tried TLS host blocking, not working. If someone finds out how to block/audit it, please share with us!
 
Cha0s
Forum Guru
Posts: 1072
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Sat Oct 26, 2019 8:06 pm

> I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ.
Here are some logs from a corporate proxy blocking anydesk.
1572105939.836      0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html
1572105941.837      0 x.x.x.x TCP_DENIED/403 2059 CONNECT 144.76.103.6:443 - NONE/- text/html
1572105943.836      0 x.x.x.x TCP_DENIED/403 2049 CONNECT 144.76.103.6:6568 - NONE/- text/html

1572105926.513      0 x.x.x.x TCP_DENIED/403 2042 CONNECT 5.9.105.232:80 - NONE/- text/html
1572105928.529      0 x.x.x.x TCP_DENIED/403 2056 CONNECT 5.9.105.232:443 - NONE/- text/html
1572105930.529      0 x.x.x.x TCP_DENIED/403 2046 CONNECT 5.9.105.232:6568 - NONE/- text/html
It appears that even if *.anydesk.com is blocked, the Anydesk client will still try to connect to the Anydesk network via hardcoded IPs on port 80, then port 443, then port 6568.
Which makes it that much harder to block reliably.
 
almdandi
Frequent Visitor
Posts: 58
Joined: Sun May 03, 2015 5:22 pm

Re: Block Anydesk

Sun Oct 27, 2019 2:32 pm

Also, you need to block DNS requests to other DNS servers. In my tests AnyDesk used 1.1.1.1, 8.8.8.8 and 9.9.9.9 besides my local DNS server. I had to block two IP addresses, 5.9.51.75 and 37.61.223.15. But I'm not sure if they are hardcoded or just cached.
 
nastit
just joined
Posts: 1
Joined: Thu Dec 05, 2019 12:42 pm

Re: Block Anydesk

Thu Dec 05, 2019 2:03 pm

Hi All,

Is there anyone who can block AnyDesk?
I have followed all the steps on this forum but it still failed. Because AnyDesk uses port 443, if I block the port, all users cannot access the internet. And I cannot block by IP address because I always get a different IP address.

Regards,
Tisna
 
spaxton
Member Candidate
Posts: 184
Joined: Fri Jan 01, 2010 12:18 pm

Re: Block Anydesk

Mon Dec 21, 2020 10:37 pm

> Hi All,
>
> Is there anyone who can block AnyDesk?
> I have followed all the steps on this forum but it still failed. Because AnyDesk uses port 443, if I block the port, all users cannot access the internet. And I cannot block by IP address because I always get a different IP address.
>
> Regards,
> Tisna

Hi,

Maybe late to reply about this.

You can add this to your firewall rules:

chain=forward action=drop protocol=tcp dst-port=443 content=anydesk log=no log-prefix=""

This will for sure block the AnyDesk website for all clients and will leave all other port-443 related things alone, but it will not block the AnyDesk client. I am also looking for a solution.
 
opensourc
just joined
Posts: 2
Joined: Sat Dec 21, 2013 11:28 am

Re: Block Anydesk

Fri Feb 26, 2021 12:52 pm

Hello.
I block AnyDesk in a few steps:
(sorry for my English)
1. Add a layer7 protocol entry with name=AnyDesk and simply the text "anydesk.com" without any special chars.
2. Add a mangle (prerouting) rule that marks packets, with filters:
new-packet-mark=drop_udp
dst-port=53 protocol=udp layer7-protocol=AnyDesk
3. If you know even one of AnyDesk's servers, make an IP address list for it, with a name such as name=ban_remote_anydesk.
4. Add a mangle (prerouting) rule with a new packet mark, with filters:
new-packet-mark=drop_tcp
dst-port=80,443,6568 protocol=tcp dst-address-list=ban_remote_anydesk

Finally, filter the packets:
5. Add a filter (input) rule with drop action, with filters:
protocol=udp dst-port=53 packet-mark=drop_udp
6. Add a filter (forward) rule with drop action, with the same filters:
protocol=udp dst-port=53 packet-mark=drop_udp
7. Add a filter (forward) rule with reject action, with filters:
protocol=tcp packet-mark=drop_tcp

Also, you need to block DNS requests to foreign DNS servers, except for a group who may do it:
8. Add a filter (forward) rule with drop action, with filters (you must have an address list, for example "allow_alternate_dns"):
protocol=udp dst-port=53 src-address-list=!allow_alternate_dns

That's all. From this time on, you can't run AnyDesk.
But if you need to stop already running instances, you must have the full list of AnyDesk's IPs.

So, if you need the full list of AnyDesk's servers, you can do it like me:
1. Install a "dedicated" virtual PC with Windows 7 (or other, but I like W7) on a virtual machine. Now we know the IP leased to the virtual PC, for example 192.168.88.200.
2. Change step 2 (mangle rule, above) so that DNS requests from 192.168.88.200 are allowed. We don't need to block DNS requests for the virtual PC.
3. All requests to TCP ports 80 and 443 from 192.168.88.200 we must mark, save to an address list (for example TCP_80_443) and then drop in a filter rule.
4. All requests to TCP port 6568 from 192.168.88.200 whose destination is in TCP_80_443 we must add to the address list "ban_remote_anydesk" (step 3 above).
5. Run AnyDesk on it. Find the IP address AnyDesk connected to. Add it to the address list ban_remote_anydesk.
Wait some minutes, and our address list will be filled with AnyDesk's IPs.
When the list is filled, even running AnyDesk instances will be disconnected, including 192.168.88.200.

BTW, if you have rules for fasttrack, or simply accept-forward rules for established/related connections at the top of your rules, you must disable them for some time.
P.S. Sorry for my English one more time.
P.P.S. RouterOS 6.43.13
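The eight blocking steps and the IP-harvesting variant above, written out as RouterOS 6.x CLI commands. This is an added example, not opensourc's own configuration: it assumes the default 192.168.88.0/24 LAN with 192.168.88.200 as the probe VM (the address used in the post), seeds the ban list with the two server addresses that appeared in Cha0s's proxy log earlier in the thread, and the one-day address-list timeout is this example's own choice. The harvesting rules at the end also catch the 80 -> 443 -> 6568 fallback cycle that Cha0s's log showed.

```routeros
# Added example (not the poster's own commands): the eight steps plus the
# harvesting variant as RouterOS 6.x CLI. Assumptions: LAN is 192.168.88.0/24,
# the probe VM is 192.168.88.200, and the 1d timeout is this example's choice.

# Step 1: layer7 signature. The unescaped "." also matches the length byte that
# replaces the dot in a DNS wire-format name (\07anydesk\03com), which is why the
# plain text works on raw DNS queries.
/ip firewall layer7-protocol add name=AnyDesk regexp="anydesk.com"

# Step 2 (with the harvesting variant's exemption for the probe VM): mark DNS
# queries that carry the AnyDesk signature.
/ip firewall mangle add chain=prerouting protocol=udp dst-port=53 \
    src-address=!192.168.88.200 layer7-protocol=AnyDesk \
    action=mark-packet new-packet-mark=drop_udp passthrough=yes

# Step 3: seed the ban list with servers seen in this thread (Cha0s's proxy log).
/ip firewall address-list add list=ban_remote_anydesk address=144.76.103.6
/ip firewall address-list add list=ban_remote_anydesk address=5.9.105.232

# Step 4: mark TCP towards the ban list on the three ports the AnyDesk FAQ names.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80,443,6568 \
    dst-address-list=ban_remote_anydesk \
    action=mark-packet new-packet-mark=drop_tcp passthrough=yes

# Steps 5-7: drop marked DNS queries whether aimed at the router (input) or
# forwarded, and reject marked TCP so the client fails fast instead of timing out.
# place-before=0 puts the rules above any fasttrack/established accept rules
# (the post's BTW); it needs at least one existing rule in the table.
/ip firewall filter add chain=input protocol=udp dst-port=53 packet-mark=drop_udp \
    action=drop place-before=0
/ip firewall filter add chain=forward protocol=udp dst-port=53 packet-mark=drop_udp \
    action=drop place-before=0
/ip firewall filter add chain=forward protocol=tcp packet-mark=drop_tcp \
    action=reject reject-with=tcp-reset place-before=0

# Step 8: only hosts in allow_alternate_dns may reach outside resolvers; everyone
# else must use the router, where step 5 inspects the query.
/ip firewall address-list add list=allow_alternate_dns address=192.168.88.200
/ip firewall filter add chain=forward protocol=udp dst-port=53 \
    src-address-list=!allow_alternate_dns action=drop

# Harvesting variant: every web destination the probe VM opens is recorded and
# then dropped, which pushes the client onto its 6568 fallback. A 6568 attempt to
# an address already in TCP_80_443 is the AnyDesk fingerprint, so it is banned.
/ip firewall mangle add chain=prerouting src-address=192.168.88.200 protocol=tcp \
    dst-port=80,443 action=add-dst-to-address-list address-list=TCP_80_443 \
    address-list-timeout=1d
/ip firewall mangle add chain=prerouting src-address=192.168.88.200 protocol=tcp \
    dst-port=6568 dst-address-list=TCP_80_443 \
    action=add-dst-to-address-list address-list=ban_remote_anydesk \
    address-list-timeout=1d
/ip firewall filter add chain=forward src-address=192.168.88.200 protocol=tcp \
    dst-port=80,443 dst-address-list=TCP_80_443 action=drop place-before=0

# Review what was harvested before relying on the list.
/ip firewall address-list print where list=ban_remote_anydesk
```

The harvesting rules are only meaningful while AnyDesk runs on the probe VM; once the ban list is populated, the step 4 and step 7 rules handle every other host, and the VM-specific rules can be disabled again so the VM's ordinary web traffic is not dropped.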
 
JohnTRIVOLTA
Member Candidate
Posts: 267
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block Anydesk

Fri Feb 26, 2021 2:17 pm

One simple solution:
1. Redirect to the router the DNS queries on port 53 UDP and TCP.
2. Block DoT ports 453, 853.
3. Add a static record with regexp ^(.*)(anydesk)(.*)$ and address 127.0.0.1.
4. Try to block DoH by dropping TCP 443 with a dst-address list of known DoH server IP addresses.
 
mitzone
just joined
Posts: 22
Joined: Mon Jan 02, 2012 1:17 pm

Re: Block Anydesk

Sat Mar 27, 2021 10:37 am

Just logged in to say thanks for sharing your experience.
I was struggling for the last 2 days to find a way to block this crap.
Greetings!
 
Jotne
Forum Guru
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Anydesk

Sat Mar 27, 2021 6:46 pm

> 4. Try to block DoH by dropping TCP 443 with a dst-address list of known DoH server IP addresses.
That will only be a short-term solution since new servers arrive all the time.
Here is one list.
https://dnscrypt.info/public-servers/
 
 
mitzone
just joined
Posts: 22
Joined: Mon Jan 02, 2012 1:17 pm

Re: Block Anydesk

Tue Apr 06, 2021 12:21 am

Here's what worked for me:

1. Redirect to the router the DNS queries on port 53 UDP and TCP.
2. Add a static record with regexp ^(.*)(anydesk)(.*)$ and address 127.0.0.1.

Problem solved. Did not see any traffic to hard-coded IPs. Tested with the latest AnyDesk version.
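The DNS-sinkhole approach that JohnTRIVOLTA outlined and mitzone confirmed, written out as RouterOS CLI commands. This is an added example, not either poster's own configuration: it assumes the default 192.168.88.0/24 LAN, blocks DNS-over-TLS on 853 (its standard port), and uses 192.0.2.1 as a placeholder for a DoH resolver address taken from a list such as the one Jotne links.

```routeros
# Added example (not the posters' own commands). Assumptions: LAN is
# 192.168.88.0/24; 192.0.2.1 is a placeholder for a real DoH resolver address.

# Step 3 first, so the sinkhole exists before queries are steered to the router.
# A regexp entry matches any name containing "anydesk" and answers 127.0.0.1.
/ip dns set allow-remote-requests=yes
/ip dns static add regexp="^(.*)(anydesk)(.*)$" address=127.0.0.1 \
    comment="AnyDesk sinkhole"

# Step 1: hijack every plain-DNS query from the LAN to the router, whatever
# resolver the client configured (almdandi saw 1.1.1.1, 8.8.8.8 and 9.9.9.9).
/ip firewall nat add chain=dstnat src-address=192.168.88.0/24 protocol=udp \
    dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat src-address=192.168.88.0/24 protocol=tcp \
    dst-port=53 action=redirect to-ports=53

# Step 2: DNS-over-TLS cannot be redirected (the TLS handshake would fail
# against the router), so drop it outright.
/ip firewall filter add chain=forward protocol=tcp dst-port=853 action=drop \
    comment="DoT"

# Step 4: DNS-over-HTTPS shares port 443 with all other web traffic, so it can
# only be blocked per resolver address; the list needs ongoing maintenance.
/ip firewall address-list add list=doh_servers address=192.0.2.1 \
    comment="placeholder - replace with real DoH resolver addresses"
/ip firewall filter add chain=forward protocol=tcp dst-port=443 \
    dst-address-list=doh_servers action=drop comment="DoH"

# Clear cached answers so the sinkhole takes effect immediately; from a LAN host,
# resolving any *.net.anydesk.com name should now return 127.0.0.1.
/ip dns cache flush
```

As the thread goes on to note, this only governs name resolution: a client that carries its own DoH resolver or a static hosts entry never asks the router, so the rules are a control on ordinary users rather than a hard boundary.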
 
Jotne
Forum Guru
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block Anydesk

Tue Apr 06, 2021 12:12 pm

Just add a DoH client on your PC and you bypass the DNS server completely.
Also, adding a static name would bypass the DNS server.

Your approach only works for a user who accidentally tries to reach a site. For any user who knows something about networking, this does not work.
 