danniell2
just joined
Topic Author
Posts: 3
Joined: Tue Sep 24, 2019 7:21 pm

Block Anydesk

Mon Oct 14, 2019 7:14 pm

Hey everyone.
Is it possible to block AnyDesk?
How do I do it?

Thanks in advance.
 
Zacharias
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Mon Oct 14, 2019 7:24 pm

Block its listening port...
 
ingdaka
Member
Posts: 349
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Block Anydesk

Mon Oct 14, 2019 10:20 pm

L7 firewall block *.net.anydesk.com with regexp
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE | MTCWE | RIPE NCC Certified Professional
 
Zacharias
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Mon Oct 14, 2019 10:23 pm

L7 firewall blocking is not recommended anymore...!
Especially when what you want can be achieved by a simple TCP port block..!
 
Cha0s
Forum Veteran
Posts: 987
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Mon Oct 14, 2019 11:29 pm

> L7 firewall blocking is not recommended anymore...!
> Especially when what you want can be achieved by a simple TCP port block..!
I don't think that a simple block will do it.

https://support.anydesk.com/FAQ
> Which ports does AnyDesk use?
> To connect to the AnyDesk network port 80, 443 or 6568 is used. For standard listening port direct line connection is 7070 (TCP).
You could block port 7070, but IIRC this is user configurable.
Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.

I've used Anydesk using squid proxy (on networks without even a default gateway to the outside world) that did not allow port 7070 and it still worked perfectly fine.

I think both Anydesk and Teamviewer fall back to port 443, which is almost universally allowed in firewalls. And both can even use an HTTP proxy to still receive incoming connections.

@danniell2 if you control the DNS that the clients use then you may have more luck by blocking *.anydesk.com from resolving. But still, the anydesk client may have hardcoded IPs that it directly connects to in order to bootstrap itself.

I would personally start capturing traffic to see where it connects to and how it behaves every time I block something until I manage to block it completely.
 
Zacharias
Forum Guru
Posts: 2309
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Block Anydesk

Tue Oct 15, 2019 12:39 am

> Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.
I never said blocking ports 80 or 443... In my previous post I said block the listening port, which is not 80 or 443 either...
I'm sure it can be blocked... I'll try it when I find some time and I'll let you know if no solution has been found yet...
 
Cha0s
Forum Veteran
Posts: 987
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Tue Oct 15, 2019 1:50 am

>> Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443.
> I never said blocking ports 80 or 443... In my previous post I said block the listening port, which is not 80 or 443 either...
> I'm sure it can be blocked... I'll try it when I find some time and I'll let you know if no solution has been found yet...
Blocking the listening port doesn't block Anydesk. It just blocks the direct connection between the two clients.
When the listening port is blocked, it will connect via an outgoing connection to port 80 to an Anydesk relay server, essentially punching through your firewall (assuming that outgoing TCP port 80 is allowed).
I just tried it and the traffic was flowing through 217.182.196.53 (relay-b78965e4.net.anydesk.com).
I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ.

Also, I just checked and the listening port IS user configurable - so a simple TCP port block can be bypassed in a matter of seconds.

In other words, blocking the listening port doesn't block Anydesk, and blocking outgoing connections to port 80 & 443 is... unrealistic.
 
sjafka
Frequent Visitor
Posts: 86
Joined: Wed Jan 03, 2018 5:45 pm

Re: Block Anydesk

Thu Oct 17, 2019 4:48 pm

Hi everyone,

I'm here because I was searching for this too, because unlike TeamViewer this is a peer-to-peer connection, so the dest address will be the public IP of the computer that you want to reach.
Default listening port is 7070. I managed to log activity (not truly tested, but I saw my computer's private IP in the logs, so I think it's good).
I tried TLS host blocking; it's not working. If someone finds out how to block/audit, please share with us!
 
Cha0s
Forum Veteran
Posts: 987
Joined: Tue Oct 11, 2005 4:53 pm

Re: Block Anydesk

Sat Oct 26, 2019 8:06 pm

> I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ.
Here are some logs from a corporate proxy blocking anydesk.
1572105939.836      0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html
1572105941.837      0 x.x.x.x TCP_DENIED/403 2059 CONNECT 144.76.103.6:443 - NONE/- text/html
1572105943.836      0 x.x.x.x TCP_DENIED/403 2049 CONNECT 144.76.103.6:6568 - NONE/- text/html

1572105926.513      0 x.x.x.x TCP_DENIED/403 2042 CONNECT 5.9.105.232:80 - NONE/- text/html
1572105928.529      0 x.x.x.x TCP_DENIED/403 2056 CONNECT 5.9.105.232:443 - NONE/- text/html
1572105930.529      0 x.x.x.x TCP_DENIED/403 2046 CONNECT 5.9.105.232:6568 - NONE/- text/html
It appears that even if *.anydesk.com is blocked, the Anydesk client will still try to connect to the Anydesk network via hardcoded IPs on port 80, then port 443, then port 6568.
Which makes it that much harder to block reliably.
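
Added example (not part of the original post or of any MikroTik or AnyDesk tooling): a small Python detector that reads Squid access-log lines like the ones quoted above and reports clients that try CONNECT to the same raw IP on ports 80, 443 and 6568 in quick succession. The 10-second window, the function names and the two benign log lines at the end of the sample are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

FALLBACK_PORTS = {80, 443, 6568}  # ports named in the FAQ quoted in the thread
WINDOW_SECONDS = 10.0             # assumption: the quoted attempts are ~2 s apart

# First six lines are the proxy log lines from the post; the last two are
# constructed benign traffic (client 10.0.0.5, documentation address 192.0.2.10).
SAMPLE_LOG = """\
1572105926.513      0 x.x.x.x TCP_DENIED/403 2042 CONNECT 5.9.105.232:80 - NONE/- text/html
1572105928.529      0 x.x.x.x TCP_DENIED/403 2056 CONNECT 5.9.105.232:443 - NONE/- text/html
1572105930.529      0 x.x.x.x TCP_DENIED/403 2046 CONNECT 5.9.105.232:6568 - NONE/- text/html
1572105939.836      0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html
1572105941.837      0 x.x.x.x TCP_DENIED/403 2059 CONNECT 144.76.103.6:443 - NONE/- text/html
1572105943.836      0 x.x.x.x TCP_DENIED/403 2049 CONNECT 144.76.103.6:6568 - NONE/- text/html
1572105950.100    120 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1572105951.200     90 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT 192.0.2.10:443 - HIER_DIRECT/192.0.2.10 -
"""

def parse_connects(log_text):
    """Yield (timestamp, client, dest_ip, port) for CONNECTs to IPv4 literals."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _, port = fields[6].rpartition(":")
        try:
            ipaddress.IPv4Address(host)  # hostnames raise ValueError and are skipped
            yield float(fields[0]), fields[2], host, int(port)
        except ValueError:
            continue

def find_port_sweeps(log_text, ports=FALLBACK_PORTS, window=WINDOW_SECONDS):
    """Return sorted (client, dest_ip) pairs that tried every port in `ports`
    against the same IP within `window` seconds."""
    attempts = defaultdict(list)
    for ts, client, dest, port in parse_connects(log_text):
        if port in ports:
            attempts[(client, dest)].append((ts, port))
    hits = []
    for key, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            if {p for t, p in events[i:] if t - start <= window} >= ports:
                hits.append(key)
                break
    return sorted(hits)

if __name__ == "__main__":
    for client, dest in find_port_sweeps(SAMPLE_LOG):
        print(f"{client} tried {sorted(FALLBACK_PORTS)} on {dest}")
```

Because it keys on the port sequence against an IP literal rather than on a hostname, the check still fires when *.anydesk.com is blocked at DNS and the client falls back to hardcoded addresses.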
 
almdandi
newbie
Posts: 46
Joined: Sun May 03, 2015 5:22 pm

Re: Block Anydesk

Sun Oct 27, 2019 2:32 pm

Also you need to block DNS requests to other DNS servers. In my tests AnyDesk used 1.1.1.1, 8.8.8.8 and 9.9.9.9 besides my local DNS server. I had to block two IP addresses, 5.9.51.75 and 37.61.223.15. But I'm not sure if they are hardcoded or just cached.
 
nastit
just joined
Posts: 1
Joined: Thu Dec 05, 2019 12:42 pm

Re: Block Anydesk

Thu Dec 05, 2019 2:03 pm

Hi All,

Is there anyone who can block AnyDesk?
I have followed all the steps in this forum but it still failed. Because AnyDesk uses port 443, if I block the port, all users cannot access the internet. And I cannot block by IP address because I always get a different IP address.

Regards,
Tisna
