Community discussions

MikroTik App
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

disaster need help please

Wed Sep 07, 2011 6:56 am

in the company
i use open DNS to filter some kinds of sites
but lately some employees uses a disastrous program called #hotspot shield#
which make big problems in the routine
please help me
i want an active way to protect from this program
my mikrotik is version 3.3
thanks in advance
 
tjc
Member Candidate
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: disaster need help please

Wed Sep 07, 2011 7:25 am

Searching for "how to block hotspot shield" should provide some answers. Apparently it uses a proxy service and you can block the addresses associated with that along with ports that it's known to use using simple firewall filter rules.

There's apparently even a mikrotik wiki page on this: http://wiki.mikrotik.com/wiki/How_to_De ... ication%29
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Wed Sep 07, 2011 6:53 pm

that is wondeful
the way has succeeded
but there is still a problem
when an employee uses a manual proxy , the hotspot shield program easily worked
and when they use these proxies they bypass the whole rules too

so i want a way to prevent any manual proxies and use only mikrotik proxy

thanks in advance
 
CCDKP
Member Candidate
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: disaster need help please

Wed Sep 07, 2011 8:17 pm

I have struggled with this issue a LOT in a corporate setting. You will always have employees that will get around your filter. It is impossible to fully block it while keeping high usability. Your best bet is to work with Human Resources and ENFORCE disciplinary action for intentionally bypassing the content filtering. I don't know where you are from or how the laws are, but in the companies we work with, all users are required to sign acceptable use policies, and anyone caught intentionally bypassing safeguards is disciplined. It only took two employees being put on 1-week unpaid suspension to stop everyone from using proxies.

If you aren't going the HR route, you are signing up for a cat & mouse game. I would make sure you are capturing all DNS traffic and forcing it to openDNS. If you are running a domain, use a group policy to enforce proxy settings and disable users from changing them. This blocks proxy use for IE and chrome, but not firefox (Firefox does not enforce windows Proxy settings).

If you don't have any legitimate reasons for users to VPN or proxy out, you can consider blocking outbound to the following:
TCP 8000 (Common Proxy Port)
TCP 8080 (Common Proxy Port)
TCP 1723 (PPTP VPN)
UDP 500 (IP Sec VPN)
UDP 4500 (IP Sec VPN)
UDP 1701 (L2TP VPN)

These aren't going to stop everything. SSH tunneling and SSL VPN's are always hard to stop, but at least it raises the bar a bit. Also, users can always resort to SSL proxy sites like https://www.clearlydrunk.com/. You best bet really is working on disciplinary action. There is no sense in making rules if you aren't going to enforce them.
CC_DKP: MTCNA, MTCRE, MTCWE, MTCTCE, part-time packet wrangler
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Thu Sep 08, 2011 4:08 am

that is fantastic thank u
but the problem here is that wen i block these ports some chat programs stop working
any way to force them to use my specify protocol and not use any other proxy
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Fri Sep 09, 2011 6:11 am

i want only to block porno sites by using open dns filter which is
208.67.222.123
208.67.220.123
and i do not want any one to bypass this
so i want to block access to proxy and block hot spot shield

now hotspot shield was done with the help of the above post


so i wannt to block the proxy or using the proxy but forced to use the open dns i put
208.67.222.123

please help
thanks,,,,,
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: disaster need help please

Fri Sep 09, 2011 6:46 am

To force everyone to use OpenDNS first start using them on the caching resolver on the router, and then force all DNS to the router itself.
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=redirect
add chain=dstnat protocol=tcp dst-port=53 action=redirect
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Sat Sep 10, 2011 5:38 am

that is fantastic
thank you very much
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Sun Sep 11, 2011 4:39 am

THE PROBLEM IS STILL THERE AND SOME CLIENTS BY USING SOME PROXIES BYPASS MY DNS
 
tjc
Member Candidate
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: disaster need help please

Sun Sep 11, 2011 6:23 am

If you can tell what the proxy server addresses are blacklist them.

If there's a way to detect the problem connections automatically (you can obviously tell it's happening, what characteristics are you using to identify it?) you can automatically add the destination addresses to a blacklist which will save you a bunch of work.

If you can identify specific problem users, limit their bandwidth by their source address (IP or MAC).

If they complain about the network performance then they've fallen into your trap and you can ask in a horrified voice "you didn't get your machine infected with that porn/video/... virus did you!?!" This will then give you an opening to go in and clean up their machine (read "lock down").

Remember, while you can't always solve people problems with technology, sometimes you can with technology a good "story" and a bit of street theater. ;-)
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Mon Sep 12, 2011 6:05 am

now i use open dns which is
208.67.222.123
208.67.220.123
i want to block proxy so when some body put any manual proxy in the browser it will not work
they use proxy like
155.98.35.7
port 3128
and it works very well

i dont want any manual proxy work
i want to stop them all with out get harm to chatting programs
please help
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8464
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: disaster need help please

Mon Sep 12, 2011 10:50 am

enable RouterOS proxy, then
/ip firewall filter add chain=forward action=reject place-before=0
after that, clients must have your proxy configured. any other proxy as well as direct access will not work
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: disaster need help please

Mon Sep 12, 2011 7:00 pm

OpenDNS only filters by domain names, that is all it is able to do. You are expecting it to be able to do more than it can if you expect it to prevent people from directly going to IP addresses. When someone tries to access a website directly by an IP address they are able to bypass using DNS since their computer doesn't have to look up a domain name.

As several people have pointed out, there are many options open to you, but expecting just one simple solution to meet all of your needs isn't really all that realistic in a complex situation. If you absolutely want to grantee blocking all proxy, web chat, etc. kind of programs, invest in something that does layer7 packet inspection and block them at that level. A warning on those peaces of hardware though, they are very expensive.
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Mon Sep 12, 2011 8:49 pm

enable RouterOS proxy, then
/ip firewall filter add chain=forward action=reject place-before=0
after that, clients must have your proxy configured. any other proxy as well as direct access will not work



SIR that is very good
it is able to block the proxy but unfortunatly it blocks the yahoo messenger also
and other programs
so i want to make this but enable yahoo messenger and skype , etc
 
heleopless
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: disaster need help please

Mon Sep 12, 2011 9:07 pm

OpenDNS only filters by domain names, that is all it is able to do. You are expecting it to be able to do more than it can if you expect it to prevent people from directly going to IP addresses. When someone tries to access a website directly by an IP address they are able to bypass using DNS since their computer doesn't have to look up a domain name.

As several people have pointed out, there are many options open to you, but expecting just one simple solution to meet all of your needs isn't really all that realistic in a complex situation. If you absolutely want to grantee blocking all proxy, web chat, etc. kind of programs, invest in something that does layer7 packet inspection and block them at that level. A warning on those peaces of hardware though, they are very expensive.




that is good
i know that opendns depends on domain name
is there any way to make any packet to be redirect to my mikrotik and be forced to use my specified dns which i use in ip dns ?
the second thing
most proxies they use is port 3128 how can i block this port ?
and when i block it , does it affect on some programs ?
thanks alot
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: disaster need help please

Mon Sep 12, 2011 9:47 pm

If no domain lookup happens, how you redirect that domain lookup? The answer to your question is no, you cannot redirect something that doesn't happen. The way DNS works is this:
1.) Someone types in a domain name, the computer has no idea how to get to a domain name, so it asks a DNS server, "What is the IP address of this domain name?"
2.) DNS server replies back, and client then attempts to go to that IP address.

If someone types an IP address directly into their browser or otherwise, no domain lookup happens at all because the computer knows how to get to an IP address. The reason OpenDNS works is because most people don't know or won't remember IP addresses directly, so it's very inconvenient for them. That doesn't mean they can't get around it by going directly to IP addresses.

You can block common proxy ports, but that doesn't mean it won't break something or prevent people from using non-standard proxies.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=3128
add chain=forward action=drop protocol=tcp dst-port=8080
...
...

Who is online

Users browsing this forum: al3xeezer, antonsb, Bing [Bot], dadaniel, Google [Bot], Sob and 123 guests