
disaster need help please

Posted: Wed Sep 07, 2011 6:56 am
by heleopless
in the company
i use OpenDNS to filter some kinds of sites
but lately some employees use a disastrous program called #hotspot shield#
which makes big problems in the routine
please help me
i want an active way to protect from this program
my mikrotik is version 3.3
thanks in advance

Re: disaster need help please

Posted: Wed Sep 07, 2011 7:25 am
by tjc
Searching for "how to block hotspot shield" should provide some answers. Apparently it uses a proxy service and you can block the addresses associated with that along with ports that it's known to use using simple firewall filter rules.

There's apparently even a mikrotik wiki page on this: http://wiki.mikrotik.com/wiki/How_to_De ... ication%29

Re: disaster need help please

Posted: Wed Sep 07, 2011 6:53 pm
by heleopless
that is wonderful
the way has succeeded
but there is still a problem
when an employee uses a manual proxy, the hotspot shield program easily works
and when they use these proxies they bypass all the rules too

so i want a way to prevent any manual proxies and use only the mikrotik proxy

thanks in advance

Re: disaster need help please

Posted: Wed Sep 07, 2011 8:17 pm
by CCDKP
I have struggled with this issue a LOT in a corporate setting. You will always have employees that will get around your filter. It is impossible to fully block it while keeping high usability. Your best bet is to work with Human Resources and ENFORCE disciplinary action for intentionally bypassing the content filtering. I don't know where you are from or how the laws are, but in the companies we work with, all users are required to sign acceptable use policies, and anyone caught intentionally bypassing safeguards is disciplined. It only took two employees being put on 1-week unpaid suspension to stop everyone from using proxies.

If you aren't going the HR route, you are signing up for a cat & mouse game. I would make sure you are capturing all DNS traffic and forcing it to OpenDNS. If you are running a domain, use a group policy to enforce proxy settings and disable users from changing them. This blocks proxy use for IE and Chrome, but not Firefox (Firefox does not enforce Windows proxy settings).

If you don't have any legitimate reasons for users to VPN or proxy out, you can consider blocking outbound to the following:
TCP 8000 (Common Proxy Port)
TCP 8080 (Common Proxy Port)
TCP 1723 (PPTP VPN)
UDP 500 (IPsec VPN)
UDP 4500 (IPsec VPN)
UDP 1701 (L2TP VPN)

These aren't going to stop everything. SSH tunneling and SSL VPNs are always hard to stop, but at least it raises the bar a bit. Also, users can always resort to SSL proxy sites like https://www.clearlydrunk.com/. Your best bet really is working on disciplinary action. There is no sense in making rules if you aren't going to enforce them.
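The outbound blocks CCDKP lists, written out as RouterOS firewall rules with an exemption list in front of them for the users who do have a legitimate VPN. This is an added example, not code from the post; the LAN interface name ether2, the address-list name and the 192.168.88.10 host are assumptions to adjust.

```routeros
# Added example: block the proxy/VPN ports CCDKP lists for LAN clients,
# but let hosts on the "vpn-allowed" address list through first.
# ether2 and the addresses are assumptions; adjust for your network.
/ip firewall address-list
add list=vpn-allowed address=192.168.88.10 comment="assumed host with a legitimate IPsec VPN"

/ip firewall filter
# exemptions come first: the filter chain is evaluated top to bottom
add chain=forward src-address-list=vpn-allowed action=accept \
    comment="legitimate VPN users skip the proxy/VPN blocks"
# log before dropping so you can see who is trying to get out (log is non-terminating)
add chain=forward in-interface=ether2 protocol=tcp dst-port=8000,8080,1723 \
    action=log log-prefix="proxy-vpn-attempt" comment="TCP proxy (8000/8080) and PPTP control (1723)"
add chain=forward in-interface=ether2 protocol=tcp dst-port=8000,8080,1723 action=drop
add chain=forward in-interface=ether2 protocol=udp dst-port=500,4500,1701 \
    action=log log-prefix="proxy-vpn-attempt" comment="IPsec IKE/NAT-T (500/4500) and L2TP (1701)"
add chain=forward in-interface=ether2 protocol=udp dst-port=500,4500,1701 action=drop
# PPTP carries its data in GRE (IP protocol 47); dropping 1723 stops the tunnel
# from being set up, dropping GRE too closes the leftover path
add chain=forward in-interface=ether2 protocol=gre action=drop comment="PPTP data channel"
```

Check the log entries prefixed proxy-vpn-attempt before tightening further: a chat client that shows up there is exactly the collateral damage heleopless runs into two posts later, and it is easier to exempt a known source address than to guess ports.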

Re: disaster need help please

Posted: Thu Sep 08, 2011 4:08 am
by heleopless
that is fantastic, thank you
but the problem here is that when i block these ports some chat programs stop working
any way to force them to use my specified protocol and not use any other proxy

Re: disaster need help please

Posted: Fri Sep 09, 2011 6:11 am
by heleopless
i want only to block porno sites by using open dns filter which is
208.67.222.123
208.67.220.123
and i do not want any one to bypass this
so i want to block access to proxy and block hot spot shield

now hotspot shield was done with the help of the above post


so i want to block the proxy or using the proxy, but force them to use the OpenDNS i put
208.67.222.123

please help
thanks

Re: disaster need help please

Posted: Fri Sep 09, 2011 6:46 am
by fewi
To force everyone to use OpenDNS first start using them on the caching resolver on the router, and then force all DNS to the router itself.
/ip dns
# the router itself resolves through OpenDNS and answers queries from the LAN
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip firewall nat
# any DNS query passing through the router, whatever server it was aimed at,
# is redirected to the router's own resolver (same port, so no to-ports needed)
add chain=dstnat protocol=udp dst-port=53 action=redirect
add chain=dstnat protocol=tcp dst-port=53 action=redirect

Re: disaster need help please

Posted: Sat Sep 10, 2011 5:38 am
by heleopless
that is fantastic
thank you very much

Re: disaster need help please

Posted: Sun Sep 11, 2011 4:39 am
by heleopless
the problem is still there and some clients, by using some proxies, bypass my DNS

Re: disaster need help please

Posted: Sun Sep 11, 2011 6:23 am
by tjc
If you can tell what the proxy server addresses are blacklist them.

If there's a way to detect the problem connections automatically (you can obviously tell it's happening, what characteristics are you using to identify it?) you can automatically add the destination addresses to a blacklist which will save you a bunch of work.

If you can identify specific problem users, limit their bandwidth by their source address (IP or MAC).

If they complain about the network performance then they've fallen into your trap and you can ask in a horrified voice "you didn't get your machine infected with that porn/video/... virus did you!?!" This will then give you an opening to go in and clean up their machine (read "lock down").

Remember, while you can't always solve people problems with technology, sometimes you can with technology, a good "story" and a bit of street theater. ;-)

Re: disaster need help please

Posted: Mon Sep 12, 2011 6:05 am
by heleopless
now i use open dns which is
208.67.222.123
208.67.220.123
i want to block proxy so when somebody puts any manual proxy in the browser it will not work
they use a proxy like
155.98.35.7
port 3128
and it works very well

i don't want any manual proxy to work
i want to stop them all without harming the chatting programs
please help
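tjc's suggestion of adding proxy destinations to a blacklist automatically, applied to the case heleopless just described (a manual proxy at 155.98.35.7 on port 3128). This is an added example, not code from either post; ether2, the list names and timeouts, and the 192.168.88.50 client in the queue are assumptions.

```routeros
# Added example: turn tjc's "add the destination to a blacklist" idea into rules.
# Any LAN host that opens a connection to a known proxy port gets the destination
# recorded on "proxy-blacklist" for a day; traffic to listed hosts is then dropped
# on every port, so the same proxy cannot be reached on 80 or 443 either.
# ether2, list names, timeouts and the client address are assumptions.

# seed the list with the proxy heleopless reported
/ip firewall address-list
add list=proxy-blacklist address=155.98.35.7 comment="manual proxy seen in use"

/ip firewall filter
add chain=forward dst-address-list=proxy-blacklist action=drop \
    comment="drop everything to known proxy hosts"
# learn new proxies from the first packet of a connection to a proxy port;
# add-*-to-address-list actions are non-terminating, so the drop below still fires
add chain=forward in-interface=ether2 protocol=tcp dst-port=3128,8080,8000 \
    connection-state=new action=add-dst-to-address-list \
    address-list=proxy-blacklist address-list-timeout=1d \
    comment="record proxy destinations automatically"
# also record which LAN host did it, so you know whom to talk to
add chain=forward in-interface=ether2 protocol=tcp dst-port=3128,8080,8000 \
    connection-state=new action=add-src-to-address-list \
    address-list=proxy-users address-list-timeout=1d
add chain=forward in-interface=ether2 protocol=tcp dst-port=3128,8080,8000 action=drop

# tjc's bandwidth trick: throttle an identified offender by source address
/queue simple
add name="throttle-proxy-user" target-addresses=192.168.88.50/32 max-limit=64k/64k \
    comment="assumed offender, 64 kbit/s each way"
```

The dynamic entries appear under /ip firewall address-list with the D flag and expire on their own; the proxy-users list is the evidence to hand to HR, which is the route CCDKP recommends above.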

Re: disaster need help please

Posted: Mon Sep 12, 2011 10:50 am
by Chupaka
enable RouterOS proxy, then
/ip firewall filter add chain=forward action=reject place-before=0
after that, clients must have your proxy configured. any other proxy as well as direct access will not work

Re: disaster need help please

Posted: Mon Sep 12, 2011 7:00 pm
by Feklar
OpenDNS only filters by domain names, that is all it is able to do. You are expecting it to be able to do more than it can if you expect it to prevent people from directly going to IP addresses. When someone tries to access a website directly by an IP address they are able to bypass using DNS since their computer doesn't have to look up a domain name.

As several people have pointed out, there are many options open to you, but expecting just one simple solution to meet all of your needs isn't really all that realistic in a complex situation. If you absolutely want to guarantee blocking all proxy, web chat, etc. kinds of programs, invest in something that does layer 7 packet inspection and block them at that level. A warning on those pieces of hardware though, they are very expensive.

Re: disaster need help please

Posted: Mon Sep 12, 2011 8:49 pm
by heleopless
enable RouterOS proxy, then
/ip firewall filter add chain=forward action=reject place-before=0
after that, clients must have your proxy configured. any other proxy as well as direct access will not work

SIR that is very good
it is able to block the proxy but unfortunately it blocks the yahoo messenger also
and other programs
so i want to make this but enable yahoo messenger and skype, etc
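Chupaka's proxy-only approach with an allow list placed in front of the reject, so that the chat programs heleopless mentions keep working. This is an added example, not code from either post. The LAN interface ether2, the proxy port 8080, TCP 5050 for Yahoo Messenger and the chat-servers address list are assumptions; Skype has no fixed port, so it is handled by listing its server addresses by hand.

```routeros
# Added example, not from the thread: the RouterOS proxy as the only way out,
# with explicit holes for the chat programs. Assumptions: LAN on ether2,
# proxy on 8080, Yahoo Messenger on TCP 5050, chat hosts on an address list.
/ip proxy
set enabled=yes port=8080
# the proxy resolves names itself, so the router's OpenDNS settings apply to it;
# refuse to chain through our proxy to somebody else's proxy
/ip proxy access
add dst-port=3128,8080,8000 action=deny comment="no proxy chaining through ours"

# transparently push browser HTTP through the proxy so nobody has to configure
# it by hand; browsers with the proxy set explicitly keep working as well
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080

/ip firewall filter
# keep replies for connections the router already allowed
add chain=forward connection-state=established,related action=accept
# chat exceptions: specific ports and specific hosts, nothing more
add chain=forward in-interface=ether2 protocol=tcp dst-port=5050 action=accept \
    comment="Yahoo Messenger (assumed port)"
add chain=forward in-interface=ether2 dst-address-list=chat-servers action=accept \
    comment="Skype/other chat servers, maintained by hand"
# Chupaka's rule: everything else that would be forwarded is refused.
# Proxied HTTP and redirected DNS terminate on the router and never reach this chain.
add chain=forward action=reject reject-with=icmp-network-unreachable \
    comment="no direct access; use the proxy"

/ip firewall address-list
add list=chat-servers address=192.0.2.10 comment="assumed chat server address"
```

Two caveats worth knowing before rolling this out: the redirect only catches port 80, so HTTPS works only for browsers that have the router's proxy configured explicitly (they reach it with CONNECT), and every chat program that you exempt by port is a port a user can also run a proxy on, which is why the exemption for Skype is by destination address rather than by port.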

Re: disaster need help please

Posted: Mon Sep 12, 2011 9:07 pm
by heleopless
OpenDNS only filters by domain names, that is all it is able to do. You are expecting it to be able to do more than it can if you expect it to prevent people from directly going to IP addresses. When someone tries to access a website directly by an IP address they are able to bypass using DNS since their computer doesn't have to look up a domain name.

As several people have pointed out, there are many options open to you, but expecting just one simple solution to meet all of your needs isn't really all that realistic in a complex situation. If you absolutely want to guarantee blocking all proxy, web chat, etc. kinds of programs, invest in something that does layer 7 packet inspection and block them at that level. A warning on those pieces of hardware though, they are very expensive.

that is good
i know that opendns depends on domain name
is there any way to make any packet be redirected to my mikrotik and be forced to use my specified dns which i use in ip dns?
the second thing
most proxies they use are on port 3128, how can i block this port?
and when i block it, does it affect some programs?
thanks a lot

Re: disaster need help please

Posted: Mon Sep 12, 2011 9:47 pm
by Feklar
If no domain lookup happens, how do you redirect that domain lookup? The answer to your question is no, you cannot redirect something that doesn't happen. The way DNS works is this:
1.) Someone types in a domain name, the computer has no idea how to get to a domain name, so it asks a DNS server, "What is the IP address of this domain name?"
2.) DNS server replies back, and client then attempts to go to that IP address.

If someone types an IP address directly into their browser or otherwise, no domain lookup happens at all because the computer knows how to get to an IP address. The reason OpenDNS works is because most people don't know or won't remember IP addresses directly, so it's very inconvenient for them. That doesn't mean they can't get around it by going directly to IP addresses.

You can block common proxy ports, but that doesn't mean it won't break something or prevent people from using non-standard proxies.
/ip firewall filter
# Squid's default port, the one heleopless reported
add chain=forward action=drop protocol=tcp dst-port=3128
# common alternate HTTP proxy port
add chain=forward action=drop protocol=tcp dst-port=8080
...
...