anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:26 pm
by opstina
Hello there,

I have used to block some webpages, but now users have found a way to pass the firewall with "TOR browser".

Can someone help me to block it?

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:28 pm
by ZeroByte
Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:29 pm
by ZeroByte
Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS
Then update the list frequently because it changes.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:35 pm
by opstina
Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS
Then update the list frequently because it changes.


Bro, how to find EDGE IP addresses? And.. I used to read a post in mikrotik and I followed their steps

http://wiki.mikrotik.com/wiki/How_to_De ... er_traffic

but no effect, seems they are old IPs or?

Thanks

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:49 pm
by ZeroByte
Bro, how to find EDGE IP addresses? And.. I used to read a post in mikrotik and I followed their steps
http://wiki.mikrotik.com/wiki/How_to_De ... er_traffic

but no effect, seems they are old IPs or?
Thanks
Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into Excel, using | character as field delimiter, and then having a column which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 3:59 pm
by opstina
Hello there,

I have used to block some webpages, but now users have found a way to pass the firewall with "TOR browser".

Can someone help me to block it?

Thanks for your post bro!

I see there are a million IPs in the list, are they all TOR BROWSER IPs? If I put all of them in the address list, mikrotik will block tor's traffic for sure?

Is there any way to create commands for all these IPs and put them in mikrotik?

Or should I create manually /ip firewall / add bla bla and put the IP manually?

Thanks

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 4:03 pm
by ZeroByte
Like I said, copy/paste the IP list into Excel, then make sure Excel splits the data into columns using the | character.
Then create a new column which uses concatenate() function to combine the standard "add address-list=tor address=" with the contents of the leftmost column. Slide that formula down the column (click the little black square at the bottom-right of the cell when you have it selected) and then drag the selection to the end of the list. This will apply the formula for all rows.

Then copy the cells which now show the ROS commands....
Go into Mikrotik, delete the TOR list and then manually type /ip firewall address [enter]
Then paste the results from Excel.

Again - you might find a better source for this data or else write a perl/php/python/etc script to automate this task.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 4:17 pm
by emils
Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into Excel, using | character as field delimiter, and then having a column which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.
Your posted site actually contains a link to IP only list :D
You can also fetch https://www.dan.me.uk/torlist/ for a list of ips only, one per line - updated every 30 minutes. Ideal for constructing your own tor banlists.
Append that with something like this - http://wiki.mikrotik.com/wiki/Using_Fet ... ress_Lists (not sure if working on current versions). Add to scheduler and you are done!

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 4:28 pm
by ZeroByte
Cool. There's the answer.

(I didn't actually study the TOR site list too carefully myself because I'm not actually interested in blocking TOR myself - heck, I'm likely to be someone who USES it.) ;)

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 7:01 pm
by hossain2004a
@Zerobyte

Did you remember about evil software?? TOR is one of them.

:D :D

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Thu Apr 16, 2015 7:06 pm
by ZeroByte
@Zerobyte

Did you remember about evil software?? TOR is one of them.

:D :D
It's only evil if you use it to hide criminal activities....
Keeping the boss's middlebox from snooping on web browsing habits - or keeping the NSA out of your web browsing, that's the kind of use for me - not to go get access to illegal things on the "deep web"


(unrelated- I had my router's IPv6 firewall connections screen open, and just saw a udp packet sent to google on port 443.
Weird)

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Fri Apr 17, 2015 9:06 am
by hossain2004a
@Zerobyte

Did you remember about evil software?? TOR is one of them.

:D :D
It's only evil if you use it to hide criminal activities....
Keeping the boss's middlebox from snooping on web browsing habits - or keeping the NSA out of your web browsing, that's the kind of use for me - not to go get access to illegal things on the "deep web"


(unrelated- I had my router's IPv6 firewall connections screen open, and just saw a udp packet sent to google on port 443.
Weird)
Yes, I didn't want to change the topic, but just noting that:
If you try Hotspot Shield you would notice that you have high SENT and RECEIVING but you are not using internet.
It's weird too.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Mon Apr 20, 2015 9:57 am
by opstina
Hi guys

Thanks for your posts!

I'm trying to make a PHP script to create me firewall commands automatically just to upload the list of IPs
but if I block all these IPs are you sure that "TOR browser will die totally"?

Also.. I think users are using Free VPN connections to bypass our firewall that we created.. is there a possible way to block any port or something that will "DROP" all VPN connections?

Thanks.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Mon Apr 20, 2015 3:52 pm
by hossain2004a
If you wanna have a script to add TOR's IPs you should see "emils" post above.

About other VPN and software like free gate.... I'm not sure you'll be able to make it...

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 3:48 pm
by opstina
If you wanna have a script to add TOR's IPs you should see "emils" post above.

About other VPN and software like free gate.... I'm not sure you'll be able to make it...

Bro, you didn't understand me,

I asked you how to block "VPN tunnel traffic"?

For example users find free VPN in google and go to "my network place" 2."Create new connection" and there are two options like PPPoE and VPN .. so they choose VPN and use free VPNs to connect and pass our firewall..

My question is: how to block VPN tunnel traffic in mikrotik?

Thanks

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 4:30 pm
by ZeroByte
Whatever port number and protocol the VPN uses - make a firewall rule that blocks it.

If the user is motivated enough, and skillful enough, then you're fighting a losing battle. They can always switch to different ports and use protocols like SSL because you cannot simply "block all SSL"

It's better to have a policy and if the user violates policy, block them from your network.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 6:57 pm
by hossain2004a
then you're fighting a losing battle.
:D
I think no one cares as me in this situation. I tried to block them. No luck. Sometimes it's good to block it in an internet cafe :D but because of losing customers ( :lol: ) I didn't go further. I think you can block them in your domain via some group policy or your computer's firewall, but it's really easy to bypass that.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 7:04 pm
by ZeroByte
then you're fighting a losing battle.
:D
I think no one cares as me in this situation. I tried to block them. No luck. Sometimes it's good to block it in an internet cafe :D but because of losing customers ( :lol: ) I didn't go further. I think you can block them in your domain via some group policy or your computer's firewall, but it's really easy to bypass that.
Probably the most reliable way is to intercept DNS, use a server that has policies, and won't give the IP address of domains that you want. DNS is unencrypted, so you could still do packet inspection to match (and drop) DNS on non-standard ports. You can map all DNS to your "policy-based" server, or ONLY allow DNS to that server....

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 7:48 pm
by hossain2004a
then you're fighting a losing battle.
:D
I think no one cares as me in this situation. I tried to block them. No luck. Sometimes it's good to block it in an internet cafe :D but because of losing customers ( :lol: ) I didn't go further. I think you can block them in your domain via some group policy or your computer's firewall, but it's really easy to bypass that.
Probably the most reliable way is to intercept DNS, use a server that has policies, and won't give the IP address of domains that you want. DNS is unencrypted, so you could still do packet inspection to match (and drop) DNS on non-standard ports. You can map all DNS to your "policy-based" server, or ONLY allow DNS to that server....
Yup, I heard of it, but didn't try it. But e.g. if I block facebook this way I think users can open it via its IP of website, ha?

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 7:55 pm
by ZeroByte
Yup, I heard of it, but didn't try it. But e.g. if I block facebook this way I think users can open it via its IP of website, ha?
I just put https://173.252.88.66/ into my browser. It gave me a certificate warning, and then forced me to the host by name anyway, so I'm betting facebook won't work if you took away the DNS.... Turn off DNS in your computer and type in that IP address and see if it works... (now I'm curious)

Any user smart enough to use the hosts file / direct IP address is going to be smart enough to get around anything you do, and will most likely consider it to be a challenge and will go out of their way to defy your filters on purpose - just like climbing a mountain.

Ban this one user, or accept the fact that they're surfing facebook against the rules. Let the filtering capture 99.9% of your users, and live an easier life.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 8:05 pm
by hossain2004a
Haha. I'm not gonna filter facebook (that's why I use "e.g."). I'm just curious of its knowledge.
And as I said, in my country facebook is blocked ( :lol: ) so people use VPN and proxies and...

Can you give me the config so i can test it? :D
(I've got plenty of IPs and sample config but it's not available)

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 8:14 pm
by ZeroByte
Can you give me the config so i can test it? :D
(I've got plenty of IPs and sample config but it's not available)
There's no config - just turn off DNS in your computer and surf to that IP - that's facebook's IP.

Only do this if you're really bored, though... it's not important. I just wanted to see what facebook would do if I tried to reach them using the IP address as the URL. (as expected, it changed me over to the hostname)

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Apr 22, 2015 8:58 pm
by hossain2004a
facebook is blocked in country :D
but I redirect bing to google. that was fun :D
but when I tried some HTTPS, no luck. just open that page with delay.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Jun 24, 2015 6:48 pm
by davidnvega
Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into Excel, using | character as field delimiter, and then having a column which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.
Your posted site actually contains a link to IP only list :D
You can also fetch https://www.dan.me.uk/torlist/ for a list of ips only, one per line - updated every 30 minutes. Ideal for constructing your own tor banlists.
Append that with something like this - http://wiki.mikrotik.com/wiki/Using_Fet ... ress_Lists (not sure if working on current versions). Add to scheduler and you are done!

Hi Emils, I'm trying to fetch this file as you said. At first step I tried to download the file in this way:

/tool fetch src-path=text.txt mode=https url="https://www.dan.me.uk/torlist/"

And it says: failure: cannot open file

What am I doing wrong? Thanks!

Sorry, it works... changing src-path for dst-path. Thanks!

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Fri Aug 28, 2015 6:56 pm
by rmmccann
Did you ever have success making this work? I've been playing around with it and the example and it appears as though the parse command can't be used on a file larger than 4096 bytes.
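
Added example, not written by any poster in this thread: one way to do the scripting suggested earlier off the router, in Python. It turns a one-address-per-line list like the one emils links into a RouterOS .rsc import file, so nothing large has to be parsed on the router itself; the list name "tor", the function names and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample in the one-address-per-line format described in the
# thread. Addresses are from documentation ranges, not real Tor nodes.
SAMPLE_LIST = """\
192.0.2.10
198.51.100.7
# a comment line
192.0.2.10

not-an-ip
2001:db8::5
203.0.113.0/24
"""

# Assumption: the /ipv6 menu only exists if IPv6 support is enabled on the router.
MENUS = ((4, "/ip firewall address-list"), (6, "/ipv6 firewall address-list"))

def parse_addresses(text):
    """Return (sorted unique addresses, rejected lines) from untrusted text."""
    seen, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # Only literal IPs pass; nothing else reaches the router console.
            seen.add(ipaddress.ip_address(line))
        except ValueError:
            rejected.append(line)
    return sorted(seen, key=lambda a: (a.version, int(a))), rejected

def build_rsc(text, list_name="tor"):
    """Build a RouterOS script that replaces address list `list_name`."""
    if not list_name.isalnum():
        raise ValueError("list name must be alphanumeric")
    addrs, rejected = parse_addresses(text)
    if not addrs:
        # A failed or empty download must not wipe the existing block list.
        raise ValueError("no valid addresses in input")
    out = [f"# {len(addrs)} addresses, {len(rejected)} lines rejected"]
    for version, menu in MENUS:
        out += [menu, f"remove [find list={list_name}]"]
        out += [f"add list={list_name} address={a}"
                for a in addrs if a.version == version]
    return "\n".join(out) + "\n", rejected

if __name__ == "__main__":
    print(build_rsc(SAMPLE_LIST)[0], end="")
```

Save the output as a .rsc file, upload it to the router and load it with /import; the forward-chain drop rule on dst-address-list described at the top of the thread then matches the refreshed list.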

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Nov 18, 2015 2:41 pm
by UsernameMT
Hi
If I enter an address list of 7000 IPs in the 951G-2HnD, will it die?
https://www.dan.me.uk/tornodes
anyone tried?

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Tue Mar 01, 2016 12:30 pm
by UsernameMT
list of TOR IP addresses (~7000 IP)
banTOR-29.02.2016-14.07.08.rsc
on RB911G-5HPnD - works good
CPU - load low.

Re: anyone knows to block "TOR browser" in mikrotik?

Posted: Wed Dec 27, 2017 12:44 pm
by Arslan
Hello, everyone. Please send a new link for banTOR-29.02.2016-14.07.08.rsc; this link has expired.
Thanks in advance