alahwany
Resolved
0 votes
Hello,

Can anyone share any idea about blocking Tor browsing?

I am using ClearOS with the web proxy for web filtration, but I found some employees can access YouTube and other blocked sites over the Tor browser!!

I have tried this browser and found it's working very nicely and opened all blocked sites smoothly.

Is there any way to block this application when a user starts browsing with it?

Is there any way to block all web browser applications and allow only Google Chrome, Firefox and Internet Explorer to browse sites?

Is there any solution that can fix this problem and make the security stronger?

Thank you very much
Sunday, November 27 2016, 06:42 PM
Responses (13)
  • Monday, January 16 2017, 08:47 PM
    This script should make you an ipset set called tor-block:
    #!/bin/bash

    wget -q -O /usr/src/torexitnodes https://check.torproject.org/exit-addresses


    ipset destroy -q tor-block-temp
    ipset -N tor-block-temp nethash -exist
    ipset -N tor-block nethash -exist

    for IP in `cat /usr/src/torexitnodes | grep ExitAddress | cut -d ' ' -f 2`; do
    CLEANIP=$(echo "$IP" | egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}(/[[:digit:]]{1,2})?')
    # quote the value: an unquoted empty $CLEANIP would make "[ -n ]" true
    if [ -n "$CLEANIP" ]; then
    ipset -A -exist tor-block-temp $CLEANIP
    fi
    done

    # swap sets
    ipset swap tor-block tor-block-temp

    # ensure that temp sets do not exist
    ipset destroy -q "tor-block-temp"

    ipset save tor-block > /usr/src/ipset_tor-block.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_tor-block.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_tor-block.save

    and it can be run from cron.hourly. You'll need to modify the other three scriptlets to make it fully working.

    Note, the ET list had 801 IP's and this has 1020. Which do you believe? :S
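The parsing half of the script above, as an added example that is not part of the thread or of ClearOS: it reads a file in the check.torproject.org exit-addresses layout and writes an "ipset restore" script for a hash:net set, validating each octet (a bare [[:digit:]]{1,3} pattern accepts 999.1.1.1), dropping repeats, and putting -exist on every line so the file loads cleanly after a reboot or when the set already exists. It never calls ipset, so it can be dry-run on any machine. The set name tor-block follows the script above; the sample feed is constructed from documentation address ranges, not real exit nodes.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a check.torproject.org
# "exit-addresses" style feed into an "ipset restore" script. It validates
# every address, removes repeats and never calls ipset itself, so it can be
# dry-run anywhere. The set name "tor-block" follows the accepted answer;
# the sample feed below is constructed (documentation ranges, not real nodes).

SET_NAME="tor-block"

# Constructed sample in the exit-addresses layout: one ExitNode block per
# relay, each with one or more "ExitAddress <ip> <timestamp>" lines.
SAMPLE_FEED='ExitNode 0000000000000000000000000000000000000001
Published 2017-01-16 18:00:00
LastStatus 2017-01-16 19:00:00
ExitAddress 198.51.100.7 2017-01-16 19:00:00
ExitAddress 198.51.100.7 2017-01-16 19:30:00
ExitNode 0000000000000000000000000000000000000002
Published 2017-01-16 18:10:00
LastStatus 2017-01-16 19:00:00
ExitAddress 203.0.113.45 2017-01-16 19:05:00
ExitAddress not-an-address 2017-01-16 19:05:00
ExitAddress 999.1.1.1 2017-01-16 19:05:00'

# Read a feed on stdin; print each distinct, well-formed IPv4 exit address once.
# Unlike a bare [[:digit:]]{1,3} pattern this rejects octets above 255.
extract_exit_ips() {
    awk '
        $1 == "ExitAddress" && split($2, o, ".") == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok && !seen[$2]++) print $2
        }'
}

# Read IPs on stdin; write an ipset restore script for the set named in $1.
# Every line carries -exist so the file can be loaded again after a reboot,
# or when the set already exists, without "already exists" errors, which is
# what the thread's sed patches achieve on the output of "ipset save".
build_restore_script() {
    echo "create -exist $1 hash:net"
    sed "s/^/add -exist $1 /"
}

# Number of entries a feed would put in the set; a sanity check worth doing
# before swapping a freshly built set in over the live one.
count_exit_ips() {
    extract_exit_ips | awk 'END { print NR }'
}

# Stand-alone run: print the restore script for the constructed sample.
printf '%s\n' "$SAMPLE_FEED" | extract_exit_ips | build_restore_script "$SET_NAME"
```

To use it on the real feed, replace the sample with `wget -q -O - https://check.torproject.org/exit-addresses | extract_exit_ips | build_restore_script tor-block > /usr/src/ipset_tor-block.save` and load the file with `ipset restore < /usr/src/ipset_tor-block.save`; because of -exist this is repeatable, and the count function lets a cron job refuse to swap in a set that came back empty because the download failed.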
  • Monday, January 16 2017, 07:37 PM
    I was going to say that every time you run the script it will just add to the firewall! Replacing firewall rules is not easy. To get back to where you want to be, restart the firewall then rerun the script, but don't keep rerunning the script.

    The script adds 1080 rules (of which 60 are duplicates) which is not brilliant although IDS is adding many more. Also the firewall is not so efficient when the rule set is huge. Much better would be to use the firewall with ipset, similar to my rules. This also gets an update mechanism as you put your fresh rules into a new set then swap the new set for the old, similar to my script.

    To run a script hourly, don't bother setting up a cron job. Just put the script in /etc/cron.hourly.

    Also his script blocks the INPUT chain only. This is OK if all traffic goes through the proxy, but if you don't use the proxy you'll want to block the FORWARD chain instead and use -I and not -A in the firewall rule.
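The duplicate-rule problem discussed above, as an added example that is not part of the thread or of ClearOS: it works on iptables-save text, which is what `iptables-save > file` produces and what `iptables-restore` reads back, and shows three things: listing the rules that occur more than once, producing a cleaned dump with each rule kept once, and emitting one `iptables -D` per surplus copy so the extras can be dropped from the running firewall without a full restore. The dump is constructed to look like the symptom described (the same REJECT rule appended on every run); the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: find and remove duplicated rules in
# an iptables rule set by working on "iptables-save" text, which is the form
# you get from "iptables-save > file" and can hand back to "iptables-restore".
# The dump below is constructed to look like the symptom described in the
# thread (the same REJECT rule appended once per script run); the addresses
# are documentation ranges, not real exit nodes.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Print each rule that occurs more than once, once, the first time it repeats.
# Rules are compared as whole lines within their table, so the FORWARD copy of
# a rule is not a duplicate of the INPUT copy.
find_duplicate_rules() {
    awk '/^\*/ { table = substr($0, 2) }
         /^-A / && ++seen[table, $0] == 2'
}

# Copy of the dump with every repeated rule reduced to its first occurrence.
# Table headers, chain policies and COMMIT pass through, so the result is a
# valid input for "iptables-restore".
dedupe_dump() {
    awk '/^\*/ { table = substr($0, 2) }
         !/^-A / || !seen[table, $0]++'
}

# Emit one "iptables -D" per surplus copy, so they can be removed from the
# running firewall without a full restore. The table comes from the "*table"
# header that precedes the rules in the dump.
delete_extra_copies() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /^-A / && seen[table, $0]++ {
            rule = $0
            sub(/^-A /, "", rule)
            print "iptables -t " table " -D " rule
        }'
}

# Stand-alone run: show what the constructed dump looks like after cleaning.
printf '%s\n' "$SAMPLE_DUMP" | dedupe_dump
```

On a live box, `iptables-save | find_duplicate_rules` answers "how many copies did the script append", and `iptables-save | delete_extra_copies | sh` removes exactly the surplus copies; `iptables -D` deletes one matching rule per call, which is why one command is printed per extra occurrence rather than per rule.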
  • alahwany
    Monday, January 16 2017, 05:53 PM
    alahwany wrote:

    Finally I blocked Tor by this topic HERE,
    and I saw my iptables have been updated with Tor exit nodes from this
    TOR EXIT NODE

    But I need to know how to make this script run automatically every hour in my ClearOS Pro 6.8.
    What is the command for this?? And what do you think of this solution to block Tor, MR. NICK??


    After running the script I found it duplicates the rule each time, because I found the same IP with the same action: when the script creates the Tor exit rules from the site it makes a reject rule for each address and does not replace it if the rule was already created for the same address.

    How do I remove the duplicated rules in iptables, or where is the file so I can edit it and remove these rules?
  • alahwany
    Monday, January 16 2017, 12:27 AM
    After updating ClearOS I found a new update for Intrusion Protection Updates

    and I saw a new rule called TOR detection :D :D

    I think after this update the Tor problem has been resolved.

    Thank you very much to everyone here, and thank you very much Mr. NICK for your help; I really appreciate your effort with me.
  • alahwany
    Sunday, January 15 2017, 10:18 PM
    Finally I blocked Tor by this topic HERE,
    and I saw my iptables have been updated with Tor exit nodes from this
    TOR EXIT NODE

    But I need to know how to make this script run automatically every hour in my ClearOS Pro 6.8.
    What is the command for this?? And what do you think of this solution to block Tor, MR. NICK??
  • Sunday, January 15 2017, 07:36 PM
    The first script needs cutting down a bit. If you just want to block tor, something like:
    #!/bin/bash

    # stop here if the temp folder is missing, otherwise "mv -f * .." below would run in the wrong directory
    cd /etc/snort.d/rules/emerging_threats/temp || exit 1

    wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules

    mv -f * ..

    INPUTFILES='/etc/snort.d/rules/emerging_threats/emerging-tor.rules'

    # remove and recreate temp sets
    ipset destroy -q blocklist-temp
    ipset -N blocklist-temp iphash --exist

    for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
    for IP in $IPS; do
    ipset -A -exist blocklist-temp $IP
    done
    done
    IFS="$OLDIFS"
    done

    # ensure that ipsets exist
    ipset create blocklist iphash -exist

    # swap sets
    ipset swap blocklist blocklist-temp

    # remove temp sets
    ipset destroy -q blocklist-temp

    ipset save blocklist > /usr/src/ipset_blocklist.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save


    You'll need to create the folder /etc/snort.d/rules/emerging_threats/temp. This bit is a bit ungainly as it is cut down from a bigger script. Also I have not removed the bit which loops through the files listed as inputfiles which is unnecessary as there is only 1 file to loop through now. You could add the compromised-ips.txt bit back in (both the wget and the file in inputfiles) as it is a good block to have in any case. Put the file in either /etc/cron.daily or /etc/cron.weekly depending on how often you want it to update - I did my tor list weekly. Call it what you want but make it executable. File extensions don't mean anything.

    Make all four files executable and remove any "--hashsize 26244" as it is unnecessary but must be done everywhere. Also make sure you have wget and ipset installed.

    To test, do a "modprobe ip_set". Then run the file in cron.whatever just by putting its full name with path into the terminal. It should run without errors. Do an "ipset list blocklist" to see your TOR IP's listed. If that is OK, then restart your firewall and the firewall rules should be added. Do an "iptables -nvL" to check the rules have been added. If that works you are more or less OK, but you need to reboot and check it still works.

    If you're ambitious you could change the ipset list name from blocklist to torblock or something more memorable.
  • alahwany
    Sunday, January 15 2017, 07:00 PM
    Mr. Nick;

    Can you please tell me the steps to block Tor with your script?
    First I will use WinSCP and create a file to paste this into, but I need to know the extension of this file and where its location must be??
    #!/bin/bash

    # stop here if the temp folder is missing, otherwise "mv -f * .." below would run in the wrong directory
    cd /etc/snort.d/rules/emerging_threats/temp || exit 1

    # Execute some rules on Saturday only
    if [[ $(date +%u) = 6 ]] ; then
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_specific_apps.rules
    wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/classification.config
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config
    fi
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt
    wget -q https://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules


    mv -f * ..

    service snort restart > /dev/null




    INPUTFILES='/etc/snort.d/rules/emerging_threats/compromised-ips.txt /etc/snort.d/rules/emerging_threats/emerging-tor.rules'

    # remove and recreate temp sets
    ipset destroy -q blocklist-temp
    ipset -N blocklist-temp iphash --hashsize 26244 --exist

    for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
    for IP in $IPS; do
    ipset -A -exist blocklist-temp $IP
    done
    done
    IFS="$OLDIFS"
    done

    # ensure that ipsets exist
    ipset create blocklist iphash --hashsize 26244 -exist

    # swap sets
    ipset swap blocklist blocklist-temp

    # remove temp sets
    ipset destroy -q blocklist-temp

    ipset save blocklist > /usr/src/ipset_blocklist.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save


    Second
    go to
    /etc/sysconfig/modules
    and create a file called ip_set.modules containing:
    #!/bin/bash

    # Added by njh - see https://www.clearos.com/clearfoundation/social/community/what-is-the-best-way-to-load-the-ip_set-module#reply-136071
    modprobe ip_set



    Third
    create a file called 20-ipset_blocks in /etc/clearos/firewall.d/
    containing

    if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
    fi

    $IPTABLES -N IPSET_BLK > /dev/null 2>&1

    # ensure that ipsets exist
    ipset create blocklist iphash --hashsize 26244 -exist


    $IPTABLES -I INPUT -m state --state NEW -p tcp ! --dport 25 -j IPSET_BLK
    $IPTABLES -I INPUT -m state --state NEW -p udp -m multiport ! --dports 1194,51413 -j IPSET_BLK
    $IPTABLES -I FORWARD -m state --state NEW -j IPSET_BLK
    $IPTABLES -I OUTPUT -m state --state NEW -p tcp -m multiport ! --dports 25,53 -j IPSET_BLK
    $IPTABLES -I OUTPUT -m state --state NEW -p udp ! --dport 53 -j IPSET_BLK


    $IPTABLES -I IPSET_BLK -m set --match-set blocklist src -j DROP
    $IPTABLES -I IPSET_BLK -m set --match-set blocklist dst -j DROP


    Fourth
    edit this file /etc/rc.d/rc.local and make it:

    # Load in all previously saved ipset sets
    if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
    fi

    for file in /usr/src/ipset_*.save ; do
    ipset restore < $file
    done


    Are these steps right, MR. Nick? Or can you please teach me to do it this way for the Tor block?
  • alahwany
    Friday, January 13 2017, 04:18 PM
    Asad Zia Siddiqui wrote:

    You can block it by using two methods
    1) By using extension used by said browser
    2) By using specific IP used by said browser

    Both can be done by defining acls


    Can you please tell me how to do it? Especially no. 1, by using the extension?
  • Tuesday, December 27 2016, 04:48 AM
    You can block it by using two methods
    1) By using extension used by said browser
    2) By using specific IP used by said browser

    Both can be done by defining acls
  • alahwany
    Monday, November 28 2016, 05:40 PM
    Thank you Mr. Nick Howitt, for your reply to me.

    Yes, you are right about group policy under a domain controller environment, but in my work we don't have it now and my plan is to set it up ASAP.

    I think the best solution is the new tool Protocol and Application Filters; I will try it to see what's new with it.

    Thank you very much my friend
  • Monday, November 28 2016, 09:07 AM
    I think blocking browsers comes down to Windoze Group Policies blocking user installations but I am not sure if that will totally help. There are browser addons for Firefox which allow VPN connections, for example. I don't know if you can block these through group policy by blocking changes to the proxy settings. It is way beyond my knowledge.

    [edit]
    Have a look at the Protocol and Application Filters and see if they'll help (but the links are broken in the thread :( ).
    [/edit]
  • alahwany
    Monday, November 28 2016, 03:10 AM
    Thank you Mr. Nick Howitt,

    but this solution I can't make on my server because there are many files that must be edited; also my level with Linux is not expert, and if I edited them and found other problems on my work I couldn't fix them and would have to restore a backup if I failed. I think I must try it in a test environment first.

    Is there any solution to block all browser applications except Google Chrome & Firefox & Internet Explorer?
    I mean deny any traffic from web browsers except my legal browsers in my work environment.

    Because I think there are many applications my employees can find to open the blocked sites via my proxy method.

    If you have any idea to make a strong rule for it please tell me and I will appreciate your effort with me.

    Thank you very much
  • Sunday, November 27 2016, 07:38 PM
    Emerging threats carry a list of TOR routers and exit points here. Snort is not a good blocking tool for what should essentially be firewall blocks. It is possible to parse this rule set to pick out just the TOR exit points and feed the IP's into an ipset set. You then use the ipset set in a firewall rule. Ipset sets are much more efficient at blocking than plain iptables rules.

    I effectively do it with this cron.daily job (which does much more):
    #!/bin/bash

    # stop here if the temp folder is missing, otherwise "mv -f * .." below would run in the wrong directory
    cd /etc/snort.d/rules/emerging_threats/temp || exit 1

    # Execute some rules on Saturday only
    if [[ $(date +%u) = 6 ]] ; then
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_specific_apps.rules
    wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/classification.config
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config
    fi
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt
    wget -q https://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules


    mv -f * ..

    service snort restart > /dev/null




    INPUTFILES='/etc/snort.d/rules/emerging_threats/compromised-ips.txt /etc/snort.d/rules/emerging_threats/emerging-tor.rules'

    # remove and recreate temp sets
    ipset destroy -q blocklist-temp
    ipset -N blocklist-temp iphash --hashsize 26244 --exist

    for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
    for IP in $IPS; do
    ipset -A -exist blocklist-temp $IP
    done
    done
    IFS="$OLDIFS"
    done

    # ensure that ipsets exist
    ipset create blocklist iphash --hashsize 26244 -exist

    # swap sets
    ipset swap blocklist blocklist-temp

    # remove temp sets
    ipset destroy -q blocklist-temp

    ipset save blocklist > /usr/src/ipset_blocklist.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save

    You need to load ip_set, perhaps with a file like /etc/sysconfig/modules/ip_set.modules with:
    #!/bin/bash

    # Added by njh - see https://www.clearos.com/clearfoundation/social/community/what-is-the-best-way-to-load-the-ip_set-module#reply-136071
    modprobe ip_set
    This will load ip_set at boot up if you make the file executable. You can also "modprobe ip_set" manually.

    You then need a firewall rule. I have /etc/clearos/firewall.d/20-ipset_blocks, and a subset of it is:
    if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
    fi

    $IPTABLES -N IPSET_BLK > /dev/null 2>&1

    # ensure that ipsets exist
    ipset create blocklist iphash --hashsize 26244 -exist


    $IPTABLES -I INPUT -m state --state NEW -p tcp ! --dport 25 -j IPSET_BLK
    $IPTABLES -I INPUT -m state --state NEW -p udp -m multiport ! --dports 1194,51413 -j IPSET_BLK
    $IPTABLES -I FORWARD -m state --state NEW -j IPSET_BLK
    $IPTABLES -I OUTPUT -m state --state NEW -p tcp -m multiport ! --dports 25,53 -j IPSET_BLK
    $IPTABLES -I OUTPUT -m state --state NEW -p udp ! --dport 53 -j IPSET_BLK


    $IPTABLES -I IPSET_BLK -m set --match-set blocklist src -j DROP
    $IPTABLES -I IPSET_BLK -m set --match-set blocklist dst -j DROP
    Lastly I've made /etc/rc.d/rc.local executable and in it I've put:
    # Load in all previously saved ipset sets
    if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
    fi

    for file in /usr/src/ipset_*.save ; do
    ipset restore < $file
    done
    So the ipset sets reload automatically on reboot. I "modprobe ip_set" everywhere as I have no idea which one runs first but it has to be loaded before any ipset command is executed.

    This won't help you with other VPN software.
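The IP extraction step of the cron job above (and of the cut-down version of it earlier in the thread), isolated as an added example that is not part of the thread or of ClearOS: it applies the same filters the script's sed command does (drop blank lines, comments, udp duplicates and the "Relay/Router (Not Exit)" groups), splits the [a,b,c] address lists, keeps only dotted quads and removes repeats, so the list can be inspected and counted on any machine, without wget, ipset or root, before a fresh set is swapped in. The rule lines are constructed in the shape that sed command expects, with documentation-range addresses; they are not the real Emerging Threats feed. [[:space:]] replaces the GNU-only \s so the expression also runs under a non-GNU sed.

```shell
#!/bin/sh
# Added example, not code from the thread: the IP extraction step of the
# cron job above, isolated so it can be run on a local file without wget,
# ipset or root. It applies the same filters the script's sed command does
# (drop blanks, comments, udp duplicates and "Relay/Router (Not Exit)"
# groups), splits the [a,b,c] address lists and de-duplicates, so you can
# count what would land in the set before swapping it in.
# The rule lines below are constructed in the shape that sed command expects,
# with documentation-range addresses; they are not the real ET feed.

SAMPLE_RULES='# Constructed sample, not the Emerging Threats feed
alert tcp [198.51.100.7,203.0.113.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; sid:9000001; rev:1;)
alert udp [198.51.100.7,203.0.113.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node UDP Traffic group 1"; sid:9000002; rev:1;)

alert tcp [192.0.2.10,203.0.113.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; sid:9000003; rev:1;)
alert tcp [192.0.2.99,192.0.2.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; sid:9000004; rev:1;)'

# Rules text on stdin; distinct exit-node IPv4 addresses on stdout, one per
# line, in first-seen order. [[:space:]] is used instead of sed's \s so the
# expression also works with non-GNU sed. The grep keeps only dotted quads,
# so a line without an [address list] cannot leak into the set as garbage.
extract_et_exit_ips() {
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router (Not[[:space:]]Exit)/d; s/^.*\[//; s/\].*//' \
        | tr ',' '\n' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | awk '!seen[$0]++'
}

# Relay-only groups the filter discards; the gap between these and the exit
# addresses is why a relay list and an exit list differ in size.
count_relay_groups() {
    grep -c 'Relay/Router (Not Exit)'
}

# Number of entries that would go into the ipset set.
count_exit_ips() {
    extract_et_exit_ips | awk 'END { print NR }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | extract_et_exit_ips
```

Running `extract_et_exit_ips < /etc/snort.d/rules/emerging_threats/emerging-tor.rules | wc -l` after a download, and comparing with `ipset list blocklist | grep -c '^[0-9]'`, is a quick way to confirm that the swap put the expected number of addresses into the live set.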