Hello,
Can anyone share any idea about blocking Tor browsing?
I am using ClearOS with the web proxy for web filtration, but I found some employees can access YouTube and other blocked sites over the Tor browser!!
I have tried this browser and it's working very nicely and opened all blocked sites smoothly.
Is there any way to block this application when a user starts browsing with it?
Is there any way to block all web browser applications and allow only Google Chrome, Firefox and Internet Explorer to browse sites?
Is there any solution that can fix this problem and make the security stronger?
Thank you very much
Responses (13)
Accepted Answer
This script should make you an ipset set called tor-block, and it can be run from cron.hourly. You'll need to modify the other three scriptlets to make it fully working.

#!/bin/bash
# Fetch the current Tor exit list and rebuild the tor-block ipset set from it
wget -q -O /usr/src/torexitnodes https://check.torproject.org/exit-addresses
ipset destroy -q tor-block-temp
ipset -N tor-block-temp nethash -exist
ipset -N tor-block nethash -exist
for IP in $(grep ExitAddress /usr/src/torexitnodes | cut -d ' ' -f 2); do
    CLEANIP=$(echo "$IP" | grep -Eo '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}(/[[:digit:]]{1,2})?')
    # quote the variable: an unquoted empty $CLEANIP turns the test into "[ -n ]", which is true
    if [ -n "$CLEANIP" ]; then
        ipset -A -exist tor-block-temp "$CLEANIP"
    fi
done
# swap sets
ipset swap tor-block tor-block-temp
# ensure that temp sets do not exist
ipset destroy -q "tor-block-temp"
ipset save tor-block > /usr/src/ipset_tor-block.save
sed -i 's/create/create -exist/g' /usr/src/ipset_tor-block.save
sed -i 's/add/add -exist/g' /usr/src/ipset_tor-block.save

Note, the ET list had 801 IPs and this has 1020. Which do you believe? :S
Accepted Answer
I was going to say that every time you run the script it will just add to the firewall! Replacing firewall rules is not easy. To get back to where you want to be, restart the firewall then rerun the script, but don't keep rerunning the script.
The script adds 1080 rules (of which 60 are duplicates) which is not brilliant although IDS is adding many more. Also the firewall is not so efficient when the rule set is huge. Much better would be to use the firewall with ipset, similar to my rules. This also gets an update mechanism as you put your fresh rules into a new set then swap the new set for the old, similar to my script.
To run a script hourly, don't bother setting up a cron job. Just put the script in /etc/cron.hourly.
Also his script blocks the INPUT chain only. This is OK if all traffic goes through the proxy, but if you don't use the proxy you'll want to block the FORWARD chain instead and use -I and not -A in the firewall rule.
Accepted Answer
alahwany wrote:
finally I blocked Tor by this topic HERE
and I saw my iptables has been updated with the Tor exit nodes from this
TOR EXIT NODE
but I need to know how to make this script run automatically every hour in my ClearOS Pro 6.8.
what is the command for this?? and what do you think of this solution to block Tor, Mr. NICK??
After running the script I found it duplicates the rule each time, because I found the same IP with the same action, so when the script creates the Tor exit rules from the site it makes a reject rule for each address and does not replace it if this rule was already created for the same address.
How do I remove the duplicated rules in iptables, or where is this file so I can edit it and remove these rules?
Accepted Answer
After updating ClearOS I found a new update for Intrusion Protection Updates
and I saw a new rule called TOR detection.
I think after this update the Tor problem has been resolved.
Thank you very much to everyone here and thank you very much to Mr. NICK for your help; I really appreciate your effort with me.
Accepted Answer
finally I blocked Tor by this topic HERE
and I saw my iptables has been updated with the Tor exit nodes from this
TOR EXIT NODE
but I need to know how to make this script run automatically every hour in my ClearOS Pro 6.8.
what is the command for this?? and what do you think of this solution to block Tor, Mr. NICK??
Accepted Answer
The first script needs cutting down a bit. If you just want to block tor, something like:

#!/bin/bash
# Download the ET Tor rule set, extract the exit-node IPs and rebuild the blocklist ipset set
cd /etc/snort.d/rules/emerging_threats/temp || exit 1
wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
mv -f * ..
INPUTFILES='/etc/snort.d/rules/emerging_threats/emerging-tor.rules'
# remove and recreate temp sets
ipset destroy -q blocklist-temp
ipset -N blocklist-temp iphash --exist
for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    # drop blank, comment, udp and relay-only lines, then keep the [ip,ip,...] list between the brackets
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
        for IP in $IPS; do
            ipset -A -exist blocklist-temp $IP
        done
    done
    IFS="$OLDIFS"
done
# ensure that ipsets exist
ipset create blocklist iphash -exist
# swap sets
ipset swap blocklist blocklist-temp
# remove temp sets
ipset destroy -q blocklist-temp
ipset save blocklist > /usr/src/ipset_blocklist.save
sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
You'll need to create the folder /etc/snort.d/rules/emerging_threats/temp. This bit is a bit ungainly as it is cut down from a bigger script. Also I have not removed the bit which loops through the files listed as inputfiles which is unnecessary as there is only 1 file to loop through now. You could add the compromised-ips.txt bit back in (both the wget and the file in inputfiles) as it is a good block to have in any case. Put the file in either /etc/cron.daily or /etc/cron.weekly depending on how often you want it to update - I did my tor list weekly. Call it what you want but make it executable. File extensions don't mean anything.
Make all four files executable and remove any "--hashsize 26244" as it is unnecessary but must be done everywhere. Also make sure you have wget and ipset installed.
To test, do a "modprobe ip_set". Then run the file in cron.whatever just by putting its full name with path into the terminal. It should run without errors. Do an "ipset list blocklist" to see your TOR IP's listed. If that is OK, then restart your firewall and the firewall rules should be added. Do an "iptables -nvL" to check the rules have been added. If that works you are more or less OK, but you need to reboot and check it still works.
If you're ambitious you could change the ipset list name from blocklist to torblock or something more memorable.
Accepted Answer
Mr. Nick,
can you please tell me the steps to block Tor with your script?
First I will use WinSCP and create a file to paste this into, but I need to know the extension of this file and where its location must be:
#!/bin/bash
cd /etc/snort.d/rules/emerging_threats/temp || exit 1
# Execute some rules on Saturday only
if [[ $(date +%u) = 6 ]] ; then
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_specific_apps.rules
    wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/classification.config
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config
fi
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt
wget -q https://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules
mv -f * ..
service snort restart > /dev/null
INPUTFILES='/etc/snort.d/rules/emerging_threats/compromised-ips.txt /etc/snort.d/rules/emerging_threats/emerging-tor.rules'
# remove and recreate temp sets
ipset destroy -q blocklist-temp
ipset -N blocklist-temp iphash --hashsize 26244 --exist
for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
        for IP in $IPS; do
            ipset -A -exist blocklist-temp $IP
        done
    done
    IFS="$OLDIFS"
done
# ensure that ipsets exist
ipset create blocklist iphash --hashsize 26244 -exist
# swap sets
ipset swap blocklist blocklist-temp
# remove temp sets
ipset destroy -q blocklist-temp
ipset save blocklist > /usr/src/ipset_blocklist.save
sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
Second,
go to
/etc/sysconfig/modul
and create a file called ip_set.modules containing:
#!/bin/bash
# Added by njh - see https://www.clearos.com/clearfoundation/social/community/what-is-the-best-way-to-load-the-ip_set-module#reply-136071
modprobe ip_set
Third,
create a file called 20-ipset_blocks in /etc/clearos/firewall.d/
containing:
if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi
$IPTABLES -N IPSET_BLK > /dev/null 2>&1
# ensure that ipsets exist
ipset create blocklist iphash --hashsize 26244 -exist
$IPTABLES -I INPUT -m state --state NEW -p tcp ! --dport 25 -j IPSET_BLK
$IPTABLES -I INPUT -m state --state NEW -p udp -m multiport ! --dports 1194,51413 -j IPSET_BLK
$IPTABLES -I FORWARD -m state --state NEW -j IPSET_BLK
$IPTABLES -I OUTPUT -m state --state NEW -p tcp -m multiport ! --dports 25,53 -j IPSET_BLK
$IPTABLES -I OUTPUT -m state --state NEW -p udp ! --dport 53 -j IPSET_BLK
$IPTABLES -I IPSET_BLK -m set --match-set blocklist src -j DROP
$IPTABLES -I IPSET_BLK -m set --match-set blocklist dst -j DROP
Fourth,
edit the file /etc/rc.d/rc.local and make it:
# Load in all previously saved ipset sets
if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi
for file in /usr/src/ipset_*.save ; do
    ipset restore < "$file"
done
Are these steps right, Mr. Nick? Or can you please teach me how to do this for the Tor block?
Accepted Answer
Thank you Mr. Nick Howitt, for your reply to me.
Yes, you are right about group policy under a domain controller environment, but at my work we don't have it now and my plan is to make it ASAP.
I think the best solution is the new Protocol and Application Filters tool; I will try it to see what's new with it.
Thank you very much my friend
Accepted Answer
I think blocking browsers comes down to Windoze Group Policies blocking user installations but I am not sure if that will totally help. There are browser addons for Firefox which allow VPN connections, for example. I don't know if you can block these through group policy by blocking changes to the proxy settings. It is way beyond my knowledge.
[edit]
Have a look at the Protocol and Application Filters and see if they'll help (but the links are broken in the thread).
[/edit]
Accepted Answer
Thank you Mr. Nick Howitt,
but I can't do this solution on my server because there are many files that must be edited, and also my level with Linux is not expert; if I edit it and find other problems at my work I can't fix them and must restore a backup if I fail. I think I must try it in a test environment first.
Is there any solution to block all browser applications except Google Chrome & Firefox & Internet Explorer?
I mean deny any traffic from web browsers except my legal browsers in my work environment,
because I think there are many applications my employees can find to open the blocked sites via my proxy method.
If you have any idea to make a strong rule for it please tell me and I will appreciate your effort with me.
Thank you very much
Accepted Answer
Emerging Threats carry a list of TOR routers and exit points here. Snort is not a good blocking tool for what should essentially be firewall blocks. It is possible to parse this rule set to pick out just the TOR exit points and feed the IPs into an ipset set. You then use the ipset set in a firewall rule. Ipset sets are much more efficient at blocking than plain iptables rules.
I effectively do it with this cron.daily job (which does much more):

#!/bin/bash
# Fetch the ET rule sets (the slow-changing ones on Saturdays only), restart snort,
# then rebuild the blocklist ipset set from the compromised-ips and tor lists
cd /etc/snort.d/rules/emerging_threats/temp || exit 1
# Execute some rules on Saturday only
if [[ $(date +%u) = 6 ]] ; then
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_specific_apps.rules
    wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/classification.config
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config
fi
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt
wget -q https://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules
mv -f * ..
service snort restart > /dev/null
INPUTFILES='/etc/snort.d/rules/emerging_threats/compromised-ips.txt /etc/snort.d/rules/emerging_threats/emerging-tor.rules'
# remove and recreate temp sets
ipset destroy -q blocklist-temp
ipset -N blocklist-temp iphash --hashsize 26244 --exist
for INPUTFILE in $INPUTFILES; do
    OLDIFS="$IFS"
    IFS=","
    # drop blank, comment, udp and relay-only lines, then keep the [ip,ip,...] list between the brackets
    sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
        for IP in $IPS; do
            ipset -A -exist blocklist-temp $IP
        done
    done
    IFS="$OLDIFS"
done
# ensure that ipsets exist
ipset create blocklist iphash --hashsize 26244 -exist
# swap sets
ipset swap blocklist blocklist-temp
# remove temp sets
ipset destroy -q blocklist-temp
ipset save blocklist > /usr/src/ipset_blocklist.save
sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
You need to load ip_set, perhaps with a file like /etc/sysconfig/modules/ip_set.modules with:

#!/bin/bash
# Added by njh - see https://www.clearos.com/clearfoundation/social/community/what-is-the-best-way-to-load-the-ip_set-module#reply-136071
modprobe ip_set

This will load ip_set at boot up if you make the file executable. You can also "modprobe ip_set" manually.
You then need a firewall rule. I have /etc/clearos/firewall.d/20-ipset_blocks, and a subset of it is:

if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi
$IPTABLES -N IPSET_BLK > /dev/null 2>&1
# ensure that ipsets exist
ipset create blocklist iphash --hashsize 26244 -exist
# send new connections (other than the excluded ports) through the IPSET_BLK chain
$IPTABLES -I INPUT -m state --state NEW -p tcp ! --dport 25 -j IPSET_BLK
$IPTABLES -I INPUT -m state --state NEW -p udp -m multiport ! --dports 1194,51413 -j IPSET_BLK
$IPTABLES -I FORWARD -m state --state NEW -j IPSET_BLK
$IPTABLES -I OUTPUT -m state --state NEW -p tcp -m multiport ! --dports 25,53 -j IPSET_BLK
$IPTABLES -I OUTPUT -m state --state NEW -p udp ! --dport 53 -j IPSET_BLK
# drop anything whose source or destination is in the blocklist set
$IPTABLES -I IPSET_BLK -m set --match-set blocklist src -j DROP
$IPTABLES -I IPSET_BLK -m set --match-set blocklist dst -j DROP

Lastly I've made /etc/rc.d/rc.local executable and in it I've put:

# Load in all previously saved ipset sets
if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi
for file in /usr/src/ipset_*.save ; do
    ipset restore < "$file"
done

So the ipset sets reload automatically on reboot. I "modprobe ip_set" everywhere as I have no idea which one runs first but it has to be loaded before any ipset command is executed.
This won't help you with other VPN software.
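The two list formats parsed in this thread (the check.torproject.org exit-addresses file in the cron.hourly script and the ET emerging-tor.rules file in the script above) can be validated and loaded in one atomic "ipset restore" batch instead of one "ipset -A" call per address. This is an added example, not code from the thread or from ClearOS; the set name tor-block and the sample lines are constructed, and it assumes ipset 6 syntax (hash:net).

```shell
#!/bin/sh
# Added example (not from the thread): set name and sample data below are assumed.

# Accept only syntactically valid IPv4 addresses or CIDRs (octets 0-255, prefix 0-32).
valid_ipv4() {
    echo "$1" | awk -F'[./]' '
        NF < 4 || NF > 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Format 1: check.torproject.org/exit-addresses ("ExitAddress <ip> <timestamp>").
parse_exit_addresses() {
    awk '$1 == "ExitAddress" { print $2 }' | while read -r ip; do
        valid_ipv4 "$ip" && echo "$ip"
    done | sort -u
}

# Format 2: ET tor rules ("alert ip [ip,ip,...] any -> ..."); relay-only and
# comment lines are skipped, as the thread's sed expression does.
parse_et_rules() {
    grep -v 'Relay/Router (Not Exit)' | grep -v '^#' |
        sed -n 's/^[^[]*\[\([^]]*\)].*/\1/p' | tr ',' '\n' | while read -r ip; do
        valid_ipv4 "$ip" && echo "$ip"
    done | sort -u
}

# Emit a batch for "ipset restore": fill a temp set, swap it in, drop the temp.
# Refuses an empty list so a failed download cannot silently clear the block.
make_restore_batch() {   # $1 = set name; validated entries on stdin
    entries=$(cat)
    [ -n "$entries" ] || return 1
    echo "create -exist $1 hash:net"
    echo "create -exist $1-temp hash:net"
    printf '%s\n' "$entries" | sed "s/^/add -exist $1-temp /"
    echo "swap $1 $1-temp"
    echo "destroy $1-temp"
}

# Constructed sample input (not real list content) in both formats.
SAMPLE_EXIT='ExitNode ABCDEF
ExitAddress 203.0.113.7 2016-01-01 00:00:00
ExitAddress 999.1.1.1 2016-01-01 00:00:00
ExitAddress 203.0.113.7 2016-01-01 01:00:00'
SAMPLE_ET='# Tor Relay/Router (Not Exit)
alert ip [198.51.100.1,198.51.100.2] any -> $HOME_NET any (msg:"Tor Relay/Router (Not Exit)"; sid:1;)
alert ip [198.51.100.9,203.0.113.0/24] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node"; sid:2;)'
```

Pipe either parser into make_restore_batch and then into "ipset restore"; because the batch is refused when the list is empty, a failed download leaves the existing set untouched.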