Author Topic: Block Ultra Surf  (Read 5358 times)

brunodada

Block Ultra Surf
« on: June 21, 2012, 01:28:01 am »
Hello, as I know my colleagues, I need a way to block Ultra Surf, because I know they are going to use it! I need help from you with this! I await answers ...

brunodada

Re: Block Ultra Surf
« Reply #1 on: June 22, 2012, 08:26:05 pm »
Anyone?

Tymanthius

Re: Block Ultra Surf
« Reply #2 on: June 24, 2012, 10:23:11 pm »
I briefly looked at UltraSurf's website. As they use their own dedicated servers, you could possibly set up IP blocking/DNS blocking so that even if they bring in the US client on a USB stick, they still couldn't even get to the US servers.

No idea how to implement this myself, but it's a thought.

brunodada

Re: Block Ultra Surf
« Reply #3 on: June 25, 2012, 07:33:33 pm »
Well, I looked but could not find anything very useful. If someone could help me, I look forward to it!

robb

  • Guest
Re: Block Ultra Surf
« Reply #4 on: June 25, 2012, 09:53:54 pm »
Find out the IP addresses of ultrasurf and block those in your firewall...

/edit: more or less what Tymanthius said.
//edit: here is some more info: http://wiki.mikrotik.com/wiki/How_to_Detect_and_Block_UltraSurf_program_traffic
You can set up group policy that takes away the permission to adjust proxy settings in IE.

btw, I don't know in what kind of situation you are, but over here in .nl and .be when an employee gets caught bypassing company policies, he risks being fired at once. This said, you might want to communicate to your users that using this kind of software is illegal and not tolerated. Playing cat and mouse is imo not the way to deal with this kind of issue.
« Last Edit: June 25, 2012, 10:00:39 pm by robb »

Tymanthius

Re: Block Ultra Surf
« Reply #5 on: June 26, 2012, 04:43:25 am »

> btw, I don't know in what kind of situation you are, but over here in .nl and .be when an employee gets caught bypassing company policies, he risks being fired at once. This said, you might want to communicate to your users that using this kind of software is illegal and not tolerated. Playing cat and mouse is imo not the way to deal with this kind of issue.

Illegal might be the wrong word.  As you're in nl, I'm assuming English is a 2nd language (congratulations - I only have 1).  Illegal means against the law.  What you are describing is against company policy. Illegal could get you put in jail.  Company policy could get you fired. 



In a country where something like UltraSurf is illegal, I fully support its use. But using it at work b/c you want to view YouTube, or whatever, I don't support.

robb

  • Guest
Re: Block Ultra Surf
« Reply #6 on: June 26, 2012, 07:45:09 am »
Well, the wording might be a bit strong, but yes I meant it would make the use against company policy. That would make its use within the company illegal/forbidden in the company.

Anyway, I think we both try to say the same. Personally I would make it clear that bypassing company proxy settings and bypassing company security settings would compromise the IT environment of the company.
Sometimes explaining why a certain rule is enforced often creates more understanding and goodwill to stay with company rules. But also explain that violation will have severe consequences. Being clear (and strict) in this is important.

In the meanwhile, google on 'block ultrasurf' and you get a LOT of hits. Some more useful than others, but there are options to block.

he-jimenez

Re: Block Ultra Surf
« Reply #7 on: June 26, 2012, 05:28:29 pm »
Hi zentyal fan lovers  ;D

I made a bash script to block ultrasurf sites. It works for me:

1. Download the script
2. Put it in /root or wherever you want
3. Execute like this: sudo /path_to_file/ultrasurf.sh

And that's it!

I hope this helps you

From Mexico HEJ

robb

  • Guest
Re: Block Ultra Surf
« Reply #8 on: June 26, 2012, 05:34:33 pm »
Hello he-jimenez,
I see in your script that you block quite a large amount of Class A subnets. Are you sure you do not block too many IP addresses? (block IP addresses that do not belong to ultrasurf)
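
As an added example (not he-jimenez's script, which is not reproduced on this page), one way to check a CIDR blocklist for the over-blocking robb asks about: flag very broad prefixes, entries already covered by another entry, and collisions with addresses that must stay reachable. All prefixes, host names and addresses below are constructed sample values, and `audit_blocklist` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data: private and documentation ranges standing in for a
# real blocklist. None of these are UltraSurf addresses.
BLOCKLIST = ["10.0.0.0/8", "198.51.100.0/24", "198.51.100.128/25", "203.0.113.7/32"]
# Hypothetical destinations the business needs (for example online banking).
MUST_REACH = {"bank.example": "10.20.30.40", "mail.example": "192.0.2.25"}


def audit_blocklist(blocklist, must_reach, min_prefix=16):
    """Report over-broad, redundant and colliding entries in a CIDR blocklist."""
    nets = [ipaddress.ip_network(cidr) for cidr in blocklist]
    report = {"too_broad": [], "redundant": [], "collisions": []}

    for net in nets:
        # A /8 ("Class A") covers about 16.7 million addresses; anything wider
        # than min_prefix is flagged for manual review.
        if net.prefixlen < min_prefix:
            report["too_broad"].append(str(net))
        # An entry fully inside another entry only adds firewall rules.
        for other in nets:
            if net != other and net.version == other.version and net.subnet_of(other):
                report["redundant"].append((str(net), str(other)))

    # Merge overlapping entries so every blocked address is counted once.
    merged = list(ipaddress.collapse_addresses(nets))
    report["addresses_blocked"] = sum(n.num_addresses for n in merged)

    # Any must-reach address inside a blocked range is collateral damage.
    for name, addr in must_reach.items():
        ip = ipaddress.ip_address(addr)
        for net in merged:
            if ip in net:
                report["collisions"].append((name, addr, str(net)))
    return report


if __name__ == "__main__":
    for key, value in audit_blocklist(BLOCKLIST, MUST_REACH).items():
        print(f"{key}: {value}")
```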

Escorpiom

Re: Block Ultra Surf
« Reply #9 on: June 28, 2012, 02:12:23 pm »
Please take into account that blocking large ranges of IP addresses with the firewall will cause problems in the current Zentyal 2.2.
We have tried something similar with Facebook and while the blocking was effective, the firewall couldn't handle it and terminates all connections while saving.
Moreover, saving takes considerably longer when blocking IP ranges.

That said, in some situations like transparent proxy the only way to block services like Ultrasurf is to close all https ports and use whitelisting for the services you need.
Another method is deep https packet inspection, but this is not yet implemented in Zentyal.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

he-jimenez

Re: Block Ultra Surf
« Reply #10 on: August 31, 2012, 09:19:06 pm »
Hi everybody!!


I know, I know that it has large IP blocks, but it works for me! I have a Zentyal as a transparent proxy and I can't block the HTTPS port because many banks run over HTTPS...

At the moment it works very well for me. My Zentyal box runs without problems. And I have the same situation with Facebook on HTTPS...


Any comments?


May the force be with you!

brunodada

Re: Block Ultra Surf
« Reply #11 on: September 10, 2012, 10:31:20 pm »

robb

  • Guest
Re: Block Ultra Surf
« Reply #12 on: September 10, 2012, 11:09:00 pm »
Gracias brunodada,
After translating the blogpost I think it might be THE solution for 'dynamic' IP blocks like seemingly necessary for a 'service' like UltraSurf.

Thank you for mentioning this here. Maybe someone can create something automated or even a (community) module for Zentyal that implements this?

Escorpiom

Re: Block Ultra Surf
« Reply #13 on: September 11, 2012, 05:50:34 am »
brunodada says it did not work for him.

Keep in mind that it is not Ultrasurf that is being blocked, but the user trying to use that service.
In other words, if you have a client on your network say 192.168.1.20 who is trying to use Ultrasurf, he will be denied all network access for x amount of time.
That said, after reading on the fail2ban homepage, this kind of blocking is mainly used to block attackers from the outside, not so much from the local network.

This method MAY be used to deny access to Facebook, Ultrasurf, Windows Live and other services, but it's like punishing users for their bad habits.

Cheers.

christian

  • Guest
Re: Block Ultra Surf
« Reply #14 on: September 11, 2012, 07:57:55 am »
Adding mine on top of Escorpiom's comments:
- what is blocked here is not "user" (notice what, not who  ;)), meaning if user can change his IP address, then he will get access again and not be really "punished" (assuming this is the goal  ::)). However access to UltraSurf is denied  :)
- why all this quite complex solution while moving from transparent to explicit proxy should do the trick (well I need to read a bit more about UltraSurf in order to be 100% sure of what I state here  :-\)
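
The time-limited client ban discussed in replies #13 and #14, as an added example that is not code from the thread or from the linked blog post: it applies fail2ban's `maxretry` / `findtime` / `bantime` logic to firewall log lines and shows that the ban follows the IP address, not the person. The log lines are constructed, and the `ULTRASURF:` log prefix and the `plan_bans` helper are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines. "ULTRASURF:" is an assumed iptables --log-prefix on a
# rule that matches suspected UltraSurf traffic; every address is a sample value.
LOG = """\
Sep 11 05:50:01 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 05:50:09 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP DPT=443
Sep 11 05:50:30 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 05:51:00 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 05:55:00 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 05:55:30 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.8 PROTO=TCP DPT=80
Sep 11 05:56:00 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 05:56:05 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 PROTO=TCP DPT=443
Sep 11 05:56:10 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 PROTO=TCP DPT=443
Sep 11 06:10:00 gw kernel: ULTRASURF: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.5 PROTO=TCP DPT=443
"""
HIT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: ULTRASURF: .*?\bSRC=([\d.]+)")


def plan_bans(log_text, maxretry=3, findtime=600, bantime=3600, year=2012):
    """Return (client_ip, banned_at, banned_until) for each ban the log triggers."""
    hits = defaultdict(deque)   # client IP -> timestamps of recent hits
    banned_until = {}           # client IP -> end of its current ban
    bans = []
    for line in log_text.splitlines():
        m = HIT.match(line)
        if not m:
            continue            # traffic that did not hit the detection rule
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(2)
        if src in banned_until and ts < banned_until[src]:
            continue            # already banned, nothing new to decide
        window = hits[src]
        window.append(ts)
        # Only hits inside the last `findtime` seconds count towards a ban.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[src] = end
            bans.append((src, ts.isoformat(sep=" "), end.isoformat(sep=" ")))
            window.clear()
    return bans


if __name__ == "__main__":
    for ban in plan_bans(LOG):
        print(ban)
```

In the sample, 192.168.1.77 stands for the same machine after changing its address: it starts with a clean counter, which is christian's point that the ban is tied to the address and not to the user.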