Bloquear KaZaA |
Article by saaib on 2003-06-18 11:38:03. Source: Sheng Long Gradilla (Email)
From: Sheng Long
>Okay, let's see if it works :P
>Some testing will be needed. It's not a direct solution as such,
>but these are concrete comments.
>
>Those sons of bitches at Kazaa keep changing things all the time to
>get around the fixes of network admins who just want to
>work in peace.
=================================
Block Kazaa ports using Cisco NBAR. NBAR is a heck of a lot better than CAR considering it blocks Kazaa 2
traffic completely. That POS can't even default to port 80 without NBAR dropping its packets. I'm posting this
config because NBAR is not very well known or documented. I came up with this config myself & it is a
lifesaver. Kazaa can kiss my ass!!! Enjoy!
Assuming you're using Cisco Routers, download the IP PLUS IOS v12.2(13)T1. Make sure you have at least 16megs of
Flash & 64megs of RAM. Purchase your upgrades from www.crucial.com considering Cisco rips you off w/ the same
memory.
Upgrade the IOS & add the following lines to your config:
ip cef
!
class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol napster
match protocol http url \.hash=*
match protocol http url /.hash=*
match protocol kazaa2
!
!
policy-map p2p
class p2p
police cir 8000 bc 1500 be 1500
conform-action drop
exceed-action drop
THEN, add the following to both of your incoming & outgoing Router Interfaces: (You only need to apply it to
one but its just personal preference)
interface FastEthernet0/0
ip nbar protocol-discovery
service-policy input p2p
!
interface FastEthernet0/1
ip nbar protocol-discovery
service-policy output p2p
!
=================================
Great. Hope it works out. I've actually experimented further & have modified the config accordingly:
ip cef
!
class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol napster
match protocol http url "\.hash=*"
match protocol http url "/.hash=*"
match protocol kazaa2
!
!
policy-map p2p
class p2p
police cir 8000 bc 1500 be 1500
conform-action drop
exceed-action drop
THEN, add the following to both your internal or external Router Interface (I prefer internal):
interface FastEthernet0/0
ip nbar protocol-discovery
service-policy input p2p
service-policy output p2p
!
========================
Some modern firewall software has better protection for P2P and IM. CheckPoint FW-1 (NG FP3) for example, has
built in filters for ICQ, KaZaa, gnutella, MSN and others, most of this seems to be from matching the headers -
e.g. using the details posted above.
========================
Hello Spoofed packets... see my previous post - most IDS software can now detect P2P traffic, even the HTTP
based stuff has very obvious headers, you can then get the IDS to issue a TCP RST or whichever kill mechanism
it uses to drop the traffic.
Plus firewall vendors are picking up on this too, e.g. SmartDefence in CheckPoint FW-1.
=================
X-Kazaa-Username
X-Kazaa-Network
X-Kazaa-IP
=================
I'm trying like hell to get Kazaa to stop connecting successfully...
Whatever I do, blocking port 1214 in ANY possible way, it still resists
and connects successfully, even with those firewall rules
iptables -A FORWARD -m string --string "X-Kazaa-Username:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-Network:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-IP:" -j DROP
iptables -A FORWARD -m string --string "X-Kazaa-SupernodeIP" -j DROP
iptables -A FORWARD -m string --string "Kazaa" -j DROP
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere STRING match = X-Kazaa-Username:
DROP all -- anywhere anywhere STRING match = X-Kazaa-Network:
DROP all -- anywhere anywhere STRING match = X-Kazaa-IP:
DROP all -- anywhere anywhere STRING match = X-Kazaa-SupernodeIP
DROP all -- anywhere anywhere STRING match = Kazaa
LOG all -- anywhere anywhere STRING match = User LOG level warning
DROP all -- anywhere anywhere STRING match = User
state_chk all -- anywhere anywhere
============================
I recommend REJECT --reject-with tcp-reset.
It will tell the clients that the connection is closed. If you drop the
packets, the clients will try to send packets on and on for some time.
============================
use a tool which is pretty new which works on
a different ip layer. Below is a post recently sent regarding it.
The way it works is that it matches the packets' content and pushes that
into the shaped pipe, iptables can actually do that too with the "-m
string" patch-o-matic module. I'm just not sure what happens after the
SYN packet if the connection keeps going through the shaped pipe or
not..
hope this helps...?
=============================
There is a sourceforge project that has just released
application shaping tools for TC
http://l7-filter.sourceforge.net/
We are in the process of adapting their "application
detection code" into the arbitrator..
Their code works by matching text patterns in data
packets. If you have any knowledge on this subject
please share your thoughts and experiences.
================================
iptables -I FORWARD -p tcp -m string --string "KazaaClient" -j REJECT --reject-with tcp-reset
"KazaaClient" is a fairly distinct string to search for, but again
would then catch this email. You'd have to ACCEPT tcp port 25,80,110
then drop anything with the string, then handle the remainder of your
rules to be safest with this approach. Apparently V1 and V2 Kazaa both
use this string in every connection attempt.
==================================
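The thread above relies on matching header strings (the X-Kazaa-* headers, "KazaaClient") in packet payloads, and the last post warns that an unqualified "Kazaa" match would also kill the very e-mail discussing it unless ports 25, 80 and 110 are accepted first. The following is an added example, not code from the thread or from any of the posters: a small Python classifier that applies those same signatures to constructed sample payloads and shows the difference between the naive rule and the port-aware rule order. The sample payloads, port numbers other than the thread's 25/80/110/1214, and the function names are assumptions made for illustration.

```python
# Added example (not from the original thread): applies the header-string
# signatures the posts use in iptables to constructed payloads and shows why
# an unqualified "Kazaa" match also hits mail/web traffic, and how the port
# carve-out described in the last post avoids that.
import re

# Signatures quoted in the thread: KaZaA HTTP-style headers and the
# "KazaaClient" token. Headers are anchored at a line start (re.M) so the
# same words inside an e-mail body or a web page are less likely to match.
KAZAA_HEADER_RE = re.compile(
    rb"^(?:X-Kazaa-Username|X-Kazaa-Network|X-Kazaa-IP|X-Kazaa-SupernodeIP):",
    re.M,
)
KAZAA_CLIENT_RE = re.compile(rb"KazaaClient")

# Ports the last post says must be ACCEPTed before the string rules so that
# mail and ordinary web traffic carrying the word "Kazaa" are not killed.
EXEMPT_PORTS = {25, 80, 110}


def naive_verdict(payload: bytes) -> str:
    """Mimics 'iptables ... --string "Kazaa" -j DROP': any occurrence drops."""
    return "DROP" if b"Kazaa" in payload else "ACCEPT"


def verdict(dst_port: int, payload: bytes) -> str:
    """Port-aware version of the rule order the last post recommends:
    1. ACCEPT mail/web ports outright (the carve-out),
    2. REJECT with TCP RST when a KaZaA header or client token appears,
    3. ACCEPT everything else (state rules would follow in a real chain)."""
    if dst_port in EXEMPT_PORTS:
        return "ACCEPT"
    if KAZAA_HEADER_RE.search(payload) or KAZAA_CLIENT_RE.search(payload):
        return "REJECT tcp-reset"
    return "ACCEPT"


# Constructed sample payloads (not captured traffic); port 8080 is an
# assumed alternative port a client might fall back to.
SAMPLES = {
    "kazaa_on_1214": (1214, b"GET /.hash=abc HTTP/1.1\r\nHost: 10.0.0.1\r\n"
                            b"X-Kazaa-Username: someuser\r\n"
                            b"X-Kazaa-Network: KaZaA\r\n"
                            b"User-Agent: KazaaClient\r\n\r\n"),
    "kazaa_on_8080": (8080, b"GET /.hash=abc HTTP/1.1\r\n"
                            b"X-Kazaa-IP: 10.0.0.1:1214\r\n\r\n"),
    "mail_mentioning_kazaa": (25, b"Subject: how to block Kazaa\r\n\r\n"
                                  b"add the line X-Kazaa-Username: to iptables\r\n"),
    "plain_web": (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}


def classify_all():
    """Returns {name: (naive_verdict, port_aware_verdict)} for every sample."""
    return {name: (naive_verdict(p), verdict(port, p))
            for name, (port, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, aware) in classify_all().items():
        print(f"{name:24s} naive={naive:6s} port-aware={aware}")
```

Running it shows the e-mail sample dropped by the naive rule but accepted by the port-aware order, while the KaZaA payloads on 1214 and on the assumed fallback port are reset either way. The same ordering is what the iptables chain in the thread needs: ACCEPT rules for the exempt ports inserted ahead of the `-m string` REJECT rules.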