Kazaa and iptables

Richard Hubbard rhubby at yahoo.com
Wed Apr 23 10:56:17 EDT 2003


We had this issue at ITT and found that it keeps
hopping to all sorts of ports.  The last time I tried
to check it went through approximately 15-20 ports,
each one trying to connect to several dozen IP
addresses.  So trying to block a port or IP address
doesn't really work (especially since one of those
ports is port 80, trying to sneak through any kind of
packet filter).

There is a bass ackward way we have stopped Kazaa, and
that was using a win2k resource kit utility to go to
each machine, list the processes on each machine (a
win2k version of ps) and send them to a filter to see
if Kazaa turns up.  If it does, then we kill the
process, log off the user, and disable their login.
You can leave it at kill the user.

The script cycles through about 100 computers in less
than a minute, and takes up little processor time on
each machine.  So even if someone installs and fires
up Kazaa, you can still kill it.

The bad news? You have to have admin privileges on
those machines.  So if someone plugs in their laptop,
then we can't shut down the process because we can't
run the script on their machine.

The only other way to block Kazaa would be to look
more deeply into the packets and block them based on
the service being requested.  Much tougher.


--- Justin Bennett <justin.bennett at dynabrade.com> wrote:
> I tried blocking 1241 It still works. I see stuff on 1697, I'll try
> blocking that. I blocked that now it's on 1699. It seems to keep moving
> the ports to an open one.
>
>
> Justin Bennett wrote:
>
> > I'm loading it up now, I'll get out the good old packet sniffer and
> > see what I can come up with.
> >
> >
> >
> > Justin Bennett wrote:
> >
> >> I found some info, they say to block 1214, but others say kazaa just
> >> uses a different port if that one is blocked. I don't know enough
> >> about how Kazaa works to know if that's true. If it connects to a
> >> central server or not (like napster) first if so maybe blocking that
> >> can stop it... Let me know what you find I'll keep looking too.
> >>
> >> Thanks
> >> Justin
> >>
> >>
> >> Cyber Source wrote:
> >>
> >>> I took a quick look into our shorewall config here because I could have
> >>> sworn I saw a commented out section for Kazaa in there but I couldn't
> >>> find it this morning. I was looking for the port number for you and even
> >>> in a quick search on Google, found no quick location of the port Kazaa
> >>> uses. If I find it I will pass it on.
> >>> On Wed, 2003-04-23 at 07:31, Justin Bennett wrote:
> >>>
> >>>> A buddy of mine asked me to block Kazaa for him on his Frat's dsl
> >>>> connection, he has a linux fw/router using iptables. I have not
> >>>> used kazaa anyone have a rule to block it.
> >>>>
> >>>> Thanks
> >>>> Justin
> >>>>
> >>>
> >>>
> >
>
> -- 
> Justin Bennett
> Network Administrator
> RHCE (Redhat Certified Linux Engineer)
> Dynabrade, Inc.
> 8989 Sheridan Dr.
> Clarence, NY 14031
>  
> 
> 
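
The port hopping described in this message (15-20 ports, each used to reach several dozen addresses) is itself a signal that can be picked out of firewall connection logs when no single port rule holds. The following is an added example, not part of the original post: it counts distinct destination ports and peers per internal host within a time window over constructed records; the record layout, window length, thresholds and function names are assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed records: (timestamp_s, src_host, dst_ip, dst_port)."""
    records = []
    # Host .50 hops across 16 ports (80, 1214, 1690-1703) within a few
    # minutes, contacting 3 new addresses on each port (48 peers total).
    for i, port in enumerate([80, 1214] + list(range(1690, 1704))):
        for j in range(3):
            records.append((i * 10, "192.168.1.50",
                            f"198.51.100.{i * 3 + j + 1}", port))
    # Host .20 is an ordinary web user: one server every 10 minutes,
    # ports 80 and 443 only.
    for j in range(1, 6):
        records.append((j * 600, "192.168.1.20", f"203.0.113.{j}", 80))
        records.append((j * 600, "192.168.1.20", f"203.0.113.{j}", 443))
    return records

def fan_out(records, window=300):
    """Return {(src, window_index): (distinct_ports, distinct_peers)}."""
    ports, peers = defaultdict(set), defaultdict(set)
    for ts, src, dst, dport in records:
        key = (src, ts // window)  # bucket each host's traffic by time window
        ports[key].add(dport)
        peers[key].add(dst)
    return {key: (len(ports[key]), len(peers[key])) for key in ports}

def suspects(records, window=300, min_ports=10, min_peers=30):
    """Hosts that exceed both (assumed) thresholds in any single window."""
    hits = {src for (src, _), (p, n) in fan_out(records, window).items()
            if p >= min_ports and n >= min_peers}
    return sorted(hits)

if __name__ == "__main__":
    recs = build_sample()
    for (src, win), (p, n) in sorted(fan_out(recs).items()):
        print(f"{src} window {win}: {p} ports, {n} peers")
    print("flag:", suspects(recs))
```

Because the check keys on spread rather than on any one port, it still fires when some of the traffic rides on port 80.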

