Kazaa and iptables

Justin Bennett justin.bennett at dynabrade.com
Wed Apr 23 11:29:47 EDT 2003


I think I need to look for connect strings and such in the packets. I 
think it's going to be a bear. Anyone had any luck with string matches 
in IP tables? I've never played with it.


Richard Hubbard wrote:

>We had this issue at ITT and found that it keeps
>hopping to all sorts of ports.  The last time I tried
>to check it went through approximately 15-20 ports,
>each one trying to connect to several dozen ip
>addresses.  So trying to block a port or ip address
>doesn't really work (especially since one of those
>ports is port 80, trying to sneak through any kind of
>packet filter).
>
>There is a bass ackward way we have stopped kazaa, and
>that was using a win2k resource kit utility to go to
>each machine, list the processes on each machine (a
>win2k version of ps) and send them to a filter to see
>if kazaa turns up.  If it does, then we kill the
>process, log off the user, and disable their login.
>You can leave it at kill the user.
>
>The script cycles through about 100 computers in less
>than a minute, and takes up little processor time on
>each machine.  So even if someone installs and fires
>up kazaa, you can still kill it.
>
>The bad news? You have to have admin privileges on
>those machines.  So if someone plugs in their laptop,
>then we can't shut down the process because we can't
>run the script on their machine.
>
>The only other way to block kazaa would be to look
>more deeply into the packets and block them based on
>the service being requested.  Much tougher.
>
>
>--- Justin Bennett <justin.bennett at dynabrade.com> wrote:
>
>>I tried blocking 1241. It still works. I see stuff on 1697, I'll try
>>blocking that. I blocked that, now it's on 1699. It seems to keep moving
>>the ports to an open one.
>>
>>Justin Bennett wrote:
>>
>>>I'm loading it up now, I'll get out the good old packet sniffer and
>>>see what I can come up with.
>>>
>>>Justin Bennett wrote:
>>>
>>>>I found some info, they say to block 1214, but others say kazaa just
>>>>uses a different port if that one is blocked. I don't know enough
>>>>about how Kazaa works to know if that's true. If it connects to a
>>>>central server or not (like napster) first if so maybe blocking that
>>>>can stop it... Let me know what you find, I'll keep looking too.
>>>>
>>>>Thanks
>>>>Justin
>>>>
>>>>Cyber Source wrote:
>>>>
>>>>>I took a quick look into our shorewall config here because I could have
>>>>>sworn I saw a commented out section for Kazaa in there but I couldn't
>>>>>find it this morning. I was looking for the port number for you and even
>>>>>in a quick search on Google, found no quick location of the port Kazaa
>>>>>uses. If I find it I will pass it on.
>>>>>
>>>>>On Wed, 2003-04-23 at 07:31, Justin Bennett wrote:
>>>>>
>>>>>>A buddy of mine asked me to block Kazaa for him on his Frat's dsl
>>>>>>connection, he has a linux fw/router using iptables. I have not
>>>>>>used kazaa, anyone have a rule to block it?
>>>>>>
>>>>>>Thanks
>>>>>>Justin
>>
>>-- 
>>Justin Bennett
>>Network Administrator
>>RHCE (Redhat Certified Linux Engineer)
>>Dynabrade, Inc.
>>8989 Sheridan Dr.
>>Clarence, NY 14031

-- 
Justin Bennett
Network Administrator
RHCE (Redhat Certified Linux Engineer)
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
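
Editor's added example, not code from anyone in this thread: a sketch of the iptables string-match approach the message above asks about, matching on packet payload on any TCP port instead of chasing port numbers. The marker strings and the chain name `P2P_KAZAA` are assumptions (header prefixes commonly attributed to Kazaa transfers); confirm them against your own packet capture first.

```shell
#!/bin/sh
# ASSUMPTION: these header prefixes are markers commonly attributed to Kazaa
# (FastTrack) transfers; verify them in a capture from your own network.
KAZAA_MARKERS="X-Kazaa-Username X-Kazaa-Network X-Kazaa-IP"
CHAIN="P2P_KAZAA"   # hypothetical chain name

# Emit the rule set as text so it can be reviewed before it is applied.
# $1 = built-in chain to hook into (FORWARD on a router, the default).
kazaa_rules() {
    hook="${1:-FORWARD}"
    echo "iptables -N $CHAIN"
    for marker in $KAZAA_MARKERS; do
        # No port condition: the thread reports the client hopping from port
        # to port (and using port 80), so the match is on payload only.
        echo "iptables -A $hook -p tcp -m string --algo bm --string \"$marker\" -j $CHAIN"
    done
    # Rate-limited log entry, then reset the TCP connection that carried it.
    echo "iptables -A $CHAIN -m limit --limit 6/minute -j LOG --log-prefix \"kazaa: \""
    echo "iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
}

# Dry run by default: print the rules. APPLY=1 installs them (needs root and
# the iptables string match module).
if [ "${APPLY:-0}" = "1" ]; then
    kazaa_rules "$@" | sh -e
else
    kazaa_rules "$@"
fi
```

The LOG rule gives the source address of each matching machine, which also covers the unmanaged laptops that the process-scanning script cannot reach.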
 
