Re: can iptables block incoming http connections from open proxy servers?

[John Mason Jr <john.mason.jr () cox net>]

You might look at <http://www.projecthoneypot.org/httpbl.php>

John

White Hat wrote:
> Hi List,
>
> How can I block people from making http connections to an internal
> webserver when they are using open http proxies?
>
> While I think that open http proxies are an excellent tool for surfing
> the web anonymously and I often use them, they also present me with a
> big problem.
>
> I run a small forum, and don't have a good way of keeping users who
> are banned for flaming, not following the rules, and other bad conduct
> on the forums from returning and re-registering new accounts when
> using open http proxies.
>
> The web server is a Gentoo linux box and has packet filtering
> (netfilter code), etc built into the kernel. I have the iptables
> userspace ebuild installed.
>
> At the moment, I've added rules to the proxies chain which is checked
> by the input chain to stop inbound connections from proxy servers
> based on the source ports being used by the remote proxy server.
> However, this does not seem to be working at the moment.
>
> For example.
>
> iptables -N proxies
> iptables -A INPUT -j proxies
> iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP
>
> I also have rules for all of the other common proxy server ports in
> place in the proxies chain.
>
> I'm guessing that this does not work because the source port is randomized.
>
> To test this I configured firefox to use an open http proxy running
> squid on port 3128 and then connected to the remote site with
> wireshark running on the web server.
>
> In the packet dump, the http traffic does not come from or go to port
> 3128.  It seems that this port is never used for incoming our outgoing
> source or destination ports.
>
> My next thought is to use the excellent linblock perl script to just
> load lists of IP's of known proxy servers into iptables, and then
> setup a cron job to automate the whole thing every so often, but after
> thinking about this for a bit, I'm wondering how I'm going to keep up
> with the changes.  Often times a proxy will be there one day and gone
> the next and another system will replace it.  The web server has
> limited amounts of ram, and it would be exhausted after trying to load
> x amount of addresses.  Can snort be used to detect incoming
> connections from open http proxy servers?  Is there a pre-processor
> that can be turned on to kick off an alert to the alert file?
>
> I'm also having trouble finding an updated proxy list that I can use
> with linblock.  One of my favorite sites, bluetack, no longer has
> anyone maintaining the proxy list.
>
> I'm wondering, what's the best way to keep people using proxy servers
> from connecting to the site.  Is there a good way to do this with out
> having to load thousands of rules to block each particular proxy?
>
> I would greatly appreciate advice on how to handle this situation,
> especially from forum admin types who have experience with this
> problem.
>
> WhiteHat237
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards