Koozali.org: home of the SME Server

instant messanger

nick

instant messenger
« on: September 20, 2002, 09:25:55 AM »
Hi everyone, I was wondering if there is a way to use e-smith server to block all the instant messenger software.

regards
nick

Joey P

Re: instant messenger
« Reply #1 on: September 20, 2002, 02:31:06 PM »
http://www.martintechnology.com/howto_block_aim.htm

Have you read the ipchains-HOWTO from www.tldp.org?

Because one way of doing that is to edit your firewall rules.
The only problem in blocking those IMs port by port is that there's a lot of them: Yahoo, MSN, Jabber, AIM, ICQ, IRC... without mentioning peer-to-peer like iMesh, Aimster, Gnutella, Kazaa etc. etc... and there are HTTP/Java based Yahoo/Hotmail/Netpiper chats :) They would even plug in a USB modem and pay for dial-up if you succeed in port blocking.
The real solution is (if it involves employees) to have a company policy regarding the use of network services (what's allowed and what's not), have it signed by superiors and enforce it. Search GOOGLE for "acceptable use policy templates".

schotty

Re: instant messenger
« Reply #2 on: September 20, 2002, 05:20:22 PM »
I'm gonna jump at Joey's answer on this one.
What's the point in having a firewall/proxy when I can't configure it to use just the services that I want on my network?

I believe that all unwanted services have to be blocked by the firewall and that users must be explained (sign) an acceptable use policy, and also be warned of other dangers in using the internet.

There are a lot of ports that have to be blocked and daily new ports are being opened for new peer-to-peer services, but it must be up to the admins to find them and block them.

cheers

schotty

chris meredith

Re: instant messenger
« Reply #3 on: September 20, 2002, 06:47:30 PM »
Your best bet may be to block all outgoing ports, then unblock what you want to allow (80, 110, 25, etc.). You will want a policy in place though, to cya and give you something to point to when people complain. Also, are you running a proxy? You might want to so you can go ahead and block some of the web IM clients as well as any other "questionable" sites.

Rich Lafferty

Re: instant messenger
« Reply #4 on: September 20, 2002, 07:19:48 PM »
chris meredith wrote:
>
> Your best bet may be to block all outgoing ports, then
> unblock what you want to allow (80,110,25,etc).

Alas, MSN and AIM fall back to port 80 (and AIM also tries 25 and 110,
as well as a bunch of other probably-open ports) if their usual port is
closed.

--Rich

nick

Re: instant messenger
« Reply #5 on: September 23, 2002, 03:01:50 AM »
Thanks for all your input.
I think I'll leave this one alone for a while; it sounds like a real hassle.
regards
Nick

Simeon

Re: instant messenger
« Reply #6 on: September 26, 2002, 02:22:34 AM »
I am using 4.1.2 and have put the following into /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/36masqLAN

#deny ICQ Messaging (login.icq.com, icq.mirabilis.com, www.icq.com)
ipchains -A input -b -d 205.188.179.0/24 -j DENY -l
ipchains -A input -b -d 64.12.162.0/24 -j DENY -l
ipchains -A input -b -d 205.188.153.0/24 -j DENY -l
ipchains -A input -b -d 205.188.248.0/24 -j DENY -l
ipchains -A input -p TCP -b --source-port 4000 -j DENY -l
ipchains -A input -p UDP -b --source-port 4000 -j DENY -l

#deny MSN Messaging (messenger.microsoft.com, block port 1863, MSN IP)
ipchains -A input -b -d 207.46.183.0/24 -j DENY -l
ipchains -A input -p TCP -b --source-port 1863 -j DENY -l
ipchains -A input -p UDP -b --source-port 1863 -j DENY -l
ipchains -A input -b -s 64.4.13.0/24 -j DENY -l

#deny IRC (Block entire 6660-7001 range)
ipchains -A input -p TCP -b --source-port 6660:7001 -j DENY -l
ipchains -A input -p UDP -b --source-port 6667:7001 -j DENY -l

*You will have to create the 36masqLAN file as it doesn't exist otherwise.

Once you've created the 36masqLAN file you will need to expand the template and perform a network create.
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/signal-event network create

Simeon

Re: instant messenger
« Reply #7 on: September 26, 2002, 02:24:30 AM »
I think I meant:

/sbin/e-smith/signal-event network-create

nick

Re: instant messenger
« Reply #8 on: September 26, 2002, 04:12:54 AM »
Thanks Simeon,
I'll give it a go. I'll see how it works with SME 5+.

regards
Nick

nick

Re: instant messenger
« Reply #9 on: September 26, 2002, 04:38:40 AM »
Simeon, I've looked at AOL on my computer and the following is the default.

AIM: server host "login.oscar.aol.com", port 5190
How can I add the above to your list and implement it?

regards
Nick

Simeon

Re: instant messenger
« Reply #10 on: September 26, 2002, 06:52:38 PM »
I'm no expert, mind, but try this:

Put the following into /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/36masqLAN

#deny aol
ipchains -A input -p TCP -b --source-port 5190 -j DENY -l
ipchains -A input -p UDP -b --source-port 5190 -j DENY -l

#deny ICQ Messaging (login.icq.com, icq.mirabilis.com, www.icq.com)
ipchains -A input -b -d 205.188.179.0/24 -j DENY -l
ipchains -A input -b -d 64.12.162.0/24 -j DENY -l
ipchains -A input -b -d 205.188.153.0/24 -j DENY -l
ipchains -A input -b -d 205.188.248.0/24 -j DENY -l
ipchains -A input -p TCP -b --source-port 4000 -j DENY -l
ipchains -A input -p UDP -b --source-port 4000 -j DENY -l

#deny MSN Messaging (messenger.microsoft.com, block port 1863, MSN IP)
ipchains -A input -b -d 207.46.183.0/24 -j DENY -l
ipchains -A input -p TCP -b --source-port 1863 -j DENY -l
ipchains -A input -p UDP -b --source-port 1863 -j DENY -l
ipchains -A input -b -s 64.4.13.0/24 -j DENY -l

#deny IRC (Block entire 6660-7001 range)
ipchains -A input -p TCP -b --source-port 6660:7001 -j DENY -l
ipchains -A input -p UDP -b --source-port 6667:7001 -j DENY -l

Then, after creating the 36masqLAN file, you need to:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/signal-event remoteaccess-update

*I know that everything but the AOL bit works. (I made a mistake in my previous message; I think I wrote network-create instead of remoteaccess-update. So please follow the instructions in this message.) Hope it works. Let us know.

nick

Re: instant messenger
« Reply #11 on: September 26, 2002, 08:16:47 PM »
Hi Simeon.
Thanks for the update. I'll give it a go.
Looking at your DENY list raises a great deal of questions. To list a few:

1. To reverse all the changes to your DENY list, what do I do?
2. There appear to be thousands of ports, and quite a lot were open according to your list (Block entire 6660-7001 range). I thought e-smith defaulted to only a few ports being open?
4. I applied the deny AOL on my test server as you suggested and it blocked port 5190. Then I went to the preferences section in Netscape 7 (AIM and ICQ are part of the browser) and changed the port from 5190 to 5191. I was able to get out. Would I still be able to receive a message now that I am on port 5191?
5. I need to read up on this whole area (ipchains and ports) etc.!
6. My head is spinning.
regards
Nick

Simeon

Re: instant messenger
« Reply #12 on: September 26, 2002, 08:45:46 PM »
1) To reverse the changes (return it to normal setup) simply remove the lines we've added to the 36masqLAN file, then expand the template again and remoteaccess-update again. It'll then be back to how it was.

2) Don't know. I'm at the edge of my knowledge with all of this. Only picked up bits from reading the e-smith forums over the last couple of years.

4) OK. So instead of blocking packets going to port 5900, let's block data going to the login.oscar.aol.com servers. Try this instead of the block aol lines we've already tried:

#deny aol instant messenger
ipchains -A input -b -d 205.188.7.164/24 -j DENY -l
ipchains -A input -b -d 205.188.7.168/24 -j DENY -l
ipchains -A input -b -d 205.188.7.172/24 -j DENY -l
ipchains -A input -b -d 205.188.7.176/24 -j DENY -l
ipchains -A input -b -d 205.188.3.160/24 -j DENY -l
ipchains -A input -b -d 205.188.3.176/24 -j DENY -l
ipchains -A input -b -d 205.188.5.204/24 -j DENY -l
ipchains -A input -b -d 205.188.5.208/24 -j DENY -l
ipchains -A input -b -d 64.12.161.153/24 -j DENY -l
ipchains -A input -b -d 64.12.161.185/24 -j DENY -l

(so put the above lines into 36masqLAN and expand/remoteaccess-update again then try it again).

If it still lets them access oscar.aol.com for aol instant messenger then type nslookup login.oscar.aol.com and add similar ipchains lines for the ip address it gives for the oscar servers.  Isn't there another type of AOL IM server too?  I'm sure that oscar is the older one?
I'm not an expert on any of this.  Let me know if it works or not.

nick

Re: instant messenger
« Reply #13 on: September 27, 2002, 09:18:51 AM »
Hi Simeon,
I appreciate your patience and time spent on this.
Your answer to question 4:
"Let's block data going to the login.oscar.aol.com servers."
I understand what you mean. Find the actual address of the servers you want to block and then Deny.
What is the best way to find the IP address, e.g. www.anyone.com = 0.0.0.0?
I thought I could get the answer here, "http://www.uwhois.com", but I'm not quite sure.
You are definitely helping me understand this topic better and I am sure others reading this topic will be as well.
I'll report back here soon.
Regards
Nick

Simeon

Re: instant messenger
« Reply #14 on: September 27, 2002, 01:02:32 PM »
What I meant was that rather than just blocking data packets coming into a specific port, let's block ALL data packets coming from the login.oscar.aol.com servers.

I did a search on the internet and found a web page that listed the five 205.188.x.xxx servers (the first five below) that AOL use for login.oscar.aol.com. Unsure whether they were correct or up to date (apparently AOL change their servers around quite a bit), I typed nslookup login.oscar.aol.com on my Linux box; it gave me the 64.12.161.153 and 64.12.161.185 IP addresses, so I think that putting the below lines into 36masqLAN should block all data coming from or going to the login.oscar.aol.com servers.

#deny aol instant messenger
ipchains -A input -b -d 205.188.7.164/24 -j DENY -l
ipchains -A input -b -d 205.188.7.168/24 -j DENY -l
ipchains -A input -b -d 205.188.7.172/24 -j DENY -l
ipchains -A input -b -d 205.188.7.176/24 -j DENY -l
ipchains -A input -b -d 205.188.3.160/24 -j DENY -l
ipchains -A input -b -d 205.188.3.176/24 -j DENY -l
ipchains -A input -b -d 205.188.5.204/24 -j DENY -l
ipchains -A input -b -d 205.188.5.208/24 -j DENY -l
ipchains -A input -b -d 64.12.161.153/24 -j DENY -l
ipchains -A input -b -d 64.12.161.185/24 -j DENY -l

If it doesn't work, then type nslookup login.oscar.aol.com and if it returns an ip address different to any of the above ones, say xxx.xxx.xxx.xxx then add another line into 36masqLAN in the form:

ipchains -A input -b -d xxx.xxx.xxx.xxx/24 -j DENY -l

then expand the template and remoteaccess-update again (or is it network-create? - can never remember - so do both! lol).

I think I'm right on all of this, but as I said I'm no expert.
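Added example, not code from the thread: the /24 in lines like 205.188.7.164/24 masks off the host bits, so each such line blocks the whole 205.188.7.0/24 network and several of the lines in Replies #12 and #14 cover the same network twice. This script parses a constructed sample of those rules and reports the networks the list really blocks and which lines are redundant.

```python
import ipaddress
import shlex

# Constructed sample: a few of the DENY lines from the thread, used as input.
RULES = """
#deny aol instant messenger
ipchains -A input -b -d 205.188.7.164/24 -j DENY -l
ipchains -A input -b -d 205.188.7.168/24 -j DENY -l
ipchains -A input -b -d 205.188.3.160/24 -j DENY -l
ipchains -A input -b -d 64.12.161.153/24 -j DENY -l
ipchains -A input -b -d 64.12.161.185/24 -j DENY -l
ipchains -A input -p TCP -b --source-port 5190 -j DENY -l
"""

def address_of(line):
    """Return the -s or -d argument of one ipchains rule, or None for port-only rules."""
    argv = shlex.split(line)
    for flag in ("-s", "-d"):
        if flag in argv:
            return argv[argv.index(flag) + 1]
    return None

def networks_in(rules):
    """Pair each address rule with the network ipchains actually matches."""
    pairs = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr = address_of(line)
        if addr is None:
            continue
        # strict=False mirrors the kernel: host bits outside the mask are ignored,
        # so 205.188.7.164/24 is really 205.188.7.0/24 (the whole class C).
        pairs.append((addr, ipaddress.ip_network(addr, strict=False)))
    return pairs

def effective_networks(rules):
    """The distinct networks the rule list blocks, with overlaps merged."""
    nets = [net for _, net in networks_in(rules)]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]

def redundant_rules(rules):
    """Address arguments already covered by an earlier line in the list."""
    seen, dups = set(), []
    for addr, net in networks_in(rules):
        if net in seen:
            dups.append(addr)
        seen.add(net)
    return dups
```

Run it with the full list from the thread and you get the actual class-C networks being denied, which is a quick sanity check before expanding the template.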