Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: David Trask on November 18, 2003, 04:51:02 AM

Title: need to filter https...kids bypassing dansguardian! Help!
Post by: David Trask on November 18, 2003, 04:51:02 AM
Wasn't sure where to address this issue....I (and others in Maine) have kids using this URL   https://4.5.74.236/cgi-bin/nph-088958.cgi

to bypass my filter...which incidentally is set up as a transparent proxy on E-Smith 5.6 using Stephen Noble's Dansguardian module.  I've tried entering 4.5.74.236/cgi-bin/nph-088958.cgi as a URL in the deny url panel....no use.....I even put in the https.....also no good...tried it in the deny site....also...nada.  Even tried denying IP addresses....since it's https I can't seem to stop it...Any ideas....I've got to get this under control.  Thanks for any help you can provide

David Trask
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Patrick Hickey on November 18, 2003, 06:29:15 PM
I hope someone can help you to configure the SME to support what you seek.

When our children were smaller I used a Sonic firewall (sonicsys.com) for one simple feature - a built-in subscription based content filter which is granular to a huge degree. A discrete firewall is always superior to one using access lists and also is designed for the single purpose of being a firewall. You need to block a single address, you block it with a web GUI. Stateful inspection of packets, NAT so you can make up an infinite address scheme inside the firewall, etc.

I am not dismissing the SME as a very good firewall....but I am saying you can get a higher degree of flexibility from companies focused upon just firewalls and let the SME handle the rest of the load. So you may need to look outside the SME for this specific solution.

regards,

patrick
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Ed on November 19, 2003, 02:05:18 AM
Maybe try using ipchains to block that IP.
Ed
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Jack on November 19, 2003, 11:28:14 AM
Try watching your kids and quit using a computer for your baby-sitter.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Patrick Hickey on November 19, 2003, 04:34:36 PM
Ahhh...sage advice.

Maybe you should troll the alt.pseudo.intellectual USENET groups?

regards,

patrick
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: David Trask on November 19, 2003, 04:54:44 PM
Thank you so much Jack...

It's people like you we don't need here on this forum!  

If you had any sense at all you'd realize that...

A.)  I'm a network administrator asking for advice on how to be proactive and maintain as much CIPA compliance as possible.

B.) You'd know that kids will try anything they can to challenge you.

C.)  My email address indicates that I'm from Maine....and in Maine every 7th and 8th grader has a laptop.  It's a little difficult for me to monitor an entire school of laptops (hence the proactive preventative piece)

So....cut the crap with the "geekier" than thou attitude and try using this forum for what it was designed for....helping people.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: David Trask on November 19, 2003, 05:05:21 PM
Actually I have managed to solve it for the most part....here's what I did....

Using the DG (DansGuardian) "regular expression URL" panel one can specify "words or strings" in a URL such as "chat"....which will block any URL with the string "chat" in it....such as www.chatzone.com.....www.teenchat.com...etc.

I found that many CGI proxies by design need to have a leading "nph-" as part of their URL.  So I decided to enter "nph-" as an expression to be filtered.  While I haven't done so....I may enter the word "proxy" as well and test to see how it does.  I'm not having a big problem yet, but in Maine all 7th and 8th graders have laptops and email...so once an exploit gets out it travels like wildfire!  Just trying to stay ahead of the kids.  As for the SonicWall....my colleagues who use this report the same issue....since it's https....but making a deny rule seems to help with them.  In any case....Thanks for the advice  :-)

David
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Patrick Hickey on November 19, 2003, 06:36:12 PM
Good work.

What you are trying to do is often glossed over by people who devise the otherwise superior code for products like the SME. I think it simply never occurs to them.

I would love to see some pre-built templates for using the not-intuitive interfaces of DansGuardian, for example. It may seem to be a niche issue, but I would argue a huge potential base of users exists who are looking for cookie cutter ways to filter content. This applies not only for children and porn, but for downloading movies and non-business related material. Sorry, it isn't that easy to work out.

Developers...think about the number of people who need this feature and who are not command line dwellers. The core functionality presumably is in place but the UI or some guidelines are not. Example templates would be awesome.

regards,

patrick
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Samer Pharaon on November 20, 2003, 09:37:45 AM
I was able to block the site using SquidGuard. Instead of blocking the URL, I have blocked the domain: 4.5.74.236. It worked for both http and https. When the users try to access the http site, they will receive the usual "Access Denied" page. For the https, they will receive a "Bad Gateway" msg.

good luck,
Samer
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Andy MacDonald on November 21, 2003, 06:14:15 AM
Thanks for that.
Not the fix, but the exploit. Now I and a few others can get to legitimate sites we need for work!
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Michiel on November 21, 2003, 10:47:15 AM
> Not the fix, but the exploit. Now I and a few others can get
> to legitimate sites we need for work!

:-))

http://www.anonymizer.com/ does the same thing and seems to be faster. Their commercial solution ($30/year) is really good.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: George Siegel on November 21, 2003, 07:53:51 PM
Using "/sbin/iptables -I INPUT -s 4.5.74.236 -i eth1 -j DROP" from the command line, a script, or a template fragment for masq will stop access, at least it did for me. I have a custom template fragment that I use for several IP addresses and ports that I want blocked.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Jack on November 22, 2003, 05:03:41 PM
I just came across this wonderful website: http://www.samair.ru/proxy/. It lists 1.354 free anonymizer proxies, neetly sorted by country :-)

I'm afraid the State of Main has to wake up to the fact that they can't control what their kids can see and what not. And rightly so. Freedom of speech is worth nothing without the freedom to listen/read.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: David Trask on November 22, 2003, 09:33:25 PM
Jack...

Maybe if you spent just a wee more time on your studies and a little less time surfing the net for proxies you'd learn how to spell.  (neatly) and (Maine)....nonetheless...it's obvious that you have no idea about the laws governing schools with regard to content filtering.  If you did, you'd know about CIPA (child internet protection act) and the fact that failure to comply would mean the loss of lots of $$$ from the government.  Aside from that is the obvious innocent attempts by young children to get to certain websites and as a result of unscrupulous web site operators who prey on this many times they stumble onto porn sites.  I had a couple of third graders trying to find a site about KidPix (a wonderful piece of kid's drawing software) and stumbled on to a teen porn web site.  One of about 4 incidents that drove us to purchasing an internet content filter, prior to my discovering the open source alternative.  Freedom of speech?  Get real!  We're talking about minors here.  Should we openly allow the sale of porno mags to any child who wants one?  Why not sell cigarettes to young teens so it can be part of their "self-expression"?  In fact, let's have strip clubs run a "kids night"!  I sincerely hope that you are not an IT professional working anywhere near a school.  I am...and I resisted filtering as long as I could, but I sleep better at night now knowing that my own children and their peers are going to have their "childhood innocence" preserved a little while longer....

D
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Mike on November 26, 2003, 05:09:24 AM
Have struck a similar problem at a school and the little sneaks were changing the port in the browser to slip past Dans Guardian filtered. Stopped this trick by removing the Connections TAB in the browser through W2000 Server their logon machine, just passing this on for anybody interested.
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: David Trask on November 26, 2003, 06:32:59 AM
An even easier method is to put the DG server at the "choke" point and do transparent proxy....no web browser settings needed....they're forced through....virtually bypass proof.

D
Title: Re: need to filter https...kids bypassing dansguardian! Hel
Post by: Samer Pharaon on November 27, 2003, 09:44:14 AM
Mike wrote:
>
> by removing the Connections TAB in the browser through W2000 Server their
> logon machine, just passing this on for anybody interested.

How did you do this?

Samer
Title: Circumventor Program
Post by: wallyrp on June 23, 2004, 09:46:11 PM
Good Afternoon,

Has anyone come up with a solution to this? After reading this, this issue is serious. I used the url in the initial posting and was able to get right around Bess at our school. I considered Bess pretty airtight but acckkk, if they can install this program on their home computers then, it's a wide open door. Here's a link regarding this program and how to install it: http://www.peacefire.org/circumventor/simple-circumventor-instructions.html

Eventually, you would be blocking the whole internet to stop this in my opinion. Since it is on the secure layer, you wouldn't be able to block via a weighted phrase right? Isn't all the information over this layer encrypted? One suggestion my friend had was to block all https traffic during school hours when students are present. This would be a serious inconvenience to anyone attempting to use https in some administrative function.
Title: DG access
Post by: Johnboy on June 24, 2004, 01:03:13 AM
You have to hand it to the kids - considering most of the people I work with are amazed when I "recover" files from their recycle bin our kids are *streets* ahead.
Title: dansguardian panel
Post by: elSpike on June 24, 2004, 01:07:13 PM
<quote Patrick Hickey>
I would love to see some pre-built templates for using the not-intuitive interfaces of DansGuardian, for example. It may seem to be a niche issue, but I would argue a huge potential base of users exists who are looking for cookie cutter ways to filter content. This applies not only for children and porn, but for downloading movies and non-business related material. Sorry, it isn't that easy to work out.

Developers...think about the number of people who need this feature and who are not command line dwellers. The core functionality presumably is in place but the UI or some guidelines are not. Example templates would be awesome. </quote>

Try www.dungog.net

They have exactly what you are asking for. $49 cheap.

patrick
Title: dungog's solution
Post by: wallyrp on June 24, 2004, 06:23:01 PM
Good Morning,

I looked again at the dungog.net site for solutions to this issue. I downloaded the help file and looked for https. The solution provided is to use certification authorities. You can do this through dungog's package or use the Root Certification Authority (RCA) stuff in IE. This would only apply to folks running M$ stuff granted. In my situation, I will apply a Group Policy and restrict access to ssl sites through the RCA method. There is only one hitch to all of this while using this method, aging certificates. I have heard that the RCA folks won't recognize some of the aging cert's. This would present a problem with folks trying to get some valid sites with these aging cert's.

I'm beginning to think that for a small school, business, or home setup you would just block the entire https layer. If users needed to access certain https sites, use the exception list and add the url's that are needed. This would be a minor, in my humble opinion, maintenance hassle. For example, elementary students, K-6, wouldn't need to even look at a https site. High school students, 7-12, might need to access certain sites for contest information and/or other state educational resources.

Another solution would be just to install some type of network monitoring software and hammer the folks that have high traffic. After looking at the dansguardian log via SawMill, it shows the https request. Since I have users authenticating, I can apply filters and look for folks accessing these types of url's.

I'm going to be relying heavily on SawMill for information. I know it costs money but for $80 for 5 configurations, that's cheap. It also puts things in nice pie charts that principals and other beauracrats(?) like to look at. My opinion, on a tangent here, the principals need to look at the information, disseminate it and discipline accordingly. I'm tired, as an IT person, of handing out discipline or being put in a position that makes it look like I'm the one hammering the student. Now, back to the real world.
Title: need to filter https...kids bypassing dansguardian! Help!
Post by: Timwtaylor on June 28, 2004, 02:56:02 PM
I heard about this exploit and did find that it gets right past the sonic wall.  I also tried a IP cop with Dans guardian.  Again straight through.  

As I was reading some on the site that is posted in the beginning of this thread I saw that this is not only a proxy that you can get to, it is a proxy you can install on your home computer and access it from anywhere.  This being the case you either have to block https allowing administrators either a time window to access state board of education sites that require it or access codes to bypass your firewall.  The alternative is block every IP address that a child has the ability to get to that could possibly have any of these proxy applications installed, IE every cable modem and DSL IP address.  This would include Jack's IP address as he sounds like someone that would install this and allow others to use his internet connection to bypass filters.

In the sonic wall you can not block https any way I have found yet as they use it to access the management port of the firewall.  I have a call in to find out what can be done in that regard.  I hope to have a solution before school starts back up in August.

Tim Taylor
Title: Question about the URL portion of this issue
Post by: wallyrp on July 01, 2004, 09:37:02 PM
Good Afternoon,

After looking at this issue and reviewing my SawMill analysis I believe there may be a solution but I don't know where to begin.

SawMill doesn't report anything outside of the initial https://4.x./??? url. I did notice though after browsing around a bit that if there was a way to capture the full url that is in the address bar it could be filtered. I don't think this can be done because of the SSL.

Another way to attack this is to somehow import a RBL(?) type of list into DansGuardian. I notice that if I have a dyndns.org domain setup on my home server that AOL, and others, won't accept my email because my IP address is in some sort of list. It appears that someone out there has a list of the IP addresses that the broadband ISP's assign to their customers. This might be something to look at and that would hopefully provide a broom to wipe out the majority of folks that would use this method.
Title: Possible Solution to https filter
Post by: wallyrp on July 09, 2004, 08:30:15 PM
Good Afternoon,

Here's something of interest that I got from https://listman.redhat.com/archives/k12osn/2004-June/msg00185.html ::

Here's how. Transparently proxy TCP 80 and TCP 443; do this, and your firewall setup--firewalls include your proxy/ICF server, let's all remember--will always control the connection. This applies to any Web content filtering application that supports transparent proxying, be it DansGuardian, I-Gear (ick!), squidGuard, or whatever. That's how you can block outside servers running circumventor, because it is quite correct that the external circumventor server will need a consistent IP address, which will indeed show up in the logs (you do review your logs, right? :-) ). Also have an internal DNS server in a split-DNS configuration, and configure your firewall such that only the internal DNS server can forward and receive requests to and from the external DNS server. Do this, and you'll stop circumventor...cold.

--TP

End Post

I'm not exactly sure if I totally understand how to set up the last part with regards to the DNS setup though.
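
The log review mentioned in the posts above (HTTPS requests to a bare IP address showing up in the proxy log) can be automated. This is an added example, not part of any post in the thread: it assumes an explicitly configured proxy writing Squid's native access.log layout, where HTTPS appears as `CONNECT host:port`, and the log lines, client addresses and usernames are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (assumed):
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1088712001.101    812 192.168.1.21 TCP_MISS/200 5120 CONNECT 4.5.74.236:443 student07 DIRECT/4.5.74.236 -
1088712003.552    120 192.168.1.21 TCP_MISS/200 2210 GET http://www.example.org/index.html student07 DIRECT/192.0.2.10 text/html
1088712010.004   1430 192.168.1.34 TCP_MISS/200 9876 CONNECT 4.5.74.236:443 student12 DIRECT/4.5.74.236 -
1088712015.870    655 192.168.1.50 TCP_MISS/200 4096 CONNECT secure.example.org:443 staff02 DIRECT/192.0.2.20 -
1088712020.330    301 192.168.1.34 TCP_MISS/200 7000 CONNECT 203.0.113.77:8443 student12 DIRECT/203.0.113.77 -
this line is truncated
"""

def connect_target(fields):
    """Return (host, port) for a CONNECT entry, else None."""
    if len(fields) < 10 or fields[5] != "CONNECT":
        return None
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)   # brackets wrap IPv6 literals

def is_ip_literal(host):
    """True when the tunnel target is an address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ip_literal_tunnels(log_text):
    """Map 'ip:port' -> hit count plus the client IPs and users seen."""
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "users": set()})
    for line in log_text.splitlines():
        fields = line.split()
        target = connect_target(fields)
        if target is None or not is_ip_literal(target[0]):
            continue   # skip malformed lines, plain HTTP, named HTTPS hosts
        entry = report[f"{target[0]}:{target[1]}"]
        entry["hits"] += 1
        entry["clients"].add(fields[2])
        if fields[7] != "-":             # "-" means no authenticated user
            entry["users"].add(fields[7])
    return dict(report)

if __name__ == "__main__":
    ranked = sorted(ip_literal_tunnels(SAMPLE_LOG).items(),
                    key=lambda kv: -kv[1]["hits"])
    for dest, e in ranked:
        print(dest, e["hits"], sorted(e["clients"]), sorted(e["users"]))
```

Destinations that recur across several clients are the candidates for a deny-site entry or a firewall rule of the kind posted earlier in the thread.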
Title: THank for the tips
Post by: One of Many Students on July 10, 2004, 03:44:51 PM
Hello Guys,

I'm a highschool living in Canada, thank you for all the info on how to bypass Dansguardian..

Even though I agree with the fact that internet should be safe for kids and teens, I also believe that young people with the right instruction will never be led to do anything bad.

Preventing kids from using the internet is just a way to impose adult rules. Remember, you can't make us blind!

I am one of the students that promotes the dansguardian bypassing technique and I also have tons of free time to find out new ways to do it..

Sorry for being such a punk, but we get the page blocked even when we try using Google and we type "Gilmore Girls".

I'm always around,
p0rt3r