I forget stuff… really!!!

Blocking Yahoo!Messenger

A simple policy within the company that caused many sleepless nights… One day the CEO said… “We shall not allow chatting”… O boy… :( this is a bother… as much as I enjoy Yahoo!Messenger I have to comply…

To achieve this goal I first blocked all outgoing ports… then I had to hand-pick the TCP and UDP ports allowed for default services… After that I had to create rules to and from the branch offices connecting over VPN… Then I had SquidGuard, in my case URLFilter, screen the HTTP port to disallow chat…

Looking at the logs… it turns out that Yahoo Messenger is capable of communicating through the default services I allowed earlier… like a virus, Yahoo!Messenger probes the network to identify open ports, and it was successful with ports 20, 21, 23, 25 and 443… is this legal?… anyway… I limited access on ports 20-25 to my servers only… but 443… Blocking it means no HTTPS… I thought SquidGuard could help me but… it turns out that HTTPS, or secure HTTP, cannot be proxied transparently…
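The log review described above, as an added example that is not part of the original post: a small Python pass over constructed netfilter-style FORWARD log lines (the SRC/DST/PROTO/DPT field layout is assumed) that flags a client trying several of the allowed service ports against one outside host, the port-hopping behaviour the post observed, and any 20-25 traffic whose destination is not one of the assumed whitelisted servers.

```python
import re
from collections import defaultdict

# Constructed sample log, in the netfilter format an IPCop/Shorewall box writes
# (assumed layout; only SRC, DST, PROTO and DPT are used below).
SAMPLE_LOG = """\
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3301 DPT=5050
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3302 DPT=80
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3303 DPT=443
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3304 DPT=25
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3305 DPT=23
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=3306 DPT=21
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=203.0.113.5 PROTO=TCP SPT=4410 DPT=25
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=203.0.113.5 PROTO=TCP SPT=4411 DPT=443
kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=192.0.2.7 PROTO=TCP SPT=5100 DPT=443
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")
SERVICE_PORTS = {20, 21, 23, 25, 443}   # the default-service ports the post found YM using
MAIL_SERVERS = {"203.0.113.5"}          # assumed: the only hosts allowed to receive 20-25 traffic


def parse(log_text):
    """Return (src, dst, dport) tuples for every TCP FORWARD line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events


def port_hoppers(events, threshold=3):
    """(src, dst) pairs where one client tried >= threshold distinct service ports on one host."""
    seen = defaultdict(set)
    for src, dst, dport in events:
        if dport in SERVICE_PORTS:
            seen[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= threshold}


def unapproved_mail_ports(events):
    """Connections on 20-25 whose destination is not a whitelisted server."""
    return sorted({(src, dst, dport) for src, dst, dport in events
                   if 20 <= dport <= 25 and dst not in MAIL_SERVERS})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("port hoppers:", port_hoppers(evs))
    print("20-25 to non-servers:", unapproved_mail_ports(evs))
```

Feeding the real IPCop firewall log through `parse` is enough to reproduce the observation in the post; the threshold is a tunable, not a fixed rule.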

From http://www.shorewall.net/Shorewall_Squid_Usage.html

…instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).

The temporary solution is to allow only a few people access to HTTPS… and the bad users must live without webmail, web banking and online shopping…

Update: since IPCop itself can reach port 443 and the proxy listens on port 800, anyone who manually enters the firewall as their browser proxy can still reach HTTPS sites…

  • milisdad

    Wow, that's really a shame…
    If you're an IT person, surely you're still allowed to chat?
    There's still a way if you want to chat, just go through an ssh tunnel :D

  • http://www.bigwisu.com Wisu Suntoyo

    hehehe… that's true… there are many ways…

    What management noticed is… it turned out too much time was being wasted because the staff kept chatting..

  • milisdad

    Just set up a Jabber server, so at least there's internal communication.
    Where I work it was the same, lots of people chatting, so in the end an internal chat was built.
    Even though in the end it wasn't effective, at least it minimised chatting with outside parties.

  • http://hahaha.rootbox.or.id slashdotfx

    Have you ever tried l7-filter.sf.net?

  • http://udienz.wordpress.com udienz

    Wow, that's true too… chatting is two sides of the same coin…

    But if you use meebo it still works, right?

  • http://www.bigwisu.com Wisu Suntoyo

    @slashdotfx -> a layer-7 implementation on IPCop can use the QoS addon… http://en.wikibooks.org/wiki/Advanced_QoS_for_IPCop/HFSC#Rules_.E2.80.93_Layer-7 I happen to have tried this addon… and it turned out to need too much CPU from my PIII-based firewall… actually the budget to upgrade the machine is already there… but the person to do the work hasn't been allocated yet… eh sorry, my answer went off topic… :P

    @udienz -> the art of using the shalla.de SquidGuard list is that its blacklist has a chat classification… so web-based chat sites like http://www.meeebo.com can be blocked with SquidGuard…

    Latest update: after a bit of negotiation with the CEO, I finally managed to win the staff's wish, with web-based chatting allowed during lunch hour and outside office hours… and this is very easy to do with URLFilter… just set up time constraints… :D

  • http://harry.sufehmi.com sufehmi

    Thanks for the tips :D

    One more way to block Yahoo Messenger on IPcop / squid is discussed here:
    http://www.linuxsolved.com/linux-forums/other-devices/blocking-yahoo-messenger-on-transparent-proxy-t1363.0.html;msg4789#msg4789

  • http://dhanyabe.co.cc dhany

    Sorry for taking so long to comment
    Can you tell me how to block the metacafe client ???
    Thanks

  • http://www.bigwisu.com Wisu Suntoyo

    I've never tried it…

    but if you want, you can try the advproxy addon http://www.advproxy.net/ and install it according to the instructions on that website…
    once it is installed, go into the GUI and scroll to the “Web browser” option… there,
    try ticking the “Enable browser check:” option and choose which browsers you allow to access the internet…

    hopefully the metacafe client is recognised as a different browser…

  • anhardeni

    Happy Eid
    maybe the opposite problem, please advise: I've installed ipcop, but now my YM doesn't work, even though I'm the admin

  • Pingback: BigWisu.com » Blog Archive » Facebook Time Restriction

  • http://wahyu.web.id wahyu

    Just use Untangle, mas, it's really great..

  • daniel

    Blocking YM, FB and so on really does make us the ‘man in the middle’ :)
    I tried the l7blocker addon on IPCop 1.4.21 on my PIII machine and it runs smoothly (just a little hacking when running l7update)
    Has anyone managed to apply this layer-seven blocking with a time constraint?
