[K12OSN] Blocking http tunnel and ssh tunnel

Jon Spriggs jon.spriggs at gmail.com
Thu Jun 9 07:03:52 UTC 2005


I sent this direct to Marian, so have re-sent it to the list.

How about... using snort to see where he's going, then use IPTables to drop 
that host. See, the problem with trying to block this stuff is that there's 
a HUGE list of available servers. Maybe he's connecting to his home machine 
- in which case, dropping that address will stop him, but if he's connecting 
to a public server, then you'll never stop him unless you connect to 
http://www.httport.com and get the list of the public servers. It might also 
be worth watching some http tunnel traffic and crafting your IP tables 
around that.

I'm sorry I can't be more help than this, but I've never had to block http 
tunnel traffic, I've just used it...

Regards,
Jon


On 08/06/05, M.Pribik <mpribik at zoznam.sk> wrote: 
> 
> This one is possible, but I would prefer some kind of block, 
> maybe in iptables?
> Thanks
>  
>  ----- Original Message ----- 
> *From:* Jon Spriggs <jon.spriggs at gmail.com> 
> *To:* Support list for opensource software in schools. <k12osn at redhat.com> 
> *Sent:* Wednesday, June 08, 2005 8:46 PM
> *Subject:* Re: [K12OSN] Blocking http tunnel and ssh tunnel
> 
>  If it were me, I'd do the following.
>  1) Install Snort on the K12 server. Launch an HTTP tunnel yourself and 
> watch the traffic using snort.
> 2) Configure snort to watch for that signature.
> 3) Arrange for it to drop the log file into an e-mail hourly, daily or 
> weekly, depending on how often it's happening.
> 4) Enable "login recording" (I can't remember the exact local policy 
> option - I can look it up for you if needed) on the Windows PC
> 5) Confront the user who was logged in at the time in a subtle manner 
> first (such as, look kid - the rules are there for a reason) then the 
> heavier handed approach (do you want me to bring in your parents) followed 
> by the sledgehammer (OK, let's see the headmaster) and if that doesn't work 
> get the police (there's probably some sort of "Misuse of computing" laws? 
> perhaps if you speak to the officers and let them know that you initially 
> want to frighten the lad into behaving, and if that doesn't work, you'll 
> want to start the formal route) 
>  Remember, most of the best white hats started as black hats - if you 
> teach this kid the meaning of right and wrong now (and most importantly, 
> this stuff can be monitored) then hopefully, he'll ease off.
>  Perhaps if you show him how you caught him, he'll show more interest in 
> the legitimate side of this game?
>  And of course, it's not necessarily a guy - I'm just using the male 
> gender for illustration purposes.
>  Regards,
>  Jon "The Nice Guy" Spriggs.
> 
>  On 08/06/05, M.Pribik <mpribik at zoznam.sk> wrote: 
> > 
> > Is it possible to block "http tunnel" and "ssh tunnel" created by 
> > students on Windows desktop PCs? The Internet traffic of the Windows desktops 
> > is going through K12LTSP server and HTTP traffic is filtered by 
> > Dansguardian. The tunnels can override the filter! 
> >  Thank you, Marian
> >  
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com 
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see < http://www.k12os.org>
> > 
> > 
> -- 
> Jon "Four Star Gun" Spriggs AKA
> Jon "The Nice Guy" Spriggs 
> 


-- 
Jon "Four Star Gun" Spriggs AKA
Jon "The Nice Guy" Spriggs
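
One way to turn the Snort alerts discussed in this thread into iptables drop rules, as an added example that is not part of the original posts. It assumes Snort's "fast" alert format, a hypothetical local rule whose message is "LOCAL HTTP tunnel", a 192.168.0.x classroom LAN, and that the server forwards the desktops' traffic (hence the FORWARD chain); all alert lines are constructed.

```shell
#!/bin/sh
# Constructed Snort "fast" alert lines. "LOCAL HTTP tunnel" is a hypothetical
# message from a local rule written after watching a test tunnel.
sample_alerts() {
cat <<'EOF'
06/08-10:02:11.104512  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 192.168.0.23:1042 -> 203.0.113.5:80
06/08-10:02:41.220871  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 192.168.0.23:1043 -> 203.0.113.5:80
06/08-10:03:02.000310  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.0.23:1043
06/08-10:05:17.551200  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 192.168.0.31:1100 -> 203.0.113.5:80
06/08-10:06:40.009143  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 192.168.0.31:1101 -> 198.51.100.9:80
06/08-10:07:05.730018  [**] [1:1000002:1] LOCAL other rule [**] [Priority: 3] {ICMP} 192.168.0.40 -> 203.0.113.77
06/08-10:09:58.412090  [**] [1:1000001:1] LOCAL HTTP tunnel [**] [Priority: 2] {TCP} 192.168.0.23:1050 -> 203.0.113.5:80
EOF
}

# Usage: tunnel_block_rules [MIN_HITS] < alert-file
# Prints (does not run) one iptables command per outside host that LAN clients
# hit at least MIN_HITS times, with the clients seen, so a person can review
# the list before applying it and knows which desktops to follow up on.
tunnel_block_rules() {
  min_hits=${1:-3}
  awk -v min="$min_hits" -v lan="192.168.0." '
    /LOCAL HTTP tunnel/ {
      src = ""; dst = ""
      for (i = 2; i < NF; i++)
        if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
      sub(/:[0-9]+$/, "", src)            # strip the port numbers
      sub(/:[0-9]+$/, "", dst)
      if (index(src, lan) != 1) next      # only LAN client -> outside host
      # Accept nothing but a dotted quad, so log content never ends up
      # inside a generated command.
      if (dst !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      hits[dst]++
      if (!((dst, src) in seen)) {
        seen[dst, src] = 1
        clients[dst] = clients[dst] " " src
      }
    }
    END {
      for (d in hits)
        if (hits[d] >= min)
          print "iptables -I FORWARD -d " d " -j DROP  # hits=" hits[d] " clients:" clients[d]
    }
  ' | sort
}

sample_alerts | tunnel_block_rules 3
```

The threshold keeps a single stray alert from blocking a host, and the reply packet in the sample (outside host as source) is skipped so a LAN desktop is never emitted as a block target.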