Ultrasurf admin's nightmare


(Felipe) #1

Hello guys!

My scenario is Windows 2008 Server R2 “without AD”, and Windows 7 64-bit on the stations.

2 internet links into a TP-Link dual-WAN router as gateway, set by the Server 2008 DHCP as 192.168.0.1.

NethServer is used only as a proxy with IP 192.168.0.2, set on the stations with port 3128.

On the TP-Link I blocked ports 80 and 443 for all stations except the proxy.

But some users using UltraSurf can get access through high ports like 60000 and others that I can’t foresee.

Can somebody suggest something I can do to block Ultrasurf without AD?


(Rafael González) #2

Hi Felipe,

The TP-Link is not a very good firewall… at least, in my experience. I suggest you use the NS instead, and with that you could resolve that problem, and many others that may appear.

If you use NS as a gateway, with the proxy enabled, you will be able to block everything from the inside to the outside, leaving only the ports that you want. In your current configuration, you must do it with the firewall of the TP-Link.

Cheers


(Filippo Carletti) #3

AFAIK, Ultrasurf is hard to block. I did a test some months ago and succeeded using openappid. I then stopped my tests due to lack of time. I still have a machine ready for testing and some notes.


(Stefano) #4

If you see who’s using Ultrasurf, you could use a “social” technique to block them… just inform your users that all traffic is logged, that using Ultrasurf is forbidden and that such behaviour will be punished…

The solution sometimes doesn’t come from technical skills :wink:


(Filippo Carletti) #5

@zamboni, I challenge you to do it in a school! :smile:


(Stefano) #6

well…
in a school:

  • no clients except known ones
  • all PCs joined to the domain, user auth, all users are just “users”
  • in all clients I’d install a syslog client to send all logs to a syslog server
  • all users are informed about rules
  • every night a mail with all install/hacking info about clients is sent to admin

punish one to punish one hundred :smiley:


(Felipe) #7

I found this batch script on the internet:

@for /f "tokens=5 delims= " %%i in ('netstat -ano -p tcp ^| find "127.0.0.1"') do Taskkill /F /PID %%i

It uses netstat to find which processes are using 127.0.0.1 as a socket connection, then kills those processes.

I tested it with success, so for now I will set up this batch as a Windows Task running every minute :wink:

In the future, I will use NS as the default gateway. In that case, which is the best way to block UltraSurf connections? Just closing port ranges?
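
An added example, not part of the original posts: a Python script that reads captured `netstat -ano -p tcp` output and compares the PIDs the one-liner above would pass to Taskkill with the PIDs holding a direct connection to an address outside the LAN, which the proxy-only setup described in this thread does not allow. The /24 mask, the sample rows, the ports other than 3128 and 60000, and all PIDs are constructed assumptions.

```python
import ipaddress

# Assumption: the stations' LAN is 192.168.0.0/24 (the thread gives the
# addresses 192.168.0.1 and 192.168.0.2 but not the mask).
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample of `netstat -ano -p tcp` output from one station.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:49170        127.0.0.1:8888         ESTABLISHED     2044
  TCP    127.0.0.1:8888         127.0.0.1:49170        ESTABLISHED     3120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1500
  TCP    127.0.0.1:49201        127.0.0.1:49200        TIME_WAIT       0
  TCP    192.168.0.57:49180     192.168.0.2:3128       ESTABLISHED     2100
  TCP    192.168.0.57:49181     192.168.0.10:445       ESTABLISHED     4
  TCP    192.168.0.57:49190     203.0.113.25:60000     ESTABLISHED     3120
"""

def parse(text):
    """Yield (local, foreign, state, pid) for every TCP row; skip headers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[1], f[2], f[3], int(f[4])

def batch_kill_set(text):
    """PIDs the one-liner selects: any row that mentions 127.0.0.1."""
    return {pid for local, foreign, _, pid in parse(text)
            if "127.0.0.1" in local or "127.0.0.1" in foreign}

def direct_egress(text):
    """Map PID -> remote endpoints for ESTABLISHED connections that leave
    the LAN directly instead of going through the proxy."""
    hits = {}
    for _, foreign, state, pid in parse(text):
        dst = ipaddress.ip_address(foreign.rsplit(":", 1)[0])
        if state == "ESTABLISHED" and not dst.is_loopback and dst not in LAN:
            hits.setdefault(pid, []).append(foreign)
    return hits

if __name__ == "__main__":
    print("one-liner would kill:", sorted(batch_kill_set(SAMPLE)))
    print("direct egress       :", direct_egress(SAMPLE))
```

On this sample the loopback match selects four PIDs, including a local service and the PID 0 shown for TIME_WAIT rows, while the egress check reports only the one process that connects outside the LAN.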


(Bogdan Costin) #8

First: you need a way to block the Ultrasurf executable file from reaching the system.
Download links for Ultrasurf, USB/CD access or other removable media disabled by default

Add a program to watch for the Ultrasurf signature when a program is started (also add it to “disallowed programs” in Windows)

Second: block everything at firewall level and then allow only what you want
Third: use per-user authentication on the PC/proxy so you will know who is using what.

Log the usage on each station (log the actions not the content, otherwise it will be illegal :slight_smile: )
Put a very big warning and disclaimer at login with “This station is monitored, any and all actions are logged bla bla bla…” And at the end put the relevant phrase.
“Any deviation from the mentioned rules will be sanctioned (you name what will happen)”

I hope this will help a little :smile:
BR.
Bogdan