Hello, can someone tell me how to block Ultrasurf… any solution?
Not a direct solution, but here are some related old answers:
When I look on the web, most paid solutions (sophos, fortinet, paloalto, mcafee, …) are using DPI (Deep Packet Inspection) to decrypt the data (which is encrypted with SSL) to be able to identify the payload (it's like DNA, but for data). Then these solutions offer a plugin to add to the browser (chrome, firefox, …) to prevent the download of well-known threats. Example: https://cookbook.fortinet.com/blocking-ultrasurf/index.html
Suricata or DPI
By using Nethserver as a gateway with these plugins, you might be able to block the EXE, but these plugins are also resource-consuming.
- Suricata = Intrusion Prevention System (nethserver-evebox, nethserver-suricata)
- DPI = Deep packet inspection (nethserver-ndpi)
If we analyze what Ultrasurf does: it creates a tunnel over the HTTPS protocol.
So Mikrotik proposes to block any traffic from your LAN on port 443, which should be allowed only for a webserver anyway. ref: https://wiki.mikrotik.com/wiki/How_to_Detect_and_Block_UltraSurf_program_traffic
By logging these rules you will know which machines are infected, and they will not be able to communicate with the Internet.
Egress filtering
Filtering the outbound traffic is a common practice for big organizations.
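The egress-filtering approach described in the answer above (block LAN traffic to port 443 except for known web servers, log the drops, and use the log to find the machine running the tunnel), as an added example that is not part of the original thread and is not NethServer's or Mikrotik's own configuration. It targets a Linux gateway using iptables; the interface names, LAN subnet, allowlisted addresses (RFC 5737 documentation ranges) and the sample log lines are all constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread: egress filtering on a Linux
# gateway (iptables), plus a check of the log lines the LOG rule produces.
# Assumptions: interface names, the LAN subnet and the allowlisted web
# servers below are placeholders (RFC 5737 documentation addresses).
LAN_IF="eth1"                             # assumed LAN-side interface
WAN_IF="eth0"                             # assumed Internet-side interface
LAN_NET="192.168.1.0/24"                  # assumed LAN subnet
ALLOWED_443="203.0.113.10 203.0.113.11"   # assumed: the only HTTPS destinations LAN may reach
LOG_PREFIX="EGRESS443_DROP"               # tag the kernel puts in front of each logged packet

# Print the iptables commands so they can be reviewed before applying
# (review first: this cuts the LAN off from every other HTTPS destination).
# Apply with:  egress_rules | sh
egress_rules() {
    # dedicated chain for new LAN -> Internet TCP/443 connections
    echo "iptables -N EGRESS443 2>/dev/null || iptables -F EGRESS443"
    for dst in $ALLOWED_443; do
        echo "iptables -A EGRESS443 -d $dst -p tcp --dport 443 -j ACCEPT"
    done
    # everything else: log (rate-limited so a tunnel cannot flood the log), then drop
    echo "iptables -A EGRESS443 -m limit --limit 10/min -j LOG --log-prefix \"$LOG_PREFIX \""
    echo "iptables -A EGRESS443 -j DROP"
    # hook the chain into FORWARD once (-C checks whether the jump already exists)
    jump="FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -m conntrack --ctstate NEW -j EGRESS443"
    echo "iptables -C $jump 2>/dev/null || iptables -I $jump"
}

# Constructed sample of what the LOG rule writes to the kernel log (not real
# captured traffic). SRC is the LAN host that tried to open a non-allowlisted
# HTTPS connection; the host that keeps showing up is the one running the tunnel.
SAMPLE_LOG='Mar 10 12:00:01 gw kernel: EGRESS443_DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: EGRESS443_DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw kernel: EGRESS443_DROP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:06 gw kernel: EGRESS443_DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:07 gw kernel: some unrelated kernel message'

# Count dropped TCP/443 attempts per LAN host, busiest first ("count src").
# Reads log lines on stdin, e.g.:  journalctl -k | blocked_443_hosts
blocked_443_hosts() {
    grep "$LOG_PREFIX" \
      | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=443 .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}
```

Running `egress_rules` prints the ruleset for review; `egress_rules | sh` applies it, and `printf '%s\n' "$SAMPLE_LOG" | blocked_443_hosts` (or `journalctl -k | blocked_443_hosts` on a real gateway) lists `3 192.168.1.23` first, which is the host to go and look at. Keep in mind that on a LAN where people browse the web normally, almost every site is HTTPS today, so the allowlist will either grow large or need to be replaced by forcing browsers through a proxy; the rate limit on the LOG rule is there so an infected host retrying its tunnel does not fill the log.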