Blockin msn? - Security



Thread: Blockin msn?

  1. Blockin msn?

    Hi all!
    Does anyone know a way to block Microsoft Messenger? I've tried blocking
    the TCP and UDP ports with iptables, but it seems that it changes port
    whenever I block the one it uses at the moment. I blocked 3940 as it was
    using that port, then it changed to 3811; I blocked that, then it used 2360,
    and so on and on and on! Is it some kind of extreme virus? Changing to a
    randomly chosen port that is free?

    Thanks in advance!

    /Micke


  2. Re: Blockin msn?

    micke (06-03-02 10:10:54):

    > Does anyone know a way to block Microsoft Messenger? I've tried blocking
    > the TCP and UDP ports with iptables, but it seems that it changes port
    > whenever I block the one it uses at the moment. I blocked 3940 as it was
    > using that port, then it changed to 3811; I blocked that, then it used 2360,
    > and so on and on and on! Is it some kind of extreme virus? Changing to a
    > randomly chosen port that is free?


    Are you trying to block by local port number? If yes, you will fail,
    because it is chosen randomly (for every program).

    Regards.

  3. Re: Blockin msn?

    Ertugrul Soeylemez wrote, On 03/02/2006 04:24 PM:
    > micke (06-03-02 10:10:54):
    >
    >> Does anyone know a way to block Microsoft Messenger? I've tried blocking
    >> the TCP and UDP ports with iptables, but it seems that it changes port
    >> whenever I block the one it uses at the moment. I blocked 3940 as it was
    >> using that port, then it changed to 3811; I blocked that, then it used 2360,
    >> and so on and on and on! Is it some kind of extreme virus? Changing to a
    >> randomly chosen port that is free?
    >
    > Are you trying to block by local port number? If yes, you will fail,
    > because it is chosen randomly (for every program).
    >
    > Regards.


    What about just blocking access to messenger.hotmail.com ? Port 1863
    should give a hint as well.

    Disclaimer: Users will still be able to access the service using a proxy
    server.

    --
    ----------------------------
    Kristian Fiskerstrand
    http://www.kfwebs.net
    ----------------------------
    http://www.secure-my-email.com
    http://www.secure-my-internet.com
    ----------------------------
    Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/


  4. Re: Blockin msn?

    Ertugrul Soeylemez wrote:

    > Are you trying to block by local port number? If yes, you will fail,
    > because it is chosen randomly (for every program).
    >
    > Regards.


    This I don't understand. How can something be chosen randomly for every
    program? FTP should use port 21, and since that is not allowed out it's
    blocked, and that works. Perhaps I misunderstand you?

    To clarify it all: I'm using a Slackware 10.2 computer as a firewall and
    connection to the internet, and some of the clients are Windows XP. It's on
    the Slack comp. that I would like to block all connections from and to
    Microsoft Messenger, since it's a very good source to get viruses and
    such things into the computers.


  5. Re: Blockin msn?

    Hi, this is my first reply. Regards to all.

    When we say that the port is random, it is the client's port: the client
    goes out from a random port and it (the client app) connects to a specific
    port on the server. You should DROP the packets to the MSN port on FORWARD,
    because your firewall gets INPUT on a random port.


  7. Re: Blockin msn?

    micke (06-03-03 09:29:42):

    > > Are you trying to block by local port number? If yes, you will
    > > fail, because it is chosen randomly (for every program).
    >
    > This I don't understand. How can something be chosen randomly for
    > every program? FTP should use port 21, and since that is not allowed
    > out it's blocked, and that works. Perhaps I misunderstand you?


    There are always two ports involved in a connection. An FTP connection
    connects from a randomly chosen (on most operating systems) port of your
    local machine to the port 21 on the remote machine.


    > To clarify it all: I'm using a Slackware 10.2 computer as a firewall and
    > connection to the internet, and some of the clients are Windows XP. It's on
    > the Slack comp. that I would like to block all connections from and to
    > Microsoft Messenger, since it's a very good source to get viruses and
    > such things into the computers.


    Then you won't be blocking in the INPUT chain, but in the FORWARD chain.

  8. Re: Blockin msn?

    micke writes:

    >Ertugrul Soeylemez wrote:


    >> Are you trying to block by local port number? If yes, you will fail,
    >> because it is chosen randomly (for every program).
    >>
    >> Regards.


    >This I don't understand. How can something be chosen randomly for every
    >program? FTP should use port 21, and since that is not allowed out it's
    >blocked, and that works. Perhaps I misunderstand you?


    A makes its initial call to B on a set port number. A's port number is
    randomly chosen, but B's port number is set by convention (e.g. 21). A's
    port number is however some random number. B responds to A from a random
    port number and with a random port number. Thereafter A and B converse on
    those random numbers. I.e., ftp does NOT use port 21 on A. ftp sends the
    initial request to B on port 21, but its own port number that it is sending
    the request from and to which B replies is random. Thus if you try to block
    A from sending ftp requests, you cannot use A's port number to do so. A
    does not send the request from port 21.



    >To clarify it all: I'm using a Slackware 10.2 computer as a firewall and
    >connection to the internet, and some of the clients are Windows XP. It's on
    >the Slack comp. that I would like to block all connections from and to
    >Microsoft Messenger, since it's a very good source to get viruses and
    >such things into the computers.

  9. Re: Blockin msn?

    On Fri, 03 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , micke wrote:

    >This I don't understand. How can something be chosen randomly for every
    >program? FTP should use port 21, and since that is not allowed out it's
    >blocked, and that works. Perhaps I misunderstand you?


    1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
    (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

    http://www.ietf.org/rfc/rfc1180.txt
    http://www.faqs.org/rfcs/rfc1180.html
    http://www.rfc-editor.org/rfc/rfc1180.txt
    http://www.ccd.bnl.gov/network/general/rfc1180.html
    http://www.cis.ohio-state.edu/htbin/rfc/rfc1180.html

    When you decide to connect to a remote server - let's say ftp.isi.edu
    (which also has the RFCs in the directory /in-notes/), your computer
    will initiate a connection from some semi-random port _ABOVE_ 1024
    (typically, the "next" number that hasn't been used recently) to port
    21 on the remote server. That server will _reply_ from its port 21
    to that port number that you used. See RFC0959:

    0959 File Transfer Protocol. J. Postel, J. Reynolds. October 1985.
    (Format: TXT=147316 bytes) (Obsoletes RFC0765) (Updated by RFC2228,
    RFC2640, RFC2773) (Also STD0009) (Status: STANDARD)

    available at those same URLs above (replace 1180 with 0959) for more
    details.

    >To clarify it all: I'm using a Slackware 10.2 computer as a firewall and
    >connection to the internet, and some of the clients are Windows XP. It's on
    >the Slack comp. that I would like to block all connections from and to
    >Microsoft Messenger


    [compton ~]$ whatis tcpdump
    tcpdump (8) - dump traffic on a network
    [compton ~]$

    >since it's a very good source to get viruses and such things into
    >the computers.


    One of the benefits of using microsoft software. Blocking all access
    would be safer. Run a proxy on the Slackware box, and prevent the windoze
    boxes from accessing ANY Internet resources.

    Old guy

  10. Re: Blockin msn?

    On 2006-03-03, micke wrote:

    > Ertugrul Soeylemez wrote:
    >
    >> Are you trying to block by local port number? If yes, you will fail,
    >> because it is chosen randomly (for every program).


    > This I don't understand. How can something be chosen randomly for every
    > program? FTP should use port 21, and since that is not allowed out it's
    > blocked, and that works. Perhaps I misunderstand you?


    The server will by default listen on a specific port number; e.g. port 21
    for ftp. But the client uses a random non-privileged port number to
    receive the server's response.

    > To clarify it all: I'm using a Slackware 10.2 computer as a firewall and
    > connection to the internet, and some of the clients are Windows XP. It's on
    > the Slack comp. that I would like to block all connections from and to
    > Microsoft Messenger, since it's a very good source to get viruses and
    > such things into the computers.


    If you know the port the MS Messenger server uses, you can block outbound
    traffic to that destination port or inbound traffic originating from that
    port.

    --

    John (john@os2.dhs.org)

  11. Re: Blockin msn?

    Unruh (06-03-03 17:41:02):

    > A makes its initial call to B on a set port number. A's port number is
    > randomly chosen, but B's port number is set by convention (e.g.
    > 21). A's port number is however some random number. B responds to A
    > from a random port number and with a random port number. Thereafter A
    > and B converse on those random numbers. I.e., ftp does NOT use port 21
    > on A. ftp sends the initial request to B on port 21, but its own port
    > number that it is sending the request from and to which B replies is
    > random. Thus if you try to block A from sending ftp requests, you
    > cannot use A's port number to do so. A does not send the request from
    > port 21.


    This is wrong. The server's port is never random. The client wants to
    connect to the server's port 21. He sends a SYN from a random port x to
    the port 21. The server sends SYN/ACK from port 21 to the client's port
    x. Afterwards the client sends the final ACK from port x to the
    server's port 21 to finally start the connection (he has the option of
    sending RST instead of ACK, to abort the handshake -- this is done, when
    the initial SYN wasn't actually coming from him, to prevent spoofing).

    If the server chose a random source port, then the client wouldn't
    know the context of a packet. That would mean that you couldn't have
    more than one connection to another machine. A connection is uniquely
    defined by the two ports involved (and the hostnames of course).

    Maybe you are confusing this with the additional data channel, which an
    FTP connection uses to transfer actual filesystem data (i.e. directory
    listings or files). In the (default) active mode, this channel is
    initiated by the server, which connects to the client's port 21, turning
    the client into a server (which is the reason that, for using active
    FTP, you must not block port 21). In the alternative passive mode (if
    the client's port 21 is blocked for some reason), the client connects to
    a (mostly randomly chosen) port on the server. In this case, and only
    in this case, both ports are effectively "random". But still the target
    port is chosen by the FTP daemon, not by the operating system.


    Regards.

  12. Re: Blockin msn?

    Ertugrul Soeylemez wrote:

    > Unruh (06-03-03 17:41:02):
    >
    >> A makes its initial call to B on a set port number. A's port number is
    >> randomly chosen, but B's port number is set by convention (e.g.
    >> 21). A's port number is however some random number. B responds to A
    >> from a random port number and with a random port number. Thereafter A
    >> and B converse on those random numbers. I.e., ftp does NOT use port 21
    >> on A. ftp sends the initial request to B on port 21, but its own port
    >> number that it is sending the request from and to which B replies is
    >> random. Thus if you try to block A from sending ftp requests, you
    >> cannot use A's port number to do so. A does not send the request from
    >> port 21.

    >
    > This is wrong. The server's port is never random. The client wants to
    > connect to the server's port 21. He sends a SYN from a random port x to
    > the port 21. The server sends SYN/ACK from port 21 to the client's port
    > x. Afterwards the client sends the final ACK from port x to the
    > server's port 21 to finally start the connection (he has the option of
    > sending RST instead of ACK, to abort the handshake -- this is done, when
    > the initial SYN wasn't actually coming from him, to prevent spoofing).
    >
    > If the server chose a random source port, then the client wouldn't
    > know the context of a packet. That would mean that you couldn't have
    > more than one connection to another machine. A connection is uniquely
    > defined by the two ports involved (and the hostnames of course).
    >
    > Maybe you are confusing this with the additional data channel, which an
    > FTP connection uses to transfer actual filesystem data (i.e. directory
    > listings or files). In the (default) active mode, this channel is
    > initiated by the server, which connects to the client's port 21, turning
    > the client into a server (which is the reason that, for using active
    > FTP, you must not block port 21). In the alternative passive mode (if
    > the client's port 21 is blocked for some reason), the client connects to
    > a (mostly randomly chosen) port on the server. In this case, and only
    > in this case, both ports are effectively "random". But still the target
    > port is chosen by the FTP daemon, not by the operating system.
    >
    >
    > Regards.

    Thanks for clarifying this!
    The data transfer is not essential, only port 21 on the server side, not
    on the client side. If I got it correct? So I guess I made it correct when
    it came to the FTP transfer, blocking all OUT going traffic FROM the server
    on port 21. Then I have to do it the other way around when it comes to
    Messenger, blocking all IN going traffic to the clients on port
    'whatevertheyuse' and don't bother about the OUT going request from the
    clients? Is this assumption correct? (I'm a bit slow on thinking so I have
    to make absolutely sure that I got it.)

    /Micke


  13. Re: Blockin msn?

    micke (06-03-04 09:15:07):

    > The data transfer is not essential, only port 21 on the server
    > side, not on the client side. If I got it correct? So I guess I made
    > it correct when it came to the FTP transfer, blocking all OUT going
    > traffic FROM the server on port 21. Then I have to do it the other way
    > around when it comes to Messenger, blocking all IN going traffic to
    > the clients on port 'whatevertheyuse' and don't bother about the OUT
    > going request from the clients? Is this assumption correct? (I'm a bit
    > slow on thinking so I have to make absolutely sure that I got it.)


    In your case, you have to use the FORWARD chain, which doesn't
    differentiate incoming from outgoing packets, because for the routing
    host there is no such thing as an "internal network" and an "outside
    world". If your local network is connected at eth1 and the internet
    connection is at ppp0, then to prevent clients from connecting to port
    623 you would do something like this:

    # iptables -A FORWARD -i eth1 -o ppp0 -p tcp --dport 623 -j DROP

    Or in your case it might be better to do this via policy DROP and only
    allow certain ports. However, your clients can still use outside
    proxies, bypassing your firewall.


    Regards.
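    As an added illustration (not part of the thread or anyone's post), a small Python model of FORWARD-chain matching shows why the advice in posts 2 and 13 holds: a rule keyed on the client's random source port only catches the single connection it was written for, while a rule keyed on the server's fixed destination port (1863, from post 3) catches every attempt. The interfaces eth1/ppp0 come from post 13; the traffic, and the allowlisted ports 80 and 443, are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on (-i)
    out_iface: str   # interface it will leave on (-o)
    proto: str
    sport: int       # source port: random on the client side
    dport: int       # destination port: fixed by the server

@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    proto: Optional[str] = None      # -p
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: Packet) -> bool:
        # An unset match field (None) matches anything, as in iptables.
        return all(want is None or want == have for want, have in (
            (self.in_iface, pkt.in_iface), (self.out_iface, pkt.out_iface),
            (self.proto, pkt.proto), (self.sport, pkt.sport),
            (self.dport, pkt.dport)))

def forward(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain's default policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed traffic: a LAN client (eth1) opening Messenger three times towards
# the fixed server port 1863. Each connection gets a new random source port
# (3940, 3811, 2360 are the ones the original poster observed).
MSN_ATTEMPTS = [Packet("eth1", "ppp0", "tcp", sp, 1863) for sp in (3940, 3811, 2360)]
FTP_ATTEMPT = Packet("eth1", "ppp0", "tcp", 40123, 21)

def block_by_client_port() -> List[str]:
    """What the original poster tried: a DROP on the source port seen last time."""
    chain = [Rule("DROP", "eth1", "ppp0", "tcp", sport=3940)]
    return [forward(chain, "ACCEPT", p) for p in MSN_ATTEMPTS]

def block_by_server_port() -> List[str]:
    """The thread's advice: match the server's --dport in FORWARD."""
    chain = [Rule("DROP", "eth1", "ppp0", "tcp", dport=1863)]
    return [forward(chain, "ACCEPT", p) for p in MSN_ATTEMPTS]

def allowlist_with_policy_drop() -> List[str]:
    """Policy DROP plus an allowlist of destination ports (assumed: 80 and 443)."""
    chain = [Rule("ACCEPT", "eth1", "ppp0", "tcp", dport=80),
             Rule("ACCEPT", "eth1", "ppp0", "tcp", dport=443)]
    return [forward(chain, "DROP", p) for p in MSN_ATTEMPTS + [FTP_ATTEMPT]]
```

    Only the first of the three Messenger connections is stopped by the source-port rule; the destination-port rule and the policy-DROP allowlist stop all of them.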

  14. Re: Blockin msn?

    Thanks to everyone who has given me advice in this matter. Finally
    solved!

    /Micke

