Using Firewalls to Block Spyware?

MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."

  • by joFFeman ( 574971 ) on Tuesday May 13, 2003 @08:05PM (#5950424) Homepage
    comes with a HOSTS.TXT that you can extract the data from.

    http://security.kolla.de/
    • by Zocalo ( 252965 ) on Tuesday May 13, 2003 @08:25PM (#5950525) Homepage
      I was going to suggest the "hosts.txt" that comes with KaZaA Lite [doa2.host.sk], which is also pretty extensive (and available separately). Your best bet is probably to "cat * | sort | uniq" to get the combined list, but it's going to be pretty extensive...
        • The "-u" flag to sort(1) only works on systems that implement the XPG4 standard. If you want to write portable shell scripts, you'll need to call uniq(1). Unfortunately for us script writers, not all the world uses GNU textutils.

          HTH. HAND.

      • With karma to burn, I would like nothing more than to congratulate you on your achievement of the Useless Use of cat Award [netsonic.fi].
        • Is cat EVER useful except in rare circumstances or with programs that naively accept one filename only? The page said "The purpose of cat is to concatenate (or "catenate") files. If it's only one file, concatenating it with nothing at all is a waste of time, and costs you a process. " Well, sort is kind enough to accept any number of filenames, so you don't need to concatenate -- sort will do it for you, in one less process.

          sort * | uniq

        • Actually, since all my boxes have GNU Textutils (even the Windows ones [sourceforge.net]) I'd have used "sort -u *", but since the poster may or may not even be using *NIX, I used the longhand command above more to get the concept across. For all we know, his preferred method of achieving this might be to load the two files into a text editor, copy one document to the clipboard and paste it into the other, then use the editor's inbuilt sort function to produce the required file. There are plenty of GUI only types who would
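Putting the hosts-file suggestions in this thread into a script, as an added example that is not code from any poster here: it merges any number of hosts(5)-format blocklists (the Spybot and KaZaA Lite hosts.txt files, for instance) into one lower-cased, de-duplicated domain list, and prints the two squid.conf lines that deny that list, which is where the thread ends up recommending the block be done. Two things a plain "sort -u *" misses are handled: these lists usually come from Windows and carry CRLF line ends, and every hosts file also contains "127.0.0.1 localhost", which must not end up in a blocklist. The sample entries, the file names and the path /etc/squid/spyware.domains are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: merge hosts(5)-format blocklists into
# one domain list and print the squid.conf lines that deny it. The sample
# entries and the path /etc/squid/spyware.domains are made up for the example.

# hosts_to_domains FILE... -> one lower-case domain per line, sorted, unique.
# Stages: strip "# comments"; drop CRs (Windows-made lists); keep every
# hostname after a 127.0.0.1 or 0.0.0.0 address; lower-case; drop the
# localhost entries every hosts file legitimately carries; de-duplicate
# (sort -u is XPG4/GNU; use "sort | uniq" where it is missing).
# sed reads the files itself, so no cat is needed (see the award upthread).
hosts_to_domains() {
    sed 's/#.*$//' "$@" |
    tr -d '\r' |
    awk 'NF >= 2 && ($1 == "127.0.0.1" || $1 == "0.0.0.0") {
             for (i = 2; i <= NF; i++) print $i
         }' |
    tr '[:upper:]' '[:lower:]' |
    grep -v -E '^(localhost|localhost\.localdomain|broadcasthost|ip6-[a-z]+)$' |
    sort -u
}

# squid_dstdomain_list FILE... -> the same list with a leading dot, which makes
# squid's dstdomain ACL match the domain and every subdomain of it.
squid_dstdomain_list() {
    hosts_to_domains "$@" | sed 's/^/./'
}

# squid_acl_stanza LISTFILE -> squid.conf lines referencing the list file;
# they must come before the http_access rules that allow browsing.
squid_acl_stanza() {
    printf 'acl spyware dstdomain "%s"\nhttp_access deny spyware\n' "$1"
}

# demo_merge -> merged list for two constructed sample hosts files (made up):
# comments, CRLF, mixed case, tabs and a localhost line are all exercised.
demo_merge() {
    d=${TMPDIR:-/tmp}/hosts_merge_demo.$$
    mkdir -p "$d"
    printf '127.0.0.1 localhost\n127.0.0.1 hotbar.com www.hotbar.com  # toolbar\n0.0.0.0 ads.example.net\r\n' > "$d/spybot.txt"
    printf '# KaZaA Lite list\n127.0.0.1 WWW.HOTBAR.COM\n127.0.0.1\tgator.example.com\n' > "$d/kazaa.txt"
    hosts_to_domains "$d/spybot.txt" "$d/kazaa.txt"
    rm -rf "$d"
}

demo_merge
squid_acl_stanza /etc/squid/spyware.domains
```

Write the output of squid_dstdomain_list to the list file, add the two stanza lines to squid.conf and reconfigure squid. Because each entry starts with a dot, ".hotbar.com" already covers www.hotbar.com; squid warns at startup about entries that are subdomains of other entries, which is harmless but a hint to prune the list. The undotted list from hosts_to_domains can feed a DNS sinkhole or a firewall instead.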
  • Firewall policy (Score:5, Informative)

    by Krandor3 ( 621755 ) on Tuesday May 13, 2003 @08:14PM (#5950467)
    A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.
    • I hope you aren't advocating only allowing certain egress ports, because that right there is the cause of so much headaches for users it's not even funny. Block stupid crap like hotbar, gator, etc. etc.. but PLEASE do NOT make me have to stop my work to go bug the tech person to bug his superior, to bug their superiors to open an egress port. I have to deal with that at my school (work situations are slightly different, but still rather annoying). I have to basically tunnel everything that isn't ftp acc
      • Re:Firewall policy (Score:4, Insightful)

        by Anonymous Coward on Wednesday May 14, 2003 @12:55AM (#5952098)
        Huh? Either this is a troll, or you just don't get it.

        Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.

        Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.

        Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.

        If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.

        Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination. You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.

        A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail user's access to potentially hazardous sites, without impacting their ability to function.
        • Ok, I was a bit harsh because I'm having problems with egress filtering in a school situation: I live there, and they prevent me from doing my school work and other things by their stupid rules. Places of employment I agree with you a bit more. My fault for saying that it's bad at all times, there are certainly times when it's ok..

          I still say egress filtering is a nuisance to people who know what they're doing, but I guess it is a necessary evil against people who think they know what they're doing, and
          • Re:Firewall policy (Score:1, Insightful)

            by Anonymous Coward
            A nuisance yes, but a necessary evil - there are far too many people out there that think they know what they're doing, and don't have the slightest idea. Then there are the paper-trained MCSE/MBA people - knows enough to sound smart, but stupider than shit.

            These rules are very likely there for a good reason. I'm sure the admins are willing to listen to a good, well thought out argument against the filtering of something (I know I would).

            My rule basically goes like this; if you can present to me a good (mana
            • what they are doing are the worst, any true Guru generally downplays their knowledge because they know how much is out there and how fast it changes.

              I once read, the more you know, the more you know there is to know, the less you really know.

        • If you own a business and run a proxy server, please do not deny any users. You are doing a disservice to the Internet community by doing so, we already have a big enough problem with SMTP spam.
    • The poster wants to block spyware downloads, not spyware calling home. I've seen brand new, top-of-the-line Windows XP systems brought to their knees by loads of poorly designed and intrusive spyware and adware; in an enterprise system, filtering out incoming spyware downloads means less troubleshooting headaches, as well as no complaints from users that want to know what happened to their Bonzi Buddy. While a static block file might help things, new adware is being produced continuously. A user-maintain
      • Ghosting win2k clients every weekend?

        Nah. Get one of those hardware recovery cards.

        http://www.google.com/search?num=100&hl=en&lr=&ie=ISO-8859-1&safe=off&edition=&q=card+%22hardware+recovery%22

        http://www.magiccard.ca/MCnews/apex_summary.htm
        http://www.pnltools.com/printproduct.asp?productid=196

        It doesn't stop a trojan from screwing up a user's files. Or exploiting other hosts on the network while the exploited PC is up. But reboot and most things are fine, just restore use
    • I deal with a lot of sites that are implementing security for the first time due to HIPAA regulation.

      If you are a stone-cold IP expert, that is, you can name at least thirty ports and their uses off the top of your head, you know exactly why DirectX v7 doesn't NAT properly, you are intimate with the ICMP packet structure, you know why FTP uses more than one channel (and how to proxy that) you are qualified to do this.

      If you aren't an expert, and you set up a firewall for an existing site using the philoso
      • Re:Yes and No. (Score:3, Insightful)

        Okay, I'll bite.

        Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport [puffinsoft.com], which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.

        Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary. As for FTP, passive mode is preferred as it allows connections to

        • /.

          Okay, I'll bite.

          OUCH! Hey, cut that out.

          Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport, which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.

          Let me give you an example: If you are playing SMACX (Sid Meier's Alpha Centauri, Alien Crossfire expansion, which is a typical v7 multiplayer game) with players on both the inside (RFC1918 10.xxx addressing)

  • pix spam blocking (Score:3, Interesting)

    by Digita1Prophet ( 600549 ) <Digita1ProphetNO@SPAMyahoo.com> on Tuesday May 13, 2003 @08:29PM (#5950554)
    Try the CAUCE, Osiris Relay, ORBS, and other spam clearing house websites. I was able to pull down spam domains and ip addresses to route to a non-existent port on my firewall.

    And don't forget those weather news download sites and gotomypc.com!!!!

    If you need some starter lists drop me a note.
  • Maybe these? (Score:4, Informative)

    by Gryftir ( 161058 ) on Tuesday May 13, 2003 @08:32PM (#5950568)
    Spy Sites [cexx.org]
    As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

    Gryftir
    Death to all Fanatics!
    • Gryftir writes:

      As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

      On that topic, an instance of VMWare [vmware.com] works great for providing a test "victim workstation" on which to install spyware, document the filesystem and network behavior, and easily revert back to a clean system with a minimum of effort.

      It's even possible to execute two or more identical test systems on their own private "ethernet bridge" to watch the scanning and propagation behavior of a v

  • by mattsouthworth ( 24953 ) on Tuesday May 13, 2003 @08:32PM (#5950571) Journal
    I asked myself the same question a few months ago - creating a blacklist for squid - and couldn't find a good resource. I grabbed the hostfile that came with spybot and started with that - I found that about 10 domain names account for 90% of the spyware out there.

    The list itself is at the office, but maybe I'll reply to myself tomorrow.
    • Wow, I can't cut or copy out of the reporting client. Anyway, a list of domains to block should include what I have below. I haven't modified this for a couple months, so I'm sure there are new offenders.

      Ideally, you don't do this on your PIX, but on your web proxy (you don't allow unauthenticated unproxied web browsing do you?) - a lot of DNS lookups could seriously impair your firewall. Also, I got better performance by noting and including all the subdomains below (like http://hotbar.com and http://www.
  • by rogueMonkey ( 669464 ) on Tuesday May 13, 2003 @08:32PM (#5950575)
    Our site denies software installations of any type through Windows policies for anyone but power users (ie.: programmers and not even all of them). Sure there were complaints and groaning... But they weren't for crashing computers anymore. You'd be surprised of the kind of sh*t some cute screen savers (TM) install. DLL messups, preferences mangling! So while firewalling might prevent some of the symptoms of spyware (ie.: call homes) good policies both technically enforced and "socially" enforced go a long way.
  • by (H)elix1 ( 231155 ) <slashdot.helix@nOSPaM.gmail.com> on Tuesday May 13, 2003 @08:33PM (#5950581) Homepage Journal
    I don't have a complete list, but you may want to add 66.35.250.150 to your IP blocks banned. I've seen way too much time lost to that one...
    • Re:Time wasters... (Score:5, Informative)

      by muonzoo ( 106581 ) on Tuesday May 13, 2003 @08:42PM (#5950623)
      In case you can't figure it out, it's funny.
      Welcome to Darwin!
      bash-2.05a$ host 66.35.250.150
      150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
      150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org
      • Welcome to Darwin!
        bash-2.05a$ host 66.35.250.150
        150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
        150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org


        Yeesh, give these Mac kids a command line and they start goin nuts!
        • Oh, sorry, perhaps I should have done:
          OpenBSD 3.2 (GENERIC) #25: Thu Oct 3 19:51:53 MDT 2002

          -bash-2.05b$ host 66.35.250.150
          Name: slashdot.org
          Address: 66.35.250.150
          Although there is something amusing about being called a "Mac Kid".
  • by StandardCell ( 589682 ) on Tuesday May 13, 2003 @09:17PM (#5950851)
    I can't remember which spyware apps did this, but they will actually go into the ZoneAlarm config and get through that way. It's scary, but it happens. IIRC I even read about it on /. (imagine that...).

    The other way firewalls get bypassed is if the spyware uses something already given permission to tunnel out on a system, like a web browser spyware plug-in would. In that case, what chance do you have of stopping it but to remove it?
  • by infonography ( 566403 ) on Tuesday May 13, 2003 @09:49PM (#5951063) Homepage
    Here is a copy of mine [66.123.75.177] in Text format.
  • by Demona ( 7994 ) * on Tuesday May 13, 2003 @09:53PM (#5951088) Homepage
    after the horse has left, but for what it's worth, there's Peer Guardian [methlabs.org], which uses a constantly updated list of IP addresses [methlab.tech.nu] which have been declared "bad".
  • After having a couple of calls regarding the Permissioned Media "trojan" from users at work (which will still install even if you decline the Software Install prompt at the warning), I decided to look around the Net for ways to block it. I stumbled across Symantec's listing [symantec.com] of the "trojan", which provided a list of IP addresses.

    So I setup outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the downloa

  • Be careful, you don't want to get sued [slashdot.org]
  • Windows XP supports application signing. Learn more at microsoft.com/windowsxp
  • I personally use Tiny Personal Firewall [tucows.com]. It doesn't have tons of features but it does the job. Every time a program tries to access the internet, I'm given the option to block or allow and can set up rules accordingly. So when adware tries to get out and report home, I block its network connection. (Ver. 2 is free)

    In addition, it is nice because I can stop Outlook Express from accessing images from HTML docs, and many programs with built in images for ads can have their ads blocked as well.

    There are oth
  • My hosts file is here:
    http://www.froggy.com.au/mike.skinner/16bit win.htm

    It blocks lots of ads, cookies, trackers and XXX sites. It might even block Slashdot images and ads ;-) to load much faster...

  • http://www.slashdot.org
  • We had the same problem here, someone went and started to image our new sites, and hmm what do we find but Gator.. this thing was driving us nuts, but since we have our own internal DNS that gets used, we put an entry in the DNS that pointed all traffic destined for gator to 127.0.0.1 .. the gator traffic that was 75% of our outbound traffic dropped to 0%...
  • by Zeddicus_Z ( 214454 ) on Wednesday May 14, 2003 @08:13AM (#5953439) Homepage
    The easiest way to achieve what you want is to change your network security policy, and enforce it by way of ACLs on the INSIDE interface of your PIX. By this, I mean:

    Go from your current "Internal users can access anything they want" (default allow), to "Internal users can ONLY access what we allow" (default deny). The beauty of this is that you *don't* waste time tracking down various ports for each and every application you want to block. Nor do you have to worry about keeping up with the latest spyware-ridden P2P client crap to be released. The only thing it *won't* cover is applications using protocols you allow (such as using port 80 for data xfers in $P2PappName). You can cover this with more specific ACLs on a per-shittyFsckingMakeMyNetworkAdminLifeMiserableP2PApp basis. But I digress.

    The PIX makes this very easy - matter of fact, we do this exact same thing at work.

    First thing you need to do is take a list of all network applications (or protocols) that your users require to do their jobs. Things like FTP, WWW, SSH and the like. Next, you formulate your ACL list to be applied to the inside interface (or whatever name you gave to the interface your users sit on. It defaults to INSIDE with a security level of 100). Do this in a text file, and check it for sanity BEFORE you apply it to your PIX (otherwise you have irate users calling you 100 at a time, screaming that you broke $nameOfAppINeedToDoMyJob).

    Once you have this list and you think it's complete, add a default deny rule to the bottom. Now before you go pointing out that PIX already has default-deny, you should STILL add this because the PIX won't log packets that hit its default deny - only packets that match an explicitly defined Default Deny ACL.

    Very basic example ACL list:

    access-list PERMIT_OUT permit tcp any any eq 80
    access-list PERMIT_OUT permit tcp any any eq 21
    access-list PERMIT_OUT deny ip any any log
    access-group PERMIT_OUT in interface inside

    (The deny line denies all other traffic from any source to any destination on any port, and logs it: the PIX access-list syntax requires a protocol keyword, here "ip", and it is the "log" keyword that makes the hits appear in the log. The access-group line binds the list to the inside interface; until it is applied, the list has no effect.)

    The above will allow FTP and HTTP outbound for your users (you need to use protocol fixup on the FTP), and deny ALL other traffic! Problem solved, and it only takes about 10 minutes to do.
  • Don't mean to sound like an Internet Nazi, but...

    Denying all traffic while allowing only the bare minimum necessary is a good policy to implement on many levels. Here's some of the most important reasons why that are in my head right now (not necessarily in order of importance):

    - increased security: not only are outsiders unable to see what you have running inside (obscurity), they simply can't get to it. What can't be reached, cannot be easily (i.e. directly) exploited

    - simplifies management of rules: i
  • One of the very few mainstream websites to use totally weird ports is FedEx. Their Java applet for shipping packages not only uses unusual ports, it requires that a connection be opened from the host side. If you're behind a NAT box, this is painful. Amazingly, Linksys has special support for this.
  • Make sure you block this ip address [66.35.250.150].

    Your employees will undoubtedly spend way too much time there, and it's full of a bunch of opinionated, undereducated tech geeks anyway!

  • Better yet, block internal hosts from communicating to the Internet on port 53, and require all internal hosts to use the local nameservers instead.

    On these nameservers, override the zones for the biggest spyware domains and also for AIM, Yahoo Chat and the like, adding wildcard A records directing the request to the IP address of an internal machine running a HTTPd, or to 127.0.0.1.

    The effect is twofold -- this will break 90% of the spyware programs, and you will have a log of all of the internal clien

    • If I still had some mod points, I'd mod this post WAY up. It's one of the first few posts to deal with the original topic.

      In places where my clients were worried about spyware/trojans/web tracking/popups, I installed a split DNS with firewall rules blocking outgoing port 53 from all internal networks. The internal DNS server would only be allowed to contact the external, which would then perform the real world lookups. The internal server was made authoritative for hundreds (greps my master file, 322) domai
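An added example, not code from either of the two posts above, of the split-DNS blackholing they describe: given a plain domain list (one name per line, such as the merged hosts-file output), it writes the named.conf zone stanzas that make the internal BIND server authoritative for each spyware domain, and the one shared zone file whose wildcard record answers every name under those domains with a sinkhole address. Subdomains whose parent is also listed are dropped, because the parent zone's wildcard already catches them. The zone file path /etc/namedb/blackhole.zone, the sinkhole address 10.0.0.250, the name-server name ns.corp.example. and the sample list are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the BIND configuration for a
# spyware DNS sinkhole from a plain domain list (one name per line).
# Assumed for the example: the zone file path, sinkhole address and NS name.

SINKHOLE_IP=${SINKHOLE_IP:-10.0.0.250}            # internal host running a web server
ZONE_FILE=${ZONE_FILE:-/etc/namedb/blackhole.zone}
NS_NAME=${NS_NAME:-ns.corp.example.}              # the internal resolver's own name

# blackhole_zone_file -> contents of the one zone file every blackholed domain
# shares. "@" answers for the bare domain, "*" for any label under it, so
# hotbar.com, www.hotbar.com and cdn.x.hotbar.com all resolve to the sinkhole.
blackhole_zone_file() {
    cat <<EOF
\$TTL 3600
@   IN  SOA  $NS_NAME hostmaster.$NS_NAME ( 1 3600 900 604800 3600 )
    IN  NS   $NS_NAME
    IN  A    $SINKHOLE_IP
*   IN  A    $SINKHOLE_IP
EOF
}

# clean_domains DOMAINFILE -> lower-case, sorted, unique, syntactically valid
# names with surrounding whitespace and leading/trailing dots removed; names
# whose parent domain is also listed are dropped (the parent's wildcard covers them).
clean_domains() {
    tr '[:upper:]' '[:lower:]' < "$1" |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\.//' -e 's/\.$//' |
    grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
    sort -u |
    awk '{ seen[$0] = 1; order[NR] = $0 }
         END {
             for (i = 1; i <= NR; i++) {
                 d = order[i]; p = d; covered = 0
                 while (sub(/^[^.]+\./, "", p)) {   # strip one label at a time
                     if (p in seen) { covered = 1; break }
                 }
                 if (!covered) print d
             }
         }'
}

# named_conf_zones DOMAINFILE -> one "zone" stanza per surviving domain, all
# of them master for the same blackhole zone file.
named_conf_zones() {
    clean_domains "$1" |
    while read -r dom; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$dom" "$ZONE_FILE"
    done
}

# demo_sinkhole -> stanzas for a constructed sample list (made up for this
# example): mixed case, stray dots, a covered subdomain and a garbage line.
demo_sinkhole() {
    f=${TMPDIR:-/tmp}/spyware_domains.$$
    printf 'hotbar.com\nWWW.HOTBAR.COM\n.gator.example.com.\nnot a domain\nads.example.net\n' > "$f"
    named_conf_zones "$f"
    rm -f "$f"
}

demo_sinkhole
blackhole_zone_file
```

Append the stanzas to named.conf on the internal server, write the zone file, and reload. If the sinkhole address is an internal host running a web server, its access log shows which workstation asked for which spyware domain, and BIND's query logging gives the same picture at the resolver. For the firewall half of the scheme, the inside-interface ACL on the PIX should permit UDP and TCP port 53 only from the internal nameservers, so a client that hard-codes an outside resolver cannot step around the override.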
