Blocking Chat

Hi All,

Anyone sussed a way of blocking the msn chat client. First thing i
tried was blocking port: 1863

iptables -A FORWARD -p tcp --dport 1863 -j REJECT

and then

iptables -A FORWARD -p tcp -s 10.0.0.0/24 -d messenger.hotmail.com -j
REJECT

and then iptables -A FORWARD -p tcp -s 10.0.0.0/24 -d 64.4.0.0/18 -j
REJECT

And loads of other combos as well.

Just had a google around. And it turns out that the little bastard
will continue to probe for other ports when denied access to 1863. It
can also http tunnel!

I could drop an acl on squid. But i would prefer to use netfilter as i
can then run it a cron job with my other firewalll scripts. Its been
requested that i limit the times that people can chat.

Many Thanks

Luke

On Wed, 23 Jul 2003 16:27:01 +0100, Lord Shaolin wrote:

> "luke" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
>> Hi All,
>>
>> Anyone sussed a way of blocking the msn chat client. First thing i
> <snip>
>
> Block access to the whole MSN subnet.
>
> http://www.security-forums.com/forum...pic.php?t=1545
>
> 64.4.13.*
>
> --
>
> -+ Shaolin +-
> Discard what is useless, absorb what is not and
> add what is uniquely your own.
>
> .: http://www.security-forums.com :.


Thanks for that Shaolin,

In the end i had to block a whole other subnet;

iptables -A OUTPUT -p tcp -d 207.46.106.0/24 --dport 1863 -j REJECT

01:01:12.367487 81.135.90.97.35429 > 207.46.104.20.1863

This was on my home box. Might be different at work as i am running a
transparent proxy. Still port 80 is wide open here as well!!

Cheerz,
Luke

"luke hinds" <(E-Mail Removed)> wrote in message news:<pan.2003.07.24.00.11.26.329230@REMOVEbtopenw orld.com>...
> On Wed, 23 Jul 2003 16:27:01 +0100, Lord Shaolin wrote:
>
> > "luke" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) om...
> >> Hi All,
> >>
> >> Anyone sussed a way of blocking the msn chat client. First thing i
> > <snip>
> >
> > Block access to the whole MSN subnet.
> >
> > http://www.security-forums.com/forum...pic.php?t=1545
> >
> > 64.4.13.*
> >
> > --
> >
> > -+ Shaolin +-
> > Discard what is useless, absorb what is not and
> > add what is uniquely your own.
> >
> > .: http://www.security-forums.com :.
>
>
> Thanks for that Shaolin,
>
> In the end i had to block a whole other subnet;
>
> iptables -A OUTPUT -p tcp -d 207.46.106.0/24 --dport 1863 -j REJECT
>
> 01:01:12.367487 81.135.90.97.35429 > 207.46.104.20.1863
>
> This was on my home box. Might be different at work as i am running a
> transparent proxy. Still port 80 is wide open here as well!!
>
> Cheerz,
> Luke

The above scenario worked on the nix variety of aim - i.e. gaim.

Well came in to work today and dropped the above rule onto the
firewall. Tried to start msn mess (version 5) and logged on first time
:¬(

Anyway couple of hours later one of the staff called me over. 'Hey
tech buddy! 'Look at this, i can logon with MSN 5 but i can't with my
newly obtained msn mess version 6 with all the flashing lights and
shit!'( a new version that supports sharing backgrounds and launching
webcams). So it seems that may be (only 'may be') MS have put aside
the above subnet for their new version of IM.

But why does gaim use the 207.46.106.0/24 as well as the new version
(thought it would be the same as the old one)? Does the client get
assigned a subnet from some sort of process running on the
messenger.hotmail.com server??

Think i'll have to dump some more packets of the login moment. Talking
of which have you seen some of the stuff that go's out during a
'Windows update service'. Ok may not the right newsgroup!

Cheerz,
Luke

luke wrote:
> Hi All,
>
> Anyone sussed a way of blocking the msn chat client.

I think you'll find that the best solution is not technical, but
disciplinary...