<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body>
I think I need to look for connect strings and such in the packets. I
think it's going to be a bear. Anyone had any luck with string matches
in IP tables I've never played with it.<br>
<br>
<br>
Richard Hubbard wrote:<br>
<blockquote type="cite"
cite="mid20030423145617.67669.qmail@web20422.mail.yahoo.com">
<pre wrap="">We had this issue at ITT and found that it keeps
hopping to all sorts of ports. The last time I tried
to check it went through approximately 15-20 ports,
each one trying to connect to several dozen ip
addresses. So trying to block a port or ip address
doesn't really work (especially since one of those
ports is port 80, trying to sneak through any kind of
packet filter.
There is a bass ackward way we have stopped kazaa, and
that was using a win2k resource kit utility to go to
each machine, list the processes on each machine (a
win2k version of ps) and send them to a filter to see
if kazaa turns up. if it does, then we kill the
process, log off the user, and disable their login.
You can leave it at kill the user.
The script cycles through about 100 computers in less
than a minute, and takes up little processor time on
each machine. So even if someone installs and fires
up kazaa, you can still kill it.
the bad news? you have to have admin priveleges on
those machines. so if someone plugs in their laptop,
then we can't shut down the process because we cant
run the script on their machine.
The only other way to block kazaa would be to look
more deeply into the packets and block them based on
the service being requested. much tougher.
--- Justin Bennett <a class="moz-txt-link-rfc2396E" href="mailto:justin.bennett@dynabrade.com"><justin.bennett@dynabrade.com></a>
wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I tried blocking 1241 It still works. I see stuff on
1697, I'll try
blocking that. I blocked that now it's on 1699. It
seems to keep moving
the ports to an open one.
Justin Bennett wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I'm loading it up now, I'll get out the good old
</pre>
</blockquote>
<pre wrap="">packet sniffer and
</pre>
<blockquote type="cite">
<pre wrap="">see what I can come up with.
Justin Bennett wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I found some info, they say to block 1214, but
</pre>
</blockquote>
</blockquote>
<pre wrap="">others say kazaa just
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">uses a diffrent port if that one is blocked. I
</pre>
</blockquote>
</blockquote>
<pre wrap="">don't know enough
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">about how Kazaa works to know if thats true. If
</pre>
</blockquote>
</blockquote>
<pre wrap="">it connects to a
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">central server or not (like napster) first if so
</pre>
</blockquote>
</blockquote>
<pre wrap="">maybe blocking that
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">can stop it... Let me know what you find I'll
</pre>
</blockquote>
</blockquote>
<pre wrap="">keep looking too.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Thanks
Justin
Cyber Source wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I took a quick look into our shorewall config
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">here because I could have
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">sworn I saw a commented out section for Kazaa in
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">there but I couldn't
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">find it this morning. I was looking for the port
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">number for you and
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">even
in a quick search on Google, found no quick
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">location of the port Kazaa
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">uses. If I find it I will pass it on.
On Wed, 2003-04-23 at 07:31, Justin Bennett
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">A buddy of mine asked me to block Kazaa for him
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">on his Frat's dsl
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">connection, he has a linux fw/router using
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">iptables. I have not
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">used kazaa anyone have a rule to block it.
Thanks
Justin
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">--
Justin Bennett
Network Administrator
RHCE (Redhat Certified Linux Engineer)
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
</pre>
</blockquote>
<pre wrap=""><!---->
__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
<a class="moz-txt-link-freetext" href="http://search.yahoo.com">http://search.yahoo.com</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Justin Bennett
Network Administrator
RHCE (Redhat Certified Linux Engineer)
Dynabrade, Inc.
8989 Sheridan Dr.
Clarence, NY 14031
</pre>
</body>
</html>