What is the best way to block Torrent Ports

[Fritz]

Hi,

I'm running OpenVPN for my friends. Is it possible to block certain ports used for torrents?

I've tried to use CSF but after enabled it, my OpenVPN can't reach other servers.

Any recommendation friends?

Fritz

 

[mikho]

Since most torrent clients can change ports it will be difficult to do it.

Perhaps some packet inspection can meet the needs?

 

[EarthVPN]

You may drop connections to common tcp and ports of public and private trackers.If you need more than that you have to implement level7 filtering via iptables.

 

[acd]

The easiest solution is to only allow outgoing connections to specific ports. The short list I use is as such:

• 22 - ssh default
• 80 - http
• 443 - https

Add more depending on your usage scenario. If you need FTP, you can allow 21 & turn on ftp conntrack to allow the second connection through. Basically, don't allow anything you can't protocol analyze on nonstandard ports.

The harder, but in my opinion, more hilarious way of doing it is to tarpit everything else. Use connmark & QOS to tag any connections that are not these three and put them in a shared bucket going maybe 50KBps across all connections and all users. Check out the lartc guide for how to set up HTB to rate limit. Users will quickly get the idea that your service is not good for bittorrent.

 

[Mun]

LOL @Acd

Mun

 

[WebSearchingPro]

Just tell your friends, that you see them downloading that pr0n, and GTFO. 

Of you can do something more sinister, for example when the bittorrent connections are connected you could cause it to flip all websites upside down 

http://www.ex-parrot.com/~pete/upside-down-ternet.html

This would still apply to your scenario since you have full control over their connections while on VPN, you could even go so far as replacing all images to saying "No Torrenting".

 

[wlanboy]

You can use L7-filter for that.

The list of supported protocols is quite huge.

 

[acd]

[..] you could even go so far as replacing all images to saying "No Torrenting".

 That's pretty clever, though a transparent squid proxy is a bit more than I'd put on most of my vpn hosts due to ram requirements.

I think the problem becomes detecting torrenting; most, if not all, modern clients at least try to use encrypted connections, which you pretty much have to allow because SSL is used to secure a lot of applications. From the L7 filter page, matching for bittorrent is fickle at best, it won't positively ID all bt connections and time to classification is bad.

Honestly, I would handle this with 4 tools,

1. QoS - known accepted traffic is prioritized above all others. A single user or group of users cannot be allowed to hose the entire service under any circumstance.
2. Accountability - Keep traffic logs for quantity of data transferred, samplings of number of active connections from conntrack, when a high number of concurrents include a sample of connections list from conntrack, login ip connected from, login time, associated NAT or public ip if more than one available, logout time, and anything else you find appropriate. Require communication with clients be retained through a unified, searchable system including automated mailers, helpdesk tickets, and staff email, tagged by client.
3. Education - Let your users know, be it through a once-per-login transparent squid redirect that shows a ToS/AUP, pre-notify them through signup, monthly newsletter, or what have you. Let them know that you're doing what you can to make the service as high performance as possible for legitimate uses. Be clear about what you think those uses are. Be clear about what you think is unacceptable. Let them know in your privacy policy what information you collect, why, for how long, and explicitly state how it is used and can be used by you. Keep your ToS/AUP up to date and notify users of changes including a brief summary of the change. Be succinct enough that users will at least briefly read it and verbose enough to cover the topic. Most users will listen; Ban the ones who don't.
4. Respectability - Stick to your guns; if your TOS says zero tolerance, enforce zero tolerance, no leeway, no exceptions. Back up your privacy policy with action; don't give out member info without a judge-issued warrant. If you suspect a user is defrauding, botnetting, CPing, or otherwise committing felonious activity, gather data and report to the police/FBI (note that you have the ability, authority, and willingness to do this in your privacy policy). Never ignore suspicion as cause to investigate further but never act without hard, actionable evidence. Enforcing policy is the one place you should really be a hardass, but never one inch beyond that line. Keep your systems up to date and secure; don't ever lose your customers'/clients' trust because of data breach, and if it happens, you have to let them know so that they can take appropriate action to defend themselves. Bottom line is this: You are ultimately responsible for what happens on your systems including the activities of your users and your users for their accounts regardless of any incident or circumstance. Hold yourself to that standard and your users as well and all will be good.

This changes a technical solution into a social engineering solution. It takes significantly more maintenance effort to do this, as opposed to implementing a few firewall rules, but it's a lot more flexible for your users and provides a much higher quality service.

 

[Fritz]

You may drop connections to common tcp and ports of public and private trackers.If you need more than that you have to implement level7 filtering via iptables.

That sounds very good.

Is that compatible with OpenVPN? Do you use it?

The easiest solution is to only allow outgoing connections to specific ports. The short list I use is as such:

• 22 - ssh default
• 80 - http
• 443 - https

Add more depending on your usage scenario. If you need FTP, you can allow 21 & turn on ftp conntrack to allow the second connection through. Basically, don't allow anything you can't protocol analyze on nonstandard ports.

The harder, but in my opinion, more hilarious way of doing it is to tarpit everything else. Use connmark & QOS to tag any connections that are not these three and put them in a shared bucket going maybe 50KBps across all connections and all users. Check out the lartc guide for how to set up HTB to rate limit. Users will quickly get the idea that your service is not good for bittorrent.

What is the best way to implement that? IPTABLES or CSF one?

Is it also possible to use Squid for this?

Just tell your friends, that you see them downloading that pr0n, and GTFO. 

Of you can do something more sinister, for example when the bittorrent connections are connected you could cause it to flip all websites upside down 

http://www.ex-parrot.com/~pete/upside-down-ternet.html

This would still apply to your scenario since you have full control over their connections while on VPN, you could even go so far as replacing all images to saying "No Torrenting".

I can tell them to not download torrent, but when they are keep downloading Torrent my VPS can automatically be suspended.

That's the concern.

You can use L7-filter for that.

The list of supported protocols is quite huge.

Same question for EartVPN, how do I implement L7-filter with VPN?

Any clear guide on this?

 That's pretty clever, though a transparent squid proxy is a bit more than I'd put on most of my vpn hosts due to ram requirements.

I think the problem becomes detecting torrenting; most, if not all, modern clients at least try to use encrypted connections, which you pretty much have to allow because SSL is used to secure a lot of applications. From the L7 filter page, matching for bittorrent is fickle at best, it won't positively ID all bt connections and time to classification is bad.

Honestly, I would handle this with 4 tools,

1. QoS - known accepted traffic is prioritized above all others. A single user or group of users cannot be allowed to hose the entire service under any circumstance.
2. Accountability - Keep traffic logs for quantity of data transferred, samplings of number of active connections from conntrack, when a high number of concurrents include a sample of connections list from conntrack, login ip connected from, login time, associated NAT or public ip if more than one available, logout time, and anything else you find appropriate. Require communication with clients be retained through a unified, searchable system including automated mailers, helpdesk tickets, and staff email, tagged by client.
3. Education - Let your users know, be it through a once-per-login transparent squid redirect that shows a ToS/AUP, pre-notify them through signup, monthly newsletter, or what have you. Let them know that you're doing what you can to make the service as high performance as possible for legitimate uses. Be clear about what you think those uses are. Be clear about what you think is unacceptable. Let them know in your privacy policy what information you collect, why, for how long, and explicitly state how it is used and can be used by you. Keep your ToS/AUP up to date and notify users of changes including a brief summary of the change. Be succinct enough that users will at least briefly read it and verbose enough to cover the topic. Most users will listen; Ban the ones who don't.
4. Respectability - Stick to your guns; if your TOS says zero tolerance, enforce zero tolerance, no leeway, no exceptions. Back up your privacy policy with action; don't give out member info without a judge-issued warrant. If you suspect a user is defrauding, botnetting, CPing, or otherwise committing felonious activity, gather data and report to the police/FBI (note that you have the ability, authority, and willingness to do this in your privacy policy). Never ignore suspicion as cause to investigate further but never act without hard, actionable evidence. Enforcing policy is the one place you should really be a hardass, but never one inch beyond that line. Keep your systems up to date and secure; don't ever lose your customers'/clients' trust because of data breach, and if it happens, you have to let them know so that they can take appropriate action to defend themselves. Bottom line is this: You are ultimately responsible for what happens on your systems including the activities of your users and your users for their accounts regardless of any incident or circumstance. Hold yourself to that standard and your users as well and all will be good.

This changes a technical solution into a social engineering solution. It takes significantly more maintenance effort to do this, as opposed to implementing a few firewall rules, but it's a lot more flexible for your users and provides a much higher quality service.

I am interested to know on how to use Squid Proxy as the main protection.

How do you do that?

 

[wlanboy]

Same question for EartVPN, how do I implement L7-filter with VPN?
Any clear guide on this?

This is quite simple. L7-Filter is an addon to iptables. Add iptable rules to your tun0 device. Done.


iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP

There is a really good book about this topic: http://www.packtpub.com/linux-firewalls/book

 

[acd]

What is the best way to implement that? IPTABLES or CSF one? Is it also possible to use Squid for this?

 
For port specific blocking, iptables is "how it's done". Whether you use a tool like CSF to manage it for you is up to you. I personally prefer not to use CSF as I find it kludgy, but it's much easier for a person new to linux firewalling to understand. You can't do port-specific blocking with squid.

I am interested to know on how to use Squid Proxy as the main protection. How do you do that?

 
tldp has a brief article on setting up transparent proxying.

A quick google search turned up this article on restricting web site access with squid

You cannot use squid to filter non-HTTP connections (not even HTTPS), to my knowledge, or even transparently tunnel them. The client must know they are connecting to an HTTP proxy to issue the connect command. I wouldn't bother, I'd just use iptables to blacklist things I don't like.