antioch_75
asked:

Block MSN Messenger and Yahoo Messenger

Hi all,
Can someone tell me how to block Yahoo and MSN Messenger on a firewall? I have tried to block the following ports:

Yahoo Messenger = 5000 to 5010 and 5050
MSN Messenger = 1863

But all this blocking does not work. For all these IMs, do I need to use the IP address? I block all the ports as TCP ports.

I hope someone will enlighten me. thanks.

ahoffmann

Yahoo would be blocked with iptables like:
iptables -A FORWARD -p TCP --dport 5000:5010 -j REJECT
iptables -A FORWARD -d cs.yahoo.com   -j REJECT   # hostname is resolved once, when the rule is added
iptables -A FORWARD -d scsa.yahoo.com -j REJECT   # one rule per address the name resolves to

Think it's similar with MSN.
But keep in mind that some people know how to tunnel the ports, for example over port 80 or 443.
Jimmy_the_Saint

It depends on what firewall you're using.

I assume you want to block them from getting OUT? By default, they should be blocked from getting IN.

If the Firewall can be configured in this way (many can), you should configure a specific rule that blocks ANY Traffic to/from their application names.

MSN Messenger is:  msmsgs.exe

Not sure on the name for Yahoo ?

That way, you won't have to worry about the IP addresses, or the port numbers, and it gets around the tunneling option mentioned by ahoffmann.
Jimmy_the_Saint, just stupid/lazy script kiddies will be blocked this way ;-)
antioch_75 (asker)

Hi,
My firewall does not allow me to use scripts. For your information, I am using a 3Com firewall, and it allows me to block by IP address, port (TCP, UDP) and domain name.

Regards,
>
> just stupid/lazy script kiddies will be blocked this way
>

Well, yeah, I know what you mean, but ......

I had made an assumption (and it was only an assumption - often a dangerous thing to do!) that antioch_75 wasn't really being specifically targeted by anyone. The initial posting sounded like it was someone who wanted to prevent internal users from playing with IM software, and possibly bringing viruses or trojans etc. inside.

That's why I suggested just getting the Firewall to restrict at app. level.

After all, if we're talking specific targeting, any real hacker isn't going to be turned away just because they can't get in via IM software and/or IM ports.

Perhaps think of the Firewall set-up in this way:

1.  Specify 'permit rules' for traffic you need / want on the Firewall.

2.  Have a 'catch-all' BLOCK rule as the last rule, so nothing that you haven't specifically allowed gets through.

3.  And if any of your 'permit rules' seem to be too global, or have left an obvious weakness, then you can always insert specific BLOCK rule(s) just above those.

So if you haven't allowed for IM, it shouldn't happen !

Although this might be getting too much into setting up a Firewall from scratch, and I'm not sure that's exactly what you wanted ?
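The three-step layout in the post above (permits for what you need, a catch-all block last, specific blocks inserted above any permit that is too broad), written out as an iptables FORWARD chain. This is an added example, not code from the thread or from any poster; the LAN range 192.168.1.0/24 and the interface name eth0 are assumptions, and the IM ports are the ones named earlier in the thread (1863 for MSN, 5000-5050 for Yahoo). The script prints the ruleset rather than applying it, and includes a small checker that confirms the ordering rule was respected:

```shell
#!/bin/sh
# Added example, not from the thread: a FORWARD chain laid out in the order the
# post above describes. Specific blocks first, then the permits the LAN actually
# needs, then a catch-all REJECT as the final rule. The chain policy is DROP so
# that nothing falls through even if the catch-all is ever removed.
# LAN range and WAN interface are assumptions.

LAN="192.168.1.0/24"
WAN_IF="eth0"

# build_forward_rules: prints the chain in iptables-restore syntax without applying it.
build_forward_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Step 3: specific blocks sit above any permit that might otherwise let them through.
    printf '%s\n' "-A FORWARD -s $LAN -p tcp --dport 1863 -j REJECT"
    printf '%s\n' "-A FORWARD -s $LAN -p tcp --dport 5000:5050 -j REJECT"
    printf '%s\n' "-A FORWARD -s $LAN -p udp --dport 5000:5050 -j REJECT"
    # Step 1: permits for the traffic the LAN needs (replies, DNS, web).
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $LAN -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $LAN -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # Step 2: catch-all block as the very last rule.
    printf '%s\n' "-A FORWARD -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' 'COMMIT'
}

# check_order RULESET: exit 0 when the catch-all is the last rule and no port-specific
# REJECT appears after an ACCEPT (which would make that block unreachable), else exit 1.
check_order() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD/ { n++; rule[n] = $0 }
        END {
            if (rule[n] != "-A FORWARD -j REJECT --reject-with icmp-port-unreachable") exit 1
            seen_accept = 0
            for (i = 1; i <= n; i++) {
                if (rule[i] ~ /-j ACCEPT/) seen_accept = 1
                if (rule[i] ~ /--dport .* -j REJECT/ && seen_accept) exit 1
            }
            exit 0
        }'
}

RULES=$(build_forward_rules)
check_order "$RULES" && printf '%s\n' "ruleset order OK"
# On the router itself this would be applied with: build_forward_rules | iptables-restore
```

Port 80 is deliberately on the permit list, since the thread notes it cannot be blocked outright; the later replies about a proxy are the answer to the clients that fall back to it.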
Jimmy_the_Saint, we are drifting away from the question ..
antioch_75, if your firewall can only handle IPs and ports, see my first suggestion (just the relevant info, not the iptables command itself).
antioch_75,

If you wanted to allow IM software, I have listed the port numbers below you would have to allow.  You'll have to be careful - if conversely, you choose to block the numbers below, be aware that some of them will block genuine port numbers, so try to make sure you specify these blocks ONLY FOR THE RELEVANT APPLICATIONS - that's another reason why it's best to adopt the strategy I mentioned above in the Firewall - allow what you want, have a 'block all' to catch any that fall through, and insert specific blocks where any of your allow rules might let something through you don't want.

Ports listed apply to both LOCAL & REMOTE ports:

Yahoo:
TCP: 80, 5000-5050
UDP: 5000-5050

MSN:
TCP: 1863,
UDP: 1503, 3389, 5004-65535

AOL IM:
TCP: 5190-5193
UDP: 5190-5193

NetMeeting:
TCP: 1720, 1024-1503, 1504-65534
UDP: 1024-65534
Hi Jimmy the Saint,
Thanks for the comment/suggestion. I will try your suggestion once my users stop bothering me with their desktop problems. Actually, I feel quite skeptical about the list of ports which I can block for Yahoo Messenger. As I have read about how Yahoo Messenger works on the Yahoo page, I have realised that Yahoo Messenger will try ports 5000 to 5050 and, if that fails, it will use port 80 and lastly it will try any available port (idiot Yahoo Messenger and MSN Messenger). Of course, I can't block port 80 as it is the HTTP port. However, I will try out your suggestion soon.
My purpose in blocking IMs is to protect my network. As an I.T. person, I have the responsibility to ensure the security of the network. And I don't trust anything that is free in the I.T. realm (except for Java and Linux).
I have managed to block ICQ and my boss has given me permission to block IMs.
Furthermore, a lot of I.T. experts have been pointing out the security of the MS software and I want to filter out any possibility of hackers through the holes in the MS software.
Hi antioch_75,

I understand your problem.  Sounds like this is on the TODO list, but only when you get some free time from the immediate tasks.

I don't think your Firewall would allow you to block by application name, but you should maybe think about the following:

1.  Block by domain name - if it's a business environment, there should not be too many reasons why people HAVE TO have access to Yahoo or MSN as their search engines - there are others they can use, so by blocking sites like those at domain level, you could hopefully stop all the IM activity - client based or website based.

2.  If you don't already have one, think about a proxy-server / gateway type of set-up, so that all requests from your internal network are filtered, and you start to control some of the web content and which websites they can get to etc.  That way you're using both a Firewall and a proxy.  Your Firewall will protect you against 'brute force' port attacks from the outside, and Trojans getting back out, but your largest problem potentially is internal users using insecure software(s) which might expose vulnerabilities, so you have to tightly control that.

3.  POLICY - let them know that use of IM facilities is not permitted on business machines (you can choose to educationally inform them of the security weaknesses of IM software, and some hacking statistics if you want).  But spell it out - once they know that, they have something to lose if they choose to disobey.
And you're not being unreasonable.

Your job is to protect the organisation's network.

Anyway, Good Luck.

Hi Jimmy,
I have tried out all and I confirmed that the Yahoo and MSN Messenger will attempt to connect using Port 80 if it cannot find its port. Well, I think I will propose a better firewall for next round migration.

Regards,
You need an adaptive proxy/firewall (or application-level firewall) to fix this,
or block access to messenger.hotmail.com, etc. for any traffic whatsoever. A simple proxy server will be as effective as a new firewall. Configure your outbound rules so that only the proxy server has access and force users to authenticate with the proxy.
ASKER CERTIFIED SOLUTION
slappedmonkey
> blocking 64.*.*
> blocking 207.68.*.*

.. and if I'd be behind such a configured firewall and want to have access to these IPs, somehow, I'd simply use a proxy, or a http(s)-tunnel
ahoffmann,

Point taken - it is not an industrial strength solution, but it maybe all that antioch_75 requires.
If the 'users' being restricted do not have excessive abilities to download, or to install new software, then proxies and tunnels will hopefully not be such an issue anyway ?


slappedmonkey,

Quote <If this helps you please accept the answer.> Unquote

What is that all about ???   With every potential solution posted, that statement is automatically taken as read !

To actually add that statement to your post is kinda 'manipulative' I'd say.

It sort of comes under the heading of categories like "If you don't ask, you don't get", and "clinching the deal".

So, high marks for businessmanship, low marks for technical purity !

You can tell I didn't like it much !  ;o)
Jimmy_the_Saint ...


When I read your sour-grapes reply I instantly knew that you're some sad kid who previously replied to this guy's question. I scrolled up and found this true.

Are you mad that your reply (which probably took you half an hour) was no good?

The reason mine is so much better than yours is the fact that he doesn't need anything like a firewall on all client pc's, a fancy proxy server.

If you're so keen for him to spend, how about you spend money and buy your points if you're so desperate for them? huh?!

If you worked for half an hour instead of sitting at your computer whinging about people's replies you'd earn enough money to buy some points !!!

"So, high marks for businessmanship, low marks for technical purity !"

???

This is a help forum, not a business ! I do not sell my points to other users.
slappedmonkey,

My point is still valid (and I can tell from your response, I've obviously touched a raw nerve).
The fact is - you don't need to add lines like "If this helps you please accept the answer."
Any new user to a forum, would feel pressurised by a statement like that into making an award of points.
I know that, and I think you do too.


'The points' don't concern me - but I guess they must concern you, to add that statement.  If you read my responses, either here or any other times I have posted, I am more interested in solving or at least explaining the problem to the person.


"Are you mad that your reply (which probably took you half an hour) was no good?"
This comes under "PROD, PROD - wait for a reaction ........ PROD, PROD, wait for a reaction !"

No, I don't think my reply was no good.  If it wasn't what antioch_75 wanted, I have no problem with that.

And just to put your own reply in some perspective, ahoffman had already suggested the equivalent of that in his first reply - don't you take the time to read what has already been suggested ?


So, once again, why exactly did you put "If this helps you please accept the answer." ?
hmm, don't want to join this latest struggle/discussion, but I'm also interested in just the answer to:

> So, once again, why exactly did you put "If this helps you please accept the answer." ?

the answer? pretty simple....

As a newbie myself I forget to accept answers when they're posted (I'm sure mods don't like having to email people telling them to accept answers). Therefore I was reminding this poster that he should accept the answer (I didn't say "YOU BETTER ACCEPT MY ANSWER PUNK"). Anyway, I believe the person who posted the question was smart enough to know whose answer helped him the most. My answer obviously did. I know mine was the most helpful.

"And just to put your own reply in some perspective, ahoffman had already suggested the equivalent of that in his first reply - don't you take the time to read what has already been suggested ?"

Maybe he did, but I expanded on it. His technique wouldn't work: a few MSN IPs don't have reverse DNS, so he'd have to add IP ranges like I suggested. So.... What is YOUR problem? I obviously don't have enough time to read EVERYTHING and put EVERYTHING into my answers like you seem to have? You lacking in interesting things to do with your life?
> .. please accept the answer.
seems that most people read it like
     please accept my answer

So we learned to use some phrase more carefully
;-)
Hi antioch_75
I've just been having a play with it and have managed to stop MSN (for the moment at least).
I've blocked the port 1863 and also port 80 to the following sites
207.46.110.48
207.46.110.254
213.199.154.54
216.178.160.34
207.68.178.239
194.130.106.132
195.33.103.52
213.199.154.11
213.249.102.94
This seems to have stopped it, but if you find it still works you can (on NT/2000/XP) find the PID of MSN from Task Manager (View > Select Columns lets you see this), then go to a command prompt and type 'netstat -nao'. This will give you all the connections the computer has made and the associated PID; match them up, block it and try to log in again. I've done this with MSN, but the idea is sound for any program that you want to block and can't find the ports/sites/whatever anywhere else.

Hope this helps,
Give it a go...
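The PID-to-connection matching described in the post above, done over a saved `netstat -nao` capture instead of by eye. This is an added example, not the poster's own code: the capture is constructed (the foreign addresses reuse the ones listed in the post, the PIDs and local ports are made up), and the output rules are printed, not applied. The one detail worth knowing is that UDP rows have no State column, so the PID has to be read from the last field rather than a fixed column:

```shell
#!/bin/sh
# Added example, not from the post above: given a saved `netstat -nao` capture, list the
# remote endpoints a particular PID holds open and turn them into deny rules.
# SAMPLE_NETSTAT is constructed; the foreign addresses are the ones the post lists.

SAMPLE_NETSTAT='
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:1045      207.46.110.48:1863     ESTABLISHED     1234
  TCP    192.168.1.10:1046      207.46.110.254:80      ESTABLISHED     1234
  TCP    127.0.0.1:1047         127.0.0.1:1048         ESTABLISHED     1234
  TCP    192.168.1.10:1050      216.178.160.34:443     ESTABLISHED     2210
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1234
'

# remote_endpoints_for_pid PID CAPTURE
# Prints unique "proto ip:port" lines for the foreign side of PID's sockets.
# The PID is taken from the last field: UDP rows have no State column, so the
# PID is field 5 on TCP rows but field 4 on UDP rows.
remote_endpoints_for_pid() {
    printf '%s\n' "$2" | awk -v pid="$1" '
        $1 == "TCP" || $1 == "UDP" {
            if ($NF != pid) next
            fa = $3
            if (fa == "*:*" || fa == "0.0.0.0:0") next   # listening socket, no peer yet
            if (fa ~ /^127\./) next                       # loopback, nothing to block upstream
            print tolower($1) " " fa
        }' | LC_ALL=C sort -u
}

# deny_rules_for_pid PID CAPTURE
# One iptables FORWARD rule per endpoint, printed rather than applied.
deny_rules_for_pid() {
    remote_endpoints_for_pid "$1" "$2" | while read -r proto ep; do
        ip=${ep%:*}
        port=${ep##*:}
        printf 'iptables -A FORWARD -p %s -d %s --dport %s -j REJECT\n' "$proto" "$ip" "$port"
    done
}

remote_endpoints_for_pid 1234 "$SAMPLE_NETSTAT"
deny_rules_for_pid 1234 "$SAMPLE_NETSTAT"
```

On a real capture, run it as `netstat -nao > capture.txt` on the client, then feed the file contents in as the second argument. Addresses found this way change over time (later posts in this thread say as much), so the output is a snapshot to review, not a permanent list.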
I found the best way to block Yahoo/MSN etc. was to build up an IPTABLES firewall using Linux Red Hat 9, then build up a SQUID proxy server...

now you can block by url (which is much easier) and you just have all requests blocked through the firewall except squid port 3128.

You have port 80 automatically forwarded (transparent proxy) to 3128 and that's it...

www.chrisliveonline.com/security/ has a detailed guide on how i did this...  including scripts and confs :)

Thanks
Chris
Hi All,

You can block MSN Messenger on your network by blocking the following network with range of IP addresses

In access rules on your firewall deny all the address on inside interface to access the outside interface with network IP address 207.46.104.0 mask 255.255.255.0

This should block MSN Messenger on your network.

In Case you want to see what IP address is being used to connect to MSN Messenger use Netstat when connected to MSN Messenger.

Thanks
Graham
Hi,

If you block all those IPs and ports in your firewall, that will stop most of the connections. But if the user sets the Yahoo or MSN Messenger connection via a proxy server, then any idea how you block it?

There are some proxy server using port 80 for connection, rather than standard proxy ports.  So, you can't block based on the port 80.

Then, how to effectively block those?

Thanks!

Jimmy
jimmy, still answered this: http:#9212984
but the questioner decided to use other suggestions :-|
mzzltijn
To block MSN-messenger, use the 207.46.110.0 range. Best way to figure out which range to block is described above. Connect a MSN-messenger and see which range it uses to establish a connection, as these seem to change every once in a while.
Just some additional information, I too am trying this without complete success. After using group policy I discovered that users were changing the EXE name (rename and add 1 character or totally change the name) and this, along with Yahoo and other instant messengers, will still run.

Even dragging a copy of the folder to the desktop and renaming the exe works.

how about a remote process monitor ??

at least we can find who is doing it

cheers

Gareth
Hi

I have tried blocking IP 207.46.104.* and 207.46.110.* and TCP port 1863.
It works fine on my firewall.
Maybe you guys can give it a try.
BTW I am using a SonicWall firewall.

CheerS!
you can also block passport.com and then nobody can log in....

darn, too late for points.
MSN Messenger can be blocked by following the steps on the following URL:
http://support.microsoft.com/kb/889829

Basically configure your firewall to block TCP port 1863 and the domains webmessenger.msn.com & messenger.hotmail.com

But in my opinion, a proxy server would be the best approach for restricting/monitoring all outbound activity.
I'm running a WatchGuard firewall which allows "Auto-Blocking" of sites attempting to use whatever port range you select.  Then if even ONE person on the network tries to get to MSN, Yahoo, or AIM with the application, not changed to go over 80, the site will be blocked for the next person.

Just a free 2 cents worth.
I was wanting to block Yahoo Instant Messenger and I found this article.  I am currently using a SonicWALL TZ180 and we are only using the content filter.  So I have been researching and researching trying to find a solution to just block Yahoo IM.

I tried Jimmy_the_Saint's suggestion above:

Yahoo:
TCP: 80, 5000-5050
UDP: 5000-5050

I created access rules (2 of them) based on the specs above.  Set them to Allow first, then once created I changed to deny and Yahoo IM could not connect.

If I was to keep those access rules set to deny - what other ramifications would I run into?
I agree with you all guys but that wasn't sufficient.

I could block Yahoo and MSN by denying access to domains.

msg.msn.com
messenger.msn.com
messenger.live.com
messenger.hotmail.com
webmessenger.msn.com

scs.msg.yahoo.com
webmessenger.yahoo.com
messenger.yahoo.com

And I did block all other web messengers so users cannot access their Yahoo and MSN through the web, like
ebuddy.com
meebo.com

I had to block domain names because I found out that the messengers keep trying to use the Internet Explorer settings to log in.
but now everything is working fine. i just still need to block skype. and i will do it and let you know.
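The domain-based block in the post above, combined with the iptables-plus-Squid layout Chris described earlier in the thread, as one script. This is an added example, not code from either poster or from the site Chris links to. Assumptions: Squid runs on the firewall box itself, the LAN is 192.168.1.0/24 on eth1, the WAN is eth0, and Squid listens on 3128. `http_port ... transparent` is the Squid 2.x spelling of the option; Squid 3.1 and later call it `intercept`. The domain list is the one from the post above, with the web-messenger sites written in Squid's leading-dot form so that every host under them matches, and a small `host_blocked` function applies the same matching rule so the list can be sanity-checked before it goes live:

```shell
#!/bin/sh
# Added example, not from either post: proxy-only egress plus a Squid domain ACL.
# Assumptions: Squid on the firewall host, LAN 192.168.1.0/24 on eth1, WAN eth0, port 3128.

LAN="192.168.1.0/24"
LAN_IF="eth1"
WAN_IF="eth0"
PROXY_PORT=3128

# Hosts the post above denied. A leading dot follows Squid's dstdomain convention:
# ".meebo.com" matches meebo.com and every name under it; a bare name matches only itself.
IM_DOMAINS="msg.msn.com messenger.msn.com messenger.live.com messenger.hotmail.com webmessenger.msn.com scs.msg.yahoo.com webmessenger.yahoo.com messenger.yahoo.com .ebuddy.com .meebo.com"

# squid_acl_conf: the squid.conf fragment. The deny must precede the allow, because
# Squid acts on the first http_access line that matches.
squid_acl_conf() {
    printf 'http_port %s transparent\n' "$PROXY_PORT"
    printf 'acl localnet src %s\n' "$LAN"
    printf 'acl im_domains dstdomain %s\n' "$IM_DOMAINS"
    printf '%s\n' 'http_access deny im_domains'
    printf '%s\n' 'http_access allow localnet'
    printf '%s\n' 'http_access deny all'
}

# egress_rules: LAN port 80 is redirected into Squid, the LAN may reach Squid and DNS,
# and every other LAN-to-WAN connection (1863, 5050, direct 443, tunnels) is rejected.
egress_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT" \
      "iptables -A INPUT -i $LAN_IF -s $LAN -p tcp --dport $PROXY_PORT -j ACCEPT" \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -s $LAN -o $WAN_IF -p udp --dport 53 -j ACCEPT" \
      "iptables -A FORWARD -s $LAN -o $WAN_IF -j REJECT"
}

# host_blocked HOST: applies the dstdomain matching rule to IM_DOMAINS; exit 0 if blocked.
host_blocked() {
    h=$1
    for d in $IM_DOMAINS; do
        case $d in
            .*) case $h in "${d#.}"|*"$d") return 0 ;; esac ;;
            *)  if [ "$h" = "$d" ]; then return 0; fi ;;
        esac
    done
    return 1
}

squid_acl_conf
egress_rules
for h in messenger.hotmail.com www.meebo.com www.hotmail.com; do
    if host_blocked "$h"; then printf '%s blocked\n' "$h"; else printf '%s allowed\n' "$h"; fi
done
```

Clients configured with the proxy explicitly arrive on the INPUT rule; clients that are not configured have their port 80 traffic redirected by the PREROUTING rule; anything that tries to go around the proxy, on 1863, 5050 or a tunnel over 443, meets the final REJECT. The check function shows the difference between the two list forms: `www.hotmail.com` stays reachable because only `messenger.hotmail.com` is named, while `www.meebo.com` is caught by the dotted entry.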
I found out that the port block I initiated

Yahoo:
TCP: 80, 5000-5050
UDP: 5000-5050

Only worked for anyone using Pidgin (www.pidgin.im).  I installed Yahoo IM (v.9) and I was able to connect.