Avatar of eptexascrazy
eptexascrazy
 asked on

How to block anonymous web proxies?

Hello,  I work for a school district and I am being told to block anonymous web proxies.  We currently use Bess / N2H2 Filtering but unless I specify the proxy's URL, it wont block anything.  Does anyone out there know how to block anonymous web proxies?
Security

Avatar of undefined
Last Comment
Serverman2001

8/22/2022 - Mon
tnapolitano

If I am misunderstanding your question, please give more information on requirements.

As far as I know, BESS (along with just about every other content filter) has Control categories for Anonymizers and Anonymizing Utilities.
venom96737

you really cant block that outbound conection unless your going to filter the port used but it still would help there is a way around it
giltjr

The only way is to block based on their URL and/or IP address.  Because of the way they work they look like any other Web server on the Internet.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ahoffmann

you mean outgoing connections to an proxy?
then redirect all traffic to your own proxy, ready.
Works as long as you have no SSL and/or accept that your proxy terminates SSL (which breaks the basic intention of SSL:)
jhance

You need to "fix" your network, probably by changing your router's settings, so that NONE of the client PCs can directly access the internet on ANY port. That way your default settings of the BESS/N2H2 proxy will be the only way out.

I'm assuming you don't have an active domain setup here where you can force the proxy settings with group policy and that even though you have setup the proxy for the web browser, users are changing these settings themselves and using an outside proxy.  Fix the problem at a place where they don't have control.  So then even if they do change the client PC proxy settings, it will do them do good because YOUR proxy is the only way out.
ASKER CERTIFIED SOLUTION
zgrp

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
floorman67

you do it by use of blacklists ... and there are a ton of them ... add them to your filtration application/iptables

http://www.google.com/search?hl=en&q=proxy+blacklist
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
bloodrazor

What you're really asking is if there's a way to have a computer "know" the contents of a webpage.
The short answer: no.

However, i suppose if your filtering system will allow it you could add certain words, both in the URL, and in the actual body of the page to the automatic block list (i.e. if the URL of the webpage, or part of the main body of the page contain the phrase "free anonymizer service"... auto-block).

I do stress that if the users want to get around all this, some spark that knows what they are doing can simply create their own website to do this, that could be as simple as a form on its own, that will show the contents of whatever URL is typed into the form. Another method is to simply find the IP of the site (e.g. the "blocked anonymiser site"), and use that, as it will get around the URL-based filtering with ease.

Personally, i'm very much against the concept of filtering, and various restrictions. It's wrong, although i can understand that you would have to in schools to stop some very angry parents. Although i suppose i'm biased, as i'm one of the students that takes pleasure in simply evading restrictions, and dislikes being mommy-coddled (I can check my own browsing habits, thank you). Basically, if you can think of a way to avoid using the restrictions while maintaining "clean" browsing, i am sure 99% of the userbase would be pleased, as the filtering can often catch sites that are used for work purposes (An example, an english assignment on Leicester City football club. Oh look, the website's blocked ;) )
floorman67

NO THAT REALLY ISNT WHAT HE IS ASKING AT ALL.

HE IS ASKING ABOUT BLOCKING PROXY SERVERS SO USERS CAN NOT BYPASS PORT/PROTOCOL/USE RESTRICTIONS.
floorman67

AND NO ONE CARES WHAT YOU ARE AGAINST ..IT ISNT YOUR RESOURCES BEING CONSUMED ... ITS THE SCHOOLS AND THE TAXPAYERS.

STUDENTS ARE THERE FOR THE CURRICULUM, ITS EDUCATION, AND THE ADMINISTRATION NOT ONLY HAS THE RIGHT, BUT THE OBLIGATION TO RESTRICT ACCESS TO AREAS EXCEPT THOSE PERTAINING TO SAID.

IF THE SITES ARE BLOCKED, DNS BLOCKED, PORTS ARE SHUT DOWN, AND THE PROXIES ARE BLOCKED, YOU CANT GAIN ACCESS BY THE SIMPLE CREATION OF A WEB SITE.

YOU REALLY DO NOT KNOW WAHT YOU ARE TALKING ABOUT. iF THE RESOURCES ARE FILTERED/BLOCKED, THEY WONT EVEN LOAD.

wHAT YOU TRYING TO EXPLAIN IN ANONYMIZER IS CALLED A PROXY SERVER.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
giltjr

bloodrazor, you need to learn to think outside of the box.  If you don't will be in one the rest of your life.  Filtering is NOT wrong.  It is no different that preventing a under age person from buying beer, wine, liquer, or anything else they should not have because they are not mature enough to handle it.  They have done studies and have shown that the part of the brain that is responsible for making "informed decisions" does not mature until the age of 25 on average.

You may beleive that you can check your own browsing habit, and you may, but the average school age child can't.  It's been proven.  I personally do not want my 6 year old to accidently see something because a 15 year old setup a computer to bypass normal filtering.  

Yes, somebody can get around it, in fact people can get around most anything.  Sooner or later the odds are they will get caught.

If a site is valid, it can be unblocked.

One day hopefully you will  have a child and your attitude will change.  Some mommy-coddlling is needed in every childs life.
Nightofthecow

You could also take a look at what proxies your students are using. You can check the logs for commonly visited sites. Generally, using an anonymous proxy server means the user will spend an extended amount of time on that site. That will be a red flag to you. The sites are fairly obvious, for example, proxyspinner, etc... You can manually block these entries, however, that all depends on how large the problem at hand is. If it's on a small scale, the manual way isn't a bad way to go.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Serverman2001

oooops  Web site should read www.codework.com

sorry
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SSPI

I would recommend you look into Bloxx, Inc. http://www.bloxx.com. Anonymous proxies  which let students bypass filters  are blocked instantly with Bloxx meaning your students can't access the internet through the back door. You can also choose to enable the Safesearch feature on Internet search engines so that students cannot bypass it and access inappropriate material. Due to the essential nature of education, many types of sites need to be accessed by users and the flexible group policies within the Bloxx internet filtering system provide for these diverse requirements. Also, Bloxx's thorough and clear reporting allows you to see if your group Internet policies are working sufficiently or if they need fine tuning, and provides invaluable real time monitoring to see which users are frequently violating policies.
Serverman2001

OK some time has passed since my post but my final solution was the school guardian from Smoothwall.
Dam good product and the best part about it is the students at the school i work in have presented me with a nice petition about over blocking. When i looked into it in more detail they really wanted me to unban game sites and proxies. This product works well and the tech support we bought into are great to help with any new features you want or issues.

what you waiting for buy it