Solved

Block skype with squid

Posted on 2011-02-25
4,658 Views
Last Modified: 2012-05-11
Hi

I know this question has been asked a lot, and I did look at the others and googled it. Most of the answers are a few years old, but they basically say the same thing. The one with the most details was this one, and I followed it.

http://www.riccardoriva.com/archives/275

The sample config for Squid from that site:
# Declare an ACL to catch ALL
acl all src 0.0.0.0/0.0.0.0
# Define an ACL to define my local network
acl mynetworks src 192.168.1.0/24
# Define an ACL to have some IPs that can connect to SKYPE
acl skype_users src 192.168.1.100-192.168.1.200
# Define a CONNECT acl for the CONNECT method
acl CONNECT method CONNECT

# Define an ACL for the URLs composed only of numbers, not FQDN
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# Define an ACL for the HTTPS URLs listed (as regexes) in the whitelist file
acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"

# Allow SKYPE access for the group "skype_users"
http_access allow CONNECT skype_url skype_users

# Allow https access for URLs defined in "/etc/squid/https_url_allowed"
http_access allow CONNECT https_url_allowed

# Deny CONNECT to bare-IP targets (SKYPE) for everyone else
http_access deny CONNECT skype_url

# Allow Internet access to all "mynetworks"
http_access allow mynetworks

# And finally deny all other access from this proxy
http_access deny all




I need to explain something before I show my config. I use squish to cap users individually. There is a perl script that runs and counts bytes. If above a specified threshold the username is written to a file called squish. Squid is configured to deny connect for all users in the squish file.


My config:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl SQUISHLOC dst $hostname
# webconfig: acl_start
acl webconfig_lan src 192.168.100.0/24  
acl webconfig_to_lan dst 192.168.100.0/24  
# webconfig: acl_end
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 81 83 10000
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 81 82 83 10000    # Web-based administration tools
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl https_url_allowed url_regex -i "/etc/squid/url_whitelist"
acl mynetworks src 192.168.100.0/24
acl CONNECT method CONNECT


# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

http_access allow CONNECT https_url_allowed
http_access deny CONNECT skype_url
http_access allow mynetworks

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports


deny_info http://localhost/squish/?squished& SQUISHED1
http_access allow SQUISHLOC
http_access deny SQUISHED1

# And finally deny all other access to this proxy
http_access allow localhost password
http_access allow webconfig_to_lan
http_access allow webconfig_lan password
http_access deny all




Am I doing something wrong here, or is Skype becoming more clever? Is it possible at all to block Skype with a proxy?

thanx
Question by:QuintusSmit
13 Comments
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 34979280
Blocking Skype is based on SSL connection verification, and since Skype uses port 443 but has no SSL handshake, the connection is blocked when the option enforce-https-official-certificate is set ON.

Note that Squid already makes port 80 unusable for Skype and
your firewall must block direct connections to other
Skype nodes.
 
LVL 79

Expert Comment

by:arnold
ID: 34979328
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Your skype_url only consists of IP addresses.
You should add *.skype.com.

Note that Skype can be configured to use HTTPS.
Do not install the application in the first place.
Limit the rights of the users such that they cannot install it.

The other option is to monitor and identify the IPs associated with Skype and then block access to them on the firewall. But you would have to check periodically in the event new IPs are added.
 
LVL 12

Expert Comment

by:upanwar
ID: 34979612
I guess *.skype.com would be enough on the Squid side; I have done the same for YouTube. :)
 
LVL 1

Author Comment

by:QuintusSmit
ID: 34980792
Let me try that then

@Arnold - it is a college, and students and part-time lecturers bring their own laptops, so I have no control over what is installed. We give them an internet usage allowance, hence the individual caps. Because we have three campuses in three cities we use Skype extensively, and it has never been a problem, but now students have noticed that Skype is not blocked when they are capped and come to campus just to make video calls to their overseas friends, which is eating our bandwidth.
 
LVL 79

Expert Comment

by:arnold
ID: 34981003
Do you block outgoing port 80/443 from everything with the exception of the proxy servers?
Unless you block any and all traffic that you do not want on the firewall, there are ways to bypass the proxy, i.e. outgoing VPN connections. One could find an external proxy through which they would be able to access Skype.

What happens if a person connects their laptop to your network without configuring their browser for the proxy are they able to access any external website?

 
LVL 1

Author Comment

by:QuintusSmit
ID: 34987089
Hi. If they don't configure the proxy they can't access any websites. A page pops up asking them to configure the proxy settings first. We use ClearOS for our servers.
 
LVL 79

Expert Comment

by:arnold
ID: 34987814
Are you limiting the outgoing ports on your firewall outside that range?
i.e. are 80, 443, 25, 20/21 configured to go through the proxy?
What happens if a user goes to http://www.somesitesomewhere.com:8080? Will it be blocked by your firewall with the same message directing the user to configure their proxy?
Are your instructions to the users to set up the proxy for all protocols?

What about VPN? Check the Squid access log to see what URLs are being accessed for Skype and set up the skype_url ACL accordingly to restrict access to it.
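The log check suggested above, as an added example that is not part of the thread and not Squid's own tooling: a parser for Squid's native access.log format (timestamp, elapsed ms, client address, result/status, bytes, method, URL, user, hierarchy/peer, content type) that picks out CONNECT requests whose target is a bare IPv4 address, the same pattern the thread's skype_url ACL matches, and groups them by proxy user. The log lines, users and addresses below are constructed for the example; a "-" in the user column is what Squid logs when a request was served without credentials.

```python
"""Find bare-IP CONNECT tunnels (the Skype pattern) in a Squid access.log.

Added example, not code from the thread or from Squid. Parses the default
"squid" log format and reports CONNECTs to bare IPv4 targets per user.
"""
import re
from collections import defaultdict

# Fields of Squid's default "squid" logformat, whitespace separated.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
# A CONNECT target is "host:port"; this matches only dotted-quad hosts.
BARE_IP_TARGET = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Constructed sample log; alice and bob are authenticated, "-" is not.
SAMPLE_LOG = """\
1298620001.101    812 192.168.100.23 TCP_MISS/200 5120 CONNECT 203.0.113.10:443 alice DIRECT/203.0.113.10 -
1298620002.550    120 192.168.100.23 TCP_MISS/200 9876 GET http://ui.skype.com/ui/0/getlatestversion alice DIRECT/198.51.100.7 text/html
1298620003.010   3000 192.168.100.41 TCP_MISS/200 7777 CONNECT 198.51.100.200:443 bob DIRECT/198.51.100.200 -
1298620004.200     90 192.168.100.41 TCP_MISS/200 2048 CONNECT mail.example.edu:443 bob DIRECT/203.0.113.50 -
1298620005.333    400 192.168.100.23 TCP_DENIED/403 1540 CONNECT 203.0.113.11:443 alice NONE/- text/html
1298620006.001    150 192.168.100.77 TCP_MISS/200 64000 CONNECT 203.0.113.77:12350 - DIRECT/203.0.113.77 -
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def bare_ip_connects(log_text):
    """Return {user: [(target, http_status, bytes), ...]} for CONNECTs to bare IPs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if BARE_IP_TARGET.match(rec["url"]):
            status = rec["result"].split("/", 1)[1]  # "TCP_MISS/200" -> "200"
            hits[rec["user"]].append((rec["url"], status, int(rec["bytes"])))
    return dict(hits)


def tunnelled_bytes(log_text):
    """Bytes moved through bare-IP tunnels that Squid actually allowed (2xx), per user."""
    totals = defaultdict(int)
    for user, entries in bare_ip_connects(log_text).items():
        for _target, status, nbytes in entries:
            if status.startswith("2"):
                totals[user] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for user, entries in bare_ip_connects(SAMPLE_LOG).items():
        print(user, entries)
    print(tunnelled_bytes(SAMPLE_LOG))
```

Run it against a real log with `bare_ip_connects(open("/var/log/squid/access.log").read())`. Tunnels attributed to "-" are the ones to worry about: they were allowed without any credentials, so no per-user cap could ever apply to them.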
 
LVL 1

Author Comment

by:QuintusSmit
ID: 34991736
@arnold

Thanx - I will check all of that tomorrow when I am back at the office and report back.
 
LVL 1

Author Comment

by:QuintusSmit
ID: 34995884
Arnold

I checked, and all traffic goes through the proxy. If you don't specify "use for all protocols" in the proxy setup, no https websites are accessible.

I just thought of something. Since users have to log in with username and password to access the internet, would it be possible for Squid to block all unauthenticated traffic regardless of protocol? Surely that will block Skype traffic and everything else that does not use a password to connect?
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 34998767
Yes, do not have an IP-based allow rule in the squid.conf.
http_access allow user_group
http_access deny mynetwork


Note though that the user will likely be prompted for the login from every application they use, except from IE if you use NTLM authentication.

If you specify the deny rule for skype.com, does it work?
Check the logs to see if there are entries reflecting access from users that should not be able to access.
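Why the accepted answer works, as an added example that is not part of the thread and not Squid's own code: Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so `http_access allow mynetworks` placed before `http_access deny SQUISHED1` (the poster's ordering) ends evaluation for every LAN request before the cap or the port checks are ever consulted. The evaluator below models that first-match walk over a trimmed copy of the poster's ACLs and compares it with the ordering Arnold proposes (no IP-based allow; allow authenticated users, then deny the network). It is a simplification: proxy_auth ACLs simply fail to match a request without credentials rather than triggering Squid's 407 challenge, the `https_url_allowed` and manager lines are left out, the `authenticated` ACL name stands in for Arnold's `user_group`, and the users, addresses and URLs are constructed.

```python
"""Model of Squid's first-match http_access evaluation (added example).

Not code from the thread or from Squid. Simplifications: no 407 challenge is
modelled (a proxy_auth ACL just fails to match a request without credentials);
users, hosts and URLs are constructed for the demonstration.
"""
import ipaddress
import re


def make_acl(kind, *args):
    """Build a predicate over a request dict for a subset of Squid ACL types."""
    if kind == "src":
        nets = [ipaddress.ip_network(a, strict=False) for a in args]
        return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)
    if kind == "method":
        return lambda r: r["method"] in args
    if kind == "url_regex":
        # For CONNECT the URL Squid matches against is "host:port".
        pats = [re.compile(a) for a in args]
        return lambda r: any(p.search(r["url"]) for p in pats)
    if kind == "proxy_auth":
        # "REQUIRED" matches any authenticated user; a name list only those users.
        if args == ("REQUIRED",):
            return lambda r: r["user"] is not None
        users = {a.lower() for a in args}
        return lambda r: r["user"] is not None and r["user"].lower() in users
    if kind == "port":
        ports = set()
        for a in args:
            lo, _, hi = a.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        return lambda r: r["port"] in ports
    raise ValueError("unsupported ACL type: %s" % kind)


def http_access(rules, acls, request):
    """First http_access line whose ACLs all match decides; a leading "!" negates.

    If nothing matches, Squid applies the opposite of the last line's action;
    both rule sets below end in "deny all", so that fallback never fires.
    """
    for action, names in rules:
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


# ACLs modelled on the poster's config; "alice" stands for a user over her cap.
ACLS = {
    "all": make_acl("src", "0.0.0.0/0"),
    "mynetworks": make_acl("src", "192.168.100.0/24"),
    "CONNECT": make_acl("method", "CONNECT"),
    "skype_url": make_acl("url_regex", r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"),
    "SSL_ports": make_acl("port", "443", "81", "83", "10000"),
    "Safe_ports": make_acl("port", "80", "21", "443", "70", "210", "1025-65535",
                           "280", "488", "591", "777", "81", "82", "83", "10000"),
    "SQUISHED1": make_acl("proxy_auth", "alice"),        # constructed squished list
    "authenticated": make_acl("proxy_auth", "REQUIRED"),  # stands in for user_group
}

# The poster's ordering (manager and https_url_allowed lines omitted).
ORIGINAL = [
    ("deny", ["CONNECT", "skype_url"]),
    ("allow", ["mynetworks"]),           # every LAN request stops here
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["SQUISHED1"]),             # never reached from the LAN
    ("deny", ["all"]),
]

# The accepted answer: no IP-based allow; allow authenticated users, deny the LAN.
CORRECTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["CONNECT", "skype_url"]),
    ("deny", ["SQUISHED1"]),
    ("allow", ["authenticated"]),
    ("deny", ["mynetworks"]),
    ("deny", ["all"]),
]


def request(user, method, url, port, src="192.168.100.23"):
    """Constructed request as Squid sees it after proxy authentication (user may be None)."""
    return {"user": user, "method": method, "url": url, "port": port, "src": src}


# Constructed traffic: alice is capped, bob is not, None carries no credentials.
CASES = {
    "capped user, plain GET": request("alice", "GET", "http://ui.skype.com/ui/0/getlatestversion", 80),
    "capped user, CONNECT bare IP": request("alice", "CONNECT", "203.0.113.10:443", 443),
    "uncapped user, CONNECT 8080": request("bob", "CONNECT", "relay.example.net:8080", 8080),
    "uncapped user, plain GET": request("bob", "GET", "http://www.example.com/", 80),
    "no credentials, plain GET": request(None, "GET", "http://www.example.com/", 80),
}


def decide(rules, case):
    """Evaluate one named case under a rule set; returns "allow" or "deny"."""
    return http_access(rules, ACLS, CASES[case])


if __name__ == "__main__":
    for name in CASES:
        print("%-32s original=%-5s corrected=%s" % (name, decide(ORIGINAL, name), decide(CORRECTED, name)))
```

Under the original ordering the capped user's plain GET, a CONNECT to a non-SSL port, and a request with no credentials at all are allowed, because `allow mynetworks` matches first; only the bare-IP CONNECT is stopped, and only by the skype_url regex. Under the corrected ordering all three are denied and an uncapped, authenticated user is still allowed. In a real Squid the `deny SQUISHED1` line, being the first proxy_auth ACL reached, is what causes the 407 challenge that makes applications prompt for credentials, which is the prompting Arnold warns about.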
 
LVL 1

Author Comment

by:QuintusSmit
ID: 35145716
Hi

The question is not abandoned - I am extremely busy and will get back to this issue as soon as things quiet down. Thank you for the help so far.
 
LVL 1

Author Comment

by:QuintusSmit
ID: 35887593
So I finally managed to play around again and I think I found a working solution.

I changed the firewall to block all outgoing traffic except what I specify. Basically only mail, internet and IPsec traffic is allowed out. Skype is then forced to use port 80.

Our Squid proxy is set to use authentication. I then installed Squish (http://www.ledge.co.za/software/squint/squish/). This allows me to set a monthly/weekly/daily/time cap for individual users. They have to authenticate to use Skype, so if that is what they want to spend their cap on, it is their choice.

Once capped, Skype will not connect.
