Solved

Block skype with squid

Posted on 2011-02-25
4,384 Views
Last Modified: 2012-05-11
Hi

I know this question has been asked a lot and I did look at the others and googled it. Most of the answers are a few years old but they basically say the same thing. The one with the most details was this one and I followed it.

http://www.riccardoriva.com/archives/275

the sample config for squid from that site:
# Declare an ACL to catch ALL
acl all src 0.0.0.0/0.0.0.0
# Define an ACL to define my local network
acl mynetworks src 192.168.1.0/24
# Define an ACL to have some IPs that can connect to SKYPE
acl skype_users src 192.168.1.100-192.168.1.200
# Define a CONNECT acl for the CONNECT method
acl CONNECT method CONNECT

# Define an ACL for the URLs composed only of numbers, not FQDN
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# Define an ACL for use URLs composed only of numbers, not FQDN
acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"

# Allow SKYPE access for the group "skype_users"
http_access allow CONNECT skype_url skype_users

# Allow https access for IP Addresses defined in "/etc/squid/https_url_allowed"
http_access allow CONNECT https_url_allowed

# Deny Access to SKYPE and all other
http_access deny CONNECT skype_url

# Allow Internet access to all "mynetworks"
http_access allow mynetworks

# And finally deny all other access from this proxy
http_access deny all




I need to explain something before I show my config. I use squish to cap users individually. There is a perl script that runs and counts bytes. If a user is above a specified threshold, the username is written to a file called squish. Squid is configured to deny connect for all users in the squish file.


My config:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl SQUISHLOC dst $hostname
# webconfig: acl_start
acl webconfig_lan src 192.168.100.0/24  
acl webconfig_to_lan dst 192.168.100.0/24  
# webconfig: acl_end
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 81 83 10000
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 81 82 83 10000    # Web-based administration tools
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl https_url_allowed url_regex -i "/etc/squid/url_whitelist"
acl mynetworks src 192.168.100.0/24
acl CONNECT method CONNECT


# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

http_access allow CONNECT https_url_allowed
http_access deny CONNECT skype_url
http_access allow mynetworks

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports


deny_info http://localhost/squish/?squished& SQUISHED1
http_access allow SQUISHLOC
http_access deny SQUISHED1

# And finally deny all other access to this proxy
http_access allow localhost password
http_access allow webconfig_to_lan
http_access allow webconfig_lan password
http_access deny all




Am I doing something wrong here or is Skype becoming more clever? Is it possible at all to block Skype with a proxy?

thanx
Question by:QuintusSmit
13 Comments
 
Expert Comment
by:Sikhumbuzo Ntsada
Blocking Skype is based on SSL connection verification: since Skype uses port 443 but has no SSL handshake, the connection is blocked when the option enforce-https-official-certificate is set ON.

Note that Squid already makes port 80 unusable for Skype, and your firewall must block direct connections to other Skype nodes.

Expert Comment
by:arnold
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Your skype_url ACL only consists of IP addresses; you should add *.skype.com.

Note that Skype can be configured to use HTTPS.
Do not install the application in the first place. Limit the rights of the users such that they cannot install it.

The other option is to monitor and identify the IPs associated with Skype and then block access to them on the firewall. But you would have to keep checking periodically in the event new IPs are added.

Expert Comment
by:upanwar
I guess *.skype.com would be enough on the squid side; I have done the same for YouTube. :)

Author Comment
by:QuintusSmit
Let me try that then.

@Arnold - it is a college, and students and part-time lecturers bring their own laptops, so I have no control over what is installed. We give them an internet usage allowance, hence the individual caps. Because we have three campuses in three cities we use Skype extensively and it has never been a problem, but now students have noticed that Skype is not blocked when they are capped and come to campus just to make video calls to their overseas friends, which is eating our bandwidth.

Expert Comment
by:arnold
Do you block outgoing port 80/443 from all with the exception of the proxy servers?
Unless you block any and all traffic that you do not want on the firewall, there are ways to bypass the proxy, e.g. outgoing VPN connections. One could find an external proxy through which they would be able to access Skype.

What happens if a person connects their laptop to your network without configuring their browser for the proxy? Are they able to access any external website?


Author Comment
by:QuintusSmit
Hi. If they don't configure the proxy they can't access any websites. A page pops up asking them to configure the proxy settings first. We use ClearOS for our servers.
 
Expert Comment
by:arnold
Are you limiting the outgoing ports on your firewall outside that range, i.e. 80, 443, 25, 20/21 configured to go through the proxy?
What happens if a user goes to http://www.somesitesomewhere.com:8080? Will it be blocked by your firewall with the same message directing the user to configure their proxy?
Are your instructions to the users to set up the proxy for all protocols?

What about VPN? Check the squid access log to see what URLs are being accessed for Skype and set up the skype_url ACL accordingly to restrict access to it.

Author Comment
by:QuintusSmit
@arnold

Thanks - I will check all of that tomorrow when I am back at the office and report back.

Author Comment
by:QuintusSmit
Arnold

I checked and all traffic goes through the proxy. If you don't specify "use for all protocols" in the proxy setup no https websites are accessible.

I just thought of something. Since users have to log in with username and password to access the internet, would it be possible for squid to block all unauthenticated traffic regardless of protocol? Surely that will block Skype traffic and everything else that does not use a password to connect?

Accepted Solution
by:arnold earned 500 total points
Yes, do not have an IP-based allow rule in squid.conf.
http_access allow user_group
http_access deny mynetwork


Note though, that the user will likely be prompted for the login from every application they use except from IE if you use NTLM authentication.

If you specify the deny rule for skype.com does it work?
Check the logs to see if there are entries reflecting access from users that should not be able to access.

Author Comment
by:QuintusSmit
Hi

The question is not abandoned - I am extremely busy and will get back to this issue as soon as things quiet down. Thank you for the help so far.

Author Comment
by:QuintusSmit
So I finally managed to play around again and I think I found a working solution.

I changed the firewall to block all outgoing except what I specify. Basically only mail, internet and IPsec traffic is allowed out. Skype is then forced to use port 80.

Our squid proxy is set to use authentication. I then installed Squish (http://www.ledge.co.za/software/squint/squish/). This allows me to set a monthly/weekly/daily/time cap for individual users. They have to authenticate to use Skype, so if that is what they want to spend their cap on it is their choice.

Once capped Skype will not connect.
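As an added example (not the asker's final configuration, not a ClearOS template and not part of Squish), here is the http_access section from the question reordered to do what the accepted answer and the final comment describe: no src-based allow at all, the port sanity checks and the Squish deny ahead of every allow line, an explicit deny for skype.com and for CONNECT to bare IP addresses, and authentication required for everyone else. It is written in the same Squid 2.x/3.x syntax as the posted config. The ncsa_auth helper path and password file, the proxy's LAN address 192.168.100.1 (standing in for the $hostname the posted config used), and the ACL names password, skype_domains and skype_ip_connect are assumptions for illustration.

```conf
# Added example, not the asker's config: http_access section reordered so that
# there is no src-based allow and every client must authenticate.
# Assumptions (not from the thread): the ncsa_auth helper path, the password
# file, the proxy's LAN address 192.168.100.1, and the ACL names
# password, skype_domains and skype_ip_connect.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Campus proxy

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl SSL_ports port 443 81 83 10000
acl Safe_ports port 80 21 443 70 210 280 488 591 777 81 82 83 10000 1025-65535
acl CONNECT method CONNECT

# Any user who presents valid credentials.
acl password proxy_auth REQUIRED
# Users Squish has capped; the file holds one username per line.
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
# The proxy host itself, so capped users can still load the "you are capped" page.
acl SQUISHLOC dst 192.168.100.1
# skype.com and every subdomain (dstdomain also matches the host of a CONNECT).
acl skype_domains dstdomain .skype.com
# CONNECT to a bare dotted-quad, which is how Skype reaches its nodes.
# For CONNECT requests url_regex is matched against "host:port".
acl skype_ip_connect url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$

http_access allow manager localhost
http_access deny manager

# Port sanity checks come before any allow line can match.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Capped users: let the notice page through, deny everything else.
deny_info http://192.168.100.1/squish/?squished& SQUISHED1
http_access allow SQUISHLOC
http_access deny SQUISHED1

# Skype, for everyone. To exempt a group, put a line such as
# "http_access allow CONNECT skype_ip_connect some_user_acl" above these two.
http_access deny CONNECT skype_ip_connect
http_access deny skype_domains

# No "http_access allow mynetworks" here: a src-based allow would match every
# LAN client before the user checks and let capped users (and any program that
# cannot send proxy credentials) straight through.
http_access allow localhost
http_access allow password
http_access deny all
```

Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so the order is the whole point. In the configuration as posted, `http_access allow mynetworks` sits above `http_access deny SQUISHED1` and above the Safe_ports/SSL_ports checks, so it matches every LAN client before any of those lines is reached. With only a proxy_auth allow left, a client that cannot send proxy credentials (Skype included) gets a 407 and never obtains a tunnel, which is the mechanism the final comment relies on. Two caveats a practitioner would want: this only holds while the firewall blocks direct outbound 80/443 and all other ports from the LAN, as the thread notes, and the bare-IP regex also denies legitimate CONNECT requests to IP-literal hosts, which is usually acceptable on a campus network but should be checked against the access log before rollout.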