eptexascrazy
asked on
How to block anonymous web proxies?
Hello, I work for a school district and I am being told to block anonymous web proxies. We currently use Bess / N2H2 Filtering but unless I specify the proxy's URL, it wont block anything. Does anyone out there know how to block anonymous web proxies?
you really cant block that outbound conection unless your going to filter the port used but it still would help there is a way around it
The only way is to block based on their URL and/or IP address. Because of the way they work they look like any other Web server on the Internet.
you mean outgoing connections to an proxy?
then redirect all traffic to your own proxy, ready.
Works as long as you have no SSL and/or accept that your proxy terminates SSL (which breaks the basic intention of SSL:)
then redirect all traffic to your own proxy, ready.
Works as long as you have no SSL and/or accept that your proxy terminates SSL (which breaks the basic intention of SSL:)
You need to "fix" your network, probably by changing your router's settings, so that NONE of the client PCs can directly access the internet on ANY port. That way your default settings of the BESS/N2H2 proxy will be the only way out.
I'm assuming you don't have an active domain setup here where you can force the proxy settings with group policy and that even though you have setup the proxy for the web browser, users are changing these settings themselves and using an outside proxy. Fix the problem at a place where they don't have control. So then even if they do change the client PC proxy settings, it will do them do good because YOUR proxy is the only way out.
I'm assuming you don't have an active domain setup here where you can force the proxy settings with group policy and that even though you have setup the proxy for the web browser, users are changing these settings themselves and using an outside proxy. Fix the problem at a place where they don't have control. So then even if they do change the client PC proxy settings, it will do them do good because YOUR proxy is the only way out.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
you do it by use of blacklists ... and there are a ton of them ... add them to your filtration application/iptables
http://www.google.com/search?hl=en&q=proxy+blacklist
http://www.google.com/search?hl=en&q=proxy+blacklist
What you're really asking is if there's a way to have a computer "know" the contents of a webpage.
The short answer: no.
However, i suppose if your filtering system will allow it you could add certain words, both in the URL, and in the actual body of the page to the automatic block list (i.e. if the URL of the webpage, or part of the main body of the page contain the phrase "free anonymizer service"... auto-block).
I do stress that if the users want to get around all this, some spark that knows what they are doing can simply create their own website to do this, that could be as simple as a form on its own, that will show the contents of whatever URL is typed into the form. Another method is to simply find the IP of the site (e.g. the "blocked anonymiser site"), and use that, as it will get around the URL-based filtering with ease.
Personally, i'm very much against the concept of filtering, and various restrictions. It's wrong, although i can understand that you would have to in schools to stop some very angry parents. Although i suppose i'm biased, as i'm one of the students that takes pleasure in simply evading restrictions, and dislikes being mommy-coddled (I can check my own browsing habits, thank you). Basically, if you can think of a way to avoid using the restrictions while maintaining "clean" browsing, i am sure 99% of the userbase would be pleased, as the filtering can often catch sites that are used for work purposes (An example, an english assignment on Leicester City football club. Oh look, the website's blocked ;) )
The short answer: no.
However, i suppose if your filtering system will allow it you could add certain words, both in the URL, and in the actual body of the page to the automatic block list (i.e. if the URL of the webpage, or part of the main body of the page contain the phrase "free anonymizer service"... auto-block).
I do stress that if the users want to get around all this, some spark that knows what they are doing can simply create their own website to do this, that could be as simple as a form on its own, that will show the contents of whatever URL is typed into the form. Another method is to simply find the IP of the site (e.g. the "blocked anonymiser site"), and use that, as it will get around the URL-based filtering with ease.
Personally, i'm very much against the concept of filtering, and various restrictions. It's wrong, although i can understand that you would have to in schools to stop some very angry parents. Although i suppose i'm biased, as i'm one of the students that takes pleasure in simply evading restrictions, and dislikes being mommy-coddled (I can check my own browsing habits, thank you). Basically, if you can think of a way to avoid using the restrictions while maintaining "clean" browsing, i am sure 99% of the userbase would be pleased, as the filtering can often catch sites that are used for work purposes (An example, an english assignment on Leicester City football club. Oh look, the website's blocked ;) )
NO THAT REALLY ISNT WHAT HE IS ASKING AT ALL.
HE IS ASKING ABOUT BLOCKING PROXY SERVERS SO USERS CAN NOT BYPASS PORT/PROTOCOL/USE RESTRICTIONS.
HE IS ASKING ABOUT BLOCKING PROXY SERVERS SO USERS CAN NOT BYPASS PORT/PROTOCOL/USE RESTRICTIONS.
AND NO ONE CARES WHAT YOU ARE AGAINST ..IT ISNT YOUR RESOURCES BEING CONSUMED ... ITS THE SCHOOLS AND THE TAXPAYERS.
STUDENTS ARE THERE FOR THE CURRICULUM, ITS EDUCATION, AND THE ADMINISTRATION NOT ONLY HAS THE RIGHT, BUT THE OBLIGATION TO RESTRICT ACCESS TO AREAS EXCEPT THOSE PERTAINING TO SAID.
IF THE SITES ARE BLOCKED, DNS BLOCKED, PORTS ARE SHUT DOWN, AND THE PROXIES ARE BLOCKED, YOU CANT GAIN ACCESS BY THE SIMPLE CREATION OF A WEB SITE.
YOU REALLY DO NOT KNOW WAHT YOU ARE TALKING ABOUT. iF THE RESOURCES ARE FILTERED/BLOCKED, THEY WONT EVEN LOAD.
wHAT YOU TRYING TO EXPLAIN IN ANONYMIZER IS CALLED A PROXY SERVER.
STUDENTS ARE THERE FOR THE CURRICULUM, ITS EDUCATION, AND THE ADMINISTRATION NOT ONLY HAS THE RIGHT, BUT THE OBLIGATION TO RESTRICT ACCESS TO AREAS EXCEPT THOSE PERTAINING TO SAID.
IF THE SITES ARE BLOCKED, DNS BLOCKED, PORTS ARE SHUT DOWN, AND THE PROXIES ARE BLOCKED, YOU CANT GAIN ACCESS BY THE SIMPLE CREATION OF A WEB SITE.
YOU REALLY DO NOT KNOW WAHT YOU ARE TALKING ABOUT. iF THE RESOURCES ARE FILTERED/BLOCKED, THEY WONT EVEN LOAD.
wHAT YOU TRYING TO EXPLAIN IN ANONYMIZER IS CALLED A PROXY SERVER.
bloodrazor, you need to learn to think outside of the box. If you don't will be in one the rest of your life. Filtering is NOT wrong. It is no different that preventing a under age person from buying beer, wine, liquer, or anything else they should not have because they are not mature enough to handle it. They have done studies and have shown that the part of the brain that is responsible for making "informed decisions" does not mature until the age of 25 on average.
You may beleive that you can check your own browsing habit, and you may, but the average school age child can't. It's been proven. I personally do not want my 6 year old to accidently see something because a 15 year old setup a computer to bypass normal filtering.
Yes, somebody can get around it, in fact people can get around most anything. Sooner or later the odds are they will get caught.
If a site is valid, it can be unblocked.
One day hopefully you will have a child and your attitude will change. Some mommy-coddlling is needed in every childs life.
You may beleive that you can check your own browsing habit, and you may, but the average school age child can't. It's been proven. I personally do not want my 6 year old to accidently see something because a 15 year old setup a computer to bypass normal filtering.
Yes, somebody can get around it, in fact people can get around most anything. Sooner or later the odds are they will get caught.
If a site is valid, it can be unblocked.
One day hopefully you will have a child and your attitude will change. Some mommy-coddlling is needed in every childs life.
You could also take a look at what proxies your students are using. You can check the logs for commonly visited sites. Generally, using an anonymous proxy server means the user will spend an extended amount of time on that site. That will be a red flag to you. The sites are fairly obvious, for example, proxyspinner, etc... You can manually block these entries, however, that all depends on how large the problem at hand is. If it's on a small scale, the manual way isn't a bad way to go.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I would recommend you look into Bloxx, Inc. http://www.bloxx.com. Anonymous proxies which let students bypass filters are blocked instantly with Bloxx meaning your students can't access the internet through the back door. You can also choose to enable the Safesearch feature on Internet search engines so that students cannot bypass it and access inappropriate material. Due to the essential nature of education, many types of sites need to be accessed by users and the flexible group policies within the Bloxx internet filtering system provide for these diverse requirements. Also, Bloxx's thorough and clear reporting allows you to see if your group Internet policies are working sufficiently or if they need fine tuning, and provides invaluable real time monitoring to see which users are frequently violating policies.
OK some time has passed since my post but my final solution was the school guardian from Smoothwall.
Dam good product and the best part about it is the students at the school i work in have presented me with a nice petition about over blocking. When i looked into it in more detail they really wanted me to unban game sites and proxies. This product works well and the tech support we bought into are great to help with any new features you want or issues.
what you waiting for buy it
Dam good product and the best part about it is the students at the school i work in have presented me with a nice petition about over blocking. When i looked into it in more detail they really wanted me to unban game sites and proxies. This product works well and the tech support we bought into are great to help with any new features you want or issues.
what you waiting for buy it
As far as I know, BESS (along with just about every other content filter) has Control categories for Anonymizers and Anonymizing Utilities.