Our Forums Have Moved!

Visit our new forums at http://community.opendns.com/forums/ to post on topics and read the latest content. These forums are now read-only archives.

Vanilla 1.1.4 is a product of Lussumo.

This discussion has been inactive for longer than 30 days, and is thus closed.
    steen42 (May 19th 2009):
    How can I block users from using Tor on my network? I'm using OpenDNS to block different categories but using Tor defeats the whole thing.

    Any ideas?
    rotblitz (May 19th 2009):
    "but using Tor defeats the whole thing."
    Sure, because Tor really does not have much to do with DNS (Domain Name System): it hardly uses it! So you can't catch it with DNS. It uses proxy technology.
    So, what can you do? Don't give the users admin rights on the computers, so they can't install Tor at all. And they cannot change the TCP/IP settings, e.g. the DNS server addresses, and, important for Tor, they cannot change the browser's proxy settings.
    If they have admin rights, you do not really need to worry about Tor, because they can do everything anyway. Tor or OpenDNS don't add (or subtract) any value then...
    diacon (May 19th 2009):
    OpenDNS probably won't block Tor as I doubt it would use the network's DNS.

    Your best bet is going to be to use your hardware firewall to block all ports except those you need for your day-to-day operations. That should keep Tor from working fully, or at least cause some problems with it.

    You want to keep ports 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3) and 443 (HTTPS) open. Block everything else for both inbound and outbound traffic. That will keep the internet alive.

    Depending on your local network, there are other options you could use. You could also claim that Tor is a network insecurity and all employees using Tor are subjecting the corporate network to possible breach... that is if this is for a corporate environment.
    sjwalter (May 20th 2009):
    It might be possible to block on the router level, but you would have to write a script for it.

    I recall reading about someone doing that somewhere. I'll go look for the article.
    Red Prince (May 20th 2009):
    As far as I know, by default TOR servers listen on port 9001 and their directory is at the port 9030. So, blocking the outgoing traffic to these two ports on your router should pretty much block TOR, or at least make it very hard to use.
    cool110 (May 21st 2009):
    "As far as I know, by default TOR servers listen on port 9001 and their directory is at the port 9030. So, blocking the outgoing traffic to these two ports on your router should pretty much block TOR, or at least make it very hard to use."

    Only on *nix servers; Windows servers listen on 443 and the directory on 80.
    Red Prince (May 21st 2009):
    "windows servers listen on 443 and directory on 80"
    Wouldn't that prevent them from running a web server?
    diacon (May 21st 2009):
    It listens on those ports, but does it push data back out those ports? Most likely not, as (US) ISPs block outbound traffic on those ports to prevent non-commercial accounts from serving websites.
    Red Prince (May 21st 2009):
    My ISP does not block it. I run a number of web sites on my home computer. For example, http://mbr.adamsatoms.com is on my home computer.
    cool110 (May 21st 2009):
    "Wouldn't that prevent them from running a web server?"
    When providing a hidden service, Tor normally listens only on the real public or private IP, and the web server on 127.0.0.1.
    Red Prince (May 21st 2009):
    What good would be a web server that only listens on 127.0.0.1? :shocked:
    rotblitz (May 21st 2009, edited):
    "What good would be a web server that only listens on 127.0.0.1?"
    cool110 may rather have meant a local proxy. Many anonymizers work as a proxy. The browser's proxy server settings need to point to 127.0.0.x:port (or whatever the local proxy is listening on), and from there the local proxy (e.g. Tor or UltraSurf or JAP) goes on, out to the internet with e.g. HTTP(S) requests.
    The same applies the other way around, when you provide anonymizer services with e.g. Tor or JAP. Some WAN or LAN IP address is translated (NAT) to a localhost address and port of the form 127.0.0.x:port, and then the anonymizer goes on as above.
    Btw, the localhost (as listener) is not only 127.0.0.1, but a range 127.0.0.0/255.0.0.0, i.e. 127.0.0.1-127.255.255.254.
    Do a "route print" or e.g. "ping 127.5.4.3", and you will see what I mean.
    If you like, you can also assign host names to these addresses... :wink:
    Red Prince (May 21st 2009):
    Yes, yes, but that still does not stop TOR running at ports 80 and 443 from interfering with running a web server.
    diacon (May 21st 2009):
    That's nice of your ISP. Do you have a static address?

    I know that the cable ISPs as well as the DSL carriers in my area (Southwest) block port 80 outbound unless you pay for a static IP, which means you have to upgrade to a business account. Your standard home accounts stay blocked. They mainly do this to prevent phishing sites popping up on bot-controlled computers.

    Funny thing is if you just go up one port, you can connect fine.
    rotblitz (May 21st 2009):
    @Red Prince
    "that still does not stop TOR running at ports 80 and 443 from interfering with running a web server."
    It may interfere with a web server on the same box only, but you can possibly configure the one or the other, web server or anonymizer client, to prevent this from happening. Port translation and listening on specific IP addresses only (normally all = 0.0.0.0) are appropriate measures to separate the traffic.
    Red Prince (May 21st 2009):
    So, what you are saying is that to run a TOR server on Windows using its defaults and having a web site you would need two separate computers *and* a special router which can figure out which traffic should go to the TOR server and which to the web server? Wouldn't that be a major violation of the KISS principle? :devil:

    Are you sure the TOR server defaults to that on Windows? Why would it treat Windows differently from any other OS in that regard?
    Red Prince (May 21st 2009):
    OK, folks. I just opened the TOR control panel on my Windows machine and checked "Relay traffic for the Tor network" to set up a TOR server. It instantly offered me port 9001 for the server and port 9030 for the directory.

    So, I'm sorry, but whoever claimed these ports are the default only under Unix and that under Windows it uses ports 80 and 443 by default is plain *wrong*.

    And I stand by my original advice to yeshiva: Block outgoing ports 9001 and 9030 on your router to either completely block TOR traffic or make it extremely hard.
    cool110 (May 22nd 2009, edited):
    I just downloaded the Tor Browser Bundle to a USB drive and ran it on a new computer, and it gave me 443 for the relay. The reason Windows is treated differently is that root/admin is not needed to listen on ports below 1023.

    Also, with the web server I said "when providing a hidden service", where all traffic goes through Tor.
    http://www.torproject.org/docs/tor-hidden-service.html
    Example hidden service: http://duskgytldkxiuqc6.onion
    Red Prince (May 22nd 2009):
    The question posted at the beginning of this thread was how to block users from using TOR on a network. Hidden services have nothing to do with that. Closing outgoing ports 9001 and 9030 will prevent Tor clients from accessing (most) Tor servers and effectively block the use of Tor.

    Root/admin is not needed on ports 9001 and 9030 either. So that is not a reason to confuse the entire Tor network by assigning different ports on Windows.

    Though, quite frankly, I am surprised Tor even has default ports. When all or most of its servers use the same two ports, it is easy to block the entire Tor network by blocking the outgoing traffic to those two ports. If each server used a different port, the network would be pretty hard to block.
    cool110 (May 22nd 2009, edited):
    "The question posted at the beginning of this thread was how to block users from using TOR on a network. Hidden service has nothing to do with that. Closing outgoing ports 9001 and 9030 will prevent Tor clients to access (most) Tor servers and effectively block the use of Tor.

    Root/admin is not needed on ports 9001 and 9030 either. So that is not a reason to confuse the entire Tor network be assigning different ports on Windows."
    Yes, but blocking port 443 is a very bad idea, making Tor harder to block. Tor has a restrictive-firewall setting that, when turned on, defaults to 80 and 443.
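The thread ends up with two egress controls on the table: diacon's allowlist of outbound ports 25/53/80/110/443 and Red Prince's block on Tor's default ports 9001/9030, plus cool110's caveat that a Tor client in restrictive-firewall mode falls back to 80 and 443. The script below is an added example, not code from this thread, from OpenDNS or from the Tor project. It models both policies, runs a few constructed flow records (RFC 5737 test addresses, invented labels) through each, and renders the equivalent iptables FORWARD-chain rules for a Linux router, which is an assumed deployment since nobody in the thread names their router.

```python
"""Egress port policies from the thread, run against constructed sample flows.

Added example (not code from the forum thread, OpenDNS or the Tor project).
Two policies are modelled: an outbound allowlist of 25/53/80/110/443 and a
denylist of Tor's default ORPort/DirPort 9001/9030. Addresses and labels in
SAMPLE_FLOWS are constructed (RFC 5737 test ranges), not real relays.
"""
from dataclasses import dataclass

# Outbound destination ports the thread proposes to keep open:
# SMTP, DNS, HTTP, POP3, HTTPS.
ALLOWED_DST_PORTS = frozenset({25, 53, 80, 110, 443})

# Tor's default relay (ORPort) and directory (DirPort) ports named in the thread.
TOR_DEFAULT_PORTS = frozenset({9001, 9030})


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt seen at the network edge."""
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    label: str  # constructed tag describing what the flow represents


# Constructed sample flows in a "ts src dst proto dport label" format.
SAMPLE_FLOWS = """\
2009-05-21T10:00:01 10.0.0.12 198.51.100.7 tcp 9001 tor-orport-default
2009-05-21T10:00:02 10.0.0.12 198.51.100.7 tcp 9030 tor-dirport-default
2009-05-21T10:00:03 10.0.0.12 203.0.113.9 tcp 443 tor-relay-on-443
2009-05-21T10:00:04 10.0.0.15 192.0.2.20 tcp 80 plain-http
2009-05-21T10:00:05 10.0.0.15 192.0.2.53 udp 53 dns
2009-05-21T10:00:06 10.0.0.18 192.0.2.80 tcp 8080 alt-http-port
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, label = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport), label))
    return flows


def allowlist_policy(flow):
    """Permit only the listed destination ports; everything else is dropped."""
    return flow.dport in ALLOWED_DST_PORTS


def tor_port_denylist_policy(flow):
    """Drop only Tor's default ports; everything else is permitted."""
    return flow.dport not in TOR_DEFAULT_PORTS


def apply_policy(flows, policy):
    """Return {label: 'allow' | 'drop'} for each flow under the given policy."""
    return {f.label: ("allow" if policy(f) else "drop") for f in flows}


def render_iptables(policy_name):
    """Render a policy as iptables rules for the FORWARD chain of a Linux
    router (an assumed deployment; the thread does not name a router)."""
    if policy_name == "allowlist":
        ports = ",".join(str(p) for p in sorted(ALLOWED_DST_PORTS))
        return [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            f"iptables -A FORWARD -p tcp -m multiport --dports {ports} -j ACCEPT",
            "iptables -A FORWARD -p udp --dport 53 -j ACCEPT",
        ]
    if policy_name == "tor-ports":
        return [f"iptables -A FORWARD -p tcp --dport {p} -j DROP"
                for p in sorted(TOR_DEFAULT_PORTS)]
    raise ValueError(f"unknown policy: {policy_name}")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, policy in (("allowlist", allowlist_policy),
                         ("tor-ports", tor_port_denylist_policy)):
        print(f"== {name} ==")
        for label, verdict in apply_policy(flows, policy).items():
            print(f"  {verdict:5s} {label}")
        for rule in render_iptables(name):
            print("  " + rule)
```

Running it shows the two policies disagreeing only on the non-Tor 8080 flow, while the constructed "tor-relay-on-443" flow passes both: that is exactly cool110's point that a relay reachable on 443 is indistinguishable, by port alone, from HTTPS. Port-based egress filtering therefore narrows the problem rather than solving it, which is why rotblitz's advice to withhold admin rights (so the client cannot be installed or the proxy settings changed) complements the firewall rules rather than competing with them.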
