Thursday, December 12, 2013

Obfuscating HTTP Proxy traffic to bypass DPI firewalls

The Chinese and Iranian governments are well known for their hostility toward a free internet. Both countries have deployed large Deep Packet Inspection (DPI) systems at their international gateways to drop traffic that matches known censorship-circumvention protocols, and new ones as soon as they have been fingerprinted. That includes plain HTTP proxies, which are easy to set up with well-known tools such as Squid or Microsoft TMG.

In this article I set up Obfsproxy on Ubuntu 12.04 LTS to obfuscate HTTP proxy traffic, so that it passes such firewalls and the client gets unfiltered internet access again.

Almost everybody knows Tor, the well-known project that helps people stay anonymous on the web and bypass censorship in countries like China, Iran and Syria. A few years ago the Tor Project started an add-on project named Obfsproxy to help users in Iran and China get past the DPI firewalls those countries had begun to deploy. It has since reached a stable state and is ready to be used in small environments. One caveat before we start: the obfs2 transport used below only disguises the shape of the traffic, it is not encryption you can rely on for confidentiality. Its handshake lets a passive observer who knows the protocol recover the session key, and the Tor Project has since superseded it with obfs3, which obfsproxy also ships; the commands below work the same way with obfs3 substituted for obfs2.

We run Obfsproxy in server mode on the proxy host and in client mode on the user's machine, which wraps the proxy connection in an extra layer of obfuscation. Let's start by installing the latest Obfsproxy on the Ubuntu server:
s1@p:~$ sudo -i

root@p:~# apt-get update

root@p:~# apt-get upgrade -y 
root@p:~# apt-get install gcc build-essential python-dev python-pip -y
root@p:~# pip install obfsproxy

I assume that a proxy server such as Squid is already installed and listening on 3128/TCP. Now run Obfsproxy for the first time:
root@p:~# obfsproxy obfs2 --dest 127.0.0.1:3128 server 0.0.0.0:8080

This makes Obfsproxy listen on 8080/TCP, strip the obfuscation from incoming connections and forward them to 3128/TCP on localhost, where Squid serves the proxy requests. Two points are worth checking here. First, the obfs2 transport accepts a --shared-secret option; with it set on both sides, only clients configured with the same secret produce traffic the server can decode. Second, the listener is reachable from the whole internet, so Squid itself must still restrict who may use it (http_access ACLs or proxy authentication), otherwise you have built an open proxy behind a thin disguise.

A minimal way to run it at boot is an init script. Keep in mind that update-rc.d will call the script with start, stop and restart arguments; the bare command below ignores them, so it is enough to start the service at boot but will not stop it cleanly at shutdown.
root@p:~# nano /etc/init.d/obfsproxy

Place the following two lines in the file (the shebang is needed so init can execute it) and save it:
#!/bin/sh
obfsproxy obfs2 --dest 127.0.0.1:3128 server 0.0.0.0:8080 > /var/log/obfsproxy.log 2>&1 &

Make the file executable and register it for automatic startup:
root@p:~# chmod 755 /etc/init.d/obfsproxy

root@p:~# update-rc.d obfsproxy defaults

That's all. From the next reboot, Obfsproxy will start automatically. You can also start it right away with "service obfsproxy start" and confirm it is listening with "netstat -tlnp | grep 8080".

Now the client side. I only cover Windows here, since it is the most common client operating system:

Download the following archive and extract it on your computer. Running an unsigned binary fetched from a personal file share is a supply-chain risk; where possible, use the obfsproxy build distributed and signed by the Tor Project (at the time it shipped inside the Pluggable Transports Tor Browser Bundle) and verify the signature before running it:
https://www.dropbox.com/s/bfpo7l5hsgthmwq/obfsproxy.zip

Open a command prompt (cmd.exe), change to the Obfsproxy directory and start it in client mode:
obfsproxy.exe obfs2 --dest YOUR_Server_IP:8080 client 127.0.0.1:5050

It listens on 127.0.0.1:5050 and forwards everything, obfuscated, to your server's port 8080. Point your browser's HTTP proxy setting at 127.0.0.1:5050 and the request travels through the tunnel to the server, which hands it to Squid. A quick end-to-end check from any HTTP client on that machine is "curl -x http://127.0.0.1:5050 http://example.com/", which should return the page through the tunnel.

You can turn it into a Windows service with a third-party wrapper such as NSSM.

Wednesday, December 4, 2013

Block torrent and SMTP on Ubuntu Server

For VPN providers like us, it is important to control what traffic passes through our UK- and US-hosted servers. We all know that if we don't, the servers get suspended quickly after a few copyright-infringement complaints generated by our clients' downloads.

Here I block torrent activity on my Ubuntu server with a combination of iptables and PeerGuardian. I start by adding a set of string-matching rules to iptables. Keep in mind what "-m string" can and cannot do: it inspects each packet on its own, so it catches plaintext tracker requests and handshakes but not peers that negotiate encryption (MSE), and broad strings such as "torrent" or "announce" will also drop legitimate web pages that merely contain those words as the replies pass through the FORWARD chain to your VPN clients. The rules:
root@VPN:~#

iptables -A OUTPUT -m string --algo bm --string "GET /announce?info_hash=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /announce?info_hash=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "GET /scrape?info_hash=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /scrape?info_hash=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "GET /announce.php?info_hash=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /announce.php?info_hash=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "GET /scrape.php?info_hash=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /scrape.php?info_hash=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "GET /announce.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /announce.php?passkey=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "GET /scrape.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "GET /scrape.php?passkey=" -j DROP
iptables -A OUTPUT -m string --algo bm --hex-string "|13426974546f7272656e742070726f746f636f6c|" -j DROP
iptables -A FORWARD -m string --algo bm --hex-string "|13426974546f7272656e742070726f746f636f6c|" -j DROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -A FORWARD -m string --string "get_peers" --algo bm -j DROP
iptables -A FORWARD -m string --string "announce_peer" --algo bm -j DROP
iptables -A FORWARD -m string --string "find_node" --algo bm -j DROP
iptables -A OUTPUT -m string --algo bm --string "BitTorrent" -j DROP
iptables -A OUTPUT -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A OUTPUT -m string --algo bm --string "peer_id=" -j DROP
iptables -A OUTPUT -m string --algo bm --string ".torrent" -j DROP
iptables -A OUTPUT -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A OUTPUT -m string --algo bm --string "torrent" -j DROP
iptables -A OUTPUT -m string --algo bm --string "announce" -j DROP
iptables -A OUTPUT -m string --algo bm --string "info_hash" -j DROP
iptables -A OUTPUT -m string --string "get_peers" --algo bm -j DROP
iptables -A OUTPUT -m string --string "announce_peer" --algo bm -j DROP
iptables -A OUTPUT -m string --string "find_node" --algo bm -j DROP
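To see what the rule set above actually matches and what it misses, here is an added Python dry run; it is not part of the original post. It models "-m string" the way xt_string behaves (a case-sensitive substring search confined to one packet, rules walked in order) and feeds it constructed payloads: a plaintext tracker announce, a peer-wire handshake, a DHT query, an innocent news page, the same announce split into small TCP segments, and a stand-in for an MSE-encrypted peer connection. All sample traffic is constructed here for illustration.

```python
"""Dry run of the post's iptables '-m string' rules against sample payloads.

Added example for this post, not part of the original article. The xt_string
match is a per-packet substring search, so the whole rule set can be modelled
as an ordered list of byte patterns. All payloads below are constructed here
for illustration (no real tracker, peer or page).
"""
import hashlib

# Byte patterns from the OUTPUT/FORWARD rules, in rule order (first DROP wins).
# The --hex-string "|13426974546f7272656e742070726f746f636f6c|" decodes to the
# BitTorrent peer-wire handshake: length byte 0x13 + "BitTorrent protocol".
TORRENT_PATTERNS = [
    b"GET /announce?info_hash=",
    b"GET /scrape?info_hash=",
    b"GET /announce.php?info_hash=",
    b"GET /scrape.php?info_hash=",
    b"GET /announce.php?passkey=",
    b"GET /scrape.php?passkey=",
    b"\x13BitTorrent protocol",
    b"BitTorrent",
    b"BitTorrent protocol",
    b"peer_id=",
    b".torrent",
    b"announce.php?passkey=",
    b"torrent",
    b"announce",
    b"info_hash",
    b"get_peers",
    b"announce_peer",
    b"find_node",
]


def first_match(payload, patterns=TORRENT_PATTERNS):
    """Return the first pattern found in one packet's payload, or None.

    Like iptables, the search is case-sensitive and confined to a single
    packet: nothing is reassembled across TCP segments.
    """
    for pat in patterns:
        if pat in payload:
            return pat
    return None


def evaluate(segments, patterns=TORRENT_PATTERNS):
    """Run every segment of a connection through the rules.

    Returns the list of patterns that would have fired; an empty list means
    the connection passes the filter untouched.
    """
    hits = (first_match(seg, patterns) for seg in segments)
    return [h for h in hits if h is not None]


def segment(payload, size):
    """Split a payload into fixed-size TCP segments (models a client that
    deliberately sends small writes)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


# --- constructed sample traffic -------------------------------------------

# 1. Plain-HTTP tracker announce: the headline case the rules are written for.
TRACKER_GET = (
    b"GET /announce?info_hash=%AB%CD%EF%01%23%45%67%89%AB%CD"
    b"%EF%01%23%45%67%89%AB%CD%EF%01&peer_id=-TR2820-abcdefghijkl"
    b"&port=51413&uploaded=0&downloaded=0&left=1024 HTTP/1.1\r\n"
    b"Host: tracker.example.invalid\r\n\r\n"
)

# 2. Unencrypted peer-wire handshake: 0x13, "BitTorrent protocol", 8 reserved
#    bytes, 20-byte info hash, 20-byte peer id.
PEER_HANDSHAKE = (b"\x13BitTorrent protocol" + b"\x00" * 8
                  + bytes(range(20)) + b"-TR2820-abcdefghijkl")

# 3. Bencoded DHT get_peers query (UDP, but xt_string works the same way).
DHT_GET_PEERS = (b"d1:ad2:id20:" + b"A" * 20 + b"9:info_hash20:" + b"B" * 20
                 + b"e1:q9:get_peers1:t2:aa1:y1:qe")

# 4. Collateral damage: an ordinary news page that merely mentions the word.
NEWS_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>Court rules on torrent site appeal</p>")

# 5. Stand-in for an MSE/RC4-encrypted peer connection: the real thing is
#    indistinguishable from random bytes, so a hash-derived blob is used here.
ENCRYPTED_PEER = hashlib.sha256(b"constructed MSE stand-in").digest() * 3


if __name__ == "__main__":
    cases = {
        "tracker announce": [TRACKER_GET],
        "peer handshake": [PEER_HANDSHAKE],
        "DHT get_peers": [DHT_GET_PEERS],
        "news page (false positive)": [NEWS_PAGE],
        "announce split into 6-byte segments (evasion)": segment(TRACKER_GET, 6),
        "MSE-encrypted peer (evasion)": [ENCRYPTED_PEER],
    }
    for name, segs in cases.items():
        hits = evaluate(segs)
        print(f"{name:48s} -> {'DROP ' + repr(hits[0]) if hits else 'passes'}")
```

The first three cases fire as intended, the news page is dropped by the bare "torrent" rule, and the last two pass: splitting the request into segments shorter than the shortest pattern defeats per-packet matching, and an encrypted peer connection never contains the strings at all. That is the practical limit of this approach; it raises the cost for default client settings but is not a reliable block.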

If you have not blocked outbound SMTP yet, add these six rules as well; spam relayed through VPN clients is the other common source of abuse complaints:
iptables -A OUTPUT -p TCP --dport 25 -j DROP
iptables -A OUTPUT -p TCP --dport 465 -j DROP
iptables -A OUTPUT -p TCP --dport 587 -j DROP
iptables -A FORWARD -p TCP --dport 25 -j DROP
iptables -A FORWARD -p TCP --dport 465 -j DROP
iptables -A FORWARD -p TCP --dport 587 -j DROP

Now list the current iptables rules, with numeric output and packet counters, to make sure all of the above were entered successfully (the counters also show which rules actually fire):
root@VPN:~# iptables -L -n -v

Next we make the rules persistent, so that iptables reloads them after a reboot. The package asks during installation whether to save the current rules; if you change them later, write them out again with "iptables-save > /etc/iptables/rules.v4":
root@VPN:~# apt-get install iptables-persistent

The next step is PeerGuardian (pgl) installation and configuration. pglgui is a Qt desktop front end and can be left out on a headless server:
root@VPN:~# apt-get install python-software-properties

root@VPN:~# add-apt-repository ppa:jre-phoenix/ppa

root@VPN:~# apt-get update

root@VPN:~# apt-get install pgld pglcmd pglgui

Note: pgl is started automatically at the end of the installation, so blocking with the default lists begins immediately.

Now edit the pglcmd configuration file:
root@VPN:~# nano /etc/pgl/pglcmd.conf

Add these five lines to the config and save the file. INIT starts pgl at boot, CRON enables the daily block-list update, the two LOG settings turn off logging of blocked packets, and WHITE_TCP_OUT whitelists outbound TCP on the http, https and ftp ports so web and FTP traffic (including the list downloads themselves) still works even toward listed addresses:
INIT="1"
CRON="1"
LOG_SYSLOG="0"
LOG_LOGFILE="0"
WHITE_TCP_OUT="https http ftp"

Now let's edit the PeerGuardian block-list configuration:
root@VPN:~# nano /etc/pgl/blocklists.list

This file contains many predefined block lists. Simply un-comment the ones you want and save the file. I suggest starting with the following lists:
http://list.iblocklist.com/lists/bluetack/bogon
http://list.iblocklist.com/lists/bluetack/level-1
http://www.botrevolt.com/lists/Bot-Revolt-Exclusive
http://list.iblocklist.com/lists/tbg/primary-threats
As you can see, most of these lists are supplied by iBlocklist.com. They also offer commercial lists for a small annual subscription fee, and a subscription is required to use their Anti-Infringement list. Bear in mind that broad lists such as bluetack level-1 block large legitimate ranges as well (the BBC test below is a case in point), so your VPN users will lose access to those sites too.

The configuration is finished. Restart PeerGuardian:
root@VPN:~# pglcmd restart

It takes a few seconds to download and load all the lists, then blocking starts automatically. To verify it is working, ping bbc.co.uk, which is on the block list and should therefore be blocked:
root@VPN:~# ping bbc.co.uk

You should see "Destination Port Unreachable" as the reply: pgl rejects blocked traffic with an ICMP port-unreachable message rather than silently dropping it. That means PeerGuardian is configured properly and is blocking the addresses on your lists.

Finally, reboot the server and confirm that both the iptables rules ("iptables -L -n -v") and PeerGuardian ("pglcmd status") come back up.

Monday, December 2, 2013

An additional configuration to zPanel installation

Recently I configured several A records with the same name but different values in zPanel's DNS. I expected the DNS server that zPanel installs by default (BIND) to answer each query with a different one of those addresses, but it kept replying with a fixed address, normally the first value I had created for the record. To resolve this I changed the BIND configuration:
root@hosting:~# nano /etc/bind/named.conf
On Debian and Ubuntu the options block normally lives in /etc/bind/named.conf.options, which named.conf includes; edit whichever file holds your "options" section. Add the rrset-order line to it:

options {
    ...
    recursion no;
    dnssec-validation yes;
    dnssec-lookaside auto;
    rrset-order { order random; };
    ...
};

Check the syntax with "named-checkconf" and reload BIND with "rndc reload" (or "service bind9 restart"); a reboot is not needed. That does the trick: from now on BIND returns the A records in random order for each query. Keep in mind this only spreads clients across the addresses; it does not detect a dead host, since a resolver that has cached an unreachable address keeps using it until the TTL expires.