Need to block PSIPhon app
-
I have tried
- Forced users to use my DNS server
- Created rules to block VPN, IPSEC, PPTP, SSH and L2TP
Any suggestions!!
-
To block an application, you need to determine at least one of the following:
- the server(s) the app talks to
- the port(s) the app uses to talk
This app appears to use common web ports, so blocking that way isn't practical. Next you try to see where this app tries to talk to and block all of those destination IPs. You can't do it based on domain names because it most likely resolves to one of many different IP addresses, and DNS resolution doesn't happen in real time for every domain requested. So you're left playing whack-a-mole with IP addresses.
A better way would be to have a clear usage policy, and suspend any users caught breaking the policy. Users can always find a way around filters.
-
You have to block DNS port 53.
This worked for me if you are blocking 80 and 443 as well.
https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
-
Can you help us with how you did it? Because I tried what you said, but it didn't work.
-
Yes, I tried to solve that on my network, but no approach seems to work on Psiphon using pfSense.
-
Yeah good luck with that one... It's designed to "circumvent" blocking... So it uses standard ports and goes through https to lots of IPs, served up by common CDNs... So by blocking the IPs you're going to block lots of legit traffic as well.
Best way to block that, to be honest, is control of what users can install on company equipment..
You're going to have to do real DPI on this to be able to attempt to block it, and this would require doing mitm on their ssl connections... Look through the many guides on blocking it on stuff like Fortinet and SonicWall and PA devices... They all have guides that walk through all the different policies you have to set up... You would then need to duplicate that on pfSense..
Sorry but it's not going to be a click-this-button sort of setup.. But sure it can be done.
Example
https://www.sonicwall.com/support/knowledge-base/?sol_id=170503540264426
Look at all the steps required there to "attempt" to stop it.. Now duplicate that on pfSense, which all can be done.. With use of a proxy, even dpi is possible with the OpenAppID stuff.. Do they have an id in OpenAppID for Psiphon? Not sure?? You would have to look... Or you could use one of the high cost solutions.. They cost 1000's in licensing for a reason ;)
Blocking stuff on specific signatures can be done with either of the IPS packages.. That SID they mention for ssh in the above link... Keep in mind it's probably going to attempt ssh over more than just the standard port 22.
You do understand.. that even with all that, blocking users from bypassing your filters so they don't do xyz is going to be a never-ending whack-a-mole game, right? If any port is open outbound, without running through a proxy, or it proxies the tcp directly.. or does not mitm it, sort of thing.. I can just run say rdp over 443 to my home IP and do whatever I want that way.. Now this does prevent the bad shit that might execute on the user's machine, which normally is what you're trying to prevent.. So just do that from the get-go and prevent the user from running or installing such apps like Psiphon in the first place.. This is way easier to accomplish than trying to whack-a-mole their outbound traffic.
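As an added example (not code from any poster here, and not a pfSense feature), here is a small Python script that reads pfSense filterlog-style lines and flags two of the things discussed above: LAN hosts sending DNS anywhere other than the firewall's own resolver (the port 53 point), and hosts fanning out over https to many distinct IPs (the "standard ports to lots of IPs" behaviour). It assumes the LAN interface is `igb1`, the resolver is `192.168.1.1`, and uses constructed sample log lines.

```python
"""Flag LAN hosts that bypass the local resolver or fan out over HTTPS.

Input is pfSense filterlog CSV (rule,subrule,anchor,tracker,iface,reason,
action,dir,ipver, then IPv4 header fields, src, dst, sport, dport, ...).
"""
from collections import defaultdict

LAN_IF = "igb1"                 # assumption: LAN interface name
LOCAL_RESOLVER = "192.168.1.1"  # assumption: pfSense LAN address running the resolver
FANOUT_THRESHOLD = 3            # distinct HTTPS destinations per host before flagging

# Constructed sample lines in filterlog format (not real captures).
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.1.10,192.168.1.1,51234,53,40
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1002,0,DF,17,udp,60,192.168.1.20,8.8.8.8,51235,53,40
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.1.20,203.0.113.7,51236,53,0,S,1,,65535,,mss
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.30,198.51.100.1,51237,443,0,S,1,,65535,,mss
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.30,198.51.100.2,51238,443,0,S,1,,65535,,mss
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.1.30,198.51.100.3,51239,443,0,S,1,,65535,,mss
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1007,0,DF,6,tcp,60,192.168.1.10,198.51.100.1,51240,443,0,S,1,,65535,,mss
"""

def parse_filterlog(line):
    """Return the fields we need from an IPv4 TCP/UDP entry, else None."""
    f = line.strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def analyze(lines):
    """Return (hosts bypassing the local resolver, hosts with HTTPS fan-out)."""
    dns_bypass = set()
    https_dsts = defaultdict(set)
    for line in lines:
        e = parse_filterlog(line)
        # Only client traffic entering the LAN interface is of interest.
        if e is None or e["iface"] != LAN_IF or e["dir"] != "in":
            continue
        if e["dport"] == 53 and e["dst"] != LOCAL_RESOLVER:
            dns_bypass.add(e["src"])            # DNS not going via the firewall
        if e["proto"] == "tcp" and e["dport"] == 443:
            https_dsts[e["src"]].add(e["dst"])  # track distinct HTTPS peers
    fanout = {h for h, d in https_dsts.items() if len(d) >= FANOUT_THRESHOLD}
    return sorted(dns_bypass), sorted(fanout)

if __name__ == "__main__":
    bypass, fanout = analyze(SAMPLE_LOG.splitlines())
    print("DNS bypass hosts:", bypass)   # prints ['192.168.1.20']
    print("HTTPS fan-out hosts:", fanout)  # prints ['192.168.1.30']
```

Feed it `clog /var/log/filter.log` output (or a syslog export) instead of the sample to see which hosts to look at before touching any block rules.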
-
@johnpoz
Thanks, let us try that and see, will share feedback.
-
@johnpoz said in Need to block PSIPhon app:
openappid for psiphon
I don't believe we have one for that in our detectors ruleset, but you might be able to load one from somewhere else.
That is likely the only way you will block it and even then it's not guaranteed if that app is specifically designed to prevent detection.
Steve