Prevent hotspotshield?



  • Hi all,
    I would like to prevent users from using hotspotshield to bypass pfSense. Please tell me how to configure it?
    Thanks.


  • Rebel Alliance Global Moderator

    Just took a look at their website, doesn't seem to list where it connects to for the VPN.  Or even what type of VPN it is?  PPTP, SSL?

    I would suggest you grab the client, and see where it tries to connect - then block said access.  Be it their IPs, Netblocks or Ports, etc.



  • They have L2TP, PPTP and OpenVPN according to their site



  • Realize that if you block that one, they'll just use another.  There's a fairly unlimited number of proxy/VPN services around, and nothing stops someone from simply building their own (from a rented server, or sometimes from their home.)

    Considering you've found that "people" are using it, I assume they're using it to bypass some kind(s) of content filters you have set up.  Often this becomes a policy issue that is solvable by tracking down the offender and applying said employment/student/user policy, or the punitive side of it.

    Also, considering you've found that "people" are using it, if you found it via some sort of logs, you should be able to find where they're connecting to and block it.  Then look for other VPNs and possibly block them as they appear (which, if you can't apply a user policy punishment, will probably happen.)



  • Block all ports except those that are needed by your network like 80 or 445.

    Or you can install Symantec Endpoint Protection and block the hotspotshield app using hash fingerprints. But I prefer the first one.


  • Rebel Alliance Global Moderator

    @SeventhSon:

    They have L2TP, PPTP and OpenVPN according to their site

    Really?  They hide that information pretty well then.. You looking at the same site?  Could you please point out to me where they give any details at all about their VPN used.  All I can find is "employs the latest VPN technology, and is easy to install and use."

    While I agree with "if you block that one, they'll just use another."  Users can also be really really stupid ;)  You might have a couple of users that said hey if you use this software you can browse porn.

    If said software is then blocked, and say you sent out an email saying attempting circumvention of filtering will be dealt with next time on an individual basis - you're really going to lower the number of users.

    Also as mentioned only the standard web ports 80, 443 should be open outbound - others should be on a case by case basis, ftp, ssh, etc.



  • @johnpoz:

    While I agree with "if you block that one, they'll just use another."  Users can also be really really stupid ;)  You might have a couple of users that said hey if you use this software you can browse porn.

    If said software is then blocked, and say you sent out an email saying attempting circumvention of filtering will be dealt with next time on an individual basis - you're really going to lower the number of users.

    Also as mentioned only the standard web ports 80, 443 should be open outbound - others should be on a case by case basis, ftp, ssh, etc.

    We also don't know what "kind" of internet fansaty is providing, either.  Is this workplace, student, "free WiFi"?  There's a good chance that simply blocking all other ports may not be an option depending on what other applications may need access, especially if games need to be allowed, but he's trying to block people circumventing P2P blocks (like in a student housing situation.)



  • Hi all,
    This week I am rather busy, so I don't track the topic continuously.
    I can prevent user access to xxx websites by blacklist template and some specified websites, but if users use hotspotshield, they can bypass those filters. My LAN: ADSL Router - pfSense - LAN
    @jikjik101:

    Block all ports except those that are needed by your network like 80 or 445.

    Or you can install Symantec Endpoint Protection and block the hotspotshield app using hash fingerprints. But I prefer the first one.

    @matguy:

    Realize that if you block that one, they'll just use another.  There's a fairly unlimited number of proxy/VPN services around, and nothing stops someone from simply building their own (from a rented server, or sometimes from their home.)

    Considering you've found that "people" are using it, I assume they're using it to bypass some kind(s) of content filters you have set up.  Often this becomes a policy issue that is solvable by tracking down the offender and applying said employment/student/user policy, or the punitive side of it.

    Also, considering you've found that "people" are using it, if you found it via some sort of logs, you should be able to find where they're connecting to and block it.  Then look for other VPNs and possibly block them as they appear (which, if you can't apply a user policy punishment, will probably happen.)

    @johnpoz:

    Just took a look at their website, doesn't seem to list where it connects to for the VPN.  Or even what type of VPN it is?  PPTP, SSL?

    I would suggest you grab the client, and see where it tries to connect - then block said access.  Be it their IPs, Netblocks or Ports, etc.

    It's hard to carry it out in my case  :-[ because there are many other factors, maybe I will try all cases. Thanks for the comments.


  • Rebel Alliance Global Moderator

    Many other factors like what?  You can not download the free client and sniff to see what it's doing?  Do you want me to do it for you and then export the rule base you should put in? :rolleyes:



  • Your default rule should be BLOCK. Then allow only those ports that are needed by your LAN.

    Example:

    Proto  Source           Port  Dest  Port  Gateway  Schedule  Description
    *      *                *     *     *     *        none      Default block LAN to any

    Then I will add ALLOW rules on top of my default block.

    Proto  Source           Port  Dest  Port  Gateway  Schedule  Description
    TCP    StaffFullAccess  *     *     80    WAN      none      Allow http on staff pc
    TCP    StaffFullAccess  *     *     443   WAN      none      Allow https on staff pc
    *      *                *     *     *     *        none      Default block LAN to any

    In this case, I am sure that my LAN can only access ports 80 and 443 and nothing else.



  • Yeah, maybe I will open each port and then come on so  :) I currently block the following websites by the SquidGuard proxy filter:
    hotspotshield.net
    anchorfree.com
    openvpn.net
    anchorfree.net
    hotspotshield.com
    www.hsselite.com

    and block ports by Firewall Rules: 1194, 8245, 8040-8045.

    Has anyone checked those ports?


  • Rebel Alliance Global Moderator

    Not saying block specific ports, you're coming at it from the wrong direction.  Block ALL PORTS, other than standard - ie http, https (80,443) and any other specific ports that might be needed can normally be locked down to the destination.

    If you block 1194, they can just run on 1193  – there are lots to choose from.  Block them ALL but the standard ports.

    Sure your proxy can filter based on dest to prevent say 443 being used for the tunnel.  Where you run into trouble is someone running to 443 for OpenVPN to their home box.  The only way to stop this would be DPI looking for traffic on a port that is not really https, and the amount of traffic to a location that can not be identified as legit, and then blocking it.
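    To make the point of jikjik101's rule table and johnpoz's "block 1194, they just run on 1193" concrete, here is an added illustration that is not code from the thread or from pfSense: a small first-match evaluator (pfSense walks a LAN rule list top to bottom and the first matching rule wins, with an implicit default deny at the end) run over a constructed port-blocklist ruleset and the default-deny ruleset from the thread. The `Rule`, `evaluate` and `compare` names and the sample flows are assumptions made for this example.

```python
"""First-match egress rule evaluation, modelled on pfSense LAN rule processing.
Added illustration for the thread; the rulesets and sample flows are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    proto: str      # "tcp", "udp" or "*" (any protocol)
    dports: tuple   # (low, high) destination port range, or None for any port
    desc: str

def matches(rule, proto, dport):
    """True when the flow's protocol and destination port fall within the rule."""
    if rule.proto != "*" and rule.proto != proto:
        return False
    if rule.dports is not None:
        lo, hi = rule.dports
        if not lo <= dport <= hi:
            return False
    return True

def evaluate(rules, proto, dport):
    """Return (action, description) of the first matching rule.
    pfSense ends every interface rule list with an implicit default deny."""
    for r in rules:
        if matches(r, proto, dport):
            return r.action, r.desc
    return "block", "implicit default deny"

# Blocklist approach (the OP's 1194 / 8245 / 8040-8045 rules, then allow the rest).
BLOCKLIST_RULES = [
    Rule("block", "*", (1194, 1194), "block OpenVPN default port"),
    Rule("block", "*", (8245, 8245), "block 8245"),
    Rule("block", "*", (8040, 8045), "block 8040-8045"),
    Rule("pass", "*", None, "allow LAN to any"),
]

# Default-deny approach (jikjik101's table): allow only TCP 80/443, block everything else.
DEFAULT_DENY_RULES = [
    Rule("pass", "tcp", (80, 80), "Allow http on staff pc"),
    Rule("pass", "tcp", (443, 443), "Allow https on staff pc"),
    Rule("block", "*", None, "Default block LAN to any"),
]

def compare(proto, dport):
    """Action taken on the same flow under each ruleset: (blocklist, default_deny)."""
    return (evaluate(BLOCKLIST_RULES, proto, dport)[0],
            evaluate(DEFAULT_DENY_RULES, proto, dport)[0])

if __name__ == "__main__":
    for proto, port in [("tcp", 443), ("udp", 1194), ("udp", 1193), ("tcp", 1723)]:
        print(proto, port, compare(proto, port))
```

A VPN client moved from UDP 1194 to UDP 1193, or a PPTP tunnel on TCP 1723, passes the blocklist untouched but hits the default block; only the tunnel-over-443 case johnpoz describes survives both rulesets.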



  • johnpoz is correct. Block ALL ports and ONLY allow the standard ports like 80 and 443.

    I haven't tried blocking hotspotshield with SquidGuard since I am running squid in transparent mode.

    Try doing my suggestion and post your results here.

