How do I prevent users from using UC Browser



  • Hello everyone,

    I am running pfSense 2.2.3 with squid3 and squidguard in transparent mode.

    I am facing a strange problem. I have blocked Facebook (by blocking all the IPs of Facebook: creating an alias for the Facebook IPs and writing a firewall rule). Facebook gets blocked if accessed from the Facebook app and all the browsers (Mozilla, Chrome…) except UC Browser. I have heard that UC Browser is a proxy browser. It connects to the UC server in encrypted mode, so I guess it is able to bypass my proxy and firewall rules. Can I do some kind of setting to completely block users from using UC or any other proxy web browser?
    Blocking by user-agent? Any pointers?

    regards,
    Ashima



  • It connects to UC Server…

    So block access to the UC server.



    Well, it's not easy to block UC server IPs as they keep changing them. Still, I googled for UC server IPs. I have blocked all of them. Still, a few of my users (Lenovo mobile with preinstalled UC browser) are able to access Facebook and other apps that come with UC Browser. It's just driving me crazy. Is there no category such as web proxy in squidguard which blocks such browsing? Or is it possible to block it through Snort? Any help please….

    with warm regards,
    Ashima



  • It connects to UC Server

    Block the domain and IP addresses.

    Still few of my users (lenovo mobile  with preinstalled uc browsers)

    Identify them by their MAC address and then block the services for them.

    Perhaps, if your appliance has enough performance, you can still try to block this
    by DPI Layer 7 filtering, but this often uses a lot of CPU power!!!

    Or you should have a look at a so-called NGFirewall (Next Generation Firewall) that works
    application based.



  • @ashima:

    Well, it's not easy to block UC server IPs as they keep changing them

    That's the drawback of using IP addresses in FW rules where a proxy should be used  8)
    When using Squid/Squidguard, the goal is not to maintain a list of IP addresses to be blocked/allowed but rather to rely on URLs.



  • @chris4916:

    @ashima:

    Well, it's not easy to block UC server IPs as they keep changing them

    That's the drawback of using IP addresses in FW rules where a proxy should be used  8)
    When using Squid/Squidguard, the goal is not to maintain a list of IP addresses to be blocked/allowed but rather to rely on URLs.

    In another thread here in the forum someone was speaking about proxy authentication, building user groups and then preventing the whole group from using the service. Perhaps this will also match here?



  • @BlueKobold:

    In another thread here in the forum someone was speaking about proxy authentication, building user groups and then preventing the whole group from using the service. Perhaps this will also match here?

    For sure  8)

    These are 2 different aspects which can, however, be combined.

    IMHO, neither FW nor DNS is very suitable when it comes to controlling HTTP flow. This doesn't mean that neither FW nor DNS is involved in this process, but the cornerstone is definitely the HTTP proxy.
    Using a proxy will provide you with the capability to deny/allow access to URLs (regardless of IP address(es)), rely on blacklists and plug in an anti-virus engine.

    This obviously requires preventing access to the internet without using your own HTTP proxy: this is where the FW is really useful.
    DNS is also used because, when using an explicit proxy, the component performing name resolution (and therefore using DNS) is the proxy server itself, instead of the end-user workstation as when no proxy (or a transparent proxy) is used.

    If you combine this with authentication (which does mean an explicit proxy) then you can apply some profiling and decide to whom the rules apply.



  • Hi chris,

    I am confused. I am new to pfSense. I am using squid3 with squidguard. I am trying to block the UC server by adding
    ucweb.com to the blacklist domains in squid. Part of it is blocked but for a few users it's still working.

    I am not able to understand the FW and DNS which you are talking about. Can you please explain how I use them to block users?

    Also I want to know in what order the rules are applied to a packet originating from the LAN network. Is this correct:

    LAN --- squid+squidguard rules --- traffic shaper rules --- firewall rules --- WAN

    WAN --- snort rules --- LAN user

    Does the packet bypass the traffic shaper rules and firewall rules if it passes through squid running in transparent/non-transparent mode?

    Thank you
    regards,
    Ashima



  • Hello,

    I have managed to break the browsing through UC Browser. This is what I have done… it might be of use to someone trying to stop users using UC Browser.

    Blacklist these domains :

    .ucweb.com
    .ucweb.co
    .umeng.com
    .9apps.com            (to prevent users from downloading apps through UC Browser)
    .9game.com            (to prevent users from downloading games through UC Browser)

    All these break most of the features of UC Browser.

    Thanks everyone for your help and suggestions. Still, the DNS and FW suggestion given by chris is not clear to me.
    Also I would like to know what kind of CPU usage there will be for 50 users if I do DPI layer 7 as suggested by one of the users. Right now I am using:

    Intel Core 2 Duo E5300, Intel G31 chipset motherboard with 8 GB DDR2, 2 x Intel PRO/1000MT PCI network adapters, 160 GB Seagate Barracuda 7200 rpm SATA-2 drive.

    The dashboard shows 0-3% CPU usage.

    Do I have to go for something higher if I have to do DPI layer 7 traffic shaping?

    Regards,
    Ashima



    Still, the DNS and FW suggestion given by chris is not clear to me.

    FW = firewall = firewall rules. Control access via firewall rules.
    DNS = Domain Name Services = resolves domain name to IP addresses.  Block resolution of domains to prevent access.

    Also I would like to know what kind of CPU usage there will be for 50 users if I do DPI layer 7 as suggested by one of the users.

    Nobody could possibly answer this with any degree of certainty or accuracy.  Try it and find out for your situation.  Deep packet inspection is very CPU-intensive.



  • Sorry if using acronyms made my reply unclear  :-[  and thank you KOM for the translation  ;)



  • Well, honestly, if you're in the position of configuring pfSense, you shouldn't have to have DNS explained to you.



    Hello Everyone,
    This is my first post on pfsense.org.
    As a System / Network admin it is really difficult to adapt to the new changes happening in technology or in the Internet world. As well, end users on a restricted network always look for a bypass, which leads to serious flaws in the security policies deployed by the System Admin or for the entire company.
    I am not a System / Network admin but I am a geek & want my home network to be secured from external attacks, as well as making sure that no one will breach the policies that I deploy for my network.
    (My home network is used by 6 homes of my family & friends with extended routers or repeaters.) To secure the whole network & ensure that everything on my network stays under control, I strictly monitor all traffic all the time using OpenDNS. I have been using OpenDNS for a long time & I am kind of an expert in that. Now, if you want to block access to UC Browser, which I found some time back was able to bypass my OpenDNS rules: I did extensive research & continuously monitored my network traffic, reading hundreds of forums. Simultaneously I was using UC Browser as well as Mini to understand its working.
    I found the following hosts of UC Browser & blocked access to them using OpenDNS. Now not a single query or single request disobeys my OpenDNS law. I ruled UC & I have complete control over my network.

    BLOCK THE FOLLOWING DOMAINS & THEIR SUB-DOMAINS:

    1. baidu.com
    2. mandriva-art.org
    3. meego-central.org
    4. ucweb.com
    5. ijinshan.com (This is, I think, the DNS resolver for UC Browser, which leads to proxy server connections & allows users to access blocked sites.)
    6. umengcloud.com
    7. uc.cn
    8. 9game.com (UC Game Market Place)
    9. 9apps.com (UC App Market Place)
    10. umeng.com
    11. ucweb.co

    Block all the above domains to restrict access to UC & remain in control of your firewall.

    No difficult firewall rule creation, no hassle. Just add the above domains to the block list.

    NOTE: Block all the sub-domains of the above-mentioned domains. Only then will you get a 100% result. BLOCK ALL SUB-DOMAINS OF THE ABOVE DOMAINS!

    Please let me know whether this works for you or not.
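As an added example (not code from any poster in this thread), the following Python script checks hostnames taken from constructed squid access.log lines against the domains collected in Ashima's list and in the post above, treating each entry the way a squidGuard domain list does: the domain itself and every sub-domain under it. The log lines, client addresses and upstream IPs are made up for the demonstration.

```python
"""Added example (not the thread's own code): check hostnames against the
domain blocklist the posters arrived at, with squidGuard-style matching,
where an entry blocks the domain itself and every sub-domain under it."""
import re

# Domains collected from the thread's posts. The leading dot is squid's
# way of saying "this domain and all sub-domains"; normalize() strips it.
BLOCKED_DOMAINS = [
    ".ucweb.com", ".ucweb.co", ".umeng.com", ".umengcloud.com", ".uc.cn",
    ".9apps.com", ".9game.com", "ijinshan.com", "baidu.com",
]

def normalize(domain):
    """Lower-case, drop a trailing dot and the squid-style leading dot."""
    return domain.strip().lower().rstrip(".").lstrip(".")

def is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a sub-domain of one.
    The dot before the domain is required, so notucweb.com is not hit."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in map(normalize, blocklist))

# Constructed squid access.log lines (native format) for the demonstration.
SAMPLE_LOG = """\
1436000001.123    120 192.168.1.20 TCP_MISS/200 4321 GET http://m.ucweb.com/ - HIER_DIRECT/1.2.3.4 text/html
1436000002.456     80 192.168.1.21 TCP_TUNNEL/200 512 CONNECT api.9apps.com:443 - HIER_DIRECT/1.2.3.5 -
1436000003.789     95 192.168.1.22 TCP_MISS/200 9876 GET http://www.example.org/ - HIER_DIRECT/1.2.3.6 text/html
1436000004.012     60 192.168.1.23 TCP_MISS/200 300 GET http://notucweb.com/ - HIER_DIRECT/1.2.3.7 text/html
"""

# Fields: timestamp, elapsed ms, client, result/status, bytes, method, url
LOG_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def host_from_target(target):
    """Host part of a GET URL or of a CONNECT host:port target."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", target, flags=re.I)
    return target.split("/", 1)[0].rsplit(":", 1)[0]

def flag_blocked_requests(log_text):
    """Return (client_ip, host) for each logged request the list would deny."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, _method, target = m.groups()
            host = host_from_target(target)
            if is_blocked(host):
                hits.append((client, host))
    return hits
```

Running `flag_blocked_requests(SAMPLE_LOG)` returns the two UC-related requests and leaves notucweb.com alone, which is the difference between a plain suffix match and a proper sub-domain match.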