How to block https://www.facebook.com ?

Discussion in 'Networking, Telephony & Internet' started by syzygy9, May 9, 2011.

  1. TaroT

    TaroT Member

    Joined:
    Jan 18, 2002
    Messages:
    8,708
    Location:
    Hazelbrook nsw 2779
    Mine's simple:
    login to netgear
    filter words
    facebook
    youtube
    utube
    anything else I want
    set schedule
    done

    all depends on the router
     
  2. OP
    OP
    syzygy9

    syzygy9 Member

    Joined:
    Aug 10, 2001
    Messages:
    675
    Location:
    Perth, WA
    URL filtering for keywords does not work for https / encrypted streams where the word "facebook" does not appear in plain text; so while http://www.facebook.com does get filtered, https://www.facebook.com does not.
     
    Last edited: May 11, 2011
  3. FerrisXB9R

    FerrisXB9R Member

    Joined:
    Jan 18, 2005
    Messages:
    3,052
    Location:
    AB, CAN
    Buy a cheap Cisco 800 series router and learn to config it.

    Have a username and password that's different to the enable password.

    in the dhcp pool:
    dns server <ro.ut.er.ip>

    ip name-server <isp.dns.server.1>
    ip name-server <isp.dns.server.2>
    ip dns server


    then use the command

    ip host facebook.com 127.0.0.1 when you want to restrict access.

    use no ip host facebook.com 127.0.0.1 when you want to allow access again.

    Like to see your kids fuck with a cisco router.

    BTW, I'm not saying this is easy, but it'll DEFINITELY be secure. :D
     
  4. cbb1935

    cbb1935 Guest

    Just on this.. should do.

    Tested on my DG834G just then and it does indeed work.
     
  5. FerrisXB9R

    FerrisXB9R Member

    Joined:
    Jan 18, 2005
    Messages:
    3,052
    Location:
    AB, CAN
    True, but I was combating this with the already spoken of problem in that the current router is easily configurable/hacked into.

    Just because it's readily apparent to you that a proxy will render any edited hosts file/hosts entry in a router useless doesn't mean it is for his kids.
     
    Last edited: May 11, 2011
  6. Whisper

    Whisper Member

    Joined:
    Jun 27, 2001
    Messages:
    8,297
    Location:
    Sydney
    I pity your children.

    If daddy doesn't want you to have access to Facebook, you damn well are not going to have access to Facebook, well at least if you 2 are.
     
  7. zerassar

    zerassar Member

    Joined:
    Apr 21, 2009
    Messages:
    346
    Location:
    Sydney
    Just to throw my 2c worth in as I was discussing this exact topic with my network security teacher last week.

    There is NO way to block only https traffic to facebook without blocking all of port 443 which would result in every other https site to not work as well.

    Squid proxies will not block https://facebook.com and in fact you will never even see it in the url proxy log at all.

    The best option is the OpenDNS option. In your router's config you direct it to use OpenDNS and then you log into OpenDNS and add a rule for facebook.com.

    This will block both https: and http. The way this works is the computers make a request to OpenDNS for the IP address of "facebook.com"; OpenDNS turns around and gives them an error.

    Having said all of this it is rather simple to bypass if they know their shiz. They would just have to manually use a different DNS or a VPN/Proxy service.

    This is why I disabled my URL filter at work as it is better the devil you know than the devil you don't. You could also enforce it through anti-virus URL filters on the computers themselves.

    But at the end of it you are better off using good policies and management of their computer use than using technological means of control.
    The 10th law of computer security "Law #10: Technology is not a panacea"
     
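    The DNS-based block described in the post above, as an added example that is not from the thread or from OpenDNS: a resolver-side decision in Python that parses a raw DNS query (RFC 1035 wire format), answers NXDOMAIN for a blocked domain and all of its subdomains, and hands everything else back for normal forwarding. The query packets are constructed inline; the blocklist and function names are my own. It also makes the post's caveat concrete: the block only applies to clients that actually send their queries to this resolver.

```python
import struct

BLOCKED_DOMAINS = {"facebook.com"}  # hypothetical blocklist for this example


def build_query(qname, qid=0x1234):
    """Construct a standard recursive A query for qname (constructed sample input)."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_question(packet):
    """Return (qid, qname, qtype, raw_question) from a query, or None if malformed."""
    if len(packet) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        return None  # a response, or not a single-question query
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None  # name runs off the end of the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None  # compression pointers are not expected in a query name
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return qid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def is_blocked(qname, blocked=BLOCKED_DOMAINS):
    """True for the blocked domain itself and any subdomain of it."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in blocked)


def nxdomain_response(qid, raw_question):
    """Build a response echoing the question with RCODE=3 (NXDOMAIN)."""
    flags = 0x8183  # QR=1, RD=1, RA=1, RCODE=3
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + raw_question


def handle_query(packet, blocked=BLOCKED_DOMAINS):
    """Return an NXDOMAIN response for blocked names; None means forward upstream as normal."""
    parsed = parse_question(packet)
    if parsed is None:
        return None  # malformed: let the real resolver deal with it
    qid, qname, _qtype, raw_question = parsed
    if is_blocked(qname, blocked):
        return nxdomain_response(qid, raw_question)
    return None


if __name__ == "__main__":
    for name in ("www.facebook.com", "facebook.com", "www.nab.com.au"):
        resp = handle_query(build_query(name))
        verdict = "NXDOMAIN" if resp is not None else "forward"
        print(f"{name:20s} -> {verdict}")
```

    Everything here is a pure function over bytes, so the same `handle_query` can sit behind a UDP socket on a home router or be unit-tested offline. Note what it cannot do: a client configured with a different resolver, or one tunnelling DNS through a VPN, never sends it a packet, which is exactly the bypass the post points out.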
  8. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,230
    Location:
    Adelaide
    Couldn't you block DNS requests to any domain that isn't OpenDNS on the gateway?
     
  9. nimmers

    nimmers Member

    Joined:
    Dec 20, 2005
    Messages:
    1,176
    Location:
    Sydney
    There are a couple of ways to do it if you get yourself a little 800 series Cisco router. 877 or 887...

    Use the IPS capability or timed QoS policy with NBAR matching. The DNS way as mentioned above isn't very good. It's hard to stop users proxying out though since all the methods require you to match facebook in a regex.
     
    Last edited: May 16, 2011
  10. cbb1935

    cbb1935 Guest

    Tell your "Network Security Teacher" to at least get him/herself at least a TAFE degree before they start sprouting copious amounts of bullshit.

    It's called a proxy server. Setup the proxy, and block facebook on that. Should work a treat (including HTTPS).

    If it still gets through disable outgoing Port 443 access and that will allow SSL sites but screw up on https facebook as it appears to require bi-directional communication.

    In other words any web request HAS to go via Port 8080 or 8001 or whatever, before it can go to 80 or 443 related sites.

    Have done this at quite a number of client sites as it's one of the big questions we are always asked.

    Other solutions include using a content filtering device like the Astaro range, where they'll scan and do https filtering (so you apply a filter to https filtering re facebook), or use opendns configured correctly.

    There are a number of ways to do it.

    Heck even a $100 Netgear DG834 will have a reasonable crack. It's bypassable but every link in facebook requires the address manually typed in.
     
  11. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,375
    Location:
    Canberra
    errr mitch..... how about you get a TAFE degree.......

    there are a few ways to go about this, I CBF going into detail, just a proxy won't do shit considering the HTTP get request is within the encrypted stream.

    to use a proxy you need to terminate the SSL on it, to do this even remotely nicely you need to set up a CA, install the root on all the end points in question, make the proxy an intermediate and have it dynamically generate server certs based off DNS.

    IAC sometimes i wonder why we bother repeating ourselves
     
    Last edited: May 16, 2011
  12. cbb1935

    cbb1935 Guest

  13. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682

    Just trololol, more fun.


    But I found a bigip in a box today, no one knows who it's for.. Wanna borrow it op?
     
  14. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,375
    Location:
    Canberra
    sigh, filtering port 443 on IP is nothing hard, filtering on the URL of a SSL/TLS session requires ssl decrypt which requires your proxy to masquerade as the destination SSL server which requires a trust relationship between the dynamically generated server certs on the proxy and the client.

    edit:

    here is a SSL session setup please tell me what the destination is:

    Code:
    ...........M.
    f..S..e...C'.)..d..}...l.;8.M..*.<./.=.5...
    .'.....+.#.,.$...
    .@.2.j.8.......E..........
    ..
    nab.com.au..........
    ...............
    ..........................F.....M.].......)...C[..0.X..,....\ ..._FN!...e/...b..$.XXXXM.
    f.....5....]..Z..
    0...0..........Z.x..u..m.......0
    ..*.H..
    .....0..1.0...U....US1.0...U.
    ..VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://www.verisign.com/rpa (c)101604..U...-VeriSign Class 3 International Server CA - G30..
    110325000000Z.
    110630235959Z0..1.0...U....AU1.0...U....Victoria1.0...U....Melbourne1(0&..U.
    ..National Australia Bank Limited1.0...U....www.nab.com.au1.0...U....www.nab.com.au0..0
    ..*.H..
    .........0.......3O..D.V(G.9.A.fa.....x.L...:N.WRW}x8!..B.9w.o...%.2Sl..'..[.6wr.*...<.V.:...PRx.7....:.s..s!2..L*..T..[.P.R<s..j.p.....|.]s..<..........0...0...U....0.0...U........0A..U...:0806.4.2.0http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl0D..U. .=0;09..`.H...E....0*0(..+.........https://www.verisign.com/rpa0(..U.%.!0...`.H...B....+.........+.......0r..+........f0d0$..+.....0...http://ocsp.verisign.com0<..+.....0..0http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer0n..+........b0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif0
    ..*.H..
    ............b..{.6...f.......8X.e..7.\...)SaAEUDr..I|s.?.y.>.y......f$....5..10..f9...J.....qz..f....1."..j'.....-.......!...-...%.S@.....F...].N../M.3..NE..N.n..........t"C..T..|............@X-V.Qf.,...N.}..,)....:i.....{C;.3.kL.2.5Ej.(
    ..f.g..<...=.....H......?.E...-0..)0..........d.. .....-M-..~g0
    ..*.H..
    .....0..1.0...U....US1.0...U.
    ..VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50..
    100208000000Z.
    200207235959Z0..1.0...U....US1.0...U.
    ..VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://www.verisign.com/rpa (c)101604..U...-VeriSign Class 3 International Server CA - G30.."0
    ..*.H..
    ..........0..
    ........b.....A.Y......Q...R...A....(...y.'.... ..(DA....R.MN.....v..V...U *...q.T.o..........hq..).~.;....&T.f.....1$...l..~..K..B.DK_....0.=...b.sT.....R.:.F.;.V!..QO...9...?...}.M`.% ...i.+..C7..A.k..Jf.OJ..~4..h..9..L..HM.F.X!....M..Kb...M..Q.....j.*8..O.-E.........0...0...U.......0.......0p..U. .i0g0e..`.H...E....0V0(..+.........https://www.verisign.com/cps0*..+.......0...https://www.verisign.com/rpa0...U...........0m..+........a0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif04..U.%.-0+..+.........+.........`.H...B...
    `.H...E...04..+........(0&0$..+.....0...http://ocsp.verisign.com04..U...-0+0).'.%.#http://crl.verisign.com/pca3-g5.crl0(..U...!0...0.1.0...U....VeriSignMPKI-2-70...U........|."....._.).X..F..0...U.#..0.....e......0..C9...3130
    ..*.H..
    ..........q.}sRJ..M4+...F.IP.O./.p....!...O|7<.Fx.]xo..Z...X6..b.E`.!..B.w.U.C.Q.n.H.]L.D.>...3..
    ..N.D.Zl...S..C....fz.\b.....}.vP...k....q..@V|3zw.[..S.._.h..*.07y..%.M..W..n;3!.y...Y-Cd..f....F....o..I.[...)....3....L.^i.....wj.Yoy...U..!f.en.|....~?.........xC.....0...0..9.......%...0a..+...M|..0
    ..*.H..
    .....0_1.0...U....US1.0...U.
    ..VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0..
    061108000000Z.
    211107235959Z0..1.0...U....US1.0...U.
    ..VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50.."0
    ..*.H..
    ..........0..
    ......$..)z5.`...K;N.|.<E..+..)..W..d..'....1.]".*..B....U...K...~.W..C.fb.a.`
    ......b.=T..I.YT.&.+........3I.CcjRK...pQM..i{.p....t.{]KV....w....%....g............:......<....7........=..u.3...@.t$.!.....*R....I..cG.<i...G.+~O.......C.gs...~.?.s.3
    .]?4....S.%..........0...0...U.......0....01..U...*0(0&.$.". http://crl.verisign.com/pca3.crl0...U...........0=..U. .60402..U. .0*0(..+.........https://www.verisign.com/cps0...U........e......0..C9...3130m..+........a0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif04..+........(0&0$..+.....0...http://ocsp.verisign.com0>..U.%.705..+.........+.........+.........`.H...B...
    `.H...E...0
    ..*.H..
    .................Z.. .Y.b....N..Y....8.N.f......
    .m>J. .<..eT..D...,k>......c..^..*g..3.*..V.#....:.Y..E5..[.f.P..mW..x....W...K.....~.....@0..<0.....p.....)4.8.{....0
    ..*.H..
    .....0_1.0...U....US1.0...U.
    ..VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0..
    960129000000Z.
    280801235959Z0_1.0...U....US1.0...U.
    ..VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0..0
    ..*.H..
    .........0.......\Y..........@..W.jE@.....3......X.%.*.D.....x.......#}....cE.r'..L.uq.9.OB.u.
    ... o....#_p)6...... .S...=.}..$E3.v....qdLe..hE......0
    ..*.H..
    ..........L.+.,&.O......
    ....(.g./|..........l,.Q.s...S.N.&.v.W..^!......!X.i..D...D9.\....V......EL....=.2.......Q..b....}.r..6:k.N..d
    d...............V$..a..vIP.L..+.....Ho...I=H...}h....p......K....E.G.x..
    y>)iK+M...#..3...}.Eo9....IH.{.rMI.6e#..Wl....J.}|X...l..`..qJD..................0,._.D....sg........I...V.Z...x..]..|.x.HG.2...=........... .f.H.$w...."....,].lGA!<).!H.2uJ
     
    Last edited: May 16, 2011
  15. LostBenji

    LostBenji Member

    Joined:
    Oct 5, 2007
    Messages:
    6,077
    Location:
    Up a tower somewhere....
    I am with the OP about all the kiddies offering parenting advice...TOOLs

    I have a simple way of dealing with it:
    FB is banned Full Stop. I see too many customers who have kids hooked on it, failing grades and finding material not appropriate for public. FB like most other public social networking sites are just that, PUBLIC.
    As for other distractions while supposed to be doing homework, wireless turns off with either a schedule or the push of a button and if found to be doing things they shouldn't then ZERO internet, they study the same way a lot of us more seasoned did, with books and reading.

    The Suggestion of Qwerts was about the best if you have some older hardware laying around otherwise just remove the net and computers from their rooms.

    They are our kids living under our roofs by our rules, don't like it then they better start dealing with it fast.
     
  16. nimmers

    nimmers Member

    Joined:
    Dec 20, 2005
    Messages:
    1,176
    Location:
    Sydney
    Back to the OPs original problem....

    I don't think blocking just Facebook will really stop a teenager determined to procrastinate from procrastinating..

    Probably better off with a whitelist of study related sites only if that's possible.
     
  17. cbb1935

    cbb1935 Guest

    My understanding is that you don't need any more than the bit in bold though.

    If you have filtering setup to block www.nab.com.au, then even if you go https://www.nab.com.au, that information read above from the SSL session should be enough to enable the site to be blocked.

    I'm not technically really up on *why* that is the case.. packet filtering?, but I'm telling you that I've set up a number of devices at client sites to block facebook, and it does block https://www.facebook.com traffic as well, yet allows internet banking and the like to work.

    How it does it .. well I'm no CCNSP/CCNA/Security+ certified tech (yet) so I don't really know, but it does work!
     
  18. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,375
    Location:
    Canberra
    "just" poison the arp cache, on a properly protected network not as easy as it sounds, as you would know.

    it is pretty much the same thing except using an exploit, you still need to dynamically generate a leaf certificate to perform decode.

    yay i don't match slide 51 :D
     
  19. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,375
    Location:
    Canberra
    wrong.
    that is the certificate CN, OU, etc. you have no idea of the URL i could be going to www.goatsex.com.-hlk the server or a proxy could present a certificate with any CN it likes and you can't check the actual URL.
     
    Last edited: May 16, 2011
  20. OPM881

    OPM881 Member

    Joined:
    Apr 21, 2009
    Messages:
    1,652
    Location:
    Cairns
    Just to clarify, wasn't trying to give parenting advice, simply saying that a kid, if they want something enough, will get to it. I completely agree with blocking facebook, god knows how much time I wasted on it when I was at uni.

    My only advice is, try and meet the kids half way, like give them a certain amount of time a day where Facebook/whatever other things you block to stop distractions that they can access, so then they won't get teased at school (yes, facebook has gotten so part of kids' lives that some will tease other kids if they are not allowed to have facebook).
     
