Blocking FTP (outbound) access

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    267

    Blocking FTP (outbound) access

    We have one user who constantly downloads from a 'friends' site via FTP.
    (mainly mp3's). The problem is they have read the Acceptable Usage policy, but believe they are above the 'NO download' policy. (after all, it's a friend's site...what harm can that do?) I cannot block port 21 on the router as others download data from clients. I tried putting the IP address into their HOSTS file and redirecting to 127.0.0.1...but that doesn't seem to work. Any suggestions?

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Can you not create a firewall rule to block all traffic going to or coming from the "friends" site?

    Cheers:
    DjM

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    DjM has the right idea - what kind of firewall is in place on this network?
    - Maverick

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    it depends on what you are using to connect to the internet?

    Usually when I find a user "purposely" violating the acceptable use policy is I take the internet away from them.

    Then..after a couple of days when they realize it is not system wide...and just a problem with their account they have to come and talk to me...and ask me to help them fix it...I then give them the lecture...


    You could always try that...

    Works for me

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    You can't put an IP Address into the HOSTS file and redirect it to an IP Address... (Which is what you attempted)...

    The HOSTS file is nothing more than the simplest form of DNS. It's simple where the computer looks to find the name to ip relationship before heading out to the listed DNS Servers... It has to be a Name to IP Address relationship.

    Anyways I'd follow DjM's advice if possible or teach the user a lesson and cut off his FTP Access.. Does he need it for a legitimate purpose? If so kill all FTP outbound access from his IP Address. He'll come to you because he can't get his work done and then you can sit him down and talk to him about the violation of the AUP... I'd also point it out to the employee's manager and have him with you while you talk to the employee.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    I had the same problem on my home network, people would come over to play games or do work online, then next thing I know as soon as I go off to bed it's like they decide to see how much junk they can download.

    I use smoothwall at home and found this great link on setting up iptables.
    It should work for anything using iptables with very little alteration.

    http://martybugs.net/smoothwall/iptables.cgi

    I now block winmx, Morpheus, kazaa, icq, msn, aol, and ftp from certain ip addresses.
    What's a "START" button?
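The per-address iptables block that post #6 describes, as an added example that is not from the thread or from the linked martybugs.net page. It is a POSIX sh script for a Linux gateway such as Smoothwall: it validates the two addresses, then prints (rather than runs) the iptables commands that create a dedicated chain which logs and then rejects outbound FTP control connections from one internal client to one remote FTP server. Because the match is on destination address, it applies whether the user types a hostname or the bare IP. The addresses 192.168.1.50 and 203.0.113.7 and the chain name FTP_BLOCK are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate iptables rules that block outbound FTP (TCP/21)
# from one internal client to one remote server on a Linux gateway.
# Addresses and the chain name are constructed placeholders.

CHAIN="FTP_BLOCK"

# is_ipv4 ADDR: succeed only for four dot-separated octets in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ftp_block_rules CLIENT SERVER: print the iptables commands to stdout so an
# admin can review them before applying (e.g. sh -c "$(./script)").
ftp_block_rules() {
    client="$1"
    server="$2"
    if ! is_ipv4 "$client" || ! is_ipv4 "$server"; then
        echo "ftp_block_rules: expected two IPv4 addresses" >&2
        return 2
    fi
    # Dedicated chain: rate-limited LOG first, then REJECT with a TCP reset so
    # the FTP client fails immediately instead of hanging (as DROP would).
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    printf 'iptables -A %s -m limit --limit 3/min -j LOG --log-prefix "%s "\n' "$CHAIN" "$CHAIN"
    printf 'iptables -A %s -j REJECT --reject-with tcp-reset\n' "$CHAIN"
    # Insert at position 1 of FORWARD so it wins over any general ACCEPT rule
    # that lets the rest of the office reach client FTP sites on port 21.
    printf 'iptables -I FORWARD 1 -s %s -d %s -p tcp --dport 21 -j %s\n' \
        "$client" "$server" "$CHAIN"
}

# Stand-alone demo with the constructed addresses.
ftp_block_rules "192.168.1.50" "203.0.113.7"
```

The LOG rule makes each blocked attempt visible in syslog under the `FTP_BLOCK` prefix, which gives the admin a record to show the user (or the user's manager) rather than a silent failure. Restricting the match to the one client and one server leaves everyone else's FTP to legitimate client sites untouched, which is the constraint the original post sets out.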

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    Thanks (all) for the info.
    I realize the HOSTS file is a form of DNS but thought it was worth a try.

    Our router is a Linksys - and limited to either blocking internal IP's, or blocking ports globally.

    Can't cut off their internet access or they couldn't do their job.

    I've blocked 'Bit Torrent', 'Kazaa' etc. ports successfully (msn will use port 80 if available)

    Thanks for the help - i'll keep on trucking

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If the client is win2k or Xp you can enforce IPSec on the NIC for port 21 with Any other IP....

    That will screw him over and he'll never work it out....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    If you have access to the DNS server, redirect it there. He is totally stuck, but if he is smart he can use an external proxy. If you want to use the host file, boxes in active directory may ignore it. You have to select "Use LMHOST" in the network properties on the box. And get the syntax correct.

    Since your firewall sucks and doesn't allow specific ip blocking, can you get some filtering software? If not, fire his ass.

    Force IPsec on port 21 for the IP - lol, good one Tiger. Oh you could also block the FTP executable in local policy.

    //EDIT Like Spazz said, if you got smoothwall up you would have a lot of flex on your internet access options.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Road:

    The DNS server will work no better than the hosts file if the (L)user types:-

    ftp 123.123.123.123

    The DNS server becomes irrelevant and since it is a friend's FTP server the likelihood is that that's what he is doing.....

    Pretty sure blocking the ftp exe in the policy won't work either because ftp support is built into IExplore and he can't stop that.

    I do believe my IPSec solution is... er... "elegant".....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
