CentOS blocking P2P on OpenVPN
I've got several CentOS 5 LEBs on which I'm running OpenVPN. I have a bunch of users from many countries in the world who use these connections to ensure that their traffic won't be monitored by the government. Unfortunately, one of my users decided to torrent a copy of 'NCIS' on a US server and it resulted in a DMCA takedown.
I sent out the nasty-gram notice to my users about doing illegal things like that. But what other steps could I take to prevent this from happening again? Is there a simple way of blocking bittorrent? If I pushed OpenDNS back to the user for their DNS, would that stop this? Open source or commercial solutions are welcome.
Comments
I'm in the same boat. Looking for something like that.
The first thing is blocking access to trackers, but it's not that useful.
I've never liked OpenDNS as some of the categories their users put sites into don't really reflect what the site is actually about. I know some of the security sites that I monitor are labeled hacking and blocked but yet the commercial security sites, where they try to sell you subscriptions to view those same warnings are labeled as news and programming sites. Some hate sites are not labeled as such either.
And they seem to miss a lot of sites. For example @mrm2005's trackers up there. I know I can't view the torrent site I use but the trackers are wide open and resolve without issue. Needless to say, I'm not going to point that out to them.
Unfortunately there's really not anything at the same level and that's probably going to be your only choice.
Ignore this, stupid me skimming the post again.
OpenDNS is used by a few people to control torrent access (like our old Portland datacenter - morons). It works OK but unless you find some way to force the users to do DNS lookups through your VPN (not really possible I don't think?) then you're kinda hosed.
I mean, OpenVPN should be routing DNS lookups through the VPN to another spot. It would be possible to just filter port 53 and run your own local caching servers. This is a jimmy rig of a solution but yea...
Francisco
Take a look at l7-filter
http://l7-filter.sourceforge.net/
http://l7-filter.sourceforge.net/protocols
or OpenDPI http://www.opendpi.org/opendpi.org/index.html
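The two server-side suggestions above (a local caching resolver with port 53 filtered on the VPN, and protocol-based blocking) written out as rules. This is an added example of mine, not code from the thread or from the l7-filter/OpenDPI projects. In place of l7-filter, which needs a patched kernel, it uses the netfilter string match (xt_string, in mainline since 2.6.14), which catches only the plaintext BitTorrent handshake, HTTP tracker announces and DHT queries; peers using protocol encryption still get through, so treat it as damage limitation. The interface name tun0, the subnet 10.8.0.0/24 and the resolver address 10.8.0.1 are my assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (mine, not the thread's): server-side controls for an OpenVPN box.
# Assumed names (not in the thread): tun0 is the VPN interface, 10.8.0.0/24 the
# VPN subnet, 10.8.0.1 the server's VPN address where a local caching resolver
# (dnsmasq, unbound, BIND) listens on port 53. Override via environment variables.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_DNS=${VPN_DNS:-10.8.0.1}
IPT=${IPT:-iptables}

# OpenVPN server.conf directives: route all client traffic through the tunnel and
# hand the VPN resolver to clients. Windows clients apply dhcp-option natively;
# Linux clients need an up script (e.g. update-resolv-conf) to act on it.
openvpn_push_lines() {
    printf 'push "redirect-gateway def1"\n'
    printf 'push "dhcp-option DNS %s"\n' "$VPN_DNS"
}

# iptables commands, one per line, so they can be reviewed before being applied.
firewall_rules() {
    # 1. Whatever resolver a client configured, its queries land on the local one,
    #    so a client cannot bypass the resolver by pointing at a public DNS server.
    echo "$IPT -t nat -A PREROUTING -i $VPN_IF -p udp --dport 53 -j DNAT --to-destination $VPN_DNS:53"
    echo "$IPT -t nat -A PREROUTING -i $VPN_IF -p tcp --dport 53 -j DNAT --to-destination $VPN_DNS:53"
    echo "$IPT -A INPUT -i $VPN_IF -p udp --dport 53 -j ACCEPT"
    echo "$IPT -A INPUT -i $VPN_IF -p tcp --dport 53 -j ACCEPT"
    # 2. Log (rate-limited) and drop plaintext BitTorrent leaving the VPN subnet:
    #    the peer handshake, an HTTP tracker announce, and DHT queries (get_peers,
    #    find_node). Encrypted peer connections (MSE/PE) are not matched.
    for needle in 'BitTorrent protocol' 'info_hash=' 'd1:ad2:id20:'; do
        echo "$IPT -A FORWARD -i $VPN_IF -s $VPN_NET -m string --algo bm --string '$needle' -m limit --limit 5/min -j LOG --log-prefix 'VPN-BT '"
        echo "$IPT -A FORWARD -i $VPN_IF -s $VPN_NET -m string --algo bm --string '$needle' -j DROP"
    done
}

# Apply the rules; refuses to run unprivileged instead of failing half way.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    firewall_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     openvpn_push_lines; firewall_rules ;;
esac
```

Run it without arguments to print the OpenVPN directives and the rule list for review, and with `apply` as root to load the rules. The DNAT rule is what makes the caching resolver enforceable: pushing DNS to clients is advisory, redirecting port 53 is not. Watch the `VPN-BT` log prefix for a while before relying on the DROP rules, since `info_hash=` will also match any non-torrent URL that happens to carry that parameter.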
By the way, if anyone knows how to tell a Xandros-based laptop how to use a specific set of DNS servers instead of what's being provided to it by DHCP, I'd love to know it. All the fixes that I've come across assume that you're only on a single wireless network instead of the 20 or so that I wind up using during the week.
Doesn't it help to simply specify the servers in the resolv.conf? As Xandros is based on Debian...
Yup, tried it. Changes got overridden on the next boot. And yes, I checked to see if they had been saved.
@drmike - that's because of DHCP.
One solution is to do something like
chattr +i /etc/resolv.conf
as root
You'll need to remember to -i it whenever you want to modify it though.
Francisco
Think I tried that. I know I tried file ownership....
chattr is different :P
dhclient will run as root, but it won't be smart enough to remove a chattr
Francisco
Gives me this error:
chattr: Inappropriate ioctl for device while reading flags on /etc/resolv.conf
Googling for that error gives me a whole lot of broken links, 404s and a couple of "You must be typing it wrong."
edit: If wanderingwifi would just fix their network....
are you root?
You might need to sudo.
Francisco
Yes, I'm at root. Got the blue and red text instead of the normal green text.
edit: And if I didn't need to deal with 22 different wireless networks....
Welp, what I recommend is checking if /etc/resolv.conf is a symlink elsewhere or not. I'm not sure if you can chattr a symlink.
Other than that, I'm not sure, 'doc.
Francisco
Yup, it's symlinked down to /etc/resolvconf/run/resolv.conf. Tried that as well.
You chattr'd that file?
Francisco
Yup, same error.
edit: I did a temporary workaround and stuck the IP addresses of some of the sites in hosts to get around the OpenDNS lookup. Not a real solution but it'll get me a bit further.
It is possible to override the DNS servers that dhclient gets.
I have something like this in /etc/dhclient.conf
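The dhclient.conf snippet that post refers to is not on this page. What follows is an added example of mine, not that poster's configuration, and it pulls together the client-side fixes discussed in this thread: a `supersede domain-name-servers` line for ISC dhclient (the durable fix, since dhclient rewrites resolv.conf on every lease and will happily rewrite it on all 22 networks), resolving the resolv.conf symlink before running chattr, and treating a chattr failure as expected rather than fatal, because "Inappropriate ioctl for device" is what chattr returns on a filesystem with no attribute support (tmpfs, for instance, which is where resolvconf typically keeps its generated file). The server addresses 192.0.2.53 and 192.0.2.54 are documentation placeholders, and /etc/dhclient.conf is the path from the thread; Debian-derived systems often use /etc/dhcp3/dhclient.conf or /etc/dhcp/dhclient.conf instead.

```shell
#!/bin/sh
# Added example (mine, not the thread's): pin a laptop's resolvers regardless of
# what DHCP hands out. Assumptions (mine): placeholder resolver addresses from the
# documentation range, dhclient.conf at the path named in the thread, and a
# resolv.conf that may be a symlink to a generated file.
DNS_SERVERS=${DNS_SERVERS:-"192.0.2.53, 192.0.2.54"}
DHCLIENT_CONF=${DHCLIENT_CONF:-/etc/dhclient.conf}
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# The dhclient.conf directive that replaces the DHCP-supplied nameservers with
# fixed ones. dhclient then writes these into resolv.conf itself on every lease,
# so no file needs to be protected from it.
dhclient_supersede_line() {
    printf 'supersede domain-name-servers %s;\n' "$DNS_SERVERS"
}

# Append the supersede line once; re-running is a no-op.
install_supersede() {
    conf=$1
    if [ -f "$conf" ] && grep -q '^supersede domain-name-servers' "$conf"; then
        echo "already pinned in $conf"
        return 0
    fi
    dhclient_supersede_line >> "$conf"
    echo "pinned resolvers in $conf"
}

# Follow symlinks so the fallback acts on the real file, not on the link.
real_resolv_path() {
    readlink -f "$1"
}

# Fallback from the thread: make resolv.conf immutable. Reported, not fatal,
# because chattr only works on filesystems that support attributes; on tmpfs
# (where resolvconf keeps its generated file) it fails with
# "Inappropriate ioctl for device", which is the error seen in the thread.
make_immutable() {
    target=$(real_resolv_path "$1")
    if chattr +i "$target" 2>/dev/null; then
        echo "immutable: $target (use chattr -i before editing it)"
        return 0
    fi
    echo "chattr failed on $target: no attribute support on this filesystem" >&2
    return 1
}

case "${1:-show}" in
    pin)
        install_supersede "$DHCLIENT_CONF"
        make_immutable "$RESOLV_CONF" || echo "relying on supersede alone" >&2
        ;;
    *)
        echo "would add to $DHCLIENT_CONF:"
        dhclient_supersede_line
        echo "resolv.conf resolves to: $(real_resolv_path "$RESOLV_CONF")"
        ;;
esac
```

Without arguments the script only reports what it would do; `pin` (as root) appends the supersede line and attempts the immutable flag. The supersede line is the part that matters: it survives reboots and network changes because dhclient applies it on every lease, which is exactly the situation the hosts-file workaround above was standing in for.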