Securing Instant Messengers

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Contents

  1. Securing Instant Messengers
    1. Outline
    2. Applications
  2. AOL Instant Messenger (AIM)
    1. Details
    2. Squid Configuration File
  3. AOL
    1. Squid Configuration File
  4. Gizmo Project (Pidgeon IM, Fring, Taler, ICQ, IRC, AOL)
    1. Squid Configuration File
  5. ICQ ("I Seek You")
    1. Squid Configuration File
  6. MSN Messenger and Windows Live Messenger
    1. Details
    2. Squid Configuration File
  7. Skype Access Controls
    1. Squid Configuration File
      1. Blocking
      2. Permitting
  8. Trillian
    1. Squid Configuration File
  9. Yahoo! Messenger
    1. Squid Configuration File

Outline

Administrators often need to permit or block the use of IM (Instant Messengers) within Enterprises. While most use proprietary protocols and do not enter the Squid proxy at all, some have a port-80 failover mode, or may be explicitly configured to use a non-transparent proxy.

Applications

AOL Instant Messenger (AIM)

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Details

AIM natively uses TCP port 5190 and bypasses the Squid proxy. When configured to use an explicit proxy, it will use CONNECT tunneling to go through squid.

Squid Configuration File

# Permit AOL Instant Messenger to connect to the OSCAR service
acl AIM_ports port 5190 443

acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com

acl AIM_nets dst 64.12.0.0/16 205.188.0.0/16

http_access allow CONNECT AIM_ports AIM_nets
http_access allow CONNECT AIM_ports AIM_domains

AOL

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Squid Configuration File

Configuration file to Include:

  • /!\ AOL are known to change their Server IPs. The list below cannot be confirmed. 

# AOL

acl aol dst 64.12.200.89/32 64.12.161.153/32 64.12.161.185/32
acl aol dst 205.188.153.121/32 205.188.179.233/32

http_access deny aol

Gizmo Project (Pidgeon IM, Fring, Taler, ICQ, IRC, AOL)

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Gizmo Project include software to connect to a wide range of messaging protocols and VoIP services. This config does not include settings to block those IM which are not Gizmo Project provided services.

see Also:

If you know of other IM services available through Gizmo software please inform us.

Squid Configuration File

Configuration file to Include: 

# Gizmo Project
acl gizmo dstdomain .gizmoproject.com

# Gizmo VoIP
acl gizmo dstdomain .talqer.com .gizmocall.com .fring.com

# Gizmo Chat
acl gizmo dstdomain .pidgin.im

http_access deny gizmo

ICQ ("I Seek You")

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Squid Configuration File

Configuration file to Include: 

# ICQ
acl icq dstdomain .icq.com

http_access deny icq

MSN Messenger and Windows Live Messenger

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Details

Natively uses port 1863 and bypasses the Squid proxy. But when that has been locked down by the firewall admin it will failover to port 80 and enter Squid.

/!\

Microsoft This is only confirmed to work with MSN Messenger and Windows Live Messenger if there is any other parts to the formal name its maybe another program completely with different access needs.

Squid Configuration File

Configuration file to Include: 

# MSN Messenger

acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger

http_access deny msnd
http_access deny msn
http_access deny msn1

Skype Access Controls

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Squid Configuration File

Configuration file to Include:

  • /!\ Since FTP uses numeric IPs the Skype ACL must be exact including the port.

Blocking

# Skype

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^

http_access deny numeric_IPS
http_access deny Skype_UA

  • /!\ Recent releases of Skype have been evading the above restriction by not sending their User-Agent headers and using domain names. The following can be used to catch those installs, but be aware it will likely also catch other agents. 

acl validUserAgent browser \S+
http_access deny !validUserAgent

Permitting

  • /!\ This needs to be done before any restrictive CONNECT http_access controls. 

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype^

http_access allow CONNECT localnet numeric_IPS Skype_UA

  • {i} Note that Skype prefers the port 443 which is by default enabled in Squid anyway so this configuration is only needed when you block HTTPS access through the proxy.

If you limit HTTPS access to known sites only, then permitting Skype will break that policy.

Trillian

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Squid Configuration File

Configuration file to Include:

  • /!\ Trillian may change their Server IPs. If you know of others please inform us. 

# Trillian

acl trillian dst 66.216.70.167/32

http_access deny trillian

Yahoo! Messenger

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Squid Configuration File

Configuration file to Include: 

# Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com

acl ymregex url_regex yupdater.yim ymsgr myspaceim

# Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com

http_access deny ym
http_access deny ymregex

CategoryConfigExample

ConfigExamples/Chat (last edited 2009-04-24 00:58:58 by Amos Jeffries)