Blocking Psiphon, Ultrasurf, etc.

Hi Guys,

Good day!

If you are having a problem blocking these kinds of applications, do not doubt that the application filtering of Sophos XG is working, and do not even try to block it on IPS (Custom IPS). It's a matter of adjustments in the Console. See the steps below:

1. Log in as a Super administrator (username: admin).
2. Go to the admin drop-down options and choose CONSOLE.
3. As usual, you have to log in again.
4. Choose option 4, which is Device Console.
5. Type this command: "show ips-settings". maxpkts should be at the default value = 8, and you have to change the value to 70.
6. Run this command: "set ips maxpkts 70".
7. Run "show ips-settings" again to double-check.
8. Then test again whether these applications are blocked already.

Warm Regards,

Deo Angelo Lim

  • Firstly, I would like to thank you, but the bad news is that Psiphon is still working after I set maxpkts to 70 as you explained. What else can I do to block this app permanently?

  • It's still working, no way.

  • In reply to nader alaa:

    First of all you need to determine if it is actually psiphon or a misclassified application. Some of the Apple communications get classified as psiphon on my XG.

    Ian

    edit- fixed stupid spellchecker error

  • In reply to rfcat_vk:

    Exactly... a lot of genuine websites are being classified under Psiphon, Ultrasurf, Thunder VPN, etc.

    I would download psiphon proxy executable on a test network and check the logs.

  • No way. I tried to block Psiphon with many solutions, but every time Psiphon is still working; Sophos couldn't block this backdoor tool until now.

    This is a serious matter and this application must be stopped permanently.

  • In reply to Sherif Hamed:

    If you can download psiphon executable that means your firewall rules and policies are not correct. Attempts to download psiphon should be blocked by the web proxy.

    Ian

  • In reply to rfcat_vk:

    Hi,

    What if I download the app at home?

  • In reply to GonFreecs:

    And then trying to run it at school/work almost makes it a sackable action.

    I have not tried installing on a device then running it.

    Ian

    I can download and install but not run Ultrasurf and XPVPN because of security settings on my Mac. Probably should try on a W10 PC.

    Ian

  • In reply to rfcat_vk:

    Hi,

    Right now, I still can't block this app.

    Changed the maxpkts, enabled HTTPS scanning, blocked it in app control, and I even only allow HTTP/S outgoing, but SAD.

    TIA

  • In reply to GonFreecs:

    Hi GonFreecs,

    We have created a KBA for this issue; please refer to

    https://sophos.com/kb/132436

    CLI settings

    1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
    2. Verify the current configuration by issuing the following commands.
      show advanced-firewall
      show ips-settings
    3. Issue the following commands for the recommended settings.
      set advanced-firewall midstream-connection-pickup off
      set ips maxsesbytes-settings update 0
      set ips maxpkts 80
      set ips packet-streaming on

    GUI settings

    Application filter policy settings

    Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In the case of CROS, Micro App should be enabled in the application filter policy.

    • DNS Multiple QNAME
    • OpenVPN
    • QUIC

    Firewall rule settings

    The same application filter policy (as configured above) must be applied to the DNS firewall rule as well, if there is any.

    For Psiphon Proxy

    1. HTTPS scanning needs to be enabled in the firewall rule
    2. A web filter policy with the categories below denied must be applied to the firewall rule
      1. IPAddress
      2. None
      3. Parked Domains
      4. Spam URLs (Available only in XG)
      5. Anonymizers
      6. Spyware & Malware
    3. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
    4. Allow only essential services (HTTPS, HTTP, DNS, ICMP, SMTP, etc.) on LAN→WAN if Psiphon still connects even after following the above 3 steps.
    5. Block the Non-SSL/TLS traffic on port 443 application in the application filter policy.
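    One way to do the final "test again" check from the log side, as an added example that is not from this thread or from Sophos: it summarises application-control events per LAN host so you can see whether the app is still being allowed, whether the hit came through a rule with no app filter policy (the DNS-rule case above), and which hosts look like misclassification candidates rather than a real Psiphon client. The key names (log_type, status, appfilter_policy_id, application, src_ip, dst_ip, protocol, dst_port) are assumed from the SFOS key="value" syslog layout and may differ by version; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Applications the thread is trying to block; names assumed to match the
# XG application-control catalogue.
WATCHED_APPS = {"Psiphon", "Ultrasurf", "Thunder VPN", "OpenVPN", "QUIC"}

# Constructed sample lines in the key="value" syslog layout (not real output).
SAMPLE_LOGS = """\
device="SFW" log_type="Firewall" status="Allow" fw_rule_id=3 appfilter_policy_id=0 application="Psiphon" application_category="Proxy and Tunnel" src_ip=10.0.0.21 dst_ip=192.0.2.5 protocol="TCP" dst_port=443
device="SFW" log_type="Firewall" status="Deny" fw_rule_id=3 appfilter_policy_id=2 application="Psiphon" application_category="Proxy and Tunnel" src_ip=10.0.0.42 dst_ip=203.0.113.9 protocol="TCP" dst_port=443
device="SFW" log_type="Firewall" status="Allow" fw_rule_id=5 appfilter_policy_id=0 application="Psiphon" application_category="Proxy and Tunnel" src_ip=10.0.0.42 dst_ip=198.51.100.7 protocol="UDP" dst_port=53
device="SFW" log_type="Firewall" status="Allow" fw_rule_id=3 appfilter_policy_id=2 application="HTTPS" application_category="General Internet" src_ip=10.0.0.42 dst_ip=198.51.100.8 protocol="TCP" dst_port=443
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value / key="value" syslog line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarise(log_text):
    """Per source host: watched-app flows by verdict, destinations seen, and
    how many hits came through a firewall rule with no app filter policy."""
    hosts = defaultdict(lambda: {"Allow": 0, "Deny": 0, "no_appfilter": 0, "dst": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "Firewall" or rec.get("application") not in WATCHED_APPS:
            continue
        h = hosts[rec["src_ip"]]
        h["Deny" if rec.get("status") == "Deny" else "Allow"] += 1
        h["dst"].add((rec.get("dst_ip"), rec.get("protocol"), rec.get("dst_port")))
        # appfilter_policy_id=0 (assumed encoding): the matching rule has no app
        # filter policy, e.g. a DNS rule that was left out of the policy above.
        if rec.get("appfilter_policy_id", "0") == "0":
            h["no_appfilter"] += 1
    return hosts


def needs_review(hosts):
    """Hosts where a watched app was still allowed; few fixed vendor IPs suggest
    misclassification, many varied 443/53 destinations suggest a real client."""
    return sorted(ip for ip, h in hosts.items() if h["Allow"] > 0)


if __name__ == "__main__":
    hosts = summarise(SAMPLE_LOGS)
    for ip in needs_review(hosts):
        h = hosts[ip]
        print(ip, "allow=%d deny=%d no_appfilter=%d" % (h["Allow"], h["Deny"], h["no_appfilter"]), sorted(h["dst"]))
```

    Feed it a real syslog export from the XG and compare the hosts it lists against the test machine you actually ran Psiphon on; a host that never ran it but still shows up is the misclassification case Ian describes.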
  • In reply to Aditya Patel:

    Still needs HTTPS scanning.

  • In reply to rfcat_vk:

    There are several ways to download the application. What we need to address here is how Sophos XG can block the application itself.

  • In reply to Deo Angelo Lim:

    Any development on this? My XG on SFOS 17.5.3 MR-3 still cannot block Psiphon with the application filter.

    Regards

    Nirmal

  • I am blocking Psiphon Proxy with the setup below. And you must use HTTPS decryption for active scanning and blocking of web/apps. Nearly 80% of services run on HTTPS.

    Source Zone Lan

    Destination Zone WAN

    Source Service - Any

    Destination Service DNS,FTP,HTTP,HTTPS,IMAP,SMTP(S),POP3,SMTP,ICMP (if you want)

    Scan Options
    SCAN HTTP
    SCAN HTTPS
    BLOCK GOOGLE QUIC
    SCAN FTP

    Web Filter
    None - Warn
    Uncategorized - Warn
    Anonymizers - Block
    IPAddress - Block
    Peer-to-peer & torrents - Block
    Radio & Audio Hosting - Block
    Sex Education - Block
    Sexually Explicit - Block
    Spam URLs - Block
    Spyware & Malware - Block
    Unauthorized Software Stores - Block
    Video hosting - Block

    App Filter
    HTTP Tunnel Proxy - Deny
    SSH - Deny
    DNS - Deny
    Proxy and Tunnel - Deny

  • Has anybody tried creating an IPS signature for Psiphon? Were you successful if you have attempted it? Any insights are much appreciated.

    Thanks