At present no reliable way to block Tor Browser?

Hi,

I  have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one the Sophos Devs about tuning the IPS settings to assist with blocking tor.

Ian

I removed my web block and installed tor browser on my MBP running Mojave latest version.

I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

I have application and web policies using standard XG supplied lists.

Ian

Hi,

Tor Browser version 9.0.5 couldn't be blocked anymore with my Sophos XG85 (latest firmware).

Does anyone experience this, too?

Hi Sacha,

Do you happen to have a license for Sophos Central Endpoint Protection?  Synchronized Application Control should detect Tor Browser and keep detecting it as it requests information on uncategorized traffic and ties to to an application running on the endpoint.

https://community.sophos.com/kb/en-us/127565

Hi,

firstly, I tried to download load the test version and was blocked by the XG (V18).

What functions do you have enabled eg web proxy, block anonymises policy, https scanning etc?

Ian

Sacha,

you need to provide more information about your configuration, such as:

• http and https scanning
• IPS filter
• web filtering
• App filtering

Thanks

• https and https scanning is enabled, invalid or unknown certificates are blocked
• web filtering is enabled: proxy & tunnel category
• app filter: "filter avoidance apps" that include tor proxy, tor vpn etc. as well as "DNS Multiple QNAME, OpenVPN, QUIC, and Non-SSL/TLS traffic on port 443".
• ips settings: I didn't edit anything here

Sascha,

Please read and follow these instructions:

Regards

This KBA I already followed and implemented last year (rfcat_vk mentioned that kba on 25 May 2019 in this thread). After implementing it, Tor Browser was blocked successfully. But now it isn't blocked anymore. Checked settings in cli and re-implemented the kba, but without success.

I've been fiddling with this today. I'm also not able to prevent theTOR browser to start for 100%.
Sometimes it doesn't start sometimes it does.

What I was able to accomplish is to disable browsing from a TOR Browser session.
If you're interested please let me know.

Grtz, Peter-Paul

Yes, I am very interested in the way you disabled browser sessions.

Did you alter the settings mentioned here for better application detection?

First i created a new service (Hosts and services -> Services), like this:

(not sure if the UDP entries are necessary, added them just in case)

Then i added a new FW rule:

Finally i made sure no one is able to download the TOR Browser, so i added 'torproject.org' to URL group [Local TLS deny list] (Web -> URL groups)

The result (for me) is that the TOR Browser does start (most of the times) but browsing is not possible. I've tested with:
- "Check our Tor Browser Manual" on the opening tab of TOR Browser
- google.com
- nu.nl
- ibm.com
- sophos.com

(Also tested on an Android phone as well on an iPhone, both succesfull)

I'm interested to hear about your findings, succes.

Grtz, Peter-Paul

First i created a new service (Hosts and services -> Services), like this:

(not sure if the UDP entries are necessary, added them just in case)

Then i added a new FW rule:

Finally i made sure no one is able to download the TOR Browser, so i added 'torproject.org' to URL group [Local TLS deny list] (Web -> URL groups)

The result (for me) is that the TOR Browser does start (most of the times) but browsing is not possible. I've tested with:
- "Check our Tor Browser Manual" on the opening tab of TOR Browser
- google.com
- nu.nl
- ibm.com
- sophos.com

(Also tested on an Android phone as well on an iPhone, both succesfull)

I'm interested to hear about your findings, succes.

Grtz, Peter-Paul

Thank you,

I followed your suggestions, but tor is able to connect the internet.

Maybe I missed something: are the suggested changes all you did or did you something before (like application detection etc.)?

Here are my rules:

Honestly, I seriously doubt dropping some TCP/UDP ports is enough to stop tor. It is designed to work around obstacles, you have to use application signatures etc.

Best regards

Sacha

Sorry, forgot to mention two things:
1. i did alter the settings mentioned here for better application detection?

2. i added something to my default web policy (Web -> Policies):

Grtz, Peter-Paul

Hi Sacha Roland 

You have "any service" selected on your rules.  As you have stated TOR is designed to work around proxies and firewalls such as the XG.

We have to make it harder for them to do so.  As TOR is updated more frequently, we are only able to create signatures based on the files seen in the wild.  The TOR user/dev community will not give us the file before they release it so that we can have signatures created beforehand.  

So in order to make it harder for TOR to be blocked, you have to limit ports outbound.  For DNS outbound, limit to port and DNS providers.

There are a lot of posts on here about Psiphon being blocked.  Search for them to see what else has been done to limit that application.

You should also increase the maximum amount of packets that get scanned before IPS makes a decision on what type of traffic it is.  You can do this by going to the "Console" and running command: set ips maxpkts 100

Ensure that the following settings have been set on the web proxy:

Block PUAs

Enable pharming protection

Block invalid certificates

Block unrecognized protocols

The above settings are in addition to limiting outbound ports/services and locking down any other rules with "any service" to a specific IP.

Let us know how it goes.

Thanks!

Thank you for your in-depth information. But I didn't get what I'll have to do with my "any service" settings. I am not familiar enough with the general concept. What do I have to do specifically? (Is there a how-to?)

Hi,

you replace "ANY Service" with specific services eg https, http in the proxy rules. SMTP/s and IMAP/s and POP/s in the  mail rules with specific destinations.

Where you can you change ANY destination to specific destinations which I know is not practical for general internet access.

Ian

Thank you. I got the concept now and narrowed down outbound connections to specific Protokolls and IPs. Now Tor Browser is blocked.

It could be as easy as in any other firewall where you can feed the firewall with custom IP block list.

Then you take one of the multiple list available and that's all, TOR is completely blocked.

https://www.dan.me.uk/tornodes

https://check.torproject.org/torbulkexitlist

The problem is that Sophos XG lack of features that are commonly available in other firewalls.

Still can't even match what UTM is able to do, what a bad choice to pick Cyberoam over Astaro, 9 years later, Astaro UTM is still better.

I was celebrating too soon: in order to get Skype personal working with high quality, I had to open some ranges of UDP and TCP ports (Ports for Skype) because after one week of configuration attemps (How to free skype with SFOS) I couldn't get Skype calls working in combination with SSL decryption. For me, it seems that the XG is pretty useless if you have to block Tor Browser traffic in a reliable way while keeping Skype et al. functional: there's no way to skip SSL decryption based on application, nor there's a way to update tor exit nodes by an external database/list on a regulary basis as l0rdraiden suggested. I am frustrated having invested so much time in a hopeless endeavour. I am missing something?

You could simply import the list of the TOR Exit IPs as a Host IP List and block them in the Firewall. That would be a static process. 

There could be a automated process in pulling those IPs and converting them into XG via XML API. Or you simply copy paste them into Notepad, replace all /r /d with , and put them into the Webadmin. 

Hi Sacha Roland,

please advise which ports you used to provide Skype access. I would like to try and replicate your issue hopefully with a fix.

Ian