Blocking utorrent


Stiflerz


Hello. I need help. I'm one of the system administrators in a large company. We are going to add a lot more people under our control, and we are concerned about uTorrent downloads... If in our local place we can try to control uTorrent (and other torrent) usage, then when we become bigger we won't be able to do that.

All network traffic will come through our servers, so we need to block as much torrent usage as possible.

We cannot just block most of the ports, as this can make some of our systems stop functioning. We have made restrictions so that uTorrent and other programs cannot be launched from user computers, but if they just rename the program -> everything works...

So is there any "weak spot" for blocking this program? We don't want to do some mass blocking; we just want to block most of the usage.

I understand that the incoming traffic port is randomizable; what about outgoing traffic? What ports does it use?


This makes no sense. I dunno your setup, but ordinary users have the power to rename executables? What security restrictions are those? Furthermore, while you may have a hard time locking down uTorrent's ephemeral port range, outgoing connectivity is useless to uTorrent w/o the ability to receive peer instructions on its service port. This port can be randomized in theory, as you acknowledge. In practice, however, the presence of firewalls frustrates that. (And I'd like to think that your users have no control over their firewalls?!?) If you locked down all incoming connections other than for the well-known services your company supports, then users MAY still be able to use uTorrent, but only by configuring it to recycle one of your supported ports (e.g. email), which in turn means that this supported service will not be available to them during that time. In practice, p2p life becomes so painful that people will shift the activity to their home computers. Where it belongs, frankly. If you allow p2p within your company, then you have far greater problems than bandwidth utilization...


I understand that the incoming traffic port is randomizable; what about outgoing traffic? What ports does it use?

Ephemeral ports. Like any other application making outgoing connections, it isn't particularly invested in them.

How does my answer make no sense? If the firewall is blocking ephemeral ports from being used for outgoing connections, then that firewall is made of fail.


Oh. Fair enough. My reading comprehension "skills" (or lack thereof) break sometimes :P

If you allow p2p within your company, then you have far greater problems than bandwidth utilization...

This I do tend to agree with. If you're going to allow it, then it's all or nothing. You'd be better off just making it company policy that P2P is disallowed, and warning employees when you detect that they are breaking that rule. Unless you feel like investing time and money into implementing some Sandvine-like system across your network.


No company can allow p2p to take place on its network. Just consider inter alia the legal and IT implications. It's a complete no-go. This should be totally obvious to any employee who just pauses to think for one second (before he pirates the latest Hollywood blockbuster in the company's name). It's not a question of giving a warning when such activity is detected - it's a sackable offense. Cut and dry. My $.02...


:)) I really want to see what kind of job these people are doing on computers where ALL is disabled... :)) and anyway, my friend, even on such computers, even if the user is a poor Guest, you can re-enable all :)) hundreds of tools FREE on the internet.. :)) so, good luck my poor system admin! :))

You can have as many tools as you like. So long as your company computer is locked down properly (i.e. Win XP or higher, no admin privileges, locked BIOS), the average employee is not going to get in. Then make any violation of company IT policy a sackable offense, and you have put a big enough stick in place to skew the risk/reward calculation of those remaining employees who may have the smarts to engage in activities that are a genuine threat to the integrity of any corporation (*). There is no good reason whatsoever why an employee should have to use company resources for file sharing activity - all the while their personal computer is sitting idle at home.

(*) These few employees should of course also have the smarts to understand that the risks to their employer from such activities are genuine and intolerable.


I mark your words. All good points, as regards your PERSONAL computer. But not your employer's. Anyway, it is a poor sysadmin who hands out laptops to employees which aren't fully locked down.

PS: Am I the only one with the queer feeling (from the questions asked by both around the same time) that crysis2 and Stiflerz may be working for the same employer, and against each other?? :)


:)) maybe yes maybe no.. :))

But I don't know where you live; in the country where I live there are serious legal concerns about PRIVACY..

I repair computers of all kinds every day, and from what I see every day there is enough to send a lot of respectable private and PUBLIC companies to court...

Just check this out: on your computer is installed software which logs everything you do and with which the admin can remotely SEE what you are doing in real time.. but you just don't know it, as the PC is locked down enough not to raise any suspicion in you... do you like it?

Check this other one: working with computers is not like hitting with a hammer, right? You are used to doing your job at 100% with your tools and ways.. but your work PC is locked down enough to block your usual way of working... are you going to adapt?

Even more, everybody does his own job with some tricks and secrets that make his work very good quality.. are you going to open your secrets to your admin just to let him unlock your PC "a bit more"?

I think nobody can have all they want in life, neither me nor any sysadmin.. there are limits.. and the slave age ended some thousands of years ago.. ;)


1 month later...

uTorrent doesn't use ports 6881-6999 in OR out by default. Blocking those ports would do almost nothing -- you won't be able to connect to the very few peers/seeds listening on those ports, but they may be able to connect to you on their ephemeral ports.


Well, I'm just theoretically exploring the limits of the possible here, so bear with me please. :)

So you're saying that leaving the common ports (1 - 1023) open doesn't do anything for uTorrent? I seem to remember being able to enter 443 manually as my uTorrent port and getting no complaint about it...

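The last two posts make the defender's point: uTorrent does not sit on a fixed port range, and a user can pin it to 443 or another "allowed" port, so a port-based block leaves most of the traffic untouched. What does survive port changes is the protocol itself. The following is an added example, not code from the thread or from uTorrent: a small Python classifier that inspects the first bytes of a TCP payload for the BitTorrent peer-wire handshake (a length byte 0x13 followed by the literal string "BitTorrent protocol", then 8 reserved bytes and the 20-byte info_hash) and for HTTP tracker announce requests (a GET to an /announce path carrying an info_hash parameter). The Flow record, the sample payloads and the host names are constructed for the demonstration; the same logic could be fed from a packet capture or an IDS pipeline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Peer-wire handshake prefix: one length byte (19) plus the protocol string.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# Offset of the 20-byte info_hash: 1 (length) + 19 (string) + 8 (reserved).
BT_INFO_HASH_OFFSET = 1 + len(b"BitTorrent protocol") + 8

# HTTP tracker announce: "GET <path>/announce?...info_hash=..." anywhere in the query.
TRACKER_ANNOUNCE_RE = re.compile(rb"^GET [^ \r\n]*/announce\?[^ \r\n]*info_hash=", re.IGNORECASE)


@dataclass(frozen=True)
class Flow:
    """Constructed record for one TCP flow: endpoints, destination port, first payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a label for a BitTorrent payload, or None if it does not look like one.

    The decision ignores the port entirely, which is the point: a handshake sent
    to 443 is still a handshake.
    """
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent-handshake"
    if TRACKER_ANNOUNCE_RE.match(payload):
        return "bittorrent-tracker-announce"
    return None


def info_hash_from_handshake(payload: bytes) -> Optional[str]:
    """Extract the info_hash (hex) from a peer-wire handshake, or None if it is not one."""
    end = BT_INFO_HASH_OFFSET + 20
    if len(payload) < end or not payload.startswith(BT_HANDSHAKE_PREFIX):
        return None
    return payload[BT_INFO_HASH_OFFSET:end].hex()


def flag_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, label) for every flow whose payload classifies as BitTorrent."""
    hits = []
    for flow in flows:
        label = classify_payload(flow.payload)
        if label is not None:
            hits.append((flow.src, flow.dst, flow.dport, label))
    return hits


# Constructed sample traffic. The handshake is deliberately sent to port 443 to
# show that the classifier, unlike a port filter, still catches it.
CONSTRUCTED_INFO_HASH = bytes(range(20))
HANDSHAKE_ON_443 = (
    BT_HANDSHAKE_PREFIX
    + b"\x00" * 8                # reserved bytes
    + CONSTRUCTED_INFO_HASH      # info_hash
    + b"-EX0001-" + b"A" * 12    # peer_id (constructed)
)
TLS_CLIENT_HELLO_START = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"  # real HTTPS, first bytes
TRACKER_ANNOUNCE = (
    b"GET /announce?info_hash=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13"
    b"&peer_id=-EX0001-AAAAAAAAAAAA&port=51413 HTTP/1.1\r\n"
    b"Host: tracker.example\r\n\r\n"
)
PLAIN_HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

SAMPLE_FLOWS = [
    Flow("10.0.1.15", "203.0.113.7", 443, HANDSHAKE_ON_443),
    Flow("10.0.1.15", "203.0.113.9", 443, TLS_CLIENT_HELLO_START),
    Flow("10.0.1.22", "198.51.100.3", 80, TRACKER_ANNOUNCE),
    Flow("10.0.1.22", "10.0.0.5", 80, PLAIN_HTTP_GET),
]

if __name__ == "__main__":
    for src, dst, dport, label in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {label}")
```

Run stand-alone it reports the handshake on 443 and the tracker announce on 80, and stays silent on the genuine TLS and HTTP flows. The payload check is a first filter, not a verdict: encrypted peer connections (uTorrent's protocol encryption) and HTTPS trackers will not match it, so in practice the matches from a classifier like this are combined with flow-shape indicators (many short-lived connections to many distinct hosts) and, as several posters say, with a written policy that tells users what is not allowed.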
