Configure dray tek
As we all know, QQ has many servers and ports, so blocking it is troublesome. For some special reasons, however, it sometimes has to be blocked. Here are some easy ways to do it, for users' reference. Personally, I use the NETCORE 2505+NR and 2605; the principle is the same on other routers. You will find that blocking QQ is not really a headache.

First, when QQ logs in, it mainly uses TCP/UDP port 8000. Therefore, we first prohibit all intranet machines from accessing port 8000 on remote hosts. On NETCORE's high-end routers, we can add a rule under Internet access control. Make the rule effective for all internal hosts (this step can be adjusted as needed; for example, you can make it effective for some hosts, or for a single host, and so on). Then make it effective for the following application: specify the TCP/UDP protocol, set the port to 8000, and select no Internet access. In this way, logins through any server that uses port 8000 will fail.

Second, some other servers accept logins on TCP ports 80 and 443. These servers are reached by resolving domain names to IP addresses. The domain names collected so far are: tcpconn1.tencent.com, tcpconn2.tencent.com, tcpconn3.tencent.com, tcpconn4.tencent.com, tencent.com and tencent.com.cn. Make the rule effective either for all applications to these servers or only for TCP/UDP ports 80 and 443, and prohibit Internet access.

Third, at this point QQ is not yet completely under control, but most logins are blocked. Log in with the QQ software to see which servers and which ports it still logs in through, then restrict those servers individually.

Fourth, this completes the whole process of banning QQ.
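
The check in the third step can be scripted. The following Python code is an added example, not part of the original article: it reads a connection log taken from a test machine running QQ and lists the destinations that neither the port 8000 rule nor the domain rule covers. The log format, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Rules from steps one and two of the article.
BLOCKED_PORTS = {("tcp", 8000), ("udp", 8000)}
BLOCKED_DOMAINS = ("tencent.com", "tencent.com.cn")
DOMAIN_RULE_PORTS = {80, 443}

# Constructed log format (an assumption, not a NETCORE format).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<dst>\S+) host=(?P<host>\S+) dport=(?P<dport>\d+)"
)

# Constructed sample; host "-" means the client connected to a bare IP.
SAMPLE_LOG = """\
src=192.168.1.50 proto=udp dst=203.0.113.10 host=sz.tencent.com dport=8000
src=192.168.1.50 proto=tcp dst=203.0.113.20 host=tcpconn.tencent.com dport=80
src=192.168.1.50 proto=tcp dst=203.0.113.30 host=- dport=443
src=192.168.1.50 proto=tcp dst=203.0.113.30 host=- dport=443
src=192.168.1.50 proto=udp dst=203.0.113.40 host=- dport=4000
src=192.168.1.77 proto=tcp dst=203.0.113.30 host=- dport=443
"""

def covered(proto, host, dport):
    """True if the step-one or step-two rule would already deny this flow."""
    if (proto, dport) in BLOCKED_PORTS:
        return True
    if dport in DOMAIN_RULE_PORTS:
        # Match the domain itself or a subdomain, never a mere string suffix.
        return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
    return False

def uncovered(log_text, test_host):
    """Count (proto, dst, dport) flows from test_host that no rule covers."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m or m["src"] != test_host:
            continue
        proto, dport = m["proto"], int(m["dport"])
        if not covered(proto, m["host"].lower(), dport):
            hits[(proto, m["dst"], dport)] += 1
    return hits.most_common()
```

Connections made to a bare IP address carry no domain name, so the domain rule never sees them; those are the entries that end up as per-server restrictions.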

Fifth, a list of the IP addresses of the MSN and QQ servers.


(The number of servers will keep increasing. I hope my friends can find the new ones for themselves. At present, my router has banned this many IPs, and some domain names have to be filtered as well.)


QQ servers are divided into three categories:

1. UDP port 8000 class, 13 servers: the fastest, and the most numerous.

When QQ goes online, it sends UDP packets to these 11 servers and chooses the one that replies fastest as its connection server.

The names of these six servers all start with sz, the domain suffix is tencent.com, and the domain names correspond to the following IPs.

sz, sz2: 61.144.238.145 61.144.238.146 61.144.238.156

sz3, sz4, sz6, sz7: 202.104.129.251 202.104.129.254 202.104.129.252 202.104.129.253

sz5: 61.141.194.203 202.96.170.166 2 18.95 . 22 1.2 19. 133.45.65438

61.141.194.224 202.96.170.164

2. TCP/HTTP connection class, 4 servers: they connect over HTTP ports 80 and 443.

The names of these four servers all start with tcpconn, and the domain suffix is tencent.com. The IPs corresponding to the domain names are as follows.

tcpconn, tcpconn3: 218.17.209.23

tcpconn2, tcpconn4: 218.18.95.153 61.141.194.227 218.18.95.171

3. VIP member login server: uses HTTP 443 for a secure connection.

Server IP: 218.17.209.42

Knowing these server addresses, you can block all of them, and then no one can reach QQ.

If QQ is still reachable, it means that a new server has been added! Block each one as you see it! Hee hee!

QQ: at present, the default port is 4000, over UDP. However, 1080, 8000, 8001 and 28120 can also be used for UDP transmission. Whatever the case, block them all.

☆ If proxy software is used

Blocking proxies is far less complicated than blocking QQ. For example, someone from Tong Tong Company has successfully used QQ. I also installed it, and found that Tong Tong has only one free server, and everything else costs money. Not many people are willing to spend money on this little piece of software, are they? I blocked the server IP on the router. In the end, I could not get on QQ with my own 'TTT' proxy. I think other proxy software is similar. Ha ha. Please correct me ...

If the local system has not been reinstalled, and you log in with a QQ account that has been used on this machine before, QQ will still be unable to log in even when a new server appears. I think QQ always looks for the fastest server it has logged in to before. (This is really hard to say) ...

If friends passing by still can't ban QQ with the above methods, you can leave me a message and I will try my best to help ...

☆ Supplement: some friends asked how to disable MSN.

The MSN client's login service uses TCP port 1863. As long as this port is closed, it is difficult to log on to MSN. You should also pay attention to several other ports: MSN uses TCP ports 6891 and 6890, 80 and 443 for file sharing and transfer, while video and voice use UDP ports 13324 and 13325, 3544-3579, 68. However, the program * * Knowing this, you can restrict MSN according to your specific environment.

-

Using ISA to stop the instant messaging tools MSN/QQ from using a proxy

MSN and QQ are good communication tools that have brought people closer together. But for many busy companies that don't rely on instant messaging, they are a scourge that seriously affects the normal work of employees and the normal operation of the company.

In view of this, many network administrators take measures to disable instant messaging tools such as MSN and QQ. But simply disabling them does not solve the problem. Because the office needs the network, the administrator can't disable the HTTP protocol, so many undisciplined employees use an HTTP proxy to use MSN and QQ in secret. That will not do, will it? Isn't this a challenge to the authority of network management? Blocking proxies for instant messaging tools is imperative.

Blocking principle

Because the network administrator must ensure that employees can work online normally, it is impossible to disable the HTTP protocol, and this is the difficulty in stopping the instant messaging tools MSN and QQ from using an HTTP proxy. How can this be solved? Nowadays, many enterprise-level network firewalls have added the concept of "deep protection". ISA Server 2004, for example, can check not only the network packets in a communication but also the application-layer contents of those packets, and can filter and inspect HTTP application-layer data.

Once ISA Server 2004 finds that the HTTP application-layer data contains the keyword information of MSN or QQ, it can discard the packet, which stops instant messaging tools such as MSN and QQ from using the HTTP proxy.

Solution

The most effective and simplest way to prevent MSN and QQ from using HTTP proxy is to filter IM packets in network communication. This filtering measure is realized by identifying the IM keyword contained in the IM packet, which can be easily achieved by using the "signature" function provided by ISA Server 2004 firewall.

Network environment: the network managed by ISA Server 2004 server.

Blocking tool: ISA Server 2004 firewall

Tip: ISA firewall provides powerful network monitoring and management functions, such as deep protection and filtering functions, which can prohibit MSN and QQ from using HTTP proxy. Of course, you must know the characteristic keywords contained in MSN and QQ packets.

Blocking steps: get the keywords of MSN and QQ; enable the ISA signature function; start the "block" function.

Master "keywords"

After making the above preparations, you can start the setting of "shielding". After finding the keywords in MSN and QQ package, configure ISA firewall and complete the setup.

Because ISA firewall uses the characteristic keywords contained in MSN and QQ packets to filter out the IM packets contained in HTTP packets, so as to disable the HTTP proxy, it is necessary to find out the keywords in MSN and QQ packets first.

The "signature" function provided by ISA Server 2004 acts on the HTTP application layer, and uses the "keywords" in the packets of instant messaging software to filter. For example, the keyword in the packet sent by MSN is "MSMSGS", while the keyword used in the QQ packet is "tencent.com". After mastering this information, it is easy to use the "signature" function to block the HTTP proxy.

Tip: The "keyword" information in MSN and QQ packets is easy to find on the Internet. How did others get it? This is more complicated: a sniffer tool has to be used to monitor and analyze these IM packets, for example the protocol analysis tool "Sniffer Pro" from NAI. It is not introduced in detail here because it is troublesome to operate.

Start blocking

After mastering the keywords in the packets sent by chat tools using HTTP proxy, we can follow the trail and seal their mouths with these keywords.

ISA firewall uses the built-in "signature" function to prohibit MSN and QQ from using HTTP proxy, so the "signature" function must be configured reasonably.

In the console window of ISA Server 2004 server, right-click the "Allow users to access external networks" rule and select the "Configure HTTP" option from the pop-up menu. Then, in the Configure HTTP Policy for Rules dialog box, switch to the Signature tab, and now you can use the signature function to disable the HTTP proxy.

Tip: After installing ISA Server 2004 network firewall, by default, no user is allowed to access the external network. Therefore, it is necessary to create an access rule to allow employees in the internal network to access the Internet. This rule is the "allow users to access the external network" rule just mentioned.

1. Disable MSN.

To stop MSN from using an HTTP proxy, it is enough to filter out the packets containing the keyword "MSMSGS".

In the Signature tab, click Add to open the Signature Configuration dialog box (figure 1), enter MSN Messenger in the Name column, select the Request Header option in the Search Scope drop-down list box, enter User-Agent: in the HTTP Header column, and then enter.


2. Disable QQ

As with MSN, QQ can be stopped from using an HTTP proxy simply by filtering out the packets containing the keyword "tencent.com".

Click "Add" in the signature tab to open the signature configuration dialog box (Figure 2), enter "QQ" in the name field, then select "Request URL" in the search scope drop-down list box, enter "tencent.com" in the signature field, and finally click "OK" twice to complete the setting.


3. Disable other chat software

The method for stopping other IM tools from using an HTTP proxy is the same: find out the characteristic keywords contained in the IM packets, then configure them in the "signature" function of the ISA firewall.

Finally, select the "Allow users to access external networks" rule in the ISA Server 2004 firewall policy window, and click the "Apply" button above to make the above signature configuration effective, so that chat tools such as MSN and QQ can be completely prohibited from using HTTP proxy.

Summary: The principle of stopping MSN and QQ from using an HTTP proxy is simple. The key is to know the characteristic keywords in the IM packets, and then configure the signature function of the ISA firewall to filter accordingly.
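
To make the matching logic concrete, the following Python code models the two signatures above as data and applies them to raw HTTP requests. It is an added example, not ISA Server code and not from the original article. Assumptions: the MSN signature value is the keyword "MSMSGS" named in the text, keywords are compared case-insensitively, and the sample requests (including the host gateway.example) are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    scope: str        # "request_header" or "request_url", as in the dialog
    keyword: str
    header: str = ""  # header name; only used for the request_header scope

# The two signatures described in the article.
SIGNATURES = (
    Signature("MSN Messenger", "request_header", "MSMSGS", "User-Agent"),
    Signature("QQ", "request_url", "tencent.com"),
)

def parse_request(raw: bytes):
    """Return (url, headers) from a raw HTTP request; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers

def blocked_by(raw: bytes, signatures=SIGNATURES):
    """Name of the first matching signature, or None if the request passes."""
    url, headers = parse_request(raw)
    for sig in signatures:
        if sig.scope == "request_url":
            searched = url
        else:
            searched = headers.get(sig.header.lower(), "")
        # Assumption of this example: case-insensitive keyword comparison.
        if sig.keyword.lower() in searched.lower():
            return sig.name
    return None

# Constructed requests, as a proxy or firewall would see them.
MSN_REQ = (b"POST http://gateway.example/gateway.dll HTTP/1.1\r\n"
           b"User-Agent: MSMSGS\r\nHost: gateway.example\r\n\r\n")
QQ_REQ = b"CONNECT tcpconn.tencent.com:443 HTTP/1.1\r\n\r\n"
WEB_REQ = (b"GET http://www.example.com/?q=MSMSGS HTTP/1.1\r\n"
           b"User-Agent: Mozilla/4.0\r\nReferer: http://tencent.com/\r\n\r\n")
```

WEB_REQ passes even though both keywords appear in it, because each signature searches only its own scope. For a CONNECT request the only text available to match is the host and port on the request line, since everything after the tunnel is set up is encrypted.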

Background: how chat software uses a "proxy"

Although different IM tools use different communication protocols, almost all of them support an HTTP proxy function. This is because once the network administrator blocks the IM tool, you can't log in. The tool can then use an HTTP proxy to convert its packets into HTTP packets and get through the firewall. After all, most LANs do not block the HTTP protocol.