[CentOS] IPTABLES and Hi-Risk blocking
John R. Dennison
jrd at gerdesas.com
Fri Nov 27 22:29:16 UTC 2009
On Fri, Nov 27, 2009 at 01:52:31PM -0800, nate wrote:
> As others have mentioned using a proxy would work..
Proxy would be the best as it offers a lot of additional
features such as logging ability to see how much time
people are wasting at work. Squid set up as a transparent
proxy negates having to do any client-side setup and can
not be easily bypassed by clueful end-users.
> Other ways would be using iptables to block access to those
> domains' name servers so the names do not resolve at all (they could
> still access via IP..)
Not as easy as one would think; most sites in this day
and age are still going to require proper Host: headers
be sent I would think.
Blocking by server IP addresses or even authoritative DNS
servers for the domains you wish blocked is not ideal as
you have *no* control over these resources. Web servers
or geoip redirectors / load balancers may change public
IP spaces and DNS servers are subject to similar.
> Also hosting the domains on your internal name server and pointing
> them to some internal address so that they can't be resolved as
> well could work.
I've done this in the past with great success; point them to
a "You've Been Busted Going To This Website" type page; access
logs can be processed to see who is trying to waste company
time with this solution also. The only real problem with this
is ensuring that /etc/hosts or \Windows\system32\drivers\etc\hosts
(and whatever Macs use) resolution is properly locked down so that
clueful users cannot resolve locally, thus bypassing your DNS server.
> Often times client side antivirus/spyware programs can be configured
> to block things on the client side as well.
While this indeed can be done, and I've seen it used to good
effect, it just adds to workloads if you ever change to another
AV solution down the road; the local DNS server is set and
It is not bigotry to be certain we are right; but it is bigotry to be unable
to imagine how we might possibly have gone wrong.
-- G. K. Chesterton
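The internal-DNS approach described in the reply above, as an added example that is not part of the original thread: a POSIX shell script that generates BIND-style `zone` stanzas and a shared zone file sending every blocked domain (and any name under it) to an internal "busted" page, plus a check for hosts-file entries that would let a user resolve a blocked name locally and bypass that DNS server. The sinkhole address `10.0.0.50`, the name-server names under `internal.example`, and the domain list used in the usage section are constructed sample values, and the BIND file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: sinkhole a list of domains via an
# internal BIND server and detect local hosts-file overrides that bypass it.
# Assumptions: BIND-style named.conf/zone syntax; SINKHOLE_IP and the
# internal.example NS names are constructed sample values.

SINKHOLE_IP="10.0.0.50"   # constructed: internal host serving the notice page

# Emit one named.conf "zone" stanza per blocked domain (one domain per line
# in $1). All stanzas share a single zone file, so the wildcard record in it
# catches every subdomain of every blocked domain.
gen_named_conf() {
    while read -r dom; do
        [ -n "$dom" ] || continue
        printf 'zone "%s" { type master; file "/var/named/sinkhole.zone"; };\n' "$dom"
    done < "$1"
}

# Emit the shared zone file. "@" expands to whichever zone loads the file,
# so the apex and the "*" wildcard both resolve to the sinkhole address.
# A short TTL keeps clients from caching the answer long after unblocking.
gen_zone_file() {
    printf '$TTL 300\n'
    printf '@ IN SOA ns1.internal.example. hostmaster.internal.example. ( 1 3600 900 604800 300 )\n'
    printf '@ IN NS ns1.internal.example.\n'
    printf '@ IN A %s\n' "$SINKHOLE_IP"
    printf '* IN A %s\n' "$SINKHOLE_IP"
}

# Scan a hosts file ($1) for entries naming a blocked domain ($2, one per
# line) or any subdomain of it. Such an entry resolves locally, before the
# internal DNS server is ever asked. Prints "<address> <name>" per hit and
# returns 1 if anything was found, 0 otherwise.
check_hosts_overrides() {
    found=0
    while read -r dom; do
        [ -n "$dom" ] || continue
        # Strip "#" comments; field 1 is the address, fields 2..NF are names.
        hits=$(sed 's/#.*//' "$1" | awk -v d="$dom" '
            { for (i = 2; i <= NF; i++)
                if ($i == d || substr($i, length($i) - length(d)) == "." d)
                    print $1, $i }')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done < "$2"
    return "$found"
}

# Usage (constructed input): render the BIND pieces and audit a hosts file.
if [ "${1:-}" = "--demo" ]; then
    printf 'timewaster.example\ngames.example\n' > /tmp/blocked.lst
    gen_named_conf /tmp/blocked.lst
    gen_zone_file
    check_hosts_overrides /etc/hosts /tmp/blocked.lst \
        && echo "no local overrides of blocked domains" \
        || echo "WARNING: hosts file overrides found above"
fi
```

The hosts check only catches the bypass the reply singles out (a locally pinned name); it does not replace locking the file down with permissions, and it needs to run on each workstation or via management tooling, since the hosts file is client-side.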