[CentOS] IPTABLES and Hi-Risk blocking

Fri Nov 27 22:29:16 UTC 2009
John R. Dennison <jrd at gerdesas.com>

On Fri, Nov 27, 2009 at 01:52:31PM -0800, nate wrote:
> 
> As others have mentioned using a proxy would work..

	Proxy would be the best as it offers a lot of additional
	features such as logging ability to see how much time
	people are wasting at work.  Squid set up as a transparent
	proxy negates having to do any client-side setup and cannot
	be easily bypassed by clueful end-users.

> Other ways would be using iptables to block access to those
> domain's name servers so the names do not resolve at all(they could
> still access via IP..)

	Not as easy as one would think; most sites in this day
	and age are still going to require that proper Host: headers
	be sent, I would think.

	Blocking by server IP addresses or even authoritative DNS
	servers for the domains you wish blocked is not ideal as
	you have *no* control over these resources.  Web servers
	or geoip redirectors / load balancers may change public
	IP spaces, and DNS servers are subject to similar changes.

> Also hosting the domains on your internal name server and pointing
> them to some internal address so that they can't be resolved as
> well could work.

	I've done this in the past with great success; point them to
	a "You've Been Busted Going To This Website" type page; access
	logs can be processed to see who is trying to waste company
	time with this solution also.  The only real problem with this
	is ensuring that /etc/hosts or \Windows\system32\drivers\etc\hosts
	(and whatever Macs use) resolution is properly locked down so that
	clueful users cannot resolve locally, thus bypassing your DNS server.

> Often times client side antivirus/spyware programs can be configured
> to block things on the client side as well.

	While this indeed can be done, and I've seen it used to good
	effect, it just adds to workloads if you ever change to another
	AV solution down the road; the local DNS server is set and
	forget.
							John
-- 
It is not bigotry to be certain we are right; but it is bigotry to be unable
to imagine how we might possibly have gone wrong.
                         -- G. K. Chesterton
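The internal-DNS sinkhole John describes, as an added example (not from the thread or from any poster): it generates BIND-style named.conf zone stanzas plus one shared zone file that answers every blocked domain and its subdomains with the "busted" page address, and it summarizes that page's access log per client and requested Host. The ns1.internal name, the /var/named/sinkhole.zone path, and an Apache LogFormat ending in "%{Host}i" are assumptions; the log lines are constructed.

```python
"""Internal-DNS sinkhole helpers: zone generation and log summary.

Added example. Assumes BIND named.conf syntax, a sinkhole name server
called ns1.internal, and an Apache combined log with "%{Host}i" appended
so the requested hostname is the final quoted field of each line."""
import re
from collections import Counter


def sinkhole_zone_config(domains, sinkhole_ip):
    """Return (named.conf stanzas, zone file text) for the blocked domains.

    One zone file serves every stanza because '@' expands to each zone's
    own origin; the wildcard record catches www.* and any other host."""
    stanzas = [
        f'zone "{d}" {{ type master; file "/var/named/sinkhole.zone"; }};'
        for d in sorted(set(domains))
    ]
    zone = "\n".join([
        "$TTL 300",
        "@ IN SOA ns1.internal. hostmaster.internal. ( 1 3600 900 604800 300 )",
        "@ IN NS ns1.internal.",
        f"@ IN A {sinkhole_ip}",
        f"* IN A {sinkhole_ip}",
    ])
    return "\n".join(stanzas), zone


# Combined log format with the Host header as a trailing quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<host>[^"]*)"$')


def summarize_sinkhole_log(lines):
    """Count hits on the 'busted' page per (client IP, requested Host)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # lines that do not parse are skipped rather than guessed at
            hits[(m["client"], m["host"].lower())] += 1
    return hits


# Constructed sample log lines from the sinkhole web server.
SAMPLE_LOG = """\
10.0.5.12 - - [27/Nov/2009:13:52:31 -0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.example-games.test"
10.0.5.12 - - [27/Nov/2009:13:52:40 -0800] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0" "www.example-games.test"
10.0.5.77 - - [27/Nov/2009:14:01:02 -0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "video.example-games.test"
""".splitlines()
```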