On Fri, Nov 27, 2009 at 01:52:31PM -0800, nate wrote:
> 
> As others have mentioned using a proxy would work..

        Proxy would be the best as it offers a lot of additional
        features such as logging ability to see how much time
        people are wasting at work.  Squid set up as a transparent
        proxy negates having to do any client-side setup and
        cannot be easily bypassed by clueful end-users.

> Other ways would be using iptables to block access to those
> domain's name servers so the names do not resolve at all (they could
> still access via IP..)

        Not as easy as one would think; most sites in this day
        and age are still going to require proper Host: headers
        be sent I would think.

        Blocking by server IP addresses or even authoritative DNS
        servers for the domains you wish blocked are not ideal as
        you have *no* control over these resources.  Web server
        or geoip redirectors / load balancers may change public
        IP spaces and DNS servers are subject to similar.

> Also hosting the domains on your internal name server and pointing
> them to some internal address so that they can't be resolved as
> well could work.

        I've done this in the past with great success; point them to
        a "You've Been Busted Going To This Website" type page; access
        logs can be processed to see who is trying to waste company
        time with this solution also.  The only real problem with this
        is ensuring that /etc/hosts or \Windows\system32\drivers\etc\hosts
        (and whatever Macs use) resolution is properly locked down so that
        clueful users cannot resolve locally thus bypassing your DNS server.

> Often times client side antivirus/spyware programs can be configured
> to block things on the client side as well.

        While this indeed can be done, and I've seen it used to good
        effect, it just adds to workloads if you ever change to another
        AV solution down the road; the local DNS server is set and
        forget.




                                                        John
-- 
It is not bigotry to be certain we are right; but it is bigotry to be unable
to imagine how we might possibly have gone wrong.
                         -- G. K. Chesterton


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
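
The access-log processing mentioned in the reply above, as an added example that is not part of the original message: it tallies hits on the internal "blocked" page per client and per sinkholed domain. The log layout, the zone names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log layout (not from the thread): the sinkhole vhost logs the
# requested Host header first, e.g. Apache
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+$')

# Constructed zones standing in for the domains the internal DNS overrides.
SINKHOLED = {"social.example", "video.example"}

def normalize_host(host):
    """Lower-case a Host header value, drop any :port and trailing dot."""
    host = host.lower()
    if not host.startswith("["):      # leave bracketed IPv6 literals alone
        host = host.split(":")[0]
    return host.rstrip(".")

def matching_zone(host, zones=SINKHOLED):
    """Return the sinkholed zone that host equals or is a subdomain of."""
    labels = normalize_host(host).split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in zones), None)

def tally(lines, zones=SINKHOLED):
    """Count hits per (client, zone) and the number of unparseable lines."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        zone = matching_zone(m.group("host"), zones)
        if zone:
            hits[(m.group("client"), zone)] += 1
    return hits, skipped

# Constructed sample lines (documentation addresses, .example names).
SAMPLE = [
    'www.social.example 192.0.2.10 - - [27/Nov/2009:14:01:02 -0800] "GET / HTTP/1.1" 200 512',
    'WWW.Social.Example:80 192.0.2.10 - - [27/Nov/2009:14:05:40 -0800] "GET /home HTTP/1.1" 200 512',
    'video.example. 192.0.2.23 - - [27/Nov/2009:14:07:11 -0800] "GET /watch HTTP/1.1" 200 512',
    'notsocial.example 192.0.2.23 - - [27/Nov/2009:14:09:30 -0800] "GET / HTTP/1.1" 200 512',
    'truncated line',
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

Matching is done on whole DNS labels, so `notsocial.example` is not counted against `social.example`, and lines that do not parse are counted rather than silently dropped.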
