LinuxQuestions.org


Aquarius_Girl 08-20-2010 07:00 AM

How to block a website PERMANENTLY ?
 
Firefox 3.6.8
OpenSuse 11.2

I have the root password of my computer.
I want to block a website on my computer such that even root cannot unblock it !

I *desperately* need help !!!

konsolebox 08-20-2010 07:24 AM

Quote:

Originally Posted by anishakaul (Post 4072297)
such that even root cannot unblock it !

UID 0 is very powerful and can do almost anything so I can only think of three things for that: configure/modify the kernel, use another machine or create a virtual machine that will filter your connections, create a chroot-ed environment that will handle filters (not really effective I think since root will still be in the main environment).

druuna 08-20-2010 07:26 AM

Hi,

Root is all powerful on a unix/linux box, you can make it a bit harder for root to change files, but you cannot stop it.

Hope this helps.

Aquarius_Girl 08-20-2010 07:29 AM

konsolebox,

Many thanks for replying !
Quote:

Originally Posted by konsolebox (Post 4072327)
configure/modify the kernel

That's out of question for me.

Quote:

Originally Posted by konsolebox (Post 4072327)
create a virtual machine that will filter your connections,

Kindly explain this one more, how and what should I do about it. Direct answers are not expected, you can point me to some links too.

lylemwood 08-20-2010 07:29 AM

Best do it on a piece of tertiary hardware...
 
Hi Anisha,

I've gone through this a few times... Problem is that any time someone has root on a system they can, if they know what they're doing, reinstate the service you've tried to kill.

I'm not sure of the exact intent behind the block, but I'll say this: If you want to ensure that a site/service is not accessible and it's got to traverse the network, the best way to accomplish this is through configuration of some third-party device... Like the router.

Some may say that a simple mod to the routing table will kill it, others might suggest adding it manually to the resolution stack for your distro... Problem is that they're both on the system you're trying to block the site from and, sadly, that means that if you can do it as root, root can undo it.

You have the following options:

- If this is going to be a regular practice, implement a robust proxy server and block the sites you want blocked on that.
- If this is a one-off thing, just log into your router and (if it allows such a thing, which I believe most do now) block the remote address or set up a name resolution to resolve back to 127.0.0.1 or something of the sort...

Sorry I can't help more, but as I said, if root can do it, root can undo it in Linux.

fbobraga 08-20-2010 07:30 AM

Block it outside of the machine then, on its way to the internet: maybe in your router?

fbobraga 08-20-2010 07:36 AM

... or use something like http://www.opendns.org/ (it's very simple to avoid, by changing the DNS entries - but a normal user normally doesn't know how to do this :P)

konsolebox 08-20-2010 07:46 AM

Quote:

Originally Posted by anishakaul (Post 4072330)
Kindly explain this one more, how and what should I do about it. Direct answers are not expected, you can point me to some links too.

The purpose is to create a system that is not accessible by root so in order to do that, you can add another adjacent system where you'll pass or tunnel your connections. In that system, your connections will be filtered.

Creating a virtual system is the same concept, only that the system is also hosted in the system where the root account in question is placed. There are two ways to do this but only one is really applicable. Either you place the virtual system inside the same system where you have root (with this it appears that root still has access) or you place the two systems (the virtual and the system that contains root) as two virtual systems placed in a third main system. The third main (which will turn out to be the first now) will be hosting the virtualization software like VirtualBox or VMWare that will create and emulate your virtual systems. This is quite heavy though.

For more info about virtualization, here are the links:
http://en.wikipedia.org/wiki/Virtualization
http://en.wikipedia.org/wiki/Virtual_machine
http://en.wikipedia.org/wiki/VirtualBox
http://en.wikipedia.org/wiki/VMware

P.S. I'm getting a feeling that there's already a feature in the kernel where you can easily solve your approach. Something like a special layer for summoning special processes or userspace applications that are not preemptible by root and will handle the filter. Maybe also a special rule like the iptables that's only configurable on compile time.

druuna 08-20-2010 08:00 AM

Hi,

@konsolebox: If I understand correctly you are still on the same physical machine, the only thing one does is create one or more (maybe encrypted) VM's. The root user can still change/edit/remove parts (if it is encrypted, root cannot access it but can remove it). Looks like extra layers that will not protect you from root when it comes down to it.

@anishakaul: You mention the following: I have the root password of my computer. If this is your computer, aren't you making it too hard for yourself to exclude root? If others do have access to your box, make sure that they do not have root access whatsoever (use sudo if they need some/limited access to specific files/commands).

Aquarius_Girl 08-20-2010 08:10 AM

Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

I have requested the (windows based) system admins to block that site on my computer. They said that the site blocking software license has expired so they cannot block any site anywhere now.:banghead:

konsolebox 08-20-2010 08:11 AM

Quote:

Originally Posted by fbobraga (Post 4072340)
... or use something like http://www.opendns.org/ (it's very simple to avoid, by changing the DNS entries - but a normal user normally doesn't know how to do this :P)

I think this is a good solution. Same also as asking a friend to host your dns queries. At least with that method even you won't be able to easily change the settings.
Quote:

Originally Posted by druuna (Post 4072357)
Hi,

@konsolebox: If I understand correctly you are still on the same physical machine, the only thing one does is create one or more (maybe encrypted) VM's. The root user can still change/edit/remove parts (if it is encrypted, root cannot access it but can remove it). Looks like extra layers that will not protect you from root when it comes down to it.

Let's say the place where the root account is placed in system B0 and the filter system is system B1. Both systems are hosted virtually by system A. Do you mean root in system B0 is still capable of accessing system A even if memory allocations and other resources are already isolated?

konsolebox 08-20-2010 08:21 AM

Quote:

Originally Posted by anishakaul (Post 4072361)
Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

I have requested the (windows based) system admins to block that site on my computer. They said that the site blocking software license has expired so they cannot block any site anywhere now.:banghead:

As I was expecting :p

Indeed I was thinking before about redirecting your dns queries to somewhere else but I haven't thought the obvious... It appears that you can still change it back to normal dns settings anytime you like. Guess I was wrong.

Btw if it's only a site block software that's required, maybe somewhere there's a free software that you can use? Did you try to search the web already? The concept about filtering your connection is still possible I think.

druuna 08-20-2010 08:38 AM

Hi,

Quote:

Originally Posted by konsolebox (Post 4072362)
Let's say the place where the root account is placed in system B0 and the filter system is system B1. Both systems are hosted virtually by system A. Do you mean root in system B0 is still capable of accessing system A even if memory allocations and other resources are already isolated?

Code:

+------------------------+
 | A (Physical)          |
 | root_a                |
 |  +------------------+  |   
 |  | B0 (VM)          |  |
 |  | root_b0          |  |
 |  +------------------+  |
 |                        |
 |  +------------------+  |
 |  | B1 (VM)          |  |
 |  | root_b1          |  |
 |  +------------------+  |
 |                        |
 +------------------------+

root_b0 and root_b1 cannot access each other (depends on how things are set up on VM B0 and VM B1, but let's assume this is true).
root_a, however, can access the physical machine A and both VM's B0 and B1.

@anishakaul: Expired license..... LOL.
Seriously: This is probably the safest way to block a site (use a machine you do not have [enough] access on). I also find it kinda strange that the license is not renewed by your company, puts them in a precarious situation if they get audited.

BTW: You aren't talking about blocking LQ, are you ;)

konsolebox 08-20-2010 08:50 AM

Quote:

Originally Posted by druuna (Post 4072385)
root_b0 and root_b1 cannot access each other (depends on how things are set up on VM B0 and VM B1, but let's assume this is true).
root_a, however, can access the physical machine A and both VM's B0 and B1.

With that my arguments should be invalid... but if it's only about root_b0 then it could still be valid (if with respect to applications and control inside B0). Up until now I don't really know if it's about the root account or the user who holds the root account that should have no access :).
Quote:

Originally Posted by druuna (Post 4072385)
Seriously: This is probably the safest way to block a site (use a machine you do not have [enough] access on).

Not unless anishakaul's work is administrative?
Quote:

Originally Posted by druuna (Post 4072385)
BTW: You aren't talking about blocking LQ, are you ;)

LOL

r3sistance 08-20-2010 09:03 AM

Quote:

Originally Posted by anishakaul (Post 4072361)
This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

Anything you can do to block it, you yourself can undo, you need to create personal restraint and self control over this issue, you can manage the computer, the computer CAN NOT manage you. If this really is such an issue for you, go to the admins and ask them to block all associated IPs to the site in question on the office router, this will block you out... however you yourself should be learning self-control and not relying on a machine to do for you, what you should be doing yourself.

Tinkster 08-20-2010 03:31 PM

Quote:

Originally Posted by anishakaul (Post 4072361)
Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

We'll miss you ;D

xtacease 08-20-2010 04:02 PM

Quote:

Originally Posted by anishakaul (Post 4072361)
Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

I have requested the (windows based) system admins to block that site on my computer. They said that the site blocking software license has expired so they cannot block any site anywhere now.:banghead:

But there should be some router hardware between you and the internet. Have them set up an ACL to block that website's IP (or group thereof) and continue to allow all other traffic that is currently accepted.

Also, perhaps they can put a decommissioned machine between you and the internet that filters out this traffic. There are specific linux distros that are built just to be firewalls.

http://en.wikipedia.org/wiki/List_of..._distributions

You can set the whole thing up and have them change the root pw and throw away the key =)

Aquarius_Girl 08-22-2010 07:00 AM

lylemwood and fbobraga,
Thanks to both of you for the suggestions !

Quote:

Originally Posted by konsolebox (Post 4072348)
Either you place the virtual system inside the same system where you have root (with this it appears that root still has access) or you place the two systems (the virtual and the system that contains root) as two virtual systems placed in a third main system. The third main (which will turn out to be the first now) will be hosting the virtualization software like VirtualBox or VMWare that will create and emulate your virtual systems. This is quite heavy though.

Thanks for the suggestion, though I could have installed virtual system on my computer but as you said that would not be very useful. And since I am in office I do not have enough rights to ask for another system for such purposes ! Thanks for the nice links too.

Aquarius_Girl 08-22-2010 07:07 AM

Quote:

Originally Posted by xtacease (Post 4072756)
But there should be some router hardware between you and the internet. Have them set up an ACL to block that website's IP (or group thereof) and continue to allow all other traffic that is currently accepted.

Thanks,

I asked them about the router settings, to which they replied that they cannot do it, perhaps they were trying to avoid me !!! I am not technically sound in terms of networking so I cannot convince them how that should be done !

If I could get some manual on how to do that, then perhaps they will not find any excuse to be lazy !

sag47 08-22-2010 07:10 AM

You could always get a router and filter it yourself. We do that often on the PCARD where I work. I'm a lab tech at a university and the uni IT staff is sluggish for certain things so that's usually the best solution.

Aquarius_Girl 08-22-2010 07:14 AM

Quote:

Originally Posted by druuna (Post 4072385)
I also find it kinda strange that the license is not renewed by your company, puts them in a precarious situation if they get audited.

BTW: You aren't talking about blocking LQ, are you ;)

Yes I also found it very strange that they had not renewed the license!

And I had an intuition someone would guess it right !
Of course I am talking of blocking LQ !!!!
How did you guess it by the way ? Through my blog or through my other thread in LQS&F forum ? :)

Quote:

Originally Posted by Tinkster (Post 4072730)
We'll miss you ;D

*Ahem* I hope this is not a sarcastic comment, Mr. Moderator ;) *Ahem*

brianL 08-22-2010 07:17 AM

Quote:

Originally Posted by anishakaul (Post 4072361)
I am *HIGHLY ADDICTED* to a particular site.

Could you tell us which site it is that you're *HIGHLY ADDICTED* to? ;) :)

Aquarius_Girl 08-22-2010 07:21 AM

Quote:

Originally Posted by r3sistance (Post 4072409)
Anything you can do to block it, you yourself can undo, you need to create personal restraint and self control over this issue, you can manage the computer, the computer CAN NOT manage you. If this really is such an issue for you, go to the admins and ask them to block all associated IPs to the site in question on the office router, this will block you out... however you yourself should be learning self-control and not relying on a machine to do for you, what you should be doing yourself.

Thanks to you :hattip:

Well, your words worked as a pep talk for me !
I restrained myself and didn't lurk/post on that site for 6 hours. That's an achievement for me :) But this can't go long ... I need to block that site from the router itself.

Aquarius_Girl 08-22-2010 07:22 AM

Quote:

Originally Posted by brianL (Post 4074007)
Could you tell us which site it is that you're *HIGHLY ADDICTED* to? ;) :)

As if you don't know !!! Trying to embarrass me further now ?

brianL 08-22-2010 07:35 AM

Quote:

Originally Posted by anishakaul (Post 4074014)
As if you don't know !!! Trying to embarrass me further now ?

Yeah, that's what I'm *HIGHLY ADDICTED* to: embarrassing young women. :D

Aquarius_Girl 08-22-2010 07:40 AM

brianL,

You should not give your LQ password to brainL, he is desperately trying to malign you in post 25 !

druuna 08-22-2010 07:55 AM

Hi,
Quote:

Originally Posted by anishakaul (Post 4074006)
And I had an intuition someone would guess it right !
Of course I am talking of blocking LQ !!!!
How did you guess it by the way ? Through my blog or through my other thread in LQS&F forum ? :)

It was meant as a joke actually.......

I just looked at the LQ Stats (haven't been there in ages) and I do see you are one of the top posters, which isn't necessarily a bad thing but might become a problem if your work suffers as a direct result. Show some restraint while at work (use the force anishakaul, use the force!) ;)

brianL 08-22-2010 08:05 AM

It really is LQ. :)

Aquarius_Girl 08-22-2010 08:06 AM

Please remove that link Briany, I don't want any further embarrassments now !!

brianL 08-22-2010 08:11 AM

OK? :)

Aquarius_Girl 08-22-2010 08:14 AM

Brian !!!!! Remove that comment "To save poor Anisha further embarrassment. " I'll never talk to you again now !

brianL 08-22-2010 08:15 AM

Done it. :)

konsolebox 08-22-2010 08:21 AM

Quote:

Originally Posted by brianL (Post 4074029)
Yeah, that's what I'm *HIGHLY ADDICTED* to: embarrassing young women. :D

And I thought she was a he!... didn't parse the username properly where it should have been 's/\(anisha\)\(kaul\)/\1 \2/' not '(anis)(hakaul)'. Good thing I haven't known it soon or else I would have made comments in a more careful manner.

EricTRA 08-22-2010 08:32 AM

Hi Anisha,

As stated before, don't let a computer (or a site for that matter) take control over your life. When the urge arises to go to LQ, just think about other things you like and try to restrain yourself. I know it's hard, but that's the only way to overcome an addiction this strong, by sheer willpower and mind control. Best of luck, and don't stay away too long ;)

Don't try things like laser therapy as done when trying to quit smoking or patches or stuff like that. It just doesn't work!! Your mind and will is the strongest medicine you can find.

It will be a sad day at LQ when you don't post.

Best of luck!

Kind regards,

Eri

Tinkster 08-22-2010 01:20 PM

Quote:

Originally Posted by anishakaul (Post 4074006)
*Ahem* I hope this is not a sarcastic comment, Mr. Moderator ;) *Ahem*

Nope. And I figured it was LQ w/o other threads or reading
your blog. Male intuition ;}



Cheers,
Tink

MTK358 08-22-2010 04:30 PM

@EricTRA

She already said that the *HIGHLY ADDICTIVE* site isn't LQ.

druuna 08-22-2010 04:42 PM

@MTK358: Have a look at post #21...... ;) It is LQ.

EricTRA 08-22-2010 11:59 PM

Quote:

Originally Posted by druuna (Post 4074429)
@MTK358: Have a look at post #21...... ;) It is LQ.

Thanks druuna, already started thinking that my eyes are playing tricks on me.:D

Kind regards,

Eric

Aquarius_Girl 08-24-2010 12:36 PM

Eric,

Many thanks to you for the soothing words...You were right, I should not let any website control me. Somehow I feel I don't need to use the router blocking technique anymore now ! It is time for me to pay attention to self improvement rather than LQ !

Thanks again :)

EricTRA 08-24-2010 12:50 PM

Quote:

Originally Posted by anishakaul (Post 4076358)
Eric,

Many thanks to you for the soothing words...You were right, I should not let any website control me. Somehow I feel I don't need to use the router blocking technique anymore now ! It is time for me to pay attention to self improvement rather than LQ !

Thanks again :)

Hello Anisha,

You're very welcome. I'm glad that you found the force to carry on and take control of your mind :).

The best control you can find is your own mind, believe me, I know for a fact that this is the truth.

Kind regards,

Eric

MTK358 08-24-2010 01:42 PM

It also seems better to me to just decide not to look at LQ when you don't need to rather than block it. What if there is a good reason to come back? :)

Also, it's obviously not possible to do something that even root cannot change. Just think.

Aquarius_Girl 08-24-2010 01:44 PM

Quote:

Originally Posted by MTK358 (Post 4076447)
Also, it's obviously not possible to do something that even root cannot change. Just think.

Why ? Others have suggested the router blocking methods, if you care to read the above posts !

MTK358 08-24-2010 01:59 PM

I meant within the computer. If it's an external piece of hardware then sure...

Aquarius_Girl 08-24-2010 02:16 PM

Quote:

Originally Posted by MTK358 (Post 4076447)
Also, it's obviously not possible to do something that even root cannot change. Just think.

Actually even root can't decrypt the /etc/shadow file with all the passwords...If the password is lost, one can set a new password but can never recover the old one ...

konsolebox 08-24-2010 08:32 PM

Quote:

Originally Posted by anishakaul (Post 4076478)
one can set a new password but can never recover the old one ...

Actually there is a way but not directly and it's not easy.

Tinkster 08-24-2010 08:53 PM

Anisha,

You may enjoy the read of this one ;}



Cheers,
Tink

joec@home 08-24-2010 10:40 PM

Quote:

Originally Posted by r3sistance (Post 4072409)
Anything you can do to block it, you yourself can undo, you need to create personal restraint and self control over this issue, you can manage the computer, the computer CAN NOT manage you. If this really is such an issue for you, go to the admins and ask them to block all associated IPs to the site in question on the office router, this will block you out... however you yourself should be learning self-control and not relying on a machine to do for you, what you should be doing yourself.

I have to agree, but should the system administrator be reading this there is a terribly simple way of doing this. From the description of the network they are running a Microsoft Active Directory based network. If this is a true AD setup, then all workstations would be using the AD enabled DNS resolvers. Even though they are resolving DNS servers, you can still host DNS zones on the resolver. Simply create a zone for the domain in question and create dummy "A" records that point to 0.0.0.0 or 127.0.0.1 or some internal IP address with an HTML index page saying "You Fired!" or something like that. I used to track website URLs that were known for offloading viruses and malware and that was how I blocked them. Made life so much easier!


"No you can not click on that ad in yahoo.com, and no it will not display! It is a good thing now stop pestering me!"

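The resolver-hosted zone described in the post above, modelled as an added example (not part of the original thread and not Active Directory's own code): a resolver that hosts a zone answers every name at or below it from its own records and never forwards those queries, so a zone holding only some names makes the rest stop resolving, and a wildcard record sends them all to the sinkhole. The zone `blocked.example`, the `Resolver` class and the upstream table are constructed for illustration.

```python
"""Model of a recursive resolver that also hosts a local sinkhole zone.

Constructed example: the zone, its records and the upstream table are made up.
"""

SINKHOLE = "0.0.0.0"
NO_ANSWER = "no-answer"  # stands for NXDOMAIN or an empty (NODATA) reply


def labels(name):
    """Normalise a DNS name to a tuple of lower-case labels."""
    return tuple(name.rstrip(".").lower().split("."))


class Resolver:
    def __init__(self, upstream):
        # upstream: dict standing in for the public DNS the resolver forwards to
        self.upstream = {labels(k): v for k, v in upstream.items()}
        self.zones = {}  # zone apex -> {owner name: address}

    def host_zone(self, apex, records):
        """Host a zone locally; keys are '@' (apex), a relative name, or '*'."""
        apex_l = labels(apex)
        self.zones[apex_l] = {
            (apex_l if owner == "@" else labels(owner) + apex_l): addr
            for owner, addr in records.items()
        }

    def _zone_for(self, q):
        """Most specific hosted zone that contains the query name, or None."""
        hits = [a for a in self.zones if q[-len(a):] == a]
        return max(hits, key=len) if hits else None

    def resolve(self, name):
        """Return (source, answer) for an A query."""
        q = labels(name)
        apex = self._zone_for(q)
        if apex is None:
            # Outside every hosted zone: forward as usual.
            return ("forwarded", self.upstream.get(q, NO_ANSWER))
        zone = self.zones[apex]
        if q in zone:
            return ("local", zone[q])
        # Wildcard lookup, walking from the query name up toward the apex.
        for i in range(1, len(q) - len(apex) + 1):
            wild = ("*",) + q[i:]
            if wild in zone:
                return ("local", zone[wild])
        # The resolver answers for the whole zone itself and never forwards it.
        return ("local", NO_ANSWER)


def demo():
    r = Resolver({"www.blocked.example": "203.0.113.10",
                  "mail.blocked.example": "203.0.113.25",
                  "other.example": "198.51.100.7"})
    # Zone with only apex and www: other names under it stop resolving at all.
    r.host_zone("blocked.example", {"@": SINKHOLE, "www": SINKHOLE})
    partial = [r.resolve(n) for n in
               ("www.blocked.example", "mail.blocked.example", "other.example")]
    # Adding a wildcard sends every name under the zone to the sinkhole.
    r.host_zone("blocked.example", {"@": SINKHOLE, "*": SINKHOLE})
    return partial, r.resolve("mail.blocked.example")


if __name__ == "__main__":
    print(demo())
```
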
Aquarius_Girl 08-24-2010 11:48 PM

Quote:

Originally Posted by Tinkster (Post 4076762)
Anisha,
You may enjoy the read of this one ;}

I enjoyed this link you posted in that thread !
It's worth bookmarking !

Now stop making fun of me :D

Aquarius_Girl 08-24-2010 11:52 PM

Quote:

Originally Posted by konsolebox (Post 4076753)
Actually there is a way but not directly and it's not easy.

Maybe, but I quoted what Pixel said here !

Tinkster 08-25-2010 01:15 PM

Quote:

Originally Posted by anishakaul (Post 4076857)
Maybe, but I quoted what Pixel said here !

Strictly speaking pixel's statement is not correct; firstly
the passwords aren't stored encrypted (hence a 'decrypt'
is indeed impossible) but hashed. Secondly, depending on
the password quality, length and hash-algorithm used it is
impractical to try and crack the hashes, but it's not impossible.

You could compare it to winning lotto ;} - just a few levels
more improbable.



Cheers,
Tink
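
The hashed-versus-encrypted distinction from the post above, as an added example that is not part of the original thread: a stored hash can only be checked by hashing a candidate with the same salt and comparing, and an audit that runs a wordlist through that same check finds a weak password but not a long random one. PBKDF2-HMAC-SHA512 from Python's hashlib stands in for the crypt(3) scheme of a real /etc/shadow; the `$pbkdf2-demo$` field layout, the users and the wordlist are constructed.

```python
"""Hash-and-compare password check with a small wordlist audit.

Constructed example: PBKDF2 stands in for the crypt(3) scheme of a real
/etc/shadow, and the '$pbkdf2-demo$' layout, users and wordlist are made up.
"""
import hashlib
import hmac
import os

ROUNDS = 10_000  # constructed work factor, kept low so the demo runs quickly


def make_entry(user, password, salt=None):
    """Build 'user:$pbkdf2-demo$rounds$salt$hash' from a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)
    return f"{user}:$pbkdf2-demo${ROUNDS}${salt.hex()}${digest.hex()}"


def parse_entry(line):
    """Split an entry into (user, rounds, salt, digest); reject other formats."""
    user, field = line.split(":", 1)
    parts = field.split("$")
    if len(parts) != 5 or parts[0] or parts[1] != "pbkdf2-demo":
        raise ValueError("unsupported hash format")
    return user, int(parts[2]), bytes.fromhex(parts[3]), bytes.fromhex(parts[4])


def verify(line, candidate):
    """Hash the candidate with the stored salt and compare in constant time.

    There is no inverse operation: the stored digest is never turned back
    into a password, it is only compared against a freshly computed one.
    """
    _, rounds, salt, digest = parse_entry(line)
    trial = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, rounds)
    return hmac.compare_digest(trial, digest)


def audit(lines, wordlist):
    """Return {user: first wordlist entry that verifies, or None}."""
    found = {}
    for line in lines:
        user = parse_entry(line)[0]
        found[user] = next((w for w in wordlist if verify(line, w)), None)
    return found


def demo():
    shadow = [make_entry("alice", "summer2010"),            # weak, on the list
              make_entry("bob", "T4v!qz-Lemur-92-okra")]    # long and random
    wordlist = ["password", "letmein", "summer2010", "qwerty"]
    return audit(shadow, wordlist)


if __name__ == "__main__":
    print(demo())
```
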

