LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 08-20-2010, 07:00 AM   #1
TheIndependentAquarius
Senior Member
 
Registered: Dec 2008
Posts: 4,622
Blog Entries: 29

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
How to block a website PERMANENTLY ?


Firefox 3.6.8
OpenSuse 11.2

I have the root password of my computer.
I want to block a website on my computer such that even root cannot unblock it !

I *desperately* need help !!!

Last edited by TheIndependentAquarius; 08-20-2010 at 07:20 AM.
 
Old 08-20-2010, 07:24 AM   #2
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by anishakaul View Post
such that even root cannot unblock it !
UID 0 is very powerful and can almost do anything so I can only think of three things for that: configure/modify the kernel, use another machine or create a virtual machine that will filter your connections, create a chroot-ed environment that will handle filters (not really effective I think since root will still be in the main environment).
 
Old 08-20-2010, 07:26 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374
Hi,

Root is all powerful on a unix/linux box, you can make it a bit harder for root to change files, but you cannot stop it.

Hope this helps.
 
Old 08-20-2010, 07:29 AM   #4
TheIndependentAquarius
Senior Member
 
Registered: Dec 2008
Posts: 4,622
Blog Entries: 29

Original Poster
Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
konsolebox,

Many thanks for replying !
Quote:
Originally Posted by konsolebox View Post
configure/modify the kernel
That's out of question for me.

Quote:
Originally Posted by konsolebox View Post
create a virtual machine that will filter your connections,
Kindly explain this one more, how and what should I do about it. Direct answers are not expected, you can point me to some links too.
 
Old 08-20-2010, 07:29 AM   #5
lylemwood
Member
 
Registered: Jan 2008
Location: Toronto, Canada
Distribution: Slackware, CentOS
Posts: 47

Rep: Reputation: 18
Best do it on a piece of tertiary hardware...

Hi Anisha,

I've gone through this a few times... Problem is that any time someone has root on a system they can, if they know what they're doing, reinstate the service you've tried to kill.

I'm not sure of the exact intent behind the block, but I'll say this: If you want to ensure that a site/service is not accessible and it's got to traverse the network, the best way to accomplish this is through configuration of some third-party device... Like the router.

Some may say that a simple mod to the routing table will kill it, others might suggest adding it manually to the resolution stack for your distro... Problem is that they're both on the system you're trying to block the site from and, sadly, that means that if you can do it as root, root can undo it.

You have the following options:

- If this is going to be a regular practice, implement a robust proxy server and block the sites you want blocked on that.
- If this is a one-off thing, just log into your router and (if it allows such a thing, which I believe most do now) block the remote address or set up a name resolution to resolve back to 127.0.0.1 or something of the sort...

Sorry I can't help more, but as I said, if root can do it, root can undo it in Linux.
 
Old 08-20-2010, 07:30 AM   #6
fbobraga
Member
 
Registered: Jul 2010
Location: São Paulo - Brasil
Distribution: Debian 7 / Crunchbang 11
Posts: 229

Rep: Reputation: 41
Block it outside of the machine them, in the way of it to internet: maybe in your router?
 
Old 08-20-2010, 07:36 AM   #7
fbobraga
Member
 
Registered: Jul 2010
Location: São Paulo - Brasil
Distribution: Debian 7 / Crunchbang 11
Posts: 229

Rep: Reputation: 41
... or use something like http://www.opendns.org/ (it's very simple to avoid, by changing the DNS entries - but a normal user normally don't know how to do this :P)
 
Old 08-20-2010, 07:46 AM   #8
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by anishakaul View Post
Kindly explain this one more, how and what should I do about it. Direct answers are not expected, you can point me to some links too.
The purpose is to create a system that is not accessible by root so in order to that, you can add another adjacent system where you'll pass or tunnel your connections. In that system, your connections will be filtered.

Creating a virtual system is a same concept only that the system is also hosted in the system where the root account in question is placed. There are two ways to do this but only one is really applicable. Either you place the virtual system inside the same system where you have root (with this it appears that root still have access) or you place the two system (the virtual and the system that contains root) as two virtual systems placed in a third main system. The third main (which will turn out to be the first now) will be hosting the virtualization software like VirtualBox or VMWare that will create and emulate your virtual systems. This is quite heavy though.

For more info about virtualization, here are the links:
http://en.wikipedia.org/wiki/Virtualization
http://en.wikipedia.org/wiki/Virtual_machine
http://en.wikipedia.org/wiki/VirtualBox
http://en.wikipedia.org/wiki/VMware

P.S. I'm getting a feeling that there's already a feature in the kernel where you can easily solve your approach. Something like a special layer for summoning special processes or userspace applications that are not preemptible by root and will handle the filter. Maybe also a special rule like the iptables that's only configurable on compile time.
 
Old 08-20-2010, 08:00 AM   #9
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374
Hi,

@konsolebox: If I understand correctly you are still on the same physical machine, the only thing one does is create one or more (maybe encrypted) VM's. The root user can still change/edit/remove parts (if it is encrypted, root cannot access it but can remove it). Looks like extra layers that will not protect you from root when it comes down to it.

@anishakaul: You mention the following: I have the root password of my computer. If this is your computer, aren't you making it too hard for yourself to exclude root? If others do have access to your box, make sure that they do not have root access whatsoever (use sudo if they need some/limited access to specific files/commands).
 
Old 08-20-2010, 08:10 AM   #10
TheIndependentAquarius
Senior Member
 
Registered: Dec 2008
Posts: 4,622
Blog Entries: 29

Original Poster
Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

I have requested the (windows based) system admins to block that site on my computer. They said that the site blocking software license has expired so they cannot block any site anywhere now.
 
Old 08-20-2010, 08:11 AM   #11
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by fbobraga View Post
... or use something like http://www.opendns.org/ (it's very simple to avoid, by changing the DNS entries - but a normal user normally don't know how to do this :P)
I think this is a good solution. Same also as asking a friend to host your dns queries. At least with that method even you won't be able to easily change the settings.
Quote:
Originally Posted by druuna View Post
Hi,

@konsolebox: If I understand correctly you are still on the same physical machine, the only thing one does is create one or more (maybe encrypted) VM's. The root user can still change/edit/remove parts (if it is encrypted, root cannot access it but can remove it). Looks like extra layers that will not protect you from root when it comes down to it.
Let's say the place where the root account is placed in system B0 and the filter system is system B1. Both systems are hosted virtually by system A. Do you mean root in system B0 is still capable of accessing system A even if memory allocations and other resources are already isolated?
 
Old 08-20-2010, 08:21 AM   #12
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by anishakaul View Post
Well, I have to admit now.

This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.

I have requested the (windows based) system admins to block that site on my computer. They said that the site blocking software license has expired so they cannot block any site anywhere now.
As I was expecting

Indeed I was thinking before about redirecting your dns queries to somewhere else but I haven't thought the obvious... It appears that you can still change it back to normal dns settings anytime you like. Guess I was wrong.

Btw if it's only a site block software that's required, maybe somewhere there's a free software that you can use? Did you try to search the web already. The concept about filtering your connection is still possible I think.

Last edited by konsolebox; 08-20-2010 at 08:41 AM.
 
Old 08-20-2010, 08:38 AM   #13
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374Reputation: 2374
Hi,

Quote:
Originally Posted by konsolebox View Post
Let's say the place where the root account is placed in system B0 and the filter system is system B1. Both systems are hosted virtually by system A. Do you mean root in system B0 is still capable of accessing system A even if memory allocations and other resources are already isolated?
Code:
 +------------------------+
 | A (Physical)           |
 | root_a                 |
 |  +------------------+  |    
 |  | B0 (VM)          |  |
 |  | root_b0          |  |
 |  +------------------+  |
 |                        |
 |  +------------------+  |
 |  | B1 (VM)          |  |
 |  | root_b1          |  |
 |  +------------------+  |
 |                        |
 +------------------------+
root_b0 and root_b1 cannot access each other (depends on how things are set up on VM B0 and VM B1, but lets assume this is true).
root_a, however, can access the physical machine A and both VM's B0 and B1.

@anishakaul: Expired license..... LOL.
Seriously: This is probably the safest way to block a site (use a machine you do not have [enough] access on). I also find it kinda strange that the license is not renewed by your company, puts them in a precarious situation if they get audited.

BTW: You aren't talking about blocking LQ, are you
 
Old 08-20-2010, 08:50 AM   #14
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

Rep: Reputation: 233Reputation: 233Reputation: 233
Quote:
Originally Posted by druuna View Post
root_b0 and root_b1 cannot access each other (depends on how things are set up on VM B0 and VM B1, but lets assume this is true).
root_a, however, can access the physical machine A and both VM's B0 and B1.
With that my arguments should be invalid... but if it's only about root_b0 then it could still be valid (if with respect to applications and control inside B0). Up until now I don't really know if it's about the root account or the user who holds the root account that should have no access .
Quote:
Originally Posted by druuna View Post
Seriously: This is probably the safest way to block a site (use a machine you do not have [enough] access on).
Not unless anishakaul's work is administrative?
Quote:
Originally Posted by druuna View Post
BTW: You aren't talking about blocking LQ, are you
LOL

Last edited by konsolebox; 08-20-2010 at 08:53 AM.
 
Old 08-20-2010, 09:03 AM   #15
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
Quote:
Originally Posted by anishakaul View Post
This computer is in my office.
I am *HIGHLY ADDICTED* to a particular site.
Anything you can do to block it, you yourself can undo, you need to create personal restraint and self control over this issue, you can manage the computer, the computer CAN NOT manage you. If this really is such an issue for you, go to the admins and ask them to block all associated IPs to the site in question on the office router, this will block you out... however you yourself should be learning self-control and not relying on a machine to do for you, what you should be doing yourself.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to block website in ubuntu 9.10 amritpalpathak Linux - Software 3 04-17-2010 08:46 AM
block website soumalya Linux - Networking 2 09-19-2008 09:06 AM
How to block a Website in Squid winxlinx Linux - Networking 1 02-21-2006 04:40 PM
access the block website by certain IP space_beyond Linux - Security 1 06-03-2005 12:33 AM
How many ways can u block a website? debug019 Linux - Newbie 4 11-07-2004 10:34 PM


All times are GMT -5. The time now is 11:13 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration