We help IT Professionals succeed at work.

Prevent users from accessing sites and web email

ksilvoso
ksilvoso asked
on
293 Views
Last Modified: 2010-04-11
I want to  prevent students from accessing their web email.  I also want to restrict several sites like facebook.com, etc.  I have restricted these sites on my router but students are accessing their web based email accounts and clicking on links that take them to sub pages of the restricted sites.  How can I block the whole site and also how to prevent accessing web email?

Thanks,
Karen
Comment
Watch Question

Commented:
Do you control the machines that they're using.  If so, you could try changing the host file.
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Bruce,
  I've tried the loopback address on a host file, even blocking the keyword on the router, to no avail.  How do I block it on my dns server?
If this host file didn't work, the DNS won't help.  DNS at it's most basic level is simply a glorifed host file, centrally managed (yes, I'm being very high-level and basic there).

I would guess that you may not have all the host names your students are using, or maybe they're going directly to IP addresses.

But if you want to try to use your DNS server to block hosts, create a new zone for the domain and add the host A record with an ip address of 127.0.0.1

If you use BIND, it's relatively easy to add a boatload of zones in one file - I can explain how if that's what you're using.  If your using Windows DNS, it's all GUI and you'll have to go through and add each one.

Does that help?
- Bruce

Commented:
Even if you did get the DNS thing to work, kids could simply use a proxy to get around it (we did that at school).    Do you want them to not surf the net at all?   Or just stop these few sites.  IF you dont want them to surf at all, just change the default gateway...  simple but it works!     If you only want them browsing a certain site or sites, you should get somekind of firewall that helps.   I saw dans guardian was mentioned here and I also suggest that one.  It is very good.  

Commented:
Karen,

I do not see what router you are using. This might be helpful to know.

Some firewalls are good, but will not always work. Many firewalls are good at blocking incoming traffic, but unless setup properly, may not help for web traffic. Generally speaking a firewall is good at blocking at the IP and Port level.

The solution may be to impliment a proxy server that meets your specific needs. A good proxy will block specific web sites, and even content.

Hopefully this helps out. If not let us know what router you are using, there may be settings there that we can reccomend.

Jon

Author

Commented:
It's just a linksys router - wrt54gs.  I looked at Dan's guardian and noticed the download is a tar.gz file.  I have almost no experience with linux but what I have I found installations to be extremely grueling.  Plus I have a windows 2003 server.  Would Dan's guardian work with it?
Karen

Commented:
Hello Karen,

Given the limited abilities of the router that you are using DansGuardian is definitely a great solution.

Assuming the Windows 2003 server is not being used as a workstation there is no reason at all that there will be an incompatibility on the network. You will literally set up a stand alone computer to serve as the proxy (the machine that will have DansGuardian installed on it). In most cases you will configure theproxy settings in the browser for each client PC to point to the IP address of the DansGuardian machine, typically with a port of 8080 (of course you configure the port and IP address).

Here is some general documentation that should make the full task of setting this up pretty easy:

http://sourceforge.net/docman/display_doc.php?docid=27211&group_id=131757

You could possibly take things a bit further and forward the ports that you want filtered to the machine running DansGuardian, some crafty configuration and you could basically filter all HTTP traffic even if the browser was not configured to point at the proxy.

This should go a long way to helping keep those kids safe.

Jon


Karen,

The reference that John provided is a great walk through on installing DansGuardian.  But given your admitted inexperience with linux, if you don't have the time to go through standing up a linux box and then installing and configuring DansGuardian, then I suggest using a "bundled" or "turn-key" solution.  IPCop is nice but the DansGuardian piece is not included without add-ons.

My suggest for you is to use the community version of Endian firewall.  While it's main purpose is a firewall, it comes with several other pieces built-in, like Advanced Proxy and DansGuardian.  I use it at a couple of clients as just a proxy with DansGuardian while using something else for their primary firewall (in my case, Cisco PIX's but in yours it would be the Linksys router).  Although, if you wanted, you can easily replace your Linksys with Endian and make your network even more secure.

The install is relatively simple, even with no linux experience.  Download an .iso image, burn a CD, boot the CD on a stand-alone box, answer a few questions about the network, and it installs.  Then you manage the entire product through a web interface.  It's put together very nicely and is what I personally had wanted from IPCop for a long time.

Check it out here:  http://www.endian.it/en/community/about/

If you'd like, I've even put together step by step procedures for installing Endian and configuring the web filtering.  Feel free to check out how easy it is to setup and configure: http://www.thewestbrooks.com/downloads/Endian_Installation_and_Configuration.pdf

Hope this helps!
- Bruce

Author

Commented:
If I do try to tackle Dan's guardian - which I'm considering.  I have installed linus suse 9 in the past and managed to get a wireless network card working.  If I do - would the kids be able to circumvent it by going straight to an IP address?  That is what they're doing.  Also how fast does the machine have to be that's serving as the proxy server?
Karen
Hi Karen,

DansGuardian (DG) approaches web filtering differently then most products.  It does actual content filtering, which makes it so powerful.  What this means that instead of comparing a site name or IP address against a blacklist of sites, DG scans each and every web page for content and adds or subtracts points based on the words and images found.  It then totals it up and compares it to what you've set as the limit for content.  Since DG is acting as a proxy, it can do all this before ever presenting the site to the end user.

So no, your kids cannot circumvent this by going directly to an IP address.

As for the power of the box, that depends on the number of users/kids you have.  Here's the requirements straight from Dan:  http://dansguardian.org/?page=requirements

In my experience, I've almost always used old, tossed aside PCs for setting up DG.  I've run it successfully under small loads (20-30 users) with 350Mhz PCs with 512Mg RAM.  So it doesn't take much.  Of course, the faster the machine and especially the more the RAM the better.

I'd still suggest trying out Endian because of the interface and very simple ease of use, at least to start with.  But if you're up to it and have the time to hack and learn, go for DG.  Here's the procedures I created and use to setup DG on Red Hat and Suse, if you're interested.  

http://www.thewestbrooks.com/downloads/Content_Filtering_with_DansGuardian.pdf

They're older procedures that I haven't updated in a while, and it's based on either Suse 9.2 or RH Fedora Core 3, but it includes everything you need to install and configure Squid, DG and a log analyzer.

Have fun!
- Bruce

Author

Commented:
Well I've installed Linux suse on a box and managed to install Dan's Guardian - for the most part anyway.  Here's where I got my how to:
http://dansguardian.org/downloads/garylamprecht/The_Newbies_guide_to_installing_Suse_9.pdf

The issues I'm having:
1)I was never able to find Zlib-dev1 to install it.

2)  The guide said:
Do a crontab –e and enter in the following
59 23 * * sat /etc/dansguardian/logrotation
Now save and exit.

I did the above from a command prompt but couldn't figure out how to save it.

3)When I tried to start Dan's Guardian I got this error message:
Error connecting to parent proxy

I know it's been a while since I posted.  Any help would be greatly appreciated!

Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.