Windows and Linux - prevent browser web access?

Hey all,

Is there a way to completely prevent browser-based internet access for a user account in Windows or Linux? I’d like to limit web access to an hour a day.

On the Mac, what I did was to use LeechBlock to restrict Firefox, and delete Safari. Bingo!

On Windows XP, I’ve used LeechBlock on Firefox, and used ‘Set Program Access and Defaults’ to prevent IE access, but it’s still possible to reach IE using ‘Windows Update’ on the Start menu. How can I prevent this?

On Linux, my worry is that it’s always possible to install another browser using apt or something similar. Can this be prevented?

I want to allow web browsing in Firefox, but restrict it with LeechBlock - so it’s other browsers I want to block. I also want to allow non-web internet access, most importantly Dropbox and email.

Thanks!
pdts

How about running a cron script to just kill any Firefox or Safari or other browser and its process?

I am broadly familiar with such scripts but couldn’t write one for you, but couldn’t you just run a script every (5?) minutes that would do:
if time is not between allowable hours; then for name in Firefox Safari ...; do ps auwx | grep -i "$name" | grep -v grep | awk '{print $2}' | xargs kill; done; fi

I bet on some scripting forums someone could give you a better framework.
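A worked version of the cron watchdog sketched above, added here as an example rather than code from anyone in the thread. It assumes the allowed window is 19:00 to 20:00 (the thread never fixes the hour), that the blocked browser names are illustrative, and that Firefox is left alone because LeechBlock governs it:

```shell
#!/bin/sh
# Added example (not code from the thread): a watchdog meant to run from cron
# every few minutes that kills browsers you have not approved, outside a
# daily allowed window. Assumptions: the window is 19:00-20:00 (the thread
# never fixes the hour), and the browser names below are illustrative.
# Crontab line (assumed path):  */5 * * * * /usr/local/sbin/browser_watch.sh --run

ALLOW_START=19     # first allowed hour, inclusive (assumed)
ALLOW_END=20       # hour at which the window closes (assumed)
# Firefox is deliberately absent: the thread leaves it to LeechBlock.
BLOCKED="chromium chrome epiphany konqueror"

# in_window HOUR : succeeds when HOUR (0-23) lies inside the allowed window
in_window() {
    [ "$1" -ge "$ALLOW_START" ] && [ "$1" -lt "$ALLOW_END" ]
}

# browsers_to_kill HOUR : prints, one per line, the names to terminate now
browsers_to_kill() {
    if in_window "$1"; then
        return 0            # inside the window: print nothing
    fi
    for name in $BLOCKED; do
        printf '%s\n' "$name"
    done
}

# enforce : kill every listed browser that is running right now
enforce() {
    hour=$(date +%H)
    hour=${hour#0}          # "08" -> "8", "00" -> "0": keeps the test decimal
    for name in $(browsers_to_kill "$hour"); do
        # -x matches the exact process name, so "chromium-browser" would need
        # its own entry; pkill -f (full command line) is the alternative.
        pkill -x "$name" 2>/dev/null || true
    done
}

if [ "${1:-}" = "--run" ]; then
    enforce
fi
```

Install it in root’s crontab, not the restricted user’s, or the user can simply edit the job away. The weakness the thread itself points out still applies: matching on the process name is defeated by copying the binary under another name, so this is a nuisance barrier, not a control.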

You could also block the port used by web browsers. Anything you do, though, depends on you being more computer-savvy than the person you’re restricting. Anything can be circumvented.

In Linux, you could do:

iptables -A OUTPUT -p tcp --dport 80 -m time --timestart 20:00 --timestop 19:00 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -m time --timestart 20:00 --timestop 19:00 -j DROP

This will block all outbound access on ports 80 and 443, but allow it between 7 and 8pm.

I don’t think you can install a browser (or much of anything of consequence) without root access. I’d set up a cron job to change the permissions on your already installed browser so it’s only executable by the restricted user during the desired hours.

But if it’s a teenager, I kinda agree with Chronos, they probably have enough free time and energy to figure out how to circumvent whatever restrictions you put up. On the plus side, they’ll probably learn something about OSes in the process.

There are browsers designed to be runnable without being installed at all. You can run them directly from a thumb drive, or I imagine from the same files sitting around in a home directory.

Probably the most secure thing you could do would be to take some piece of hardware required for internet access (an ethernet cable, perhaps) and physically lock it up, unless you need to allow other Internet access for some reason. Though even that could still be circumvented if the person in question buys their own cable or whatever.

On Windows you can theoretically restrict software from running via Group Policies or Software Restriction Policies (easier tutorial here).

This only works if their user account is a Limited one (non-admin), and you have to disable potential workarounds as well (command prompt, etc.). If you’re using SRP, you want to use the hash check method so they can’t simply rename files to make them run.

At the simplest level, Windows 7 includes Parental Controls which can do similar things with much less hassle, but IE is whitelisted by default for some reason… there may be a way around that, but I’m not sure.

On Linux, perhaps you can use user/usergroups permissions to limit execution of anything except what you specify? I’m not sure.


As for net filtering, it’s pretty much worthless unless you’re willing to do it with a whitelist (meaning ALL sites are blocked by default and only certain ones that you exempt can be accessed, as opposed to a blacklist where all sites are available by default and only certain ones are blocked). Due to the abundance of proxies, VPNs, scripts, etc., blacklist filters are worthless against any savvy user or teenager.


You should also filter traffic on the router such that during restricted hours, ALL ports (inbound and outbound, TCP and UDP) are blocked except email ports (POP3/SMTP/IMAP) and whatever Dropbox uses. Note that this will block Firefox’s web browsing during those hours as well, which I’m not sure you want.


And you should probably back up your technological defenses with physical security, whether that’s locking up your hardware in a closet, employing discipline, getting legal on their asses, etc., depending on the situation.

And if you plan on allowing any other programs (like MS Office) to run, you should also run a password-protected software firewall that blocks outgoing net traffic on a per-application basis.

Excel has a built-in web browser, and I think most Office apps can access the internet in different ways (embedded media and macros come to mind). Windows Media Player also has an integrated browser tied into the store.

They all run on the same ports as Firefox, so there’s no way LeechBlock or your router will catch them; that’s where the software firewall comes in.
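The time-windowed iptables rules earlier in the thread and the default-deny suggestion above (block everything during restricted hours except mail and Dropbox) can be combined on a Linux host or a Linux-based router. The script below is an added example, not code from the thread; it assumes the allowed window is 19:00 to 20:00, the allowlist of ports shown, and an iptables with the `time` match. It only prints the commands unless run with `--apply`:

```shell
#!/bin/sh
# Added example (not code from the thread): a time-windowed outbound filter for
# a Linux host, or a Linux-based router, that during restricted hours refuses
# all outbound traffic except an allowlist of ports (DNS and mail here).
# Assumptions: the allowed browsing window is 19:00-20:00, the allowlist below,
# and iptables with the "time" match. Dry run by default (prints the commands);
# pass --apply to execute them as root.

ALLOW_START=19
ALLOW_END=20
# Stay open during restricted hours: DNS, SMTP, submission, POP3(S), IMAP(S).
# Dropbox's ports are NOT listed; confirm them from its documentation before adding.
KEEP_TCP="53 25 465 587 110 995 143 993"
KEEP_UDP="53"

# window_args ALLOW_START ALLOW_END : the -m time arguments matching the
# RESTRICTED period. iptables treats timestop < timestart as wrapping past
# midnight, so "restricted" is simply "from ALLOW_END round to ALLOW_START".
# --kerneltz evaluates the times in the kernel's timezone instead of UTC.
window_args() {
    printf '%s --timestart %02d:00 --timestop %02d:00' "-m time --kerneltz" "$2" "$1"
}

# ruleset : prints one iptables command per line; nothing is executed here.
ruleset() {
    t=$(window_args "$ALLOW_START" "$ALLOW_END")
    echo "iptables -N RESTRICTED_OUT"
    echo "iptables -A RESTRICTED_OUT -o lo -j RETURN"
    for p in $KEEP_TCP; do
        echo "iptables -A RESTRICTED_OUT -p tcp --dport $p -j RETURN"
    done
    for p in $KEEP_UDP; do
        echo "iptables -A RESTRICTED_OUT -p udp --dport $p -j RETURN"
    done
    # Everything else, existing connections included, is refused: a browser
    # session opened at 19:59 dies at 20:00 instead of surviving the window.
    echo "iptables -A RESTRICTED_OUT -j REJECT"
    echo "iptables -I OUTPUT 1 $t -j RESTRICTED_OUT"
}

if [ "${1:-}" = "--apply" ]; then
    ruleset | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
else
    ruleset
fi
```

Two caveats the thread touches on. First, as noted above, this blocks Firefox during restricted hours too; to keep the narrower behaviour of the earlier two-line version, limit the chain to destination ports 80 and 443 instead of REJECTing everything. Second, `--kerneltz` is what makes the hours local: without it (or on an iptables too old to have it) the time match is evaluated in UTC, which is one reason such rules fire at unexpected local hours.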

Don’t some routers come with access scheduling now?

This is commonly used at workplaces to force employees to use a proxy server. It’s easy to get around if you have access to another machine on the Internet (such as your own computer at home): set up an ssh tunnel from the work computer to your home computer, and route all your web traffic through it.

How is the cron script going to know which processes are web browsers? Presumably it’s just going to look for the executable filename, which is trivial to get around: copy the executable to your own home directory and rename it to something else.

Almost anything of consequence, including web browsers, can be installed just fine from a user account. For example, for GNU/Linux source packages using the Autotools (which is the majority of them), all you need to type is the following:

$ ./configure --prefix=/home/foo && make && make install

It’s similarly easy with many binary package formats, such as rpm.

The scheduling on consumer routers is usually not intelligent enough to differentiate on anything more than a ports basis.

What really needs to happen here is deep packet inspection, but for that to be effective, you’d have to disallow encryption… and even then, you could probably disguise stuff inside standard web or email traffic as binary data or attachments.

Which is why there should be an IP whitelist to only specifically allowed sites.

(More to Disheavel than you) Blacklisting applications is likewise pointless as long as network access is unfiltered, since it’s trivial to download some obscure browser and run that instead. You’d have to auto-kill any program that tries to connect to the Internet (or just deny it through a firewall to begin with).


Also, put down the sabre, how do you plan on protecting Firefox itself? Couldn’t somebody just disable LeechBlock? Or perhaps install another extension that works around it?

Hey all,

Thanks for the replies! The person I’m trying to prevent going online is myself (big internet addict, but I need my computer for school unfortunately). I’ve given myself a limited user account on Windows, and my wife an admin account, and had her set the password and not tell me.

LeechBlock on Firefox works pretty well for me - it can self-protect so you can’t disable it when it is active. But at the moment I just find myself starting Internet Explorer using the ‘Windows Update’ entry on the Start menu. So I don’t need a huge level of security.

On the Mac, I installed LeechBlock and deleted Safari, and that has been enough.

Thanks!
pdts

You’re fighting your own addiction? Silly software tricks like that won’t work long. Make a little gadget out of Lego Mindstorms instead. Connect one end to your router and the other to a taser, and have it zap you whenever it detects unauthorized web activity. If you’re ethically concerned, have it beep for a few seconds before imminent discipline so you have time to behave. Pretty soon you should have a Pavlovian aversion to “bad internet” time.

That, or start a Webaholics Anonymous chapter… don’t rely on silly software tricks! They never work :frowning:

(Guess how I know?)

And all they have to do is put in a linux live boot disk and all bets are off. Plus no history!

Nothing is going to be 100% effective. The idea is just to make it more trouble than it’s worth to fix it.