A Myspace Lockdown - Is It Possible?

Raxxon asks: "We (my business partner and I) were asked by a local company to help 'tighten up' their security. After looking at a few things we ran some options by the owner and he asked that we attempt to block access to MySpace. He cited reasons of wasted work time as well as some of the nightmare stories about spyware/viruses/etc. Work began and the more I dig into the subject the worse things look. You can block the 19 or 20 Class C Address Blocks that MySpace has, but then you get into problems of sites like "MySpace Bypass" and other such sites that allow you to bypass most of the filtering that's done. Other than becoming rather invasive (like installing Squid with customized screening setups) is there a way to effectively block MySpace from being accessed at a business? What about at home for those who would like to keep their kids off of it? If a dedicated web cache/proxy system is needed how do you prevent things like SSL enabled Proxy sites (denying MySpace but allowing any potentially 'legal' aspects)? In the end is it worth it compared to just adopting an Acceptable Use Policy that states that going to MySpace can lead to eventual dismissal from your job?"

One way

[Zonk+(troll)]

Squid+SquidGuard

I had to do this for a school. Basically, set up Squid to act transparently. Set up an acl like:


acl myspace dstdomain .myspace.com
acl work_hours MTWHF 09:00-12:00
acl work_hours MTWHF 13:00-17:00
http_access allow myspace !work_hours
http_access deny myspace


That would allow access during lunch and before and after work.

If you want to block against proxies, use SquidGuard plus some blacklists. The ones at urlblacklist are good, as is the isakurldb list (it's based on dmoz). Another one is the one from shalla.de. All have social networking categories as well as proxy sites, though shalla's proxy and spyware lists tend to overblock.

I'd recommend merging urlblacklist's lists with isakurldb, and also shalla (but remove yimg.com from the redirector list manually) for both proxy and social networking. Then use SquidGuard to restrict the access.

Block the Class C

[mr100percent]

So block the class C's. Things like Myspace Bypass are not your problem, the average user probably won't know about that. At a certain point, you'll find a user who will just run an SSH proxy, and is it really worth the hassle for locking out the more advanced users like that?

Re:Definition of Draconian

[Aladrin]

American Heritage Dictionary - Cite This Source
draconian (dr-k'n-n, dr-) Pronunciation Key
adj. Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.

Words evolve. Deal with it.

Quick & dirty

[oatworm]

I had an employer ask me to do this for them as well. Since it was a Windows AD environment, I just set the internal DNS server to point myspace.com to 127.0.0.1 and set DHCP to hand out only the internal DNS server, which is what you want in an AD environment anyways. Obviously, it'd be fairly easy to circumvent (manually plug in an ISP's DNS server - problem solved), but it kind of ties into that "fence" idea mentioned in an earlier reply here, in that, for someone to figure out why Myspace wasn't working, they'd need to troubleshoot it, at which point they'd discover where Myspace was pointing and realize, "Hmm, someone probably intentionally did that."

I will point out that this was for a smallish company (25 people), not a school or anywhere else where the end-user can basically be assumed to be at least somewhat malicious. But, it does get the job done if you're in a hurry.