proxy user authentication and other issues

From: DaveT (bgates_at_sbcglobal.net)
Date: 09/19/03


Date: Fri, 19 Sep 2003 18:45:43 GMT

hello,
I got an unusual request today. A site wants to control internet access for
its users (a school). They are having a lot of problems with Microsoft
viruses/worms as well as trying to stop P2P stuff like Kazaa. They would
like to only let users who have been authenticated have internet access.
They currently have routers doing DHCP for IP addresses, so anyone can plug
into the network and get out.

So...after thinking about this for a while, I started thinking about using a
decent PC box running Suse with the Susefirewall, a few NICs and squid. The
next thing became setting up squid so it can do user authentication before
giving internet access; after some research I see that I'd have to use one
of the mod_auth_db or mod_auth_mysql modules. Since it's a school with a
bunch of kids, I started wondering about how to control user accounts and
passwords. For sure, I'd have to use mysql or something like it for the
ACLs and accounts/passwords. Then, I was wondering about an intranet
management website for this system; I've seen some CGI scripts for this.
So, the kids would come into school, sign in at the front desk, their info
gets entered into the system - at this point so they can get a user account
and password. The password would only last a few months and expire. The
susefirewall would control what traffic is allowed in (I have to also
figure out a way to stop Kazaa or other P2P sharing), the squid running
proxy authentication would give only authenticated users access to the
internet. I don't want the internal machines to see each other (helps to
reduce spread of viruses) so I block Microsoft file sharing ports (135, 139,
etc.). The kids have no rights or say over the network! My goal is to make
it as fast and reliable as possible, if some Microsoft windows functionality
is lost, so be it.

The last thing is monitoring of IP addresses....I have to come up with a log
monitoring system that catches any IP addresses that are being used too much
(being abused - either virus, worms, P2P file-sharing, etc.) and stop them.
The user account using that IP address would be emailed or called by the
school and told that their account has been disabled. Of course, they'll
know it's been disabled before the school will! So, the school just has to
wait for them to call.
I recall seeing pflog or some name like that which does log
monitoring... is this correct? I'd have to figure out a way to parse
the logs and if an IP address shows up too frequently within a period of
time, that IP address needs to be blocked somehow.

Basically...from what you see, am I on the right track? Any hints, advice,
experiences trying to tame crazy Microsoft windows machines are all welcome! :)

Oskar
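The log-monitoring piece the post asks about (parse the proxy logs, and flag any client IP that shows up too often within a period of time) can be done with a sliding-window count per client. The script below is an added example, not code from the original post or from Squid; it assumes Squid's native access.log layout (timestamp, elapsed, client IP, code/status, bytes, method, URL, username, hierarchy, type), a constructed set of sample log lines, and a window of 5 seconds with a threshold of 5 requests, all of which are assumptions for illustration. It also records which authenticated username was seen on the flagged IP, since the post wants to tie the IP back to an account, and builds (but does not run) an iptables DROP rule for each flagged address.

```python
"""Flag proxy clients that exceed a request-rate threshold in a short window.

Added example, not from the original post. Parses Squid native access.log
lines and keeps a sliding window of request timestamps per client IP.
"""
from collections import defaultdict, deque

# Constructed sample log lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
# 10.0.0.12 (jsmith) fires six requests in about three seconds; 10.0.0.25
# (mjones) makes two requests forty seconds apart.
SAMPLE_LOG = """\
1063997143.101    120 10.0.0.12 TCP_MISS/200 4523 GET http://example.org/ jsmith DIRECT/192.0.2.10 text/html
1063997143.250     80 10.0.0.12 TCP_HIT/200 1200 GET http://example.org/a.gif jsmith NONE/- image/gif
1063997144.010     95 10.0.0.12 TCP_MISS/200 9100 GET http://example.org/b.gif jsmith DIRECT/192.0.2.10 image/gif
1063997144.400     90 10.0.0.12 TCP_MISS/200 3300 GET http://example.org/c.gif jsmith DIRECT/192.0.2.10 image/gif
1063997145.700    110 10.0.0.12 TCP_MISS/200 2100 GET http://example.org/d.gif jsmith DIRECT/192.0.2.10 image/gif
1063997146.300     70 10.0.0.12 TCP_MISS/200 2200 GET http://example.org/e.gif jsmith DIRECT/192.0.2.10 image/gif
1063997150.000    130 10.0.0.25 TCP_MISS/200 5400 GET http://example.net/ mjones DIRECT/198.51.100.7 text/html
1063997190.000    140 10.0.0.25 TCP_MISS/200 5100 GET http://example.net/page2 mjones DIRECT/198.51.100.7 text/html
1063997200.000    100 10.0.0.12 TCP_MISS/403 900 GET http://example.org/f.gif jsmith DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Return (timestamp, client_ip, username) from one native-format line,
    or None if the line does not have the expected fields."""
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[7]


def find_abusers(lines, window=5.0, threshold=5):
    """Sliding-window rate check per client IP.

    Squid appends log lines in time order, so each line's timestamp is pushed
    onto that IP's deque and entries older than `window` seconds are dropped
    from the front. Whenever the deque holds `threshold` or more entries the
    IP is flagged. Returns {ip: {"peak": max_in_window, "users": {usernames}}}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        dq = recent[ip]
        dq.append(ts)
        while dq and ts - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            entry = flagged.setdefault(ip, {"peak": 0, "users": set()})
            entry["peak"] = max(entry["peak"], len(dq))
            entry["users"].add(user)
    return flagged


def block_rule(ip):
    """Build an iptables rule that drops forwarded traffic from `ip`.
    This only returns the command text; applying it is left to the operator."""
    return f"iptables -I FORWARD -s {ip} -j DROP"


if __name__ == "__main__":
    hits = find_abusers(SAMPLE_LOG.splitlines())
    for ip, info in sorted(hits.items()):
        users = ", ".join(sorted(info["users"]))
        print(f"{ip}: peak {info['peak']} requests in window (users: {users})")
        print("  suggested rule:", block_rule(ip))
```

With the constructed input, only 10.0.0.12 is flagged (six requests inside the window, account jsmith); 10.0.0.25 never exceeds one request per window. In practice the thresholds need tuning against the school's normal browsing pattern, since a single web page can legitimately trigger a burst of requests for images and scripts, and the script would be run against the live log with a longer window (for example, minutes rather than seconds) to catch worm or P2P traffic rather than page loads.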
