虚拟主机的操作系统拟机妙用
No matter how hard you try to keep your kids safe from undesirable websites on the Internet, it seems like there is always some method of circumventing any protection you set up. Today’s SuperUser Q&A post discusses the possibility of using a virtual OS to access websites blocked in the host OS’s hosts file.
无论您多么努力使孩子免受Internet上不良网站的威胁,似乎总有某种方法可以规避您设置的任何保护措施。 今天的SuperUser Q&A帖子讨论了使用虚拟OS访问被宿主OS的hosts文件中阻止的网站的可能性。
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.
今天的“问答”环节由SuperUser提供,它是Stack Exchange的一个分支,该社区是由社区驱动的Q&A网站分组。
Screenshot courtesy of John M (Flickr).
屏幕截图由John M(Flickr)提供。
问题 (The Question)
SuperUser reader Vinayak wants to know if it is possible to use a virtual OS to access websites blocked in the host OS’s hosts file:
超级用户阅读器Vinayak想知道是否可以使用虚拟操作系统来访问在主机操作系统的主机文件中阻止的网站:
I was reading through a Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.
我正在阅读Net Nanny的一篇文章,其中提到儿童可以绕过Web筛选器的各种方式。
I saw this among the methods listed:
我在列出的方法中看到了这一点:
- One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that will not have Net Nanny installed, and then surf the web with no filter. 青少年可以完全绕过过滤器的一种方法是在计算机上安装运行虚拟机的程序,该程序实际上是计算机中的一台计算机。 因此,例如,如果您的计算机的操作系统是Windows,则狡猾的青少年可以下载一个运行未安装Net Nanny的虚拟Windows操作系统的程序,然后在没有过滤器的情况下浏览网络。
Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites. Assume for the moment that such a huge, regularly updated hosts file does exist (including websites with adult content, web proxies, P2P file-sharing, etc.).
现在我想知道,如果主机操作系统上的主机文件阻止了对所有不需要的网站的访问,是否仍然有可能实现这一目标。 暂时假设确实存在如此庞大且定期更新的主机文件(包括具有成人内容的网站,Web代理,P2P文件共享等)。
Would it be possible to visit those blocked websites using a web browser running in the virtual OS? Also, assume that no VPN or TOR is used, nor Google’s “cached” view of the webpage.
是否可以使用在虚拟OS中运行的Web浏览器访问那些被阻止的网站? 另外,假设不使用VPN或TOR,也不使用Google的网页“缓存”视图。
Is it possible to access undesirable websites in the virtual OS or will the hosts file in the Host OS block access to them?
是否可以访问虚拟操作系统中不需要的网站,或者主机操作系统中的主机文件会阻止对它们的访问?
答案 (The Answer)
SuperUser contributor Darth Android has the answer for us:
超级用户贡献者Darth Android为我们提供了答案:
Yes. The hosts file does not block anything, it just tells the computer where it can find named websites. When you try going to google.com, the system will check its hosts file for that name, and if it exists, it will use the IP address there instead of looking up the IP address from a DNS server.
是。 hosts文件不会阻止任何内容,它只是告诉计算机可以在何处找到命名的网站。 当您尝试访问google.com时,系统将检查其主机文件中的名称,如果该名称存在,它将使用那里的IP地址,而不是从DNS服务器中查找IP地址。
A virtual OS has its own hosts file, and performs its own name resolution (i.e. checking its own hosts file and contacting its own DNS server) independent from the host OS.
虚拟操作系统具有其自己的主机文件,并且独立于主机OS进行其自身的名称解析(即检查其自身的主机文件并联系其自身的DNS服务器)。
Even if you redirected google.com to 127.0.0.1 (a common way of blocking a website), you can still get to Google simply by typing 173.227.93.99 into your web browser instead.
即使您将google.com重定向到127.0.0.1(阻止网站的一种常见方式),也仍然可以直接在网络浏览器中输入173.227.93.99来访问Google。
Additionally, IP-based filters on the host OS may be useless depending on how the virtual OS network is configured. Usually, the virtual OS is bridged with the host’s networking, meaning that all incoming traffic is duplicated and sent to the virtual OS so that it can see the same network traffic that the host OS does. Even if the host OS is configured to block or filter certain IP addresses (such as with a firewall), the virtual OS will still get to see its copy of the data, which will allow the virtual OS to browse the internet and ignore a filter installed on the host OS.
此外,取决于虚拟OS网络的配置方式,主机OS上基于IP的筛选器可能没有用。 通常,虚拟OS与主机的网络桥接在一起,这意味着所有传入流量都被复制并发送到虚拟OS,以便它可以看到与主机OS相同的网络流量。 即使将主机操作系统配置为阻止或过滤某些IP地址(例如使用防火墙),虚拟操作系统仍然可以查看其数据副本,这将允许虚拟操作系统浏览互联网并忽略过滤器安装在主机操作系统上。
Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it. Kids have lots of free time, and by no means are they an exception to this rule. It is trivial to reboot a system into safe mode and remove Net Nanny or any other piece of software installed upon it.
记住计算机和安全性的基本规则:如果我可以物理接触计算机系统,那么只要有时间我就可以完全控制它。 孩子们有很多空闲时间,但绝不是这条规则的例外。 将系统重新启动到安全模式并删除Net Nanny或安装在其上的任何其他软件都是很简单的。
If you wish to filter/restrict/monitor what your kids do on the Internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as Net Nanny Integration like @Keltari suggests) and if it will support alternate router firmware such as DD-WRT, which can do a scheduled disconnect of the child’s computer (such as 10 p.m. to 6 a.m. each day).
如果您希望过滤/限制/监视孩子在Internet上所做的工作,则需要在网络级别(而不是系统级别)执行此操作。 查看您的路由器支持哪些功能(例如@ Keltari建议的Net Nanny Integration ),以及它是否支持备用路由器固件(例如DD-WRT) ,该固件可以定时断开孩子的计算机(例如,晚上10点至凌晨6点)每天)。
Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor. It is next to impossible to stop someone from accessing the Internet if they really want to (just ask China or other countries with massive firewalls that ultimately do not work perfectly).
即便如此,网络过滤通常还是Whack-A-Mole的游戏,并且经常容易被Tor之类的代理所挫败。 如果某人确实想阻止某人访问Internet,那几乎是不可能的(只要问中国或其他拥有大量防火墙而最终无法正常运行的国家)。
With kids, you either have to talk with them and explain the perils of the Internet, then have enough trust that they will not intentionally seek out the bad sites (using Net Nanny merely as a backup to stop accidental navigations), or you refuse to let them use a connected computer unsupervised.
与孩子一起,您要么必须与他们交谈并解释Internet的危险,然后要有足够的信任以至于他们不会故意寻找不良站点(仅将Net Nanny用作备份来阻止意外导航),或者您拒绝让他们在无人看管的情况下使用连接的计算机。
Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.
有什么补充说明吗? 在评论中听起来不错。 是否想从其他精通Stack Exchange的用户那里获得更多答案? 在此处查看完整的讨论线程。
虚拟主机的操作系统拟机妙用
6142
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
