Difference between revisions of "Dansguardian"
RayMitchell (talk | contribs) m (minor change) |
RayMitchell (talk | contribs) m (custom firewall rule explanation enhanced) |
||
Line 58: | Line 58: | ||
'''1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080''' | '''1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080''' | ||
− | Note the functionality to create custom firewall rules using iptables is built in to the smeserver-dansguardian | + | Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian and is configured with the following commands |
config setprop squid TransparentPort 8080 | config setprop squid TransparentPort 8080 | ||
config setprop dansguardian portblocking yes | config setprop dansguardian portblocking yes | ||
− | signal-event post-upgrade; signal-event reboot | + | signal-event post-upgrade; signal-event reboot |
To return Transparent Proxy port to default value and to disable portblocking | To return Transparent Proxy port to default value and to disable portblocking |
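Review bot: On the + side of Line 58, the rewritten note still reads "built in to the smeserver-dansguardian and is configured with the following commands": the noun after the package name is missing and the sentence runs into the command lines without a colon. Suggest "... is built in to the smeserver-dansguardian rpm and is configured with the following commands:". The signal-event line is also marked as changed but reads the same on both sides, so it is worth confirming that the difference is whitespace only.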
Revision as of 13:59, 12 November 2007
Dansguardian web content filtering
Description
Dansguardian is a web content filter, which analyses the actual content of web pages based on many criteria including phrase matching, PICS filtering, URL filtering and lists of banned sites. Each content type is given a score, and when the threshold score is exceeded, access to the web site is blocked. For additional information see http://dansguardian.org
This HOWTO requires command line control to edit configuration files & restart the dansguardian service after configuration changes.
There is a commercial implementation of Dansguardian for sme server which adds a server manager panel to allow GUI control of all Dansguardian functionality & settings, see http://dungog.net/wiki/Dungog-dansguardian
Information
To have a proper understanding of how Dansguardian works and the importance of certain configuration settings you should read the detailed installation notes and Manual at the Dansguardian web site http://dansguardian.org
Installation notes for the old version 2.4 are here: http://dansguardian.org/downloads/detailedinstallation2.4.html#further
The FAQ is here: http://sourceforge.net/docman/display_doc.php?docid=27215&group_id=131757
Information about group configuration is here: http://contentfilter.futuragts.com/wiki/index.php?title=Group_Configuration
Mailing list is here: http://tech.groups.yahoo.com/group/dansguardian/
The information on the Dansguardian website and the other websites referred to is of a generic nature and some of it is NOT applicable to sme server installations. Refer to the instructions in this HOWTO in preference.
Installation instructions
Download the required rpms into an empty folder on your sme server using the Linux wget command
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.9.8-2/dansguardian-2.9.8-2.noarch.rpm
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.9.8-2/smeserver-dansguardian-2.9-3.el4.sme.noarch.rpm
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.8.0.6/dungog-blacklists-1.0-20061002.noarch.rpm
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.9.8-2/pcre-6.7-1.i386.rpm
Install the rpms
yum localinstall *.rpm
Alternatively you can add the dungog repository
The following command will configure the Dungog repository on SME Server. The dungog repository will no longer be updated. All the contribs from this repository have been moved to the smecontribs repository.
DungogMember contribs are still at http://www.dungog.net
After adding it to the database we have to update the changes to the configuration file:
signal-event yum-modify
Install dansguardian and its dependencies
yum --enablerepo=dungog install smeserver-dansguardian dungog-blacklists
To view available updates
yum --enablerepo=dungog list updates
Modifying Firewall and Proxy
Configuring your system to force Dansguardian usage & prevent bypassing
Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should do the following steps:
1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080
Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian rpm and is configured with the following commands:
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot
To return Transparent Proxy port to default value and to disable portblocking
config delprop squid TransparentPort 3128
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot
2) Configure your workstation web browser to auto detect proxy port
Go to your workstation and open your browser eg Internet Explorer or Firefox or your preferred browser
Change the settings for Connections to LAN
Select Auto detect proxy
Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080
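A server-side check for step 1, added here as an example (it is not part of the original HOWTO or of the smeserver-dansguardian rpm): it reads iptables-save output and confirms that port 80 is redirected to 8080 and that direct access to 3128 is blocked. The rules SME Server actually generates are not shown on this page, so the chain name and addresses in the sample are constructed, and DROP and REJECT are assumed to be the blocking targets (a third argument names others).

```sh
#!/bin/sh
# check_bypass_rules FILTER_PORT SQUID_PORT [DENY_TARGETS]
# Reads iptables-save output on stdin. Returns 0 only if web traffic is
# redirected to FILTER_PORT and direct access to SQUID_PORT is blocked.
check_bypass_rules() {
  awk -v fp="${1:-8080}" -v sp="${2:-3128}" -v dt="${3:-DROP REJECT}" '
    # Word following option "opt" in the current rule, or "" if absent.
    function arg(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    BEGIN { n = split(dt, t, " "); for (i = 1; i <= n; i++) deny[t[i]] = 1 }
    /^\*/ { table = substr($1, 2); next }   # table header: *nat, *filter
    $1 != "-A" { next }                     # skip policies, COMMIT, comments
    {
      target = arg("-j"); dport = arg("--dport")
      to_filter = (target == "REDIRECT" && arg("--to-ports") == fp) ||
                  (target == "DNAT" && arg("--to-destination") ~ (":" fp "$"))
      if (table == "nat" && to_filter) {
        if (dport == "80") redirected = 1
        else if (dport == "") via[$2] = 1   # redirect sits in a sub-chain
      }
      if (table == "nat" && dport == "80") jump80[target] = 1
      if (dport == sp && (target in deny)) blocked = 1
    }
    END {
      for (c in via) if (c in jump80) redirected = 1
      printf "%s port 80 -> %s redirect\n", (redirected ? "OK  " : "FAIL"), fp
      printf "%s direct access to port %s blocked\n", (blocked ? "OK  " : "FAIL"), sp
      exit !(redirected && blocked)
    }'
}

# Constructed sample ruleset (chain name and addresses are made up).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j WebFilter
-A WebFilter -p tcp -j DNAT --to-destination 192.168.1.1:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j DROP
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | check_bypass_rules 8080 3128
```

On the server itself, pipe the live ruleset in with: iptables-save | check_bypass_rules 8080 3128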
Configuring Proxy to use Auth login
This functionality is built in to the rpms provided by http://www.dungog.net & requires enabling with a db command
Dansguardian supports different types of auth login ie nsca, pam & ident
Depending on your requirements, enable using the appropriate command. Most users of sme will probably use pam auth as that will authorise access against sme users and passwords.
For details regarding the various auth login methods & other configuration requirements, see http://dansguardian.org or Google. Select one of the following:
config setprop squid RequireAuth pam
config setprop squid RequireAuth nsca
config setprop squid RequireAuth ident
To disable Auth login
config delprop squid RequireAuth
To enable any of the above setting changes you must follow the command with:
expand-template /etc/squid/squid.conf
sv t /service/squid
Using NCSA Auth login
If you are using nsca auth, create the user & password authentication list (you don't require users to be valid sme users)
touch /etc/proxyusers
Enter user names & password combinations one by one using this command
htpasswd -b /etc/proxyusers username password
You can test the authentication list using the following command
/usr/lib/squid/ncsa_auth /etc/proxyusers
Then enter the username & password when asked
You will see an ERR or OK response
Using Ident login
If you are using ident auth, you will require an ident client on your workstation. One Windows ident client is available from:
https://sourceforge.net/projects/retinascan
In some cases, the Windows firewall blocks access to the ident client and you will have to add an exception in your firewall rules as follows:
Control Panel >> Windows Firewall >> Exceptions >> Add Port
- Name: auth
- Port number: 113
- TCP
Modifying Dansguardian configuration
You need to manually modify the configuration files /etc/dansguardian/dansguardian.conf, /etc/dansguardian/dansguardianf1.conf, /etc/dansguardian/dansguardianf2.conf, /etc/dansguardian/dansguardianf3.conf and so on, depending on the number of filter groups you wish to have.
pico -w /etc/dansguardian/dansguardian.conf
You will initially need to change:
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
for example to
accessdeniedaddress = 'http://www.mydomain.com/cgi-bin/dansguardian.pl'
Make any other required changes to suit your situation by carefully reviewing the other setting possibilities
Ctrl o (to save)
Ctrl x (to exit)
pico -w /etc/dansguardian/dansguardianf1.conf
You may initially need to change (to suit adult level of protection)
naughtynesslimit = 50
to
naughtynesslimit = 160 (or even 250 or 300 depending on your sensitivity/tolerance requirements)
Make any other required changes to suit your situation by carefully reviewing the other setting possibilities
Ctrl o and Ctrl x
If you wish to use additional filter groups then edit further configuration files.
pico -w /etc/dansguardian/dansguardianf2.conf
Make any required changes to suit your situation by carefully reviewing all the setting possibilities
Ctrl o and Ctrl x
pico -w /etc/dansguardian/dansguardianf3.conf
Make any required changes to suit your situation by carefully reviewing all the setting possibilities
Ctrl o and Ctrl x
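The settings named above can be checked across all filter groups with a short script, added here as an example rather than taken from the HOWTO or the Dansguardian package. It assumes the filtergroups setting in dansguardian.conf gives the number of groups; the sample files it writes to a temporary directory are constructed.

```sh
#!/bin/sh
# conf_get FILE KEY: print the value of the first "KEY = value" line,
# skipping comment lines and stripping spaces and single quotes around it.
conf_get() {
  awk -v k="$2" -v q="'" '
    /^[ \t]*#/ { next }
    {
      eq = index($0, "="); if (!eq) next
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      if (key != k) next
      val = substr($0, eq + 1)
      gsub("^[ \t" q "]+|[ \t" q "]+$", "", val)
      print val; exit
    }' "$1"
}

# audit_dansguardian [DIR]: status 0 only if every check passes. The body is
# a subshell, so variables stay local and "exit" only ends the function.
audit_dansguardian() (
  dir="${1:-/etc/dansguardian}"; rc=0; n=1
  [ -r "$dir/dansguardian.conf" ] || { echo "FAIL cannot read $dir/dansguardian.conf"; exit 1; }
  addr=$(conf_get "$dir/dansguardian.conf" accessdeniedaddress)
  case "$addr" in
    ''|*YOURSERVER.YOURDOMAIN*) echo "FAIL accessdeniedaddress unset or still the placeholder"; rc=1 ;;
    *) echo "OK   accessdeniedaddress = $addr" ;;
  esac
  groups=$(conf_get "$dir/dansguardian.conf" filtergroups)
  case "$groups" in ''|*[!0-9]*) groups=1 ;; esac
  while [ "$n" -le "$groups" ]; do
    f="$dir/dansguardianf$n.conf"; limit=''
    [ -r "$f" ] && limit=$(conf_get "$f" naughtynesslimit)
    case "$limit" in
      ''|*[!0-9]*) echo "FAIL group $n: no numeric naughtynesslimit in $f"; rc=1 ;;
      *) echo "OK   group $n: naughtynesslimit = $limit" ;;
    esac
    n=$((n + 1))
  done
  exit "$rc"
)

# Constructed sample: placeholder left in place, group 2 file never created.
demo=$(mktemp -d)
printf "%s\n" "filtergroups = 2" \
  "accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'" \
  > "$demo/dansguardian.conf"
printf "%s\n" "# filter group 1" "naughtynesslimit = 160" > "$demo/dansguardianf1.conf"
audit_dansguardian "$demo" || echo "audit found problems"
rm -rf "$demo"
```

Run it against the live configuration with: audit_dansguardian /etc/dansguardian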
Modifying other Dansguardian configuration files
You will need to change other config files to suit your site requirements:
You can read information in the beginning of each config file that explains usage & syntax
These are located in /etc/dansguardian/lists..., /etc/dansguardian/lists/f1/..., /etc/dansguardian/lists/f2/... & so on, and their subfolders
eg
pico -w /etc/dansguardian/lists/f1/bannedextensionlist
make the required changes
Ctrl o and Ctrl x
Most users will need to change these 4 files as a minimum
bannedextensionlist
bannedsitelist
bannedurllist
exceptionsitelist
You should review ALL the dansguardian config files in /etc/dansguardian/lists and subfolders as part of your initial Dansguardian setup.
Some of the default settings in these files will prevent access to certain web sites and file types, which may conflict with your site requirements. See details in the "Further customisation" section at the end of this Howto or at http://dansguardian.org
Modifying the default html error message page
You may also want to tailor the html template for the error message displayed when Dansguardian blocks a site, see
/etc/dansguardian/languages/(languagename)/template.html
eg
pico -w /etc/dansguardian/languages/ukenglish/template.html
Groups and Auth login
See http://dansguardian.org re Group configuration functionality in relation to Auth login (ie filtering users' access rights based on group membership)
The Group filter files are located in:
/etc/dansguardian/lists/f1/...
/etc/dansguardian/lists/f2/...
/etc/dansguardian/lists/f3/...
and so on depending on the number of groups you set up
Edit these to suit your site requirements
Other Dansguardian Config Files
There are many other config files, including but not limited to the ones in this appendix
The following are rough notes re creating additional files & configuration steps needed for multiple filter groups.
Starting Dansguardian
After install & initial configuration you must manually start Dansguardian to enable web content filtering
(Note that suitable links to start Dansguardian at startup/reboot are set up when the rpm is installed)
/etc/init.d/dansguardian start
Stopping Dansguardian
If you need to stop Dansguardian (ie to disable filtering or test your system without Dansguardian running)
/etc/init.d/dansguardian stop
Restarting Dansguardian
You will need to restart Dansguardian after making any configuration changes (so they can take effect)
/etc/init.d/dansguardian restart
Status check of Dansguardian
If you need to check that Dansguardian is running
/etc/init.d/dansguardian status
Using Group Policy Editor to force proxy port setting on workstations
If you are using Windows & Internet Explorer you can use Group Policy Editor (gpedit.msc) to configure your workstation settings, to force all users of the workstation to use preset proxy port settings.
Refer to this forum thread for additional details
http://forums.contribs.org/index.php?topic=38284.0
Note that if TransparentPort = 8080 and portblocking = yes and you are not using Group Filtering, workstations can be set to "Auto detect proxy port" and will be forced to use Dansguardian.
Note that if Transparent = no and you are using Group Filtering with user login authentication, then your browser's proxy port will need to be set to port 8080 (for all users). If you are using Windows & Internet Explorer, then using gpedit.msc can simplify configuration for all users of workstations.
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-dansguardian component.
Tested software versions
- Host: SMEserver v7.1.3, v7.2
- Installed: smeserver-dansguardian 0.9-3.el4.sme
- Dependency Installed: dansguardian 2.9-2