DansGuardian
Open Source Content Filtering
Andrew Vandever, RHC{T,E,I,X}
[email protected]
http://avcomp.net
DansGuardian
What Is DansGuardian?
Installing DansGuardian
Basic Configuration
List Management
Filter Groups
Advanced Url Matching with RegExp
Further Resources
What Is DansGuardian?
Content Filter
Offensive Content
Time-Wasters
Malware
Logging
User-Based Management
Squid Users
Ident
IP Addresses
Schools, businesses and even home users have a lot to lose when workstation users accidentally or intentionally reach offensive content, time-wasting content, or malware. DansGuardian protects the network from all three.

DansGuardian logs to /var/log/dansguardian/access.log. The logfileformat directive in dansguardian.conf can switch the log to Squid's format, which makes it easy to analyze later with tools like calamaris.
What Is DansGuardian?
Comparable to WebSense, SonicWall
Pairs with a Proxy
Squid
TinyProxy
Other
Scalable
Easy to Install
Fedora/EPEL
Ubuntu
TinyProxy uses far fewer resources than Squid, which makes it very nice for home use. However, you give up 3 of your 5 authentication mechanisms (the proxy-basic, proxy-digest and proxy-ntlm plugins need Squid). Squid is also probably the better choice for an environment with many users.

DG scales by forking child processes, much like Apache HTTPD.

EPEL is Extra Packages for Enterprise Linux. You could also grab the source from dansguardian.org.
What Is DansGuardian?
Open Source
Patchable
Flexible
Community Support
Commercial Support Available: Smoothwall
Smoothwall provides commercial packaging and support for DG.

Either the browser is configured to use DG as its proxy (explicit proxy), or the firewall intercepts the traffic and redirects it to DG (transparent proxy). Explicit proxy is better, but harder to manage. Transparent proxy is easier to manage, but gives you less flexibility with traffic like SSL, and it rules out 3 of DG's 5 auth mechanisms (the three proxy-auth plugins), leaving ident and ip. For SSL, sending the traffic directly to Squid is typically the better choice.
Installing DansGuardian
DG Itself (Fedora; similar on Ubuntu)
yum -y install dansguardian
chkconfig dansguardian on
service dansguardian start
Squid
yum -y install squid
chkconfig squid on
service squid start
Installing DansGuardian
Alternative: TinyProxy
yum -y install tinyproxy
chkconfig tinyproxy on
service tinyproxy start
TinyProxy listens on 8888 by default while DG expects its parent proxy on 3128 (Squid's port): change TinyProxy's Port or DG's proxyport so the two match
Default Configuration
/etc/dansguardian/* (possibly /usr/share/dansguardian)
/etc/squid/*, /etc/tinyproxy/*
Installing DansGuardian
Default Configuration
dansguardian.conf server configuration file
dansguardianf1.conf filter settings for first group
lists/* - blacklists, whitelists, regexp lists, group lists
squid.conf main squid configuration, defaults okay
tinyproxy.conf main TP configuration, check port
Installing DansGuardian
Set Browser Proxy
Depends on browser
More systems = harder to manage
Difficult to enforce
Best option if you can do it
Firewall
Easier to configure
Easier to enforce
Breaks SSL (intercepted HTTPS cannot be filtered by DG; pass 443 straight to Squid or block it)
Examples (gateway is 10.0.0.1, DG box is 10.0.0.2; the DNAT rules belong in the nat table's PREROUTING chain, since the nat table has no FORWARD chain):
iptables -t nat -A PREROUTING -s 10.0.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 ! -d 10.0.0.0/8 -j DNAT --to-destination 10.0.0.2:8080
iptables -t filter -A FORWARD -m tcp -p tcp --dport 3128 ! -d 10.0.0.2 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 8080 ! -d 10.0.0.2 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 8888 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 443 -j REJECT
iptables -t filter -A FORWARD -j LOG
service iptables save
Now make sure Squid on 10.0.0.1 accepts port-80 traffic only from loopback (DG), but port-443 traffic from all clients.
Caveat: if the clients and the DG box sit on the same subnet, DG's replies go straight back to the client without passing the gateway and the redirected connections fail; put DG on a separate segment, or also SNAT the redirected traffic in POSTROUTING so the replies return through the gateway.
Installing DansGuardian
Firewall Configuration
Accept HTTP traffic from Squid
DNAT HTTP traffic to DansGuardian
Reject outbound proxy ports
Log or block other outbound ports
Example (redirect the box's own traffic to DG; locally generated packets are NATed in the nat table's OUTPUT chain):
iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
iptables -t filter -A OUTPUT -m tcp -p tcp --dport 3128 -j REJECT
iptables -t filter -A OUTPUT -m tcp -p tcp --dport 8080 -j REJECT
iptables -t filter -A OUTPUT -m tcp -p tcp --dport 8888 -j REJECT
iptables -t filter -A OUTPUT -j LOG
service iptables save
The owner match exempts Squid's own fetches from the redirect. Note that OUTPUT filter rules also apply to loopback, so if Squid runs on this same host, exempt the user DG runs as (another --uid-owner ACCEPT ahead of the 3128 REJECT) or loopback traffic; otherwise DG's own connections to its parent proxy on 3128 are rejected too.
DansGuardian Configuration
Basic Configuration
grep 'filterport' dansguardian.conf
grep 'downloadmanager' dansguardian.conf
grep 'contentscanner' dansguardian.conf
grep 'naughtynesslimit' dansguardianf1.conf
DansGuardian likes a local caching DNS server
yum -y install bind; chkconfig named on; service named start
nameserver 127.0.0.1 in /etc/resolv.conf
Otherwise, whitelisting may be necessary
The default BIND (named) configuration in Fedora performs recursive lookups for localhost and caches the results. With a little tweaking you can also use it as the nameserver for the workstations on your network. The way certain sites (like facebook.com) do DNS-based load balancing can make DG think you are being spoofed. Local lookups prevent this, although the strict behaviour is disabled in DG by default in current versions.

contentscanner plugins can have all incoming content virus-scanned. downloadmanager plugins handle large downloads while DG buffers them for scanning (keeping the browser from timing out), but can break large downloads in some cases.
List Management
Automatic Updates
List service like shallalist.de or urlblacklist.com
Cronjob to get latest lists
.Include</path/to/list> statements in banned{site,url}list pull the downloaded lists in
Plaintext lists add, remove, (un)comment a line
You will probably need to comment out many lines in banned{mimetype,extension}list right off the bat
shallalist.de is free for non-commercial use. urlblacklist.com costs money to use. Some on the mailing list tell me shallalist is better anyway.
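The update job described on this slide, as an added example (not code from the slides or the DansGuardian project): it generates the .Include lines that splice a downloaded blacklist tree into DG's own lists and replaces the list file atomically. The directory layout (one category directory holding domains and urls files, like shallalist's tarball), the category names, the fetch commands in the comment and the paths are all assumptions.

```python
"""Added example: build DansGuardian .Include lines from a blacklist tree.

Assumed layout, modelled on shallalist's tarball: <bldir>/<category>/domains
belongs in bannedsitelist and <bldir>/<category>/urls in bannedurllist.
Category names, paths and the fetch commands below are assumptions."""
from pathlib import Path
import os
import tempfile

# Categories to block; anything not listed stays reachable (assumed selection).
CATEGORIES = ["porn", "spyware", "warez"]


def build_includes(bldir, kind, categories):
    """Return (include_lines, missing_paths) for one list kind ('domains' or 'urls').

    A missing category file is reported rather than silently skipped, so a
    category renamed in a new tarball does not quietly open a hole."""
    lines, missing = [], []
    for cat in categories:
        f = Path(bldir) / cat / kind
        if f.is_file():
            lines.append(f".Include<{f}>")  # DG's include syntax
        else:
            missing.append(str(f))
    return lines, missing


def write_list(path, bldir, kind, categories):
    """Write a DG list file made only of .Include lines, replacing it atomically
    so DG never reads a half-written file. Returns the lines written."""
    lines, missing = build_includes(bldir, kind, categories)
    if missing:
        raise FileNotFoundError("blacklist categories missing: " + ", ".join(missing))
    path = Path(path)
    tmp = path.parent / (path.name + ".tmp")
    tmp.write_text("# generated by the blacklist update job; edit CATEGORIES there\n"
                   + "\n".join(lines) + "\n")
    os.replace(tmp, path)
    return lines


if __name__ == "__main__":
    # Shape of the cron job (assumed): fetch the tarball, unpack it into a
    # staging directory, regenerate the two lists, then restart DG so the
    # lists are reloaded, e.g.
    #   curl -sS -o /tmp/bl.tar.gz <blacklist tarball url>
    #   tar -xzf /tmp/bl.tar.gz -C /etc/dansguardian/lists/blacklists
    #   service dansguardian restart
    # Here a throwaway tree stands in for the unpacked tarball.
    with tempfile.TemporaryDirectory() as d:
        for cat in CATEGORIES:
            (Path(d) / cat).mkdir()
            (Path(d) / cat / "domains").write_text("example.invalid\n")
        for line in write_list(Path(d) / "bannedsitelist", d, "domains", CATEGORIES):
            print(line)
```

Keep the generated file separate from any hand-maintained entries: put your own domains in a second file that bannedsitelist also .Includes, so the cron job never overwrites them.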
List Management
Filter Decision Flowchart/Visualization
List Management
By default, urls are checked, and if allowed then the content is scanned and either allowed or denied
Blacklisted pages are denied outright
Whitelisted pages are allowed and content is not scanned
Greylisted pages are not blocked on the basis of the URL (useful for working around URL regexp false positives), but their content is still checked, and they are allowed or denied based on content
Weighted Phrases
Included by weightedphraselist
Page is scanned, producing naughtyness score
If the page's naughtyness score is greater than the naughtyness limit of the client's filter group, access is denied
Check /var/log/dansguardian/access.log for more information on blocked content
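The decision flow above, as an added example (not DansGuardian's own code): a simplified model run over constructed sample lists and pages. The list syntax follows DG's files (one entry per line, '#' comments, <phrase><weight> entries in weightedphraselist), but every entry is made up for the example, and phrase scoring counts each phrase once, which simplifies DG's scoring modes.

```python
"""Added example: a simplified model of DG's URL-then-content decision flow.
Lists and pages are constructed; this is not DansGuardian's implementation."""
import re
from urllib.parse import urlsplit

# Constructed sample lists in DG's list syntax.
EXCEPTION_SITES = """
# exceptionsitelist: allowed, content never scanned
fedoraproject.org
"""
BANNED_SITES = """
# bannedsitelist: denied outright
badsite.example
"""
GREY_SITES = """
# greysitelist: URL checks skipped, content still scanned
news.example
"""
BANNED_URL_REGEXPS = r"""
# bannedregexpurllist: a URL that embeds another URL (CGI web proxies),
# and search queries for warez
.*://.*://
[?&]q=[^&]*warez
"""
WEIGHTED_PHRASES = """
# weightedphraselist: <phrase><weight>
<free download><10>
<serial number><30>
<crack><40>
<keygen><60>
"""


def load_list(text):
    """DG list files: blank lines and '#' comment lines are ignored."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def load_phrases(text):
    """Parse <phrase><weight> lines into (phrase, weight) pairs."""
    pairs = []
    for entry in load_list(text):
        m = re.fullmatch(r"<(.+)><(-?\d+)>", entry)
        if m:
            pairs.append((m.group(1).lower(), int(m.group(2))))
    return pairs


def site_matches(host, entries):
    """A site entry matches the host itself and any subdomain of it."""
    return any(host == e or host.endswith("." + e) for e in entries)


def naughtyness(body, phrases):
    """Sum the weights of every listed phrase present in the page, each once."""
    text = body.lower()
    return sum(w for p, w in phrases if p in text)


def decide(url, body, limit):
    """Return (verdict, reason) for a fetched page given the client's naughtyness limit."""
    host = (urlsplit(url).hostname or "").lower()
    # 1. URL stage: exception, banned, grey, then regexp lists.
    if site_matches(host, load_list(EXCEPTION_SITES)):
        return "allow", "exception site, content not scanned"
    if site_matches(host, load_list(BANNED_SITES)):
        return "deny", "banned site"
    grey = site_matches(host, load_list(GREY_SITES))
    if not grey:
        for pat in load_list(BANNED_URL_REGEXPS):
            if re.search(pat, url, re.IGNORECASE):
                return "deny", f"banned URL regexp: {pat}"
    # 2. Content stage: weighted phrases against the group's limit.
    score = naughtyness(body, load_phrases(WEIGHTED_PHRASES))
    if score > limit:
        return "deny", f"naughtyness {score} > limit {limit}"
    return "allow", f"naughtyness {score} <= limit {limit}"


if __name__ == "__main__":
    page = "Free download of keygen and crack here"  # constructed page body
    for url, body, limit in [
        ("http://www.fedoraproject.org/wiki", page, 50),
        ("http://proxy.example/go?url=http://badsite.example/", "", 50),
        ("http://news.example/search?q=warez", "", 50),
        ("http://files.example/", page, 50),
        ("http://files.example/", page, 160),
    ]:
        print(url, "->", decide(url, body, limit))
```

The last two calls show why per-group limits matter: the same page is denied for a group with naughtynesslimit 50 and allowed for one with 160, and the grey-listed search shows a URL that would otherwise trip the warez regexp passing through to content scanning instead.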
Filter Groups
Can have global lists in tandem with group lists
Groups can have separate naughtyness limits
grep 'authplugin' dansguardian.conf
Five plugins; three require Squid (not TP) and an explicit proxy (browser config):
proxy-basic
proxy-digest
proxy-ntlm
ident
ip
Filter Groups
grep 'filtergroups' dansguardian.conf
In filtergroupslist: username=filterN (for example alice=filter2)
For ip auth, use lists/authplugins/ipgroups
Copy dansguardianf1.conf to dansguardianfN.conf for each extra group (filtergroups in dansguardian.conf must equal the number of dansguardianfN.conf files)
grep 'groupmode' dansguardianfN.conf
Can use nested includes for filter lists
Unfortunately you have to use filterX in your filtergroupslist even if you set groupname in dansguardianfX.conf; groupname only labels that group in the logs.
Many sites will have a default group that has zero access to the internet, forcing users to login to get any access.
In a DHCP setting, you might use ip auth to place most users in a default group, but set permanent leases for frequent users who you want to place in a different group.
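The DHCP scenario above, as an added example (not DG's code): map a client IP to a filter group the way the ip auth plugin's lists/authplugins/ipgroups does, then read that group's groupmode and naughtynesslimit. The ipgroups lines use the file's single-IP, range and CIDR forms as I understand them; the entries, the match order (single IP, then range, then subnet) and the dansguardianfN.conf fragments are constructed for the example.

```python
"""Added example: resolve a client IP to a DG filter group and its policy.
The ipgroups entries and config fragments are constructed; the match order
is an assumption about the ip auth plugin, not taken from its source."""
import ipaddress
import re

IPGROUPS = """
# lists/authplugins/ipgroups (constructed)
# staff workstations with permanent DHCP leases get a permissive group
10.0.1.5 = filter2
10.0.1.6 = filter2
# the lab subnet is filtered with the default limit
10.0.1.0/24 = filter3
# a range of kiosks that must not reach the internet at all
10.0.2.10-10.0.2.20 = filter4
"""

# dansguardianfN.conf fragments (constructed). groupmode: 0 = banned, 1 = filtered, 2 = unfiltered.
GROUP_CONFS = {
    "filter1": "groupmode = 1\nnaughtynesslimit = 50\n",
    "filter2": "groupmode = 1\nnaughtynesslimit = 160\n",
    "filter3": "groupmode = 1\nnaughtynesslimit = 50\n",
    "filter4": "groupmode = 0\nnaughtynesslimit = 50\n",
}
DEFAULT_GROUP = "filter1"  # clients matching nothing fall into the first group
MODES = {0: "banned", 1: "filtered", 2: "unfiltered"}


def parse_ipgroups(text):
    """Split ipgroups into single IPs, ranges and subnets, each mapped to a group."""
    singles, ranges, subnets = {}, [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec, group = [s.strip() for s in line.split("=", 1)]
        if "/" in spec:
            subnets.append((ipaddress.ip_network(spec, strict=False), group))
        elif "-" in spec:
            lo, hi = (s.strip() for s in spec.split("-", 1))
            ranges.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi), group))
        else:
            singles[ipaddress.ip_address(spec)] = group
    return singles, ranges, subnets


def group_for(client_ip, parsed):
    """Most specific match wins: single IP, then range, then subnet, else default."""
    singles, ranges, subnets = parsed
    ip = ipaddress.ip_address(client_ip)
    if ip in singles:
        return singles[ip]
    for lo, hi, group in ranges:
        if lo <= ip <= hi:
            return group
    for net, group in subnets:
        if ip in net:
            return group
    return DEFAULT_GROUP


def group_policy(group):
    """Read groupmode and naughtynesslimit from the group's config text."""
    conf = GROUP_CONFS[group]
    policy = {}
    for key in ("groupmode", "naughtynesslimit"):
        m = re.search(rf"^\s*{key}\s*=\s*(\d+)", conf, re.M)
        policy[key] = int(m.group(1)) if m else None
    return policy


def access_for(client_ip):
    """Return (group, mode, naughtynesslimit) for a client address."""
    group = group_for(client_ip, parse_ipgroups(IPGROUPS))
    policy = group_policy(group)
    return group, MODES[policy["groupmode"]], policy["naughtynesslimit"]


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.1.9", "10.0.2.15", "10.0.0.77"):
        print(ip, "->", access_for(ip))
```

Note the staff lease 10.0.1.5 sits inside the lab subnet 10.0.1.0/24 and still lands in filter2, which is what makes the permanent-lease trick work; if you reverse the match order the lab group swallows it.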
Url Matching with RegExp
Perl-based Regular Expressions
Used for blocking complex nested URLs (a URL that carries another URL inside it, as CGI web proxies do)
Useful for blocking certain search patterns
Blocking patterns go in bannedregexpurllist; urlregexplist holds rewrite rules of the form "pattern"->"replacement" (forcing a search engine's safe mode, for instance), and the shipped file has worked examples
Patterns are Perl-style, but the engine is PCRE only when DG is built with PCRE support and POSIX extended regex otherwise, so test a pattern against the build you run before relying on it
Further Resources
dansguardian.org
squidguard.org/blacklists.html
smoothwall.net
netfilter.org
squid-cache.org
www.banu.com/tinyproxy
man 5 crontab
www.isc.org
calamaris.cord.de