Difference between revisions of "Installing Dansguardian on LinuxMCE"
Anupindi007 (Talk | contribs) |
|||
(19 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | [[Category:Installation Tutorials|Dansguardian]] | ||
{| align="right" | {| align="right" | ||
| __TOC__ | | __TOC__ | ||
|} | |} | ||
− | + | ||
− | + | ||
− | + | ||
==Basics== | ==Basics== | ||
Line 27: | Line 26: | ||
− | ==dhcp== | + | ===dhcp=== |
apt-get install dhcp3-server | apt-get install dhcp3-server | ||
− | ==dns server== | + | ===dns server=== |
apt-get install dnsmasq | apt-get install dnsmasq | ||
Line 38: | Line 37: | ||
==Dansguardian Web Log Viewer== | ==Dansguardian Web Log Viewer== | ||
apt-get install dglog | apt-get install dglog | ||
+ | |||
+ | |||
+ | ==Installing webmin and dansguardian webmin module== | ||
+ | First you need to install the additional packages: | ||
+ | sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl | ||
+ | |||
+ | |||
+ | Download and install webmin package: | ||
+ | wget http://prdownloads.sourceforge.net/webadmin/webmin_1.480_all.deb | ||
+ | |||
+ | sudo dpkg -i webmin_1.480_all.deb | ||
Line 61: | Line 71: | ||
===Shorewall=== | ===Shorewall=== | ||
Make the following changes: | Make the following changes: | ||
− | set "shorewall" auto start at boot time: | + | |
+ | '''copy configuration files (take backup of existing files):''' | ||
+ | cp /usr/share/doc/shorewall-common/default-config/* /etc/shorewall/ | ||
+ | |||
+ | |||
+ | |||
+ | '''set "shorewall" auto start at boot time:''' | ||
vi /etc/default/shorewall | vi /etc/default/shorewall | ||
# startup = 1 | # startup = 1 | ||
− | "zones" tells the firewall to zone each name for the rest configuration file e.g. loc, net: | + | |
+ | '''"zones" tells the firewall to zone each name for the rest configuration file e.g. loc, net:''' | ||
vi /etc/shorewall/zones | vi /etc/shorewall/zones | ||
# #ZONES TYPE OPTION IN OUT | # #ZONES TYPE OPTION IN OUT | ||
Line 76: | Line 93: | ||
− | "interfaces" tells the firewall which is internal and external interfaces: | + | |
+ | '''"interfaces" tells the firewall which is internal and external interfaces:''' | ||
vi /etc/shorewall/interfaces | vi /etc/shorewall/interfaces | ||
# #ZONE INTERFACE BROADCAST OPTIONS | # #ZONE INTERFACE BROADCAST OPTIONS | ||
Line 85: | Line 103: | ||
− | "masq" tells the firewall that internal network(eth1)is connected through external network(eth0): | + | |
+ | '''"masq" tells the firewall that internal network(eth1)is connected through external network(eth0):''' | ||
vi /etc/shorewall/masq | vi /etc/shorewall/masq | ||
# #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC | # #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC | ||
Line 92: | Line 111: | ||
− | "policy" tells the firewall that how should handle the requests: | + | |
+ | '''"policy" tells the firewall that how should handle the requests:''' | ||
vi /etc/shorewall/policy | vi /etc/shorewall/policy | ||
# loc all ACCEPT | # loc all ACCEPT | ||
Line 100: | Line 120: | ||
− | "shorewall.conf" we will configure ip_forwarding: | + | |
+ | '''"shorewall.conf" we will configure ip_forwarding:''' | ||
vi /etc/shorewall/shorewall.conf | vi /etc/shorewall/shorewall.conf | ||
# IP_FORWARDING=On | # IP_FORWARDING=On | ||
− | "rules" allows to set firewall rules: | + | |
+ | '''"rules" allows to set firewall rules:''' | ||
vi /etc/shorewall/rules | vi /etc/shorewall/rules | ||
# SECTION NEW | # SECTION NEW | ||
Line 115: | Line 137: | ||
# #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE | # #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE | ||
− | + | ||
+ | |||
+ | ''' # check shorewall working or not properly:''' | ||
shorewall check | shorewall check | ||
Line 123: | Line 147: | ||
/etc/init.d/shorewall restart | /etc/init.d/shorewall restart | ||
/etc/init.d/dansguardian restart | /etc/init.d/dansguardian restart | ||
+ | |||
+ | Troubleshooting: | ||
+ | 1. Still not working restart the system once | ||
+ | 2. Check all service started are not "ps -ef | grep <service>" service - apache2, dnsmasq, tinyproxy, shorewall, dansguardian, | ||
+ | and dhcpd. If any of the service is not starting, start the service sh /etc/init.d.<service> start. Check especially dnsmasq | ||
+ | and shorewall services. | ||
+ | |||
==DHCP Server== | ==DHCP Server== | ||
Line 145: | Line 176: | ||
# auto lo | # auto lo | ||
# iface lo inet loopback | # iface lo inet loopback | ||
+ | # auto eth0 | ||
+ | # iface eth0 inet dhcp | ||
# auto eth1 | # auto eth1 | ||
− | # iface | + | # iface eth1 inet static |
# address 192.168.80.1 | # address 192.168.80.1 | ||
# netmask 255.255.255.0 | # netmask 255.255.255.0 | ||
Line 152: | Line 185: | ||
#restart dhcp | #restart dhcp | ||
# /etc/init.d/dhcpd restart | # /etc/init.d/dhcpd restart | ||
− | |||
− | |||
− | |||
− | |||
==Adding BlackList== | ==Adding BlackList== | ||
Line 178: | Line 207: | ||
chown -R root:root blacklists | chown -R root:root blacklists | ||
chmod -R 755 blacklists | chmod -R 755 blacklists | ||
+ | |||
+ | |||
+ | ==Webmin and Dansguardian webmin configuration== | ||
+ | Login into Webmin(open your web browser and enter the following): | ||
+ | https://192.168.80.1:10000/ | ||
+ | |||
+ | |||
+ | Install and configure the Dansguardian Webmin module: | ||
+ | 1.Open browser & login as madmin(sudo user) https://192.168.80.1:10000 | ||
+ | |||
+ | 2.Go to Webmin > Webmin Configuration > Webmin Modules | ||
+ | Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module. | ||
+ | (http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-devel/0.7.0beta1b/dgwebmin-0.7.0beta1b.wbm?use_mirror=voxel) | ||
+ | |||
+ | Observe: The following modules have been successfully installed and added to your access control list : | ||
+ | DansGuardian Web Content Filter in /usr/share/webmin/dansguardian (4612 kB) under category Servers | ||
+ | |||
+ | |||
+ | '''Trouble shooting:''' | ||
+ | |||
+ | The first time you try to run the dg module, you'll get errors such as: | ||
+ | Warning - DansGuardian binary file not found, maybe you need to update your module config (especially the directory paths). | ||
+ | (Expected location: /sbin/dansguardian) | ||
+ | |||
+ | |||
+ | '''Solution:''' | ||
+ | |||
+ | The problem is that the we are using different directory locations for many of the files. | ||
+ | So, look at the Configurable options for DansGuardian Web Content Filter (in the upper left corner of the dg page) - and nearly every path needs to be changed. | ||
+ | |||
+ | For instance, our binary is in '''/usr/sbin/dansguardian''' instead of '''/sbin/dansguardian''', so change that. | ||
+ | |||
+ | Confirm the locations for the rest of the files by running | ||
+ | |||
+ | find / -name dansguardian | ||
+ | results may show: | ||
+ | /usr/share/webmin/dansguardian | ||
+ | /usr/share/lintian/overrides/dansguardian | ||
+ | /usr/share/doc/dansguardian | ||
+ | /usr/share/dansguardian | ||
+ | /usr/sbin/dansguardian | ||
+ | /var/log/dansguardian | ||
+ | /etc/webmin/dansguardian | ||
+ | /etc/init.d/dansguardian | ||
+ | /etc/logrotate.d/dansguardian | ||
+ | /etc/dansguardian | ||
+ | |||
+ | When you've finished replacing all of the locations, hit save on the config page and then "stop & restart DG" on the top right of the main DG page. | ||
+ | |||
+ | Then it should work! If not, check your syslog for errors. | ||
+ | You should be able to check the status of DG, review logs with a good viewer, and view and edit many of the detailed configurations. |
Latest revision as of 23:04, 19 October 2012
Basics
DansGuardian is an award winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.
DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobstructive as you want. The default settings are geared towards what a primary school might want but DansGuardian puts you in control of what you want to block.
DansGuardian is a true web content filter. We will see how to configure DansGuardian on Ubuntu Linux along with LinuxMCE.
Installing packages
tinyproxy
apt-get install tinyproxy
shorewall
apt-get install shorewall
dansguardian
apt-get install dansguardian
dhcp
apt-get install dhcp3-server
dns server
apt-get install dnsmasq
Optional:
Dansguardian Web Log Viewer
apt-get install dglog
Installing webmin and dansguardian webmin module
First you need to install the additional packages:
sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
Download and install webmin package:
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.480_all.deb sudo dpkg -i webmin_1.480_all.deb
Configure Packages
Tinyproxy
vi /etc/tinyproxy/tinyproxy.conf
Make the following changes
- User root
- Group root
- Allow 192.168.80.0/25
Dansguardian
vi /etc/dansguardian/dansguardian.conf
Make the following changes:
- Delete UNCONFIGURED line
- filterport = 8081
- proxyip = 192.168.80.1
- proxyport = 8888
- usernameidmethodproxyauth = off
Shorewall
Make the following changes:
copy configuration files (take backup of existing files):
cp /usr/share/doc/shorewall-common/default-config/* /etc/shorewall/
set "shorewall" auto start at boot time:
vi /etc/default/shorewall
- startup = 1
"zones" tells the firewall to zone each name for the rest configuration file e.g. loc, net:
vi /etc/shorewall/zones
- #ZONES TYPE OPTION IN OUT
- #OPTIONS OPTIONS
- fw firewall
- net ipv4
- loc ipv4
- #Last Line - ADD ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"interfaces" tells the firewall which is internal and external interfaces:
vi /etc/shorewall/interfaces
- #ZONE INTERFACE BROADCAST OPTIONS
- #Note assuming "eth1"- is internal ip & "eth0"- is external ip
- net eth0 detect dhcp,tcpflags
- loc eth1 detect dhcp
- #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"masq" tells the firewall that internal network(eth1)is connected through external network(eth0):
vi /etc/shorewall/masq
- #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
- eth0 eth1
- #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"policy" tells the firewall that how should handle the requests:
vi /etc/shorewall/policy
- loc all ACCEPT
- net all DROP
- fw all ACCEPT
- all all REJECT
"shorewall.conf" we will configure ip_forwarding:
vi /etc/shorewall/shorewall.conf
- IP_FORWARDING=On
"rules" allows to set firewall rules:
vi /etc/shorewall/rules
- SECTION NEW
- ACCEPT net fw tcp 80
- REDIRECT loc 8081 tcp www
- ACCEPT loc fw tcp 22
- ACCEPT net fw icmp
- ACCEPT loc loc icmp
- #LAST LINE --ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
# check shorewall working or not properly:
shorewall check
Restart Applications
/etc/init.d/dnsmasq restart /etc/init.d/tinyproxy restart /etc/init.d/shorewall restart /etc/init.d/dansguardian restart Troubleshooting: 1. Still not working restart the system once 2. Check all service started are not "ps -ef | grep <service>" service - apache2, dnsmasq, tinyproxy, shorewall, dansguardian, and dhcpd. If any of the service is not starting, start the service sh /etc/init.d.<service> start. Check especially dnsmasq and shorewall services.
DHCP Server
Note: you need not to make any changes if you are working on single system or dhcp is already running on your local network interface(any changes dhcpd.conf or interfaces respective files)
vi /etc/default/dhcp3-server
- INTERFACE="eth1"
vi /etc/dhcp3/dhcpd.conf
- #change the subnet, netmask, range, dns, router as per your settings
- default-leasetime=86400
- max-leasetime=60480
- subnet 192.168.0.0 netmask 255.255.255.0{
- range 192.168.0.2 192.168.1.99;
- option domain-name-server 192.168.80.1;
- option routers 192.168.80.2;
- }
set static ip address:
vi /etc/network/interfaces
- auto lo
- iface lo inet loopback
- auto eth0
- iface eth0 inet dhcp
- auto eth1
- iface eth1 inet static
- address 192.168.80.1
- netmask 255.255.255.0
#restart dhcp
- /etc/init.d/dhcpd restart
Adding BlackList
A BlackList is a precompiled list of sites that are deemed potentially worrisome.
cd /etc/dansguardian wget http://urlblacklist.com/downloads/OriginalUpdateBL vi OriginalUpdateBL
- modify line 68 by switching the listed URL with the following:
- http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist
chmod 777 /etc/dansguardian/OriginalUpdateBL /etc/dansguardian/OriginalUpdateBL
when script is finished if you see any errors.
/etc/init.d/dansguardian restart
if the above script is not creating blacklists directory and creating blacklists file then follow the following:
cd /etc/dansguardian wget http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist tar -xvf bigblacklist.tar.gz chown -R root:root blacklists chmod -R 755 blacklists
Webmin and Dansguardian webmin configuration
Login into Webmin(open your web browser and enter the following):
https://192.168.80.1:10000/
Install and configure the Dansguardian Webmin module:
1.Open browser & login as madmin(sudo user) https://192.168.80.1:10000 2.Go to Webmin > Webmin Configuration > Webmin Modules Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module. (http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-devel/0.7.0beta1b/dgwebmin-0.7.0beta1b.wbm?use_mirror=voxel) Observe: The following modules have been successfully installed and added to your access control list : DansGuardian Web Content Filter in /usr/share/webmin/dansguardian (4612 kB) under category Servers
Trouble shooting:
The first time you try to run the dg module, you'll get errors such as:
Warning - DansGuardian binary file not found, maybe you need to update your module config (especially the directory paths). (Expected location: /sbin/dansguardian)
Solution:
The problem is that the we are using different directory locations for many of the files. So, look at the Configurable options for DansGuardian Web Content Filter (in the upper left corner of the dg page) - and nearly every path needs to be changed.
For instance, our binary is in /usr/sbin/dansguardian instead of /sbin/dansguardian, so change that.
Confirm the locations for the rest of the files by running
find / -name dansguardian results may show: /usr/share/webmin/dansguardian /usr/share/lintian/overrides/dansguardian /usr/share/doc/dansguardian /usr/share/dansguardian /usr/sbin/dansguardian /var/log/dansguardian /etc/webmin/dansguardian /etc/init.d/dansguardian /etc/logrotate.d/dansguardian /etc/dansguardian
When you've finished replacing all of the locations, hit save on the config page and then "stop & restart DG" on the top right of the main DG page.
Then it should work! If not, check your syslog for errors. You should be able to check the status of DG, review logs with a good viewer, and view and edit many of the detailed configurations.