dansguardian open source content filtering


Upload: andrew-vandever

Post on 16-Apr-2017


DansGuardian
Open Source Content Filtering

Andrew Vandever, RHC{T,E,I,X}
[email protected]
http://avcomp.net

DansGuardian

What Is DansGuardian?

Installing DansGuardian

Basic Configuration

List Management

Filter Groups

Advanced URL Matching with RegExp

Further Resources

What Is DansGuardian?

Content Filter

Offensive Content

Time-Wasters

Malware

Logging

User-Based Management

Squid Users

Ident

IP Addresses

Schools, businesses and even home users have a lot to lose from their workstation users accidentally or intentionally accessing offensive content, time-wasting content, or malware. DansGuardian protects your network from all three.

DansGuardian logs to /var/log/dansguardian/access.log. Directives in the configuration can tell DG to log in Squid format, making it easy to analyze the logs later with tools like calamaris.

What Is DansGuardian?

Comparable to WebSense, SonicWall

Pairs with Proxy

Squid

TinyProxy

Other

Scalable

Easy to Install

Fedora/EPEL

Ubuntu

TinyProxy uses far fewer resources than Squid, making it very nice for home use. However, you give up 3 of 5 of your authentication mechanisms. Squid is also probably better for an environment with many users.

DG forks similarly to Apache HTTPD.

EPEL is, of course, Extra Packages for Enterprise Linux. You could also grab the source from dansguardian.org.

What Is DansGuardian?

Open Source

Patchable

Flexible

Community Support

Commercial Support Available: Smoothwall

Smoothwall gives a commercial packaging and support for DG.

Either the browser intentionally uses DG as a proxy, or the firewall intercepts the traffic and redirects it to DG. Explicit proxy is better, but more difficult to manage. Transparent proxy is easier to manage, but gives you less flexibility when it comes to traffic like SSL, and cuts out 3 of 5 of DG's auth mechanisms. For SSL, sending the traffic directly to Squid is typically a better idea.

Installing DansGuardian

DG Itself (Fedora; similar for Ubuntu)

yum -y install dansguardian

chkconfig dansguardian on

service dansguardian start

Squid

yum -y install squid

chkconfig squid on

service squid start

Installing DansGuardian

Alternative TinyProxy

yum -y install tinyproxy

chkconfig tinyproxy on

service tinyproxy start

Must change the listen port for TP or the send port for DG

Default Configuration

/etc/dansguardian/* (possibly /usr/share/dansguardian)

/etc/squid/*, /etc/tinyproxy/*

Installing DansGuardian

Default Configuration

dansguardian.conf - server configuration file

dansguardianf1.conf - filter settings for first group

lists/* - blacklists, whitelists, regexp lists, group lists

squid.conf - main Squid configuration, defaults okay

tinyproxy.conf - main TP configuration, check port

Installing DansGuardian

Set Browser Proxy

Depends on browser

More systems = harder to manage

Difficult to enforce

Best option if you can do it

Firewall

Easier to configure

Easier to enforce

Breaks SSL

Examples: Gateway is 10.0.0.1, DG box is 10.0.0.2

# The nat table has no FORWARD chain; DNAT for routed clients goes in PREROUTING.
# Traffic from the DG box itself must not be redirected back to it.
iptables -t nat -A PREROUTING -s 10.0.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 ! -d 10.0.0.0/8 -j DNAT --to-destination 10.0.0.2:8080
# Reject direct use of the proxy ports (Squid 3128, DG 8080, TinyProxy 8888) except to the DG box.
iptables -t filter -A FORWARD -m tcp -p tcp --dport 3128 ! -d 10.0.0.2 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 8080 ! -d 10.0.0.2 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 8888 -j REJECT
iptables -t filter -A FORWARD -m tcp -p tcp --dport 443 -j REJECT
iptables -t filter -A FORWARD -j LOG
service iptables save

Now, make sure you set Squid on 10.0.0.1 to listen on port 80 only from loopback (DG), but on 443 from all clients.

Installing DansGuardian

Firewall Configuration

Accept HTTP traffic from Squid

DNAT HTTP traffic to DansGuardian

Reject outbound proxy ports

Log or block other outbound ports

Examples: Redirect the box's own traffic to DG

# Squid's own outbound requests must not be looped back into DG.
iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
# Reject the proxy ports except over loopback, so DG can still reach Squid
# on 127.0.0.1:3128 and the DNATed traffic can still reach DG on 127.0.0.1:8080.
iptables -t filter -A OUTPUT ! -o lo -m tcp -p tcp --dport 3128 -j REJECT
iptables -t filter -A OUTPUT ! -o lo -m tcp -p tcp --dport 8080 -j REJECT
iptables -t filter -A OUTPUT ! -o lo -m tcp -p tcp --dport 8888 -j REJECT
iptables -t filter -A OUTPUT -j LOG
service iptables save

DansGuardian Configuration

Basic Configuration

grep 'filterport' dansguardian.conf

grep 'downloadmanager' dansguardian.conf

grep 'contentscanner' dansguardian.conf

grep 'naughtynesslimit' dansguardianf1.conf

DansGuardian likes a local caching DNS server

yum -y install bind; chkconfig named on; service named start

nameserver 127.0.0.1 in /etc/resolv.conf

Otherwise, whitelisting may be necessary

The default BIND (named) configuration in Fedora will perform recursive lookups for localhost and cache the results. With just a little bit of tweaking you can also use it as the nameserver for the workstations on your network. The way certain sites (like facebook.com) do DNS-based load balancing can make DG think you're being spoofed. Local lookups prevent this, although the strict behavior is disabled in DG by default in current versions.

Contentscanner can send all your incoming content for virus scanning.

Downloadmanager will try to assist with download speed, but can break large downloads in some cases.

List Management

Automatic Updates

List service like shallalist.de or urlblacklist.com

Cronjob to get latest lists

.Include statements in banned{site,url}list

Plaintext lists: add, remove, or (un)comment a line

You probably need to comment many lines from banned{mimetype,extension}list right off the bat

shallalist.de is free for non-commercial use. urlblacklist.com costs money to use. Some on the mailing list tell me shallalist is better anyway.

List Management

Filter Decision Flowchart/Visualization

List Management

By default, urls are checked, and if allowed then the content is scanned and either allowed or denied

Blacklisted pages are denied outright

Whitelisted pages are allowed and content is not scanned

Greylisted pages are not blocked based on the url (useful for working around urlregexp issues), but still have their content checked, and are allowed or denied based on content

Weighted Phrases

Included by weightedphraselist

Page is scanned, producing naughtyness score

If naughtyness score of page is greater than naughtyness limit of client, access is denied

Check /var/log/dansguardian/access.log for more information on blocked content

Filter Groups

Can have global lists in tandem with group lists

Groups can have separate naughtyness limits

grep 'authplugin' dansguardian.conf

Three require Squid (not TP) and explicit proxy (browser config):

proxy-basic

proxy-digest

proxy-ntlm

ident

ip

Filter Groups

grep 'filtergroups' dansguardian.conf

In filtergroupslist: username=groupname

For ip auth, use lists/authplugins/ipgroups

Copy dansguardianf1.conf to dansguardianfN.conf

grep 'groupmode' dansguardianfN.conf

Can use nested includes for filter lists

Unfortunately, you have to put filterX in your groupslist, even if you specify a groupname in your dansguardianfX.conf for the group.

Many sites will have a default group that has zero access to the internet, forcing users to login to get any access.

In a DHCP setting, you might use ip auth to place most users in a default group, but set permanent leases for frequent users who you want to place in a different group.

URL Matching with RegExp

Perl-based Regular Expressions

Used for blocking complex nested URLs

Useful for blocking certain search patterns

Examples in urlregexplist

Anything you can do in Perl, you can do here, but keep in mind it's perlre, not PCRE.
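As an added illustration (not DansGuardian's own code), the following Python models the filter decision flow from the List Management slides together with the list format and the URL regexp step from this one: DG-style plaintext lists with comments and .Include<...> directives, banned/exception/grey site lists, URL regexps (modelled on DG's bannedregexpurllist, which greylisted sites bypass), weighted phrases, and per-group naughtyness limits. The list paths, entries, phrase weights and limits are constructed, and checking the exception list before the banned list is this model's assumption.

```python
import re

# Constructed sample lists in DansGuardian list syntax: '#' comments, blank
# lines, and '.Include<path>' directives. Paths and entries are made up.
LIST_FILES = {
    "/etc/dansguardian/lists/bannedsitelist": "# banned domains\nexample-ads.test\n\n.Include</etc/dansguardian/lists/local/banned>\n",
    "/etc/dansguardian/lists/local/banned": "timewaster.test\n",
    "/etc/dansguardian/lists/exceptionsitelist": "intranet.test\n",
    "/etc/dansguardian/lists/greysitelist": "news.test\n",
    "/etc/dansguardian/lists/bannedregexpurllist": r"[?&]q=[^&]*casino" + "\n",
}
WEIGHTED_PHRASES = {"casino": 60, "free bet": 40, "homework": -30}  # phrase -> weight
NAUGHTYNESS_LIMITS = {"filter1": 50, "filter2": 150}  # one limit per dansguardianfN.conf
LIST_DIR = "/etc/dansguardian/lists/"

def load_list(path, files=LIST_FILES):
    """Parse a DG list file: drop comments and blanks, follow .Include<...> recursively."""
    entries = []
    for line in files.get(path, "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inc = re.match(r"^\.Include<(.+)>$", line)
        entries.extend(load_list(inc.group(1), files) if inc else [line])
    return entries

def site_matches(host, entries):
    """Site lists match the listed domain and any subdomain of it."""
    return any(host == e or host.endswith("." + e) for e in entries)

def naughtyness(body, phrases=WEIGHTED_PHRASES):
    """Weighted-phrase score: every occurrence adds its (possibly negative) weight."""
    text = body.lower()
    return sum(w * text.count(p) for p, w in phrases.items())

def decide(url, body, group, files=LIST_FILES, limits=NAUGHTYNESS_LIMITS):
    """Return (verdict, reason), checking URL lists first and content second."""
    host = re.match(r"^https?://([^/:]+)", url).group(1).lower()
    if site_matches(host, load_list(LIST_DIR + "exceptionsitelist", files)):
        return "ALLOWED", "exceptionsitelist (content not scanned)"
    if site_matches(host, load_list(LIST_DIR + "bannedsitelist", files)):
        return "DENIED", "bannedsitelist"
    # Greylisted sites skip the URL regexps but still get their content scanned.
    if not site_matches(host, load_list(LIST_DIR + "greysitelist", files)):
        if any(re.search(p, url) for p in load_list(LIST_DIR + "bannedregexpurllist", files)):
            return "DENIED", "bannedregexpurllist"
    score = naughtyness(body)
    if score > limits[group]:
        return "DENIED", "naughtyness %d > limit %d" % (score, limits[group])
    return "ALLOWED", "naughtyness %d <= limit %d" % (score, limits[group])
```

The same page with the same phrases is denied for filter1 and allowed for filter2, which is the per-group limit behaviour the Filter Groups slide describes.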

Further Resources

dansguardian.org

squidguard.org/blacklists.html

smoothwall.net

netfilter.org

squid-cache.org

www.banu.com/tinyproxy

man 5 crontab

www.isc.org

calamaris.cord.de

[email protected]