8/3/2019 dansguardianpresentation-100219133726-phpapp01
DansGuardian
Open Source Content Filtering
Andrew Vandever
RHC{T,E,I,X}
[email protected]://avcomp.net
-
DansGuardian
What Is DansGuardian?
Installing DansGuardian
Basic Configuration
List Management
Filter Groups
Advanced URL Matching with RegExp
Further Resources
-
What Is DansGuardian?
Content Filter
Offensive Content
Time-Wasters
Malware
Logging
User-Based Management
Squid Users
Ident
IP Addresses
-
What Is DansGuardian?
Comparable to WebSense, SonicWall
Pairs with Proxy
Squid
TinyProxy
Other
Scalable
Easy to Install
Fedora/EPEL
Ubuntu
-
What Is DansGuardian?
Open Source
Patchable
Flexible
Community Support
Commercial Support Available: Smoothwall
-
Installing DansGuardian
DG Itself (Fedora; similar for Ubuntu)
yum -y install dansguardian
chkconfig dansguardian on
service dansguardian start
Squid
yum -y install squid
chkconfig squid on
service squid start
-
Installing DansGuardian
Alternative: TinyProxy
yum -y install tinyproxy
chkconfig tinyproxy on
service tinyproxy start
Must change listen port for TP or send port for DG
Default Configuration
/etc/dansguardian/* (possibly /usr/share/dansguardian)
/etc/squid/*, /etc/tinyproxy/*
-
Installing DansGuardian
Firewall Configuration
Accept HTTP traffic from Squid
DNAT HTTP traffic to DansGuardian
Reject outbound proxy ports
Log or block other outbound ports
-
DansGuardian Configuration
Basic Configuration
grep 'filterport' dansguardian.conf
grep 'downloadmanager' dansguardian.conf
grep 'contentscanner' dansguardian.conf
grep 'naughtynesslimit' dansguardianf1.conf
DansGuardian likes a local caching DNS server
yum -y install bind; chkconfig named on; service named start
nameserver 127.0.0.1 in /etc/resolv.conf
Otherwise, whitelisting may be necessary
-
List Management
Automatic Updates
List service like shallalist.de or urlblacklist.com
Cronjob to get latest lists
.Include statements in banned{site,url}list
Plaintext lists: add, remove, (un)comment a line
You probably need to comment out many lines from banned{mimetype,extension}list right off the bat
-
List Management
Filter Decision Flowchart/Visualization
-
List Management
By default, URLs are checked, and if allowed then the content is scanned and either allowed or denied
Blacklisted pages are denied outright
Whitelisted pages are allowed and content is not scanned
Greylisted pages are not blocked based on the URL (useful for working around urlregexp issues), but still have their content checked, and are allowed or denied based on content
-
Weighted Phrases
Included by weightedphraselist
Page is scanned, producing naughtyness score
If naughtyness score of page is greater than naughtyness limit of client, access is denied
Check /var/log/dansguardian/access.log for more information on blocked content
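Added example (not from the original slides and not DansGuardian's own code): a simplified Python model of the list and weighted-phrase decisions described on the two slides above. The host names, phrases and limits are constructed sample data; checking the whitelist before the blacklist, exact host matching and counting each phrase rule once per page are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lists, standing in for the plaintext list files.
BANNED_SITES = {"casino.example"}
EXCEPTION_SITES = {"intranet.example"}
GREY_SITES = {"news.example"}
BANNED_URL_REGEXPS = [re.compile(r"[?&]q=[^&]*poker", re.I)]
# weightedphraselist-style entries: <phrase><weight> or <a>,<b><weight>
WEIGHTED_PHRASES = """
<poker><40>
<jackpot>,<free spins><60>
<odds ratio><-30>
"""

def parse_weighted(text):
    """Return [(phrases, weight)] parsed from weightedphraselist-style lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = re.findall(r"<([^<>]*)>", line)
        if len(parts) >= 2:                         # last field is the weight
            rules.append(([p.lower() for p in parts[:-1]], int(parts[-1])))
    return rules

def naughtyness(body, rules):
    """Sum the weight of every rule whose phrases all occur in the body."""
    body = body.lower()
    return sum(w for phrases, w in rules if all(p in body for p in phrases))

def decide(url, body, limit):
    """Return (verdict, reason) for one request and its page content."""
    host = (urlsplit(url).hostname or "").lower()
    if host in EXCEPTION_SITES:                     # assumption: checked first
        return "ALLOW", "whitelisted, content not scanned"
    grey = host in GREY_SITES
    if not grey:                                    # greylist skips URL checks only
        if host in BANNED_SITES:
            return "DENY", "blacklisted site"
        if any(rx.search(url) for rx in BANNED_URL_REGEXPS):
            return "DENY", "url regexp match"
    score = naughtyness(body, parse_weighted(WEIGHTED_PHRASES))
    if score > limit:
        return "DENY", f"naughtyness {score} > limit {limit}"
    note = " (greylisted)" if grey else ""
    return "ALLOW", f"naughtyness {score} <= limit {limit}{note}"
```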
-
Filter Groups
Can have global lists in tandem with group lists
Groups can have separate naughtyness limits
grep 'authplugin' dansguardian.conf
Three require Squid (not TP) and explicit-proxy (browser config):
proxy-basic
proxy-digest
proxy-ntlm
ident
ip
-
Filter Groups
grep 'filtergroups' dansguardian.conf
In filtergroupslist: username=groupname
For ip auth, use lists/authplugins/ipgroups
Copy dansguardianf1.conf to dansguardianfN.conf
grep 'groupmode' dansguardianfN.conf
Can use nested includes for filter lists
-
URL Matching with RegExp
Perl-based Regular Expressions
Used for blocking complex nested URLs
Useful for blocking certain search patterns
Examples in urlregexplist
-
Further Resources
dansguardian.org
squidguard.org/blacklists.html
smoothwall.net
netfilter.org
squid-cache.org
www.banu.com/tinyproxy
man 5 crontab
www.isc.org
calamaris.cord.de