DansGuardian open source content filtering
1 like3,944 views
DansGuardian is an open source content filtering proxy server that can block offensive, malicious, or time-wasting content. It works by pairing with proxy servers like Squid or TinyProxy to filter web traffic. DansGuardian can be configured to log blocked content, apply user-based or group-based filters, and uses blacklist and whitelist files to determine what content to allow or block. Basic configuration of DansGuardian involves editing configuration files to specify the proxy port and blacklist files, while more advanced options allow regular expression matching and separate filter profiles for different user groups.
![DansGuardian Open Source Content Filtering Andrew Vandever RHC{T,E,I,X} [email_address] http://avcomp.net](https://image.slidesharecdn.com/dansguardianpresentation-100219133726-phpapp01/85/DansGuardian-open-source-content-filtering-1-320.jpg)
DansGuardian open source content filtering
- 1. DansGuardian Open Source Content Filtering Andrew Vandever RHC{T,E,I,X} [email_address] http://avcomp.net
- 2. DansGuardian What Is DansGuardian?
- 7. Advanced Url Matching with RegExp
- 9. What Is DansGuardian? Content Filter Offensive Content
- 10. Time-Wasters
- 11. Malware Logging
- 12. User-Based Management Squid Users
- 13. Ident
- 14. IP Addresses
- 15. What Is DansGuardian? Comparable to WebSense, SonicWall
- 16. Pairs with Proxy Squid
- 17. TinyProxy
- 18. Other Scalable
- 19. Easy to Install Fedora/EPEL
- 20. Ubuntu
- 21. What Is DansGuardian? Open Source Patchable
- 22. Flexible
- 24. Commercial Support Available: Smoothwall
- 25. Installing DansGuardian DG Itself (Fedora – similar for Ubuntu) yum -y install dansguardian
- 27. service dansguardian start Squid yum -y install squid
- 30. Installing DansGuardian Alternative – TinyProxy yum -y install tinyproxy
- 33. Must change listen port for TP or send port for DG Default Configuration /etc/dansguardian/* (possibly /usr/share/dansguardian)
- 35. Installing Dansguardian Default Configuration dansguardian.conf – server configuration file
- 36. dansguardianf1.conf – filter settings for first group
- 37. lists/* - blacklists, whitelists, regexp lists, group lists
- 38. squid.conf – main squid configuration, defaults okay
- 39. tinyproxy.conf – main TP configuration, check port
- 40. Installing DansGuardian Set Browser Proxy Depends on browser
- 41. More systems = harder to manage
- 43. Best option if you can do it Firewall Easier to configure
- 45. Breaks SSL
- 46. Installing DansGuardian Firewall Configuration Accept HTTP traffic from Squid
- 47. DNAT HTTP traffic to DansGuardian
- 48. Reject outbound proxy ports
- 49. Log or block other outbound ports
- 50. DansGuardian Configuration Basic Configuration grep 'filterport' dansguardian.conf
- 53. grep 'naughtynesslimit' dansguardianf1.conf DansGuardian likes a local caching DNS server yum -y install bind; chkconfig named on; service named start
- 54. “nameserver 127.0.0.1” in /etc/resolv.conf
- 55. Otherwise, whitelisting may be necessary
- 56. List Management Automatic Updates List service like shallalist.de or urlblacklist.com
- 57. Cronjob to get latest lists
- 58. .Include<> statements in banned{site,url}list Plaintext lists – add, remove, (un)comment a line
- 59. You probably need to comment many lines from banned{mimetype,extension}list right off the bat
- 60. List Management Filter Decision Flowchart/Visualization
- 61. List Management By default, urls are checked, and if allowed then the content is scanned and either allowed or denied
- 62. Blacklisted pages are denied outright
- 63. Whitelisted pages are allowed and content is not scanned
- 64. Greylisted pages are not blocked based on the url (useful for working around urlregexp issues), but still have their content checked, and are allowed or denied based on content
- 65. Weighted Phrases Included by weightedphraselist
- 66. Page is scanned, producing “naughtyness” score
- 67. If naughtyness score of page is greater than naughtyness limit of client, access is denied
- 68. Check /var/log/dansguardian/access.log for more information on blocked content
- 69. Filter Groups Can have global lists in tandem with group lists
- 70. Groups can have separate naughtyness limits
- 71. grep 'authplugin' dansguardian.conf Three require Squid (not TP) and explicit-proxy (browser config): proxy-basic
- 72. proxy-digest
- 73. proxy-ntlm ident
- 74. ip
- 75. Filter Groups grep 'filtergroups' dansguardian.conf
- 76. In filtergroupslist: username=groupname
- 77. For ip auth, use lists/authplugins/ipgroups
- 78. Copy dansguardianf1.conf to dansguardianfN.conf
- 80. Can use nested includes for filter lists
- 81. Url Matching with RegExp Perl-based Regular Expressions
- 82. Used for blocking complex nested url's
- 83. Useful for blocking certain search patterns
- 87. smoothwall.net
- 88. netfilter.org
- 89. squid-cache.org
- 91. man 5 crontab
- 92. www.isc.org
- 94. [email_address]
Editor's Notes
- #4: Schools, businesses and even home users have a lot to lose from their workstation users accidentally or intentionally accessing offensive content, time-wasting content, or malware. DansGuardian protects your network from all three. DansGuardian logs to /var/log/dansguardian/access.log. Directives in the configuration can tell DG to log in squid format, making it easy to analyze the logs later with tools like calamaris.
- #5: TinyProxy uses far fewer resources than squid, making it very nice for home use. However, you give up 3 of 5 of your authentication mechanisms. Squid is also probably better for an environment with many users. DG forks similar to Apache HTTPD. EPEL, of course, being “Extra Packages for Enterprise Linux”. You could also grab the source from dansguardian.org.
- #6: Smoothwall gives a commercial packaging and support for DG. Either the browser intentionally used DG as a proxy, or the firewall intercepts the traffic, redirecting it to DG. Explicit-proxy is better, but more difficult to manage. Transparent-proxy is easier to manage, but gives you less flexibility when it comes to traffic like SSL, as well as cutting out 3 of 5 of DG's auth mechanisms. For SSL, sending the traffic directly to squid is typically a better idea.
- #10: Examples: Gateway is 10.0.0.1, dg box is 10.0.0.2 iptables -t nat -A FORWARD -s 10.0.0.2 -j ACCEPT iptables -t nat -A FORWARD -m tcp -p tcp –dport 80 ! -d 10.0.0.0/8 -j DNAT –to-destination 10.0.0.2:8080 iptables -t filter -A FORWARD -m tcp -p tcp –dport 3128 ! -d 10.0.0.2 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 8080 ! -d 10.0.0.2 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 8888 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 443 -j REJECT iptables -t filter -A FORWARD -j LOG Service iptables save Now, make sure you set squid on 10.0.0.1 to listen to port 80 only from loopback (DG), but 443 from all clients
- #11: Examples: Redirect box's own traffic to dg iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT iptables -t nat -A OUTPUT -m tcp -p tcp –dport 80 -j DNAT –to-destination 127.0.0.1:8080 iptables -t filter -A OUTPUT -m tcp -p tcp --dport 3128 -j REJECT iptables -t filter -A OUTPUT -m tcp -p tcp –dport 8080 -j REJECT iptables -t filter -A OUTPUT -m tcp -p tcp --dport 8888 -j REJECT iptables -t filter -A OUTPUT -j LOG service iptables save
- #12: The default BIND (named) configuration in fedora will perform recursive lookups for localhost, and cache the results. With just a little bit of tweaking you can also use this as the nameserver for the workstations on your network. The way certain sites (like facebook.com) do dns-based load-balancing can make DG think you're being spoofed. Local lookups prevent this, although the strict behavior is disabled in DG by default in current versions. Contentscanner can set all your incoming content to be virus-scanned. Downloadmanager will try to assist with download speed, but can break large downloads in some cases.
- #13: shallalist.de is free for non-commercial use. urlblacklist.com costs money to use. Some on the mailing list tell me shallalist is better anyway.
- #18: Unfortunately you have to put “filterX” in your groupslist, even if you specify a groupname in your dansguardianfX.conf for the group. Many sites will have a default group that has zero access to the internet, forcing users to login to get any access. In a DHCP setting, you might use ip auth to place most users in a default group, but set permanent leases for frequent users who you want to place in a different group.
- #19: Anything you can do in Perl, you can do here, but keep in mind it's perlre, not PCRE.