 
This is a quick step-by-step guide to how I implement DansGuardian on Ubuntu systems. This one is all command-line with no hand-holding. For something easier, though out of date, try some of my earlier tutorials.
Below are my local install notes for putting together a DansGuardian filtering system on Ubuntu 12.04 Precise Pangolin, including multiple filtering profiles and statistics. You'll need to be pretty comfortable with Linux and the command line to replicate this. But it's really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 2 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find them useful, too.
$ sudo passwd root
$ su
# mv /etc/securetty /etc/securetty.bak; \
  touch /etc/securetty; \
  mv /etc/sudoers /etc/sudoers.bak
# apt-get install ntp
Edit /etc/ntp.conf to add us.pool.ntp.org to the top of the list of servers already in there.
Edit /etc/ssh/sshd_config. Set PermitRootLogin to no, set X11Forwarding to no, and uncomment the line #Banner /etc/issue.net.
Edit /etc/issue.net to give whatever notice your lawyers say is appropriate to people trying to log into your server:
*******************************************************************************
                              NOTICE TO USERS
This computer system is the property of the Branch District Library.  It is
for authorized use only.  Users (authorized or unauthorized) have no explicit
or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
officials of law enforcement and government agencies.
By using this system, the user consents to such interception, monitoring,
recording, auditing, inspection, and disclosure at the discretion of the Branch
District Library or other authorized officials of law enforcement or government
agencies.
Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate.  By
continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use.  LOG OFF IMMEDIATELY if you do not agree to
the conditions stated in this notice.
*******************************************************************************
Edit /etc/network/interfaces. Leave the entry for eth0, add the following for eth1. If your eth0 subnet is 192.168.1.X, you'll need to change IP addresses in this tutorial accordingly to suit your situation:
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway YOUR-GATEWAY-FOR-ETH0
    dns-nameservers YOUR-DNS-SERVER-1 YOUR-DNS-SERVER-2
# /etc/init.d/networking restart
# apt-get install dhcp3-server; \
  mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
Edit /etc/dhcp/dhcpd.conf as needed, adding static address assignments for your library-provided public computers. If you don't want to count your library computers in the statistics (we'll cover that later), make sure all library public computers are defined in this file. The file should look something like this:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style none;
log-facility local7;
option routers 192.168.1.1;
option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;
subnet [Subnet of eth0, just ending in .0] netmask 255.255.255.0 
{
}
subnet 192.168.1.0 netmask 255.255.255.0 
{
    range 192.168.1.100 192.168.1.254; # desired public service IP address range
    host HOSTNAME-HERE # host names for static IP assignment
    {
        hardware ethernet MAC-ADDRESS-USING-COLONS;
        fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
    }
}
# /etc/init.d/isc-dhcp-server restart
# apt-get install shorewall; \
  cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Edit /etc/shorewall/shorewall.conf. Find the line that reads IP_FORWARDING=Keep and change that to IP_FORWARDING=On.
Edit /etc/shorewall/interfaces:
#ZONE       INTERFACE   BROADCAST   OPTIONS
net         eth0        detect
loc         eth1        detect      dhcp
Edit /etc/shorewall/masq:
eth0        192.168.1.0/24
eth0        YOUR-SUBNET-FOR-ETH0/24
Edit /etc/shorewall/policy:
loc         all         REJECT
fw          all         REJECT
net         all         DROP
all         all         REJECT
Edit /etc/shorewall/rules. At minimum, have the following rules. More likely, use the huge ruleset we normally use.
# Accept SSH connections for administration, outgoing ssh from fw
ACCEPT      loc                     fw      tcp     22
ACCEPT      net                     fw      tcp     22
ACCEPT      fw                      net     tcp     22
# Accept HTTP for the wifi stats
ACCEPT      loc                     fw      tcp     80
ACCEPT      net                     fw      tcp     80
# allow web traffic out of the firewall
ACCEPT      fw      net                     tcp     80,8000,8001,8080
# Allow pinging the web filter
ACCEPT      loc        net        icmp
        
# Allow DNS requests
ACCEPT      loc        net        tcp     53
ACCEPT      loc        net        udp     53 
ACCEPT      fw         net        tcp     53
ACCEPT      fw         net        udp     53
# Allow POP3 email
ACCEPT      loc        net        tcp     110
# Allow NTP
ACCEPT      loc        net        udp     123
# Allow IMAP email
ACCEPT      loc        net        tcp     143   
        
# Allow secure web sites
ACCEPT      loc        net        tcp     443
# Secure SMTP
ACCEPT      loc                     net     tcp     465
# Allow DHCP requests
ACCEPT      loc        fw         tcp     546,547
ACCEPT      loc        fw         udp     67,68
ACCEPT      fw         net        tcp     546,547
ACCEPT      fw         net        udp     67,68
# smtp submission
ACCEPT      loc                     net     tcp     587
# Allow Secure IMAP email
ACCEPT      loc        net        tcp    993
# Allow Secure POP3 email
ACCEPT      loc        net        tcp    995
# Allow both sides of the firewall to access the filter
# (as in your staff side can use the filter, too)
ACCEPT      net       fw          tcp    8080
# Route all HTTP traffic from library kids computers to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.11-192.168.1.20 8081    tcp    80,8000,8001,8080   -
# Route all HTTP traffic from library adult computers to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.21-192.168.1.30 8082    tcp    80,8000,8001,8080   -
# Route all HTTP traffic from patron devices to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.100-192.168.1.255 8083    tcp    80,8000,8001,8080   -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Edit /etc/shorewall/zones:
fw          firewall
net         ipv4
loc         ipv4
Edit /etc/default/shorewall. Change startup=0 to startup=1. Restart shorewall:
# shorewall restart
# apt-get install squid
Edit /etc/squid3/squid.conf: search for http_port 3128 and change it to http_port 127.0.0.1:3128 transparent. Search for # access_log /var/log/squid3/access.log squid. Add a line below that reading access_log none. Search for cache_store_log. There will be a commented out code block for this tag with Default: none at the bottom. Add a new line below this reading cache_store_log none. Finally, add lines like the below to the end of the file to throttle HTTP traffic as needed (adjust the numbers in bytes to match your bandwidth and throttling needs):
########Squid Delay Pools#########
# a simple global throttle, users sharing 5 Mbit/s
delay_pools 1
delay_class 1 1
# 5 Mbit/s fill rate, 6 Mbit/s reserve, units in bytes
delay_parameters 1 655360/786432
acl All src 0/0
delay_access 1 allow All
# /etc/init.d/squid3 restart
# apt-get install dansguardian
# ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian1; \
  ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian2; \
  ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian3; \
  mkdir /etc/dansguardian1; \
  mkdir /etc/dansguardian2; \
  mkdir /etc/dansguardian3; \
  mkdir /var/log/dansguardian1; \
  mkdir /var/log/dansguardian2; \
  mkdir /var/log/dansguardian3; \
  chown dansguardian:dansguardian /etc/dansguardian1; \
  chown dansguardian:dansguardian /etc/dansguardian2; \
  chown dansguardian:dansguardian /etc/dansguardian3; \
  chown dansguardian:dansguardian /var/log/dansguardian1; \
  chown dansguardian:dansguardian /var/log/dansguardian2; \
  chown dansguardian:dansguardian /var/log/dansguardian3; \
  cp /etc/dansguardian/dansguardian.conf /etc/dansguardian1/; \
  cp /etc/dansguardian/dansguardian.conf /etc/dansguardian2/; \
  cp /etc/dansguardian/dansguardian.conf /etc/dansguardian3/; \
  cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian1/; \
  cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian2/; \
  cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian3/; \
  ln -s /etc/dansguardian/authplugins /etc/dansguardian1/authplugins; \
  ln -s /etc/dansguardian/authplugins /etc/dansguardian2/authplugins; \
  ln -s /etc/dansguardian/authplugins /etc/dansguardian3/authplugins; \
  ln -s /etc/dansguardian/contentscanners /etc/dansguardian1/contentscanners; \
  ln -s /etc/dansguardian/contentscanners /etc/dansguardian2/contentscanners; \
  ln -s /etc/dansguardian/contentscanners /etc/dansguardian3/contentscanners; \
  ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian1/downloadmanagers; \
  ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian2/downloadmanagers; \
  ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian3/downloadmanagers; \
  ln -s /etc/dansguardian/languages /etc/dansguardian1/languages; \
  ln -s /etc/dansguardian/languages /etc/dansguardian2/languages; \
  ln -s /etc/dansguardian/languages /etc/dansguardian3/languages; \
  ln -s /etc/dansguardian/lists /etc/dansguardian1/lists; \
  ln -s /etc/dansguardian/lists /etc/dansguardian2/lists; \
  ln -s /etc/dansguardian/lists /etc/dansguardian3/lists
Edit /etc/dansguardian/lists/bannedextensionlist. Comment out any file extension that you want to allow through the filter. Since we are not locking things down tightly like a corporate environment might, you'll probably want to comment out every line here. If you think you'll never want to block specific file types, you could just select everything then delete the content of the file to save time.
/etc/dansguardian/lists/bannedmimetypelist is similar, you'll probably want to comment out, or delete, all the lines.
Edit /etc/dansguardian/lists/bannedregexpurllist. For a library, the directives in this file have a tendency to over-block, so comment out or delete all lines.
/etc/dansguardian/lists/bannedsitelist is one of the more important files. This is where you can force an entire web site to be blocked.
/etc/dansguardian/lists/bannedurllist works in a similar fashion, though only for individual pages within a larger web site, while leaving the rest of the web site alone. Like the last file, you probably don't need to edit it now, except for commenting out the ad blocking.
exceptionsitelist—work similar to the banned* ones above, only they apply to things you don't want blocked. Edit them as you see fit. At BDL we add all the major web mail providers to exceptionsitelist so that emails would never get blocked, for example. Also, add .edu, .gov, .mi.us, etc.
/etc/dansguardian/lists/weightedphraselist contains pointers to the various categories of phraselists that DansGuardian uses in evaluating web pages. There's a nice description at the top of the file that describes how the term weighting works. Edit the file as you see fit, commenting out lines for things you don't want to be blocked. For our example we'll leave the weighted phrase lists only for good phrases and pornography, and comment out the rest.
Edit /etc/dansguardian/lists/urlregexplist to have a little expression to always force image searches on Google and Bing to be filtered. Add the following code to the end of the file:
# for Google
#we add &safe=vss to the end of every search
"(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss"
#for Bing
#similar, but &adlt=strict is the keyword
"(http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)"->"\1&adlt=strict"
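An added example (not part of the original guide): a small shell function that dry-runs urlregexplist rules against sample URLs before they go live on the filter. It uses sed -E as a stand-in for DansGuardian's own regex engine and applies every rule in file order, both of which are assumptions; the dots in the Bing host name are escaped so they match only a literal dot, and rewrite_url, RULES and the sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run urlregexplist-style rules ("pattern"->"replacement")
# against a URL. sed -E stands in for DansGuardian's regex engine (assumption),
# and every matching rule is applied in file order (also an assumption).
RULES=$(cat <<'EOF'
# for Google
"(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss"
# for Bing
"(http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)"->"\1&adlt=strict"
EOF
)

# rewrite_url URL: print URL after applying each rule in $RULES.
rewrite_url() {
    ru_url=$1
    ru_sep=$(printf '\001')      # sed delimiter that cannot occur in a rule
    while IFS= read -r ru_rule; do
        case $ru_rule in
            \"*) ;;              # rule lines start with a double quote
            *) continue ;;       # skip comments and blank lines
        esac
        # Split "pattern"->"replacement" at the first "->" between quotes.
        ru_pat=${ru_rule#\"}; ru_pat=${ru_pat%%\"->\"*}
        ru_rep=${ru_rule#*\"->\"}; ru_rep=${ru_rep%\"}
        # "&" means "whole match" to sed, so make it literal in the replacement.
        ru_rep=$(printf '%s' "$ru_rep" | sed 's/&/\\&/g')
        ru_url=$(printf '%s\n' "$ru_url" |
            sed -E "s${ru_sep}${ru_pat}${ru_sep}${ru_rep}${ru_sep}")
    done <<EOF
$RULES
EOF
    printf '%s\n' "$ru_url"
}

# Constructed sample URLs: two that should be rewritten, one that should not.
for u in 'http://www.google.com/search?q=cats' \
         'http://www.bing.com/images/search?q=cats' \
         'http://www.bing.com/search?q=cats'; do
    printf '%s -> %s\n' "$u" "$(rewrite_url "$u")"
done
```

The third sample comes back unchanged because the Bing rule only covers /images/search.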
Edit /etc/dansguardian/languages/ukenglish/template.html as desired to change the page telling users they've been blocked. You can put images in this page, but they must be inserted inline in base64 encoding.
Edit /etc/dansguardian1/dansguardian.conf, /etc/dansguardian2/dansguardian.conf, and /etc/dansguardian3/dansguardian.conf. The first thing to do is comment out the line near the top of the file that starts "UNCONFIGURED".
Search for loglevel = 2 and change the "2" to a "1". Next, search for every instance of /etc/dansguardian/ and /var/log/dansguardian/ and replace "dansguardian" with "dansguardian1", "dansguardian2", or "dansguardian3", as appropriate to the file you're editing. There are many instances to change.
Search for filterport = 8080. Change "8080" to "8081", "8082", or "8083", depending on which file you're editing.
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
pidfilename = '/var/run/dansguardian.pid'

ipcfilename = '/tmp/.dguardian1ipc'
urlipcfilename = '/tmp/.dguardian1urlipc'
ipipcfilename = '/tmp/.dguardian1ipipc'
pidfilename = '/var/run/dansguardian1.pid'
Edit /etc/dansguardian1/dansguardianf1.conf, /etc/dansguardian2/dansguardianf1.conf, and /etc/dansguardian3/dansguardianf1.conf. Search for every instance of /etc/dansguardian/ and replace "dansguardian" with "dansguardian1", "dansguardian2", or "dansguardian3", as appropriate to the file you're editing. There are many instances to change.
Set naughtynesslimit to a number that works best for you. We use 100 for children, 200 for adults, and 250 for our public wireless network.
# cd /etc/init.d/; \
  mv dansguardian dansguardian.orig; \
  update-rc.d dansguardian remove
# cd /etc/init.d/; \
  chmod +x dansguardian*; \
  update-rc.d dansguardian1 defaults 50 19; \
  update-rc.d dansguardian2 defaults 50 19; \
  update-rc.d dansguardian3 defaults 50 19
# /etc/init.d/dansguardian1 start; \
  /etc/init.d/dansguardian2 start; \
  /etc/init.d/dansguardian3 start
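The per-instance edits to dansguardian.conf and dansguardianf1.conf described above, scripted with sed as an added example (not the guide's own tooling) so the three copies cannot drift apart through hand editing. make_instance, its ROOT prefix argument, the sample files written by demo, the handling of commented-out IPC/PID lines, and the mapping of instances 1/2/3 to the 100/200/250 limits are assumptions.

```shell
#!/bin/sh
# Added example. Usage: make_instance ROOT N NAUGHTYNESSLIMIT
# ROOT is a path prefix (hypothetical): "" on the server, a scratch dir in tests.
# dansguardian.conf: UNCONFIGURED, loglevel, paths, port, IPC and PID names.
# "#?" also accepts IPC/PID lines that are still commented out (assumption).
# dansguardianf1.conf: list paths and the per-profile naughtynesslimit.
make_instance() {
    mi_dir="$1/etc/dansguardian$2"
    mi_port=$((8080 + $2))
    sed -E \
        -e 's@^UNCONFIGURED@#UNCONFIGURED@' \
        -e 's@^loglevel = 2$@loglevel = 1@' \
        -e "s@/etc/dansguardian/@/etc/dansguardian$2/@g" \
        -e "s@/var/log/dansguardian/@/var/log/dansguardian$2/@g" \
        -e "s@^filterport = 8080\$@filterport = $mi_port@" \
        -e "s@^#?((url|ip)?ipcfilename = '/tmp/\.dguardian)((url|ip)?ipc')@\1$2\3@" \
        -e "s@^#?(pidfilename = '/var/run/dansguardian)(\.pid')@\1$2\2@" \
        "$mi_dir/dansguardian.conf" > "$mi_dir/dansguardian.conf.new" &&
    mv "$mi_dir/dansguardian.conf.new" "$mi_dir/dansguardian.conf" &&
    sed -E \
        -e "s@/etc/dansguardian/@/etc/dansguardian$2/@g" \
        -e "s@^naughtynesslimit = [0-9]+@naughtynesslimit = $3@" \
        "$mi_dir/dansguardianf1.conf" > "$mi_dir/dansguardianf1.conf.new" &&
    mv "$mi_dir/dansguardianf1.conf.new" "$mi_dir/dansguardianf1.conf"
}

# Constructed sample: a few representative lines, not the full stock files.
demo() {
    demo_root=$(mktemp -d) || return 1
    for i in 1 2 3; do
        mkdir -p "$demo_root/etc/dansguardian$i" || return 1
        cat > "$demo_root/etc/dansguardian$i/dansguardian.conf" <<'EOF'
UNCONFIGURED - Please remove this line after configuration
loglevel = 2
loglocation = '/var/log/dansguardian/access.log'
filterport = 8080
languagedir = '/etc/dansguardian/languages'
#ipcfilename = '/tmp/.dguardianipc'
#urlipcfilename = '/tmp/.dguardianurlipc'
#ipipcfilename = '/tmp/.dguardianipipc'
#pidfilename = '/var/run/dansguardian.pid'
EOF
        cat > "$demo_root/etc/dansguardian$i/dansguardianf1.conf" <<'EOF'
naughtynesslimit = 50
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
EOF
    done
    # Limits from the guide: 100 children, 200 adults, 250 public wireless.
    make_instance "$demo_root" 1 100 && make_instance "$demo_root" 2 200 &&
        make_instance "$demo_root" 3 250 && echo "$demo_root"
}

# Run the demo, show the values that must differ per instance, then clean up.
out=$(demo) && {
    grep -E '^(filterport|pidfilename|naughtynesslimit)' "$out"/etc/dansguardian*/*.conf
    rm -rf "$out"
}
```

Running make_instance a second time on the same directory changes nothing, because each pattern only matches the unedited stock value.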
/var/www. Copy the appropriately-customized index.php, backbone.php, and stats.html into the session timer folder. Set the permissions appropriately:
# chgrp -R www-data /var/www/signup; \
  chmod 664 /var/www/signup/laptops_available; \
  chmod 664 /var/www/signup/time_override
Edit /etc/mysql/my.cnf to allow network connections (our custom firewall rules limit this to the appropriate machines). Find the line bind-address = 127.0.0.1 and comment it out. Find max_connections and change the number to something big, like 1000000. Restart MySQL:
# /etc/init.d/mysql restart
# apt-get install phpmyadmin
/etc/dhcp/dhcpd.conf. Create the MySQL database for tracking stats:
# mysql -u root -p
mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
mysql> quit;
# mysql -u root -p wifi_stats < old_exported_wifi_stats.sql
wifi_stats.sql into a file of the same name in your current directory. This is the database schema which will create an empty database. Import your file into MySQL:
# mysql -u root -p wifi_stats < wifi_stats.sql
wifi_stats.php into the file /var/www/wifi_stats.php. Edit the top of the file to enter your own password.
DHCPd-parse.php into the file /var/www/DHCPd-parse.php. Edit the top of the file to enter your own password. You can look at your collected stats at http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php.
reportdhcp.pl into /usr/lib/cgi-bin/reportdhcp.pl. This program isn't actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
1 * * * * wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
1 * * * * /etc/init.d/dansguardian1 restart
1 * * * * /etc/init.d/dansguardian2 restart
1 * * * * /etc/init.d/dansguardian3 restart
# apt-get install kubuntu-desktop
# apt-get install samba
Edit /etc/samba/smb.conf to share and hold the print jobs. Add the following lines to the end of the file, changing as necessary to fit your situation:
[Color_Printer]
path = /var/spool/samba
browseable = yes
printable = yes
printer name = CirculationPrinter
cups options = job-hold-until=indefinite
[Black_and_White_Printer]
path = /var/spool/samba
browseable = yes
printable = yes
printer name = CirculationPrinter
cups options = job-hold-until=indefinite
kde-print-queue CirculationPrinter. From here you can release the print jobs to the printer or delete them.
4 21 * * * /usr/bin/lprm -P CirculationPrinter -
5 21 * * * /bin/rm /var/cache/cups/job.cache*
6 21 * * * /bin/rm /var/spool/cups/c*
7 21 * * * /bin/rm /var/spool/cups/d*
smbpasswd -a <username>
\\192.168.1.XXX\Black_and_White_Printer, etc. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.
# apt-get install apcupsd; \
  mv /etc/apcupsd/apcupsd.conf /etc/apcupsd/apcupsd.conf.bak
apcupsd.conf into /etc/apcupsd/apcupsd.conf, editing parameters as you see fit.
Edit /etc/default/apcupsd and change ISCONFIGURED=no to ISCONFIGURED=yes.
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host
5 0 * * * mysqldump -u root --password=YOUR-PASSWORD wifi_stats > /home/username/wifi_stats_dump.sql; scp -i /home/username/.ssh/id_rsa /home/username/wifi_stats_dump.sql username@remote_host:/path/to/backup/directory/
Add from="YOUR-FILTER'S-IP-ADDRESS", followed by a space, before the "ssh-rsa [...]" stuff in your /home/username/.ssh/authorized_keys file. This will limit the key to being used only from your filter.
And that is all! Reboot and make sure everything comes back up the way it should.