Below are my local install notes for putting together a DansGuardian filtering system on Kubuntu 14.04 Trusty, including computer lab time and print management, video surveilance, shared file server space, usage statistics, and more.
You'll need to be pretty comfortable with Linux and the command line to replicate this. But it's really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 3 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find it useful, too.
Prep things for basic server tasks:
$ sudo apt-get install -y lamp-server^ samba-server^ openssh-server^
$ sudo apt install -y ntp vim exfat-fuse exfat-utils traceroute
/etc/ntp.conf to add
us.pool.ntp.org to the top of the list of servers
already in there./etc/ssh/sshd_config. Uncomment
the line #Banner /etc/issue.net./etc/issue.net to give whatever notice your
lawyers say is appropriate to people trying to log into your
server:*******************************************************************************
NOTICE TO USERS
This computer system is the property of the Branch District Library. It is
for authorized use only. Users (authorized or unauthorized) have no explicit
or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
officials of law enforcement and government agencies.
By using this system, the user consents to such interception, monitoring,
recording, auditing, inspection, and disclosure at the discretion of the Branch
District Library or other authorized officials of law enforcement or government
agencies.
Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate. By
continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to
the conditions stated in this notice.
*******************************************************************************
/etc/network/interfaces. Leave the entry for
lo, add the following for eth0 and eth1. If your eth0 subnet is
192.168.1.X, you'll need to change IP addresses in this tutorial
accordingly to suit your situation. Your interfaces may also be labeled differently than ethX; they might be emX or something else. Use what makes senseauto eth0 iface eth0 inet static address 192.168.40.2 netmask 255.255.255.0 broadcast 192.168.40.255 gateway 192.168.40.1 dns-nameservers DNS1 DNS2 auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 dns-nameservers DNS1 DNS2
$ sudo apt install -y isc-dhcp-server && \ sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
Edit /etc/dhcp/dhcpd.conf as needed, adding static
address assignments for your library-provided public computers. If
you are using this DHCP server to give addresses to all your public
and staff computers, make sure all library computers are defined in
this file. The file should look something like this:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style none;
log-facility local7;
option routers 192.168.1.1;
option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;
subnet [Subnet of eth0, just ending in .0] netmask 255.255.255.0
{
}
subnet 192.168.1.0 netmask 255.255.255.0
{
range 192.168.1.100 192.168.1.254; # desired public service IP address range
host HOSTNAME-HERE # host names for static IP assignment
{
hardware ethernet MAC-ADDRESS-USING-COLONS;
fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
}
}
Edit /etc/rsyslog.d/50-default.conf. Find the line that reads:
*.*;auth,authpriv.none -/var/log/syslog
and change it to:
*.*;auth,authpriv.none,local7.none -/var/log/syslog
Restart DHCP server and rsyslog:
$ sudo service rsyslog restart && sudo service isc-dhcp-server restart
We'll use Shorewall to make it easier to maintain rules for public Internet access. Note: I highly recommend that you have this gateway behind another firewall, limiting access from the public Internet. In this case, think of "net" in all the examples below to mean your staff network and "loc" is your public access network.
Install shorewall and copy configuration files:
$ sudo apt-get install -y shorewall shorewall-init && \ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/ && \ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/masq /etc/shorewall/ && \ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/ && \ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/ && \ sudo cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/
/etc/shorewall/shorewall.conf. Find the line
that reads IP_FORWARDING=Keep and change that to
IP_FORWARDING=On./etc/shorewall/interfaces:#ZONE INTERFACE OPTIONS net eth0 dhcp,tcpflags,nosmurfs,routefilter,sourceroute=0 loc eth1 dhcp,tcpflags,nosmurfs,routefilter
Edit /etc/shorewall/masq:
eth0 192.168.1.0/24
Edit /etc/shorewall/policy:
loc all ACCEPT fw loc ACCEPT fw net REJECT net all DROP # THE FOLLOWING POLICY MUST BE LAST all all REJECTEdit
/etc/shorewall/rules. At minimum, append the
following rules to the end of the existing file. More likely, use
the huge ruleset we normally use.
# file sharing SMB(ACCEPT) net fw SMB(ACCEPT) fw net # Accept SSH connections for administration ACCEPT net fw tcp 22 # Accept HTTP for the wifi stats ACCEPT net fw tcp 80,443 # let the other servers access apcupsd for shutdown commands # after a power failure ACCEPT net fw tcp 3551 # VNC ACCEPT net fw tcp 5900 # Allow both sides of the firewall to access the filter # (as in your staff side can use the filter, too) ACCEPT net fw tcp 8081 # Route all HTTP traffic from library computers to the filter # make the IP address range match your needs REDIRECT loc:192.168.1.2-192.168.1.255 8081 tcp 80,8000,8001,8080 - #################################################### # RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL # #################################################### # ping ACCEPT fw net icmp #DNS ACCEPT fw net udp 53 ACCEPT fw net tcp 53 # HTTP(s) ACCEPT fw net tcp 80,8000,8001,8080,443 # NTP ACCEPT fw net udp 123 # Security Cams ACCEPT fw net tcp 7001,7002 # Allow all traffic out to the local staff and public networks ACCEPT fw net:192.168.0.0/16 all ACCEPT fw loc all ######################################################## # END RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL # ######################################################## # This last rule needs to be in place to allow for unfiltered library computers. It needs to be kept last. ACCEPT loc net tcp 80 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/zones:fw firewall net ipv4 loc ipv4
/etc/default/shorewall. Change
startup=0 to startup=1. Restart
shorewall:$ sudo shorewall restart
This setup will work fine with either Squid or Tinyproxy. Tinyproxy, as the name implies, is easier to setup and has less overhead. Squid has fewer problems with sites not loading, but requires more overhead and is more difficult to set up. We typically use Squid here.
Install Squid:
$ sudo apt-get install squid3
Edit /etc/squid3/squid.conf: search for
http_port 3128 and below it add the line
http_port 3129 intercept. Search for # access_log
/var/log/squid3/access.log squid. Add a line below that
reading access_log none. Search for
cache_store_log. There will be a commented out code
block for this tag with Default: none at the bottom.
Add a new line below this reading cache_store_log none.
Finally, add lines like the below to the end of the file to throttle
HTTP traffic as needed (adjust the numbers in bytes to match your
bandwidth and throttling needs):
########Squid Delay Pools######### # a simple global throttle, users sharing 5 Mbit/s delay_pools 1 delay_class 1 1 # 5 Mbit/s fill rate, 6 Mbit/s reserve, units in bytes delay_parameters 1 655360/786432 acl All src 0/0 delay_access 1 allow All
$ sudo service squid3 restart
$ sudo apt-get install -y tinyproxy
/etc/tinyproxy.conf: search for
LogLevel Info and change it to LogLevel
Warning. Search for
MaxClients 100, and change that to MaxClients
1000.$ sudo /etc/init.d/tinyproxy restart
0 2 * * * /etc/init.d/tinyproxy restart
# sudo apt-get install -y dansguardian
/etc/dansguardian/lists/bannedextensionlist.
Comment out any file extension that you want to allow through the
filter. Since we are not locking things down tightly like a
corporate environment might, you'll probably want to comment out
every line here. If you think you'll never want to block specific
file types, you could just select everything then delete the content
of the file to save time./etc/dansguardian/lists/bannedmimetypelist is
similar, you'll probably want to comment out, or delete, all the
lines./etc/dansguardian/lists/bannedregexpurllist. For a
library, the directives in this file have a tendency to over-block,
so comment out or delete all lines./etc/dansguardian/lists/bannedsitelist is one of
the more important files. This is where you can force an entire web
site to be blocked./etc/dansguardian/lists/blacklists/porn. Download
Shalla's Blacklist,
complying with the licensing for your type of organization. Unpack
the archive and copy the contents of the porn folder
into the folder you created above./etc/dansguardian/lists/bannedurllist works in a
similar fashion, though only for individual pages within a larger
web site, while leaving the rest of the web site alone. Like the
last file, you probably don't need to edit it now, except for
commenting out the ad blocking and uncommenting the porn
blacklist.exceptionsitelist—work similar to the banned*
ones above, only they apply to things you don't want blocked. Edit
them as you see fit. At BDL we add all the major web mail providers
to exceptionsitelist so that emails would never get blocked, for
example. Also, add .edu, .gov, .mi.us, etc./etc/dansguardian/lists/weightedphraselist contains
pointers to the various categories of phraselists that DansGuardian
uses in evaluating web pages. There's a nice description at the top
of the file that describes how the term weighting works. Edit the
file as you see fit, commenting out lines for things you don't want
to be blocked. For our example we'll leave the weighted phrase lists
only for good phrases and pornography, and comment out the
rest./etc/dansguardian/lists/urlregexplist to have a little expression to always force image searches on Google and Bing to be filtered. Add the following code to the end of the file:# for Google #we add &safe=vss to the end of every search "(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss" #for Bing #similar, but &adlt=strict is the keyword "(http[s]?://[0-9a-z]+.bing.com/images/search\?.*)"->"\1&adlt=strict"
/etc/dansguardian/languages/ukenglish/template.html as
desired to change the page telling users they've been blocked.
You can put images in this page, but they must be inserted
inline in base64 encoding./etc/dansguardian/dansguardian.conf.
The first thing
to do is comment out the line near the top of the file that starts
"UNCONFIGURED".loglevel = 2 and change the "2" to a "1".
proxy port from 3128 to 8888. If you're using Squid, leave it alone.filterport = 8080. Change "8080" to
"8081". Enough websites use port 8080 that this default port causes
problems sometimes.
/etc/dansguardian/dansguardianf1.conf. Change
the value for naughtynesslimit to a number that works
best for you. We use 220.$ sudo service dansguardian restart
For stability, add a root cronjob to restart DansGuardian hourly:
1 * * * * service dansguardian restart 31 * * * * service dansguardian restart
/var/www/html/signup. Copy the appropriately-customized index.php, backbone.php, and stats.php into the session timer folder. Set the permissions appropriately:$ sudo chgrp -R www-data /var/www/html/signup; \ sudo chmod 664 /var/www/html/signup/laptops_available; \ sudo chmod 664 /var/www/html/signup/time_override
/etc/mysql/my.cnf to allow network connections (our custom firewall rules limit this to the appropriate machines). Find the line bind-address = 127.0.0.1 and comment it out. Find and uncomment #max_connections and change the number to something big, like 1000000. Restart MySQL:$ sudo service mysql restart
$ mysql -u root -p mysql> CREATE DATABASE IF NOT EXISTS `pc_signup` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;quit; $ mysql -u root -p pc_signup < path_to_database_backup.sql
Create a user for the session timer user, granting only select and update permissions, from the IP address of the desktop. Repeat for each computer.
$ mysql -u root -p mysql> create user '[user]'@'[ip-address]' IDENTIFIED by '[password]'; GRANT SELECT, UPDATE ON pc_signup.* to '[user]'@'[ip-address]'; flush privileges; quit;
Install phpMyAdmin. We don't actually need it to get the system running, but it's nice to have if we ever need to look at the stats database directly. You can access it by going to http://YOUR-SERVER-IP-ADDRESS-OR-URL/phpmyadmin.
$ sudo apt install -y phpmyadmin
Next, edit /etc/phpmyadmin/apache.conf, find the "
Options FollowSymLinks DirectoryIndex index.php Order deny,allow Deny from all allow from YOUR-ALLOWED-IP-ADDRESS-OR-RANGE
Our stats setup will log hourly stats for any computer that
doesn't have a static definition in
/etc/dhcp/dhcpd.conf. Create the MySQL database for
tracking stats:
$ mysql -u root -p mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;quit;
$ mysql -u root -p wifi_stats < old_exported_wifi_stats.sql
wifi_stats.sql
into a file of the same name in your current directory. This is
the database schema which will create an empty database. Import
your file into MySQL:$ sudo mysql -u root -p wifi_stats < wifi_stats.sql
wifi_stats.php
into the file /var/www/html/wifi_stats.php. Edit the
top of the file to enter your own password.DHCPd-parse.php
into the file /var/www/html/DHCPd-parse.php. Edit the
top of the file to enter your own password. You can look at your
collected stats at
http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php.
reportdhcp.pl into
/usr/lib/cgi-bin/reportdhcp.pl. $ sudo chmod 755 /usr/lib/cgi-bin/reportdhcp.pl $ sudo a2enmod cgi $ sudo service apache2 restartThis program isn't actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from
http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
1 * * * * wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
/home/temp:$ sudo mkdir /home/temp $ sudo chown nobody:nogroup /home/temp $ sudo chmod 777 /home/temp
/etc/samba/smb.conf. Put the following lines
at the end:[temp] comment = Public file sharing space path = /home/temp read only = no user mask = nobody create mask = 0666 directory mask = 0777 browseable = no public = yes writeable = yes guest ok = yes guest only = yes
$ sudo service samba restart
\\192.168.1.1\temp in a file manager window. No
password should be required and you shoudl have full write
access./etc/samba/smb.conf to share and hold the print
jobs. Comment out the [printers] and
[print$] sections, then add the following lines to the
end of the file, changing as necessary to fit your situation:[ServiceDeskPrinter] path = /var/spool/samba browseable = yes printable = yes printer name = ServiceDeskPrinter cups options = job-hold-until=indefinite
lpadmin group. $ sudo adduser bdl_printers # or your own username sudo usermod -aG lpadmin bdl_printers
kde-print-queue ServiceDeskPrinter, then add that to startup. WIth the print queue manager you can release the print jobs to the printer, delete them, or reprint them.59 23 * * * /usr/bin/lprm -P ServiceDeskPrinter - 59 23 * * * /bin/rm /var/cache/cups/job.cache* 59 23 * * * /bin/rm /var/spool/cups/c* 59 23 * * * /bin/rm /var/spool/cups/d* 59 23 * * * /bin/rm /var/log/cups/page_log 59 23 * * * service cups restart
$ sudo adduser --no-create-home --disabled-login <user>, and make an accompanying Samba user with $ sudo smbpasswd -a <username>\\192.168.1.XXX\ServiceDeskPrinter. Make two instances, one for color and one for black and white. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.
Try to follow the instructions on Google's CloudPrint GitHub page to install from source. As of this writing, however, those instructions are utter crap. This recipe is gleaned from helpful individuals online (ignore any "FAIL" messages you may see. It will all still work):
$ sudo apt-get install -y build-essential libcups2-dev libavahi-client-dev git bzr $ git clone https://go.googlesource.com/go ~/go1.4 $ cd ~/go1.4/src $ git checkout go1.4.3 $ ./all.bash $ git clone https://go.googlesource.com/go ~/go1.5 $ cd ~/go1.5/src $ git checkout go1.5.2 $ ./all.bash $ echo 'export GOPATH=$HOME/go' >> ~/.bashrc $ echo 'PATH="$PATH:$HOME/go1.5/bin:$GOPATH/bin"' >> ~/.bashrc $ source ~/.bashrc $ go version $ go get github.com/google/cloud-print-connector/... $ sudo useradd -s /usr/sbin/nologin -r -M cloud-print-connector $ sudo mkdir /opt/cloud-print-connector $ sudo mv ~/go/bin/gcp* /opt/cloud-print-connector $ sudo chmod 755 /opt/cloud-print-connector/gcp* $ sudo chown cloud-print-connector:cloud-print-connector /opt/cloud-print-connector/gcp*
Run the setup program (skip if you already have the JSON file from an earlier install). Answer the questions it asks. When asked to visit a website to confirm a code, make sure you are logged into the Google account you are using to share your CloudPrint printers. Some help for these questions is available.
$ cd ~/ $ /opt/cloud-print-connector/gcp-connector-util init $ sudo mv ~/gcp-cups-connector.config.json /opt/cloud-print-connector/ $ sudo chmod 660 /opt/cloud-print-connector/gcp-cups-connector.config.json $ sudo chown cloud-print-connector:cloud-print-connector /opt/cloud-print-connector/gcp-cups-connector.config.json
Enable print holding for CloudPrint jobs:
$ sudo lpadmin -p ServiceDeskPrinter -o job-hold-until-default=indefinite
Create a startup script at /etc/init/gcp.conf: