
Steelmon's tech stuff

Setting up a blacklist proxy with automatic updates using Squid and SquidGuard
Posted in Howto, Linux, Proxy, Security by steelmon on December 9, 2010

The versatile, open source proxy server Squid can be used together with the plug-in SquidGuard to set up a flexible blacklist proxy server. Together with a simple cron job and a shell script, the database of blacklisted sites is kept up to date. This article describes the process step-by-step of how to get up and running. I will be setting up the solution on an Ubuntu 9 server which conveniently has the necessary software available in its repositories. The setup should be very similar for other Linux environments, but you might have to compile the software from scratch.

Install and configure Squid


First of all, install and configure Squid. I did this in a previous post when I was looking at configuring a whitelist proxy.

sudo apt-get install squid

Edit the Squid configuration file, /etc/squid/squid.conf, and find the http_port tag. By default Squid listens on port 3128 for requests. If you want to change it, uncomment the line and change the port number.

Next, define who is allowed to access the proxy. Find the TAG: http_access heading and below it the "INSERT YOUR OWN RULE(S) HERE" comment. Uncomment the line:

#http_access allow localnet

You will also need to define what is meant by localnet. Find the TAG: acl heading, and look for something like the following line:

#acl localnet src 192.168.1.0/24 192.168.2.0/24

Change the IP address and netmask above so that it matches your local network. In my case, I am on a local network with addresses ranging from 192.168.0.1 to 192.168.0.255. This means that the netmask is 255.255.255.0 (i.e. 3 bytes of "ones"), or 24 bits. So for my network it looks like this:

acl localnet src 192.168.0.0/24

Now start Squid if it's not already running and then tell it to reload its configuration:

sudo /etc/init.d/squid start
squid -k reconfigure

You should now be able to use the proxy server from your web browser. Nothing will be blocked just yet, but you should get pages served if everything was set up correctly.

Install SquidGuard

Start by installing SquidGuard using apt-get:

sudo apt-get install squidguard

Next, prepare Squid for use with SquidGuard, so once more open up /etc/squid/squid.conf in your favorite text editor. You need to tell Squid where SquidGuard is. Find the TAG: url_rewrite_program heading. There is no default setting, so add a new line:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Prepare the blacklist database


Before going into further configuration of SquidGuard, having access to a database of blacklisted sites and URLs is desirable. Download the file getlists.odt, set the executable flag and rename it getlists.sh:

wget http://steelmon.files.wordpress.com/2010/12/getlists.odt
sudo mv getlists.odt /usr/local/bin/getlists.sh
sudo chmod +x /usr/local/bin/getlists.sh

The file ending is odt rather than sh since WordPress does not allow shell scripts to be uploaded. Now, create the database by executing the script:

sudo getlists.sh

You should now see some output from the script, and after some time of processing you should be able to see the result by listing the contents of the blacklists database directory:

ls -l /var/lib/squidguard/db/blacklists/

Configure SquidGuard

Open the SquidGuard configuration file, /etc/squid/squidGuard.conf, for editing, and replace the contents with the following:

#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard/db/blacklists
logdir /var/log/squid

dest ads {
	domainlist ads/domains
	urllist ads/urls
}

dest aggressive {
	domainlist aggressive/domains
	urllist aggressive/urls
}

dest drugs {
	domainlist drugs/domains
	urllist drugs/urls
}

dest hacking {
	domainlist hacking/domains
	urllist hacking/urls
}

dest porn {
	domainlist porn/domains
	urllist porn/urls
}

dest redirector {
	domainlist redirector/domains
	urllist redirector/urls
}

dest suspect {
	domainlist suspect/domains
	urllist suspect/urls
}

dest warez {
	domainlist warez/domains
	urllist warez/urls
}

dest audio-video {
	domainlist audio-video/domains
	urllist audio-video/urls
}

dest gambling {
	domainlist gambling/domains
	urllist gambling/urls
}

dest mail {
	domainlist mail/domains
}

dest proxy {
	domainlist proxy/domains
	urllist proxy/urls
}

dest spyware {
	domainlist spyware/domains
	urllist spyware/urls
}

dest violence {
	domainlist violence/domains
	urllist violence/urls
}

acl {
	default {
		pass !ads !aggressive !drugs !hacking !porn !redirector !suspect !warez !audio-video !gambling !mail !proxy !spyware !violence all
		redirect http://www.x509.se/block.html
	}
}

Among the last lines, there is a URL to a page that gets served whenever there is blocked content. You should change the URL to your own block page (unless you're happy with my extremely sparse one in Swedish).

Compile the SquidGuard database. This may take a while to complete:

sudo squidGuard -C all

Start Squid, which in turn will start SquidGuard, and reconfigure:

sudo /etc/init.d/squid start
sudo squid -k reconfigure

Troubleshooting
If you are having problems, most likely it's related to permissions. You can get some useful information by running SquidGuard from the command line:

sudo su - proxy
echo "http://www.ubuntu.com <client ip address>/ - - GET" | squidGuard -d -c /etc/squid/squidGuard.conf

You can change the URL to whatever you'd like to test for access or denial. The IP address is the address of the computer you want to simulate surfing the net from. If you encounter any problems with permissions, you may try the following:

sudo chown proxy:proxy /etc/squid/squidGuard.conf
sudo chown -R proxy:proxy /var/lib/squidguard/db
sudo chown -R proxy:proxy /var/log/squid/
chmod 644 /etc/squid/squidGuard.conf
chmod -R 640 /var/lib/squidguard/db
chmod -R 644 /var/log/squid/
find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
chmod 755 /var/log/squid
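The command-line test above only tells you what SquidGuard decided, not why. As an added example (not code from the original post or from SquidGuard), the script below approximates SquidGuard's domainlist/urllist lookup offline against constructed sample lists, so you can see which entry a URL would hit before compiling a list; the block page URL and list entries are made up, and real SquidGuard also supports expressionlists (regexes), which this does not model.

```shell
#!/bin/sh
# Added example: offline approximation of a SquidGuard "dest" lookup.
# Constructed sample lists stand in for /var/lib/squidguard/db/blacklists/ads.
DB=$(mktemp -d)
trap 'rm -rf "$DB"' EXIT
mkdir -p "$DB/ads"
printf '%s\n' 'adserver.example' 'ads.example.net' > "$DB/ads/domains"
printf '%s\n' 'example.org/banners' 'news.example/ads/' > "$DB/ads/urls"
BLOCKPAGE='http://www.example.com/block.html'   # made-up redirect target

# host_of URL: strip scheme, path and port; lower-case the host.
host_of() {
  h=${1#*://}; h=${h%%/*}; h=${h%%:*}
  printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# blocked URL DIR: succeed if DIR/domains or DIR/urls matches the URL.
blocked() {
  url=$1; dir=$2
  host=$(host_of "$url")
  # A domainlist entry matches the host itself and every subdomain of it,
  # on label boundaries only ("notads.example.net" does not match "ads.example.net").
  d=$host
  while [ -n "$d" ]; do
    grep -qxF "$d" "$dir/domains" && return 0
    case $d in *.*) d=${d#*.} ;; *) d= ;; esac
  done
  # A urllist entry is a host/path prefix; scheme and a leading "www." are ignored.
  rest=${url#*://}; rest=${rest#www.}
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case $rest in "$entry"*) return 0 ;; esac
  done < "$dir/urls"
  return 1
}

# decide URL: print the redirect target when blocked, otherwise the URL itself,
# mirroring the "pass !ads all" / "redirect ..." acl shown in the article.
decide() {
  if blocked "$1" "$DB/ads"; then printf '%s\n' "$BLOCKPAGE"; else printf '%s\n' "$1"; fi
}

decide 'http://x.adserver.example/index.html'      # blocked via parent domain
decide 'http://www.example.org/banners/1.gif'      # blocked via urllist prefix
decide 'http://notads.example.net/'                # passes: not a subdomain match
```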

More detailed troubleshooting guidance is available in the reference section.

Automating the blacklist updates


When everything is up and running, you may want to automate the update procedure. This is easily accomplished by setting up a cron job. Open the cron table in interactive mode:

sudo crontab -e

Add the following line at the end of the file:

30 3 * * * /usr/local/bin/getlists.sh

This will run the blacklist download script every night at 30 minutes past 3.

References

https://help.ubuntu.com/community/SquidGuard
http://www.squidguard.org/Doc/
http://www.maynidea.com/squidguard/getlists.html
