Dansguardian Web Content Filtering
Dansguardian Web Content Filtering
Dansguardian Web Content Filtering
Description
Dansguardian is a web content filter, which analyses the actual content of web pages based on many
criteria including phrase matching, PICS filtering, URL filtering and lists of banned sites. Each content
type is given a score, and when the threshold score is exceeded, access to the web site is blocked. For
additional information see http://dansguardian.org
This HOWTO requires command line control to edit configuration files & restart the dansguardian service
after configuration changes.
There is a commercial implementation of Dansguardian for sme server which adds a server manager panel
to allow GUI control of all Dansguardian functionality & settings, see http://dungog.net/wiki/Dungog-
dansguardian
Information
To have a proper understanding of how Dansguardian works and the importance of certain configuration
settings you should read the detailed installation notes and Manual at the Dansguardian web site
http://dansguardian.org
The information on the Dansguardian website and other websites referred to, is of a generic nature and
some of it is NOT applicable to sme server installations, refer to the instructions in this HOWTO in
preference.
Installation instructions
Note:
It is not sufficient to simply install the package, the appropriate manual configuration is an integral
part of getting Dansguardian working on your system. A minimal installation requires all the
configuration steps listed below to be carried out, ie from the "Modifying Firewall and Proxy" section
up to "Filter Groups and Auth login". Filter Group configuration is only required if you wish to control
access on a per user basis.
Tip:
If you would like to have a graphical and web based overview of what dansguardian has analyzed then
take a look at http://wiki.contribs.org/Dansguardian-stats
Upgrading
There are substantial changes between dansguardian v2.9 over previous v2.8 (or earlier) installations. The
recommendation from dansguardian.org is to edit the new configuration files/lists rather than try to edit
your old ones.
Upgrading from 2.9 versions creates .rpmnew config files under /etc/dansguardian. This preserves your
existing config files, but there is a chance that dansguardian won't start if parameters in the config file have
changed.
Clamav libraries can cause problems when updating. If while updating you see something like
Update with
then
yum update
These instructions assume that the sme server is running in server gateway mode and acting as the gateway
for your network, and the squid proxy is running on the same machine that Dansguardian is running on.
If your server is configured in server only mode, then you will need to point your browser at that machine
to find the squid proxy rather than the default gateway.
Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then
Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should
do ALL the following steps:
1) Configure your SME Server to use Transparent Proxy port 8080 and to block direct access to the
squid proxy port 3128 & redirect port 80 to port 8080
Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-
dansguardian and is configured with the following commands. The Transparent proxy must also be enabled
(which is the sme default) to prevent users bypassing Dansguardian filtering.
To return Transparent Proxy port to default value and to disable portblocking and to enable the Transparent
proxy (which is the sme default)
Note:
If you disable the Transparent Proxy feature of SME Server, Dansguardian can be bypassed at will by
your users. You should keep the Transparent Proxy enabled (configured as above) for filtering to
work.
Go to your workstation and open your browser eg Internet Explorer or Firefox or your preferred browser
Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080
Bypass Proxy
Allow individual PC's or selected sites to bypass the proxy (and dansguardian) entirely see
Firewall#Bypass_Proxy.
Configuring Proxy to use Auth login
Dansguardian supports different types of auth login ie ncsa, pam & ident, and allows control of web site
access based on user name. For more details regarding the various auth login methods & other
configuration requirements, see http://dansguardian.org or Google.
Enable this functionality using the appropriate command, depending on your requirements. Most users of
sme will probably use pam auth as that will authorise access against sme users and passwords.
To enable any of the above setting changes you must follow the command with
expand-template /etc/squid/squid.conf
sv t /service/squid
If you are using ncsa auth, create the user & password authentication list (you don't require users to be valid
sme users)
touch /etc/proxyusers
Enter user names & password combinations one by one using this command
You can test the authentication list using the following command
/usr/lib/squid/ncsa_auth /etc/proxyusers
If you are using ident auth, you will require a ident client on your workstation. One windows ident client is
available from:
https://sourceforge.net/projects/retinascan
In some cases, the Windows firewall blocks access to the ident client and you will have to add an exception
in your firewall rules as follows:
Control Panel >> Windows Firewall >> Exceptions >> Add Port
• Name: auth
• Port number: 113
• TCP
You need to manually modify various configuration files. As a minimum the following basic changes need
to be made:
pico -w /etc/dansguardian/dansguardian.conf
for example to
accessdeniedaddress = 'http://www.mydomain.com/cgi-bin/dansguardian.pl'
Make any other required changes to suit your situation by carefully reviewing the other setting possibilities
Ctrl o
Ctrl x
pico -w /etc/dansguardian/dansguardianf1.conf
You may initially need to change (to suit adult level of protection)
naughtynesslimit = 50
to
naughtynesslimit = 160
Make any other required changes to suit your situation by carefully reviewing the other setting possibilities
Ctrl o
Ctrl x
If you have additional filter groups, then additional configuration files will need to be created and modified.
See section on "Filter Groups and Auth login" below.
You will need to change other config files to suit your site requirements:
You can read information in the beginning of each config file that explains usage & syntax
/etc/dansguardian/lists...
/etc/dansguardian/lists/f2/...
eg
pico -w /etc/dansguardian/lists/f2/bannedextensionlist
Ctrl o
Ctrl x
bannedextensionlist
bannedsitelist
bannedurllist
exceptionsitelist
You should review ALL the dansguardian config files in /etc/dansguardian/lists and subfolders as part of
your initial Dansguardian setup.
Some of the default settings in these files will prevent access to certain web sites and file types, which may
conflict with your site requirements. See more details on the Dansguardian/ConfigFiles page of this Howto
or at http://dansguardian.org
You may also want to tailor the html template for the error message displayed when Dansguardian blocks a
site, see
/etc/dansguardian/languages/(languagename)/template.html
eg
pico -w /etc/dansguardian/languages/ukenglish/template.html
Dansguardian supports filter groups, which allow web access control of users based on filter group
membership. Different users can have different access rights, and to achieve this each filter groups
configuration files are configured with different access rights. Users are made members of the required
filter group by editing /etc/dansguardian/lists/filtergroupslist
When you open a web browser you get asked to login with a username & password. Depending on the
users group membership they get filtered or unfiltered access.
For additional information on filtering users access rights based on group membership (in conjunction with
Auth login), see http:/dansguardian.org
In order to use filter groups, you must be using one of the Auth login methods.
If you wish to authenticate users when opening a browser using pam auth method, then you will need to
disable Transparent Proxy as it is not compatible with this method.
Doing the above will also require you to manually specify the proxy settings in your browser, so you will
need to add the server IP eg 192.168.1.1 and port 8080 for the proxy setting
You cannot have pam auth enabled and Transparent Proxy set to yes.
Issue one of the following commands to enable the type of Auth login required, which will then permit the
configuration & use of Filter Groups
expand-template /etc/squid/squid.conf
sv t /service/squid
cp /etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf2.conf
cp /etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf3.conf
cp /etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf4.conf
cp /etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf5.conf
Because the Filter Group 1 (default) uses the configuration files located at the root of "/lists" directory, it is
only necessary to create the rest of the directories f2, f3, f4 and f5 to host the configuration files for each
Filter Group.
Each filter directory (f2, f3, etc.) will house all the configuration files located at the root of "/lists" directory
unless filtergroupslist, bannediplist and exceptioniplist, because they are not used for filtering because only
they are called (logically) from the general configuration file dansguardian.conf.
Because the configuration files are modified, is a smart idea to create a "virgin" copy of the files and then
use it to create new filters directory. This directory will named "virgin" or something similar.
mkdir -p /etc/dansguardian/lists/virgin
cp /etc/dansguardian/lists/* /etc/dansguardian/lists/virgin
rm -f /etc/dansguardian/lists/virgin/filtergroupslist
rm -f /etc/dansguardian/lists/virgin/bannediplist
rm -f /etc/dansguardian/lists/virgin/exceptioniplist
cp -R /etc/dansguardian/lists/virgin /etc/dansguardian/lists/f2
cp -R /etc/dansguardian/lists/virgin /etc/dansguardian/lists/f3
cp -R /etc/dansguardian/lists/virgin /etc/dansguardian/lists/f4
cp -R /etc/dansguardian/lists/virgin /etc/dansguardian/lists/f5
pico -w /etc/dansguardian/dansguardianf2.conf
pico -w /etc/dansguardian/dansguardianf3.conf
pico -w /etc/dansguardian/dansguardianf4.conf
pico -w /etc/dansguardian/dansguardianf5.conf
Edit & save the main dansguardian configuration file to setup filter groups
pico -w /etc/dansguardian/dansguardian.conf
pico -w /etc/dansguardian/dansguardianf1.conf
pico -w /etc/dansguardian/dansguardianf2.conf
pico -w /etc/dansguardian/dansguardianf3.conf
pico -w /etc/dansguardian/dansguardianf4.conf
pico -w /etc/dansguardian/dansguardianf5.conf
pico -w /etc/dansguardian/lists/filtergroupslist
add entries for users who are members of other filter groups, use this format
username=filtergroupnumber
for example
ray=filter2
george=filter3
mary=filter4
peter=filter5
and so on.
/etc/init.d/dansguardian restart
You can create as many groups as you want, using similar steps as above.
Each group can have different levels of filtering eg different exceptionlists and naughtyness limits etc.
pico -w /etc/dansguardian/lists/f2/exceptionsitelist
etc etc
Where f2 is a blocked group then setting changes to exception & other lists for that group will have no
effect. Where f5 is a unfiltered group then setting changes to exception & other lists for that group will
have no effect.
ClamAV support
If you want to use DansGuardian with SME antivirus, edit /etc/dansguardian/dansguardian.conf and
uncomment following line:
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
# OPTION: virusscanexceptions
# If off, antivirus scanner will ignore exception sites and urls.
virusscanexceptions = on
+ clamdudsfile = '/var/clamav/clamd.socket'
- #clamdudsfile = '/var/run/clamav/clamd.socket'
If you also want to be warned each time a bad page is blocked, edit /etc/dansguardian/dansguardianf1.conf
and modify default settings:
usesmtp = on
mailfrom = 'dansguardian'
avadmin = 'admin'
contentadmin = 'admin'
notifyav = on <= virus mail alert
notifycontent = on <= content mail alert
Restart dansguardian and try to download eicar test virus
There are many other config files, including but not limited to the ones in this appendix
Dansguardian/ConfigFiles
Starting Dansguardian
After install & initial configuration you must manually start Dansguardian to enable web content filtering
(Note that suitable links to start Dansguardian at startup/reboot are setup when the rpm is installed)
/etc/init.d/dansguardian start
Stopping Dansguardian
If you need to stop Dansguardian (ie to disable filtering or test your system without Dansguardian running)
/etc/init.d/dansguardian stop
Restarting Dansguardian
You will need to restart Dansguardian after making any configuration changes (so they can take effect)
/etc/init.d/dansguardian restart
/etc/init.d/dansguardian status
Testing access
You should receive a message advising the site is blocked. Try browsing to other sites with inappropriate
content or a site on your banned site list and you should receive a site blocked message.