DansGuardian open source content filtering
•Download as ODP, PDF•
1 like•3,929 views
DansGuardian is an open source content filtering proxy server that can block offensive, malicious, or time-wasting content. It works by pairing with proxy servers like Squid or TinyProxy to filter web traffic. DansGuardian can be configured to log blocked content, apply user-based or group-based filters, and uses blacklist and whitelist files to determine what content to allow or block. Basic configuration of DansGuardian involves editing configuration files to specify the proxy port and blacklist files, while more advanced options allow regular expression matching and separate filter profiles for different user groups.
![DansGuardian Open Source Content Filtering Andrew Vandever RHC{T,E,I,X} [email_address] http://avcomp.net](https://image.slidesharecdn.com/dansguardianpresentation-100219133726-phpapp01/85/DansGuardian-open-source-content-filtering-1-320.jpg)
![DansGuardian ,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
More Related Content
What's hot
What's hot (20)
Similar to DansGuardian open source content filtering
Similar to DansGuardian open source content filtering (20)
Recently uploaded
Recently uploaded (20)
DansGuardian open source content filtering
- 1. DansGuardian Open Source Content Filtering Andrew Vandever RHC{T,E,I,X} [email_address] http://avcomp.net
- 7. Advanced Url Matching with RegExp
- 10. Time-Wasters
- 13. Ident
- 14. IP Addresses
- 17. TinyProxy
- 20. Ubuntu
- 22. Flexible
- 24. Commercial Support Available: Smoothwall
- 36. dansguardianf1.conf – filter settings for first group
- 37. lists/* - blacklists, whitelists, regexp lists, group lists
- 38. squid.conf – main squid configuration, defaults okay
- 39. tinyproxy.conf – main TP configuration, check port
- 41. More systems = harder to manage
- 45. Breaks SSL
- 47. DNAT HTTP traffic to DansGuardian
- 48. Reject outbound proxy ports
- 49. Log or block other outbound ports
- 54. “nameserver 127.0.0.1” in /etc/resolv.conf
- 55. Otherwise, whitelisting may be necessary
- 57. Cronjob to get latest lists
- 59. You probably need to comment many lines from banned{mimetype,extension}list right off the bat
- 62. Blacklisted pages are denied outright
- 63. Whitelisted pages are allowed and content is not scanned
- 64. Greylisted pages are not blocked based on the url (useful for working around urlregexp issues), but still have their content checked, and are allowed or denied based on content
- 66. Page is scanned, producing “naughtyness” score
- 67. If naughtyness score of page is greater than naughtyness limit of client, access is denied
- 68. Check /var/log/dansguardian/access.log for more information on blocked content
- 70. Groups can have separate naughtyness limits
- 72. proxy-digest
- 74. ip
- 76. In filtergroupslist: username=groupname
- 77. For ip auth, use lists/authplugins/ipgroups
- 78. Copy dansguardianf1.conf to dansguardianfN.conf
- 80. Can use nested includes for filter lists
- 82. Used for blocking complex nested url's
- 83. Useful for blocking certain search patterns
- 87. smoothwall.net
- 88. netfilter.org
- 89. squid-cache.org
- 91. man 5 crontab
- 92. www.isc.org
- 94. [email_address]
Editor's Notes
- Schools, businesses and even home users have a lot to lose from their workstation users accidentally or intentionally accessing offensive content, time-wasting content, or malware. DansGuardian protects your network from all three. DansGuardian logs to /var/log/dansguardian/access.log. Directives in the configuration can tell DG to log in squid format, making it easy to analyze the logs later with tools like calamaris.
- TinyProxy uses far fewer resources than squid, making it very nice for home use. However, you give up 3 of 5 of your authentication mechanisms. Squid is also probably better for an environment with many users. DG forks similar to Apache HTTPD. EPEL, of course, being “Extra Packages for Enterprise Linux”. You could also grab the source from dansguardian.org.
- Smoothwall gives a commercial packaging and support for DG. Either the browser intentionally used DG as a proxy, or the firewall intercepts the traffic, redirecting it to DG. Explicit-proxy is better, but more difficult to manage. Transparent-proxy is easier to manage, but gives you less flexibility when it comes to traffic like SSL, as well as cutting out 3 of 5 of DG's auth mechanisms. For SSL, sending the traffic directly to squid is typically a better idea.
- Examples: Gateway is 10.0.0.1, dg box is 10.0.0.2 iptables -t nat -A FORWARD -s 10.0.0.2 -j ACCEPT iptables -t nat -A FORWARD -m tcp -p tcp –dport 80 ! -d 10.0.0.0/8 -j DNAT –to-destination 10.0.0.2:8080 iptables -t filter -A FORWARD -m tcp -p tcp –dport 3128 ! -d 10.0.0.2 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 8080 ! -d 10.0.0.2 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 8888 -j REJECT iptables -t filter -A FORWARD -m tcp -p tcp –dport 443 -j REJECT iptables -t filter -A FORWARD -j LOG Service iptables save Now, make sure you set squid on 10.0.0.1 to listen to port 80 only from loopback (DG), but 443 from all clients
- Examples: Redirect box's own traffic to dg iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT iptables -t nat -A OUTPUT -m tcp -p tcp –dport 80 -j DNAT –to-destination 127.0.0.1:8080 iptables -t filter -A OUTPUT -m tcp -p tcp --dport 3128 -j REJECT iptables -t filter -A OUTPUT -m tcp -p tcp –dport 8080 -j REJECT iptables -t filter -A OUTPUT -m tcp -p tcp --dport 8888 -j REJECT iptables -t filter -A OUTPUT -j LOG service iptables save
- The default BIND (named) configuration in fedora will perform recursive lookups for localhost, and cache the results. With just a little bit of tweaking you can also use this as the nameserver for the workstations on your network. The way certain sites (like facebook.com) do dns-based load-balancing can make DG think you're being spoofed. Local lookups prevent this, although the strict behavior is disabled in DG by default in current versions. Contentscanner can set all your incoming content to be virus-scanned. Downloadmanager will try to assist with download speed, but can break large downloads in some cases.
- shallalist.de is free for non-commercial use. urlblacklist.com costs money to use. Some on the mailing list tell me shallalist is better anyway.
- Unfortunately you have to put “filterX” in your groupslist, even if you specify a groupname in your dansguardianfX.conf for the group. Many sites will have a default group that has zero access to the internet, forcing users to login to get any access. In a DHCP setting, you might use ip auth to place most users in a default group, but set permanent leases for frequent users who you want to place in a different group.
- Anything you can do in Perl, you can do here, but keep in mind it's perlre, not PCRE.