UBUNTU 12.04 PRECISE PANGOLIN AND DANSGUARDIAN FOR FILTERING AND PUBLIC WIRELESS ACCESS


By John C. Rucker

Originally published on 2 November 2012. Last modified on 2 June 2015.
This guide is a quick step-by-step guide to how I implement DansGuardian on Ubuntu systems. This one is all command-line with no hand-holding. For something easier, though out of date, try some of my earlier tutorials.

Introduction

Below are my local install notes for putting together a DansGuardian filtering system on Ubuntu 12.04 Precise Pangolin, including multiple filtering profiles and statistics. You’ll need to be pretty comfortable with Linux and the command line to replicate this. But it’s really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 2 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find it useful, too.

Install Ubuntu

  • Start installing the server edition of Ubuntu Precise Pangolin.
  • Partition the hard drive as you see fit.
  • Choose LAMP and OpenSSH servers to install.
  • Reboot, login, and apply all updates, and reboot again.
  • At this point you should log in via SSH from another computer with a GUI so you can copy and paste commands. Things will go much quicker this way.

Tweak a Few Things

  • Enable the root user, and disable sudo:
$ sudo passwd root
$ su
# mv /etc/securetty /etc/securetty.bak; \
touch /etc/securetty; \
mv /etc/sudoers /etc/sudoers.bak
  • Install NTP:
# apt-get install ntp
  • Edit /etc/ntp.conf to add us.pool.ntp.org to the top of the list of servers already in there.
  • Edit /etc/ssh/sshd_config. Set PermitRootLogin to no, set X11Forwarding to no, and uncomment the line #Banner /etc/issue.net.
  • Edit /etc/issue.net to give whatever notice your lawyers say is appropriate to people trying to log into your server:
*******************************************************************************
                              NOTICE TO USERS

This computer system is the property of the Branch District Library.  It is
for authorized use only.  Users (authorized or unauthorized) have no explicit
or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
officials of law enforcement and government agencies.

By using this system, the user consents to such interception, monitoring,
recording, auditing, inspection, and disclosure at the discretion of the Branch
District Library or other authorized officials of law enforcement or government
agencies.

Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate.  By
continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use.  LOG OFF IMMEDIATELY if you do not agree to
the conditions stated in this notice.

*******************************************************************************
  • Edit /etc/network/interfaces. Leave the entry for eth0 and add the following for eth1. If your eth0 subnet is 192.168.1.X, you’ll need to change the IP addresses used throughout this tutorial to suit your situation.
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway YOUR-GATEWAY-FOR-ETH0
dns-nameservers YOUR-DNS-SERVER-1 YOUR-DNS-SERVER-2
  • Restart networking:
# /etc/init.d/networking restart

DHCP Server

  • Install the DHCP server and back up the original config file:
# apt-get install dhcp3-server; \
mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
  • Edit /etc/dhcp/dhcpd.conf as needed, adding static address assignments for your library-provided public computers. If you don’t want to count your library computers in the statistics (we’ll cover that later), make sure all library public computers are defined in this file. The file should look something like this:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style none;
log-facility local7;
option routers 192.168.1.1;
option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;

subnet [Subnet of eth0, just ending in .0] netmask 255.255.255.0 
{
}

subnet 192.168.1.0 netmask 255.255.255.0 
{
    range 192.168.1.100 192.168.1.254; # desired public service IP address range
    host HOSTNAME-HERE # host names for static IP assignment
    {
        hardware ethernet MAC-ADDRESS-USING-COLONS;
        fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
    }
}
  • Restart DHCP server:
# /etc/init.d/isc-dhcp-server restart

Shorewall

  • Install shorewall and copy configuration files:
# apt-get install shorewall; \
cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
  • Edit /etc/shorewall/shorewall.conf. Find the line that reads IP_FORWARDING=Keep and change that to IP_FORWARDING=On.
  • Edit /etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS

net     eth0        detect
loc     eth1        detect      dhcp
  • Edit /etc/shorewall/masq:
eth0          192.168.1.0/24
eth0          YOUR-SUBNET-FOR-ETH0/24
  • Edit /etc/shorewall/policy:
loc         all         REJECT
fw          all         REJECT
net         all         DROP
all         all         REJECT
  • Edit /etc/shorewall/rules. At minimum, have the following rules. More likely, use the huge ruleset we normally use.
# Accept SSH connections for administration, outgoing ssh from fw
ACCEPT      loc                     fw      tcp     22
ACCEPT      net                     fw      tcp     22
ACCEPT      fw                      net     tcp     22

# Accept HTTP for the wifi stats
ACCEPT      loc                     fw      tcp     80
ACCEPT      net                     fw      tcp     80

# allow web traffic out of the firewall
ACCEPT      fw      net                     tcp     80,8000,8001,8080

# Allow pinging out through the web filter
ACCEPT      loc        net        icmp

# Allow DNS requests
ACCEPT      loc        net        tcp     53
ACCEPT      loc        net        udp     53 
ACCEPT      fw         net        tcp     53
ACCEPT      fw         net        udp     53

# Allow POP3 email
ACCEPT      loc        net        tcp     110

# Allow NTP
ACCEPT      loc        net        udp     123

# Allow IMAP email
ACCEPT      loc        net        tcp     143   
        
# Allow secure web sites
ACCEPT      loc        net        tcp     443

# Secure SMTP
ACCEPT      loc                     net     tcp     465

# Allow DHCP requests
ACCEPT      loc        fw         tcp     546,547
ACCEPT      loc        fw         udp     67,68
ACCEPT      fw         net        tcp     546,547
ACCEPT      fw         net        udp     67,68

# smtp submission
ACCEPT      loc                     net     tcp     587

# Allow Secure IMAP email
ACCEPT      loc        net        tcp    993

# Allow Secure POP3 email
ACCEPT      loc        net        tcp    995

# Allow both sides of the firewall to access the filter
# (as in your staff side can use the filter, too)
ACCEPT      net       fw          tcp    8080

# Route all HTTP traffic from library kids computers to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.11-192.168.1.20 8081    tcp    80,8000,8001,8080   -

# Route all HTTP traffic from library adult computers to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.21-192.168.1.30 8082    tcp    80,8000,8001,8080   -

# Route all HTTP traffic from patron devices to the filter
# make the IP address range match your needs
REDIRECT    loc:192.168.1.100-192.168.1.255 8083    tcp    80,8000,8001,8080   -

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  • Edit /etc/shorewall/zones:
fw      firewall
net     ipv4
loc     ipv4
  • Edit /etc/default/shorewall. Change startup=0 to startup=1. Restart shorewall:
# shorewall restart

Squid

  • Install Squid:
# apt-get install squid
  • Edit /etc/squid3/squid.conf: search for http_port 3128 and change it to http_port 127.0.0.1:3128 transparent. Search for # access_log /var/log/squid3/access.log squid. Add a line below that reading access_log none. Search for cache_store_log. There will be a commented out code block for this tag with Default: none at the bottom. Add a new line below this reading cache_store_log none. Finally, add lines like the below to the end of the file to throttle HTTP traffic as needed (adjust the numbers in bytes to match your bandwidth and throttling needs):
########Squid Delay Pools#########
# a simple global throttle, users sharing 5 Mbit/s
delay_pools 1
delay_class 1 1
# 5 Mbit/s fill rate, 6 Mbit/s reserve, units in bytes
delay_parameters 1 655360/786432
acl All src 0/0
delay_access 1 allow All
  • Restart Squid:
# /etc/init.d/squid3 restart

DansGuardian

  • Install DansGuardian:
# apt-get install dansguardian
  • We’re going to have 3 instances of DansGuardian running: one for filtering kids’ computers in the library, running on port 8081; one for adult computers in the library, running on port 8082; and one for our free public wireless network for patrons’ own devices, running on port 8083. We’ll be using just one set of configuration files to control most of the behaviour of all 3 DansGuardian instances, editing only the three sets of dansguardian.conf and dansguardianf1.conf files to fine-tune them. Below are all the commands to symlink the binaries, make additional directories for configuration and log files, and copy and symlink the original configuration files. For your copy & paste pleasure, these commands are given as one multi-line command line that you can copy all at once:
# ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian1; \
ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian2; \
ln -s /usr/sbin/dansguardian /usr/sbin/dansguardian3; \
mkdir /etc/dansguardian1; \
mkdir /etc/dansguardian2; \
mkdir /etc/dansguardian3; \
mkdir /var/log/dansguardian1; \
mkdir /var/log/dansguardian2; \
mkdir /var/log/dansguardian3; \
chown dansguardian:dansguardian /etc/dansguardian1; \
chown dansguardian:dansguardian /etc/dansguardian2; \
chown dansguardian:dansguardian /etc/dansguardian3; \
chown dansguardian:dansguardian /var/log/dansguardian1; \
chown dansguardian:dansguardian /var/log/dansguardian2; \
chown dansguardian:dansguardian /var/log/dansguardian3; \
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian1/; \
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian2/; \
cp /etc/dansguardian/dansguardian.conf /etc/dansguardian3/; \
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian1/; \
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian2/; \
cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian3/; \
ln -s /etc/dansguardian/authplugins /etc/dansguardian1/authplugins; \
ln -s /etc/dansguardian/authplugins /etc/dansguardian2/authplugins; \
ln -s /etc/dansguardian/authplugins /etc/dansguardian3/authplugins; \
ln -s /etc/dansguardian/contentscanners /etc/dansguardian1/contentscanners; \
ln -s /etc/dansguardian/contentscanners /etc/dansguardian2/contentscanners; \
ln -s /etc/dansguardian/contentscanners /etc/dansguardian3/contentscanners; \
ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian1/downloadmanagers; \
ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian2/downloadmanagers; \
ln -s /etc/dansguardian/downloadmanagers /etc/dansguardian3/downloadmanagers; \
ln -s /etc/dansguardian/languages /etc/dansguardian1/languages; \
ln -s /etc/dansguardian/languages /etc/dansguardian2/languages; \
ln -s /etc/dansguardian/languages /etc/dansguardian3/languages; \
ln -s /etc/dansguardian/lists /etc/dansguardian1/lists; \
ln -s /etc/dansguardian/lists /etc/dansguardian2/lists; \
ln -s /etc/dansguardian/lists /etc/dansguardian3/lists
  • Now we’ll modify the common configuration files:
  • Open /etc/dansguardian/lists/bannedextensionlist. Comment out any file extension that you want to allow through the filter. Since we are not locking things down tightly like a corporate environment might, you’ll probably want to comment out every line here. If you think you’ll never want to block specific file types, you could just select everything and then delete the content of the file to save time. Here’s our working file if you want to copy and paste.
  • /etc/dansguardian/lists/bannedmimetypelist is similar; you’ll probably want to comment out, or delete, all the lines. Here’s our working file if you want to copy and paste.
  • Now open /etc/dansguardian/lists/bannedregexpurllist. For a library, the directives in this file have a tendency to over-block, so comment out or delete all lines. Here’s our working file if you want to copy and paste.
  • /etc/dansguardian/lists/bannedsitelist is one of the more important files. This is where you can force an entire web site to be blocked. You can also use this file to make your filter a whitelist. That is, all sites will be blocked that you don’t explicitly allow. Finally, you also have the option to use some built-in blacklists. You likely won’t need to edit this file now, but later you might. The comments in the file explain how to enable the various options.

    One thing you will want to do for a library environment is comment out the advertisement blocking about halfway down through the file.

    Here’s our working file if you want to copy and paste.

  • /etc/dansguardian/lists/bannedurllist works in a similar fashion, though only for individual pages within a larger web site, while leaving the rest of the web site alone. Like the last file, you probably don’t need to edit it now, except for commenting out the ad blocking. Here’s our working file if you want to copy and paste.
  • The files starting with exception—like exceptionsitelist—work similarly to the banned* ones above, only they apply to things you don’t want blocked. Edit them as you see fit. At BDL we add all the major web mail providers to exceptionsitelist so that emails never get blocked, for example. Also, add .edu, .gov, .mi.us, etc. Here’s our working file if you want to copy and paste.
  • /etc/dansguardian/lists/weightedphraselist contains pointers to the various categories of phrase lists that DansGuardian uses in evaluating web pages. There’s a nice description at the top of the file that describes how the term weighting works. Edit the file as you see fit, commenting out lines for things you don’t want to be blocked. For our example we’ll leave the weighted phrase lists only for good phrases and pornography, and comment out the rest. Here’s our working file if you want to copy and paste.
  • Edit /etc/dansguardian/lists/urlregexplist to have a little expression to always force image searches on Google and Bing to be filtered. Add the following code to the end of the file:
# for Google
#we add &safe=vss to the end of every search
"(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss"

#for Bing
#similar, but &adlt=strict is the keyword
"(^http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)"->"\1&adlt=strict"
  • Edit /etc/dansguardian/languages/ukenglish/template.html as desired to change the page telling users they’ve been blocked. You can put images in this page, but they must be inserted inline in base64 encoding. Here’s our working file if you want to copy and paste.
  • Up to this point, even though we’re going to have 3 instances of DansGuardian running, we’ve been editing only one set of files since all 3 instances share the files. For the next steps, we’ll be editing the same files 3 times, one for each instance.
  • Edit /etc/dansguardian1/dansguardian.conf, /etc/dansguardian2/dansguardian.conf, and /etc/dansguardian3/dansguardian.conf. The first thing to do is comment out the line near the top of the file that starts “UNCONFIGURED”. Next find loglevel = 2 and change the “2” to a “1”. Next, search for every instance of /etc/dansguardian/ and /var/log/dansguardian/ and replace “dansguardian” with “dansguardian1”, “dansguardian2”, or “dansguardian3”, as appropriate to the file you’re editing. There are many instances to change. Find the line filterport = 8080. Change “8080” to “8081”, “8082”, or “8083”, depending on which file you’re editing.

    Find the following lines:

    • ipcfilename = '/tmp/.dguardianipc'
    • urlipcfilename = '/tmp/.dguardianurlipc'
    • ipipcfilename = '/tmp/.dguardianipipc'
    • pidfilename = '/var/run/dansguardian.pid'

    and change them to:

    • ipcfilename = '/tmp/.dguardian1ipc'
    • urlipcfilename = '/tmp/.dguardian1urlipc'
    • ipipcfilename = '/tmp/.dguardian1ipipc'
    • pidfilename = '/var/run/dansguardian1.pid'

    Change the “1” to a “2” or “3” depending on the file you’re editing.

    Here are our working files if you want to copy and paste:

  • Edit /etc/dansguardian1/dansguardianf1.conf, /etc/dansguardian2/dansguardianf1.conf, and /etc/dansguardian3/dansguardianf1.conf. Search for every instance of /etc/dansguardian/ and replace “dansguardian” with “dansguardian1”, “dansguardian2”, or “dansguardian3”, as appropriate to the file you’re editing. There are many instances to change. Next change the value for naughtynesslimit to a number that works best for you. We use 100 for children, 200 for adults, and 250 for our public wireless network. Here are our working files if you want to copy and paste:
  • We will now remove the original DansGuardian startup script:
# cd /etc/init.d/; \
mv dansguardian dansguardian.orig; \
update-rc.d dansguardian remove
  • Place one startup script per instance (dansguardian1, dansguardian2, and dansguardian3, each pointing at its own binary, configuration directory, and PID file) in /etc/init.d, make them executable, and register them to start at boot:
# cd /etc/init.d/; \
chmod +x dansguardian*; \
update-rc.d dansguardian1 defaults 50 19; \
update-rc.d dansguardian2 defaults 50 19; \
update-rc.d dansguardian3 defaults 50 19
  • Turn on all 3 instances of DansGuardian:
# /etc/init.d/dansguardian1 start; \
/etc/init.d/dansguardian2 start; \
/etc/init.d/dansguardian3 start
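The two urlregexplist rules above rewrite search URLs in flight, and the easiest way to see exactly what they do is to run them over a few URLs. The following script is an added example, not part of the tutorial or of DansGuardian itself: it parses the "regex"->"replacement" line format, applies each rule in file order, case-insensitively (an assumption about DansGuardian's semantics made here for illustration), and prints the result. The sample list embedded in it is a constructed copy of the two rules shown above.

```python
import re

# Constructed sample in the urlregexplist syntax ("regex"->"replacement"), holding the
# two rules from the tutorial; comments and blank lines are allowed as in the real file.
SAMPLE_URLREGEXPLIST = r'''
# for Google
#we add &safe=vss to the end of every search
"(^http[s]?://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?.*)"->"\1&safe=vss"

#for Bing
#similar, but &adlt=strict is the keyword
"(^http[s]?://[0-9a-z]+\.bing\.com/images/search\?.*)"->"\1&adlt=strict"
'''

# One rule per line: a quoted regex, the literal ->, and a quoted replacement.
RULE_RE = re.compile(r'^"(.*)"->"(.*)"$')


def parse_urlregexplist(text):
    """Return a list of (compiled_regex, replacement) pairs, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('malformed urlregexplist line: %r' % line)
        pattern, replacement = m.groups()
        # Assumption for this example: matching is case-insensitive, as the lowercase
        # character classes in the tutorial's rules suggest.
        rules.append((re.compile(pattern, re.IGNORECASE), replacement))
    return rules


def rewrite_url(url, rules):
    """Apply every rule in file order; \\1 in the replacement refers to the first group."""
    for regex, replacement in rules:
        url = regex.sub(replacement, url)
    return url


RULES = parse_urlregexplist(SAMPLE_URLREGEXPLIST)

if __name__ == '__main__':
    for u in ('http://www.google.com/search?q=kittens',
              'http://www.bing.com/images/search?q=kittens',
              'http://www.google.com/maps'):
        print(u, '->', rewrite_url(u, RULES))
```

Two things worth noticing when you run it: a URL that already carries the parameter gets it appended a second time (harmless, since the last value wins), and the rewrite can only happen for traffic the filter actually sees. With the Shorewall rules above, port 443 is accepted straight out of loc to net, so searches made over HTTPS bypass the filter entirely; the rewrite only protects plain-HTTP searches.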
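The per-instance edits to dansguardian.conf and dansguardianf1.conf described above are the same handful of substitutions repeated three times, which is exactly the kind of thing that is safer to script than to do by hand in an editor. The script below is an added example and not the tutorial's working files: it takes the text of the stock configuration files and an instance number and produces the three variants (ports 8081 to 8083, per-instance directories, IPC and PID file names, loglevel, the UNCONFIGURED marker, and the tutorial's naughtynesslimit values of 100, 200, and 250). The configuration excerpts embedded in it are constructed stand-ins containing only the lines the tutorial touches; the real files are much longer.

```python
import re

# Constructed excerpt of a stock dansguardian.conf: only the lines the tutorial edits.
SAMPLE_DANSGUARDIAN_CONF = """\
# Web Access Denied Reporting
UNCONFIGURED - Please remove this line after configuration
loglevel = 2
languagedir = '/etc/dansguardian/languages'
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
loglocation = '/var/log/dansguardian/access.log'
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
pidfilename = '/var/run/dansguardian.pid'
"""

# Constructed excerpt of a stock dansguardianf1.conf.
SAMPLE_DANSGUARDIANF1_CONF = """\
groupmode = 1
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
naughtynesslimit = 50
"""

# The tutorial's limits: 1 = kids' computers, 2 = adult computers, 3 = public wireless.
NAUGHTYNESS = {1: 100, 2: 200, 3: 250}


def make_instance_conf(text, n):
    """Apply the tutorial's dansguardian.conf edits for instance n (1, 2 or 3)."""
    if n not in NAUGHTYNESS:
        raise ValueError('instance number must be 1, 2 or 3')
    out = []
    for line in text.splitlines():
        if line.startswith('UNCONFIGURED'):
            line = '#' + line                         # comment out the marker line
        elif re.match(r'^loglevel\s*=\s*2\b', line):
            line = 'loglevel = 1'
        elif re.match(r'^filterport\s*=\s*8080\b', line):
            line = 'filterport = %d' % (8080 + n)     # 8081, 8082 or 8083
        else:
            # Per-instance config dir, log dir, IPC sockets and pid file.
            line = line.replace('/etc/dansguardian/', '/etc/dansguardian%d/' % n)
            line = line.replace('/var/log/dansguardian/', '/var/log/dansguardian%d/' % n)
            line = line.replace('/tmp/.dguardian', '/tmp/.dguardian%d' % n)
            line = line.replace('/var/run/dansguardian.pid', '/var/run/dansguardian%d.pid' % n)
        out.append(line)
    return '\n'.join(out) + '\n'


def make_instance_f1_conf(text, n):
    """Apply the tutorial's dansguardianf1.conf edits for instance n (1, 2 or 3)."""
    if n not in NAUGHTYNESS:
        raise ValueError('instance number must be 1, 2 or 3')
    out = []
    for line in text.splitlines():
        if re.match(r'^naughtynesslimit\s*=', line):
            line = 'naughtynesslimit = %d' % NAUGHTYNESS[n]
        else:
            line = line.replace('/etc/dansguardian/', '/etc/dansguardian%d/' % n)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Print what would be written to /etc/dansguardianN/ for each instance.
    for n in (1, 2, 3):
        print('==== /etc/dansguardian%d/dansguardian.conf ====' % n)
        print(make_instance_conf(SAMPLE_DANSGUARDIAN_CONF, n))
        print('==== /etc/dansguardian%d/dansguardianf1.conf ====' % n)
        print(make_instance_f1_conf(SAMPLE_DANSGUARDIANF1_CONF, n))
```

To use it for real, read /etc/dansguardian/dansguardian.conf and dansguardianf1.conf, run each through the matching function, and write the result into /etc/dansguardian1, 2 and 3 in place of the copies made by the cp commands above. Diffing the generated file against the hand-edited one is a quick way to catch a missed path, which otherwise shows up as two instances fighting over the same IPC socket or PID file.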

Public Computer Lab Session Timer

  • Download and copy the session timer software to /var/www. Copy the appropriately-customized index.php, backbone.php, and stats.html into the session timer folder. Set the permissions appropriately:
# chgrp -R www-data /var/www/signup; \
chmod 664 /var/www/signup/laptops_available; \
chmod 664 /var/www/signup/time_override
  • Edit /etc/mysql/my.cnf to allow network connections (our custom firewall rules limit this to the appropriate machines). Find the line bind-address = 127.0.0.1 and comment it out. Find max_connections and change the number to something big, like 1000000. Restart MySQL:
# /etc/init.d/mysql restart
  • Import the session timer database backup:

Statistics

  • Install phpMyAdmin. We don’t actually need it to get the system running, but it’s nice to have if we ever need to look at the stats database directly. You can access it by going to http://YOUR-SERVER-IP-ADDRESS-OR-URL/phpmyadmin.
# apt-get install phpmyadmin
  • Our stats setup will log hourly stats for any computer that doesn’t have a static definition in /etc/dhcp/dhcpd.conf. Create the MySQL database for tracking stats:
# mysql -u root -p
mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
mysql> quit
  • Do ONLY ONE of the following:
    • Import any stats you might have exported from an earlier installation (you can use phpMyAdmin to easily export stats from your server):
# mysql -u root -p wifi_stats < old_exported_wifi_stats.sql
    • -OR- Copy and paste the contents of wifi_stats.sql into a file of the same name in your current directory. This is the database schema, which will create an empty database. Import your file into MySQL:
# mysql -u root -p wifi_stats < wifi_stats.sql
  • Copy and paste the contents of wifi_stats.php into the file /var/www/wifi_stats.php. Edit the top of the file to enter your own password.
  • Copy and paste the contents of DHCPd-parse.php into the file /var/www/DHCPd-parse.php. Edit the top of the file to enter your own password. You can look at your collected stats at http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php. Here’s a sample stats output page.
  • Copy and paste the contents of reportdhcp.pl into /usr/lib/cgi-bin/reportdhcp.pl. This program isn’t actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
  • Set a cron job to collect the stats every hour, and to preemptively restart the services hourly (for stability reasons):
1 *  *   *   *     wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
1 *  *   *   *     /etc/init.d/dansguardian1 restart
1 *  *   *   *     /etc/init.d/dansguardian2 restart
1 *  *   *   *     /etc/init.d/dansguardian3 restart
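The stats rule above is "count every device holding a lease that is not one of the statically defined library computers", and the hourly cron job is what samples it. The script below is an added example written to illustrate that rule; it is not the tutorial's DHCPd-parse.php (whose internals are not shown on this page) and stores nothing in MySQL. It collects the MAC addresses of the host blocks in dhcpd.conf, walks the ISC lease file (taking the last record for each address, since dhcpd appends a new one on every renewal), and counts distinct active, unexpired leases whose MAC is not static. The dhcpd.conf and dhcpd.leases excerpts in it are constructed; the real lease file lives at /var/lib/dhcp/dhcpd.leases on Ubuntu 12.04, and its timestamps are UTC.

```python
import re
from datetime import datetime, timezone

# Constructed dhcpd.conf excerpt with one static host (a library-owned public computer).
SAMPLE_DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0
{
    range 192.168.1.100 192.168.1.254;
    host catalog-pc-1
    {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.1.11;
    }
}
"""

# Constructed dhcpd.leases excerpt in ISC lease-file syntax (timestamps are UTC).
# 192.168.1.101 appears twice because the client renewed; the later record is current.
SAMPLE_DHCPD_LEASES = """\
lease 192.168.1.101 {
  starts 2 2015/06/02 14:00:00;
  ends 2 2015/06/02 15:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "patron-phone";
}
lease 192.168.1.102 {
  starts 2 2015/06/02 13:00:00;
  ends 2 2015/06/02 14:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 192.168.1.101 {
  starts 2 2015/06/02 14:30:00;
  ends 2 2015/06/02 15:30:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 192.168.1.11 {
  starts 2 2015/06/02 14:00:00;
  ends 2 2015/06/02 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
"""

TIME_FMT = '%Y/%m/%d %H:%M:%S'
MAC_RE = re.compile(r'hardware ethernet\s+([0-9a-f:]{17})\s*;', re.IGNORECASE)
LEASE_RE = re.compile(r'lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}', re.DOTALL)
ENDS_RE = re.compile(r'ends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*;')
STATE_RE = re.compile(r'binding state\s+(\w+)\s*;')


def static_macs(conf_text):
    """MACs with a fixed assignment in dhcpd.conf; these are library machines, not patrons."""
    return {m.lower() for m in MAC_RE.findall(conf_text)}


def active_patron_devices(leases_text, static, now):
    """Distinct non-static MACs holding an active lease that has not expired at `now`."""
    latest = {}
    for ip, body in LEASE_RE.findall(leases_text):
        latest[ip] = body                      # later records override earlier ones
    macs = set()
    for body in latest.values():
        mac, state, ends = MAC_RE.search(body), STATE_RE.search(body), ENDS_RE.search(body)
        if not (mac and state and ends):       # e.g. "ends never" or an abandoned lease
            continue
        if state.group(1) != 'active':
            continue
        if datetime.strptime(ends.group(1), TIME_FMT) <= now:
            continue
        if mac.group(1).lower() in static:
            continue
        macs.add(mac.group(1).lower())
    return macs


def hourly_count(conf_text, leases_text, now_str):
    """The number the hourly job would record, given a UTC timestamp in lease-file format."""
    now = datetime.strptime(now_str, TIME_FMT)
    return len(active_patron_devices(leases_text, static_macs(conf_text), now))


if __name__ == '__main__':
    now = datetime.now(timezone.utc).strftime(TIME_FMT)
    print('patron devices online:', hourly_count(SAMPLE_DHCPD_CONF, SAMPLE_DHCPD_LEASES, now))
```

Counting distinct MACs rather than lease records is what keeps a renewing phone from being counted twice, and filtering on the lease's expiry rather than just "binding state active" avoids counting a device that left before dhcpd got round to marking the lease free. The count is a measure of devices holding a lease, which is an upper bound on people actually using the wireless.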

Print Release Station

  • If you share your printers over Samba, you can easily turn the server into a print release station to avoid unwanted prints. Ideally, this would be on a separate machine, but if you have to, it could be on the same system. You’ll need to install the KDE desktop, as it contains the print-manager program which provides a nice interface to release the print job to the printer.
  • First, install the KDE desktop:
# apt-get install kubuntu-desktop
  • This will take a while, and the scope of it is beyond this tutorial.
  • Next, install samba:
# apt-get install samba
  • Add the printer in the KDE System Settings application. Then, edit /etc/samba/smb.conf to share and hold the print jobs. Add the following lines to the end of the file, changing as necessary to fit your situation:
[Color_Printer]
   path = /var/spool/samba
   browseable = yes
   printable = yes
   printer name = CirculationPrinter
   cups options = job-hold-until=indefinite

[Black_and_White_Printer]
   path = /var/spool/samba
   browseable = yes
   printable = yes
   printer name = CirculationPrinter
   cups options = job-hold-until=indefinite
  • Then you can add a shortcut to your KDE desktop and startup that points to kde-print-queue CirculationPrinter. From here you can release the print jobs to the printer or delete them.
  • Add something like the following to your root crontab to clean out the queue at the end of each day:
4 21 *   *   *     /usr/bin/lprm -P CirculationPrinter -
5 21 *   *   *     /bin/rm /var/cache/cups/job.cache*
6 21 *   *   *     /bin/rm /var/spool/cups/c*
7 21 *   *   *     /bin/rm /var/spool/cups/d*
  • Finally, add a user to your system for each computer you want to print from, and make an accompanying Samba user with smbpasswd -a <username>.
  • When you add the printers on Windows, you’ll need to set up network credentials first to the print server using the usernames and passwords you created above. Then add the printers with a custom new port, local port type, \\192.168.1.XXX\Black_and_White_Printer, etc. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.

Battery and File Backups

  • If you have an APC battery backup, install apcupsd and save the original configuration file:
# apt-get install apcupsd; \
mv /etc/apcupsd/apcupsd.conf /etc/apcupsd/apcupsd.conf.bak
  • Copy and paste the contents of apcupsd.conf into /etc/apcupsd/apcupsd.conf, editing parameters as you see fit.
  • Edit /etc/default/apcupsd and change ISCONFIGURED=no to ISCONFIGURED=yes.
  • Make a public key for automated backups of our stats files to a remote backups Unix file server, and copy it to the remote server:
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host
  • Add another cron job to backup your stats database every night at 5 past midnight:
5 0 * * * mysqldump -u root --password=YOUR-PASSWORD wifi_stats > /home/username/wifi_stats_dump.sql; scp -i /home/username/.ssh/id_rsa /home/username/wifi_stats_dump.sql username@remote_host:/path/to/backup/directory/
  • On the remote machine that’s your backup destination, make sure to add from="YOUR-FILTER'S-IP-ADDRESS", followed by a space, before the “ssh-rsa […]” stuff in your /home/username/.ssh/authorized_keys file. This will limit the key to being used only from your filter.

Conclusion

And that is all! Reboot and make sure everything comes back up the way it should.


Copyright © John C. Rucker
Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved.

Originally published on:
https://www.branchdistrictlibrary.org/professional/ubuntu_precise_dg.php
