Dansguardian Version 2.10.1.1 - Installation and Configuration

For access management and content rating of the requested web pages we use the Squid proxy and the Dansguardian content filter.
In this setup Squid and Dansguardian act as an intermediary that accepts requests on one side and then establishes a connection to the target host using its own address. On the one hand, the actual address of the client machine remains completely hidden from the target host, which provides a certain degree of anonymity. In addition, the results of client requests can be cached to save bandwidth, since these buffered objects do not have to be loaded again. Beyond that, this gives us the ability to:

  • block unwanted sites (pornography)
  • make certain content available only to certain users (multimedia content on the WWW)
  • check pages for unwanted content and block them if necessary (gambling and political propaganda), or
  • run a virus scan on the transferred data.

If, in addition to the pure content check, you also want to virus-filter web traffic as described in the following chapter, it is best to install the current version of Dansguardian. To do so, either use the Dansguardian sources directly or take the more convenient route of an RPM from a repository.

The most convenient option is to use Django's repository. How to add it is described in the Dokuwiki under "Adding Django's Repository for CentOS 5.x".

As already mentioned, the easiest way to install the new Dansguardian version is with an RPM from a repository.

 # yum install dansguardian

We can then continue straight to the configuration and skip the manual download and installation described next.

Download

If you do not want to add Django's repository, you can also download the RPM from the repository server and install it manually. First we download the current version, dansguardian-2.10.1.1-1.0.el5.i386.rpm, to our machine.

# su -

# cd /usr/local/src
# wget  http://repository.nausch.org/public/dansguardian-2.10.1.1-1.0.el5.i386.rpm

Since the package does not come from a repository known to us, we also fetch the packager's public key and import it into the RPM keyring.

 # rpm --import http://repository.nausch.org/public/GPG-PUB-KEY.asc

With that we can now verify the integrity of the downloaded RPM.

 # rpm -K dansguardian-2.10.1.1-1.0.el5.i386.rpm
 dansguardian-2.10.1.1-1.0.el5.i386.rpm: (sha1) dsa sha1 md5 gpg OK
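
A scripted form of this check, as an added example that is not part of the original page: `rpm -K` also ends in "OK" for a package that carries only digests, so the line must name a verified signature, and the signing key ID should be compared with a value obtained from somewhere other than the download server. Function names are hypothetical and the sample lines are constructed in the rpm output style shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# the sample lines used to exercise them are constructed.

# rpm_k_signed_ok LINE
# Succeeds only if an `rpm -K` result line reports overall OK *and* lists a
# verified GPG/PGP signature. An unsigned package also ends in "OK", but its
# line contains digests only (for example "sha1 md5 OK").
rpm_k_signed_ok() {
    result=" ${1#*: } "                   # strip "<file>: ", pad with spaces
    case $result in
        *"NOT OK"*) return 1 ;;           # bad digest, bad signature or missing key
    esac
    case $result in
        *" OK "*) ;;
        *) return 1 ;;
    esac
    case $result in
        *" gpg "*|*" pgp "*) return 0 ;;  # lowercase token: signature verified
    esac
    return 1
}

# sig_keyid LINE
# Print the lowercase key ID from a signature description such as the
# "Signature :" line of `rpm -qi`; prints nothing if there is none.
sig_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' |
        tr 'ABCDEF' 'abcdef'
}

# verify_rpm FILE EXPECTED_KEYID
# Run both checks against a real package file. DSAHEADER matches the DSA
# signature type shown on this page; an RSA-signed package needs RSAHEADER.
verify_rpm() {
    [ -n "$2" ] || return 2               # refuse to compare against an empty ID
    line=$(LC_ALL=C rpm -K "$1") || return 1
    rpm_k_signed_ok "$line" || return 1
    sig=$(LC_ALL=C rpm -qp --qf '%{DSAHEADER:pgpsig}\n' "$1" 2>/dev/null)
    [ "$(sig_keyid "$sig")" = "$2" ]
}

# Constructed sample lines: verified signature, no signature, key not in keyring.
for l in \
    'dansguardian-2.10.1.1-1.0.el5.i386.rpm: (sha1) dsa sha1 md5 gpg OK' \
    'example.rpm: sha1 md5 OK' \
    'example.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#2384c849)'
do
    if rpm_k_signed_ok "$l"; then echo "accept: $l"; else echo "reject: $l"; fi
done
```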

YUM Installation

We install the previously downloaded RPM with yum as usual.

 # yum install dansguardian-2.10.1.1-1.0.el5.i386.rpm

Compared with version 2.8.0.6, the dansguardian package of the current release candidate is considerably larger, as a detailed look into the RPM after installing the package shows.

# rpm -iql dansguardian
Name        : dansguardian                 Relocations: (not relocatable)
Version     : 2.10.1.1                          Vendor: Michael Nausch aka Django
Release     : 1.0.el5                       Build Date: Do 10 Dez 2009 14:23:37 CET
Install Date: Do 10 Dez 2009 14:25:11 CET      Build Host: office.nausch.org
Group       : System Environment/Daemons    Source RPM: dansguardian-2.10.1.1-1.0.el5.src.rpm
Size        : 1475359                          License: GPL
Signature   : DSA/SHA1, Do 10 Dez 2009 14:23:37 CET, Key ID 1f0471f12384c849
Packager    : Django <michael@nausch.org>
URL         : http://www.dansguardian.org/
Summary     : Content filtering web proxy with virusscan-support via clamd
Description :
DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.
/etc/dansguardian
/etc/dansguardian/authplugins
/etc/dansguardian/authplugins/ident.conf
/etc/dansguardian/authplugins/ip.conf
/etc/dansguardian/authplugins/proxy-basic.conf
/etc/dansguardian/authplugins/proxy-digest.conf
/etc/dansguardian/contentscanners
/etc/dansguardian/contentscanners/clamdscan.conf
/etc/dansguardian/dansguardian.conf
/etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/downloadmanagers
/etc/dansguardian/downloadmanagers/default.conf
/etc/dansguardian/downloadmanagers/fancy.conf
/etc/dansguardian/downloadmanagers/trickle.conf
/etc/dansguardian/lists
/etc/dansguardian/lists/authplugins
/etc/dansguardian/lists/authplugins/ipgroups
/etc/dansguardian/lists/bannedextensionlist
/etc/dansguardian/lists/bannediplist
/etc/dansguardian/lists/bannedmimetypelist
/etc/dansguardian/lists/bannedphraselist
/etc/dansguardian/lists/bannedregexpheaderlist
/etc/dansguardian/lists/bannedregexpurllist
/etc/dansguardian/lists/bannedsitelist
/etc/dansguardian/lists/bannedurllist
/etc/dansguardian/lists/blacklists
/etc/dansguardian/lists/blacklists/ads
/etc/dansguardian/lists/blacklists/ads/domains
/etc/dansguardian/lists/blacklists/ads/urls
/etc/dansguardian/lists/contentregexplist
/etc/dansguardian/lists/contentscanners
/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist
/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist
/etc/dansguardian/lists/contentscanners/exceptionvirussitelist
/etc/dansguardian/lists/contentscanners/exceptionvirusurllist
/etc/dansguardian/lists/downloadmanagers
/etc/dansguardian/lists/downloadmanagers/managedextensionlist
/etc/dansguardian/lists/downloadmanagers/managedmimetypelist
/etc/dansguardian/lists/exceptionextensionlist
/etc/dansguardian/lists/exceptionfilesitelist
/etc/dansguardian/lists/exceptionfileurllist
/etc/dansguardian/lists/exceptioniplist
/etc/dansguardian/lists/exceptionmimetypelist
/etc/dansguardian/lists/exceptionphraselist
/etc/dansguardian/lists/exceptionregexpurllist
/etc/dansguardian/lists/exceptionsitelist
/etc/dansguardian/lists/exceptionurllist
/etc/dansguardian/lists/filtergroupslist
/etc/dansguardian/lists/greysitelist
/etc/dansguardian/lists/greyurllist
/etc/dansguardian/lists/headerregexplist
/etc/dansguardian/lists/logregexpurllist
/etc/dansguardian/lists/logsitelist
/etc/dansguardian/lists/logurllist
/etc/dansguardian/lists/phraselists
/etc/dansguardian/lists/phraselists/badwords
/etc/dansguardian/lists/phraselists/badwords/weighted_dutch
/etc/dansguardian/lists/phraselists/badwords/weighted_french
/etc/dansguardian/lists/phraselists/badwords/weighted_german
/etc/dansguardian/lists/phraselists/badwords/weighted_portuguese
/etc/dansguardian/lists/phraselists/badwords/weighted_spanish
/etc/dansguardian/lists/phraselists/chat
/etc/dansguardian/lists/phraselists/chat/weighted
/etc/dansguardian/lists/phraselists/chat/weighted_italian
/etc/dansguardian/lists/phraselists/conspiracy
/etc/dansguardian/lists/phraselists/conspiracy/weighted
/etc/dansguardian/lists/phraselists/domainsforsale
/etc/dansguardian/lists/phraselists/domainsforsale/weighted
/etc/dansguardian/lists/phraselists/drugadvocacy
/etc/dansguardian/lists/phraselists/drugadvocacy/weighted
/etc/dansguardian/lists/phraselists/forums
/etc/dansguardian/lists/phraselists/forums/weighted
/etc/dansguardian/lists/phraselists/gambling
/etc/dansguardian/lists/phraselists/gambling/banned
/etc/dansguardian/lists/phraselists/gambling/banned_portuguese
/etc/dansguardian/lists/phraselists/gambling/weighted
/etc/dansguardian/lists/phraselists/gambling/weighted_portuguese
/etc/dansguardian/lists/phraselists/games
/etc/dansguardian/lists/phraselists/games/weighted
/etc/dansguardian/lists/phraselists/goodphrases
/etc/dansguardian/lists/phraselists/goodphrases/exception
/etc/dansguardian/lists/phraselists/goodphrases/exception_email
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_danish
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_dutch
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_malay
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_polish
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_portuguese
/etc/dansguardian/lists/phraselists/goodphrases/weighted_general_swedish
/etc/dansguardian/lists/phraselists/goodphrases/weighted_news
/etc/dansguardian/lists/phraselists/googlesearches
/etc/dansguardian/lists/phraselists/googlesearches/banned
/etc/dansguardian/lists/phraselists/gore
/etc/dansguardian/lists/phraselists/gore/weighted
/etc/dansguardian/lists/phraselists/gore/weighted_portuguese
/etc/dansguardian/lists/phraselists/idtheft
/etc/dansguardian/lists/phraselists/idtheft/weighted
/etc/dansguardian/lists/phraselists/illegaldrugs
/etc/dansguardian/lists/phraselists/illegaldrugs/banned
/etc/dansguardian/lists/phraselists/illegaldrugs/weighted
/etc/dansguardian/lists/phraselists/illegaldrugs/weighted_portuguese
/etc/dansguardian/lists/phraselists/intolerance
/etc/dansguardian/lists/phraselists/intolerance/banned_portuguese
/etc/dansguardian/lists/phraselists/intolerance/weighted
/etc/dansguardian/lists/phraselists/intolerance/weighted_portuguese
/etc/dansguardian/lists/phraselists/legaldrugs
/etc/dansguardian/lists/phraselists/legaldrugs/weighted
/etc/dansguardian/lists/phraselists/malware
/etc/dansguardian/lists/phraselists/malware/weighted
/etc/dansguardian/lists/phraselists/music
/etc/dansguardian/lists/phraselists/music/weighted
/etc/dansguardian/lists/phraselists/news
/etc/dansguardian/lists/phraselists/news/weighted
/etc/dansguardian/lists/phraselists/nudism
/etc/dansguardian/lists/phraselists/nudism/weighted
/etc/dansguardian/lists/phraselists/peer2peer
/etc/dansguardian/lists/phraselists/peer2peer/weighted
/etc/dansguardian/lists/phraselists/personals
/etc/dansguardian/lists/phraselists/personals/weighted
/etc/dansguardian/lists/phraselists/personals/weighted_portuguese
/etc/dansguardian/lists/phraselists/pornography
/etc/dansguardian/lists/phraselists/pornography/banned
/etc/dansguardian/lists/phraselists/pornography/banned_portuguese
/etc/dansguardian/lists/phraselists/pornography/weighted
/etc/dansguardian/lists/phraselists/pornography/weighted_chinese
/etc/dansguardian/lists/phraselists/pornography/weighted_danish
/etc/dansguardian/lists/phraselists/pornography/weighted_dutch
/etc/dansguardian/lists/phraselists/pornography/weighted_french
/etc/dansguardian/lists/phraselists/pornography/weighted_german
/etc/dansguardian/lists/phraselists/pornography/weighted_italian
/etc/dansguardian/lists/phraselists/pornography/weighted_japanese
/etc/dansguardian/lists/phraselists/pornography/weighted_malay
/etc/dansguardian/lists/phraselists/pornography/weighted_norwegian
/etc/dansguardian/lists/phraselists/pornography/weighted_polish
/etc/dansguardian/lists/phraselists/pornography/weighted_portuguese
/etc/dansguardian/lists/phraselists/pornography/weighted_russian
/etc/dansguardian/lists/phraselists/pornography/weighted_spanish
/etc/dansguardian/lists/phraselists/pornography/weighted_swedish
/etc/dansguardian/lists/phraselists/proxies
/etc/dansguardian/lists/phraselists/proxies/weighted
/etc/dansguardian/lists/phraselists/rta
/etc/dansguardian/lists/phraselists/rta/banned
/etc/dansguardian/lists/phraselists/safelabel
/etc/dansguardian/lists/phraselists/safelabel/banned
/etc/dansguardian/lists/phraselists/secretsocieties
/etc/dansguardian/lists/phraselists/secretsocieties/weighted
/etc/dansguardian/lists/phraselists/sport
/etc/dansguardian/lists/phraselists/sport/weighted
/etc/dansguardian/lists/phraselists/translation
/etc/dansguardian/lists/phraselists/translation/weighted
/etc/dansguardian/lists/phraselists/travel
/etc/dansguardian/lists/phraselists/travel/weighted
/etc/dansguardian/lists/phraselists/upstreamfilter
/etc/dansguardian/lists/phraselists/upstreamfilter/weighted
/etc/dansguardian/lists/phraselists/violence
/etc/dansguardian/lists/phraselists/violence/weighted
/etc/dansguardian/lists/phraselists/violence/weighted_portuguese
/etc/dansguardian/lists/phraselists/warezhacking
/etc/dansguardian/lists/phraselists/warezhacking/weighted
/etc/dansguardian/lists/phraselists/weapons
/etc/dansguardian/lists/phraselists/weapons/weighted
/etc/dansguardian/lists/phraselists/weapons/weighted_portuguese
/etc/dansguardian/lists/phraselists/webmail
/etc/dansguardian/lists/phraselists/webmail/weighted
/etc/dansguardian/lists/pics
/etc/dansguardian/lists/urlregexplist
/etc/dansguardian/lists/weightedphraselist
/etc/httpd
/etc/httpd/conf.d
/etc/httpd/conf.d/dansguardian.conf
/etc/logrotate.d
/etc/rc.d
/etc/rc.d/init.d
/etc/rc.d/init.d/dansguardian
/usr
/usr/sbin
/usr/sbin/dansguardian
/usr/share
/usr/share/dansguardian
/usr/share/dansguardian/dansguardian.pl
/usr/share/dansguardian/languages
/usr/share/dansguardian/languages/arspanish
/usr/share/dansguardian/languages/arspanish/fancydmtemplate.html
/usr/share/dansguardian/languages/arspanish/messages
/usr/share/dansguardian/languages/arspanish/template.html
/usr/share/dansguardian/languages/bulgarian
/usr/share/dansguardian/languages/bulgarian/fancydmtemplate.html
/usr/share/dansguardian/languages/bulgarian/messages
/usr/share/dansguardian/languages/bulgarian/template.html
/usr/share/dansguardian/languages/chinesebig5
/usr/share/dansguardian/languages/chinesebig5/fancydmtemplate.html
/usr/share/dansguardian/languages/chinesebig5/messages
/usr/share/dansguardian/languages/chinesebig5/template.html
/usr/share/dansguardian/languages/chinesegb2312
/usr/share/dansguardian/languages/chinesegb2312/fancydmtemplate.html
/usr/share/dansguardian/languages/chinesegb2312/messages
/usr/share/dansguardian/languages/chinesegb2312/template.html
/usr/share/dansguardian/languages/czech
/usr/share/dansguardian/languages/czech/fancydmtemplate.html
/usr/share/dansguardian/languages/czech/messages
/usr/share/dansguardian/languages/czech/template.html
/usr/share/dansguardian/languages/danish
/usr/share/dansguardian/languages/danish/fancydmtemplate.html
/usr/share/dansguardian/languages/danish/messages
/usr/share/dansguardian/languages/danish/template.html
/usr/share/dansguardian/languages/dutch
/usr/share/dansguardian/languages/dutch/fancydmtemplate.html
/usr/share/dansguardian/languages/dutch/messages
/usr/share/dansguardian/languages/dutch/template.html
/usr/share/dansguardian/languages/french
/usr/share/dansguardian/languages/french/fancydmtemplate.html
/usr/share/dansguardian/languages/french/messages
/usr/share/dansguardian/languages/french/template.html
/usr/share/dansguardian/languages/german
/usr/share/dansguardian/languages/german/fancydmtemplate.html
/usr/share/dansguardian/languages/german/messages
/usr/share/dansguardian/languages/german/template.html
/usr/share/dansguardian/languages/hebrew
/usr/share/dansguardian/languages/hebrew/fancydmtemplate.html
/usr/share/dansguardian/languages/hebrew/messages
/usr/share/dansguardian/languages/hebrew/template.html
/usr/share/dansguardian/languages/hungarian
/usr/share/dansguardian/languages/hungarian/fancydmtemplate.html
/usr/share/dansguardian/languages/hungarian/messages
/usr/share/dansguardian/languages/hungarian/template.html
/usr/share/dansguardian/languages/indonesian
/usr/share/dansguardian/languages/indonesian/fancydmtemplate.html
/usr/share/dansguardian/languages/indonesian/messages
/usr/share/dansguardian/languages/indonesian/template.html
/usr/share/dansguardian/languages/italian
/usr/share/dansguardian/languages/italian/fancydmtemplate.html
/usr/share/dansguardian/languages/italian/messages
/usr/share/dansguardian/languages/italian/template.html
/usr/share/dansguardian/languages/japanese
/usr/share/dansguardian/languages/japanese/fancydmtemplate.html
/usr/share/dansguardian/languages/japanese/messages
/usr/share/dansguardian/languages/japanese/template.html
/usr/share/dansguardian/languages/lithuanian
/usr/share/dansguardian/languages/lithuanian/fancydmtemplate.html
/usr/share/dansguardian/languages/lithuanian/messages
/usr/share/dansguardian/languages/lithuanian/template.html
/usr/share/dansguardian/languages/malay
/usr/share/dansguardian/languages/malay/fancydmtemplate.html
/usr/share/dansguardian/languages/malay/messages
/usr/share/dansguardian/languages/malay/template.html
/usr/share/dansguardian/languages/mxspanish
/usr/share/dansguardian/languages/mxspanish/fancydmtemplate.html
/usr/share/dansguardian/languages/mxspanish/messages
/usr/share/dansguardian/languages/mxspanish/template.html
/usr/share/dansguardian/languages/polish
/usr/share/dansguardian/languages/polish/fancydmtemplate.html
/usr/share/dansguardian/languages/polish/messages
/usr/share/dansguardian/languages/polish/template.html
/usr/share/dansguardian/languages/portuguese
/usr/share/dansguardian/languages/portuguese/fancydmtemplate.html
/usr/share/dansguardian/languages/portuguese/messages
/usr/share/dansguardian/languages/portuguese/template.html
/usr/share/dansguardian/languages/ptbrazilian
/usr/share/dansguardian/languages/ptbrazilian/fancydmtemplate.html
/usr/share/dansguardian/languages/ptbrazilian/messages
/usr/share/dansguardian/languages/ptbrazilian/template.html
/usr/share/dansguardian/languages/russian-1251
/usr/share/dansguardian/languages/russian-1251/fancydmtemplate.html
/usr/share/dansguardian/languages/russian-1251/messages
/usr/share/dansguardian/languages/russian-1251/template.html
/usr/share/dansguardian/languages/russian-koi8-r
/usr/share/dansguardian/languages/russian-koi8-r/fancydmtemplate.html
/usr/share/dansguardian/languages/russian-koi8-r/messages
/usr/share/dansguardian/languages/russian-koi8-r/template.html
/usr/share/dansguardian/languages/slovak
/usr/share/dansguardian/languages/slovak/fancydmtemplate.html
/usr/share/dansguardian/languages/slovak/messages
/usr/share/dansguardian/languages/slovak/template.html
/usr/share/dansguardian/languages/spanish
/usr/share/dansguardian/languages/spanish/fancydmtemplate.html
/usr/share/dansguardian/languages/spanish/messages
/usr/share/dansguardian/languages/spanish/template.html
/usr/share/dansguardian/languages/swedish
/usr/share/dansguardian/languages/swedish/fancydmtemplate.html
/usr/share/dansguardian/languages/swedish/messages
/usr/share/dansguardian/languages/swedish/template.html
/usr/share/dansguardian/languages/turkish
/usr/share/dansguardian/languages/turkish/fancydmtemplate.html
/usr/share/dansguardian/languages/turkish/messages
/usr/share/dansguardian/languages/turkish/template.html
/usr/share/dansguardian/languages/ukenglish
/usr/share/dansguardian/languages/ukenglish/fancydmtemplate.html
/usr/share/dansguardian/languages/ukenglish/messages
/usr/share/dansguardian/languages/ukenglish/template.html
/usr/share/dansguardian/scripts
/usr/share/dansguardian/scripts/bsd-init
/usr/share/dansguardian/scripts/dansguardian
/usr/share/dansguardian/scripts/logrotation
/usr/share/dansguardian/scripts/solaris-init
/usr/share/dansguardian/scripts/systemv-init
/usr/share/dansguardian/transparent1x1.gif
/usr/share/doc
/usr/share/doc/dansguardian
/usr/share/doc/dansguardian/AuthPlugins
/usr/share/doc/dansguardian/ContentScanners
/usr/share/doc/dansguardian/DownloadManagers
/usr/share/doc/dansguardian/FAQ
/usr/share/doc/dansguardian/FAQ.html
/usr/share/doc/dansguardian/Plugins
/usr/share/doc/man8
/usr/share/doc/man8/dansguardian.8
/usr/share/man
/usr/share/man/man8
/usr/share/man/man8/dansguardian.8.gz
/usr/var
/usr/var/run
/var
/var/log
/var/log/dansguardian

The configuration of our content scanner essentially takes place in the directory /etc/dansguardian.

# cd /etc/dansguardian
# ls -alF
insgesamt 120
drwxr-xr-x   6 root root  4096 11. Dez 10:02 ./
drwxr-xr-x 122 root root 12288 11. Dez 09:00 ../
drwxr-xr-x   2 root root  4096 10. Dez 15:39 authplugins/
drwxr-xr-x   2 root root  4096 10. Dez 15:42 contentscanners/
-rw-r--r--   1 root root 23111 10. Dez 22:19 dansguardian.conf
-rw-r--r--   1 root root 11635 10. Dez 15:39 dansguardianf1.conf
drwxr-xr-x   2 root root  4096 10. Dez 15:39 downloadmanagers/
drwxr-xr-x   7 root root  4096 10. Dez 22:40 lists/

The two configuration files:

  • dansguardian.conf
  • dansguardianf1.conf

contain the main configuration options of the filter. Further, mostly highly site-specific, customization is then done in the subdirectories.

  • authplugins
  • contentscanners
  • downloadmanagers
  • lists

dansguardian.conf

The main configuration of the Dansguardian content filter/scanner is done in the file /etc/dansguardian/dansguardian.conf.

With the editor of our choice, i.e. vim, we now edit the first of the two configuration files.

 # vim /etc/dansguardian/dansguardian.conf

First we adjust the internationalization in the configuration file:

# language to use from languagedir.
# Django 10.12.2009
#Default: language = 'ukenglish'
language = 'german'

The settings for our network addresses and the associated ports are made in the Network Settings section.

# Network Settings
# 
# the IP that DansGuardian listens on.  If left blank DansGuardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

Dansguardian offers two ways to inform users when they request blocked pages:

dansguardian.pl

If you want to use the Dansguardian reporting script, enter the location of the Perl script in the configuration file. The result is, for example, the following page.

(Screenshot: Dansguardian access-denied page)

The corresponding entry in the configuration file is:

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
#
# This webserver must be either:
#  1. Non-proxied. Either a machine on the local network, or listed as an exception
#     in your browser's proxy configuration.
#  2. Added to the exceptionsitelist. Option 1 is preferable; this option is
#     only for users using both transparent proxying and a non-local server
#     to host this script.
#
# Individual filter groups can override this setting in their own configuration.
#
# Django 10.12.2009
#Default: accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
accessdeniedaddress = 'http://nausch.org/cgi-bin/dansguardian.pl'

HTML status page

Alternatively, there is an HTML page explaining why the page was blocked.

(Screenshot: Dansguardian HTML access-denied page)

To use it, simply disable the option in the configuration file.

# Django 10.12.2009
#Default: accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
#accessdeniedaddress = 'http://nausch.org/cgi-bin/dansguardian.pl'

Taken together, this gives the following first overall configuration:

 # egrep -v '(^.*#|^$)' /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'german'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
originalip = off
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
mailer = '/usr/sbin/sendmail -t'

dansguardianf1.conf

Further configuration of the Dansguardian content filter/scanner is done in the file /etc/dansguardian/dansguardianf1.conf.

With the editor of our choice, i.e. vim, we now edit the second of the two configuration files.

 # vim /etc/dansguardian/dansguardianf1.conf

As a first step we adjust the trigger threshold of the weighted page check. A naughtyness limit of 100 is a practical starting point:

# Naughtyness limit
# This the limit over which the page will be blocked.  Each weighted phrase is given
# a value either positive or negative and the values added up.  Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values.  See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children,  100 for old children,  160 for young adults.
# Django 10.12.2009
#Default: naughtynesslimit = 50
naughtynesslimit = 100

Taken together, this gives the following first overall configuration:

 # egrep -v '(^.*#|^$)' /etc/dansguardian/dansguardianf1.conf
groupmode = 1
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
blockdownloads = off
exceptionextensionlist = '/etc/dansguardian/lists/exceptionextensionlist'
exceptionmimetypelist = '/etc/dansguardian/lists/exceptionmimetypelist'
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/lists/bannedmimetypelist'
exceptionfilesitelist = '/etc/dansguardian/lists/exceptionfilesitelist'
exceptionfileurllist = '/etc/dansguardian/lists/exceptionfileurllist'
headerregexplist = '/etc/dansguardian/lists/headerregexplist'
bannedregexpheaderlist = '/etc/dansguardian/lists/bannedregexpheaderlist'
naughtynesslimit = 100
categorydisplaythreshold = 0
embeddedurlweight = 0
enablepics = off
bypass = 0
bypasskey = ''
infectionbypass = 0
infectionbypasskey = ''
infectionbypasserrorsonly = on
disablecontentscan = off
deepurlanalysis = off
usesmtp = off
mailfrom = ''
avadmin = ''
contentadmin = ''
avsubject = 'dansguardian virus block'
contentsubject = 'dansguardian violation'
notifyav = off
notifycontent = off
thresholdbyuser = off
violations = 0
threshold = 0

authplugins

If you do not use authentication in the Squid proxy, as described in the chapter Configuration of the Proxy, Dansguardian itself offers a few plugins to choose from. The configuration files are located in /etc/dansguardian/authplugins.

 # ll /etc/dansguardian/authplugins
total 16
-rw-r--r-- 1 root root 104 Dec  9 16:05 ident.conf
-rw-r--r-- 1 root root 323 Dec  9 16:05 ip.conf
-rw-r--r-- 1 root root 195 Dec  9 16:05 proxy-basic.conf
-rw-r--r-- 1 root root 257 Dec  9 16:05 proxy-digest.conf

contentscanners

The content virus scanner is configured in the file /etc/dansguardian/contentscanners/clamdscan.conf. Since the maintainer compiled in clamd when building the RPM, the configuration file is named clamdscan.conf.

plugname = 'clamdscan'

# edit this to match the location of your ClamD UNIX domain socket
#clamdudsfile = '/var/run/clamav/clamd.sock'

# If this string is set, the text it contains shall be removed from the
# beginning of filenames when passing them to ClamD.
# Use it to - for example - support a ClamD running inside a chroot jail:
# if DG's filecachedir is set to "/var/clamdchroot/downloads/" and pathprefix
# is set to "/var/clamdchroot", then file names given to ClamD will be of the
# form "/downloads/tf*" instead of "/var/clamdchroot/downloads/tf*".
#pathprefix = '/var/clamdchroot'

exceptionvirusmimetypelist = '/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/dansguardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/lists/contentscanners/exceptionvirusurllist'

This configuration file is adjusted in the following chapter, Virus Filtering with Dansguardian.

downloadmanagers

The download manager is defined and configured in the directory /etc/dansguardian/downloadmanagers/.

 # ls -alf
 total 8
 -rw-r--r-- 1 root root  539 Dec  9 16:05 default.conf
 -rw-r--r-- 1 root root 2003 Dec  9 16:05 fancy.conf

default.conf

 # vim /etc/dansguardian/downloadmanagers/default.conf
# The default download manager.
# This is the safest option for unknown user-agents and content types, and
# hence a good one to include last.

# Which plugin should be loaded?
plugname = 'default'

# Regular expression for matching user agents
# When not defined, matches all agents.
#useragentregexp = '.*'

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#managedmimetypelist = ''
#managedextensionlist = ''

fancy.conf

 # vim /etc/dansguardian/downloadmanagers/fancy.conf
# The 'fancy' download manager.
# This outputs a Javascript progress bar to the browser when a file is taking
# a long time to download, and hence is unsuitable for browsers without
# javascript support; also you may wish to enable it only for types/extensions
# that are usually downloaded individually, rather than embedded in a web page,
# such as executables and archives.

# Which plugin should be loaded?
plugname = 'fancy'

# Regular expression for matching user agents
# When not defined, matches all agents.
#
# 'mozilla' also matches firefox, IE, etc.
useragentregexp = 'mozilla'

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#managedmimetypelist = '/etc/dansguardian/lists/downloadmanagers/managedmimetypelist'
managedextensionlist = '/etc/dansguardian/lists/downloadmanagers/managedextensionlist'

# HTML/JavaScript Template
# The contents of this file determine what is presented to the user during
# and after downloading/scanning. It is essentially an HTML file, but must
# define certain JavaScript functions -  called at various stages during
# the process - allowing the page to be modified to reflect current progress.
# This option generates a path of the form <languagedir>/<language>/<template>
template = 'fancydmtemplate.html'

# Maximum download size
# When a file with unknown content length gets handled by the fancy DM,
# something must be done in the case that the file is found to be too large
# to scan (i.e. larger than maxcontentfilecachescansize).
# As of 2.9.7.0, a warning will be issued to the user that the fancy DM may
# not be able to cache the entire file, and the file will continue to be
# downloaded to disk (but not scanned) until it reaches this size, at which
# point the user will simply have to re-download the file (the URL won't be
# scanned again).
# The size is in kibibytes (i.e. 10240 = 10Mb)
maxdownloadsize = 80000

lists

The fine-grained, per-use-case tuning of our Dansguardian is done through several blacklists and/or whitelists. They are located in the directory /etc/dansguardian/lists.

ll /etc/dansguardian/lists/
total 152
drwxr-xr-x  2 root root 4096 Dec  9 16:11 authplugins
-rw-r--r--  1 root root 4949 Dec  9 16:05 bannedextensionlist
-rw-r--r--  1 root root  500 Dec  9 16:05 bannediplist
-rw-r--r--  1 root root  284 Dec  9 16:05 bannedmimetypelist
-rw-r--r--  1 root root 1958 Dec  9 16:05 bannedphraselist
-rw-r--r--  1 root root  321 Dec  9 16:05 bannedregexpheaderlist
-rw-r--r--  1 root root 5229 Dec  9 16:05 bannedregexpurllist
-rw-r--r--  1 root root 4986 Dec  9 16:05 bannedsitelist
-rw-r--r--  1 root root 2640 Dec  9 16:05 bannedurllist
drwxr-xr-x  3 root root 4096 Dec  9 16:05 blacklists
-rw-r--r--  1 root root 4979 Dec  9 16:05 contentregexplist
drwxr-xr-x  2 root root 4096 Dec  9 16:11 contentscanners
drwxr-xr-x  2 root root 4096 Dec  9 16:11 downloadmanagers
-rw-r--r--  1 root root  480 Dec  9 16:05 exceptionextensionlist
-rw-r--r--  1 root root  912 Dec  9 16:05 exceptionfilesitelist
-rw-r--r--  1 root root  834 Dec  9 16:05 exceptionfileurllist
-rw-r--r--  1 root root  708 Dec  9 16:05 exceptioniplist
-rw-r--r--  1 root root  653 Dec  9 16:05 exceptionmimetypelist
-rw-r--r--  1 root root  538 Dec  9 16:05 exceptionphraselist
-rw-r--r--  1 root root  208 Dec  9 16:05 exceptionregexpurllist
-rw-r--r--  1 root root 1275 Dec  9 16:05 exceptionsitelist
-rw-r--r--  1 root root  361 Dec  9 16:05 exceptionurllist
-rw-r--r--  1 root root  194 Dec  9 16:05 filtergroupslist
-rw-r--r--  1 root root 1910 Dec  9 16:05 greysitelist
-rw-r--r--  1 root root  902 Dec  9 16:05 greyurllist
-rw-r--r--  1 root root  520 Dec  9 16:05 headerregexplist
-rw-r--r--  1 root root  623 Dec  9 16:05 logregexpurllist
-rw-r--r--  1 root root  596 Dec  9 16:05 logsitelist
-rw-r--r--  1 root root  591 Dec  9 16:05 logurllist
drwxr-xr-x 36 root root 4096 Dec  9 16:05 phraselists
-rw-r--r--  1 root root 2743 Dec  9 16:05 pics
-rw-r--r--  1 root root 2887 Dec  9 16:05 urlregexplist
-rw-r--r--  1 root root 6437 Dec  9 16:05 weightedphraselist

Individual special files are covered in the chapter on optimizing Dansguardian.

Starting Dansguardian

Now we start our new dansguardian service for the first time:

 # service dansguardian start
 Web Content Filter (dansguardian) starten:                 [  OK  ]

The successful start is recorded in the syslog:

 Dec 11 12:38:43 office dansguardian[5191]: Started sucessfully.

Our Dansguardian daemon now listens on port 8080, which we can verify with netstat:

 # netstat -tulpen | grep dansguardian
 tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      99         15535      5191/dansguardian  

In the process list we also see the Dansguardian processes that were started:

 # ps aux | grep dansguardian
nobody    5191  0.0  0.5  17612 12232 ?        Ss   12:38   0:00 dansguardian
nobody    5192  0.0  0.5  17616 12176 ?        S    12:38   0:00 dansguardian
nobody    5193  0.0  0.5  18592 12056 ?        S    12:38   0:00 dansguardian
nobody    5194  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5195  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5196  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5197  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5198  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5199  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5201  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
nobody    5202  0.0  0.5  17612 12068 ?        S    12:38   0:00 dansguardian
root      5212  0.0  0.0   3940   736 pts/1    S+   12:43   0:00 grep dansguardian

Starting Dansguardian automatically at system boot

So that the Dansguardian daemon starts automatically at every system boot, the start script is set up with the following command:

 # chkconfig dansguardian on

Whether the Dansguardian service (daemon) really is started automatically at every system boot can be checked with the following command:

 # chkconfig --list | grep dansguardian
 dansguardian    0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

What matters is the switch on (shown as Ein in the German-locale output above) at runlevels 2, 3, 4 and 5.

Dansguardian's startup options

The Dansguardian binary ships with a few useful startup options. Calling dansguardian with the option -h shows which ones.

# dansguardian -h

Usage: dansguardian [{-c ConfigFileName|-v|-P|-h|-N|-q|-s|-r|-g}]
  -v gives the version number and build options.
  -h gives this message.
  -c allows you to specify a different configuration file location.
  -N Do not go into the background.
  -q causes DansGuardian to kill any running copy.
  -Q kill any running copy AND start a new one with current options.
  -s shows the parent process PID and exits.
  -r closes all connections and reloads config files by issuing a HUP,
     but this does not reset the maxchildren option (amongst others).
  -g gently restarts by not closing all current connections; only reloads
     filter group config files. (Issues a USR1)

Option -v

With the option -v we can display the program version as well as the options the maintainer specified when building the program.

# dansguardian -v

DansGuardian 2.10.1.1

Built with:  '--bindir=/usr/sbin/' '--prefix=/usr/' '--mandir=/usr/share/doc/' '--datadir=/usr/share/' '--sysconfdir=/etc/' '--with-proxyuser=nobody' '--with-proxygroup=nobody' '--with-logdir=/var/log/dansguardian' '--enable-orig-ip' '--enable-trickledm' '--enable-clamd' '--enable-email' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'

Option -g

After changes to the configuration files, a restart of the daemon is usually necessary.

 # service dansguardian restart

In a production environment with many connections, however, we may not want to interrupt them but only re-read the rule set. For that we use the option -g:

 # dansguardian -g

Adjusting the log level

Once the system is in operation, we throttle Dansguardian's logging a little; that is, we only have the blocked pages reported, since the log file otherwise gets flooded with information that does not interest us anyway.

 # vim /etc/dansguardian/dansguardian.conf
# Logging Settings
#
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 1

Adjusting authentication

So that the users can be shown in the log files, we also enable the Auth plugins option in the configuration file /etc/dansguardian/dansguardian.conf.

 # vim /etc/dansguardian/dansguardian.conf
# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic'
# and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

Nothing further needs to be changed in the enabled proxy-basic.conf.

# Proxy-Basic auth plugin
# Identifies usernames in "Proxy-Authorization: Basic" headers;
# relies upon the upstream proxy (squid) to perform the actual password check.

plugname = 'proxy-basic'

A subsequent restart activates our changes.

 # service dansguardian restart

The usernames are now written to the log file as well, and we can later grep for individual users as needed.

 2009.12.12 15:08:21 django 192.168.10.40 http://stationdata.wunderground.com/cgi-bin/stationlookup?station=IBAYERNP4&r=1260626901099 *SCANNED*  GET 1471 0  1 200 text/xml   -

Site whitelisting

Out of the box, Dansguardian as shipped is configured quite aggressively; that is, many sites that are actually wanted get blocked. To allow these sites, we edit the configuration file for exception sites, /etc/dansguardian/lists/exceptionsitelist. As the comments in bannedsitelist further down state, the exception lists completely switch off all other filtering for the match.

 # vim /etc/dansguardian/lists/exceptionsitelist
#Sites in exception list
#Don't bother with the www. or
#the http://
#
#These are specifically domains and are not URLs.
#For example 'foo.bar/porn/' is no good, you need
#to just have 'foo.bar'.
#
#You can also match IPs here too.
#
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example

# Django 10.12.2009
# User-specific sites
nausch.org
urlblacklist.com
ebay.de
bay.com

Site blacklisting

In the same way, unwanted sites can of course be blocked completely. For this we edit the configuration file /etc/dansguardian/lists/bannedsitelist.

 # vim /etc/dansguardian/lists/bannedsitelist
#domains in banned list
#Don't bother with the www. or the http://

#The bannedurllist is for blocking PART of a site
#The bannedsitelist is for blocking ALL of a site

#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example

#The 'grey' lists override the 'banned' lists.
#The 'exception' lists override the 'banned' lists also.
#The difference is that the 'exception' lists completely switch
#off *all* other filtering for the match.  'grey' lists only
#stop the URL filtering and allow the normal filtering to work.

#An example of grey list use is when in Blanket Block (whitelist)
#mode and you want to allow some sites but still filter as normal
#on their content

#Another example of grey list use is when you ban a site but want
#to allow part of it.

#To include additional files in this list use this example:
#.Include</etc/dansguardian/anotherbannedurllist>

#You can have multiple .Includes.

# Django 10.12.2009
# User-specific sites

microsoft.com
cdu.de
csu.de
spd.de

Host whitelisting

To exempt a host on the network from filtering entirely, for example for management and/or the works or staff council, we enter the IP addresses of these hosts in the configuration file /etc/dansguardian/lists/exceptioniplist.

 # vim /etc/dansguardian/lists/exceptioniplist
# IP addresses of computers from which
# web access should not be filtered.
#
# These would be servers which
# need unfiltered access for
# updates.  Also administrator
# workstations which need to
# download programs and check
# out blocked sites should be
# put here.
#
# Hostnames are allowed here, provided you
# enable the reverseclientlookups option.
#
# This is not the IP of web servers
# you don't want to filter.

#192.168.0.1
#192.168.0.2
#192.168.42.2

# Django 10.12.2009
# Exempt the BOfH's workstation from filtering
192.168.192.168

Host blacklisting

In contrast to the exception rule above, a host can of course also be denied access to the web entirely; for this we enter its IP address in the configuration file /etc/dansguardian/lists/bannediplist.

 # vim /etc/dansguardian/lists/bannediplist
# IP addresses of client machines to
# disallow web access to.
#
# Hostnames are also allowed here, provided you
# enable the reverseclientlookups option.
#
# This is not the IP of web servers
# you want to filter.

#192.168.0.1
#192.168.0.2
#192.168.42.2

# Django 10.12.2009
# Block web access completely for the workstation in the holiday apartment
192.168.192.200

Block lists for URLs (regex)

Via /etc/dansguardian/lists/bannedregexpurllist we can block individual pages based on their URL or on parts of a URL. For this we use suitable regular expressions to define the URLs we want to block:

 # vim /etc/dansguardian/lists/bannedregexpurllist
#Banned URLs based on Regular Expressions
#
# E.g. 'sex' would block sex.com and middlesex.com etc

#listcategory: "Banned Regular Expression URLs"

#Banned URLs based on Regular Expressions

######################################################
#
# Django 10.12.2009
# SOHO-specific adjustments for nausch.org
#
######################################################

# Online gaming
(gladiatus|4story|gameforge|ikariam|pog.com|cracymonkeygames|poissonrouge)

# Music mafia
(musicload|musikload)

# Video portals
(vo.llnwd)

# Advertising junk
(Standardteaser|sponsorads|google-analytics)

# Hook-up and dating portals
(facebook|lokalisten|myspace|friendscout)
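
The list's own header comment notes that 'sex' would block sex.com and middlesex.com; the same applies to the entries above, and pog.com additionally contains an unescaped dot. The following script is an added example (not part of the original page or of Dansguardian) that reports which patterns also hit URLs that must stay reachable. It assumes unanchored, case-insensitive matching and uses grep -E as a stand-in for Dansguardian's matcher; the function names, the URLs and the tightened patterns are constructed.

```shell
#!/bin/sh
# Added example: find bannedregexpurllist patterns that over-block.
# Assumption: patterns are unanchored, case-insensitive extended regular
# expressions; grep -E -i only approximates DansGuardian's own matcher.

# matching_patterns LIST_FILE URL
# Prints every active (non-comment) pattern in LIST_FILE that matches URL.
matching_patterns() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r pattern; do
        if printf '%s\n' "$2" | grep -E -i -q -e "$pattern"; then
            printf '%s\n' "$pattern"
        fi
    done
}

# audit_list LIST_FILE ALLOW_FILE
# ALLOW_FILE holds one URL per line that users must still be able to reach.
# Prints "URL<TAB>pattern" for every collision; returns 1 if there is any.
audit_list() {
    collisions=0
    while IFS= read -r allowed || [ -n "$allowed" ]; do
        [ -n "$allowed" ] || continue
        hits=$(matching_patterns "$1" "$allowed")
        [ -n "$hits" ] || continue
        collisions=$((collisions + 1))
        printf '%s\n' "$hits" | while IFS= read -r p; do
            printf '%s\t%s\n' "$allowed" "$p"
        done
    done < "$2"
    [ "$collisions" -eq 0 ]
}

# write_samples DIR
# Writes the page's five active patterns plus constructed test data into DIR.
write_samples() {
    cat > "$1/bannedregexpurllist" <<'EOF'
#listcategory: "Banned Regular Expression URLs"
(gladiatus|4story|gameforge|ikariam|pog.com|cracymonkeygames|poissonrouge)
(musicload|musikload)
(vo.llnwd)
(Standardteaser|sponsorads|google-analytics)
(facebook|lokalisten|myspace|friendscout)
EOF
    # Constructed URLs that are supposed to stay reachable.
    cat > "$1/must_allow" <<'EOF'
http://pogocomics.example.org/
http://www.example.org/blog/facebook-privacy-settings.html
http://www.example.org/docs/index.html
EOF
    # Constructed, tighter variants: dot escaped, match bound to a host name.
    cat > "$1/tightened" <<'EOF'
(^|[/.])pog\.com([/:]|$)
(^|[/.])(facebook|myspace)\.com([/:]|$)
EOF
}

# Demo on the constructed data.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
echo "Patterns from the page:"
if ! audit_list "$sample_dir/bannedregexpurllist" "$sample_dir/must_allow"; then
    echo "=> allowed URLs would be blocked"
fi
echo "Tightened patterns:"
if audit_list "$sample_dir/tightened" "$sample_dir/must_allow"; then
    echo "=> no collisions"
fi
rm -rf "$sample_dir"
```

The tightened patterns only cover the .com hosts; whether to extend them to further top-level domains is a policy decision for the list owner.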

Blacklisting MIME types

To disallow certain MIME types in general, we enter them in the configuration file /etc/dansguardian/lists/bannedmimetypelist.

 # vim /etc/dansguardian/lists/bannedmimetypelist
# banned MIME types

audio/mpeg
audio/x-mpeg
audio/x-pn-realaudio
audio/x-wav
video/mpeg
video/x-mpeg2
video/acorn-replay
video/quicktime
video/x-msvideo
video/msvideo
application/gzip
application/x-gzip
application/zip
application/compress
application/x-compress
application/java-vm

Blacklisting file extensions

Via /etc/dansguardian/lists/bannedextensionlist we then set, if needed, which file extensions we generally allow and which we want to block:

 # vim /etc/dansguardian/lists/bannedextensionlist
#Banned extension list

# File extensions with executable code 

# The following file extensions can contain executable code.
# This means they can potentially carry a virus to infect your computer.

.ade  # Microsoft Access project extension
.adp  # Microsoft Access project
.asx  # Windows Media Audio / Video
.bas  # Microsoft Visual Basic class module
.bat  # Batch file
.cab  # Windows setup file
.chm  # Compiled HTML Help file
.cmd  # Microsoft Windows NT Command script
.com  # Microsoft MS-DOS program
.cpl  # Control Panel extension
.crt  # Security certificate 
.dll  # Windows system file
.exe  # Program
.hlp  # Help file
.ini  # Windows system file
.hta  # HTML program
.inf  # Setup Information
.ins  # Internet Naming Service
.isp  # Internet Communication settings
# .js   # JScript file - often needed in web pages
# .jse  # Jscript Encoded Script file - often needed in web pages
.lnk  # Windows Shortcut
.mda  # Microsoft Access add-in program 
.mdb  # Microsoft Access program
.mde  # Microsoft Access MDE database
.mdt  # Microsoft Access workgroup information 
.mdw  # Microsoft Access workgroup information 
.mdz  # Microsoft Access wizard program 
.msc  # Microsoft Common Console document
.msi  # Microsoft Windows Installer package
.msp  # Microsoft Windows Installer patch
.mst  # Microsoft Visual Test source files
.pcd  # Photo CD image, Microsoft Visual compiled script
.pif  # Shortcut to MS-DOS program
.prf  # Microsoft Outlook profile settings
.reg  # Windows registry entries
.scf  # Windows Explorer command
.scr  # Screen saver
.sct  # Windows Script Component
.sh   # Shell script
.shs  # Shell Scrap object
.shb  # Shell Scrap object
.sys  # Windows system file
.url  # Internet shortcut
.vb   # VBScript file
.vbe  # VBScript Encoded script file
.vbs  # VBScript file
.vxd  # Windows system file
.wsc  # Windows Script Component
.wsf  # Windows Script file
.wsh  # Windows Script Host Settings file
.otf  # Font file - can be used to instant reboot 2k and xp
.ops  # Office XP settings 

# Files which one normally things as non-executable but
# can contain harmful macros and viruses

.doc  # Word document
.xls  # Excel document
.pps


# Other files which may contain files with executable code

#.gz   # Gziped file
#.tar  # Tape ARchive file
#.zip  # Windows compressed file
#.tgz  # Unix compressed file
#.bz2  # Unix compressed file
.cdr  # Mac disk image
.dmg  # Mac disk image
.smi  # Mac self mounting disk image
.sit  # Mac compressed file
.sea  # Mac compressed file, self extracting
.bin  # Mac binary compressed file
.hqx  # Mac binhex encoded file
#.rar  # Similar to zip


# Time/bandwidth wasting files

#.mp3  # Music file
#.mpeg # Movie file
#.mpg  # Movie file
#.avi  # Movie file
.asf  # this can also exploit a security hole allowing virus infection
#.iso  # CD ISO image
#.ogg  # Music file
.wmf  # Movie file
.bin # CD ISO image
.cue # CD ISO image

# Django 10.12.2009
# Our own definitions
.ani  # animated cursor

It is often desirable to treat individual users or user groups differently when evaluating their connection requests to the WWW. For example, pupils and teachers, DAUs (clueless users), managers of every rank and VIPs could each be given their own set of filter rules.
What looks complicated at first works quite simply and stays manageable.

The only important thing in all of this is not to lose track of the individual user groups. A solution that is practicable (for me) is to document the individual groups and their configuration thoroughly in the configuration files in the directory /etc/dansguardian.

dansguardian.conf

First we define how many filter groups (max. 99) we want to use. These filter groups must be numbered consecutively, from 1 to 99. Ideally we record the purpose of each one right in Dansguardian's main configuration file; for this we edit the configuration file /etc/dansguardian/dansguardian.conf with our favourite editor.

 # vim /etc/dansguardian/dansguardian.conf
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.  The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group.  To assign users to groups use the filtergroupslist option.  All users default
# to filter group 1.  You must have some sort of authentication to be able to map users
# to a group.  The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
# Django 10.12.2009
# Default: filtergroups = 1
# Definition of the filter groups
#
# -----------------------------
# Group 1 = default
# -----------------------------
# Group 2 = default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = specialists
# -----------------------------
#
filtergroups = 5
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

filtergroupslist

In the file filtergroupslist we now list all those users who are not to be evaluated in the default group but in one of the filter groups defined above. Here too we note the exact filter groups for later, so that we have the groups and their purpose at hand without having to look them up.

 # vim /etc/dansguardian/lists/filtergroupslist
# Filter Groups List file for DansGuardian
#
# Format is <user>=filter<1-9> where 1-9 are the groups
#
# Eg:
# daniel=filter2
#
# This file is only of use if you have more than 1 filter group
#
# Definition of the filter groups
#
# -----------------------------
# Group 1 = default
# -----------------------------
# Group 2 = default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = specialists
# -----------------------------
#
django=filter2
skipper=filter3
kingjulien=filter5
mart=filter5

dansguardianfn.conf

In line with the number of filter groups defined above, we now duplicate the corresponding fn configuration files:

 # cp dansguardianf1.conf dansguardianf2.conf
 # cp dansguardianf1.conf dansguardianf3.conf
 # cp dansguardianf1.conf dansguardianf4.conf
 # cp dansguardianf1.conf dansguardianf5.conf

Our configuration directory now contains the following files:

 # ll /etc/dansguardian/dans*
-rw-r--r-- 1 root root 24029 16. Jan 16:57 /etc/dansguardian/dansguardian.conf
-rw-r--r-- 1 root root 11844 16. Jan 20:30 /etc/dansguardian/dansguardianf1.conf
-rw-r--r-- 1 root root 11996 16. Jan 19:57 /etc/dansguardian/dansguardianf2.conf
-rw-r--r-- 1 root root 11900 16. Jan 17:24 /etc/dansguardian/dansguardianf3.conf
-rw-r--r-- 1 root root 11857 16. Jan 16:56 /etc/dansguardian/dansguardianf4.conf
-rw-r--r-- 1 root root 11794 16. Jan 16:47 /etc/dansguardian/dansguardianf5.conf
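
One way to check that the three pieces configured above agree with each other, as an added example that is not part of the original page or of Dansguardian: the script verifies that a dansguardianfN.conf exists for every group up to filtergroups and that every entry in filtergroupslist points to a group within that range. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check for DansGuardian filter groups.
# Function names and the sample directory are made up for this example.

# check_filtergroups CONF_DIR
# Prints one line per inconsistency; returns 0 if none were found, 1 otherwise.
check_filtergroups() {
    conf_dir=$1
    main_conf="$conf_dir/dansguardian.conf"
    problems=0

    # Take the last active "filtergroups = N" and "filtergroupslist = '...'" lines.
    groups=$(sed -n 's/^[[:space:]]*filtergroups[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$main_conf" | tail -n 1)
    list=$(sed -n "s/^[[:space:]]*filtergroupslist[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$main_conf" | tail -n 1)

    if [ -z "$groups" ] || [ "$groups" -lt 1 ] || [ "$groups" -gt 99 ]; then
        echo "dansguardian.conf: filtergroups must be set to a value from 1 to 99"
        return 1
    fi

    # Every group 1..N needs its own dansguardianfN.conf.
    i=1
    while [ "$i" -le "$groups" ]; do
        if [ ! -f "$conf_dir/dansguardianf$i.conf" ]; then
            echo "missing $conf_dir/dansguardianf$i.conf for group $i"
            problems=$((problems + 1))
        fi
        i=$((i + 1))
    done

    if [ ! -r "$list" ]; then
        echo "filtergroupslist '$list' is not readable"
        return 1
    fi

    # Every active line must read <user>=filter<K> with 1 <= K <= N,
    # and a user may be assigned only once.
    seen=" "
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        user=${line%%=*}
        target=${line#*=}
        case $target in
            filter[1-9]|filter[1-9][0-9]) num=${target#filter} ;;
            *) num='' ;;
        esac
        if [ -z "$user" ] || [ -z "$num" ] || [ "$user" = "$line" ]; then
            echo "line $lineno: malformed entry '$line'"
            problems=$((problems + 1))
            continue
        fi
        if [ "$num" -gt "$groups" ]; then
            echo "line $lineno: user '$user' assigned to group $num, but filtergroups = $groups"
            problems=$((problems + 1))
        fi
        case $seen in
            *" $user "*)
                echo "line $lineno: user '$user' is assigned more than once"
                problems=$((problems + 1)) ;;
        esac
        seen="$seen$user "
    done < "$list"

    [ "$problems" -eq 0 ]
}

# make_sample_config DIR
# Writes a constructed configuration that mirrors the values used on this page.
make_sample_config() {
    mkdir -p "$1/lists"
    cat > "$1/dansguardian.conf" <<EOF
filtergroups = 5
filtergroupslist = '$1/lists/filtergroupslist'
EOF
    cat > "$1/lists/filtergroupslist" <<'EOF'
# Format is <user>=filter<1-9> where 1-9 are the groups
django=filter2
skipper=filter3
kingjulien=filter5
mart=filter5
EOF
    for n in 1 2 3 4 5; do
        : > "$1/dansguardianf$n.conf"
    done
}

# Demo on constructed data: one user points at a group that does not exist.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
echo 'private=filter6' >> "$demo_dir/lists/filtergroupslist"
check_filtergroups "$demo_dir" || echo "=> fix the configuration before restarting dansguardian"
rm -rf "$demo_dir"
```

On a real system the function would be called as check_filtergroups /etc/dansguardian.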

As a small aid for later configuration work, mnemonics have proven useful, because the question quickly arises which configuration file was which and which group it belongs to. We simply create a few symbolic links with meaningful names, and it is immediately clear which configuration file is used for which purpose.

 # ln -s dansguardianf1.conf default
 # ln -s dansguardianf2.conf default_with_bypass
 # ln -s dansguardianf3.conf logging_only
 # ln -s dansguardianf4.conf banned_users
 # ln -s dansguardianf5.conf specialists

Later, when we look at the directory, it is clearer which configuration file is used for whom.

 # ll /etc/dansguardian | grep lrwxrwxrwx
lrwxrwxrwx 1 root root    19 16. Jan 17:19 banned_users -> dansguardianf4.conf
lrwxrwxrwx 1 root root    19 16. Jan 17:19 default -> dansguardianf1.conf
lrwxrwxrwx 1 root root    19 16. Jan 17:20 default_with_bypass -> dansguardianf2.conf
lrwxrwxrwx 1 root root    19 16. Jan 17:21 specialists -> dansguardianf5.conf
lrwxrwxrwx 1 root root    19 16. Jan 17:20 logging_only -> dansguardianf3.conf

We now make the actual changes to the default configuration in the respective dansguardianfn.conf.

dansguardianf2.conf

We now set up group 2 as a default group with a BYPASS function. Unwanted content on the web is still blocked, but the VIP gets a way to visit the blocked page temporarily anyway. For this, a corresponding notice is inserted into the block page:
Zeitlich begrenzten Zugriff auf diese Seite trotzdem ermöglichen? [JA/nein] ("Allow time-limited access to this page anyway? [YES/no]")

Block page with BYPASS function

We now make the actual changes to the default configuration in dansguardianf2.conf.

 # vim dansguardianf2.conf

Only the relevant configuration options are listed below:

# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 2 = default with bypass
# -----------------------------
# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'VIPs'
# Temporary Denied Page Bypass
# This provides a link on the denied page to bypass the ban for a few minutes.  To be
# secure it uses a random hashed secret generated at daemon startup.  You define the
# number of seconds the bypass will function for before the deny will appear again.
# To allow the link on the denied page to appear you will need to edit the template.html
# or dansguardian.pl file for your language.
# 300 = enable for 5 minutes
# 0 = disable ( defaults to 0 )
# -1 = enable but you require a separate program/CGI to generate a valid link
# Django 16.01.2010
# Default: bypass = 0
bypass = 300

# Temporary Denied Page Bypass Secret Key
# Rather than generating a random key you can specify one.  It must be more than 8 chars.
# '' = generate a random one (recommended and default)
# 'Mary had a little lamb.' = an example
# '76b42abc1cd0fdcaf6e943dcbc93b826' = an example
bypasskey = ''

# Infection/Scan Error Bypass
# Similar to the 'bypass' setting, but specifically for bypassing files scanned and found
# to be infected, or files that trigger scanner errors - for example, archive types with
# recognised but unsupported compression schemes, or corrupt archives.
# The option specifies the number of seconds for which the bypass link will be valid.
# 300 = enable for 5 minutes
# 0 = disable (default)
# -1 = enable, but require a separate program/CGI to generate a valid link
infectionbypass = 0

# Infection/Scan Error Bypass Secret Key
# Same as the 'bypasskey' option, but used for infection bypass mode.
infectionbypasskey = ''
# HTML Template override
# If defined, this specifies a custom HTML template file for members of this
# filter group, overriding the global setting in dansguardian.conf. This is
# only used in reporting level 3.
#
# The default template file path is <languagedir>/<language>/template.html
# e.g. /usr/share/dansguardian/languages/ukenglish/template.html when using 'ukenglish'
# language.
#
# This option generates a file path of the form:
# <languagedir>/<language>/<htmltemplate>
# e.g. /usr/share/dansguardian/languages/ukenglish/custom.html
#
#htmltemplate = 'custom.html'
# Django 16.01.2010
# Default: #htmltemplate = 'custom.html'
htmltemplate = 'bypasstemplate.html'

HTML Template override

For the user to actually be offered this special exception on the block page, as described above, we still need to adapt our HTML template a little.

First we copy the existing template:

 # cp /usr/share/dansguardian/languages/german/template.html /usr/share/dansguardian/languages/german/bypasstemplate.html

Then we extend it with the -BYPASS- function.

 # vim /usr/share/dansguardian/languages/german/bypasstemplate.html
...
        <br><br>
        <font size=2>
        Zeitlich begrenzten Zugriff auf diese Seite trotzdem erm&ouml;glichen? [<a href="-BYPASS-">JA</a>/nein]
        <br><br><br><br>
...

dansguardianf3.conf

We set up group 3 as a quasi whitelist, since the users of this group are not to be filtered but only logged.
We now make the actual changes to the default configuration in dansguardianf3.conf.

 # vim dansguardianf3.conf

Only the relevant configuration options are listed below:

# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 3 = logging only
# -----------------------------


# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
# Django 16.01.2010
# Default: groupmode = 1 
groupmode = 2 

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default groupname =''
groupname = 'logging_users'

dansguardianf4.conf

In contrast to the whitelisting option above, we set up group 4 as a quasi blacklist, so that we can immediately revoke an individual user's permission to surf the WWW if needed. We then only need to move the user in question to group 4 in /etc/dansguardian/lists/filtergroupslist.
We now make the actual changes to the default configuration in dansguardianf4.conf.

 # vim dansguardianf4.conf

Only the relevant configuration options are listed below:

# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 4 = banned users
# -----------------------------


# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 0 

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'banned_users'

dansguardianf5.conf

As mentioned at the outset, it is often desirable to treat individual users or user groups differently when evaluating their connection requests to the WWW. For example, pupils and teachers, DAUs (clueless users), managers of every rank and VIPs could each be given their own set of filter rules.
We now make the actual changes to the default configuration in dansguardianf5.conf.

 # vim dansguardianf5.conf

Only the relevant configuration options are listed below:

# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 5 = specialists
# -----------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 1 
# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'specialists'
# Content filtering files location
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist_f5'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist_f5'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist_f5'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
# Naughtyness limit
# This the limit over which the page will be blocked.  Each weighted phrase is given
# a value either positive or negative and the values added up.  Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values.  See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children,  100 for old children,  160 for young adults.
# Django 10.12.2009
#Default: naughtynesslimit = 50
naughtynesslimit = 50

In the respective lists:

  • /etc/dansguardian/lists/bannedsitelist_f5
  • /etc/dansguardian/lists/exceptionsitelist_f5
  • /etc/dansguardian/lists/bannedregexpurllist_f5

we now add the sites to be blocked or define the corresponding exceptions.

In addition to evaluating individual user groups differently, in the next step we also enable a time restriction. This lets us, for example, allow individual target sites only outside business hours, or define a time window for children and teenagers in which access to the Internet is generally possible or generally blocked.

Extending the filter groups

First we extend the filter groups defined earlier. We define the next consecutive filter group and use the next number, in our case group 6. As before, we record the intended purpose of the individual users directly in Dansguardian's main configuration file. To do this, we edit the configuration file /etc/dansguardian/dansguardian.conf with our favourite editor.

 # /etc/dansguardian/dansguardian.conf
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.  The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group.  To assign users to groups use the filtergroupslist option.  All users default
# to filter group 1.  You must have some sort of authentication to be able to map users
# to a group.  The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
# Django 23.09.2010
# Default: filtergroups = 1
# Definition of the filter groups
#
# -----------------------------
# Group 1 = default
# -----------------------------
# Group 2 = default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = specialists
# -----------------------------
# Group 6 = youth protection
# -----------------------------
#
filtergroups = 6
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

Configuring the filter group

For the group of teenagers named in our example, who are to get Internet access only at certain times and on certain days, we configure a separate group in exactly the same way as described earlier in the chapter on filter groups in Dansguardian.

We now make the actual changes to the default configuration in the file dansguardianf6.conf.

 # vim dansguardianf6.conf

Only the relevant configuration options are listed below.

# DansGuardian filter group config file for version 2.10.1.1
# Django 23.09.2010
# -------------------------------
# Group 6 = youth protection group
# -------------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 1 
# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 23.09.2010
# Default: #groupname = ''
groupname = 'Jugendliche'
# Content filtering files location
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist_f6'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist_f6'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist_f6'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
# Naughtyness limit
# This the limit over which the page will be blocked.  Each weighted phrase is given
# a value either positive or negative and the values added up.  Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values.  See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children,  100 for old children,  160 for young adults.
# Django 23.09.2010
#Default: naughtynesslimit = 50
naughtynesslimit = 100

In the respective lists:

  • /etc/dansguardian/lists/bannedsitelist_f6
  • /etc/dansguardian/lists/exceptionsitelist_f6
  • /etc/dansguardian/lists/bannedregexpurllist_f6

we now add the sites to be blocked or define the corresponding exceptions.

Using Dansguardian's time limiting syntax, we can now define when a given configuration option is to be active.

# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.

This option applies only in the following configuration files:

  • /etc/dansguardian/lists/greysitelist
  • /etc/dansguardian/lists/exceptionfilesitelist
  • /etc/dansguardian/lists/bannedsitelist
  • /etc/dansguardian/lists/exceptionfileurllist
  • /etc/dansguardian/lists/exceptionsitelist

Using includes, we now pull further configuration files into /etc/dansguardian/lists/bannedsitelist; these will cover our special times.
With the editor of our choice we now edit the corresponding file for blocking sites.

# vim /etc/dansguardian/lists/bannedsitelist_f6
#To include additional files in this list use this example:
#.Include</etc/dansguardian/anotherbannedurllist>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_1>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_2>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_3>

In our configuration example we want to regulate access to Internet sites on the following days and at the following times:

  • Monday to Thursday: access possible from 8:00 to 21:30
  • Friday and Saturday: access possible from 8:00 to 22:30
  • Sunday: access possible from 8:00 to 21:30

First we create our first include file, which covers the period from 21:30 to 23:59 on the days Monday to Thursday and Sunday.

# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_1

The configuration options required for this are:

# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 21 30 23 59 01236

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block.  To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block.  To block all SSL 
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block.  To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block.  To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips

Next we create our second include file, which covers the period from 22:30 to 23:59 on Friday and Saturday.

# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_2

The configuration options required for this are:

# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 22 30 23 59 45

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block.  To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block.  To block all SSL 
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block.  To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block.  To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips

Finally we define our third include file, which covers the period from 00:00 to 07:59 on all days of the week.

# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_3

The configuration options required for this are:

# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 00 00 7 59 0123456

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block.  To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block.  To block all SSL 
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block.  To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block.  To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips
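
The three include files above can be checked against the intended access times before the service is restarted. The following Python script is an added example, not part of the original guide or of Dansguardian itself; it reads the active #time: lines (constructed copies of the ones above) and reports every minute that lies outside the allowed window without being covered by a block list. Assumptions: day 0 is Monday, as the sample comment for 01234 implies, and because the page does not say whether the end minute itself is still covered, both readings are evaluated.

```python
import re

# Constructed input: the '#time:' lines of the three include files shown above
# (the list entries such as '**' are left out, they do not affect the schedule).
INCLUDES = {
    "bannedsitelist_f6_denied_time_1": "##time: 9 0 17 0 01234\n#time: 21 30 23 59 01236\n",
    "bannedsitelist_f6_denied_time_2": "##time: 9 0 17 0 01234\n#time: 22 30 23 59 45\n",
    "bannedsitelist_f6_denied_time_3": "##time: 9 0 17 0 01234\n#time: 00 00 7 59 0123456\n",
}

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # assumption: 0 = Monday


def to_minute(clock):
    """Convert 'H:MM' to minutes since midnight."""
    hours, minutes = clock.split(":")
    return int(hours) * 60 + int(minutes)


# Intended policy from the page: day -> (first allowed minute, first denied minute).
ALLOWED = {day: (to_minute("8:00"), to_minute("21:30")) for day in (0, 1, 2, 3, 6)}
ALLOWED.update({day: (to_minute("8:00"), to_minute("22:30")) for day in (4, 5)})

TIME_RE = re.compile(
    r"^#time:\s+(\d{1,2})\s+(\d{1,2})\s+(\d{1,2})\s+(\d{1,2})\s+([0-6]+)\s*$"
)


def parse_time_directive(text):
    """Return (start_minute, end_minute, days) of the active '#time:' line, or None."""
    for line in text.splitlines():
        match = TIME_RE.match(line)  # '##time:' is the disabled sample and never matches
        if not match:
            continue
        sh, sm, eh, em = (int(group) for group in match.groups()[:4])
        if sh > 23 or eh > 23 or sm > 59 or em > 59:
            raise ValueError(f"time out of range: {line!r}")
        start, end = sh * 60 + sm, eh * 60 + em
        if start >= end:
            raise ValueError(f"window does not run forward within one day: {line!r}")
        return start, end, {int(digit) for digit in match.group(5)}
    return None


def blocked_minutes(includes, end_inclusive):
    """Return the set of (day, minute) pairs during which any include file is active."""
    blocked = set()
    for text in includes.values():
        directive = parse_time_directive(text)
        if directive is None:
            # No active '#time:' line: the list is in force around the clock.
            minutes, days = range(1440), range(7)
        else:
            start, end, days = directive
            minutes = range(start, end + 1 if end_inclusive else end)
        blocked.update((day, minute) for day in days for minute in minutes)
    return blocked


def policy_deviations(blocked, allowed):
    """Compare the blocked minutes with the policy; return (leaks, overblocked)."""
    leaks, overblocked = [], []
    for day in range(7):
        first_allowed, first_denied = allowed[day]
        for minute in range(1440):
            should_allow = first_allowed <= minute < first_denied
            is_blocked = (day, minute) in blocked
            if not should_allow and not is_blocked:
                leaks.append((day, minute))        # access possible although denied by policy
            elif should_allow and is_blocked:
                overblocked.append((day, minute))  # blocked although allowed by policy
    return leaks, overblocked


def label(day, minute):
    """Format a (day, minute) pair as 'Mon 07:59'."""
    return f"{DAY_NAMES[day]} {minute // 60:02d}:{minute % 60:02d}"


if __name__ == "__main__":
    for end_inclusive in (False, True):
        leaks, overblocked = policy_deviations(
            blocked_minutes(INCLUDES, end_inclusive), ALLOWED
        )
        reading = "inclusive" if end_inclusive else "exclusive"
        print(f"end minute {reading}: {len(leaks)} open, {len(overblocked)} overblocked")
        for day, minute in leaks:
            print("  open although denied by policy:", label(day, minute))
```

Under the exclusive reading the minutes 07:59 and 23:59 remain open on every day; under the inclusive reading the three files cover the policy completely.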

Testing time-controlled filter groups

To activate and test our settings, we now restart our dansguardian service.

 # service dansguardian restart

If an attempt is now made outside the permitted time to connect to a normally allowed web page, a corresponding error message is displayed.

Original error/block page

Customizing the block page

The configuration options of the example above produce the following (original) error message:
Verbotene Seite: Totalsperre für Nur-IP-Adressen aktiv, diese
Seite ist nicht auf der Erlaubt-Liste


To change the message, we edit the corresponding file in the path /usr/share/dansguardian/languages/german/.

# vim /usr/share/dansguardian/languages/german/messages
# DansGuardian 2.10 messages file in German
#
# Translated and adapted to Unicode by Peter Vollmar

"1","Zugriff verweigert"

"100","Ihre Arbeitsstation hat keine Erlaubnis zum Surfen auf: "
"101","Ihre Arbeitsstation hat keine Erlaubnis zum Surfen"
"102","Ihr Benutzername hat keine Erlaubnis zum Surfen auf: "

"200","Die angeforderte URL ist ungültig"

"300","Verbotener Ausdruck gefunden: "
"301","Verbotener Ausdruck gefunden"

"400","Verbotene Kombination von Ausdrücken gefunden: "
"401","Verbotene Kombination von Ausdrücken gefunden"
"402","Gewichtete Ausdrucksbeschränkung von "
"403","Gewichtete Ausdrucksbeschränkung überschritten"

"500","Verbotene Seite: "
"501","Verbotene URL: "
"502","Totalsperre aktiv, keine Ausnahmeregelung definiert und aktiv"
"503","Aufgrund von regulären Ausdrücken verbotene URL: "
"504","Aufgrund von regulären Ausdrücken verbotene URL gefunden"
"505","Totalsperre für IP-Adressen aktiv, diese Adresse ist nur eine IP."

"600","Übereinstimmung mit Client-IP in Ausnahmeliste"
"601","Übereinstimmung mit Client-Benutzer in Ausnahmeliste"
"602","Übereinstimmung mit Seite in Ausnahmeliste"
"603","Übereinstimmung mit URL in Ausnahmeliste"
"604","Ausnahme-Ausdruck gefunden: "
"605","Kombination von Ausnahme-Ausdrücken gefunden: "
"606","Umgehungs-URL gefunden"
"607","Umgehungs-Cookie gefunden"
"608","Scan bypass URL exception."
"609","Exception regular expression URL match: "

"700","Web-Upload verboten"
"701","Web-Upload-Schwellwert erreicht"

"800","Verbotener MIME-Typ: "

"900","Verbotene Datei-Erweiterung: "

"1000","PICS-Kennzeichnungsschwellwert überschritten"

"1100","Virus or bad content detected."
"1101","Advert blocked"

"1200","Please wait - downloading to be scanned..."
"1210","Download Complete.  Starting scan..."
"1220","Scan complete.</p><p>Click here to download: "
"1230","File no longer available"

The relevant line reads:

 "502","Totalsperre aktiv, keine Ausnahmeregelung definiert und aktiv"

Afterwards we restart the dansguardian service.

# service dansguardian restart

On the next request outside the permitted time, the changed message is now displayed.

Modified error/block page

To further secure our HTTP traffic, we use the daemonized variant of the virus scanner Clam AntiVirus.

Installation

For this we install the corresponding daemon via yum.

 # yum install clamd clamav clamav-db

Info

What the individual packages provide can be seen from the respective RPMs.

yum info clamd

Name   : clamd
...
Summary: The Clam AntiVirus Daemon
Description:
The Clam AntiVirus Daemon

yum info clamav

Name   : clamav
...
Summary: Anti-virus software
Description:
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
this software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon, a
command line scanner, and a tool for automatic updating via Internet.

The programs are based on a shared library distributed with the Clam
AntiVirus package, which you can use with your own software. Most
importantly, the virus database is kept up to date

yum info clamav-db

Name   : clamav-db
...
Summary: Virus database for clamav
Description:
The actual virus database for clamav

Program paths and contents

We find out about the individual files and paths of the installed programs with:

rpm -ql clamd

/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/sbin/clamd
/usr/share/doc/clamd-0.94.1
/usr/share/doc/clamd-0.94.1/clamd.conf
/usr/share/doc/clamd-0.94.1/clamdwatch
/usr/share/doc/clamd-0.94.1/clamdwatch/clamdwatch.tar.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/run/clamav

rpm -ql clamav

/etc/freshclam.conf
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib/libclamav.so.5
/usr/lib/libclamav.so.5.0.3
/usr/lib/libclamunrar.so.5
/usr/lib/libclamunrar.so.5.0.3
/usr/lib/libclamunrar_iface.so.5
/usr/lib/libclamunrar_iface.so.5.0.3
/usr/share/doc/clamav-0.94.1
/usr/share/doc/clamav-0.94.1/AUTHORS
/usr/share/doc/clamav-0.94.1/BUGS
/usr/share/doc/clamav-0.94.1/COPYING
/usr/share/doc/clamav-0.94.1/ChangeLog
/usr/share/doc/clamav-0.94.1/FAQ
/usr/share/doc/clamav-0.94.1/INSTALL
/usr/share/doc/clamav-0.94.1/NEWS
/usr/share/doc/clamav-0.94.1/README
/usr/share/doc/clamav-0.94.1/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.94.1/clamdoc.pdf
/usr/share/doc/clamav-0.94.1/freshclam.conf
/usr/share/doc/clamav-0.94.1/phishsigs_howto.pdf
/usr/share/doc/clamav-0.94.1/signatures.pdf
/usr/share/doc/clamav-0.94.1/test
/usr/share/doc/clamav-0.94.1/test/.split
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipab
/usr/share/doc/clamav-0.94.1/test/Makefile
/usr/share/doc/clamav-0.94.1/test/Makefile.am
/usr/share/doc/clamav-0.94.1/test/Makefile.in
/usr/share/doc/clamav-0.94.1/test/README
/usr/share/doc/clamav-0.94.1/test/clam-aspack.exe
/usr/share/doc/clamav-0.94.1/test/clam-fsg.exe
/usr/share/doc/clamav-0.94.1/test/clam-mew.exe
/usr/share/doc/clamav-0.94.1/test/clam-nsis.exe
/usr/share/doc/clamav-0.94.1/test/clam-pespin.exe
/usr/share/doc/clamav-0.94.1/test/clam-petite.exe
/usr/share/doc/clamav-0.94.1/test/clam-upack.exe
/usr/share/doc/clamav-0.94.1/test/clam-upx.exe
/usr/share/doc/clamav-0.94.1/test/clam-v2.rar
/usr/share/doc/clamav-0.94.1/test/clam-v3.rar
/usr/share/doc/clamav-0.94.1/test/clam-wwpack.exe
/usr/share/doc/clamav-0.94.1/test/clam.arj
/usr/share/doc/clamav-0.94.1/test/clam.bz2.zip
/usr/share/doc/clamav-0.94.1/test/clam.cab
/usr/share/doc/clamav-0.94.1/test/clam.chm
/usr/share/doc/clamav-0.94.1/test/clam.d64.zip
/usr/share/doc/clamav-0.94.1/test/clam.ea05.exe
/usr/share/doc/clamav-0.94.1/test/clam.ea06.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe.binhex
/usr/share/doc/clamav-0.94.1/test/clam.exe.bz2
/usr/share/doc/clamav-0.94.1/test/clam.exe.html
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.base64
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.uu
/usr/share/doc/clamav-0.94.1/test/clam.exe.rtf
/usr/share/doc/clamav-0.94.1/test/clam.exe.szdd
/usr/share/doc/clamav-0.94.1/test/clam.impl.zip
/usr/share/doc/clamav-0.94.1/test/clam.mail
/usr/share/doc/clamav-0.94.1/test/clam.ole.doc
/usr/share/doc/clamav-0.94.1/test/clam.pdf
/usr/share/doc/clamav-0.94.1/test/clam.ppt
/usr/share/doc/clamav-0.94.1/test/clam.sis
/usr/share/doc/clamav-0.94.1/test/clam.tar.gz
/usr/share/doc/clamav-0.94.1/test/clam.tnef
/usr/share/doc/clamav-0.94.1/test/clam.zip
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz

rpm -ql clamav-db

/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav

Configuration

clamd

We adapt the configuration file of the ClamAV daemon, /etc/clamd.conf, to our circumstances. Three parameters are particularly important:

  • User clamav
  • AllowSupplementaryGroups yes
  • LocalSocket /tmp/clamd.socket

Altogether this results in the following overall configuration:

egrep -v '(^.*#|^$)' /etc/clamd.conf 

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no

As noted in /etc/amavisd.conf

# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;

we add the user clamav to the group nobody, under whose rights the Dansguardian daemon runs.

 # usermod -a -G nobody clamav

First program start

Now it is time to start our ClamAV daemon for the first time.

# service clamd start
Starting Clam AntiVirus Daemon: LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
                                                           [  OK  ]

So we first have to update our virus database. For this we use the program freshclam from the clamav package. For now we stop our daemon and continue with the installation and configuration of the remaining steps.

 # service clamd stop
 Stopping Clam AntiVirus Daemon:                            [  OK  ]

Starting the daemon automatically at system boot

So that our ClamAV daemon is started automatically at boot, we carry out the following configuration steps.

 # chkconfig clamd on

Afterwards we verify our change:

 # chkconfig --list | grep clamd
 clamd           0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

freshclam configuration

To keep ClamAV supplied with current virus information at all times, the program freshclam from the clamav package is at our service.

In the default configuration, freshclam ensures that the virus pattern database is updated once a day. If required, we can adapt the update cycle to our needs and, for example, check every hour whether new pattern files are available, download them to our machine and merge them into the local database. In principle two mechanisms are available for this: the crontab and daemon mode. Both variants could be used in parallel on the system; both options are briefly described below.

Using crontab

The first and simple variant is to move the update script, which currently and by default lives under /etc/cron.daily with the name freshclam, to /etc/cron.hourly/. The update script contains the following parameters and calls:

#!/bin/sh

### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"

So, if required, we move the script to /etc/cron.hourly/.

 # mv /etc/cron.daily/freshclam /etc/cron.hourly/

Using daemon mode

The second option mentioned above for updating the virus pattern database is to use the freshclam daemon, which runs in the background and regularly queries the pattern servers.

Start script

Since no suitable SysV init script was shipped with our installation, we create our own start script.

# vim /etc/init.d/freshclamd
#!/bin/sh
#
# freshclamd    Init Script to start/stop the freshclamd.
#
# chkconfig: - 62 38
# description: freshclam is an update daemon for Clam AV database.
#
# processname: freshclamd
# config: /etc/freshclam.conf
# pidfile: /var/run/clamav/freshclam.pid
 
# Source function library
. /etc/init.d/functions
 
# Get network config
. /etc/sysconfig/network
 
test -f /etc/freshclam.conf || exit 0
 
RETVAL=0
DATA_DIR="/var/clamav"
CLAMD_CONF_FILE="/etc/clamd.conf"
LOG_FILE="/var/log/clamav/freshclam.log"
 
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav:clamav "$LOG_FILE"
fi
 
start() {
        echo -n $"Starting freshclam: "
        # Start me up!
        #       --log="$LOG_FILE" \
        #       --log-verbose \
        daemon /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid \
                -c 48 \
                --quiet \
                --datadir="$DATA_DIR" \
                --daemon-notify="$CLAMD_CONF_FILE"
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
        return $RETVAL
}
 
stop() {
        echo -n $"Stopping freshclam: "
        killproc freshclam
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam
        return $RETVAL
}
 
restart() {
        stop
        start
}
 
reload() {
        echo -n $"Reloading DB: "
        killproc freshclam -ALRM
        RETVAL=$?
        echo
        return $RETVAL
}
 
 
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status freshclam
        ;;
  restart)
        restart
        ;;
  condrestart)
        [ -f /var/lock/subsys/freshclam ] && restart || :
        ;;
  reload)
        reload
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
        exit 1
esac
 
exit $?

Afterwards we adjust the file permissions:

 # chmod +x /etc/init.d/freshclamd

Configuration

In the configuration file /etc/freshclam.conf we now adjust the update interval to our requirements.

# vim /etc/freshclam.conf

...
# Number of database checks per day.
# Default: 12 (every two hours)
# Django 17.05.2009 for a half-hourly virus pattern database check
Checks 48
...

First program start

We start our update mechanism, the freshclam daemon, as usual with:

 # service freshclamd start
 Starting freshclam:                                        [  OK  ]

The program start is documented accordingly in the log file /var/log/clamav/freshclam.log:

# tail -f /var/log/clamav/freshclam.log 
--------------------------------------
freshclam daemon 0.95.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Sun May 17 22:15:13 2009
Downloading main-51.cdiff [100%]
main.cld updated (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 193.27.50.222)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
Trying host db.de.clamav.net (213.174.32.130)...
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 213.174.32.130)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
Trying host db.de.clamav.net (212.1.60.18)...
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 212.1.60.18)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.de.clamav.net (130.133.110.67)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 9365, sigs: 5249, f-level: 42, builder: mcichosz)
Database updated (550284 signatures) from db.de.clamav.net (IP: 130.133.110.67)
--------------------------------------
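
The run logged above ends in "Database updated", so its WARNING lines record a failed incremental update followed by a successful full download of daily.cvd. As an added example (not part of the original page), the following script summarises the most recent freshclam run in a log; it matches only the message prefixes visible in the excerpt, and the function names and the first run in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): summarise the most recent
# freshclam run in a log. Only message prefixes seen in the excerpt are matched.

# Reads a freshclam log (file argument or stdin), prints "<status> <warnings>":
#   updated                 "Database updated" seen, no fallback needed
#   updated-after-fallback  incremental .cdiff failed, full .cvd was loaded
#   no-update               run started, but no "Database updated" line
#   no-run                  no run header found
freshclam_last_run() {
    awk '
        /^ClamAV update process started at / {
            seen = 1; warnings = 0; fallback = 0; updated = 0
        }
        /^WARNING: /                          { warnings++ }
        /^WARNING: Incremental update failed/ { fallback = 1 }
        /^Database updated \(/                { updated = 1 }
        END {
            if (!seen)         status = "no-run"
            else if (!updated) status = "no-update"
            else if (fallback) status = "updated-after-fallback"
            else               status = "updated"
            print status, warnings + 0
        }
    ' "$@"
}

# Constructed sample: the first run is invented (download fails), the second
# run is shortened from the excerpt above.
sample_log() {
    cat <<'EOF'
--------------------------------------
freshclam daemon 0.95.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Sun May 17 21:45:13 2009
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 193.27.50.222)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
--------------------------------------
ClamAV update process started at Sun May 17 22:15:13 2009
main.cld updated (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 193.27.50.222)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
daily.cvd updated (version: 9365, sigs: 5249, f-level: 42, builder: mcichosz)
Database updated (550284 signatures) from db.de.clamav.net (IP: 130.133.110.67)
EOF
}

sample_log | freshclam_last_run
```

A status of no-update together with a non-zero warning count is the case worth alerting on, because clamd then keeps scanning with the old signatures.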

Starting the daemon automatically at system boot

To have our freshclam daemon started automatically at boot, we carry out the following configuration steps.

 # chkconfig freshclamd on

Then we verify our change:

 # chkconfig --list | grep freshclamd
 freshclamd      0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

Starting clamav

Now that our virus database is up to date, we can start the clamav daemon without an error message:

 # service clamd start
 Starting Clam AntiVirus Daemon:                            [  OK  ]

The program start is recorded accordingly in the log file /var/log/clamav/clamd.log:

Sun May 17 22:20:12 2009 -> +++ Started at Sun May 17 22:20:12 2009
Sun May 17 22:20:12 2009 -> clamd daemon 0.99.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
Sun May 17 22:20:12 2009 -> Running as user clamav (UID 101, GID 105)
Sun May 17 22:20:12 2009 -> Log file size limit disabled.
Sun May 17 22:20:12 2009 -> Reading databases from /var/clamav
Sun May 17 22:20:12 2009 -> Not loading PUA signatures.
Sun May 17 22:20:13 2009 -> Loaded 549731 signatures.
Sun May 17 22:20:13 2009 -> TCP: Bound to address 127.0.0.1 on port 3310
Sun May 17 22:20:13 2009 -> TCP: Setting connection queue length to 30
Sun May 17 22:20:13 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Sun May 17 22:20:13 2009 -> LOCAL: Setting connection queue length to 30
Sun May 17 22:20:13 2009 -> Limits: Global size limit set to 104857600 bytes.
Sun May 17 22:20:13 2009 -> Limits: File size limit set to 26214400 bytes.
Sun May 17 22:20:13 2009 -> Limits: Recursion level limit set to 16.
Sun May 17 22:20:13 2009 -> Limits: Files limit set to 10000.
Sun May 17 22:20:13 2009 -> Archive support enabled.
Sun May 17 22:20:13 2009 -> Algorithmic detection enabled.
Sun May 17 22:20:13 2009 -> Portable Executable support enabled.
Sun May 17 22:20:13 2009 -> ELF support enabled.
Sun May 17 22:20:13 2009 -> Detection of broken executables enabled.
Sun May 17 22:20:13 2009 -> Mail files support enabled.
Sun May 17 22:20:13 2009 -> OLE2 support enabled.
Sun May 17 22:20:13 2009 -> PDF support enabled.
Sun May 17 22:20:13 2009 -> HTML support enabled.
Sun May 17 22:20:13 2009 -> Self checking every 600 seconds.

Testing clamscan

Finally, we check whether our virus scanner is working correctly. To do so, we fetch a virus pattern test file.

# wget http://dansguardian.org/downloads/2/Variants/AVTest/danger/eicar.com.txt -O /tmp/eicar.com.txt
--2009-12-11 15:33:06--  http://dansguardian.org/downloads/2/Variants/AVTest/danger/eicar.com.txt
Auflösen des Rechnernamens »dansguardian.org«.... 89.16.172.190, 2001:41c8:1:5847::2
Verbindungsaufbau mit dansguardian.org[89.16.172.190]:80... verbunden.
HTTP-Anfrage gesendet, warte auf Antwort... 200 OK
Länge: 68 [text/plain]
Speichere nach: »/tmp/eicar.com.txt«

100%[===================================================================================================================>] 68          --.-K/s   in 0s      

2009-12-11 15:33:06 (10,6 MB/s) - »/tmp/eicar.com.txt« gespeichert [68/68]

We now have clamscan check the Eicar test file we obtained.

# clamscan -v /tmp/eicar.com.txt 
Scanning /tmp/eicar.com.txt
/tmp/eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1215262
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.402 sec (0 m 5 s)

To enable the virus scanner during content filtering, we now activate clamd in /etc/dansguardian/dansguardian.conf. We also specify where the received data can and should be buffered.

 # vim /etc/dansguardian/dansguardian.conf

# Content Scanners (Also known as AV scanners)
# These are plugins that scan the content of all files your browser fetches
# for example to AV scan.  The options are limitless.  Eventually all of
# DansGuardian will be plugin based.  You can have more than one content
# scanner. The plugins are run in the order you specify.
# This is one of the few places you can have multiple options of the same name.
#
# Some of the scanner(s) require 3rd party software and libraries eg clamav.
# See the individual plugin conf file for more options (if any).
#
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
#!! Unimplemented !! contentscanner = '/etc/dansguardian/contentscanners/kavav.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/kavdscan.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/icapscan.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/commandlinescan.conf'


# File cache dir
# Where DG will download files to be scanned if too large for the
# RAM cache.
# Django 10.12.2009
#Default: filecachedir = '/tmp'
filecachedir = '/var/tmp'

Further configuration takes place in the file /etc/dansguardian/contentscanners/clamdscan.conf mentioned above. We open the file with vim, our editor of first choice, and enter the socket /tmp/clamd.socket there, which we created in clamd.conf.

 # vim /etc/dansguardian/contentscanners/clamdscan.conf

plugname = 'clamdscan'

# edit this to match the location of your ClamD UNIX domain socket
#clamdudsfile = '/var/run/clamav/clamd.sock'
# Django 10.12.2009
#Default: #clamdudsfile = '/var/run/clamav/clamd.sock'
clamdudsfile = '/tmp/clamd.socket'


# If this string is set, the text it contains shall be removed from the
# beginning of filenames when passing them to ClamD.
# Use it to - for example - support a ClamD running inside a chroot jail:
# if DG's filecachedir is set to "/var/clamdchroot/downloads/" and pathprefix
# is set to "/var/clamdchroot", then file names given to ClamD will be of the
# form "/downloads/tf*" instead of "/var/clamdchroot/downloads/tf*".
#pathprefix = '/var/clamdchroot'

exceptionvirusmimetypelist = '/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/dansguardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/lists/contentscanners/exceptionvirusurllist'
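
One way to confirm that DansGuardian and clamd agree on the socket, as an added example that is not part of the original page: the script compares LocalSocket from clamd.conf with clamdudsfile from clamdscan.conf. The function names and sample files are assumptions; the sample deliberately uses the two different socket paths that appear on this page (the clamd log line and the clamdscan.conf entry).

```shell
#!/bin/sh
# Added example (not from the original page): check that DansGuardian's
# clamdscan plugin points at the socket that clamd actually creates.

# Value of "key = 'value'" in a DansGuardian-style file (comment lines skipped).
dg_value() {      # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" |
        tail -n 1
}

# Value of "Key value" in a clamd.conf-style file (comment lines skipped).
clamd_value() {   # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Prints "match <path>" and returns 0 if both files name the same socket;
# otherwise prints the two values and returns 1.
check_clamd_socket() {   # $1 = clamd.conf, $2 = clamdscan.conf
    clamd_sock=$(clamd_value "$1" LocalSocket)
    dg_sock=$(dg_value "$2" clamdudsfile)
    if [ -z "$clamd_sock" ] || [ -z "$dg_sock" ]; then
        echo "unset clamd=${clamd_sock:-none} dansguardian=${dg_sock:-none}"
        return 1
    fi
    if [ "$clamd_sock" != "$dg_sock" ]; then
        echo "mismatch clamd=$clamd_sock dansguardian=$dg_sock"
        return 1
    fi
    echo "match $clamd_sock"
}

# Constructed sample files in directory $1, using the two socket paths that
# appear on this page (clamd log line vs. clamdscan.conf).
write_samples() {
    printf '%s\n' '# constructed sample' '#LocalSocket /tmp/old.sock' \
        'LocalSocket /var/run/clamav/clamd.sock' > "$1/clamd.conf"
    printf '%s\n' "plugname = 'clamdscan'" \
        "#clamdudsfile = '/var/run/clamav/clamd.sock'" \
        "clamdudsfile = '/tmp/clamd.socket'" > "$1/clamdscan.conf"
}

# Demo: pass the two real paths as arguments, or run without for the sample.
if [ $# -eq 2 ]; then
    check_clamd_socket "$1" "$2"
else
    d=$(mktemp -d) && write_samples "$d"
    check_clamd_socket "$d/clamd.conf" "$d/clamdscan.conf" || true  # deliberate mismatch
    rm -rf "$d"
fi
```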
1)
For easier comparison between version 2.8.0.6 and version 2.10.1.1, the complete output of the rpm -iql query is printed.