Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
| centos:dansguardian_2.10 [15.11.2011 13:53. ] – [Filtergruppen bei Dansguardian] django | centos:dansguardian_2.10 [20.04.2018 10:36. ] (aktuell) – Externe Bearbeitung 127.0.0.1 | ||
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| + | ====== Dansguardian Version 2.10.1.1 - Installation und Konfiguration ====== | ||
| + | {{: | ||
| + | |||
| + | Für die Zugriffsverwaltung und inhaltliche Bewertung der angewählten Internetseiten bedienen wir uns dem Proxy [[http:// | ||
| + | Bei dieser Konstellation arbeiten **// | ||
| + | * unerwünschte Seiten zu blocken (Pornographie) | ||
| + | * bestimmte Inhalte nur bestimmten Usern zur Verfügung zu stellen (Multimediainhalte des WWW) | ||
| + | * Seiten auf unerwünschten Inhalt zu überprüfen und ggf. zu blocken (Glücksspiel und politische Propaganda) oder | ||
| + | * eine Virenprüfung der übermittelten Daten vorzunehmen. | ||
| + | |||
| + | |||
| + | <WRAP round important> | ||
| + | \\ | ||
| + | <WRAP round tip>Die komfortabelste Variante ist die Nutzung von **// | ||
| + | |||
| + | |||
| + | |||
| + | </ | ||
| + | |||
| + | ===== Installation ===== | ||
| + | Wie bereits erwähnt, erfolgt die Installation der neuen Dansguardian-Version am leichtesten mit Hilfe eines **RPMs** und unter Zuhilfenahme eines [[centos: | ||
| + | # yum install dansguardian | ||
| + | Anschließend können wir gleich mit der [[centos: | ||
| + | |||
| + | ==== Download ==== | ||
| + | Möchte man **// | ||
| + | Die aktuelle Version - [[http:// | ||
| + | < | ||
| + | |||
| + | # cd / | ||
| + | # wget http:// | ||
| + | Da das Programm nicht aus einem uns bekannten Repository stammt, holen wir uns noch den **public-key** des **__Packager__** und installieren diesen in den **RPM-Keyring**. | ||
| + | # rpm --import http:// | ||
| + | Somit können wir hier nun die Integrität des heruntergeladenen RPMs überprüfen. | ||
| + | # rpm -K dansguardian-2.10.1.1-1.0.el5.i386.rpm | ||
| + | | ||
| + | |||
| + | ==== YUM-Installation ==== | ||
| + | Das zuvor heruntergeladene RPM installieren wir, wie gewohnt mittels **yum**. | ||
| + | # yum install dansguardian-2.10.1.1-1.0.el5.i386.rpm | ||
| + | Das Paket **dansguardian** des aktuellen Release-Kandidaten hat nun im Gegensatz zur Version 2.8.0.6 einen weitaus größeren Umfang, was uns ein detailierter Blick in das **RPM**((zum besseren Vergleich zwischen der Verison 2.8.0.6 zur 2.10.1.1 erfolgt der //Abdruck// der gesamten Abfrage durch **rpm -iql**)), nach erfolgter Installation des Paketes, zeigt. | ||
| + | < | ||
| + | Name : dansguardian | ||
| + | Version | ||
| + | Release | ||
| + | Install Date: Do 10 Dez 2009 14:25:11 CET Build Host: office.nausch.org | ||
| + | Group : System Environment/ | ||
| + | Size : 1475359 | ||
| + | Signature | ||
| + | Packager | ||
| + | URL : http:// | ||
| + | Summary | ||
| + | Description : | ||
| + | DansGuardian is a web filtering engine that checks the content within | ||
| + | the page itself in addition to the more traditional URL filtering. | ||
| + | |||
| + | DansGuardian is a content filtering proxy. It filters using multiple methods, | ||
| + | including URL and domain filtering, content phrase filtering, PICS filtering, | ||
| + | MIME filtering, file extension filtering, POST filtering. | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | /etc/httpd | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | /etc/rc.d | ||
| + | / | ||
| + | / | ||
| + | /usr | ||
| + | /usr/sbin | ||
| + | / | ||
| + | /usr/share | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | /usr/var | ||
| + | / | ||
| + | /var | ||
| + | /var/log | ||
| + | / | ||
| + | ===== Konfiguration ===== | ||
| + | Die Konfiguration unseres Contentscanners spielt sich im Wesentlichen unter dem Verezichnis **/ | ||
| + | # cd / | ||
| + | < | ||
| + | insgesamt 120 | ||
| + | drwxr-xr-x | ||
| + | drwxr-xr-x 122 root root 12288 11. Dez 09:00 ../ | ||
| + | drwxr-xr-x | ||
| + | drwxr-xr-x | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | drwxr-xr-x | ||
| + | drwxr-xr-x | ||
| + | Die beiden Konfigurationsdateien: | ||
| + | * **dansguardian.conf** | ||
| + | * **dansguardianf1.conf** | ||
| + | beinhalten die Hauptkonfigurations-Optionen des Filters. In den Unterverzeichnissen erfolgt dann die weitere meist stark individuelle Anpassung. | ||
| + | * **authplugins** | ||
| + | * **contentscanners** | ||
| + | * **downloadmanagers** | ||
| + | * **lists** | ||
| + | |||
| + | ==== dansguardian.conf ==== | ||
| + | Die Haupfkonfiguration des // | ||
| + | \\ | ||
| + | Mit dem Editor unserer Wahl - also **vim** - bearbeiten nun die erste der beiden Konfigurationsdateien. | ||
| + | # vim / | ||
| + | Als erstes passen wir die Internationalisierung in der Konfigurationsdatei an: | ||
| + | < | ||
| + | # Django 10.12.2009 | ||
| + | #Default: language = ' | ||
| + | language = ' | ||
| + | Die Einstellungen im Bezug auf unsere Netzwerkadressen un den zugehörigen Ports erfolgen im Bereich **Network Settings**. | ||
| + | < | ||
| + | # | ||
| + | # the IP that DansGuardian listens on. If left blank DansGuardian will | ||
| + | # listen on all IPs. That would include all NICs, loopback, modem, etc. | ||
| + | # Normally you would have your firewall protecting this, but if you want | ||
| + | # you can limit it to a certain IP. To bind to multiple interfaces, | ||
| + | # specify each IP on an individual filterip line. | ||
| + | filterip = | ||
| + | |||
| + | # the port that DansGuardian listens to. | ||
| + | filterport = 8080 | ||
| + | |||
| + | # the ip of the proxy (default is the loopback - i.e. this server) | ||
| + | proxyip = 127.0.0.1 | ||
| + | |||
| + | # the port DansGuardian connects to proxy on | ||
| + | proxyport = 3128 | ||
| + | </ | ||
| + | Zur Information der User bei anwahl von gesperrten Seiten bietet Dansguardian zwei Wege: | ||
| + | === dansguardian.pl === | ||
| + | Möchte man das // | ||
| + | \\ | ||
| + | {{ : | ||
| + | \\ | ||
| + | Der zugehörige Eintrag in der Konfigurationsdatei lautet: | ||
| + | < | ||
| + | # dansguardian reporting script was copied. Only used in reporting levels 1 and 2. | ||
| + | # | ||
| + | # This webserver must be either: | ||
| + | # 1. Non-proxied. Either a machine on the local network, or listed as an exception | ||
| + | # in your browser' | ||
| + | # 2. Added to the exceptionsitelist. Option 1 is preferable; this option is | ||
| + | # only for users using both transparent proxying and a non-local server | ||
| + | # to host this script. | ||
| + | # | ||
| + | # Individual filter groups can override this setting in their own configuration. | ||
| + | # | ||
| + | # Django 10.12.2009 | ||
| + | #Default: accessdeniedaddress = ' | ||
| + | accessdeniedaddress = ' | ||
| + | === HTML-Statuspage === | ||
| + | Alternativ dazu gibt es eine HTML-Seite mit den Hinweisen, warum die Seite gesperrt worden ist.\\ | ||
| + | \\ | ||
| + | {{ : | ||
| + | \\ | ||
| + | Hierzu deaktiviert man einfach die Option in der konfiguartionsdatei. | ||
| + | < | ||
| + | #Default: accessdeniedaddress = ' | ||
| + | # | ||
| + | In Summe ergibt sich also folgende __erste Gesamtkonfiguration__: | ||
| + | # egrep -v ' | ||
| + | < | ||
| + | languagedir = '/ | ||
| + | language = ' | ||
| + | loglevel = 2 | ||
| + | logexceptionhits = 2 | ||
| + | logfileformat = 1 | ||
| + | filterip = | ||
| + | filterport = 8080 | ||
| + | proxyip = 127.0.0.1 | ||
| + | proxyport = 3128 | ||
| + | originalip = off | ||
| + | nonstandarddelimiter = on | ||
| + | usecustombannedimage = on | ||
| + | custombannedimagefile = '/ | ||
| + | filtergroups = 1 | ||
| + | filtergroupslist = '/ | ||
| + | bannediplist = '/ | ||
| + | exceptioniplist = '/ | ||
| + | showweightedfound = on | ||
| + | weightedphrasemode = 2 | ||
| + | urlcachenumber = 1000 | ||
| + | urlcacheage = 900 | ||
| + | scancleancache = on | ||
| + | phrasefiltermode = 2 | ||
| + | preservecase = 0 | ||
| + | hexdecodecontent = off | ||
| + | forcequicksearch = off | ||
| + | reverseaddresslookups = off | ||
| + | reverseclientiplookups = off | ||
| + | logclienthostnames = off | ||
| + | createlistcachefiles = on | ||
| + | maxuploadsize = -1 | ||
| + | maxcontentfiltersize = 256 | ||
| + | maxcontentramcachescansize = 2000 | ||
| + | maxcontentfilecachescansize = 20000 | ||
| + | filecachedir = '/ | ||
| + | deletedownloadedtempfiles = on | ||
| + | initialtrickledelay = 20 | ||
| + | trickledelay = 10 | ||
| + | downloadmanager = '/ | ||
| + | downloadmanager = '/ | ||
| + | contentscannertimeout = 60 | ||
| + | contentscanexceptions = off | ||
| + | recheckreplacedurls = off | ||
| + | forwardedfor = off | ||
| + | usexforwardedfor = off | ||
| + | logconnectionhandlingerrors = on | ||
| + | logchildprocesshandling = off | ||
| + | maxchildren = 120 | ||
| + | minchildren = 8 | ||
| + | minsparechildren = 4 | ||
| + | preforkchildren = 6 | ||
| + | maxsparechildren = 32 | ||
| + | maxagechildren = 500 | ||
| + | maxips = 0 | ||
| + | ipcfilename = '/ | ||
| + | urlipcfilename = '/ | ||
| + | ipipcfilename = '/ | ||
| + | nodaemon = off | ||
| + | nologger = off | ||
| + | logadblocks = off | ||
| + | loguseragent = off | ||
| + | softrestart = off | ||
| + | mailer = '/ | ||
| + | |||
| + | === dansguardianf1.conf === | ||
| + | Die weitere Konfiguration des Dansguardian-Content-filters/ | ||
| + | \\ | ||
| + | Mit dem Editor unserer Wahl - also vim - bearbeiten nun die erste der beiden Konfigurationsdateien. | ||
| + | # vim / | ||
| + | Im ersten Schritt passen wir die Ansprechschwelle der gewichteten Seitenüberprüfung an. Mit einem **Naughtyness limit** von **//100//** liegt man schon mal in einem praktikablen Bereich. : | ||
| + | < | ||
| + | # This the limit over which the page will be blocked. | ||
| + | # a value either positive or negative and the values added up. Phrases to do with | ||
| + | # good subjects will have negative values, and bad subjects will have positive | ||
| + | # values. | ||
| + | # As a guide: | ||
| + | # 50 is for young children, | ||
| + | # Django 10.12.2009 | ||
| + | #Default: naughtynesslimit = 50 | ||
| + | naughtynesslimit = 100</ | ||
| + | In Summe ergibt sich also folgende __erste Gesamtkonfiguration__: | ||
| + | # egrep -v ' | ||
| + | < | ||
| + | bannedphraselist = '/ | ||
| + | weightedphraselist = '/ | ||
| + | exceptionphraselist = '/ | ||
| + | bannedsitelist = '/ | ||
| + | greysitelist = '/ | ||
| + | exceptionsitelist = '/ | ||
| + | bannedurllist = '/ | ||
| + | greyurllist = '/ | ||
| + | exceptionurllist = '/ | ||
| + | exceptionregexpurllist = '/ | ||
| + | bannedregexpurllist = '/ | ||
| + | picsfile = '/ | ||
| + | contentregexplist = '/ | ||
| + | urlregexplist = '/ | ||
| + | blockdownloads = off | ||
| + | exceptionextensionlist = '/ | ||
| + | exceptionmimetypelist = '/ | ||
| + | bannedextensionlist = '/ | ||
| + | bannedmimetypelist = '/ | ||
| + | exceptionfilesitelist = '/ | ||
| + | exceptionfileurllist = '/ | ||
| + | headerregexplist = '/ | ||
| + | bannedregexpheaderlist = '/ | ||
| + | naughtynesslimit = 100 | ||
| + | categorydisplaythreshold = 0 | ||
| + | embeddedurlweight = 0 | ||
| + | enablepics = off | ||
| + | bypass = 0 | ||
| + | bypasskey = '' | ||
| + | infectionbypass = 0 | ||
| + | infectionbypasskey = '' | ||
| + | infectionbypasserrorsonly = on | ||
| + | disablecontentscan = off | ||
| + | deepurlanalysis = off | ||
| + | usesmtp = off | ||
| + | mailfrom = '' | ||
| + | avadmin = '' | ||
| + | contentadmin = '' | ||
| + | avsubject = ' | ||
| + | contentsubject = ' | ||
| + | notifyav = off | ||
| + | notifycontent = off | ||
| + | thresholdbyuser = off | ||
| + | violations = 0 | ||
| + | threshold = 0</ | ||
| + | |||
| + | === authplugins === | ||
| + | Benutzt man keine Authentifizierung im **Squid-Proxy**, | ||
| + | # ll / | ||
| + | < | ||
| + | -rw-r--r-- 1 root root 104 Dec 9 16:05 ident.conf | ||
| + | -rw-r--r-- 1 root root 323 Dec 9 16:05 ip.conf | ||
| + | -rw-r--r-- 1 root root 195 Dec 9 16:05 proxy-basic.conf | ||
| + | -rw-r--r-- 1 root root 257 Dec 9 16:05 proxy-digest.conf</ | ||
| + | |||
| + | === contentscanners === | ||
| + | In der Konfigurationsdatei // | ||
| + | < | ||
| + | |||
| + | # edit this to match the location of your ClamD UNIX domain socket | ||
| + | # | ||
| + | |||
| + | # If this string is set, the text it contains shall be removed from the | ||
| + | # beginning of filenames when passing them to ClamD. | ||
| + | # Use it to - for example - support a ClamD running inside a chroot jail: | ||
| + | # if DG's filecachedir is set to "/ | ||
| + | # is set to "/ | ||
| + | # form "/ | ||
| + | #pathprefix = '/ | ||
| + | |||
| + | exceptionvirusmimetypelist = '/ | ||
| + | exceptionvirusextensionlist = '/ | ||
| + | exceptionvirussitelist = '/ | ||
| + | exceptionvirusurllist = '/ | ||
| + | Die Anpassung(en) dieser Konfigurationsdate erfolgt im nachfolgenden Kapitel [[centos: | ||
| + | |||
| + | === downloadmanagers === | ||
| + | Im Verzeichnis // | ||
| + | # ls -alf | ||
| + | total 8 | ||
| + | | ||
| + | | ||
| + | == default.conf == | ||
| + | # vim / | ||
| + | < | ||
| + | # This is the safest option for unknown user-agents and content types, and | ||
| + | # hence a good one to include last. | ||
| + | |||
| + | # Which plugin should be loaded? | ||
| + | plugname = ' | ||
| + | |||
| + | # Regular expression for matching user agents | ||
| + | # When not defined, matches all agents. | ||
| + | # | ||
| + | |||
| + | # Lists of mime types and extensions to manage | ||
| + | # When not defined, matches everything. | ||
| + | # These can be enabled separately; when both enabled, | ||
| + | # a request may match either list. | ||
| + | # | ||
| + | # | ||
| + | == fancy.conf == | ||
| + | # vim / | ||
| + | < | ||
| + | # This outputs a Javascript progress bar to the browser when a file is taking | ||
| + | # a long time to download, and hence is unsuitable for browsers without | ||
| + | # javascript support; also you may wish to enable it only for types/ | ||
| + | # that are usually downloaded individually, | ||
| + | # such as executables and archives. | ||
| + | |||
| + | # Which plugin should be loaded? | ||
| + | plugname = ' | ||
| + | |||
| + | # Regular expression for matching user agents | ||
| + | # When not defined, matches all agents. | ||
| + | # | ||
| + | # ' | ||
| + | useragentregexp = ' | ||
| + | |||
| + | # Lists of mime types and extensions to manage | ||
| + | # When not defined, matches everything. | ||
| + | # These can be enabled separately; when both enabled, | ||
| + | # a request may match either list. | ||
| + | # | ||
| + | managedextensionlist = '/ | ||
| + | |||
| + | # HTML/ | ||
| + | # The contents of this file determine what is presented to the user during | ||
| + | # and after downloading/ | ||
| + | # define certain JavaScript functions - called at various stages during | ||
| + | # the process - allowing the page to be modified to reflect current progress. | ||
| + | # This option generates a path of the form < | ||
| + | template = ' | ||
| + | |||
| + | # Maximum download size | ||
| + | # When a file with unknown content length gets handled by the fancy DM, | ||
| + | # something must be done in the case that the file is found to be too large | ||
| + | # to scan (i.e. larger than maxcontentfilecachescansize). | ||
| + | # As of 2.9.7.0, a warning will be issued to the user that the fancy DM may | ||
| + | # not be able to cache the entire file, and the file will continue to be | ||
| + | # downloaded to disk (but not scanned) until it reaches this size, at which | ||
| + | # point the user will simply have to re-download the file (the URL won't be | ||
| + | # scanned again). | ||
| + | # The size is in kibibytes (i.e. 10240 = 10Mb) | ||
| + | maxdownloadsize = 80000</ | ||
| + | |||
| + | === lists === | ||
| + | Die feingranulare nutzungsindividuelle Einstellung unseres Dansguardian erfolgt über mehrere Black- und/oder White-Listen. Diese befinden sich im Verzeichnis // | ||
| + | < | ||
| + | total 152 | ||
| + | drwxr-xr-x | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | drwxr-xr-x | ||
| + | -rw-r--r-- | ||
| + | drwxr-xr-x | ||
| + | drwxr-xr-x | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | drwxr-xr-x 36 root root 4096 Dec 9 16:05 phraselists | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | -rw-r--r-- | ||
| + | Auf einzelen spezielle Dateien wird im Kapitel [[centos: | ||
| + | |||
| + | ==== Starten von Dansguardian ==== | ||
| + | Nun starten wir das erste mal unsere neuen Dienst dansguardian: | ||
| + | # service dansguardian start | ||
| + | Web Content Filter (dansguardian) starten: | ||
| + | Im Syslog wird uns der erfolgreiche Start entsprechend dokumentiert: | ||
| + | Dec 11 12:38:43 office dansguardian[5191]: | ||
| + | Auf Port **8080** lauscht nun unser Dansguardian-Daemon, | ||
| + | # # netstat -tulpen | grep dansguardian | ||
| + | | ||
| + | In der Prozessliste sehen wir ferner die gestarteten Dansguardian-Prozesse: | ||
| + | # ps aux | grep dansguardian | ||
| + | < | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | nobody | ||
| + | root 5212 0.0 0.0 | ||
| + | |||
| + | ==== automatisches Starten von Dansguardian beim Systemstart ==== | ||
| + | Damit der Dansguardian-daemon automatisch bei jedem Systemstart startet, kann die Einrichtung des Start-Scriptes über folgenden Befehl erreicht werden: | ||
| + | # chkconfig dansguardian on | ||
| + | |||
| + | Die Überprüfungung ob der Dienst (Daemons) Dansguardian wirklich bei jedem Systemstart automatisch mit gestartet wird, kann durch folgenden Befehle erreicht werden: | ||
| + | # chkconfig --list | grep dansguardian | ||
| + | | ||
| + | Wichtig sind jeweils die Schalter **on** bzw. **Ein** bei den Runleveln - **2 3 4 5**. | ||
| + | ==== Dansguardian' | ||
| + | Das **// | ||
| + | < | ||
| + | |||
| + | Usage: dansguardian [{-c ConfigFileName|-v|-P|-h|-N|-q|-s|-r|-g}] | ||
| + | -v gives the version number and build options. | ||
| + | -h gives this message. | ||
| + | -c allows you to specify a different configuration file location. | ||
| + | -N Do not go into the background. | ||
| + | -q causes DansGuardian to kill any running copy. | ||
| + | -Q kill any running copy AND start a new one with current options. | ||
| + | -s shows the parent process PID and exits. | ||
| + | -r closes all connections and reloads config files by issuing a HUP, | ||
| + | but this does not reset the maxchildren option (amongst others). | ||
| + | -g gently restarts by not closing all current connections; | ||
| + | | ||
| + | |||
| + | ==== Option -v ==== | ||
| + | Mit Hilfe der Option **-v** können wir uns die Programmversion anzeigen sowie die Option, die der Maintainer beim Erstellen des Programms mit angegeben hatte. | ||
| + | < | ||
| + | |||
| + | DansGuardian 2.10.1.1 | ||
| + | |||
| + | Built with: ' | ||
| + | ==== Option -g ==== | ||
| + | Hat man Änderungen an den Konfigurationsfiles vorgenommen so ist i.d.R. | ||
| + | # service dansguardian restart | ||
| + | Möchte man aber in einer Prodktionsumgebung mit vielen Verbindungen diese nicht unterbrechen, | ||
| + | # dansguardian -g | ||
| + | |||
| + | ===== Optimierung von Dansguardian ===== | ||
| + | ==== Anpassung Loglevel ==== | ||
| + | Nach der erfolgten Inbetriebnahme drehen wir dem Dansguardian etwas die Luft ab, was heissen will, wir lassen uns nur noch die geblockten Seiten reporten, da das Logfile ggf. etwas arg überschwemmt wird mit Informationen, | ||
| + | # vim / | ||
| + | < | ||
| + | # | ||
| + | # 0 = none 1 = just denied | ||
| + | loglevel = 1</ | ||
| + | ==== Anpassung Authentication ==== | ||
| + | Damit in den Logfiles die **User** angezeigt werden können, aktivieren wir noch die Option __**Auth plugins**__ in der Konfigurationsdatei // | ||
| + | # vim / | ||
| + | < | ||
| + | # These replace the usernameidmethod* options in previous versions. They | ||
| + | # handle the extraction of client usernames from various sources, such as | ||
| + | # Proxy-Authorisation headers and ident servers, enabling requests to be | ||
| + | # handled according to the settings of the user's filter group. | ||
| + | # Multiple plugins can be specified, and will be queried in order until one | ||
| + | # of them either finds a username or throws an error. For example, if Squid | ||
| + | # is configured with both NTLM and Basic auth enabled, and both the ' | ||
| + | # and ' | ||
| + | # NTLM can fall back to Basic without sacrificing access rights. | ||
| + | # | ||
| + | # If you do not use multiple filter groups, you need not specify this option. | ||
| + | # | ||
| + | authplugin = '/ | ||
| + | An der aktiverten **proxy-basic.conf** ist weiter nichts zu ändern. | ||
| + | < | ||
| + | # Identifies usernames in " | ||
| + | # relies upon the upstream proxy (squid) to perform the actual password check. | ||
| + | |||
| + | plugname = ' | ||
| + | Ein anschließender Restart aktiviert unsere Änderungen. | ||
| + | # service dansguardian restart | ||
| + | Somit werden nunmehr die Usernamen im Logfile mit ausgegeben und wir können später nach Bedarf, nach einzelnen Usern greppen. | ||
| + | | ||
| + | |||
| + | ==== Site-Whitelisting ==== | ||
| + | Von Haus aus, ist der „ausgelieferte“ Dansguardian doch recht aggressiv eingestellt; | ||
| + | # vim / | ||
| + | < | ||
| + | #Don't bother with the www. or | ||
| + | #the http:// | ||
| + | # | ||
| + | #These are specifically domains and are not URLs. | ||
| + | #For example ' | ||
| + | #to just have ' | ||
| + | # | ||
| + | #You can also match IPs here too. | ||
| + | # | ||
| + | #As of DansGuardian 2.7.3 you can now include | ||
| + | #.tld so for example you can match .gov for example | ||
| + | |||
| + | # Django 10.12.2009 | ||
| + | # Nutzerindividuelle Seiten | ||
| + | nausch.org | ||
| + | urlblacklist.com | ||
| + | ebay.de | ||
| + | bay.com</ | ||
| + | ==== Site-Blacklisting ==== | ||
| + | Genauso kann man natürlich auch unerwünschte Seiten komplett sperren. Hierzu bearbeiten wir die Konfigurationsdatei // | ||
| + | # vim / | ||
| + | < | ||
| + | #Don't bother with the www. or the http:// | ||
| + | |||
| + | #The bannedurllist is for blocking PART of a site | ||
| + | #The bannedsitelist is for blocking ALL of a site | ||
| + | |||
| + | #As of DansGuardian 2.7.3 you can now include | ||
| + | #.tld so for example you can match .gov for example | ||
| + | |||
| + | #The ' | ||
| + | #The ' | ||
| + | #The difference is that the ' | ||
| + | #off *all* other filtering for the match. | ||
| + | #stop the URL filtering and allow the normal filtering to work. | ||
| + | |||
| + | #An example of grey list use is when in Blanket Block (whitelist) | ||
| + | #mode and you want to allow some sites but still filter as normal | ||
| + | #on their content | ||
| + | |||
| + | #Another example of grey list use is when you ban a site but want | ||
| + | #to allow part of it. | ||
| + | |||
| + | #To include additional files in this list use this example: | ||
| + | # | ||
| + | |||
| + | #You can have multiple .Includes. | ||
| + | |||
| + | # Django 10.12.2009 | ||
| + | # Nutzerindividuelle Seiten | ||
| + | |||
| + | microsoft.com | ||
| + | cdu.de | ||
| + | csu.de | ||
| + | spd.de</ | ||
| + | ==== Host-Whitelisting ==== | ||
| + | Möchte man einen Host im Netz gänzlich von der Bewertung ausnehmen, so z.B. für die Geschäftsleitung und/oder Betriebs-/ | ||
| + | # vim / | ||
| + | < | ||
| + | # web access should not be filtered. | ||
| + | # | ||
| + | # These would be servers which | ||
| + | # need unfiltered access for | ||
| + | # updates. | ||
| + | # workstations which need to | ||
| + | # download programs and check | ||
| + | # out blocked sites should be | ||
| + | # put here. | ||
| + | # | ||
| + | # Hostnames are allowed here, provided you | ||
| + | # enable the reverseclientlookups option. | ||
| + | # | ||
| + | # This is not the IP of web servers | ||
| + | # you don't want to filter. | ||
| + | |||
| + | # | ||
| + | # | ||
| + | # | ||
| + | |||
| + | # Django 10.12.2009 | ||
| + | # BOfH's Workstation bei der Bewertung ausnehmen | ||
| + | 192.168.192.168</ | ||
| + | ==== Host-Blacklisting ==== | ||
| + | Im Gegensatz zur Vorgenannten Ausnahmeregelung kann man natürlich auch einem Host den Zugriff zum Web gänzlich blocken, hierzu trägt man dessen IP-Adresse in die Konfigurationsdatei // | ||
| + | # vim / | ||
| + | < | ||
| + | # disallow web access to. | ||
| + | # | ||
| + | # Hostnames are also allowed here, provided you | ||
| + | # enable the reverseclientlookups option. | ||
| + | # | ||
| + | # This is not the IP of web servers | ||
| + | # you want to filter. | ||
| + | |||
| + | # | ||
| + | # | ||
| + | # | ||
| + | |||
| + | # Django 10.12.2009 | ||
| + | # Workstation der Ferienwohnung komplett den Web-Zugriff sperren | ||
| + | 192.168.192.200</ | ||
| + | ==== Sperrlisten für URLS (regex) ==== | ||
| + | Über die // | ||
| + | # vim / | ||
| + | < | ||
| + | # | ||
| + | # E.g. ' | ||
| + | |||
| + | # | ||
| + | |||
| + | #Banned URLs based on Regular Expressions | ||
| + | |||
| + | ###################################################### | ||
| + | # | ||
| + | # Django 10.12.2009 | ||
| + | # SOHO-spezifische Anpassungen für nausch.org | ||
| + | # | ||
| + | ###################################################### | ||
| + | |||
| + | # Onlinegaming | ||
| + | (gladiatus|4story|gameforge|ikariam|pog.com|cracymonkeygames|poissonrouge) | ||
| + | |||
| + | # Musikmaffia | ||
| + | (musicload|musikload) | ||
| + | |||
| + | # videoportale | ||
| + | (vo.llnwd) | ||
| + | |||
| + | # Werbemüll | ||
| + | (Standardteaser|sponsorads|google-analytics) | ||
| + | |||
| + | # Schnacksl-Anbahnungsportale | ||
| + | (facebook|lokalisten|myspace|friendscout)</ | ||
| + | ==== Blacklisting von MIME-Types ==== | ||
| + | Will man bestimmte MIME-Typen generell nicht zulassen, trägt man diese in die Konfigurationsdatei // | ||
| + | # vim / | ||
| + | < | ||
| + | |||
| + | audio/mpeg | ||
| + | audio/ | ||
| + | audio/ | ||
| + | audio/x-wav | ||
| + | video/mpeg | ||
| + | video/ | ||
| + | video/ | ||
| + | video/ | ||
| + | video/ | ||
| + | video/ | ||
| + | application/ | ||
| + | application/ | ||
| + | application/ | ||
| + | application/ | ||
| + | application/ | ||
| + | application/ | ||
| + | ==== Blacklisting von Datei-Extensions ==== | ||
| + | Über die // | ||
| + | # vim / | ||
| + | < | ||
| + | |||
| + | # File extensions with executable code | ||
| + | |||
| + | # The following file extensions can contain executable code. | ||
| + | # This means they can potentially carry a virus to infect your computer. | ||
| + | |||
| + | .ade # Microsoft Access project extension | ||
| + | .adp # Microsoft Access project | ||
| + | .asx # Windows Media Audio / Video | ||
| + | .bas # Microsoft Visual Basic class module | ||
| + | .bat # Batch file | ||
| + | .cab # Windows setup file | ||
| + | .chm # Compiled HTML Help file | ||
| + | .cmd # Microsoft Windows NT Command script | ||
| + | .com # Microsoft MS-DOS program | ||
| + | .cpl # Control Panel extension | ||
| + | .crt # Security certificate | ||
| + | .dll # Windows system file | ||
| + | .exe # Program | ||
| + | .hlp # Help file | ||
| + | .ini # Windows system file | ||
| + | .hta # HTML program | ||
| + | .inf # Setup Information | ||
| + | .ins # Internet Naming Service | ||
| + | .isp # Internet Communication settings | ||
| + | # .js # JScript file - often needed in web pages | ||
| + | # .jse # Jscript Encoded Script file - often needed in web pages | ||
| + | .lnk # Windows Shortcut | ||
| + | .mda # Microsoft Access add-in program | ||
| + | .mdb # Microsoft Access program | ||
| + | .mde # Microsoft Access MDE database | ||
| + | .mdt # Microsoft Access workgroup information | ||
| + | .mdw # Microsoft Access workgroup information | ||
| + | .mdz # Microsoft Access wizard program | ||
| + | .msc # Microsoft Common Console document | ||
| + | .msi # Microsoft Windows Installer package | ||
| + | .msp # Microsoft Windows Installer patch | ||
| + | .mst # Microsoft Visual Test source files | ||
| + | .pcd # Photo CD image, Microsoft Visual compiled script | ||
| + | .pif # Shortcut to MS-DOS program | ||
| + | .prf # Microsoft Outlook profile settings | ||
| + | .reg # Windows registry entries | ||
| + | .scf # Windows Explorer command | ||
| + | .scr # Screen saver | ||
| + | .sct # Windows Script Component | ||
| + | .sh # Shell script | ||
| + | .shs # Shell Scrap object | ||
| + | .shb # Shell Scrap object | ||
| + | .sys # Windows system file | ||
| + | .url # Internet shortcut | ||
| + | .vb # VBScript file | ||
| + | .vbe # VBScript Encoded script file | ||
| + | .vbs # VBScript file | ||
| + | .vxd # Windows system file | ||
| + | .wsc # Windows Script Component | ||
| + | .wsf # Windows Script file | ||
| + | .wsh # Windows Script Host Settings file | ||
| + | .otf # Font file - can be used to instant reboot 2k and xp | ||
| + | .ops # Office XP settings | ||
| + | |||
| + | # Files which one normally things as non-executable but | ||
| + | # can contain harmful macros and viruses | ||
| + | |||
| + | .doc # Word document | ||
| + | .xls # Excel document | ||
| + | .pps | ||
| + | |||
| + | |||
| + | # Other files which may contain files with executable code | ||
| + | |||
| + | #.gz # Gziped file | ||
| + | #.tar # Tape ARchive file | ||
| + | #.zip # Windows compressed file | ||
| + | #.tgz # Unix compressed file | ||
| + | #.bz2 # Unix compressed file | ||
| + | .cdr # Mac disk image | ||
| + | .dmg # Mac disk image | ||
| + | .smi # Mac self mounting disk image | ||
| + | .sit # Mac compressed file | ||
| + | .sea # Mac compressed file, self extracting | ||
| + | .bin # Mac binary compressed file | ||
| + | .hqx # Mac binhex encoded file | ||
| + | #.rar # Similar to zip | ||
| + | |||
| + | |||
| + | # Time/ | ||
| + | |||
| + | #.mp3 # Music file | ||
| + | #.mpeg # Movie file | ||
| + | #.mpg # Movie file | ||
| + | #.avi # Movie file | ||
| + | .asf # this can also exploit a security hole allowing virus infection | ||
| + | #.iso # CD ISO image | ||
| + | #.ogg # Music file | ||
| + | .wmf # Movie file | ||
| + | .bin # CD ISO image | ||
| + | .cue # CD ISO image | ||
| + | |||
| + | # Django 10.12.2009 | ||
| + | # eigene Definitionen | ||
| + | .ani # animated cursor | ||
| + | </ | ||
| + | |||
| + | ===== Filtergruppen bei Dansguardian ===== | ||
| + | Oft ist es wünschenswert einzelen User(gruppen) bei der Bewertung der Verbindungswünsche in's WWW unterschiedlich zu behandeln. So könnten zum Beispiel Schüler und Lehrer, DAUs, Null- Halb- und Stellenleiter wie auch VIPs mit eigenen Filterregelsätzen belegt werden.\\ | ||
| + | Was zunächst kompliziert anmutet, funktioniert recht einfach und auch überschaubar.\\ | ||
| + | \\ | ||
| + | Wichtig :!: bei der ganzen Sache ist nur, den Überblick über die einzelnen Nutzergruppen nicht zu verlieren. Eine (für mich) praktikable Lösung ist das ausreichende Dokumentieren der einzelnen Gruppen und deren Konfiguration in den // | ||
| + | |||
| + | ==== dansguardian.conf ==== | ||
| + | Als erstes definieren wir wieviele Filtergruppen (max. 99) wir verwenden möchten. Diese Filergruppen **__müssen__** fortlaufend durchnummerriert werden, von **1** bis **99**. Am besten, wir hinterlegen in der Hauptkonfigurationsdatei von Dansguardian gleich den Verwendungszweck der einzelnen Nutzer - hierzu bearbeiten wir die Konfigurationsdatei // | ||
| + | # / | ||
| + | < | ||
| + | # filtergroups sets the number of filter groups. A filter group is a set of content | ||
| + | # filtering options you can apply to a group of users. | ||
| + | # DansGuardian will automatically look for dansguardianfN.conf where N is the filter | ||
| + | # group. | ||
| + | # to filter group 1. You must have some sort of authentication to be able to map users | ||
| + | # to a group. | ||
| + | # use as few as possible. | ||
| + | # Django 10.12.2009 | ||
| + | # Default: filtergroups = 1 | ||
| + | # Definition der Filtergruppen | ||
| + | # | ||
| + | # ----------------------------- | ||
| + | # Gruppe 1 = Default | ||
| + | # ----------------------------- | ||
| + | # Gruppe 2 = Default mit ByPass | ||
| + | # ----------------------------- | ||
| + | # Gruppe 3 = logging only | ||
| + | # ----------------------------- | ||
| + | # Gruppe 4 = banned useres | ||
| + | # ----------------------------- | ||
| + | # Gruppe 5 = Spezialisten | ||
| + | # ----------------------------- | ||
| + | # | ||
| + | filtergroups = 5 | ||
| + | filtergroupslist = '/ | ||
| + | |||
| + | ==== filtergroupslist ==== | ||
| + | In der Datei **filtergroupslist** geben wir nun all diejenigen Nutzer an, die nicht in der Standardgruppe bewertet werden sollen, sondern in einer der zuvor definierten Filtergruppen. Auch hier vermerken wir für später die exakten FilterGruppen, | ||
| + | # vim / | ||
| + | < | ||
| + | # | ||
| + | # Format is < | ||
| + | # | ||
| + | # Eg: | ||
| + | # daniel=filter2 | ||
| + | # | ||
| + | # This file is only of use if you have more than 1 filter group | ||
| + | # | ||
| + | # Definition der Filtergruppen | ||
| + | # | ||
| + | # ----------------------------- | ||
| + | # Gruppe 1 = Default | ||
| + | # ----------------------------- | ||
| + | # Gruppe 2 = Default mit ByPass | ||
| + | # ----------------------------- | ||
| + | # Gruppe 3 = logging only | ||
| + | # ----------------------------- | ||
| + | # Gruppe 4 = banned useres | ||
| + | # ----------------------------- | ||
| + | # Gruppe 5 = Spezialisten | ||
| + | # ----------------------------- | ||
| + | # | ||
| + | django=filter2 | ||
| + | skipper=filter3 | ||
| + | kingjulien=filter5 | ||
| + | mart=filter5</ | ||
| + | |||
| + | ==== dansguardianfn.conf ==== | ||
| + | Entsprechend unserer zuvor definierten Anzahl von Filtergruppen, | ||
| + | # cp dansguardianf1.conf dansguardianf2.conf | ||
| + | |||
| + | # cp dansguardianf1.conf dansguardianf3.conf | ||
| + | |||
| + | # cp dansguardianf1.conf dansguardianf4.conf | ||
| + | |||
| + | # cp dansguardianf1.conf dansguardianf5.conf | ||
| + | Somit befinden sich nun in unserem Konfigurationsverzeichnis folgende Dateien: | ||
| + | # ll / | ||
| + | < | ||
| + | -rw-r--r-- 1 root root 11844 16. Jan 20:30 / | ||
| + | -rw-r--r-- 1 root root 11996 16. Jan 19:57 / | ||
| + | -rw-r--r-- 1 root root 11900 16. Jan 17:24 / | ||
| + | -rw-r--r-- 1 root root 11857 16. Jan 16:56 / | ||
| + | -rw-r--r-- 1 root root 11794 16. Jan 16:47 / | ||
| + | Als kleine Hilfe bei späteren Konfigurationsarbeiten hat es sich bewährt, sich kleiner [[http:// | ||
| + | # ln -s dansguardianf1.conf default | ||
| + | |||
| + | # ln -s dansguardianf2.conf default_with_bypass | ||
| + | |||
| + | # ln -s dansguardianf3.conf logging_only | ||
| + | |||
| + | # ln -s dansguardianf4.conf banned_users | ||
| + | |||
| + | # ln -s dansguardianf5.conf specialists | ||
| + | Schon ist später klarer, wenn wir uns das Verzeichnis ansehen, welche Konfigurationsdatei für wen verwendet wird. | ||
| + | # ll / | ||
| + | < | ||
| + | lrwxrwxrwx 1 root root 19 16. Jan 17:19 default -> dansguardianf1.conf | ||
| + | lrwxrwxrwx 1 root root 19 16. Jan 17:20 default_with_bypass -> dansguardianf2.conf | ||
| + | lrwxrwxrwx 1 root root 19 16. Jan 17:21 specialists -> dansguardianf5.conf | ||
| + | lrwxrwxrwx 1 root root 19 16. Jan 17:20 logging_only -> dansguardianf3.conf</ | ||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, jeweils in der betreffenden dansguardian**// | ||
| + | ==== dansguardianf2.conf ==== | ||
| + | Die Gruppe **2** werden wir uns nun als Standardgruppe mit einer **BYPASS**-Funktion einrichten. So werden zwar weiterhin nicht erwünschte Inhalte im Web gesperrt, aber der **VIP** bekommt eine Möglichkeit, | ||
| + | |||
| + | {{ : | ||
| + | |||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der dansguardian**// | ||
| + | # vim dansguardianf2.conf | ||
| + | Es werden nachfolgend nur die **__relevanten Konfigurationsoptionen__** vermerkt :!: | ||
| + | < | ||
| + | # Django 16.01.2010 | ||
| + | # ----------------------------- | ||
| + | # Gruppe 2 = Default mit ByPass | ||
| + | # -----------------------------</ | ||
| + | < | ||
| + | # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to | ||
| + | # name the group in the access logs | ||
| + | # Defaults to empty string | ||
| + | # Django 16.01.2010 | ||
| + | # Default: #groupname = '' | ||
| + | groupname = ' | ||
| + | < | ||
| + | # This provides a link on the denied page to bypass the ban for a few minutes. | ||
| + | # secure it uses a random hashed secret generated at daemon startup. | ||
| + | # number of seconds the bypass will function for before the deny will appear again. | ||
| + | # To allow the link on the denied page to appear you will need to edit the template.html | ||
| + | # or dansguardian.pl file for your language. | ||
| + | # 300 = enable for 5 minutes | ||
| + | # 0 = disable ( defaults to 0 ) | ||
| + | # -1 = enable but you require a separate program/CGI to generate a valid link | ||
| + | # Django 16.01.2010 | ||
| + | # Default: bypass = 0 | ||
| + | bypass = 300 | ||
| + | |||
| + | # Temporary Denied Page Bypass Secret Key | ||
| + | # Rather than generating a random key you can specify one. It must be more than 8 chars. | ||
| + | # '' | ||
| + | # 'Mary had a little lamb.' = an example | ||
| + | # ' | ||
| + | bypasskey = '' | ||
| + | |||
| + | # Infection/ | ||
| + | # Similar to the ' | ||
| + | # to be infected, or files that trigger scanner errors - for example, archive types with | ||
| + | # recognised but unsupported compression schemes, or corrupt archives. | ||
| + | # The option specifies the number of seconds for which the bypass link will be valid. | ||
| + | # 300 = enable for 5 minutes | ||
| + | # 0 = disable (default) | ||
| + | # -1 = enable, but require a separate program/CGI to generate a valid link | ||
| + | infectionbypass = 0 | ||
| + | |||
| + | # Infection/ | ||
| + | # Same as the ' | ||
| + | infectionbypasskey = ''</ | ||
| + | < | ||
| + | # If defined, this specifies a custom HTML template file for members of this | ||
| + | # filter group, overriding the global setting in dansguardian.conf. This is | ||
| + | # only used in reporting level 3. | ||
| + | # | ||
| + | # The default template file path is < | ||
| + | # e.g. / | ||
| + | # language. | ||
| + | # | ||
| + | # This option generates a file path of the form: | ||
| + | # < | ||
| + | # e.g. / | ||
| + | # | ||
| + | # | ||
| + | # Django 16.01.2010 | ||
| + | # Default: # | ||
| + | htmltemplate = ' | ||
| + | === HTML Template override === | ||
| + | Damit nun, wie oben beschrieben, | ||
| + | |||
| + | Zuerst kopieren wir uns das vorhandenen Template: | ||
| + | # cp / | ||
| + | Anschließend erweitern wir dieses um die **-BYPASS-**Funktion. | ||
| + | # vim / | ||
| + | < | ||
| + | ... | ||
| + | < | ||
| + | <font size=2> | ||
| + | Zeitlich begrenzten Zugriff auf diese Seite trotzdem erm& | ||
| + | < | ||
| + | ... | ||
| + | </ | ||
| + | ==== dansguardianf3.conf ==== | ||
| + | Die Gruppe **3** legen wir uns als quasi **// | ||
| + | \\ | ||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der dansguardian**// | ||
| + | # vim dansguardianf3.conf | ||
| + | Es werden nachfolgend nur die **__relevanten Konfigurationsoptionen__** vermerkt :!: | ||
| + | < | ||
| + | # Django 16.01.2010 | ||
| + | # ----------------------------- | ||
| + | # Gruppe 3 = logging only | ||
| + | # ----------------------------- | ||
| + | |||
| + | |||
| + | # Filter group mode | ||
| + | # This option determines whether members of this group have their web access | ||
| + | # unfiltered, filtered, or banned. This mechanism replaces the " | ||
| + | # and " | ||
| + | # | ||
| + | # 0 = banned | ||
| + | # 1 = filtered | ||
| + | # 2 = unfiltered (exception) | ||
| + | # | ||
| + | # Only filter groups with a mode of 1 need to define phrase, URL, site, extension, | ||
| + | # mimetype and PICS lists; in other modes, these options are ignored to conserve | ||
| + | # memory. | ||
| + | # | ||
| + | # Defaults to 0 if unspecified. | ||
| + | # Unauthenticated users are treated as being in the first filter group. | ||
| + | # Django 16.01.2010 | ||
| + | # Default: groupmode = 1 | ||
| + | groupmode = 2 | ||
| + | |||
| + | # Filter group name | ||
| + | # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to | ||
| + | # name the group in the access logs | ||
| + | # Defaults to empty string | ||
| + | # Django 16.01.2010 | ||
| + | # Default groupname ='' | ||
| + | groupname = ' | ||
| + | ==== dansguardianf4.conf ==== | ||
| + | Im Gegensatz zur vorgenannten Möglichkeit eines **// | ||
| + | \\ | ||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der dansguardian**// | ||
| + | # vim dansguardianf4.conf | ||
| + | Es werden nachfolgend nur die **__relevanten Konfigurationsoptionen__** vermerkt :!: | ||
| + | < | ||
| + | # Django 16.01.2010 | ||
| + | # ----------------------------- | ||
| + | # Gruppe 4 = banned useres | ||
| + | # ----------------------------- | ||
| + | |||
| + | |||
| + | # Filter group mode | ||
| + | # This option determines whether members of this group have their web access | ||
| + | # unfiltered, filtered, or banned. This mechanism replaces the " | ||
| + | # and " | ||
| + | # | ||
| + | # 0 = banned | ||
| + | # 1 = filtered | ||
| + | # 2 = unfiltered (exception) | ||
| + | # | ||
| + | # Only filter groups with a mode of 1 need to define phrase, URL, site, extension, | ||
| + | # mimetype and PICS lists; in other modes, these options are ignored to conserve | ||
| + | # memory. | ||
| + | # | ||
| + | # Defaults to 0 if unspecified. | ||
| + | # Unauthenticated users are treated as being in the first filter group. | ||
| + | groupmode = 0 | ||
| + | |||
| + | # Filter group name | ||
| + | # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to | ||
| + | # name the group in the access logs | ||
| + | # Defaults to empty string | ||
| + | # Django 16.01.2010 | ||
| + | # Default: #groupname = '' | ||
| + | groupname = ' | ||
| + | |||
| + | ==== dansguardianf5.conf ==== | ||
| + | Wie eingangs bereits erwähnt, ist es oft wünschenswert einzelen User(gruppen) bei der Bewertung der Verbindungswünsche in's WWW unterschiedlich zu behandeln. So könnten zum Beispiel Schüler und Lehrer, DAUs, Null- Halb- und Stellenleiter wie auch VIPs mit eigenen Filterregelsätzen belegt werden. | ||
| + | \\ | ||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der dansguardian**// | ||
| + | # vim dansguardianf5.conf | ||
| + | Es werden nachfolgend nur die **__relevanten Konfigurationsoptionen__** vermerkt :!: | ||
| + | < | ||
| + | # Django 16.01.2010 | ||
| + | # ----------------------------- | ||
| + | # Gruppe 5 = specialists | ||
| + | # ----------------------------- | ||
| + | |||
| + | # Filter group mode | ||
| + | # This option determines whether members of this group have their web access | ||
| + | # unfiltered, filtered, or banned. This mechanism replaces the " | ||
| + | # and " | ||
| + | # | ||
| + | # 0 = banned | ||
| + | # 1 = filtered | ||
| + | # 2 = unfiltered (exception) | ||
| + | # | ||
| + | # Only filter groups with a mode of 1 need to define phrase, URL, site, extension, | ||
| + | # mimetype and PICS lists; in other modes, these options are ignored to conserve | ||
| + | # memory. | ||
| + | # | ||
| + | # Defaults to 0 if unspecified. | ||
| + | # Unauthenticated users are treated as being in the first filter group. | ||
| + | groupmode = 1 </ | ||
| + | < | ||
| + | # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to | ||
| + | # name the group in the access logs | ||
| + | # Defaults to empty string | ||
| + | # Django 16.01.2010 | ||
| + | # Default: #groupname = '' | ||
| + | groupname = ' | ||
| + | < | ||
| + | bannedphraselist = '/ | ||
| + | weightedphraselist = '/ | ||
| + | exceptionphraselist = '/ | ||
| + | bannedsitelist = '/ | ||
| + | greysitelist = '/ | ||
| + | exceptionsitelist = '/ | ||
| + | bannedurllist = '/ | ||
| + | greyurllist = '/ | ||
| + | exceptionurllist = '/ | ||
| + | exceptionregexpurllist = '/ | ||
| + | bannedregexpurllist = '/ | ||
| + | picsfile = '/ | ||
| + | contentregexplist = '/ | ||
| + | urlregexplist = '/ | ||
| + | < | ||
| + | # This the limit over which the page will be blocked. | ||
| + | # a value either positive or negative and the values added up. Phrases to do with | ||
| + | # good subjects will have negative values, and bad subjects will have positive | ||
| + | # values. | ||
| + | # As a guide: | ||
| + | # 50 is for young children, | ||
| + | # Django 10.12.2009 | ||
| + | #Default: naughtynesslimit = 50 | ||
| + | naughtynesslimit = 50</ | ||
| + | In den jeweiligen Listen: | ||
| + | * **/ | ||
| + | * **/ | ||
| + | * **/ | ||
| + | erweitern wir nun die entsprechenden gesperrten Seiten oder definieren entsprechnede Ausnahmeregelungen. | ||
| + | ===== Zeitbegrenzung bei Dansguardian ===== | ||
| + | Neben der unterschiedlichen Bewertung einzelner Benutzergruppen, | ||
| + | ==== Filtergruppe erweitern ==== | ||
| + | Als erstes erweitern wir unsere zuvor definierten [[centos: | ||
| + | # / | ||
| + | < | ||
| + | # filtergroups sets the number of filter groups. A filter group is a set of content | ||
| + | # filtering options you can apply to a group of users. | ||
| + | # DansGuardian will automatically look for dansguardianfN.conf where N is the filter | ||
| + | # group. | ||
| + | # to filter group 1. You must have some sort of authentication to be able to map users | ||
| + | # to a group. | ||
| + | # use as few as possible. | ||
| + | # Django 23.09.2010 | ||
| + | # Default: filtergroups = 1 | ||
| + | # Definition der Filtergruppen | ||
| + | # | ||
| + | # ----------------------------- | ||
| + | # Gruppe 1 = Default | ||
| + | # ----------------------------- | ||
| + | # Gruppe 2 = Default mit ByPass | ||
| + | # ----------------------------- | ||
| + | # Gruppe 3 = logging only | ||
| + | # ----------------------------- | ||
| + | # Gruppe 4 = banned useres | ||
| + | # ----------------------------- | ||
| + | # Gruppe 5 = Spezialisten | ||
| + | # ----------------------------- | ||
| + | # Gruppe 6 = Jugendschutz | ||
| + | # ----------------------------- | ||
| + | # | ||
| + | filtergroups = 6 | ||
| + | filtergroupslist = '/ | ||
| + | ==== Filtergruppe konfigurieren ==== | ||
| + | Für unsere im Beispiel genannten Gruppe // | ||
| + | |||
| + | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der Datei dansguardian**// | ||
| + | # vim dansguardianf6.conf | ||
| + | Es werden nachfolgend nur die **__relevanten Konfigurationsoptionen__** vermerkt :!: | ||
| + | < | ||
| + | # Django 23.09.2010 | ||
| + | # ------------------------------- | ||
| + | # Gruppe 6 = Jugendschutzgruppe | ||
| + | # ------------------------------- | ||
| + | |||
| + | # Filter group mode | ||
| + | # This option determines whether members of this group have their web access | ||
| + | # unfiltered, filtered, or banned. This mechanism replaces the " | ||
| + | # and " | ||
| + | # | ||
| + | # 0 = banned | ||
| + | # 1 = filtered | ||
| + | # 2 = unfiltered (exception) | ||
| + | # | ||
| + | # Only filter groups with a mode of 1 need to define phrase, URL, site, extension, | ||
| + | # mimetype and PICS lists; in other modes, these options are ignored to conserve | ||
| + | # memory. | ||
| + | # | ||
| + | # Defaults to 0 if unspecified. | ||
| + | # Unauthenticated users are treated as being in the first filter group. | ||
| + | groupmode = 1 </ | ||
| + | < | ||
| + | # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to | ||
| + | # name the group in the access logs | ||
| + | # Defaults to empty string | ||
| + | # Django 23.09.2010 | ||
| + | # Default: #groupname = '' | ||
| + | groupname = ' | ||
| + | < | ||
| + | bannedphraselist = '/ | ||
| + | weightedphraselist = '/ | ||
| + | exceptionphraselist = '/ | ||
| + | bannedsitelist = '/ | ||
| + | greysitelist = '/ | ||
| + | exceptionsitelist = '/ | ||
| + | bannedurllist = '/ | ||
| + | greyurllist = '/ | ||
| + | exceptionurllist = '/ | ||
| + | exceptionregexpurllist = '/ | ||
| + | bannedregexpurllist = '/ | ||
| + | picsfile = '/ | ||
| + | contentregexplist = '/ | ||
| + | urlregexplist = '/ | ||
| + | < | ||
| + | # This the limit over which the page will be blocked. | ||
| + | # a value either positive or negative and the values added up. Phrases to do with | ||
| + | # good subjects will have negative values, and bad subjects will have positive | ||
| + | # values. | ||
| + | # As a guide: | ||
| + | # 50 is for young children, | ||
| + | # Django 23.09.2010 | ||
| + | #Default: naughtynesslimit = 50 | ||
| + | naughtynesslimit = 100</ | ||
| + | In den jeweiligen Listen: | ||
| + | * **/ | ||
| + | * **/ | ||
| + | * **/ | ||
| + | erweitern wir nun die entsprechenden gesperrten Seiten oder definieren entsprechende Ausnahmeregelungen. | ||
| + | |||
| + | Mit Hilfe der **__Time limiting syntax__** von Dansguardian können wir nun definieren, wann eine entsprechende Konfigurationsoption aktiv sein soll. | ||
| + | < | ||
| + | # #time: <start hour> <start minute> <end hour> <end minute> < | ||
| + | # Example: | ||
| + | ##time: 9 0 17 0 01234 | ||
| + | # Remove the first # from the line above to enable this list only from | ||
| + | # 9am to 5pm, Monday to Friday.</ | ||
| + | Diese Option findet __nur__ in folgenden Konfigurationsdateien Anwendung: | ||
| + | * **/ | ||
| + | * **/ | ||
| + | * **/ | ||
| + | * **/ | ||
| + | * **/ | ||
| + | Mit Hilfe von **// | ||
| + | Wir bearbeiten nun mit dem Editor unserer Wahl die zugehörige Datei zum Blocken der Seiten. | ||
| + | # vim / | ||
| + | < | ||
| + | # | ||
| + | .Include</ | ||
| + | .Include</ | ||
| + | .Include</ | ||
| + | </ | ||
| + | In unserem Konfigurationsbeispiel möchten wir den Zugriff auf Internetseiten an folgenden Tagen und Zeiten reglementieren: | ||
| + | * **Montag bis Donnerstag**: | ||
| + | * **Freitag und Samstag**: Zugriffsmöglichkeiten von 8:00 Uhr bis 22:30 Uhr | ||
| + | * **Sonntag**: | ||
| + | Als erstes legen wir nun unsere erste Include-Datei an, die den Zeitraum von **21:30 Uhr** bis **23:59 Uhr** an den Tagen **Montag** bis **Donnerstag** und **Sonntag** abdeckt. | ||
| + | # vim / | ||
| + | Die zugehörigen benötigten Konfigurationsoptionen lauten hierzu: | ||
| + | < | ||
| + | # #time: <start hour> <start minute> <end hour> <end minute> < | ||
| + | # Example: | ||
| + | ##time: 9 0 17 0 01234 | ||
| + | # Remove the first # from the line above to enable this list only from | ||
| + | # 9am to 5pm, Monday to Friday. | ||
| + | #time: 21 30 23 59 01236 | ||
| + | |||
| + | # List categorisation | ||
| + | # | ||
| + | |||
| + | #Blanket Block. | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | ** | ||
| + | |||
| + | #Blanket SSL/CONNECT Block. | ||
| + | #and CONNECT tunnels except to addresses in the | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | **s | ||
| + | |||
| + | #Blanket IP Block. | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ip | ||
| + | |||
| + | #Blanket SSL/CONNECT IP Block. | ||
| + | #tunnels to sites specified only as an IP, | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ips</ | ||
| + | Als nächstes legen wir unsere zweite Include-Datei an, die den Zeitraum von **22:30 Uhr** bis **23:59 Uhr** an den Tagen **Freitag** und **Samstag** abdeckt. | ||
| + | # vim / | ||
| + | Die zugehörigen benötigten Konfigurationsoptionen lauten hierzu: | ||
| + | < | ||
| + | # #time: <start hour> <start minute> <end hour> <end minute> < | ||
| + | # Example: | ||
| + | ##time: 9 0 17 0 01234 | ||
| + | # Remove the first # from the line above to enable this list only from | ||
| + | # 9am to 5pm, Monday to Friday. | ||
| + | #time: 22 30 23 59 45 | ||
| + | |||
| + | # List categorisation | ||
| + | # | ||
| + | |||
| + | #Blanket Block. | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | ** | ||
| + | |||
| + | #Blanket SSL/CONNECT Block. | ||
| + | #and CONNECT tunnels except to addresses in the | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | **s | ||
| + | |||
| + | #Blanket IP Block. | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ip | ||
| + | |||
| + | #Blanket SSL/CONNECT IP Block. | ||
| + | #tunnels to sites specified only as an IP, | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ips</ | ||
| + | Abschließend definieren wir unsere dritte Include-Datei, | ||
| + | # vim / | ||
| + | Die zugehörigen benötigten Konfigurationsoptionen lauten hierzu: | ||
| + | < | ||
| + | # #time: <start hour> <start minute> <end hour> <end minute> < | ||
| + | # Example: | ||
| + | ##time: 9 0 17 0 01234 | ||
| + | # Remove the first # from the line above to enable this list only from | ||
| + | # 9am to 5pm, Monday to Friday. | ||
| + | #time: 00 00 7 59 0123456 | ||
| + | |||
| + | # List categorisation | ||
| + | # | ||
| + | |||
| + | #Blanket Block. | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | ** | ||
| + | |||
| + | #Blanket SSL/CONNECT Block. | ||
| + | #and CONNECT tunnels except to addresses in the | ||
| + | # | ||
| + | #the # from the next line to leave only a ' | ||
| + | **s | ||
| + | |||
| + | #Blanket IP Block. | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ip | ||
| + | |||
| + | #Blanket SSL/CONNECT IP Block. | ||
| + | #tunnels to sites specified only as an IP, | ||
| + | #remove the # from the next line to leave only a ' | ||
| + | *ips</ | ||
| + | |||
| + | ==== zeitgesteuerte Filtergruppen testen ==== | ||
| + | Zum Aktivieren und Testen unserer Einstellungen starten wir nun einmal unseren Dienst **dansguardian** durch. | ||
| + | # service dansguardian restart | ||
| + | Wird nun außerhalb der freigegebenen Zeit versucht eine Verbindung zu einer normalerweise zugelassenen WEB-Seite aufzubauen, wird eine entsprechende Fehlermeldung ausgegeben.\\ | ||
| + | \\ | ||
| + | {{ : | ||
| + | \\ | ||
| + | |||
| + | ==== Sperrseite anpassen ==== | ||
| + | Die Konfigrationsoptionen des oben genannten Beispiels erzeugt folgende (// | ||
| + | **Verbotene Seite: Totalsperre für Nur-IP-Adressen aktiv, diese \\ Seite ist nicht auf der Erlaubt-Liste** \\ | ||
| + | \\ | ||
| + | Zum Abändern der Rückmeldung bearbeiten wir die entsprechende Datei im Pfad // | ||
| + | # vim / | ||
| + | < | ||
| + | # | ||
| + | # Translated and adapted to Unicode by Peter Vollmar | ||
| + | |||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | |||
| + | " | ||
| + | |||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | |||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | Die entsprechende Zeile lautet:\\ | ||
| + | " | ||
| + | Anschließende starten wir den Dienst **dansguardian** einmal durch. | ||
| + | # service dansguardian restart | ||
| + | Beim erneuten Aufruf außerhalb der freigegebenen Zeit wird nun die geänderte Rückmeldung ausgegeben.\\ | ||
| + | \\ | ||
| + | {{ : | ||
| + | \\ | ||
| + | |||
| + | ===== clamd Installation und Konfiguration ===== | ||
| + | Zur weiteren Absicherung unseres HTTP-Traffics bedienen wir uns der dämonisierten Variante des Virenscanners [[http:// | ||
| + | |||
| + | ==== Installation ==== | ||
| + | Wir installieren uns hierzu den entsprechenden **daemon** via **yum**. | ||
| + | # yum install clamd clamav clamav-db | ||
| + | === Info === | ||
| + | Was uns die einzelnen Pakete liefern, entnehmen wir den jeweiligen rpm's. | ||
| + | < | ||
| + | |||
| + | Name : clamd | ||
| + | ... | ||
| + | Summary: The Clam AntiVirus Daemon | ||
| + | Description: | ||
| + | The Clam AntiVirus Daemon</ | ||
| + | |||
| + | < | ||
| + | |||
| + | |||
| + | Name : clamav | ||
| + | ... | ||
| + | Summary: Anti-virus software | ||
| + | Description: | ||
| + | Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of | ||
| + | this software is the integration with mail servers (attachment scanning). | ||
| + | The package provides a flexible and scalable multi-threaded daemon, a | ||
| + | command line scanner, and a tool for automatic updating via Internet. | ||
| + | |||
| + | The programs are based on a shared library distributed with the Clam | ||
| + | AntiVirus package, which you can use with your own software. Most | ||
| + | importantly, | ||
| + | |||
| + | < | ||
| + | |||
| + | Name : clamav-db | ||
| + | ... | ||
| + | Summary: Virus database for clamav | ||
| + | Description: | ||
| + | The actual virus database for clamav</ | ||
| + | === Programmpfade und -inhalte === | ||
| + | Über die einzelnen Dateien und Pfade der installierten Programme, informieren wir uns mittels: | ||
| + | < | ||
| + | |||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | /var/clamav | ||
| + | / | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | |||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | / | ||
| + | / | ||
| + | /var/clamav | ||
| + | / | ||
| + | / | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | ==== Konfiguration ==== | ||
| + | === clamd === | ||
| + | Die Konfigurationsdatei des ClamAV-Daemons **/ | ||
| + | Wichtig sind dabei insbesonders die drei Paramter: | ||
| + | * **User clamav** | ||
| + | * **AllowSupplementaryGroups yes** | ||
| + | * **LocalSocket / | ||
| + | In Summe ergibt sich also folgende Gesamtkonfiguration: | ||
| + | < | ||
| + | |||
| + | LogFile / | ||
| + | LogFileMaxSize 0 | ||
| + | LogTime yes | ||
| + | LogSyslog yes | ||
| + | PidFile / | ||
| + | TemporaryDirectory /var/tmp | ||
| + | DatabaseDirectory /var/clamav | ||
| + | LocalSocket / | ||
| + | FixStaleSocket yes | ||
| + | TCPSocket 3310 | ||
| + | TCPAddr 127.0.0.1 | ||
| + | MaxConnectionQueueLength 30 | ||
| + | MaxThreads 50 | ||
| + | ReadTimeout 300 | ||
| + | User clamav | ||
| + | AllowSupplementaryGroups yes | ||
| + | ScanPE yes | ||
| + | ScanELF yes | ||
| + | DetectBrokenExecutables yes | ||
| + | ScanOLE2 yes | ||
| + | ScanMail yes | ||
| + | ScanArchive yes | ||
| + | ArchiveBlockEncrypted no</ | ||
| + | Wie in der **/ | ||
| + | # # uid such as clamav, add user clamav to the amavis group, and then add | ||
| + | # # AllowSupplementaryGroups to clamd.conf;</ | ||
| + | # usermod -a -G nobody clamav | ||
| + | === erster Programmstart === | ||
| + | Nun ist es an der Zeit unseren **ClamAV**-Daemon das erste mal zu starten. | ||
| + | < | ||
| + | Starting Clam AntiVirus Daemon: LibClamAV Warning: ************************************************** | ||
| + | LibClamAV Warning: *** The virus database is older than 7 days! *** | ||
| + | LibClamAV Warning: *** | ||
| + | LibClamAV Warning: ************************************************** | ||
| + | | ||
| + | Wir müssen also unser Virendatenbank erst einmal updaten - Hierzu nutzen wir das Programm **freshclam** aus dem Paket **// | ||
| + | # service clamd stop | ||
| + | | ||
| + | === automatisches Starten des Daemon beim Systemstart === | ||
| + | Damit nun unser ClamAV-Daemon beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor. | ||
| + | # chkconfig clamd on | ||
| + | Anschließend überprüfen wir noch unsere Änderung: | ||
| + | # chkconfig --list | grep clamd | ||
| + | | ||
| + | === freshlam Konfiguration === | ||
| + | Damit [[http:// | ||
| + | \\ | ||
| + | In der Standardkonfiguration sorgt **freshclam** dafür, dass **1x am Tag** ein Update der Virenpattern-Datenbank vorgenommen wird. Bei Bedarf können wir den Updatezyklus unseren Erfordernissen anpassen und so z.B. alle Stunde überprüfen lassen ob neue Patternfiles vorhanden sind und diese dann auf unseren Rechner herunterzuladen und in die lokale Datenbak einfließen zu lassen. Hierbei stehen uns prinzipiell zwei Mechanismen zur Verfügung, die **crontab** und der **Daemon-Modus**. Beide Varianten könnten im System parallel genutzt werden - nachfolgend werden bei Möglichkeiten kurz beschrieben. | ||
| + | === Nutzung crontab === | ||
| + | Die erste und einfache Variante besteht darin das Update-Script, | ||
| + | Das Updatescript beinhaltet folgende Parameter und Aufrufe: | ||
| + | < | ||
| + | |||
| + | ### A simple update script for the clamav virus database. | ||
| + | ### This could as well be replaced by a SysV script. | ||
| + | |||
| + | ### fix log file if needed | ||
| + | LOG_FILE="/ | ||
| + | if [ ! -f " | ||
| + | touch " | ||
| + | chmod 644 " | ||
| + | chown clamav.clamav " | ||
| + | fi | ||
| + | |||
| + | / | ||
| + | --quiet \ | ||
| + | --datadir="/ | ||
| + | --log=" | ||
| + | --daemon-notify="/ | ||
| + | Wir verschieben also das Script bei Bedarf nach // | ||
| + | # mv / | ||
| + | === Nutzung Daemon-Modus === | ||
| + | Die zuvor erwähnte zweite Möglichkeit zum Updaten der Virenpattern-Datenbank ist die Nutzung des **freshclam-Daemons**, | ||
| + | |||
| + | ---- | ||
| + | **Startscript** | ||
| + | Da bei unserer Installation kein passendes Init-V-Script mitgeliefert wurde legen wir uns ein eigenes Startscript an. | ||
| + | # vim / | ||
| + | <code bash freshclamd># | ||
| + | # | ||
| + | # freshclamd | ||
| + | # | ||
| + | # chkconfig: - 62 38 | ||
| + | # description: | ||
| + | # | ||
| + | # processname: | ||
| + | # config: / | ||
| + | # pidfile: / | ||
| + | |||
| + | # Source function library | ||
| + | . / | ||
| + | |||
| + | # Get network config | ||
| + | . / | ||
| + | |||
| + | test -f / | ||
| + | |||
| + | RETVAL=0 | ||
| + | DATA_DIR="/ | ||
| + | CLAMD_CONF_FILE="/ | ||
| + | LOG_FILE="/ | ||
| + | |||
| + | if [ ! -f " | ||
| + | touch " | ||
| + | chmod 644 " | ||
| + | chown clamav.clamav " | ||
| + | fi | ||
| + | |||
| + | start() { | ||
| + | echo -n $" | ||
| + | # Start me up! | ||
| + | # | ||
| + | # | ||
| + | daemon / | ||
| + | -c 48 \ | ||
| + | --quiet \ | ||
| + | --datadir=" | ||
| + | --daemon-notify=" | ||
| + | RETVAL=$? | ||
| + | echo | ||
| + | [ $RETVAL -eq 0 ] && touch / | ||
| + | return $RETVAL | ||
| + | } | ||
| + | |||
| + | stop() { | ||
| + | echo -n $" | ||
| + | killproc freshclam | ||
| + | RETVAL=$? | ||
| + | echo | ||
| + | [ $RETVAL -eq 0 ] && rm -f / | ||
| + | return $RETVAL | ||
| + | } | ||
| + | |||
| + | restart() { | ||
| + | stop | ||
| + | start | ||
| + | } | ||
| + | |||
| + | reload() { | ||
| + | echo -n $" | ||
| + | killproc freshclam -ALRM | ||
| + | RETVAL=$? | ||
| + | echo | ||
| + | return $RETVAL | ||
| + | } | ||
| + | |||
| + | |||
| + | case " | ||
| + | start) | ||
| + | start | ||
| + | ;; | ||
| + | stop) | ||
| + | stop | ||
| + | ;; | ||
| + | status) | ||
| + | status freshclam | ||
| + | ;; | ||
| + | restart) | ||
| + | restart | ||
| + | ;; | ||
| + | condrestart) | ||
| + | [ -f / | ||
| + | ;; | ||
| + | reload) | ||
| + | reload | ||
| + | ;; | ||
| + | *) | ||
| + | echo $" | ||
| + | exit 1 | ||
| + | esac | ||
| + | |||
| + | exit $?</ | ||
| + | Anschließend passen wir noch die Dateirechte an: | ||
| + | # chmod +x / | ||
| + | |||
| + | ---- | ||
| + | **Konfiguration** | ||
| + | Wir passen nun in der Konfigurationsdatei **/// | ||
| + | < | ||
| + | |||
| + | ... | ||
| + | # Number of database checks per day. | ||
| + | # Default: 12 (every two hours) | ||
| + | # Django 17.05.2009 für halbstündlichen Virenpatterndatenbankcheck | ||
| + | Checks 48 | ||
| + | ... | ||
| + | </ | ||
| + | |||
| + | ---- | ||
| + | **erster Programmstart** | ||
| + | Unseren Updatemechanismus **freshclam-daemon** starten wir wie gewohnt mit: | ||
| + | # service freshclamd start | ||
| + | | ||
| + | Im Logfile // | ||
| + | < | ||
| + | -------------------------------------- | ||
| + | freshclam daemon 0.95.1 (OS: linux-gnu, ARCH: i386, CPU: i386) | ||
| + | ClamAV update process started at Sun May 17 22:15:13 2009 | ||
| + | Downloading main-51.cdiff [100%] | ||
| + | main.cld updated (version: 51, sigs: 545035, f-level: 42, builder: sven) | ||
| + | WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 193.27.50.222) | ||
| + | WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net | ||
| + | Trying host db.de.clamav.net (213.174.32.130)... | ||
| + | WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 213.174.32.130) | ||
| + | WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net | ||
| + | Trying host db.de.clamav.net (212.1.60.18)... | ||
| + | WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 212.1.60.18) | ||
| + | WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net | ||
| + | WARNING: Incremental update failed, trying to download daily.cvd | ||
| + | Trying host db.de.clamav.net (130.133.110.67)... | ||
| + | Downloading daily.cvd [100%] | ||
| + | daily.cvd updated (version: 9365, sigs: 5249, f-level: 42, builder: mcichosz) | ||
| + | Database updated (550284 signatures) from db.de.clamav.net (IP: 130.133.110.67) | ||
| + | --------------------------------------</ | ||
| + | |||
| + | ---- | ||
| + | **automatisches Starten des Daemon beim Systemstart** | ||
| + | Damit nun unser freshcam-Daemon beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor. | ||
| + | # chkconfig freshclamd on | ||
| + | Anschließend überprüfen wir noch unsere Änderung: | ||
| + | # chkconfig --list | grep freshclamd | ||
| + | | ||
| + | === clamav Start === | ||
| + | Da unsere Virendatenbank nun uptodate ist können wir den clamav-Daemon nun ohne Fehlermeldung starten: | ||
| + | # service clamd start | ||
| + | | ||
| + | Im Logfile **/// | ||
| + | < | ||
| + | Sun May 17 22:20:12 2009 -> clamd daemon 0.99.1 (OS: linux-gnu, ARCH: i386, CPU: i386) | ||
| + | Sun May 17 22:20:12 2009 -> Running as user clamav (UID 101, GID 105) | ||
| + | Sun May 17 22:20:12 2009 -> Log file size limit disabled. | ||
| + | Sun May 17 22:20:12 2009 -> Reading databases from /var/clamav | ||
| + | Sun May 17 22:20:12 2009 -> Not loading PUA signatures. | ||
| + | Sun May 17 22:20:13 2009 -> Loaded 549731 signatures. | ||
| + | Sun May 17 22:20:13 2009 -> TCP: Bound to address 127.0.0.1 on port 3310 | ||
| + | Sun May 17 22:20:13 2009 -> TCP: Setting connection queue length to 30 | ||
| + | Sun May 17 22:20:13 2009 -> LOCAL: Unix socket file / | ||
| + | Sun May 17 22:20:13 2009 -> LOCAL: Setting connection queue length to 30 | ||
| + | Sun May 17 22:20:13 2009 -> Limits: Global size limit set to 104857600 bytes. | ||
| + | Sun May 17 22:20:13 2009 -> Limits: File size limit set to 26214400 bytes. | ||
| + | Sun May 17 22:20:13 2009 -> Limits: Recursion level limit set to 16. | ||
| + | Sun May 17 22:20:13 2009 -> Limits: Files limit set to 10000. | ||
| + | Sun May 17 22:20:13 2009 -> Archive support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> Algorithmic detection enabled. | ||
| + | Sun May 17 22:20:13 2009 -> Portable Executable support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> ELF support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> Detection of broken executables enabled. | ||
| + | Sun May 17 22:20:13 2009 -> Mail files support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> OLE2 support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> PDF support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> HTML support enabled. | ||
| + | Sun May 17 22:20:13 2009 -> Self checking every 600 seconds. | ||
| + | </ | ||
| + | === clamscan testen === | ||
| + | Zum Schluß überprüfen wir noch, ob unser Virenscanner richtig arbeitet. Hierzu besorgen wir uns ein Virenpattern-Testfile. | ||
| + | < | ||
| + | --2009-12-11 15: | ||
| + | Auflösen des Rechnernamens »dansguardian.org«.... 89.16.172.190, | ||
| + | Verbindungsaufbau mit dansguardian.org[89.16.172.190]: | ||
| + | HTTP-Anfrage gesendet, warte auf Antwort... 200 OK | ||
| + | Länge: 68 [text/ | ||
| + | Speichere nach: »/ | ||
| + | |||
| + | 100%[===================================================================================================================> | ||
| + | |||
| + | 2009-12-11 15:33:06 (10,6 MB/s) - »/ | ||
| + | Die erhalten Eicar-Testdatei lassen wir nun von **clamscan** überprüfen. | ||
| + | < | ||
| + | Scanning / | ||
| + | / | ||
| + | |||
| + | ----------- SCAN SUMMARY ----------- | ||
| + | Known viruses: 1215262 | ||
| + | Engine version: 0.95.3 | ||
| + | Scanned directories: | ||
| + | Scanned files: 1 | ||
| + | Infected files: 1 | ||
| + | Data scanned: 0.00 MB | ||
| + | Data read: 0.00 MB (ratio 0.00:1) | ||
| + | Time: 5.402 sec (0 m 5 s)</ | ||
| + | |||
| + | |||
| + | |||
| + | ===== Virenfilterung bei Dansguardian ===== | ||
| + | Zur Aktivierung des Virenscanner beim Contentfiltern aktivieren wir nun den **clamd** in der // | ||
| + | # vim / | ||
| + | < | ||
| + | # These are plugins that scan the content of all files your browser fetches | ||
| + | # for example to AV scan. The options are limitless. | ||
| + | # DansGuardian will be plugin based. | ||
| + | # scanner. The plugins are run in the order you specify. | ||
| + | # This is one of the few places you can have multiple options of the same name. | ||
| + | # | ||
| + | # Some of the scanner(s) require 3rd party software and libraries eg clamav. | ||
| + | # See the individual plugin conf file for more options (if any). | ||
| + | # | ||
| + | #!! Not compiled !! contentscanner = '/ | ||
| + | contentscanner = '/ | ||
| + | #!! Unimplemented !! contentscanner = '/ | ||
| + | #!! Not compiled !! contentscanner = '/ | ||
| + | #!! Not compiled !! contentscanner = '/ | ||
| + | #!! Not compiled !! contentscanner = '/ | ||
| + | |||
| + | |||
| + | # File cache dir | ||
| + | # Where DG will download files to be scanned if too large for the | ||
| + | # RAM cache. | ||
| + | # Django 10.12.2009 | ||
| + | #Default: filecachedir = '/ | ||
| + | filecachedir = '/ | ||
| + | Die weitere Konfiguration findet in der oben genannten Datei // | ||
| + | # vim / | ||
| + | < | ||
| + | |||
| + | # edit this to match the location of your ClamD UNIX domain socket | ||
| + | # | ||
| + | # Django 10.12.2009 | ||
| + | #Default: # | ||
| + | clamdudsfile = '/ | ||
| + | |||
| + | |||
| + | # If this string is set, the text it contains shall be removed from the | ||
| + | # beginning of filenames when passing them to ClamD. | ||
| + | # Use it to - for example - support a ClamD running inside a chroot jail: | ||
| + | # if DG's filecachedir is set to "/ | ||
| + | # is set to "/ | ||
| + | # form "/ | ||
| + | #pathprefix = '/ | ||
| + | |||
| + | exceptionvirusmimetypelist = '/ | ||
| + | exceptionvirusextensionlist = '/ | ||
| + | exceptionvirussitelist = '/ | ||
| + | exceptionvirusurllist = '/ | ||
| + | |||