Dansguardian Version 2.10.1.1 - Installation and Configuration
For access control and content rating of the requested web pages we use the Squid proxy together with the Dansguardian content filter.
In this setup Squid and Dansguardian act as an intermediary that accepts requests on one side and then opens a connection to the target host from its own address. On the one hand this keeps the real address of the client machine completely hidden from the target host, which provides a degree of anonymity. On the other hand, the results of client requests can be cached to save bandwidth, since buffered objects do not have to be fetched again. Beyond that, this gives us the ability to:
- block unwanted sites (pornography)
- make certain content available only to certain users (multimedia content on the WWW)
- check pages for unwanted content and block them if necessary (gambling and political propaganda), or
- run a virus check on the transferred data.
If, in addition to the pure content check described in the following chapter, you also want to filter web traffic for viruses, the best approach is to install the current version of Dansguardian. For this you either use the Dansguardian sources directly or take the more convenient route of an RPM from a repository.
The most convenient option is to use Django's repository. How to add it is described in the DokuWiki under Einbinden von Djangos Repository for CentOS 5.x.
Installation
As already mentioned, the new Dansguardian version is installed most easily from an RPM with the help of a repository.
# yum install dansguardian
We can then continue straight on with the configuration and skip the manual download and installation described next.
Download
If you do not want to add Django's repository, you can also download the RPM from the repository server and install it manually. First we fetch the current version - dansguardian-2.10.1.1-1.0.el5.i386.rpm - onto our machine.
# su -
# cd /usr/local/src
# wget http://repository.nausch.org/public/dansguardian-2.10.1.1-1.0.el5.i386.rpm
Since the program does not come from a repository we already know, we also fetch the packager's public key and import it into the RPM keyring.
# rpm --import http://repository.nausch.org/public/GPG-PUB-KEY.asc
Now we can check the integrity of the downloaded RPM. Note that rpm -K only confirms that the package was signed with the key we just imported; since key and package were fetched from the same server over plain HTTP, the key's fingerprint should be compared against a copy obtained by another route before the result is trusted.
# rpm -K dansguardian-2.10.1.1-1.0.el5.i386.rpm
dansguardian-2.10.1.1-1.0.el5.i386.rpm: (sha1) dsa sha1 md5 gpg OK
YUM installation
We install the RPM downloaded above with yum as usual.
# yum install dansguardian-2.10.1.1-1.0.el5.i386.rpm
Compared to version 2.8.0.6, the dansguardian package of the current release candidate is considerably larger in scope, as a detailed look into the RPM after installation shows.
# rpm -iql dansguardian
Name        : dansguardian
Relocations : (not relocatable)
Version     : 2.10.1.1
Vendor      : Michael Nausch aka Django
Release     : 1.0.el5
Build Date  : Do 10 Dez 2009 14:23:37 CET
Install Date: Do 10 Dez 2009 14:25:11 CET
Build Host  : office.nausch.org
Group       : System Environment/Daemons
Source RPM  : dansguardian-2.10.1.1-1.0.el5.src.rpm
Size        : 1475359
License     : GPL
Signature   : DSA/SHA1, Do 10 Dez 2009 14:23:37 CET, Key ID 1f0471f12384c849
Packager    : Django <michael@nausch.org>
URL         : http://www.dansguardian.org/
Summary     : Content filtering web proxy with virusscan-support via clamd
Description :
DansGuardian is a web filtering engine that checks the content within the
page itself in addition to the more traditional URL filtering.
DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.
[... file list of the package ...]
Configuration
The configuration of our content scanner essentially takes place in the directory /etc/dansguardian.
# cd /etc/dansguardian
# ls -alF
insgesamt 120
drwxr-xr-x   6 root root  4096 11. Dez 10:02 ./
drwxr-xr-x 122 root root 12288 11. Dez 09:00 ../
drwxr-xr-x   2 root root  4096 10. Dez 15:39 authplugins/
drwxr-xr-x   2 root root  4096 10. Dez 15:42 contentscanners/
-rw-r--r--   1 root root 23111 10. Dez 22:19 dansguardian.conf
-rw-r--r--   1 root root 11635 10. Dez 15:39 dansguardianf1.conf
drwxr-xr-x   2 root root  4096 10. Dez 15:39 downloadmanagers/
drwxr-xr-x   7 root root  4096 10. Dez 22:40 lists/
The two configuration files:
- dansguardian.conf
- dansguardianf1.conf
contain the main configuration options of the filter. The further, usually highly individual, adjustments are then made in the subdirectories:
- authplugins
- contentscanners
- downloadmanagers
- lists
dansguardian.conf
The main configuration of the Dansguardian content filter/scanner is done in the file /etc/dansguardian/dansguardian.conf.
With the editor of our choice - vim - we now edit the first of the two configuration files.
# vim /etc/dansguardian/dansguardian.conf
First we adjust the localisation in the configuration file:
# language to use from languagedir.
# Django 10.12.2009
#Default: language = 'ukenglish'
language = 'german'
The settings for our network addresses and the associated ports are made in the Network Settings section.
# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128
To inform users when they request a blocked page, Dansguardian offers two ways:
dansguardian.pl
If you want to use the dansguardian reporting script, enter the location of the Perl script in the configuration file. The script then generates a block page for the user.
The corresponding entry in the configuration file is:
# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
#
# This webserver must be either:
#  1. Non-proxied. Either a machine on the local network, or listed as an exception
#     in your browser's proxy configuration.
#  2. Added to the exceptionsitelist. Option 1 is preferable; this option is
#     only for users using both transparent proxying and a non-local server
#     to host this script.
#
# Individual filter groups can override this setting in their own configuration.
#
# Django 10.12.2009
#Default: accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
accessdeniedaddress = 'http://nausch.org/cgi-bin/dansguardian.pl'
HTML status page
Alternatively there is an HTML page with the information about why the page was blocked.
For this you simply disable the option in the configuration file.
# Django 10.12.2009
#Default: accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
#accessdeniedaddress = 'http://nausch.org/cgi-bin/dansguardian.pl'
All in all, this gives the following initial overall configuration:
# egrep -v '(^.*#|^$)' /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'german'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
originalip = off
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
mailer = '/usr/sbin/sendmail -t'
dansguardianf1.conf
The further configuration of the Dansguardian content filter/scanner is done in the file /etc/dansguardian/dansguardianf1.conf.
With the editor of our choice - vim - we now edit the second of the two configuration files.
# vim /etc/dansguardian/dansguardianf1.conf
In the first step we adjust the trigger threshold of the weighted page check. With a naughtyness limit of 100 you are already in a practical range:
# Naughtyness limit
# This is the limit over which the page will be blocked. Each weighted phrase is given
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values. See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children, 100 for old children, 160 for young adults.
# Django 10.12.2009
#Default: naughtynesslimit = 50
naughtynesslimit = 100
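As an added illustration, not code from this page or from DansGuardian itself, the following Python model shows how the weighted phrase score that naughtynesslimit is compared against comes about, using the page's settings preservecase = 0 and weightedphrasemode = 2 (each phrase counted once) and the weightedphraselist entry syntax. The phrase list, its weights and the two sample pages are constructed, and the matching rules are a simplified assumption rather than DansGuardian's exact engine.

```python
import re

# Constructed sample in weightedphraselist syntax; the weights are made up.
# <phrase><weight> scores a single phrase; <a>,<b><weight> is a combination
# that only scores when every part occurs on the page.
WEIGHTED_LIST = """\
# gambling (positive = bad), offset by context that suggests a serious article
<casino><30>
<poker><20>
<free bet><40>
<bonus>,<deposit><25>
<medical>,<gambling addiction><-50>
<university><-30>
"""

# Constructed sample pages (not real sites).
SHOP_PAGE = """<html><head><title>Welcome</title></head><body>
<h1>Online Casino</h1><p>Play poker now! Claim your FREE bet and a bonus on
your first deposit. Casino games 24/7. Poker tables open.</p></body></html>"""

STUDY_PAGE = """<html><body><p>A university study on gambling addiction, published
in a medical journal, followed casino and poker players for ten years.</p></body></html>"""

_ENTRY = re.compile(r"^((?:<[^<>]+>,?)+)<(-?\d+)>$")


def parse_weighted_list(text):
    """Return [(phrases_tuple, weight), ...]; '#' lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if not match:
            raise ValueError("malformed weightedphraselist entry: %r" % line)
        phrases = tuple(re.findall(r"<([^<>]+)>", match.group(1)))
        entries.append((phrases, int(match.group(2))))
    return entries


def strip_html(html):
    """Rough stand-in for the 'smart' pass of phrasefiltermode: drop tags and
    collapse whitespace so a phrase spanning a line break still matches."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]*>", " ", html)).strip()


def score_page(body, entries, preservecase=0, weightedphrasemode=2):
    """Add up the weights of matching entries.
    preservecase = 0 lowercases page and phrases before matching.
    weightedphrasemode 1 counts every occurrence, mode 2 counts each entry once;
    for a combination in mode 1 the rarest part bounds the count (a simplification)."""
    text = strip_html(body)
    if not preservecase:
        text = text.lower()
    total, hits = 0, []
    for phrases, weight in entries:
        counts = [text.count(p if preservecase else p.lower()) for p in phrases]
        if min(counts) == 0:          # phrase absent, or combination incomplete
            continue
        times = 1 if weightedphrasemode == 2 else min(counts)
        total += weight * times
        hits.append((",".join(phrases), weight * times))
    return total, hits


def decide(body, entries, naughtynesslimit=100, **settings):
    """Return (blocked, score, hits); the page is blocked once the score
    exceeds naughtynesslimit, as the config comment above describes."""
    score, hits = score_page(body, entries, **settings)
    return score > naughtynesslimit, score, hits


if __name__ == "__main__":
    entries = parse_weighted_list(WEIGHTED_LIST)
    for name, page in (("shop page", SHOP_PAGE), ("study page", STUDY_PAGE)):
        for limit in (50, 100, 160):      # the three guide values from the config
            for mode in (2, 1):
                blocked, score, hits = decide(page, entries, naughtynesslimit=limit,
                                              weightedphrasemode=mode)
                print("%-10s limit=%3d mode=%d score=%4d -> %s %s"
                      % (name, limit, mode, score, "BLOCK" if blocked else "allow", hits))
```

The shop page scores 115 with each phrase counted once (blocked at 100, allowed at 160) but 165 when every occurrence counts, while the negative context phrases pull the study page down to -30 despite "casino" and "poker" appearing on it.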
All in all, this gives the following initial overall configuration:
# egrep -v '(^.*#|^$)' /etc/dansguardian/dansguardianf1.conf
groupmode = 1
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
blockdownloads = off
exceptionextensionlist = '/etc/dansguardian/lists/exceptionextensionlist'
exceptionmimetypelist = '/etc/dansguardian/lists/exceptionmimetypelist'
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/lists/bannedmimetypelist'
exceptionfilesitelist = '/etc/dansguardian/lists/exceptionfilesitelist'
exceptionfileurllist = '/etc/dansguardian/lists/exceptionfileurllist'
headerregexplist = '/etc/dansguardian/lists/headerregexplist'
bannedregexpheaderlist = '/etc/dansguardian/lists/bannedregexpheaderlist'
naughtynesslimit = 100
categorydisplaythreshold = 0
embeddedurlweight = 0
enablepics = off
bypass = 0
bypasskey = ''
infectionbypass = 0
infectionbypasskey = ''
infectionbypasserrorsonly = on
disablecontentscan = off
deepurlanalysis = off
usesmtp = off
mailfrom = ''
avadmin = ''
contentadmin = ''
avsubject = 'dansguardian virus block'
contentsubject = 'dansguardian violation'
notifyav = off
notifycontent = off
thresholdbyuser = off
violations = 0
threshold = 0
authplugins
If you do not use authentication in the Squid proxy, as described in the chapter Konfiguration des Proxy's, Dansguardian itself offers a choice of plugins. The configuration files are located under /etc/dansguardian/authplugins.
# ll /etc/dansguardian/authplugins
total 16
-rw-r--r-- 1 root root 104 Dec  9 16:05 ident.conf
-rw-r--r-- 1 root root 323 Dec  9 16:05 ip.conf
-rw-r--r-- 1 root root 195 Dec  9 16:05 proxy-basic.conf
-rw-r--r-- 1 root root 257 Dec  9 16:05 proxy-digest.conf
contentscanners
The content virus scanner is configured in the file /etc/dansguardian/contentscanners/clamdscan.conf. Since the maintainer compiled in clamd support when building the RPM, the configuration file is named clamdscan.conf.
plugname = 'clamdscan'

# edit this to match the location of your ClamD UNIX domain socket
#clamdudsfile = '/var/run/clamav/clamd.sock'

# If this string is set, the text it contains shall be removed from the
# beginning of filenames when passing them to ClamD.
# Use it to - for example - support a ClamD running inside a chroot jail:
# if DG's filecachedir is set to "/var/clamdchroot/downloads/" and pathprefix
# is set to "/var/clamdchroot", then file names given to ClamD will be of the
# form "/downloads/tf*" instead of "/var/clamdchroot/downloads/tf*".
#pathprefix = '/var/clamdchroot'

exceptionvirusmimetypelist = '/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/dansguardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/lists/contentscanners/exceptionvirusurllist'
The adjustment(s) to this configuration file are made in the following chapter Virenfilterung bei Dansguardian.
downloadmanagers
The download manager is defined and configured in the directory /etc/dansguardian/downloadmanagers/.
# ls -alf
total 8
-rw-r--r-- 1 root root  539 Dec  9 16:05 default.conf
-rw-r--r-- 1 root root 2003 Dec  9 16:05 fancy.conf
default.conf
# vim /etc/dansguardian/downloadmanagers/default.conf
# The default download manager.
# This is the safest option for unknown user-agents and content types, and
# hence a good one to include last.

# Which plugin should be loaded?
plugname = 'default'

# Regular expression for matching user agents
# When not defined, matches all agents.
#useragentregexp = '.*'

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#managedmimetypelist = ''
#managedextensionlist = ''
fancy.conf
# vim /etc/dansguardian/downloadmanagers/fancy.conf
# The 'fancy' download manager.
# This outputs a Javascript progress bar to the browser when a file is taking
# a long time to download, and hence is unsuitable for browsers without
# javascript support; also you may wish to enable it only for types/extensions
# that are usually downloaded individually, rather than embedded in a web page,
# such as executables and archives.

# Which plugin should be loaded?
plugname = 'fancy'

# Regular expression for matching user agents
# When not defined, matches all agents.
#
# 'mozilla' also matches firefox, IE, etc.
useragentregexp = 'mozilla'

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#managedmimetypelist = '/etc/dansguardian/lists/downloadmanagers/managedmimetypelist'
managedextensionlist = '/etc/dansguardian/lists/downloadmanagers/managedextensionlist'

# HTML/JavaScript Template
# The contents of this file determine what is presented to the user during
# and after downloading/scanning. It is essentially an HTML file, but must
# define certain JavaScript functions - called at various stages during
# the process - allowing the page to be modified to reflect current progress.
# This option generates a path of the form <languagedir>/<language>/<template>
template = 'fancydmtemplate.html'

# Maximum download size
# When a file with unknown content length gets handled by the fancy DM,
# something must be done in the case that the file is found to be too large
# to scan (i.e. larger than maxcontentfilecachescansize).
# As of 2.9.7.0, a warning will be issued to the user that the fancy DM may
# not be able to cache the entire file, and the file will continue to be
# downloaded to disk (but not scanned) until it reaches this size, at which
# point the user will simply have to re-download the file (the URL won't be
# scanned again).
# The size is in kibibytes (i.e. 10240 = 10Mb)
maxdownloadsize = 80000
lists
The fine-grained, per-user configuration of our Dansguardian is done via several black- and/or whitelists. These are located in the directory /etc/dansguardian/lists.
# ll /etc/dansguardian/lists/
total 152
drwxr-xr-x 2 root root 4096 Dec 9 16:11 authplugins
-rw-r--r-- 1 root root 4949 Dec 9 16:05 bannedextensionlist
-rw-r--r-- 1 root root 500 Dec 9 16:05 bannediplist
-rw-r--r-- 1 root root 284 Dec 9 16:05 bannedmimetypelist
-rw-r--r-- 1 root root 1958 Dec 9 16:05 bannedphraselist
-rw-r--r-- 1 root root 321 Dec 9 16:05 bannedregexpheaderlist
-rw-r--r-- 1 root root 5229 Dec 9 16:05 bannedregexpurllist
-rw-r--r-- 1 root root 4986 Dec 9 16:05 bannedsitelist
-rw-r--r-- 1 root root 2640 Dec 9 16:05 bannedurllist
drwxr-xr-x 3 root root 4096 Dec 9 16:05 blacklists
-rw-r--r-- 1 root root 4979 Dec 9 16:05 contentregexplist
drwxr-xr-x 2 root root 4096 Dec 9 16:11 contentscanners
drwxr-xr-x 2 root root 4096 Dec 9 16:11 downloadmanagers
-rw-r--r-- 1 root root 480 Dec 9 16:05 exceptionextensionlist
-rw-r--r-- 1 root root 912 Dec 9 16:05 exceptionfilesitelist
-rw-r--r-- 1 root root 834 Dec 9 16:05 exceptionfileurllist
-rw-r--r-- 1 root root 708 Dec 9 16:05 exceptioniplist
-rw-r--r-- 1 root root 653 Dec 9 16:05 exceptionmimetypelist
-rw-r--r-- 1 root root 538 Dec 9 16:05 exceptionphraselist
-rw-r--r-- 1 root root 208 Dec 9 16:05 exceptionregexpurllist
-rw-r--r-- 1 root root 1275 Dec 9 16:05 exceptionsitelist
-rw-r--r-- 1 root root 361 Dec 9 16:05 exceptionurllist
-rw-r--r-- 1 root root 194 Dec 9 16:05 filtergroupslist
-rw-r--r-- 1 root root 1910 Dec 9 16:05 greysitelist
-rw-r--r-- 1 root root 902 Dec 9 16:05 greyurllist
-rw-r--r-- 1 root root 520 Dec 9 16:05 headerregexplist
-rw-r--r-- 1 root root 623 Dec 9 16:05 logregexpurllist
-rw-r--r-- 1 root root 596 Dec 9 16:05 logsitelist
-rw-r--r-- 1 root root 591 Dec 9 16:05 logurllist
drwxr-xr-x 36 root root 4096 Dec 9 16:05 phraselists
-rw-r--r-- 1 root root 2743 Dec 9 16:05 pics
-rw-r--r-- 1 root root 2887 Dec 9 16:05 urlregexplist
-rw-r--r-- 1 root root 6437 Dec 9 16:05 weightedphraselist
Individual special files are covered in the chapter Optimising Dansguardian.
Starting Dansguardian
Now we start our new dansguardian service for the first time:
# service dansguardian start
Web Content Filter (dansguardian) starten: [ OK ]
The successful start is documented accordingly in the syslog:
Dec 11 12:38:43 office dansguardian[5191]: Started sucessfully.
Our Dansguardian daemon now listens on port 8080, which we can verify with netstat:
# netstat -tulpen | grep dansguardian
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 99 15535 5191/dansguardian
In the process list we also see the Dansguardian processes that were started:
# ps aux | grep dansguardian
nobody 5191 0.0 0.5 17612 12232 ? Ss 12:38 0:00 dansguardian
nobody 5192 0.0 0.5 17616 12176 ? S 12:38 0:00 dansguardian
nobody 5193 0.0 0.5 18592 12056 ? S 12:38 0:00 dansguardian
nobody 5194 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5195 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5196 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5197 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5198 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5199 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5201 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
nobody 5202 0.0 0.5 17612 12068 ? S 12:38 0:00 dansguardian
root 5212 0.0 0.0 3940 736 pts/1 S+ 12:43 0:00 grep dansguardian
Starting Dansguardian automatically at boot
So that the Dansguardian daemon starts automatically at every system boot, the start script can be set up with the following command:
# chkconfig dansguardian on
Whether the Dansguardian service (daemon) really is started automatically at every system boot can be checked with the following command:
# chkconfig --list | grep dansguardian
dansguardian 0:Aus 1:Aus 2:Ein 3:Ein 4:Ein 5:Ein 6:Aus
What matters are the switches on (shown as Ein) for runlevels 2, 3, 4 and 5.
Dansguardian's start options
The Dansguardian binary comes with a few useful start options out of the box. Calling dansguardian with the -h option shows us which these are.
# dansguardian -h
Usage: dansguardian [{-c ConfigFileName|-v|-P|-h|-N|-q|-s|-r|-g}]
-v gives the version number and build options.
-h gives this message.
-c allows you to specify a different configuration file location.
-N Do not go into the background.
-q causes DansGuardian to kill any running copy.
-Q kill any running copy AND start a new one with current options.
-s shows the parent process PID and exits.
-r closes all connections and reloads config files by issuing a HUP,
   but this does not reset the maxchildren option (amongst others).
-g gently restarts by not closing all current connections; only reloads
   filter group config files. (Issues a USR1)
Option -v
With the -v option we can display the program version as well as the options the maintainer specified when building the program.
# dansguardian -v
DansGuardian 2.10.1.1
Built with: '--bindir=/usr/sbin/' '--prefix=/usr/' '--mandir=/usr/share/doc/' '--datadir=/usr/share/' '--sysconfdir=/etc/' '--with-proxyuser=nobody' '--with-proxygroup=nobody' '--with-logdir=/var/log/dansguardian' '--enable-orig-ip' '--enable-trickledm' '--enable-clamd' '--enable-email' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'
Option -g
If changes have been made to the configuration files, a restart of the daemon is usually necessary.
# service dansguardian restart
But if, in a production environment with many connections, we do not want to interrupt them and only want to re-read the rule set, we use the -g option:
# dansguardian -g
Optimising Dansguardian
Adjusting the log level
After commissioning we throttle Dansguardian a little, meaning we only have the blocked pages reported, since the log file would otherwise be flooded with information that does not interest us anyway.
# vim /etc/dansguardian/dansguardian.conf
# Logging Settings
#
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 1
Adjusting authentication
So that users can be shown in the log files, we also enable the Auth plugins option in the configuration file /etc/dansguardian/dansguardian.conf.
# vim /etc/dansguardian/dansguardian.conf
# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic'
# and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
Nothing further needs to be changed in the activated proxy-basic.conf.
# Proxy-Basic auth plugin
# Identifies usernames in "Proxy-Authorization: Basic" headers;
# relies upon the upstream proxy (squid) to perform the actual password check.
plugname = 'proxy-basic'
A subsequent restart activates our changes.
# service dansguardian restart
The usernames are now written to the log file as well, so we can later grep for individual users as needed.
2009.12.12 15:08:21 django 192.168.10.40 http://stationdata.wunderground.com/cgi-bin/stationlookup?station=IBAYERNP4&r=1260626901099 *SCANNED* GET 1471 0 1 200 text/xml -
Site whitelisting
Out of the box, the Dansguardian "as delivered" is configured rather aggressively, i.e. many sites that are actually wanted get blocked. To allow these sites we edit the configuration file /etc/dansguardian/lists/exceptionsitelist for the exception sites.
# vim /etc/dansguardian/lists/exceptionsitelist
#Sites in exception list
#Don't bother with the www. or
#the http://
#
#These are specifically domains and are not URLs.
#For example 'foo.bar/porn/' is no good, you need
#to just have 'foo.bar'.
#
#You can also match IPs here too.
#
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example
# Django 10.12.2009
# User-specific sites
nausch.org
urlblacklist.com
ebay.de
bay.com
Site blacklisting
In the same way, unwanted sites can of course be blocked completely. For this we edit the configuration file /etc/dansguardian/lists/bannedsitelist for these sites.
# vim /etc/dansguardian/lists/bannedsitelist
#domains in banned list
#Don't bother with the www. or the http://
#The bannedurllist is for blocking PART of a site
#The bannedsitelist is for blocking ALL of a site
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example
#The 'grey' lists override the 'banned' lists.
#The 'exception' lists override the 'banned' lists also.
#The difference is that the 'exception' lists completely switch
#off *all* other filtering for the match. 'grey' lists only
#stop the URL filtering and allow the normal filtering to work.
#An example of grey list use is when in Blanket Block (whitelist)
#mode and you want to allow some sites but still filter as normal
#on their content
#Another example of grey list use is when you ban a site but want
#to allow part of it.
#To include additional files in this list use this example:
#.Include</etc/dansguardian/anotherbannedurllist>
#You can have multiple .Includes.
# Django 10.12.2009
# User-specific sites
microsoft.com
cdu.de
csu.de
spd.de
Host whitelisting
If you want to exempt a host on the network entirely from filtering, e.g. for the management and/or the works or staff council, you enter the IP addresses of these hosts in the configuration file /etc/dansguardian/lists/exceptioniplist.
# vim /etc/dansguardian/lists/exceptioniplist
# IP addresses of computers from which
# web access should not be filtered.
#
# These would be servers which
# need unfiltered access for
# updates. Also administrator
# workstations which need to
# download programs and check
# out blocked sites should be
# put here.
#
# Hostnames are allowed here, provided you
# enable the reverseclientlookups option.
#
# This is not the IP of web servers
# you don't want to filter.
#192.168.0.1
#192.168.0.2
#192.168.42.2
# Django 10.12.2009
# Exempt the BOfH's workstation from filtering
192.168.192.168
Host blacklisting
In contrast to the exception rule above, a host can of course also be blocked from web access entirely; for this you enter its IP address in the configuration file /etc/dansguardian/lists/bannediplist.
# vim /etc/dansguardian/lists/bannediplist
# IP addresses of client machines to
# disallow web access to.
#
# Hostnames are also allowed here, provided you
# enable the reverseclientlookups option.
#
# This is not the IP of web servers
# you want to filter.
#192.168.0.1
#192.168.0.2
#192.168.42.2
# Django 10.12.2009
# Block all web access for the holiday flat's workstation
192.168.192.200
Block lists for URLs (regex)
Via /etc/dansguardian/lists/bannedregexpurllist we have the option of blocking individual pages by their URL, or by parts of a URL. For this we use suitable regular expressions to define the URLs we want to block:
# vim /etc/dansguardian/lists/bannedregexpurllist
#Banned URLs based on Regular Expressions
#
# E.g. 'sex' would block sex.com and middlesex.com etc
#listcategory: "Banned Regular Expression URLs"
#Banned URLs based on Regular Expressions
######################################################
#
# Django 10.12.2009
# SOHO-specific adjustments for nausch.org
#
######################################################
# Online gaming
(gladiatus|4story|gameforge|ikariam|pog.com|cracymonkeygames|poissonrouge)
# Music mafia
(musicload|musikload)
# Video portals
(vo.llnwd)
# Advertising junk
(Standardteaser|sponsorads|google-analytics)
# Dating portals
(facebook|lokalisten|myspace|friendscout)
Blacklisting MIME types
If certain MIME types are not to be allowed at all, they are entered in the configuration file /etc/dansguardian/lists/bannedmimetypelist.
# vim /etc/dansguardian/lists/bannedmimetypelist
# banned MIME types
audio/mpeg
audio/x-mpeg
audio/x-pn-realaudio
audio/x-wav
video/mpeg
video/x-mpeg2
video/acorn-replay
video/quicktime
video/x-msvideo
video/msvideo
application/gzip
application/x-gzip
application/zip
application/compress
application/x-compress
application/java-vm
Blacklisting file extensions
Via /etc/dansguardian/lists/bannedextensionlist we then configure, if required, which file extensions we generally allow and which we want to block:
# vim /etc/dansguardian/lists/bannedextensionlist
#Banned extension list
# File extensions with executable code
# The following file extensions can contain executable code.
# This means they can potentially carry a virus to infect your computer.
.ade # Microsoft Access project extension
.adp # Microsoft Access project
.asx # Windows Media Audio / Video
.bas # Microsoft Visual Basic class module
.bat # Batch file
.cab # Windows setup file
.chm # Compiled HTML Help file
.cmd # Microsoft Windows NT Command script
.com # Microsoft MS-DOS program
.cpl # Control Panel extension
.crt # Security certificate
.dll # Windows system file
.exe # Program
.hlp # Help file
.ini # Windows system file
.hta # HTML program
.inf # Setup Information
.ins # Internet Naming Service
.isp # Internet Communication settings
# .js # JScript file - often needed in web pages
# .jse # Jscript Encoded Script file - often needed in web pages
.lnk # Windows Shortcut
.mda # Microsoft Access add-in program
.mdb # Microsoft Access program
.mde # Microsoft Access MDE database
.mdt # Microsoft Access workgroup information
.mdw # Microsoft Access workgroup information
.mdz # Microsoft Access wizard program
.msc # Microsoft Common Console document
.msi # Microsoft Windows Installer package
.msp # Microsoft Windows Installer patch
.mst # Microsoft Visual Test source files
.pcd # Photo CD image, Microsoft Visual compiled script
.pif # Shortcut to MS-DOS program
.prf # Microsoft Outlook profile settings
.reg # Windows registry entries
.scf # Windows Explorer command
.scr # Screen saver
.sct # Windows Script Component
.sh # Shell script
.shs # Shell Scrap object
.shb # Shell Scrap object
.sys # Windows system file
.url # Internet shortcut
.vb # VBScript file
.vbe # VBScript Encoded script file
.vbs # VBScript file
.vxd # Windows system file
.wsc # Windows Script Component
.wsf # Windows Script file
.wsh # Windows Script Host Settings file
.otf # Font file - can be used to instant reboot 2k and xp
.ops # Office XP settings
# Files which one normally thinks of as non-executable but
# can contain harmful macros and viruses
.doc # Word document
.xls # Excel document
.pps
# Other files which may contain files with executable code
#.gz # Gziped file
#.tar # Tape ARchive file
#.zip # Windows compressed file
#.tgz # Unix compressed file
#.bz2 # Unix compressed file
.cdr # Mac disk image
.dmg # Mac disk image
.smi # Mac self mounting disk image
.sit # Mac compressed file
.sea # Mac compressed file, self extracting
.bin # Mac binary compressed file
.hqx # Mac binhex encoded file
#.rar # Similar to zip
# Time/bandwidth wasting files
#.mp3 # Music file
#.mpeg # Movie file
#.mpg # Movie file
#.avi # Movie file
.asf # this can also exploit a security hole allowing virus infection
#.iso # CD ISO image
#.ogg # Music file
.wmf # Movie file
.bin # CD ISO image
.cue # CD ISO image
# Django 10.12.2009
# own definitions
.ani # animated cursor
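Before reloading the daemon it is useful to dry-run a list change against a few requests. The following script is an added example, not code from the wiki page or from DansGuardian: it models the evaluation order the list-file comments above describe (IP exception and ban lists, then site lists where 'exception' overrides 'banned', then the regexp URL, extension and MIME type lists). The list contents are constructed from this page's examples; phrase filtering is not modelled, so a request no list decides is returned as FILTER.

```python
"""Dry-run of DansGuardian's list precedence for a single request.

Constructed example, not DansGuardian's own code: it models the order in
which the list files above are consulted so that a list edit can be checked
before the daemon is reloaded.  Phrase/weighted filtering is not modelled.
"""
import re
from urllib.parse import urlsplit

# Constructed list contents in the format of /etc/dansguardian/lists/*
# (one entry per line, '#' starts a comment, trailing comments allowed).
EXCEPTION_IP = "# BOfH workstation\n192.168.192.168\n"
BANNED_IP = "192.168.192.200\n"
EXCEPTION_SITE = "nausch.org\nurlblacklist.com\nebay.de\n"
BANNED_SITE = "microsoft.com\n.xxx  # a .tld entry (allowed since 2.7.3)\n"
BANNED_REGEXP_URL = "(facebook|lokalisten|myspace|friendscout)\n(musicload|musikload)\n"
BANNED_EXTENSION = ".exe # Program\n.vbs # VBScript file\n# .js # often needed in web pages\n"
BANNED_MIME = "audio/mpeg\napplication/zip\n"


def parse_list(text):
    """Active entries of a list file: blank lines and comments are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def site_matches(host, entries):
    """Site lists hold domains, not URLs: an entry matches the host itself and
    every subdomain of it; an entry such as '.gov' matches a whole TLD."""
    host = host.lower()
    if host.startswith("www."):        # 'Don't bother with the www.'
        host = host[4:]
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


def evaluate(client_ip, url, mime_type, lists):
    """Return (verdict, reason) for one request.  mime_type is the type the
    server is expected to answer with (the MIME list is checked on the reply)."""
    if client_ip in lists["exceptioniplist"]:
        return "ALLOW", "exceptioniplist: client is never filtered"
    if client_ip in lists["bannediplist"]:
        return "DENY", "bannediplist: client has no web access"
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if site_matches(host, lists["exceptionsitelist"]):
        return "ALLOW", "exceptionsitelist: all filtering switched off for this site"
    if site_matches(host, lists["bannedsitelist"]):
        return "DENY", "bannedsitelist: the whole site is banned"
    for pattern in lists["bannedregexpurllist"]:
        # regexps match anywhere in the URL: 'sex' also hits middlesex.com
        if re.search(pattern, url, re.IGNORECASE):
            return "DENY", "bannedregexpurllist: matched %r" % pattern
    for ext in lists["bannedextensionlist"]:
        if parts.path.lower().endswith(ext.lower()):
            return "DENY", "bannedextensionlist: %s" % ext
    if mime_type and mime_type.lower() in [m.lower() for m in lists["bannedmimetypelist"]]:
        return "DENY", "bannedmimetypelist: %s" % mime_type
    return "FILTER", "no list matched; phrase filtering applies as usual"


LISTS = {
    "exceptioniplist": parse_list(EXCEPTION_IP),
    "bannediplist": parse_list(BANNED_IP),
    "exceptionsitelist": parse_list(EXCEPTION_SITE),
    "bannedsitelist": parse_list(BANNED_SITE),
    "bannedregexpurllist": parse_list(BANNED_REGEXP_URL),
    "bannedextensionlist": parse_list(BANNED_EXTENSION),
    "bannedmimetypelist": parse_list(BANNED_MIME),
}


def dry_run(client_ip, url, mime_type=None):
    """Evaluate a request against the constructed lists above."""
    return evaluate(client_ip, url, mime_type, LISTS)


if __name__ == "__main__":
    for ip, url, mime in [
        ("192.168.192.168", "http://www.facebook.com/", "text/html"),
        ("192.168.10.40", "http://www.nausch.org/wiki", "text/html"),
        ("192.168.10.40", "http://download.microsoft.com/setup.exe", None),
        ("192.168.10.40", "http://example.org/setup.EXE", None),
        ("192.168.10.40", "http://example.org/song", "audio/mpeg"),
        ("192.168.10.40", "http://example.org/index.html", "text/html"),
    ]:
        print("%-16s %-42s %s (%s)" % ((ip, url) + dry_run(ip, url, mime)))
```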
Filter groups in Dansguardian
It is often desirable to treat individual users (or user groups) differently when evaluating their connection requests to the WWW. For example, pupils and teachers, clueless users, managers of every rank and half-rank, as well as VIPs could each be given their own filter rule sets.
What at first seems complicated actually works quite simply and remains manageable.
The only important thing is not to lose track of the individual user groups. A solution that works (for me) is to document the individual groups and their configuration sufficiently in the configuration files in the directory /etc/dansguardian.
dansguardian.conf
First we define how many filter groups (max. 99) we want to use. These filter groups must be numbered consecutively, from 1 to 99. It is best to record the purpose of each group right in Dansguardian's main configuration file; for this we edit the configuration file /etc/dansguardian/dansguardian.conf with our favourite editor.
# /etc/dansguardian/dansguardian.conf
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users. The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group. To assign users to groups use the filtergroupslist option. All users default
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group. The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
# Django 10.12.2009
# Default: filtergroups = 1
# Definition of the filter groups
#
# -----------------------------
# Group 1 = Default
# -----------------------------
# Group 2 = Default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = Specialists
# -----------------------------
#
filtergroups = 5
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
filtergroupslist
In the file filtergroupslist we now specify all users who are not to be evaluated in the default group but in one of the previously defined filter groups. Here too we note the exact filter groups for later, so that we have the groups and their purpose at hand without having to look them up.
# vim /etc/dansguardian/lists/filtergroupslist
# Filter Groups List file for DansGuardian
#
# Format is <user>=filter<1-9> where 1-9 are the groups
#
# Eg:
# daniel=filter2
#
# This file is only of use if you have more than 1 filter group
#
# Definition of the filter groups
#
# -----------------------------
# Group 1 = Default
# -----------------------------
# Group 2 = Default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = Specialists
# -----------------------------
#
django=filter2
skipper=filter3
kingjulien=filter5
mart=filter5
dansguardianfn.conf
According to the number of filter groups defined above, we now multiply the corresponding fn configuration files:
# cp dansguardianf1.conf dansguardianf2.conf
# cp dansguardianf1.conf dansguardianf3.conf
# cp dansguardianf1.conf dansguardianf4.conf
# cp dansguardianf1.conf dansguardianf5.conf
Our configuration directory now contains the following files:
# ll /etc/dansguardian/dans*
-rw-r--r-- 1 root root 24029 16. Jan 16:57 /etc/dansguardian/dansguardian.conf
-rw-r--r-- 1 root root 11844 16. Jan 20:30 /etc/dansguardian/dansguardianf1.conf
-rw-r--r-- 1 root root 11996 16. Jan 19:57 /etc/dansguardian/dansguardianf2.conf
-rw-r--r-- 1 root root 11900 16. Jan 17:24 /etc/dansguardian/dansguardianf3.conf
-rw-r--r-- 1 root root 11857 16. Jan 16:56 /etc/dansguardian/dansguardianf4.conf
-rw-r--r-- 1 root root 11794 16. Jan 16:47 /etc/dansguardian/dansguardianf5.conf
As a small aid for later configuration work, it has proven useful to employ little mnemonics, because the question quickly arises which configuration file was which and which group it belongs to. We simply create a few symbolic links with meaningful names, and it is immediately clear which configuration file is used for which purpose.
# ln -s dansguardianf1.conf default
# ln -s dansguardianf2.conf default_with_bypass
# ln -s dansguardianf3.conf logging_only
# ln -s dansguardianf4.conf banned_users
# ln -s dansguardianf5.conf specialists
Later, when we look at the directory, it is clearer which configuration file is used for whom.
# ll /etc/dansguardian | grep lrwxrwxrwx
lrwxrwxrwx 1 root root 19 16. Jan 17:19 banned_users -> dansguardianf4.conf
lrwxrwxrwx 1 root root 19 16. Jan 17:19 default -> dansguardianf1.conf
lrwxrwxrwx 1 root root 19 16. Jan 17:20 default_with_bypass -> dansguardianf2.conf
lrwxrwxrwx 1 root root 19 16. Jan 17:21 specialists -> dansguardianf5.conf
lrwxrwxrwx 1 root root 19 16. Jan 17:20 logging_only -> dansguardianf3.conf
The actual changes from the default configuration are now made in the respective dansguardianfn.conf.
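With several groups it is easy to end up with a user mapped to a group that does not exist, a missing fn file, or a copied fn file that never sets groupmode (which, as the fn.conf comments state, defaults to 0 = banned). The following consistency check is an added example, not code from the wiki page or from DansGuardian; the sample file contents are constructed from the values used on this page.

```python
"""Consistency check for a DansGuardian filter-group setup.

Constructed example, not part of the wiki page or of DansGuardian itself.  It
parses the active 'key = value' lines of dansguardian.conf, the user=filterN
entries of filtergroupslist and the groupmode of every dansguardianfN.conf,
and reports the mismatches that are easy to produce when groups are added by
hand.
"""
import re

GROUP_ENTRY = re.compile(r"^([^#=\s]+)\s*=\s*filter(\d+)$")
MAX_GROUPS = 99          # upper limit stated on the page


def parse_conf(text):
    """Active options of a dansguardian*.conf as a dict; commented-out lines
    such as '# Default: filtergroups = 1' are ignored, quotes are stripped."""
    opts = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        opts[key.strip()] = value.strip().strip("'")
    return opts


def parse_group_list(text):
    """Entries of filtergroupslist in the form user=filterN -> {user: N}."""
    users = {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        m = GROUP_ENTRY.match(stripped)
        if not m:
            raise ValueError("unparseable filtergroupslist entry: %r" % line)
        users[m.group(1)] = int(m.group(2))
    return users


def check_setup(main_conf, group_list, group_confs):
    """main_conf and group_list are file contents; group_confs maps N to the
    contents of dansguardianfN.conf.  Returns a list of problems (empty = ok)."""
    problems = []
    main = parse_conf(main_conf)
    n = int(main.get("filtergroups", "1"))
    if not 1 <= n <= MAX_GROUPS:
        problems.append("filtergroups = %d is outside 1..%d" % (n, MAX_GROUPS))
    for g in range(1, n + 1):
        if g not in group_confs:
            problems.append("dansguardianf%d.conf is missing" % g)
            continue
        mode = parse_conf(group_confs[g]).get("groupmode")
        if mode is None:
            # groupmode 'Defaults to 0 if unspecified': the whole group would be banned
            problems.append("dansguardianf%d.conf sets no groupmode (defaults to 0 = banned)" % g)
        elif mode not in ("0", "1", "2"):
            problems.append("dansguardianf%d.conf has an invalid groupmode %r" % (g, mode))
    for user, g in parse_group_list(group_list).items():
        if g > n:
            problems.append("%s is mapped to filter%d, but filtergroups = %d" % (user, g, n))
    if n > 1 and not main.get("authplugin"):
        # without an auth plugin no user can be mapped; everyone lands in group 1
        problems.append("several filter groups but no authplugin configured")
    return problems


# Constructed sample contents, built from the values used on this page.
MAIN_CONF = """
# Default: filtergroups = 1
filtergroups = 5
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
"""
GROUP_LIST = """
# Format is <user>=filter<1-9> where 1-9 are the groups
django=filter2
skipper=filter3
kingjulien=filter5
mart=filter5
"""
GROUP_CONFS = {
    1: "groupmode = 1\n",
    2: "groupmode = 1\ngroupname = 'VIPs'\nbypass = 300\n",
    3: "groupmode = 2\ngroupname = 'logging_users'\n",
    4: "groupmode = 0\ngroupname = 'banned_users'\n",
    5: "groupmode = 1\ngroupname = 'specialists'\n",
}

if __name__ == "__main__":
    for problem in check_setup(MAIN_CONF, GROUP_LIST, GROUP_CONFS) or ["setup is consistent"]:
        print(problem)
```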
dansguardianf2.conf
We will now set up group 2 as a default group with a BYPASS function. Unwanted web content is still blocked, but the VIP gets the option of visiting the blocked page temporarily anyway. For this, a corresponding notice is inserted into the block page:
Allow time-limited access to this page anyway? [YES/no]
The actual changes from the default configuration are now made in dansguardianf2.conf.
# vim dansguardianf2.conf
Only the relevant configuration options are noted below.
# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 2 = Default with bypass
# -----------------------------

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'VIPs'
# Temporary Denied Page Bypass
# This provides a link on the denied page to bypass the ban for a few minutes. To be
# secure it uses a random hashed secret generated at daemon startup. You define the
# number of seconds the bypass will function for before the deny will appear again.
# To allow the link on the denied page to appear you will need to edit the template.html
# or dansguardian.pl file for your language.
# 300 = enable for 5 minutes
# 0 = disable ( defaults to 0 )
# -1 = enable but you require a separate program/CGI to generate a valid link
# Django 16.01.2010
# Default: bypass = 0
bypass = 300
# Temporary Denied Page Bypass Secret Key
# Rather than generating a random key you can specify one. It must be more than 8 chars.
# '' = generate a random one (recommended and default)
# 'Mary had a little lamb.' = an example
# '76b42abc1cd0fdcaf6e943dcbc93b826' = an example
bypasskey = ''
# Infection/Scan Error Bypass
# Similar to the 'bypass' setting, but specifically for bypassing files scanned and found
# to be infected, or files that trigger scanner errors - for example, archive types with
# recognised but unsupported compression schemes, or corrupt archives.
# The option specifies the number of seconds for which the bypass link will be valid.
# 300 = enable for 5 minutes
# 0 = disable (default)
# -1 = enable, but require a separate program/CGI to generate a valid link
infectionbypass = 0
# Infection/Scan Error Bypass Secret Key
# Same as the 'bypasskey' option, but used for infection bypass mode.
infectionbypasskey = ''
# HTML Template override
# If defined, this specifies a custom HTML template file for members of this
# filter group, overriding the global setting in dansguardian.conf. This is
# only used in reporting level 3.
#
# The default template file path is <languagedir>/<language>/template.html
# e.g. /usr/share/dansguardian/languages/ukenglish/template.html when using 'ukenglish'
# language.
#
# This option generates a file path of the form:
# <languagedir>/<language>/<htmltemplate>
# e.g. /usr/share/dansguardian/languages/ukenglish/custom.html
#
#htmltemplate = 'custom.html'
# Django 16.01.2010
# Default: #htmltemplate = 'custom.html'
htmltemplate = 'bypasstemplate.html'
HTML Template override
So that the user, as described above, is offered this special/exception rule on the block page, we still have to adapt our HTML template a little.
First we copy the existing template:
# cp /usr/share/dansguardian/languages/german/template.html /usr/share/dansguardian/languages/german/bypasstemplate.html
Then we extend it with the -BYPASS- function.
# vim /usr/share/dansguardian/languages/german/bypasstemplate.html
...
<br><br>
<font size=2>
Zeitlich begrenzten Zugriff auf diese Seite trotzdem ermöglichen? [<a href="-BYPASS-">JA</a>/nein]
<br><br><br><br>
...
dansguardianf3.conf
We set up group 3 as a quasi whitelist, since the users of this group are not to be filtered at all, only logged.
The actual changes from the default configuration are now made in dansguardianf3.conf.
# vim dansguardianf3.conf
Only the relevant configuration options are noted below.
# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 3 = logging only
# -----------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
# Django 16.01.2010
# Default: groupmode = 1
groupmode = 2

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default groupname =''
groupname = 'logging_users'
dansguardianf4.conf
In contrast to the whitelisting option above, we set up group 4 as a quasi blacklist, so that individual users can immediately be stripped of their permission to surf the web when needed. All we then need to do is move the user in question to group 4 in /etc/dansguardian/lists/filtergroupslist.
The actual changes from the default configuration are now made in dansguardianf4.conf.
# vim dansguardianf4.conf
Only the relevant configuration options are noted below.
# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 4 = banned users
# -----------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 0

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'banned_users'
dansguardianf5.conf
As mentioned at the beginning, it is often desirable to treat individual users (or user groups) differently when evaluating their connection requests to the WWW. For example, pupils and teachers, clueless users, managers of every rank and half-rank, as well as VIPs could each be given their own filter rule sets.
The actual changes from the default configuration are now made in dansguardianf5.conf.
# vim dansguardianf5.conf
Only the relevant configuration options are noted below.
# DansGuardian filter group config file for version 2.10.1.1
# Django 16.01.2010
# -----------------------------
# Group 5 = specialists
# -----------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 1

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 16.01.2010
# Default: #groupname = ''
groupname = 'specialists'

# Content filtering files location
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist_f5'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist_f5'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist_f5'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'

# Naughtyness limit
# This the limit over which the page will be blocked. Each weighted phrase is given
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values. See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children, 100 for old children, 160 for young adults.
# Django 10.12.2009
#Default: naughtynesslimit = 50
naughtynesslimit = 50
In the respective lists:
- /etc/dansguardian/lists/bannedsitelist_f5
- /etc/dansguardian/lists/exceptionsitelist_f5
- /etc/dansguardian/lists/bannedregexpurllist_f5
we now add the corresponding blocked sites or define the corresponding exception rules.
Time restrictions in Dansguardian
In addition to evaluating individual user groups differently, in the next step we will also enable a time restriction. This lets us, for example, allow individual target sites only outside business hours, or define a time window for children and adolescents in which internet access is generally possible or generally blocked.
Filtergruppe erweitern
Als erstes erweitern wir unsere zuvor definierten Filtergruppen. Wir definieren also die nächste fortlaufende Filergruppen und benutzen die nächste Nummer, in unserem Falle also die Gruppe 6. Wie schon zuvor hinterlegen wir in der Hauptkonfigurationsdatei von Dansguardian gleich den Verwendungszweck der einzelnen Nutzer. Dazu bearbeiten wir die Konfigurationsdatei /etc/dansguardian/dansguardian.conf mit unserem Lieblingseditor.
# /etc/dansguardian/dansguardian.conf
# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users. The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group. To assign users to groups use the filtergroupslist option. All users default
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group. The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
# Django 23.09.2010
# Default: filtergroups = 1
# Definition of the filter groups
#
# -----------------------------
# Group 1 = Default
# -----------------------------
# Group 2 = Default with bypass
# -----------------------------
# Group 3 = logging only
# -----------------------------
# Group 4 = banned users
# -----------------------------
# Group 5 = specialists
# -----------------------------
# Group 6 = youth protection
# -----------------------------
#
filtergroups = 6
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
Configuring the filter group
For the group of adolescents in our example, who are to get Internet access only at certain times and on certain days, we configure a group of their own, exactly as described earlier in the chapter Filter groups in DansGuardian.
The actual changes from the default configuration are made in the file dansguardianf6.conf.
# vim dansguardianf6.conf
Only the relevant configuration options are listed below.
# DansGuardian filter group config file for version 2.10.1.1
# Django 23.09.2010
# -------------------------------
# Group 6 = youth protection group
# -------------------------------

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 1

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
# Django 23.09.2010
# Default: #groupname = ''
groupname = 'Jugendliche'

# Content filtering files location
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist_f6'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist_f6'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist_f6'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'

# Naughtyness limit
# This is the limit over which the page will be blocked. Each weighted phrase is given
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values. See the weightedphraselist file for examples.
# As a guide:
# 50 is for young children, 100 for old children, 160 for young adults.
# Django 23.09.2010
#Default: naughtynesslimit = 50
naughtynesslimit = 100
In the respective lists:
- /etc/dansguardian/lists/bannedsitelist_f6
- /etc/dansguardian/lists/exceptionsitelist_f6
- /etc/dansguardian/lists/bannedregexpurllist_f6
we now add the sites to be blocked or define the corresponding exceptions.
With DansGuardian's time limiting syntax we can now define when a given list is to be active. A list that carries a #time: line is consulted only inside that window; outside it, the list is treated as if it were empty.
# Time limiting syntax:
#
#time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
This option is honoured only in the following list files:
- /etc/dansguardian/lists/greysitelist
- /etc/dansguardian/lists/exceptionfilesitelist
- /etc/dansguardian/lists/bannedsitelist
- /etc/dansguardian/lists/exceptionfileurllist
- /etc/dansguardian/lists/exceptionsitelist
Using includes we now pull additional list files into the banned site list of our group 6, each of which covers one of the special time windows.
We edit the file for blocking sites with the editor of our choice.
# vim /etc/dansguardian/lists/bannedsitelist_f6
#To include additional files in this list use this example:
#.Include</etc/dansguardian/anotherbannedurllist>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_1>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_2>
.Include</etc/dansguardian/lists/bannedsitelist_f6_denied_time_3>
In our configuration example we want to restrict access to web sites on the following days and at the following times:
- Monday to Thursday: access possible from 08:00 to 21:30
- Friday and Saturday: access possible from 08:00 to 22:30
- Sunday: access possible from 08:00 to 21:30
First we create the first include file, which covers the period from 21:30 to 23:59 on Monday to Thursday and on Sunday. Each include file is a complete banned site list of its own with a blanket block (**) that applies only inside its time window; the **s, *ip and *ips entries are enabled as well so that the block also covers HTTPS CONNECT tunnels and hosts addressed by bare IP, which would otherwise slip past a name-based blanket block.
# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_1
The required configuration options are:
# Time limiting syntax:
#
#time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 21 30 23 59 01236

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block. To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block. To block all SSL
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block. To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block. To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips
Next we create the second include file, which covers the period from 22:30 to 23:59 on Friday and Saturday.
# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_2
The required configuration options are:
# Time limiting syntax:
#
#time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 22 30 23 59 45

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block. To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block. To block all SSL
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block. To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block. To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips
Finally we define the third include file, which covers the period from 00:00 to 07:59 on every day of the week.
# vim /etc/dansguardian/lists/bannedsitelist_f6_denied_time_3
The required configuration options are:
# Time limiting syntax:
#
#time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
#time: 00 00 7 59 0123456

# List categorisation
#listcategory: "Banned Sites"

#Blanket Block. To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
**

#Blanket SSL/CONNECT Block. To block all SSL
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
**s

#Blanket IP Block. To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*ip

#Blanket SSL/CONNECT IP Block. To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
*ips
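Before restarting the service it pays to check that the three #time: windows really add up to the schedule listed above, because a wrong day digit or an off-by-one minute silently opens or closes access and nothing in the logs says why. The following Python script is an added example and not part of the original page or of DansGuardian; it models the time limiting syntax and the three include files just created (embedded below as constructed copies of the relevant lines only). Two assumptions are built in: the day digits count Monday as 0 up to Sunday as 6, as the upstream comment "01234 = Monday to Friday" implies, and both ends of a window are inclusive.

```python
"""Offline evaluator for DansGuardian '#time:' limited banned site lists.

Added example, not DansGuardian code. Assumptions: day digits 0..6 are
Monday..Sunday (matches the '01234 = Monday to Friday' comment in the
list files) and both ends of a window are inclusive.
"""
import re
from datetime import datetime, time

TIME_RE = re.compile(r"^#time:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-6]+)\s*$")

# Constructed copies of the three include files: the #time: line and the
# blanket block entry are all that matters for the schedule.
INCLUDES = {
    "bannedsitelist_f6_denied_time_1": "#time: 21 30 23 59 01236\n**\n**s\n",
    "bannedsitelist_f6_denied_time_2": "#time: 22 30 23 59 45\n**\n**s\n",
    "bannedsitelist_f6_denied_time_3": "#time: 00 00 7 59 0123456\n**\n**s\n",
}


def parse_time_limit(text):
    """Return (start, end, days) from the first '#time:' line, or None when the
    list has no time limit (DansGuardian then treats it as always active)."""
    for line in text.splitlines():
        m = TIME_RE.match(line.strip())
        if m:
            sh, sm, eh, em, days = m.groups()
            start, end = time(int(sh), int(sm)), time(int(eh), int(em))
            if end < start:
                raise ValueError("end before start in %r" % line)
            return start, end, set(int(d) for d in days)
    return None


def has_blanket_block(text):
    """True if the list blocks everything not on the exception/grey lists."""
    return any(l.strip() == "**" for l in text.splitlines())


def _as_datetime(when):
    # Accept "YYYY-MM-DD HH:MM" strings as well as datetime objects.
    return when if isinstance(when, datetime) else datetime.strptime(when, "%Y-%m-%d %H:%M")


def is_active(limit, when):
    """Whether a list with this limit is consulted at the given moment."""
    if limit is None:
        return True
    start, end, days = limit
    when = _as_datetime(when)
    if when.weekday() not in days:     # datetime.weekday(): Monday == 0
        return False
    return start <= when.time() <= end


def blocked_at(when, includes=INCLUDES):
    """Names of the include files whose blanket block applies at 'when'."""
    return sorted(name for name, text in includes.items()
                  if has_blanket_block(text) and is_active(parse_time_limit(text), when))


def access_allowed(when, includes=INCLUDES):
    """Access is open only if no time-limited blanket block is active."""
    return not blocked_at(when, includes)


if __name__ == "__main__":
    for moment in ("2010-09-27 12:00", "2010-09-27 21:31", "2010-10-01 22:00",
                   "2010-10-03 21:45", "2010-10-02 07:59"):
        print(moment, "allowed" if access_allowed(moment) else "blocked by %s" % blocked_at(moment))
```

The dates in the usage block are a Monday, a Friday, a Sunday and a Saturday in the week after the configuration date noted in the file headers; extend the list whenever you change a window. Note that the inclusive end means 21:30 itself is already blocked on weekdays, so the last minute of access is 21:29.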
Testing time-controlled filter groups
To activate and test our settings we restart the dansguardian service; DansGuardian reads its lists at start-up, so edits to list files do not take effect before a restart or a list reload.
# service dansguardian restart
If a connection to a normally permitted web site is now attempted outside the permitted time, a corresponding error message is shown.
Customising the block page
The configuration options of the example above produce the following (original) error message:
Verbotene Seite: Totalsperre für Nur-IP-Adressen aktiv, diese
Seite ist nicht auf der Erlaubt-Liste
(in English: "Banned site: blanket block for IP-only addresses active, this site is not on the allow list"). To change the message we edit the corresponding file under /usr/share/dansguardian/languages/german/.
# vim /usr/share/dansguardian/languages/german/messages
# DansGuardian 2.10 messages file in German
#
# Translated and adapted to Unicode by Peter Vollmar
"1","Zugriff verweigert"
"100","Ihre Arbeitsstation hat keine Erlaubnis zum Surfen auf: "
"101","Ihre Arbeitsstation hat keine Erlaubnis zum Surfen"
"102","Ihr Benutzername hat keine Erlaubnis zum Surfen auf: "
"200","Die angeforderte URL ist ungültig"
"300","Verbotener Ausdruck gefunden: "
"301","Verbotener Ausdruck gefunden"
"400","Verbotene Kombination von Ausdrücken gefunden: "
"401","Verbotene Kombination von Ausdrücken gefunden"
"402","Gewichtete Ausdrucksbeschränkung von "
"403","Gewichtete Ausdrucksbeschränkung überschritten"
"500","Verbotene Seite: "
"501","Verbotene URL: "
"502","Totalsperre aktiv, keine Ausnahmeregelung definiert und aktiv"
"503","Aufgrund von regulären Ausdrücken verbotene URL: "
"504","Aufgrund von regulären Ausdrücken verbotene URL gefunden"
"505","Totalsperre für IP-Adressen aktiv, diese Adresse ist nur eine IP."
"600","Übereinstimmung mit Client-IP in Ausnahmeliste"
"601","Übereinstimmung mit Client-Benutzer in Ausnahmeliste"
"602","Übereinstimmung mit Seite in Ausnahmeliste"
"603","Übereinstimmung mit URL in Ausnahmeliste"
"604","Ausnahme-Ausdruck gefunden: "
"605","Kombination von Ausnahme-Ausdrücken gefunden: "
"606","Umgehungs-URL gefunden"
"607","Umgehungs-Cookie gefunden"
"608","Scan bypass URL exception."
"609","Exception regular expression URL match: "
"700","Web-Upload verboten"
"701","Web-Upload-Schwellwert erreicht"
"800","Verbotener MIME-Typ: "
"900","Verbotene Datei-Erweiterung: "
"1000","PICS-Kennzeichnungsschwellwert überschritten"
"1100","Virus or bad content detected."
"1101","Advert blocked"
"1200","Please wait - downloading to be scanned..."
"1210","Download Complete. Starting scan..."
"1220","Scan complete.</p><p>Click here to download: "
"1230","File no longer available"
The block page is assembled from entry 500 (the "Verbotene Seite: " prefix) and the reason text; for a blanket block the relevant line is:
"502","Totalsperre aktiv, keine Ausnahmeregelung definiert und aktiv"
Afterwards we restart the dansguardian service once more, since the language file is also read only at start-up.
# service dansguardian restart
When the page is requested again outside the permitted time, the changed message is now shown.
clamd installation and configuration
To further secure our HTTP traffic we use the daemonised variant of the virus scanner Clam AntiVirus.
Installation
We install the daemon and its signature database via yum.
# yum install clamd clamav clamav-db
Info
What the individual packages provide can be read from the respective RPMs.
yum info clamd
Name       : clamd
...
Summary    : The Clam AntiVirus Daemon
Description: The Clam AntiVirus Daemon
yum info clamav
Name       : clamav
...
Summary    : Anti-virus software
Description: Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
           : this software is the integration with mail servers (attachment scanning).
           : The package provides a flexible and scalable multi-threaded daemon, a
           : command line scanner, and a tool for automatic updating via Internet.
           : The programs are based on a shared library distributed with the Clam
           : AntiVirus package, which you can use with your own software. Most
           : importantly, the virus database is kept up to date
yum info clamav-db
Name       : clamav-db
...
Summary    : Virus database for clamav
Description: The actual virus database for clamav
Program paths and contents
We learn about the individual files and paths of the installed programs with:
rpm -ql clamd
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/sbin/clamd
/usr/share/doc/clamd-0.94.1
/usr/share/doc/clamd-0.94.1/clamd.conf
/usr/share/doc/clamd-0.94.1/clamdwatch
/usr/share/doc/clamd-0.94.1/clamdwatch/clamdwatch.tar.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/run/clamav
rpm -ql clamav
/etc/freshclam.conf
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib/libclamav.so.5
/usr/lib/libclamav.so.5.0.3
/usr/lib/libclamunrar.so.5
/usr/lib/libclamunrar.so.5.0.3
/usr/lib/libclamunrar_iface.so.5
/usr/lib/libclamunrar_iface.so.5.0.3
/usr/share/doc/clamav-0.94.1
/usr/share/doc/clamav-0.94.1/AUTHORS
/usr/share/doc/clamav-0.94.1/BUGS
/usr/share/doc/clamav-0.94.1/COPYING
/usr/share/doc/clamav-0.94.1/ChangeLog
/usr/share/doc/clamav-0.94.1/FAQ
/usr/share/doc/clamav-0.94.1/INSTALL
/usr/share/doc/clamav-0.94.1/NEWS
/usr/share/doc/clamav-0.94.1/README
/usr/share/doc/clamav-0.94.1/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.94.1/clamdoc.pdf
/usr/share/doc/clamav-0.94.1/freshclam.conf
/usr/share/doc/clamav-0.94.1/phishsigs_howto.pdf
/usr/share/doc/clamav-0.94.1/signatures.pdf
/usr/share/doc/clamav-0.94.1/test
/usr/share/doc/clamav-0.94.1/test/.split
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipab
/usr/share/doc/clamav-0.94.1/test/Makefile
/usr/share/doc/clamav-0.94.1/test/Makefile.am
/usr/share/doc/clamav-0.94.1/test/Makefile.in
/usr/share/doc/clamav-0.94.1/test/README
/usr/share/doc/clamav-0.94.1/test/clam-aspack.exe
/usr/share/doc/clamav-0.94.1/test/clam-fsg.exe
/usr/share/doc/clamav-0.94.1/test/clam-mew.exe
/usr/share/doc/clamav-0.94.1/test/clam-nsis.exe
/usr/share/doc/clamav-0.94.1/test/clam-pespin.exe
/usr/share/doc/clamav-0.94.1/test/clam-petite.exe
/usr/share/doc/clamav-0.94.1/test/clam-upack.exe
/usr/share/doc/clamav-0.94.1/test/clam-upx.exe
/usr/share/doc/clamav-0.94.1/test/clam-v2.rar
/usr/share/doc/clamav-0.94.1/test/clam-v3.rar
/usr/share/doc/clamav-0.94.1/test/clam-wwpack.exe
/usr/share/doc/clamav-0.94.1/test/clam.arj
/usr/share/doc/clamav-0.94.1/test/clam.bz2.zip
/usr/share/doc/clamav-0.94.1/test/clam.cab
/usr/share/doc/clamav-0.94.1/test/clam.chm
/usr/share/doc/clamav-0.94.1/test/clam.d64.zip
/usr/share/doc/clamav-0.94.1/test/clam.ea05.exe
/usr/share/doc/clamav-0.94.1/test/clam.ea06.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe.binhex
/usr/share/doc/clamav-0.94.1/test/clam.exe.bz2
/usr/share/doc/clamav-0.94.1/test/clam.exe.html
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.base64
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.uu
/usr/share/doc/clamav-0.94.1/test/clam.exe.rtf
/usr/share/doc/clamav-0.94.1/test/clam.exe.szdd
/usr/share/doc/clamav-0.94.1/test/clam.impl.zip
/usr/share/doc/clamav-0.94.1/test/clam.mail
/usr/share/doc/clamav-0.94.1/test/clam.ole.doc
/usr/share/doc/clamav-0.94.1/test/clam.pdf
/usr/share/doc/clamav-0.94.1/test/clam.ppt
/usr/share/doc/clamav-0.94.1/test/clam.sis
/usr/share/doc/clamav-0.94.1/test/clam.tar.gz
/usr/share/doc/clamav-0.94.1/test/clam.tnef
/usr/share/doc/clamav-0.94.1/test/clam.zip
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
rpm -ql clamav-db
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
Configuration
clamd
We adapt the ClamAV daemon's configuration file /etc/clamd.conf to our environment. Three parameters are particularly important:
- User clamav
- AllowSupplementaryGroups yes
- LocalSocket /tmp/clamd.socket
Note that /tmp is world-writable, so any local user can pre-create a file or socket under that name; a directory owned by the clamav user, such as /var/run/clamav which the clamd package already creates, is the safer place for LocalSocket. Whichever path you choose, the same path has to be entered later in DansGuardian's clamdscan.conf.
Altogether, this results in the following configuration:
egrep -v '(^.*#|^$)' /etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
clamd opens the files it is asked to scan itself, so it needs read access to whatever DansGuardian writes to its file cache. The note in /etc/amavisd.conf describes the same situation for amavisd:
# NOTE: run clamd under the same user as amavisd, or run it under its own
#   uid such as clamav, add user clamav to the amavis group, and then add
#   AllowSupplementaryGroups to clamd.conf;
Following the same pattern, we add the user clamav to the group nobody, the group under whose privileges the DansGuardian daemon runs. AllowSupplementaryGroups yes in clamd.conf is what makes clamd keep that extra group after dropping privileges; the change takes effect the next time clamd is started.
# usermod -a -G nobody clamav
First start
Now it is time to start our ClamAV daemon for the first time.
# service clamd start
Starting Clam AntiVirus Daemon: LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
                                                           [  OK  ]
So we first have to update our virus database, using the freshclam program from the clamav package. We stop the daemon for now and continue with the installation and configuration of the remaining steps.
# service clamd stop
Stopping Clam AntiVirus Daemon:                            [  OK  ]
Starting the daemon automatically at boot
So that our ClamAV daemon is started automatically at boot, we carry out the following configuration step.
# chkconfig clamd on
Then we verify our change:
# chkconfig --list | grep clamd
clamd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
freshclam configuration
So that ClamAV is always supplied with current virus signatures, the freshclam program from the clamav package is at our disposal.
In the default configuration freshclam updates the signature database once a day. If required we can adapt the update cycle to our needs and, for example, check every hour whether new signature files are available, download them and merge them into the local database. Two mechanisms are available for this: crontab and daemon mode. Both could run side by side on the system, but one is enough; both are briefly described below.
Using crontab
The first and simplest variant is to move the update script, which is installed by default as /etc/cron.daily/freshclam, to /etc/cron.hourly/. The update script contains the following parameters and calls:
#!/bin/sh
### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"
If required, we therefore move the script to /etc/cron.hourly/.
# mv /etc/cron.daily/freshclam /etc/cron.hourly/
Using daemon mode
The second way of updating the signature database mentioned above is the freshclam daemon, which runs in the background and regularly queries the signature servers.
Start script
Since our installation did not ship a matching SysV init script, we create our own start script.
# vim /etc/init.d/freshclamd
- freshclamd
#!/bin/sh
#
# freshclamd   Init script to start/stop the freshclam update daemon.
#
# chkconfig: - 62 38
# description: freshclam is an update daemon for the Clam AV database.
#
# processname: freshclam
# config: /etc/freshclam.conf
# pidfile: /var/run/clamav/freshclam.pid

# Source function library
. /etc/init.d/functions

# Get network config
. /etc/sysconfig/network

test -f /etc/freshclam.conf || exit 0

RETVAL=0
DATA_DIR="/var/clamav"
CLAMD_CONF_FILE="/etc/clamd.conf"
LOG_FILE="/var/log/clamav/freshclam.log"
PID_FILE="/var/run/clamav/freshclam.pid"
# The lock file must carry the script's own name (freshclamd); the rc system
# only runs "stop" at shutdown for services whose lock file matches the script name.
LOCK_FILE="/var/lock/subsys/freshclamd"

if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

start() {
    echo -n $"Starting freshclam: "
    # -c 48 on the command line takes precedence over "Checks" in
    # /etc/freshclam.conf; keep the two values in sync.
    # --log="$LOG_FILE" \
    # --log-verbose \
    daemon /usr/bin/freshclam -d -p "$PID_FILE" \
        -c 48 \
        --quiet \
        --datadir="$DATA_DIR" \
        --daemon-notify="$CLAMD_CONF_FILE"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch "$LOCK_FILE"
    return $RETVAL
}

stop() {
    echo -n $"Stopping freshclam: "
    killproc freshclam
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "$PID_FILE" "$LOCK_FILE"
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading DB: "
    killproc freshclam -ALRM
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status freshclam
    ;;
  restart)
    restart
    ;;
  condrestart)
    [ -f "$LOCK_FILE" ] && restart || :
    ;;
  reload)
    reload
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
    exit 1
esac
exit $?
Then we adjust the file permissions so the script is executable:
# chmod +x /etc/init.d/freshclamd
Configuration
In the configuration file /etc/freshclam.conf we now set the update interval to our liking.
# vim /etc/freshclam.conf
...
# Number of database checks per day.
# Default: 12 (every two hours)
# Django 17.05.2009 for a half-hourly check of the virus signature database
Checks 48
...
First start
We start our update mechanism, the freshclam daemon, as usual with:
# service freshclamd start
Starting freshclam:                                        [  OK  ]
The program run is documented in the log file /var/log/clamav/freshclam.log:
# tail -f /var/log/clamav/freshclam.log
--------------------------------------
freshclam daemon 0.95.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Sun May 17 22:15:13 2009
Downloading main-51.cdiff [100%]
main.cld updated (version: 51, sigs: 545035, f-level: 42, builder: sven)
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 193.27.50.222)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
Trying host db.de.clamav.net (213.174.32.130)...
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 213.174.32.130)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
Trying host db.de.clamav.net (212.1.60.18)...
WARNING: getfile: daily-9214.cdiff not found on remote server (IP: 212.1.60.18)
WARNING: getpatch: Can't download daily-9214.cdiff from db.de.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.de.clamav.net (130.133.110.67)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 9365, sigs: 5249, f-level: 42, builder: mcichosz)
Database updated (550284 signatures) from db.de.clamav.net (IP: 130.133.110.67)
--------------------------------------
The warnings about missing cdiff files are harmless: when the incremental patch chain cannot be completed, freshclam falls back to downloading the full daily.cvd, as the last lines show.
Starting the daemon automatically at boot
So that our freshclam daemon is started automatically at boot, we carry out the following configuration step.
# chkconfig freshclamd on
Then we verify our change:
# chkconfig --list | grep freshclamd
freshclamd      0:off   1:off   2:on    3:on    4:on    5:on    6:off
Starting clamav
Now that our virus database is up to date, we can start the clamav daemon without the warning:
# service clamd start
Starting Clam AntiVirus Daemon:                            [  OK  ]
The program start is documented in the log file /var/log/clamav/clamd.log. The excerpt below was recorded on an installation that differs slightly from the configuration shown above (another daemon version and the Unix socket /var/run/clamav/clamd.sock instead of /tmp/clamd.socket); with the clamd.conf from above, the LOCAL line reports /tmp/clamd.socket.
Sun May 17 22:20:12 2009 -> +++ Started at Sun May 17 22:20:12 2009
Sun May 17 22:20:12 2009 -> clamd daemon 0.99.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
Sun May 17 22:20:12 2009 -> Running as user clamav (UID 101, GID 105)
Sun May 17 22:20:12 2009 -> Log file size limit disabled.
Sun May 17 22:20:12 2009 -> Reading databases from /var/clamav
Sun May 17 22:20:12 2009 -> Not loading PUA signatures.
Sun May 17 22:20:13 2009 -> Loaded 549731 signatures.
Sun May 17 22:20:13 2009 -> TCP: Bound to address 127.0.0.1 on port 3310
Sun May 17 22:20:13 2009 -> TCP: Setting connection queue length to 30
Sun May 17 22:20:13 2009 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Sun May 17 22:20:13 2009 -> LOCAL: Setting connection queue length to 30
Sun May 17 22:20:13 2009 -> Limits: Global size limit set to 104857600 bytes.
Sun May 17 22:20:13 2009 -> Limits: File size limit set to 26214400 bytes.
Sun May 17 22:20:13 2009 -> Limits: Recursion level limit set to 16.
Sun May 17 22:20:13 2009 -> Limits: Files limit set to 10000.
Sun May 17 22:20:13 2009 -> Archive support enabled.
Sun May 17 22:20:13 2009 -> Algorithmic detection enabled.
Sun May 17 22:20:13 2009 -> Portable Executable support enabled.
Sun May 17 22:20:13 2009 -> ELF support enabled.
Sun May 17 22:20:13 2009 -> Detection of broken executables enabled.
Sun May 17 22:20:13 2009 -> Mail files support enabled.
Sun May 17 22:20:13 2009 -> OLE2 support enabled.
Sun May 17 22:20:13 2009 -> PDF support enabled.
Sun May 17 22:20:13 2009 -> HTML support enabled.
Sun May 17 22:20:13 2009 -> Self checking every 600 seconds.
clamscan testen
Zum Schluß überprüfen wir noch, ob unser Virenscanner richtig arbeitet. Hierzu besorgen wir uns ein Virenpattern-Testfile.
# wget http://dansguardian.org/downloads/2/Variants/AVTest/danger/eicar.com.txt -O /tmp/eicar.com.txt --2009-12-11 15:33:06-- http://dansguardian.org/downloads/2/Variants/AVTest/danger/eicar.com.txt Auflösen des Rechnernamens »dansguardian.org«.... 89.16.172.190, 2001:41c8:1:5847::2 Verbindungsaufbau mit dansguardian.org[89.16.172.190]:80... verbunden. HTTP-Anfrage gesendet, warte auf Antwort... 200 OK Länge: 68 [text/plain] Speichere nach: »/tmp/eicar.com.txt« 100%[===================================================================================================================>] 68 --.-K/s in 0s 2009-12-11 15:33:06 (10,6 MB/s) - »/tmp/eicar.com.txt« gespeichert [68/68]
We now have clamscan check the Eicar test file we received.
# clamscan -v /tmp/eicar.com.txt
Scanning /tmp/eicar.com.txt
/tmp/eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1215262
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.402 sec (0 m 5 s)
Virus filtering in Dansguardian
To enable the virus scanner during content filtering, we now activate clamd in /etc/dansguardian/dansguardian.conf. We also specify where the received data can/should be cached.
# vim /etc/dansguardian/dansguardian.conf
# Content Scanners (Also known as AV scanners)
# These are plugins that scan the content of all files your browser fetches
# for example to AV scan. The options are limitless. Eventually all of
# DansGuardian will be plugin based. You can have more than one content
# scanner. The plugins are run in the order you specify.
# This is one of the few places you can have multiple options of the same name.
#
# Some of the scanner(s) require 3rd party software and libraries eg clamav.
# See the individual plugin conf file for more options (if any).
#
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
#!! Unimplemented !! contentscanner = '/etc/dansguardian/contentscanners/kavav.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/kavdscan.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/icapscan.conf'
#!! Not compiled !! contentscanner = '/etc/dansguardian/contentscanners/commandlinescan.conf'

# File cache dir
# Where DG will download files to be scanned if too large for the
# RAM cache.
# Django 10.12.2009
#Default: filecachedir = '/tmp'
filecachedir = '/var/tmp'
The remaining configuration takes place in the file mentioned above, /etc/dansguardian/contentscanners/clamdscan.conf. With our editor of first choice, vim, we open the file and enter the socket /tmp/clamd.socket that we set up in clamd.conf.
# vim /etc/dansguardian/contentscanners/clamdscan.conf
plugname = 'clamdscan'

# edit this to match the location of your ClamD UNIX domain socket
#clamdudsfile = '/var/run/clamav/clamd.sock'
# Django 10.12.2009
#Default:
#clamdudsfile = '/var/run/clamav/clamd.sock'
clamdudsfile = '/tmp/clamd.socket'

# If this string is set, the text it contains shall be removed from the
# beginning of filenames when passing them to ClamD.
# Use it to - for example - support a ClamD running inside a chroot jail:
# if DG's filecachedir is set to "/var/clamdchroot/downloads/" and pathprefix
# is set to "/var/clamdchroot", then file names given to ClamD will be of the
# form "/downloads/tf*" instead of "/var/clamdchroot/downloads/tf*".
#pathprefix = '/var/clamdchroot'

exceptionvirusmimetypelist = '/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/dansguardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/lists/contentscanners/exceptionvirusurllist'
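One check worth running before trusting the setup, as an added example that is not part of this page nor of DansGuardian or ClamAV: the clamd log above reports its socket as /var/run/clamav/clamd.sock while clamdscan.conf points at /tmp/clamd.socket, and the two must agree or DansGuardian cannot reach the scanner at all. The script reads both files, compares the paths, then speaks clamd's own socket protocol (PING, and the downloaded EICAR file via INSTREAM) to confirm detection end to end; the clamd.conf location /etc/clamd.conf is an assumption.

```python
"""Added example (not DansGuardian/ClamAV code): verify that the clamdscan plugin
and clamd agree on the UNIX socket, then ask clamd directly about the EICAR file."""
import os
import re
import socket
import struct

DG_PLUGIN_CONF = "/etc/dansguardian/contentscanners/clamdscan.conf"
CLAMD_CONF = "/etc/clamd.conf"       # assumed location of clamd's own config
EICAR_FILE = "/tmp/eicar.com.txt"    # fetched with wget earlier on this page

def dg_socket_path(conf_text):
    """Active (uncommented) clamdudsfile value from clamdscan.conf, or None."""
    m = re.search(r"^\s*clamdudsfile\s*=\s*'([^']+)'", conf_text, re.M)
    return m.group(1) if m else None

def clamd_socket_path(conf_text):
    """LocalSocket value from clamd.conf, or None if clamd listens on TCP only."""
    m = re.search(r"^\s*LocalSocket\s+(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def instream_frames(data, chunk=4096):
    """Frame data for clamd's INSTREAM command: every chunk carries a 4-byte
    big-endian length prefix; a zero-length chunk terminates the stream."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        frames.append(struct.pack(">I", len(piece)) + piece)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)

def clamd_query(path, payload):
    """Send one null-terminated clamd command over the UNIX socket; return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(payload)
        return s.recv(4096).decode().strip("\0\n")

if __name__ == "__main__":
    dg = dg_socket_path(open(DG_PLUGIN_CONF).read())
    cl = clamd_socket_path(open(CLAMD_CONF).read())
    print("clamdscan.conf ->", dg, "| clamd.conf ->", cl)
    if dg != cl:
        print("MISMATCH: DansGuardian cannot reach clamd; align clamdudsfile and LocalSocket")
    if dg and os.path.exists(dg):
        print("PING ->", clamd_query(dg, b"zPING\0"))   # expect PONG
        with open(EICAR_FILE, "rb") as f:
            print("EICAR ->", clamd_query(dg, instream_frames(f.read())))
```

A healthy setup answers PONG and then "stream: Eicar-Test-Signature FOUND"; anything else means DansGuardian's scanner backend is not the one you just tested with clamscan.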