Differences
This page shows the differences between two versions.
centos:dansguardian_2.8 [03.08.2011 19:49. ] – [dansguardianf2.conf] django | centos:dansguardian_2.8 [20.04.2018 10:36. ] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Dansguardian Version 2.8.0.6 - Installation und Konfiguration ====== | ||
+ | {{: | ||
+ | |||
+ | Für die Zugriffsverwaltung und inhaltliche Bewertung der angewählten Internetseiten bedienen wir uns dem Proxy [[http:// | ||
+ | Bei dieser Konstellation arbeiten **// | ||
+ | * unerwünschte Seiten zu blocken (Pornographie) | ||
+ | * bestimmte Inhalte nur bestimmten Usern zur Verfügung zu stellen (Multimediainhalte des WWW) | ||
+ | * Seiten auf unerwünschten Inhalt zu überprüfen und ggf. zu blocken (Glücksspiel und politische Propaganda) oder | ||
+ | * eine Virenprüfung der übermittelten Daten vorzunehmen. | ||
+ | |||
+ | <WRAP round info>Die einfachere Variante ist die Installation der Version **2.8.0.6** aus dem [[http:// | ||
+ | \\ | ||
+ | Diese Version unterstützt __nur__ die Inhaltliche Überprüfung noch noch __**NICHT**__ die Virenfilterung! Diese ist im aktuellen neuen Release-Kandidaten enthalten - die Installation ist im folgenden [[centos: | ||
+ | |||
+ | |||
+ | ===== Installation ===== | ||
+ | Wie sollte es auch hier anders sein, die Installation der benötigten Programme erfolgt im gewohnten Rahmen via **yum**, welches wir als User **root** ausführen. | ||
+ | # su - | ||
+ | |||
+ | # yum install dansguardian | ||
+ | Was uns das Paket **dansguardian** alles mitbringt offenbart eine detailierte Blick((zum besseren Vergleich zwischen der Verison 2.8.0.6 zur 2.10.1.1 erfolgt der //Abdruck// der gesamten Abfrage durch **rpm -iql**)), nach erfolgter Installation des Paketes, in das **RPM**. | ||
+ | < | ||
+ | Name : dansguardian | ||
+ | Version | ||
+ | Release | ||
+ | Install Date: Sa 08 Nov 2008 13:55:11 CET Build Host: lisse.leuven.wieers.com | ||
+ | Group : System Environment/ | ||
+ | Size : 736787 | ||
+ | Signature | ||
+ | Packager | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | DansGuardian is a web filtering engine that checks the content within | ||
+ | the page itself in addition to the more traditional URL filtering. | ||
+ | |||
+ | DansGuardian is a content filtering proxy. It filters using multiple methods, | ||
+ | including URL and domain filtering, content phrase filtering, PICS filtering, | ||
+ | MIME filtering, file extension filtering, POST filtering. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | ===== Konfiguration ===== | ||
+ | Mit dem Editor unserer Wahl z.B. **vim** bearbeiten wir nun die Konfigurationsdatei des Contentfilters: | ||
+ | # vim / | ||
+ | Das erste und wichtigste, was wir hier groß einstellen, sind die Adress- und Portangaben: | ||
+ | < | ||
+ | filterport = 8080 | ||
+ | |||
+ | # the ip of the proxy (default is the loopback - i.e. this server) | ||
+ | proxyip = 127.0.0.1 | ||
+ | |||
+ | # the port DansGuardian connects to proxy on | ||
+ | proxyport = 3128 | ||
+ | </ | ||
+ | Ferner passen wir noch die // | ||
+ | < | ||
+ | language = ' | ||
+ | In Summe ergibt sich also folgende Gesamtkonfiguration: | ||
+ | < | ||
+ | reportinglevel = 3 | ||
+ | languagedir = '/ | ||
+ | language = ' | ||
+ | loglevel = 3 | ||
+ | logexceptionhits = on | ||
+ | logfileformat = 1 | ||
+ | filterip = | ||
+ | filterport = 8080 | ||
+ | proxyip = 127.0.0.1 | ||
+ | proxyport = 3128 | ||
+ | accessdeniedaddress = ' | ||
+ | nonstandarddelimiter = on | ||
+ | usecustombannedimage = 1 | ||
+ | custombannedimagefile = '/ | ||
+ | filtergroups = 1 | ||
+ | filtergroupslist = '/ | ||
+ | bannediplist = '/ | ||
+ | exceptioniplist = '/ | ||
+ | banneduserlist = '/ | ||
+ | exceptionuserlist = '/ | ||
+ | showweightedfound = on | ||
+ | weightedphrasemode = 2 | ||
+ | urlcachenumber = 1000 | ||
+ | urlcacheage = 900 | ||
+ | phrasefiltermode = 2 | ||
+ | preservecase = 0 | ||
+ | hexdecodecontent = 0 | ||
+ | forcequicksearch = 0 | ||
+ | reverseaddresslookups = off | ||
+ | reverseclientiplookups = off | ||
+ | createlistcachefiles = on | ||
+ | maxuploadsize = -1 | ||
+ | maxcontentfiltersize = 256 | ||
+ | usernameidmethodproxyauth = on | ||
+ | usernameidmethodident = off | ||
+ | preemptivebanning = on | ||
+ | forwardedfor = off | ||
+ | usexforwardedfor = off | ||
+ | logconnectionhandlingerrors = on | ||
+ | maxchildren = 120 | ||
+ | minchildren = 8 | ||
+ | minsparechildren = 4 | ||
+ | preforkchildren = 6 | ||
+ | maxsparechildren = 32 | ||
+ | maxagechildren = 500 | ||
+ | ipcfilename = '/ | ||
+ | urlipcfilename = '/ | ||
+ | nodaemon = off | ||
+ | nologger = off | ||
+ | softrestart = off</ | ||
+ | Nach der erfolgten Inbetriebnahme drehen wir dem Dansguardian etwas //die Luft ab//, was heissen will, wir lassen uns nur noch die geblockten Seiten reporten, da das Logfile ggf. etwas arg überschwemmt wird mit Informationen, | ||
+ | < | ||
+ | |||
+ | # Logging Settings | ||
+ | # | ||
+ | # 0 = none 1 = just denied | ||
+ | loglevel = 1</ | ||
+ | In der zweiten Konfig-Datei **/ | ||
+ | # vim / | ||
+ | Mit einem **Naughtyness limit** von **100** liegt man schon mal in einem praktikablen Bereich. | ||
+ | < | ||
+ | # This the limit over which the page will be blocked. | ||
+ | # a value either positive or negative and the values added up. Phrases to do with | ||
+ | # good subjects will have negative values, and bad subjects will have positive | ||
+ | # values. | ||
+ | # As a guide: | ||
+ | # 50 is for young children, | ||
+ | naughtynesslimit = 100</ | ||
+ | Somit ergibt sich hier folgende Gesamtkonfiguration: | ||
+ | < | ||
+ | bannedphraselist = '/ | ||
+ | weightedphraselist = '/ | ||
+ | exceptionphraselist = '/ | ||
+ | bannedsitelist = '/ | ||
+ | greysitelist = '/ | ||
+ | exceptionsitelist = '/ | ||
+ | bannedurllist = '/ | ||
+ | greyurllist = '/ | ||
+ | exceptionurllist = '/ | ||
+ | bannedregexpurllist = '/ | ||
+ | bannedextensionlist = '/ | ||
+ | bannedmimetypelist = '/ | ||
+ | picsfile = '/ | ||
+ | contentregexplist = '/ | ||
+ | naughtynesslimit = 100 | ||
+ | bypass = 0 | ||
+ | bypasskey = ''</ | ||
+ | |||
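Review bot: In the full dansguardian.conf listing, `filterip =` is left empty next to `filterport = 8080`, so the filter listens on every interface of the host, and the visible lines never say that Squid on `proxyport = 3128` must be reachable only through the loopback address given in `proxyip = 127.0.0.1`. If clients can connect to port 3128 directly, they skip the content filter altogether. Suggest setting `filterip` to the LAN-facing address and adding a sentence that Squid has to be bound to 127.0.0.1 or that port 3128 has to be firewalled from clients. Separately, the later `loglevel = 1` step keeps only denied requests ("1 = just denied"), so allowed traffic is no longer available when an incident has to be reconstructed; rotating the log would address the flooding concern without losing those entries.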
+ | ===== Starten von Dansguardian ===== | ||
+ | Nun starten wir das erste mal unsere neuen Dienst **dansguardian**: | ||
+ | # service dansguardian start | ||
+ | Web Content Filter (dansguardian) starten: | ||
+ | |||
+ | ==== automatisches Starten von Dansguardian beim Systemstart ==== | ||
+ | Damit der Dansguardian-daemon automatisch bei jedem Systemstart startet, kann die Einrichtung des Start-Scriptes über folgenden Befehl erreicht werden: | ||
+ | # chkconfig dansguardian on | ||
+ | |||
+ | Die Überprüfungung ob der Dienst (Daemons) Dansguardian wirklich bei jedem Systemstart automatisch mit gestartet wird, kann durch folgenden Befehle erreicht werden: | ||
+ | # chkconfig --list | grep dansguardian | ||
+ | | ||
+ | Wichtig sind jeweils die Schalter **on** bzw. **Ein** bei den Runleveln - **2 3 4 5**. | ||
+ | ===== Optimierung von dansguardian | ||
+ | Von Haus aus, ist der " | ||
+ | ==== Ausnahmelisten für Web-Sites ==== | ||
+ | Ganze Seiten können von der inhaltlichen Bewertung ausgenommen werden, wenn in der **/ | ||
+ | < | ||
+ | |||
+ | #Sites in exception list | ||
+ | #Don't bother with the www. or | ||
+ | #the http:// | ||
+ | # | ||
+ | #These are specifically domains and are not URLs. | ||
+ | #For example ' | ||
+ | #to just have ' | ||
+ | # | ||
+ | #You can also match IPs here too. | ||
+ | # | ||
+ | #As of DansGuardian 2.7.3 you can now include | ||
+ | #.tld so for example you can match .gov for example | ||
+ | |||
+ | |||
+ | dansguardian.org | ||
+ | |||
+ | nausch.org | ||
+ | urlblacklist.com | ||
+ | ebay.de | ||
+ | bay.com | ||
+ | </ | ||
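Review bot: The last entry of the exception site list reads `bay.com`, directly below `ebay.de`, which looks like a truncated `ebay.com`. As written it exempts a different domain from the content evaluation than the one apparently intended, while the intended one stays filtered. Suggest correcting the entry and keeping this list as short as possible, since the section states that whole sites listed here are excluded from content evaluation.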
+ | ==== Ausnahmelisten für Hosts ==== | ||
+ | Will man einzelne Workstations ausnehmen, so trägt man diese in die **/ | ||
+ | < | ||
+ | |||
+ | #IP addresses of computers to not filter | ||
+ | #and just pass requests straight through to | ||
+ | # | ||
+ | #These would be servers which | ||
+ | #need unfiltered access for | ||
+ | # | ||
+ | # | ||
+ | #download programs and check | ||
+ | #out blocked sites should be | ||
+ | #put here. | ||
+ | # | ||
+ | #Only put IP addresses here, | ||
+ | #not host names | ||
+ | # | ||
+ | #This is not the IP of web servers | ||
+ | #you don't want to filter. | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # | ||
+ | 192.168.20.10</ | ||
+ | ==== Sperrlisten für Dateiextensions ==== | ||
+ | Über die **/ | ||
+ | < | ||
+ | |||
+ | #Banned extension list | ||
+ | |||
+ | # File extensions with executable code | ||
+ | |||
+ | # The following file extensions can contain executable code. | ||
+ | # This means they can potentially carry a virus to infect your computer. | ||
+ | |||
+ | .ade # Microsoft Access project extension | ||
+ | .adp # Microsoft Access project | ||
+ | .asx # Windows Media Audio / Video | ||
+ | .bas # Microsoft Visual Basic class module | ||
+ | .bat # Batch file | ||
+ | .cab # Windows setup file | ||
+ | .chm # Compiled HTML Help file | ||
+ | .cmd # Microsoft Windows NT Command script | ||
+ | .com # Microsoft MS-DOS program | ||
+ | .cpl # Control Panel extension | ||
+ | .crt # Security certificate | ||
+ | .dll # Windows system file | ||
+ | .exe # Program | ||
+ | .hlp # Help file | ||
+ | .ini # Windows system file | ||
+ | .hta # HTML program | ||
+ | .inf # Setup Information | ||
+ | .ins # Internet Naming Service | ||
+ | .isp # Internet Communication settings | ||
+ | # .js # JScript file - often needed in web pages | ||
+ | # .jse # Jscript Encoded Script file - often needed in web pages | ||
+ | .lnk # Windows Shortcut | ||
+ | .mda # Microsoft Access add-in program | ||
+ | .mdb # Microsoft Access program | ||
+ | .mde # Microsoft Access MDE database | ||
+ | .mdt # Microsoft Access workgroup information | ||
+ | .mdw # Microsoft Access workgroup information | ||
+ | .mdz # Microsoft Access wizard program | ||
+ | .msc # Microsoft Common Console document | ||
+ | .msi # Microsoft Windows Installer package | ||
+ | .msp # Microsoft Windows Installer patch | ||
+ | .mst # Microsoft Visual Test source files | ||
+ | .pcd # Photo CD image, Microsoft Visual compiled script | ||
+ | .pif # Shortcut to MS-DOS program | ||
+ | .prf # Microsoft Outlook profile settings | ||
+ | .reg # Windows registry entries | ||
+ | .scf # Windows Explorer command | ||
+ | .scr # Screen saver | ||
+ | .sct # Windows Script Component | ||
+ | .sh # Shell script | ||
+ | .shs # Shell Scrap object | ||
+ | .shb # Shell Scrap object | ||
+ | .sys # Windows system file | ||
+ | .url # Internet shortcut | ||
+ | .vb # VBScript file | ||
+ | .vbe # VBScript Encoded script file | ||
+ | .vbs # VBScript file | ||
+ | .vxd # Windows system file | ||
+ | .wsc # Windows Script Component | ||
+ | .wsf # Windows Script file | ||
+ | .wsh # Windows Script Host Settings file | ||
+ | .otf # Font file - can be used to instant reboot 2k and xp | ||
+ | .ops # Office XP settings | ||
+ | |||
+ | |||
+ | |||
+ | # Files which one normally things as non-executable but | ||
+ | # can contain harmful macros and viruses | ||
+ | |||
+ | .doc # Word document | ||
+ | .xls # Excel document | ||
+ | .pps # PowerPoint selfrunning | ||
+ | |||
+ | # Other files which may contain files with executable code | ||
+ | |||
+ | #.gz # Gziped file | ||
+ | #.tar # Tape ARchive file | ||
+ | .zip # Windows compressed file | ||
+ | #.tgz # Unix compressed file | ||
+ | #.bz2 # Unix compressed file | ||
+ | .cdr # Mac disk image | ||
+ | .dmg # Mac disk image | ||
+ | .smi # Mac self mounting disk image | ||
+ | .sit # Mac compressed file | ||
+ | .sea # Mac compressed file, self extracting | ||
+ | .bin # Mac binary compressed file | ||
+ | .hqx # Mac binhex encoded file | ||
+ | .rar # Similar to zip | ||
+ | |||
+ | |||
+ | # Time/ | ||
+ | |||
+ | .mp3 # Music file | ||
+ | .mpeg # Movie file | ||
+ | .mpg # Movie file | ||
+ | .avi # Movie file | ||
+ | .asf # this can also exploit a security hole allowing virus infection | ||
+ | .iso # CD ISO image | ||
+ | .ogg # Music file | ||
+ | .wmf # Movie file | ||
+ | .bin # CD ISO image | ||
+ | .cue # CD ISO image | ||
+ | |||
+ | # meine eigenen | ||
+ | .ani # animated cursor</ | ||
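Review bot: In the media block of the extension list, `.wmf # Movie file` names the Windows Metafile image format; the Windows Media video extension is `.wmv`, which does not appear in the list, so the entry probably does not block what its comment says. Suggest adding `.wmv` and relabelling or dropping `.wmf` on purpose. `.bin` is also listed twice, once as "Mac binary compressed file" and once as "CD ISO image"; one entry is enough. The office block bans `.doc`, `.xls` and `.pps` but not `.ppt`, which is worth either adding or explaining.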
+ | ==== Sperrlisten für URLS (regex) ==== | ||
+ | Über die **/ | ||
+ | < | ||
+ | |||
+ | #Banned URLs based on Regular Expressions | ||
+ | # | ||
+ | # E.g. ' | ||
+ | |||
+ | # The following two lines may work better than the above - Philip Pearce 9/11/2004 | ||
+ | (^|[-\? | ||
+ | (^|[-\? | ||
+ | |||
+ | # Onlinegaming | ||
+ | (gladiatus|4story|gameforge|ikariam|pog.com|cracymonkeygames|poissonrouge) | ||
+ | |||
+ | # Musikmaffia | ||
+ | (musicload|musikload) | ||
+ | |||
+ | # videoportale | ||
+ | (vo.llnwd) | ||
+ | |||
+ | # Werbemüll | ||
+ | (Standardteaser|sponsorads|google-analytics) | ||
+ | |||
+ | # Schnackslanbahnungsportale | ||
+ | (facebook)</ | ||
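Review bot: The custom patterns at the end of the regex URL list use unescaped dots and no anchoring: in `pog.com` and `vo.llnwd` the `.` matches any character, and bare words such as `facebook` or `gameforge` match wherever they occur in a URL, not only in the host name of the site meant. Suggest escaping the literal dots (`pog\.com`, `vo\.llnwd`) and, where a whole domain is meant, moving the entry to the banned site list that dansguardianf1.conf already references. `cracymonkeygames` also looks misspelled and should be checked against the real site name, otherwise the pattern never matches.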
+ | ===== Filtergruppen bei dansguardian ===== | ||
+ | Oft ist es wünschenswert einzelen User(gruppen) bei der Bewertung der Verbindungswünsche in's WWW unterschiedlich zu behandeln. So könnten zum Beispiel Schüler und Lehrer, DAUs, Null- Halb- und Stellenleiter wie auch VIPs mit eigenen Filterregelsätzen belegt werden.\\ | ||
+ | Was zunächst kompliziert anmutet, funktioniert recht einfach und auch überschaubar.\\ | ||
+ | ==== dansguardian.conf ==== | ||
+ | Als erstes geben wir unserem Kontentfilter mit, wieviele Filtergruppen (max. 99) wir verwenden möchten. | ||
+ | < | ||
+ | |||
+ | # Filter groups options | ||
+ | # filtergroups sets the number of filter groups. A filter group is a set of content | ||
+ | # filtering options you can apply to a group of users. | ||
+ | # DansGuardian will automatically look for dansguardianfN.conf where N is the filter | ||
+ | # group. | ||
+ | # to filter group 1. You must have some sort of authentication to be able to map users | ||
+ | # to a group. | ||
+ | # use as few as possible. | ||
+ | filtergroups = 2 | ||
+ | filtergroupslist = '/ | ||
+ | ==== filtergroupslist ==== | ||
+ | In der Datei **filtergroupslist** geben wir nun all diejenigen Nutzer an, die nicht in der Standardgruppe bewertet werden sollen, sondern in einer der zuvor definierten Filtergruppen. | ||
+ | < | ||
+ | |||
+ | # Filter Groups List file for DansGuardian | ||
+ | # | ||
+ | # Format is < | ||
+ | # | ||
+ | jakob=filter2</ | ||
+ | ==== dansguardianf2.conf ==== | ||
+ | Die eigentliche Änderungen zur Standardkonfiguration nehmen wir nun, in der // | ||
+ | < | ||
+ | |||
+ | # Content filtering files location | ||
+ | bannedphraselist = '/ | ||
+ | weightedphraselist = '/ | ||
+ | exceptionphraselist = '/ | ||
+ | bannedsitelist = '/ | ||
+ | greysitelist = '/ | ||
+ | exceptionsitelist = '/ | ||
+ | bannedurllist = '/ | ||
+ | greyurllist = '/ | ||
+ | exceptionurllist = '/ | ||
+ | bannedregexpurllist = '/ | ||
+ | bannedextensionlist = '/ | ||
+ | bannedmimetypelist = '/ | ||
+ | picsfile = '/ | ||
+ | contentregexplist = '/ | ||
+ | </ | ||
+ | In den jeweiligen Listen erweitern wir nun die entsprechenden gesperrten Seiten oder definieren entsprechende Ausnahmeregelungen. | ||
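Review bot: The filter group section maps `jakob=filter2` by user name, and the quoted comment itself notes that some sort of authentication is needed to map users to a group, but the section never says where that user name comes from. The main configuration sets `usernameidmethodproxyauth = on` and `usernameidmethodident = off`, so the mapping only takes effect once Squid enforces proxy authentication; requests without an authenticated user stay in the default group. Suggest stating that dependency in this section. The dansguardianf2.conf excerpt also shows only the list file locations, so it would help to name which lists or limits actually differ from group 1.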