Tech Notes: Ubuntu Server 10.04 LTS – Squid + Dansguardian + Webmin + ClamAV

PLEASE NOTE: The information listed here is purely for my convenience. Please feel free to use it any way that you like, but I will not take any responsibility for inaccuracies or damage resulting in the use of this information.

Ubuntu Server 10.04.2 LTS + Squid + Dans Guardian + Webmin = Webfiltering Proxy with idiot proof perl frontend 🙂

1. Install Ubuntu Server 10.04.2 LTS in the usual manner. Slice disks up how you like! Follow the install and select none of the options when you get to “tasksel”.

2. (OPTIONAL) Install Apache with… Might need Apache later for zero config proxy on the client side.

# sudo apt-get install apache2

3. If you don’t have a static IP then edit interfaces…

# sudo nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address    192.168.1.2     #Your IP
netmask    255.255.255.0     #Your Netmask
gateway    192.168.1.1    #Your Gateway

4. Save and Exit…duh 🙂

5. Restart Networking to bring the new config into play…

# sudo /etc/init.d/networking restart

6. Install and Config Squid….first up…

# sudo apt-get install squid

7. Backup our clean squid.conf file with…

# sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup

8. Edit squid.conf with…

# sudo nano /etc/squid/squid.conf

NOTE: If you want to change the default port that Squid listens on [3128], change the http_port tag.
Ctrl+W is your friend here… look for the “http_access” (no quotes) section on or around line 1860.

#Create an acl (Access Control List) with...
acl our_networks src 192.168.1.0/24 # Replace with your subnet!
#Then Create http access rule with....
http_access allow our_networks

OPTIONAL: If you get the startup error ‘FATAL: Could not determine fully qualified hostname. Please set visible_hostname’, you will also need to modify the visible_hostname tag (Ctrl+W is your friend to find the bugger!!)

visible_hostname localhost

9. Save and Exit…really!! 🙂

10. Install Dansguardian with…

# sudo aptitude install dansguardian

11. We need to check /etc/dansguardian/dansguardian.conf for the following:
# UNCONFIGURED
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

All of the above was present and correct in my dansguardian.conf… but I still needed to comment out the UNCONFIGURED line.

Also set reportinglevel=-1 as I wanted to log traffic at first rather than block it.
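
A pre-restart check for the settings in steps 8 and 11, as an added example that is not part of the original post: it confirms UNCONFIGURED is commented out and that proxyip/proxyport point at Squid, and it flags log-only mode and a Squid port that clients can reach without passing through DansGuardian. The function names and the sample files are constructed for illustration; on the real server pass /etc/dansguardian/dansguardian.conf and /etc/squid/squid.conf.

```shell
# Added example, not from the original post. Function names are hypothetical.

# conf_get FILE KEY: value of the last active "key = value" line, quotes stripped
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed "s/[[:space:]]*#.*//; s/[[:space:]]*\$//; s/^'\(.*\)'\$/\1/" | tail -n 1
}

# squid_listen FILE: [address:]port of the last active http_port line
squid_listen() {
    awk '$1 == "http_port" { v = $2 } END { print v }' "$1"
}

# check_chain DG_CONF SQUID_CONF: print findings, return the number of FAILs
check_chain() {
    fails=0
    listen=$(squid_listen "$2"); listen=${listen:-3128}  # 3128: default per step 8
    sport=${listen##*:}
    if grep -q '^[[:space:]]*UNCONFIGURED' "$1"; then
        echo "FAIL: UNCONFIGURED is still active (step 11: comment it out)"
        fails=$((fails + 1))
    fi
    if [ "$(conf_get "$1" proxyport)" != "$sport" ]; then
        echo "FAIL: proxyport does not match Squid http_port $sport"
        fails=$((fails + 1))
    fi
    if [ "$(conf_get "$1" proxyip)" != "127.0.0.1" ]; then
        echo "FAIL: proxyip is not 127.0.0.1"
        fails=$((fails + 1))
    fi
    if [ "$(conf_get "$1" reportinglevel)" = "-1" ]; then
        echo "WARN: reportinglevel = -1, traffic is logged but not blocked"
    fi
    case $listen in
        127.0.0.1:*|localhost:*) ;;
        *) echo "WARN: Squid port $sport is not loopback-only; clients allowed by http_access can use it directly, unfiltered" ;;
    esac
    return "$fails"
}

# Constructed sample files resembling a fresh install before step 11
demo() {
    d=$(mktemp -d); rc=0
    printf '%s\n' 'UNCONFIGURED - Please remove this line' 'filterport = 8080' \
        'proxyip = 127.0.0.1' 'proxyport = 3128' 'reportinglevel = -1' > "$d/dg.conf"
    printf '%s\n' '# http_port 8000' 'http_port 3128' \
        'acl our_networks src 192.168.1.0/24' 'http_access allow our_networks' > "$d/squid.conf"
    check_chain "$d/dg.conf" "$d/squid.conf" || rc=$?
    echo "FAIL count: $rc"; rm -rf "$d"
}
demo
```

A non-zero return value is the number of FAIL lines, so the function can gate the restart commands in a maintenance script.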

DANSGUARDIAN INFO:
To configure banned/exception sites based on either phrases, ip addresses, urls, mime type,
etc… you would need to edit one of the following files using nano. All files are located in /etc/dansguardian/

bannedextensionlist
bannediplist
bannedmimetypelist
bannedphraselist
bannedregexpurllist
bannedsitelist
bannedurllist
banneduserlist

exceptioniplist
exceptionphraselist
exceptionsitelist
exceptionurllist
exceptionuserlist
exceptionvirusextensionlist
exceptionvirusmimetypelist
exceptionvirussitelist
exceptionvirusurllist

REMEMBER: Whenever you edit these files it is good practice to restart both Squid and Dansguardian:

# sudo /etc/init.d/dansguardian stop
# sudo /etc/init.d/squid stop
# sudo /etc/init.d/squid start
# sudo /etc/init.d/dansguardian start
# ps -e | grep dansguardian ## to see if the service is running

Now that Squid and DansGuardian are configured, test it by setting up your browser to use the proxy server with port 8080. A site that is blocked by default in DansGuardian is http://tits.com; if you get a page redirect then you’re good to go (see image below). Note: you will not get a page redirect if you have set reporting level to -1 in dansguardian.conf like I did.

[Image: whitehouse.com in Firefox through Dan's Guardian]

INSTALLING WEBMIN

Webmin is a web-based interface for system administration for Unix.
Using any browser that supports tables and forms (and Java for the File Manager module)

1. Install dependencies: Perl 5 interpreter and libnet-ssleay-perl

# sudo aptitude install perl5 libnet-ssleay-perl

2. Install Webmin

# cd /usr/local/src
# sudo wget http://prdownloads.sourceforge.net/webadmin/webmin-1.550.tar.gz

NOTE: Check the URL to make sure you are getting the latest!!
…This is the big daddy of Webmin Packages… low fat it ain’t, everything is included
… except DansGuardian 😦

# sudo tar -xvzf webmin-1.550.tar.gz
# cd webmin-1.550
# sudo sh setup.sh

Setup script will run…Answer all questions correctly, I personally set up SSL but it’s up to you

3. Navigate to https://server-name:10000 and log in with the username and pass that you provided to setup.sh.

4. NO DANSGUARDIAN!! WE HAVE BEEN ROBBED….not so…we need to install it!!
5. Navigate to Webmin | Webmin Configuration | Webmin Modules
6. Make sure the Install Tab is selected and then enter the following URL into the field marked “From ftp or http URL”
# http://sourceforge.net/projects/dgwebminmodule/files/dgwebmin-stable/0.7/dgwebmin-0.7.1.wbm/download
7. Click the “Install Module” cmd button
8. Almost done we now need to select our newly installed module
9. CRISIS there are errors!! never fear we just need to configure the module for the Ubuntu environment.

"Warning - DansGuardian binary file not found, maybe you need to update your module config (especially the directory paths).
(Expected location: /sbin/dansguardian)

Warning - the version of DansGuardian you have is not supported by this Webmin module version
Webmin Module Version 0.7.1 supports DG version 2.10 (& 2.9)
Currently installed DG version ?

Warning - running as root(superuser) may cause new files to be innaccessible by production DansGuardian"

10. Select the “module config” hyperlink and update the Configurable Options as follows:

Leave everything as it is except:

Full path to DG binary = /usr/sbin/dansguardian

Command to restart DG (if allowed) = /etc/init.d/dansguardian restart
Command to start DG (if allowed) = /etc/init.d/dansguardian start
Command to stop DG (if allowed) = /etc/init.d/dansguardian stop

Basically lose the rc.d directory listing in the three lines above!!

11. Add webmin startup file to /etc/init.d

If you installed webmin in the default folder (/etc/webmin/), follow these steps:

# cd /etc/init.d

# sudo nano webmin

#! /bin/sh
# Run Webmin's own start script if it exists and is executable
DAEMON=/etc/webmin/start
test -x "$DAEMON" || exit 0
"$DAEMON"

Save the file and make it executable:

# sudo chmod 755 /etc/init.d/webmin

It must be started on boot, we want to start it as root:

# sudo update-rc.d webmin defaults

Note: If something goes wrong and you want to remove this addition in starting up, you execute:

# sudo update-rc.d -f webmin remove

INSTALL CLAMAV

1. Execute the following from a shell to install ClamAV:

sudo apt-get install clamav-daemon clamav-freshclam

2. We will get a warning!!

LibClamAV Warning:***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated.***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************

======================================================

NOTE: To keep Clam up to date I decided to add the ubuntu-clamav/ppa PPA

First up we need add-apt-repository

So…

# sudo apt-get install python-software-properties

Once installed we can add a PPA with, for example:

# sudo add-apt-repository ppa:ubuntu-clamav/ppa
# sudo apt-get update
# sudo apt-get upgrade

If you prefer to roll your own take a look at this excellent post

=======================================================

3. Fresh-Clam will look for def updates every hour….if you need to change this behaviour then edit:

/etc/clamav/freshclam.conf
then...
sudo /etc/init.d/clamav-freshclam restart

4. Open dansguardian.conf and un-comment this line:

contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'

NOTE: I have not been able to get Dansguardian and Clam Daemon to work together yet. I have listed some info below to remind me of a couple of key bits of info when I get time to look into this.

All looks ok so we can test the configuration with page: http://www.eicar.org/download/eicar.com.txt

You should see: Virus or bad content detected. Eicar-Test-Signature on page.

NOTE: Good Site for Blacklists and auto update scripts http://www.shallalist.de/ also http://contentfilter.futuragts.com/wiki/doku.php?id=downloadable_blacklists for general info and links to more blacklists.

INFO

When building DansGuardian, use the --enable-clamd ./configure option, but not the --enable-clamav option too. In an ideal world, all DansGuardian packages obtained from distribution repositories should already be built this way. However in the real (not ideal) world, repository errors are possible. Once DansGuardian is built correctly, you can then control whether or not to use ClamAV purely through the configuration options in dansguardian.conf; in other words, once the build/configure options are correct, you will never need to revisit them no matter what you do with anti-virus.

In dansguardian.conf, use the ‘clamdscan’ option rather than the ‘clamav’ option. The ‘clamdscan’ option interfaces to ClamAV through the interprocess named pipe socket provided by the clam daemon. (The old ‘clamav’ option tries to interface to ClamAV through a version dependent library [a *nix “shared object” (.so) is analogous to a Windows “dynamic link library” (.dll)] which is probably no longer supported nor even available.)

5 Responses

  1. Hello, thanks for the tutorial, short and concise, however there is a little mistake:

    reads as:
    #sudo apt-get-repository ppa:ubuntu-clamav/ppa

    should be:
    #sudo add-apt-repository ppa:ubuntu-clamav/ppa

    Thanx

    • Hi Aldo

      Many thanks for spotting this error, I have now corrected the typo. Thank you for taking the time to comment about this issue, it is really appreciated.

      Best Regards
      Ade

  2. Excellent tutorial…. I have already implemented squid with Dansguardian four times with the help of this tutorial…. Thanks a lot demontek… just wanted to know, is it possible to prevent file download depending upon file extension?

    • Hi Lentin, sorry for the delay in getting back to you! With Dans Guardian you can turn downloads off or only allow the download of certain file types (ie .doc .pdf etc). The dansguardian.conf file is where we need to start to configure this feature. Look for the following lines:

      blockdownloads = off <–NOTE: To block all downloads leave this option set to "off"
      exceptionextensionlist = ‘/etc/dansguardian/lists/exceptionextensionlist’ <– This is the line that points to the list of accepted file extension, put any file extensions that you want to allow to be downloaded in the /etc/dansguardian/lists/exceptionextensionlist file!

      Note that you can also filter by mime types.

      Hope this helps, and thanks for your kind comment.
