Creating a parental web filtering box-HOWTO


Subject: Creating a parental web filtering box-HOWTO
From: Chris de Vidal (cdevidal@yahoo.com)
Date: Tue Sep 04 2001 - 18:00:25 EDT


These are instructions I wrote to create a locked-down
kiosk-style workstation. It runs well on a Pentium 75
with 64MB of RAM and a 1.5GB drive. You could easily
throw IPTables on it and force all data through it so
that it would filter to other computers in a LAN.
Instructions on creating an intercepting proxy are at:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

It would also be easy to create a "DMZ," that is, an
unfiltered zone to add unprotected PCs. Ozz, you
could use your Smoothwall 386 and put this on a newer
computer acting something like a proxy gateway. It
should be just dandy on the 386 but 32 MB RAM doesn't
seem to be enough, unless perhaps the machine were not
running X. Then I'd try it on your 386 with 32MB RAM
along with Smoothwall. Be sure to have at least 1GB
as Squid eats drive space. Review squid.conf to see
how to prevent Squid from taking over your drive!

CD

=====================
Start RedHat install.

Install as a Workstation.

Add a webuser account with a strong password. This is
the unprivileged user the kiosk browser runs as; nothing
below runs the browser as root.

Remove KDE, GNOME, and GAMES.

Install at least these individual packages (some are
turned on by default):
ftp, links, netscape-common, netscape-navigator, cpp,
gcc, gcc-c++, kernel-headers, autoconf, automake,
bison, byacc, flex, make, man-pages, iptables,
XFree86-xfs, apache, iputils, sendmail-cf, squid,
tcp_wrappers, xinetd, WindowMaker, wmakerconf,
XFree86, XFree86-100dpi-fonts, XFree86-75dpi-fonts,
Xconfigurator, xscreensaver, perl, netcfg

Use your judgement on what to remove. If it looks
unnecessary, remove it. If you're not sure what it
is, leave it.

Allow any dependencies to be installed.

Wait for install to finish.

Configure X Windows to run at 1024x768, preferably at
16bpp or more.

Create a boot disk.

After reboot, log in as webuser.

Open a terminal, run "su" and enter the root password.
You will need to be root for most of the commands
listed here; do the browsing itself as webuser, never
as root.

Apply the latest RedHat Errata (the security fixes for
the packages you just installed) before the box goes on
the network:
http://www.redhat.com/support/errata/

Run "/sbin/chkconfig --list". This lists the services
that start when the computer boots. Turn off anything
the box does not need with "/sbin/chkconfig
(PROGRAM) off". Example: "/sbin/chkconfig atd off".
Every service left running is listening or acting as
root, so the unnecessary ones are pure attack surface.
Examples of unnecessary programs: kudzu (unless you
need its hardware detection), rwhod, netfs, apmd,
identd.

Make squid and httpd start on level 5. Example:
"/sbin/chkconfig --level 5 squid on"

Run "switchdesk WindowMaker"

Run "netcfg".

Under Interfaces, edit the eth0 Ethernet interface by
double-clicking. Specify an IP address and Netmask.
Activate interface at boot. Interface configuration
protocol: none.

Under Routing, set the Default Gateway and set the
Default Gateway Device to eth0.

Open /etc/inittab in an editor and comment out
"ca::ctrlaltdel:/sbin/shutdown -t3 -r now"

Create a custom home page for the browser to start on.
Put the home page in the httpd html directory
(example: /var/www/html)

Download and install autologin:
http://www.linux-easy.com/development.php

Create /etc/sysconfig/autologin and insert
"USER=webuser"

Run "chmod 444 /etc/sysconfig/autologin" and "chattr
+i /etc/sysconfig/autologin"

Open /etc/httpd/conf/httpd.conf in an editor.

Change Serveradmin to your name_with_underscores.
Example: ServerAdmin "Chris_de_Vidal"

Open /etc/squid/squid.conf in an editor.

Uncomment "cache_mgr" and put your
name_with_underscores; example: "Chris_de_Vidal" with
the quotes ("") and underscores.

Uncomment "cache_effective_user squid" and
"cache_effective_group squid"

Download DansGuardian:
http://dansguardian.org/?page=download

Edit the Makefile for DansGuardian so that it places
dansguardian.pl in the correct httpd home/cgi-bin
directory (/var/www/cgi-bin on this computer). Read
the DansGuardian installation documentation.

Install DansGuardian.

Customize /var/www/cgi-bin/dansguardian.pl

Run "/usr/sbin/squid -z" (this creates the cache
directories) then "/usr/sbin/squid"

Run "/etc/rc.d/init.d/dansguardian start"

Set Netscape to use manual proxy servers. Set all of
them to IP-ADDRESS port 8080, which is DansGuardian's
listening port; DansGuardian forwards to Squid on port
3128, and Squid in turn asks squidGuard. Pointing the
browser straight at 3128 would skip DansGuardian's
content filtering entirely. Also set the Netscape home
page to the custom home page that you created.

{If you go the transparent route instead, this is where
you would use IPTables on the gateway to redirect
outbound TCP port 80 from the LAN to DansGuardian on
port 8080. The browsers you set up then DON'T NEED A
PROXY SERVER IN THEIR PREFERENCES. This is a
transparent, or intercepting, proxy. Squid of this
vintage also needs the httpd_accel_* settings in
squid.conf before it will accept intercepted requests,
so read this documentation first:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html}
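As an added example (not part of the original post), here is what that IPTables rule set looks like when the filter box is also the LAN's gateway. The interface names, the LAN range and the port numbers (8080 for DansGuardian, 3128 for Squid on the same box) are assumptions to adjust. The first function only prints the rules so they can be reviewed; the second applies them as root.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the IPTables
# rules for the transparent variant, where this box is the LAN's gateway.
# Assumptions (placeholders): LAN on eth1 as 192.168.1.0/24, Internet on
# eth0, DansGuardian on 8080 handing off to Squid on 3128, both on this
# box. The rules assume an otherwise empty ruleset, since they flush the
# chains they use.

# proxy_rules LAN_IF LAN_NET WAN_IF  -> prints the rules, one command per
# line, for review; nothing is applied.
proxy_rules() {
    lan_if=$1
    lan_net=$2
    wan_if=$3
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -F INPUT
iptables -F FORWARD
# 1. Web traffic from the LAN is diverted to DansGuardian. REDIRECT in
#    PREROUTING only sees packets arriving on an interface, so Squid's
#    own outbound fetches from this box are not looped back.
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports 8080
# 2. The LAN may not talk to Squid directly: 3128 would skip DansGuardian
#    (squidGuard would still run, the content filter would not).
iptables -A INPUT -i $lan_if -p tcp --dport 3128 -j DROP
# 3. Nor may it reach an outside proxy on the usual proxy ports.
iptables -A FORWARD -i $lan_if -p tcp -m multiport --dports 3128,8080,8000,8001,8888 -j DROP
# 4. HTTPS cannot be intercepted or filtered this way, so the choice has
#    to be explicit: drop it (shown) or knowingly let it through unfiltered.
iptables -A FORWARD -i $lan_if -p tcp --dport 443 -j DROP
# 5. Everything else from the LAN is routed; replies return by state.
iptables -A FORWARD -i $lan_if -s $lan_net -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
# 6. Hide the private LAN range behind this box. Drop this line if an
#    upstream box (a Smoothwall, say) already does the NAT.
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# apply_proxy_rules LAN_IF LAN_NET WAN_IF  -> turns on forwarding and runs
# the rules above. Needs root.
apply_proxy_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    proxy_rules "$1" "$2" "$3" | sh -e
}
```

Rules 2 and 3 matter as much as the REDIRECT: without them a LAN user who finds the box's address can bypass DansGuardian by pointing a browser at port 3128, or at any proxy outside the LAN.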

Test out some web pages.

Download, install, and configure squidGuard:
http://www.squidguard.org/install/

squidGuard install tricks:

Be sure to get Berkeley DB 2.7.7 because, as of this
writing, Berkeley DB 3.0+ isn't supported with
squidGuard.

Create /etc/squidGuard/squidGuard.conf and refer to
the squidGuard config file documentation at:
http://www.squidguard.org/config/ For the redirect
page, use
http://IP-ADDRESS/cgi-bin/dansguardian.pl?DENIEDURL=%u&REASON=Site%20blocked

Blocking ads with squidGuard is unnecessary and
confusing.

Create two directories: /usr/local/squidGuard/db and
/usr/local/squidGuard/log

Download the current blacklist from:
http://www.squidguard.org/blacklist/

Unpack the contents of the blacklist to
/usr/local/squidGuard/db Be sure not to have the
directory structure look like:
/usr/local/squidGuard/db/blacklists/ads Instead,
unpack the blacklist file first and then copy the
contents to /usr/local/squidGuard/db so that you get
/usr/local/squidGuard/db/ads instead.

Run "chown squid.squid /usr/local/squidGuard/log
/usr/local/squidGuard/db"

Run "chmod 700 -R /usr/local/squidGuard/db"

When compiling squidGuard, use this command (note the
two dashes on the option):
CC="gcc" CFLAGS="-O3" ./configure
--with-sg-config=/etc/squidGuard/squidGuard.conf

After install, run "/usr/local/bin/squidGuard -d". This
runs it in debug mode in the foreground: watch it load
every list without errors, then type a request in
Squid's redirector format (URL, client IP/fqdn, ident,
method; for example "http://www.example.com/
192.168.1.10/- - GET") and press Enter. A blocked URL is
answered with the redirect page, an allowed one with an
empty line. Ctrl-D exits. If you later build .db files
with "squidGuard -C all", run it as the squid user or
chown the results back to squid, or Squid's redirectors
will not be able to open them.

Open /etc/squid/squid.conf in an editor and change
"redirect_program none" to "redirect_program
/usr/local/bin/squidGuard". Also uncomment
"redirect_children 5" and change it to
"redirect_children 4"

Run "/etc/rc.d/init.d/squid restart"

Test out some web pages: one that should be blocked and
one that should pass. If everything passes, look at
/usr/local/squidGuard/log/squidGuard.log. On any
configuration or list-file error squidGuard goes into
"emergency mode" and passes every request unfiltered
rather than refusing to start, so a silent failure
looks exactly like no filter at all.
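As an added example (not from the original post), a small script that checks the blacklist directory layout described above and writes a squidGuard.conf blocking the chosen categories, with the DansGuardian redirect page. The paths are the ones used in this HOWTO; the category names (porn, ads) are placeholders for whatever the blacklist tarball shipped, and IP-ADDRESS is the page's own placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes squidGuard's dbhome
# is /usr/local/squidGuard/db and its logdir /usr/local/squidGuard/log,
# and that each blacklist category is a directory directly under dbhome.

# check_db_layout DBDIR CATEGORY...  -> 0 if every category is a directory
# directly under DBDIR holding a 'domains' and/or 'urls' file; 1 otherwise,
# with the problems on stderr. A leftover DBDIR/blacklists/ directory is
# the unpacking mistake the HOWTO warns about and is reported too.
check_db_layout() {
    dbdir=$1
    shift
    rc=0
    if [ -d "$dbdir/blacklists" ]; then
        echo "wrong layout: $dbdir/blacklists exists; move its contents up into $dbdir" >&2
        rc=1
    fi
    for c in "$@"; do
        if [ ! -f "$dbdir/$c/domains" ] && [ ! -f "$dbdir/$c/urls" ]; then
            echo "missing: $dbdir/$c/domains or $dbdir/$c/urls" >&2
            rc=1
        fi
    done
    return $rc
}

# gen_squidguard_conf IP DBDIR LOGDIR CATEGORY...  -> squidGuard.conf on
# stdout: one dest per category, listing only the files that exist (a
# missing list file is a configuration error, and on configuration errors
# squidGuard falls into emergency mode and passes everything), a default
# ACL that passes all but those categories, and the DansGuardian page.
gen_squidguard_conf() {
    ip=$1
    dbdir=$2
    logdir=$3
    shift 3
    echo "dbhome $dbdir"
    echo "logdir $logdir"
    echo
    blocked=""
    for c in "$@"; do
        echo "dest $c {"
        [ -f "$dbdir/$c/domains" ] && echo "    domainlist $c/domains"
        [ -f "$dbdir/$c/urls" ]    && echo "    urllist    $c/urls"
        echo "}"
        blocked="$blocked !$c"
    done
    echo
    echo "acl {"
    echo "    default {"
    echo "        pass$blocked all"
    echo "        redirect http://$ip/cgi-bin/dansguardian.pl?DENIEDURL=%u&REASON=Site%20blocked"
    echo "    }"
    echo "}"
}

# Usage (as root, after unpacking the blacklist into the db directory):
#   check_db_layout /usr/local/squidGuard/db porn ads && \
#   gen_squidguard_conf IP-ADDRESS /usr/local/squidGuard/db \
#       /usr/local/squidGuard/log porn ads > /etc/squidGuard/squidGuard.conf
```

Run the check every time a new blacklist is unpacked: the layout is the one thing that silently breaks, since a category squidGuard cannot find is a configuration error, and a configuration error means no filtering.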

Create
/usr/local/screensaver-watcher/screensaver-watcher.pl
and edit it.

Insert:
#!/usr/bin/perl
# This script monitors xscreensaver to see if it is active. If it is,
# the restart-netscape script is run (once per blanking), so the next
# person at the kiosk starts from the home page. The "#!" line must be
# the first line of the file or the kernel will not run it with perl.
use strict;
use warnings;

my $blanked = 0;
open(IN, "xscreensaver-command -watch |")
    or die "cannot run xscreensaver-command: $!";
while (<IN>) {
    if (m/^(BLANK|LOCK)/) {
        if (!$blanked) {
            system("/usr/local/screensaver-watcher/restart-netscape");
            $blanked = 1;
        }
    } elsif (m/^UNBLANK/) {
        $blanked = 0;
    }
}

Create /usr/local/screensaver-watcher/restart-netscape
and edit it.

Insert:
#!/bin/sh
# This script closes any instances of Netscape and reopens it to the
# home page. killall runs in the foreground so the old instance is gone
# before the new one starts; with both backgrounded, the kill can race
# the launch and take out the fresh window instead.
killall -9 netscape-navigator
netscape http://IP-ADDRESS/ -geometry 1024x738+0+0 -display :0 &

Run "chmod 755 /usr/local/screensaver-watcher/*"

Open ~webuser/GNUstep/Library/WindowMaker/autostart in
an editor.

Insert:
export DISPLAY=webbox:0
xhost +localhost
xscreensaver-command -exit
xscreensaver -nosplash &
perl /usr/local/screensaver-watcher/screensaver-watcher.pl &

"webbox" is this machine's hostname, so DISPLAY points
at the X server over TCP, which is why the xhost line
is needed. "xhost +localhost" lets any process on this
box open the display; on a single-user kiosk that is
acceptable, but never shorten it to a bare "xhost +",
which opens the display to every host that can reach
the box.

Make Netscape launch at WindowMaker startup by first
launching Netscape, then dragging the Netscape icon
(in the upper-right corner) onto the dock. Then
right-click on that icon and choose settings. Launch
at startup, lock, and change the command line to
"netscape http://IP-ADDRESS/ -geometry 1024x738+0+0".

Right-click on the dock and click "Allow Lowering."
Create a background for the desktop with a message
something like "If Netscape does not load within 30
seconds, double-click the Netscape icon". Put it in
/usr/share/WindowMaker/Backgrounds Change the
WindowMaker background to the new picture.

Lock down WindowMaker by removing extra icons and
disabling mouse actions. Run "chown root.root -R
~webuser/GNUstep/Defaults" and "chmod 555 -R
~webuser/GNUstep/Defaults" and "chattr +i -R
~webuser/GNUstep/Defaults"

Lock down Netscape with "chown root.root -R
~webuser/.netscape", "chmod 000
~webuser/.netscape/bookmarks.html
~webuser/.netscape/preferences.js" and "chattr +i
~webuser/.netscape/bookmarks.html
~webuser/.netscape/preferences.js". Mode 000 also
stops webuser from reading those files, so check
afterwards that Netscape still comes up with the proxy
settings and home page; if it does not, use mode 444
instead. It is the immutable flag that prevents
changes (even by root, until "chattr -i"), not the
mode.

Run "crontab -e" and add these lines:
59 23 * * * rm -f ~webuser/.netscape/bookmarks.html.*
59 23 * * * rm -Rf ~webuser/.netscape/cache/*
59 23 * * sat reboot

Run "crontab -e -u squid" and add these lines:
59 23 * * sun /etc/dansguardian/logrotation

Reboot and lock down the BIOS: disable booting from
floppy and CD-ROM, set a BIOS password, and keep the
boot disk you made somewhere safe. Also add "restricted"
and a "password=" line to /etc/lilo.conf, "chmod 600"
that file (the password is stored in clear) and rerun
/sbin/lilo; otherwise anyone at the keyboard can type
"linux single" at the LILO prompt and get a root shell,
bypassing everything above.

Test it out.




This archive was generated by hypermail 2b25 : Mon Nov 19 2001 - 01:40:24 EST