Starting at Fedora 11, Fedora now supports dansguardian, so you may use the dansguardian rpm package provided by Fedora.
[ Current Release: 184.108.40.206 ] for Fedora 20
I have built an rpm file of the newest version (220.127.116.11) for Fedora 20 and is available here.
I have also built an rpm file of this version for CentOS 5 and is available here.
Dansguardian And ClamAV
Here, I will describe the changes I made to dansguardian configuration files in order to connect and use ClamAV.
I am using ClamAV rpm files which I built myself, and if you are using a different ClamAV rpm to install, the location of your files might be different. So adjust accordingly. The ClamAV rpm files I built are available for download (download and install only clamav and clamav-server): Fedora 20 and CentOS5.
clamd runs as user(clamav):group(clamav), while dansguardian runs as user(nobody):group(nobody). The user:group clamd and dansguardian use are different, this need to be changed otherwise dansguardian is not able to connect to clamd.
The following is what I did so that dansguardian is able to use clamd to scan the incoming packets for virii.
1. Edit /etc/dansguardian/dansguardian.conf:
- uncomment: #contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf' (that is, delete the character #)
- uncomment and change: #daemonuser = 'nobody' ==> 'clamav'
- uncomment and change: #daemongroup = 'nobody' ==> 'clamav'
2. Edit /etc/dansguardian/contentscanners/clamdscan.conf:
- uncomment: #clamdudsfile = '/var/run/clamav/clamd.sock'
3. cd to /var/log and change the user:group of the directory dansguardian:
- cd /var/log
- chown -R clamav:clamav dansguardian
4. Restart dansguardian:
- systemctl restart dansguardian.service
There is no new release for dansguardian. But since I have upgraded our servers to Fedora 15, I wanted to build one for Fedora 15. Although the dansguardian rpm package for Fedora 13 works in Fedora 15 without any problem, nervertheless since Fedora 15 is now using systemd instead of SysV initscript, I wanted to build one that uses systemd service file.
You can download it here
This package has been compiled with support for anti-virus scanning: clamd (clamav), icap (Dr. Web ICAP) and kavd (Kaspersky).
If you want to enable this functionality you need to edit the following files:
1. Uncomment the one you want to use in /etc/dansguardian/dansguardian.conf:
#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
#contentscanner = '/etc/dansguardian/contentscanners/kavdscan.conf'
#contentscanner = '/etc/dansguardian/contentscanners/icapscan.conf'
2. Edit the corresponding config file that you need:
Note: Since I am not able to test the use of the anti-virus scanning in dansguardian, I can not guarantee that they will work.
In our school (St. Aloysius Technical School), we use one computer exclusively as a proxy server. We have configured all the computers in the computer classroom to connect to this proxy whenever the students browse the Internet. Everyday, after school, we open up the computer classroom to let the students use these computers. Quite a lot of students would come and enjoy what they call a "free" Internet Cafe! Of course, there is nothing wrong with this. Students, after school, come and by using these computers, hopefully, they can learn something. At the least, this keeps the students away from the streets doing things they should not be doing.
But we are an educational institution. We need to control what the students access in the Internet. But you can not say that because we are a school, therefore we have to control. Control, for the sake of control, is nonsense. But, precisely because we are a school, we care for our students, we care for the safety of our students. To control is to protect our students from the bad elements that are proliferating in the Internet. After all, our students are young and they have not yet developed the capacity to discern the good from the bad.
Here, I am introducing a proxy filter program, DansGuardian, that is small but very powerful. And the best part is that it is free for educational use. This prevents the students from accessing materials from the Internet that are not suitable for them.
Features of DansGuardian:
How to install DansGuardian? Below, I presume the following:
First, download the program. Currently, the latest version is:
You can go here:
to download the program. If you want an rpm package, I have built one for Fedora 13 which can be downloaded here
I am now also providing rpm packages for CentOS 5.5 which you can get here.
The installation procedure is quite simple.
Note: In executing ./configure, you need the parameter --prefix= otherwise the whole package will be installed in /usr/local/ which is not the default directory in Fedora 13.
After installation, you need to edit /etc/dansguardian/dansguardian.conf before you can start it:
DansGuardian uses 'ukenglish' as the default language. If you are using a different language, you need to change the configuration in /etc/dansguardian/dansguardian.conf to the language you need. For example, if you want to use Traditional Chinese as your language, change to: language = 'chinesebig5'.
Now, DansGuardian's installation is finished. To start the program:
1. To ensure that DansGuardian is started during boot:
chkconfig dansguardian on
2. Manually start DansGuardian:
service dansguardian start
DansGuardian is now running and is using port 8080.
And that's the problem. Squid is using port 3128. The computers used by the students are configured to connect to squid which means connect to port 3128. In this kind of configuration, DansGuardian becomes useless. The computers used must be configured to use port 8080 in order to use DansGuardian.
There are two solutions to this problem:
The first solution is to re-configure all the computers to connect to port 8080. This is a tall order and therefore not ideal.
The second solution is not to re-configure the computers to connect to port 8080, but rather "fool" the computers. The computers used by the students continue to connect to port 3128, but in reality they are automatically connected to 8080. How to "fool" these computers? Very simple, use iptables.
iptables is usually used in a firewall. But our proxy server does not use a firewall. It really does not matter. We can still use iptables, nevertheless.
We can use iptables for redirection. To redirect all tcp connections from port 3128 to port 8080, execute the following:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
And that's it!
Fr. Visminlu Vicente L. Chua, S.J.