
HOWTO: Implement an IPCOP/Cop+ Dansguardian Bypass Password


Permalink 12:00:06 am by guy, Categories: IPCop

The original intent I had in setting up my IPCop firewall PC was to implement a content filtering system for my kids. I’m not too worried they would look for “bad” stuff, but that they might stumble upon it by mistake. I have discussed IPCop and DansGuardian in previous blog entries (1, 2). Here I will attempt to describe not how to install DansGuardian, but how to enable a way for you to allow bypassing it as you see fit. This is for the situation where you want to protect the kids (or whoever else), but you don’t want to inhibit full access to the internet by certain others (yourself?).

DansGuardian can be quite aggressive in blocking some sites depending on how you have it set up, but hey, you are an adult and you are the parent, so why should you ever have to be blocked? There are various ways you can configure DansGuardian to allow access to sites.

  • You can edit the /etc/dansguardian/exceptioniplist file to allow a specific IP or IPs full access. This works well, but assumes that you have a static IP and that you aren’t sharing the same computer with the kids.
  • You can edit the /etc/dansguardian/exceptionsitelist file and add individual sites that you want unblocked. This works, but can be tedious to maintain. It also assumes that you want these individual sites unblocked for everyone.
  • You can edit the /etc/dansguardian/exceptionuserlist file and add users that you don’t want blocked. I’ve never tried this, but I believe it requires an IDENT server on each client PC.
  • I’m sure there are MANY other methods in between, each with its own pluses and minuses.
  • My way. Well, not really mine, I just hacked what someone else had already done for smoothwall to work with IPCop and Cop+. Here is the best link I can find to the original work. I had a hard time re-finding this: DGBypass for Smoothwall mod

My way is to display the normal DansGuardian blocked page but to edit it to include a password text box.

This method lets a user with a valid password bypass the block, but still creates log files that allow the admin to see which password/user accessed which sites.

This is what I did. Again, this is essentially a modification of the smoothwall mod. I’m not very comfortable with Linux yet and creating the installer was quite a challenge for me, but I decided I would make it available to anyone who is interested. I don’t have time to support it, but if you want to post a comment here I’ll try to follow up.

Here are the steps to install this mod:

  1. Install IPCop - Duh!
  2. Install the Addons Server
  3. Install the DansGuardian Cop+ mod. Once you have this installed you have DansGuardian; this is the starting point for this mod on top of that mod. NOTE: It may be a bit tricky to get this mod working on IPCop versions greater than 1.4.13, but it does work (I tested on 1.4.16) and there are instructions on the Cop+ site on how to fix it.

At this point you should have a functional IPCop install with Cop+ (DansGuardian). Make sure it is working as expected before proceeding! Here I need to insert the standard super-duper disclaimer/warning. The following steps are at your own risk (actually ALL the steps are at your own risk)! This is the stuff that I hacked together to install this mod without it being completely manual. The install is automated using a shell script that I modified from the original author. Keep in mind that I am NOT a Linux guy so it could easily go awry. One option if you are nervous may be to peruse the script file and get comfortable with what it is doing or even to do the steps yourself. None of it is super complex. Also note, THERE IS NO UNINSTALL SCRIPT!

  1. Copy DGBypass.tar to a working directory on your IPCop computer. I created /root/DGBypass and copied it there. You can do this using WinSCP.
  2. Use PuTTY to login to your IPCop PC as the root user.
  3. Change to the directory where you copied the DGBypass.tar file
  4. Execute the following command
    tar vxf DGBypass.tar
  5. You should now have the following files in the directory:
    root@ipcop:~/DGBypass # ls -ls
    total 44
    4 -rw-r--r-- 1 root root 3091 2007-11-14 22:34 DGBypass.bz2
    4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.bz2.md5
    4 -rw-r--r-- 1 root root 144 2007-05-18 00:09 dgbypass.logrotate
    20 -rw-r--r-- 1 root root 20480 2007-11-14 22:34 DGBypass.tar
    4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.tar.md5
    8 -rwxr--r-- 1 root root 5527 2007-11-14 22:32 install-dgbypass.sh
  6. Execute the install script (install-dgbypass.sh; the invocation appears in the sample output in the next step).
    Note that you will be asked to enter the number of minutes that your bypass will be effective after entering a valid password. I used 15.
  7. Take a look at the output from running the script; hopefully you have no errors. Note that the output below is from me RE-installing, so yours may look different.
    root@ipcop:~/DGBypass # ./install-dgbypass.sh
    Backing up existing DG Stop template... Already done
    Checking archive integrity... perfect!
    Extracting files... done!
    Checking for DGBypass.cgi... Got it :)
    Checking for denied.html... Got it :)
    Checking for template.html... Got it :)
    Extracted Green IP. Green IP is template.html... Green IP updated.
    Modifying passwords.cgi... Green IP updated.
    How many minutes do you want the bypass link to be valid for? 15
    Modifying bypass time value in dansguardianf1.conf file
    Already on and set to 900 seconds.
    Restarting DansGuardian
    Shutting down dansguardian: [ OK ]
    Starting dansguardian: [ OK ]
    Modifying logrotate.conf... File already updated
  8. Be aware that at the end of the script it will restart DansGuardian. On my test machine (800mhz 256meg) this took upwards of 2 minutes, so don’t cancel out!
  9. Done!

Here is a quick overview of what the installer does.

  • Backs up your existing /etc/dansguardian/languages/ukenglish/template.html file
  • Extracts the following files:
  • Verifies that the files got extracted successfully to the right places
  • Extracts the IPCop PC’s Green IP address from /var/ipcop/ethernet/settings
  • Inserts the extracted IP into the template.html file for use in the bypass password validation
  • Inserts the extracted IP into the passwords.cgi file for use in the bypass password validation
  • Inserts the user specified bypass timeout into the /etc/dansguardian/dansguardianf1.conf file
  • Restarts DansGuardian
  • Modifies the /etc/logrotate.conf file to configure automatic rotation of the bypass log files.
  • Deletes temporary files

I didn’t modify the IPCop GUI to support editing of the DGBypassPasswords.txt file, so if you want to change the passwords you will need to edit it by hand. It is located at /home/httpd/DGBypassPasswords.txt. This is what the file looks like:
    # User/Password list for DGBypass addon
    # format is password,username
    # note that username is NOT entered by the user, but is used for logging only
    # so you would give out a password to a user and assign a username that will allow you to
    # identify who is using the bypass by reviewing the log files (in /var/log/dansguardian/)
    # if ident is available then this is unnecessary because the ident username will also show up
    # in the log files.

Note that the passwords above are not the ones in the scripted install.
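
Since the file is edited by hand and the username exists only to label log entries, it is worth checking after every change. The script below is an added example, not part of the DGBypass mod or the original post: it flags malformed lines, short passwords, one password assigned to two usernames, and a file readable by every local account. The 8-character minimum, the function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a DGBypass password file (format: password,username).
# MIN_LEN and the function names are assumptions, not part of the DGBypass mod.
MIN_LEN=8

# Print one finding per line; print nothing if the file is clean.
# Passwords themselves are never echoed, only line numbers and usernames.
audit_entries() {
    awk -F',' -v min="$MIN_LEN" '
        { sub(/\r$/, "") }                  # tolerate files saved with CRLF
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        NF != 2 || $1 == "" || $2 == "" {
            printf "line %d: malformed entry (expected password,username)\n", NR
            next
        }
        length($1) < min {
            printf "line %d: password for %s shorter than %d\n", NR, $2, min
        }
        # The log attributes a bypass to whichever username owns the typed
        # password, so one password on two lines makes the log ambiguous.
        ($1 in seen) {
            printf "line %d: %s shares a password with %s\n", NR, $2, seen[$1]
            next
        }
        { seen[$1] = $2 }
    ' "$1"
}

# Exit status 0 if the "other" class has read permission on the file.
other_readable() {
    perms=$(ls -ld "$1" | cut -c8)
    [ "$perms" = "r" ]
}

# Constructed sample file; these are not the installer passwords.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# format is password,username
correct-horse-battery,dad
abc,mom
correct-horse-battery,guest
no-comma-here
EOF
chmod 644 "$sample"

audit_entries "$sample"
if other_readable "$sample"; then
    echo "password file is readable by every local account"
fi
```

On the IPCop box, point `audit_entries` and `other_readable` at /home/httpd/DGBypassPasswords.txt instead of the sample file.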

All bypass activity is logged, but again, I did not modify the GUI to view these logs. The logs are in the following location: /var/log/dansguardian/dgbypass.log. You can edit the /etc/logrotate.conf file to change how the log files are retained and rotated.

Download DGBypass.tar
Download zip file with tar and md5 signature DGBypass.zip
