
HOWTO: Implement an IPCOP/Cop+ Dansguardian Bypass Password

11/15/07

Permalink 12:00:06 am by guy, Categories: IPCop

The original intent I had in setting up my IPCop firewall PC was to implement a content filtering system for my kids. I’m not too worried they would look for “bad” stuff, but that they might stumble upon it by mistake. I have discussed IPCop and DansGuardian in previous blog entries (1, 2). Here I will attempt to describe not how to install DansGuardian, but how to enable a way for you to allow bypassing it as you see fit. This is for the situation where you want to protect the kids (or whoever else), but you don’t want to inhibit full access to the internet by certain others (yourself?).

DansGuardian can be quite aggressive in blocking some sites depending on how you have it set up, but hey, you are an adult and you are the parent, so why should you ever have to be blocked? There are various ways you can configure DansGuardian to allow access to sites:

  • You can edit the /etc/dansguardian/exceptioniplist file to allow a specific IP or IPs full access. This works well, but assumes that you have a static IP and that you aren’t sharing the same computer with the kids.
  • You can edit the /etc/dansguardian/exceptionsitelist file and add individual sites that you want unblocked. This works, but can be tedious to maintain. It also assumes that you want these individual sites unblocked for everyone.
  • You can edit the /etc/dansguardian/exceptionuserlist file and add users that you don’t want blocked. I’ve never tried this, but I believe it requires an IDENT server on each client PC.
  • I’m sure there are MANY other methods in between, each with its own pluses and minuses.
  • My way. Well, not really mine, I just hacked what someone else had already done for smoothwall to work with IPCop and Cop+. Here is the best link I can find to the original work. I had a hard time re-finding this: DGBypass for Smoothwall mod

My way is to display the normal DansGuardian blocked page, but to edit it to include a password text box.


This method lets a user with a valid password bypass the block, but still creates log files that allow the admin to see which password/user accessed which sites.

This is what I did. Again, this is essentially a modification of the smoothwall mod. I’m not very comfortable with Linux yet and creating the installer was quite a challenge for me, but I decided I would make it available to anyone who is interested. I don’t have time to support it, but if you want to post a comment here I’ll try to follow up.

Here are the steps to install this mod:

  1. Install IPCop - Duh!
  2. Install the Addons Server
  3. Install the DansGuardian Cop+ mod. Once you have this installed you have DansGuardian. This is the starting point for this mod on top of that mod… NOTE: It may be a bit tricky to get this mod working on IPCop versions greater than 1.4.13, but it does work (I tested on 1.4.16) and there are instructions on the Cop+ site on how to fix it.

At this point you should have a functional IPCop install with Cop+ (DansGuardian). Make sure it is working as expected before proceeding! Here I need to insert the standard super-duper disclaimer/warning. The following steps are at your own risk (actually ALL the steps are at your own risk)! This is the stuff that I hacked together to install this mod without it being completely manual. The install is automated using a shell script that I modified from the original author. Keep in mind that I am NOT a Linux guy so it could easily go awry. One option if you are nervous may be to peruse the script file and get comfortable with what it is doing or even to do the steps yourself. None of it is super complex. Also note, THERE IS NO UNINSTALL SCRIPT!

  1. Copy DGBypass.tar to a working directory on your IPCop computer. I created /root/DGBypass and copied it there. You can do this using WinSCP.
  2. Use PuTTY to login to your IPCop PC as the root user.
  3. Change to the directory where you copied the DGBypass.tar file
  4. Execute the following command
    tar vxf DGBypass.tar
  5. You should now have the following files in the directory:
    root@ipcop:~/DGBypass # ls -ls
    total 44
    4 -rw-r--r-- 1 root root 3091 2007-11-14 22:34 DGBypass.bz2
    4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.bz2.md5
    4 -rw-r--r-- 1 root root 144 2007-05-18 00:09 dgbypass.logrotate
    20 -rw-r--r-- 1 root root 20480 2007-11-14 22:34 DGBypass.tar
    4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.tar.md5
    8 -rwxr--r-- 1 root root 5527 2007-11-14 22:32 install-dgbypass.sh
  6. Execute the install script:
    ./install-dgbypass.sh
    Note that you will be asked to enter a number of minutes that your bypass will be effective after entering a valid password. I used 15.
  7. Take a look at the output from running the script; hopefully you have no errors. Note that the output below is from me RE-installing, so yours may look different.
    root@ipcop:~/DGBypass # ./install-dgbypass.sh
    Backing up existing DG Stop template... Already done
    Checking archive integrity... perfect!
    Extracting files... done!
    Checking for DGBypass.cgi... Got it :)
    Checking for denied.html... Got it :)
    Checking for template.html... Got it :)
    Extracted Green IP. Green IP is 192.168.2.254Modifying template.html... Green IP updated.
    Modifying passwords.cgi... Green IP updated.
    How many minutes do you want the bypass link to be valid for? 15
    Modifying bypass time value in dansguardianf1.conf file
    Already on and set to 900 seconds.
    Restarting DansGuardian
    Shutting down dansguardian: [ OK ]
    Starting dansguardian: [ OK ]
    Modifying logrotate.conf... File already updated
    done!
  8. Be aware that at the end of the script it will restart DansGuardian. On my test machine (800 MHz, 256 MB) this took upwards of 2 minutes, so don’t cancel out!
  9. Done!
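
The download includes .md5 files that the steps above never use. A pre-flight check that could run before step 4, added here as an example (it is not part of the original post or of the DGBypass installer): it verifies the tar against its digest and refuses archives whose members would land outside the working directory. It assumes DGBypass.tar.md5 is in md5sum's "hash  filename" format and sits beside the tar; `check_archive` is a hypothetical helper name and the demo archive is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check before unpacking a downloaded tar as root.
# check_archive is a hypothetical helper; it expects DIR/ARCHIVE and
# DIR/ARCHIVE.md5, the latter in md5sum's "hash  filename" format (assumed).
check_archive() (
    cd "$1" || exit 2
    # 1. The digest must match the accompanying .md5 file.
    md5sum -c "$2.md5" >/dev/null 2>&1 || { echo "checksum mismatch"; exit 1; }
    # 2. No member may carry an absolute path or a ".." component, either of
    #    which could place files outside the working directory on extraction.
    if tar tf "$2" 2>/dev/null | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path"; exit 1
    fi
    echo "ok"
)

# Constructed stand-in for DGBypass.tar so the demo runs offline.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
(
    cd "$work" || exit 1
    echo 'echo placeholder' > install-dgbypass.sh
    tar cf DGBypass.tar install-dgbypass.sh
    md5sum DGBypass.tar > DGBypass.tar.md5
)

check_archive "$work" DGBypass.tar            # intact archive
printf 'x' >> "$work/DGBypass.tar"            # simulate a damaged transfer
check_archive "$work" DGBypass.tar || true    # now rejected
```

A matching MD5 only shows the file was not damaged in transfer. The digest comes from the same download as the archive, so it says nothing about who built it, and reading install-dgbypass.sh before running it is still the real check.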

Here is a quick overview of what the installer does.

  • Backs up your existing /etc/dansguardian/languages/ukenglish/template.html file
  • Extracts the following files:
    /home/httpd/html/denied.html
    /home/httpd/html/DGBypass.cgi
    /home/httpd/DGBypassPasswords.txt
    /var/log/dansguardian/dgbypass.log
    /etc/dansguardian/languages/ukenglish/template.html
  • Verifies that the files got extracted successfully to the right places
  • Extracts the IPCop PC’s Green IP address from /var/ipcop/ethernet/settings
  • Inserts the extracted IP into the template.html file for use in the bypass password validation
  • Inserts the extracted IP into the passwords.cgi file for use in the bypass password validation
  • Inserts the user specified bypass timeout into the /etc/dansguardian/dansguardianf1.conf file
  • Restarts DansGuardian
  • Modifies the /etc/logrotate.conf file to configure automatic rotation of the bypass log files.
  • Deletes temporary files

I didn’t modify the IPCop GUI to support editing of the DGBypassPasswords.txt file, so if you want to change the passwords you will need to edit it by hand. It is located at /home/httpd/DGBypassPasswords.txt. This is what the file looks like:
    # User/Password list for DGBypass addon
    # format is password,username
    # note that username is NOT entered by the user, but is used for logging only
    # so you would give out a password to a user and assign a username that will allow you to
    # identify who is using the bypass by reviewing the log files (in /var/log/dansguardian/)
    # if ident is available then this is unnecessary because the ident username will also show up
    # in the log files.
    bypass,admin
    otherpass,admin

Note that the passwords above are not the ones in the scripted install.
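
A check for the file described above, added here as an example (it is not part of the original post or of the DGBypass package): it parses the password,username format and flags entries that weaken the bypass or its audit trail, such as the two sample lines that both map to the username admin. It assumes a comma never appears inside a password; the function name `audit_dgbypass_passwords`, the 8-character default and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a DGBypass password list ("password,username" lines,
# '#' comments). audit_dgbypass_passwords is a hypothetical helper name.
# Findings print as "<line>: <problem>"; passwords are never echoed.
# Usage: audit_dgbypass_passwords FILE [MIN_LENGTH]
audit_dgbypass_passwords() {
    awk -F',' -v minlen="${2:-8}" '
        { sub(/\r$/, "") }              # tolerate CRLF from Windows editors
        /^[ \t]*(#|$)/ { next }         # skip comments and blank lines
        NF != 2 || $1 == "" || $2 == "" {
            print NR ": malformed entry (expected password,username)"; next
        }
        {
            if ($1 == "bypass" || $1 == "otherpass")
                print NR ": sample password from the published example"
            if (length($1) < minlen)
                print NR ": password shorter than " minlen " characters"
            if ($1 in pw)
                print NR ": same password as line " pw[$1]
            else
                pw[$1] = NR
            # One username per password keeps the logged name tied to one person.
            if ($2 in user)
                print NR ": username \"" $2 "\" already used on line " user[$2]
            else
                user[$2] = NR
        }
    ' "$1"
}

# Constructed sample in the format shown above (not the real installed file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# User/Password list for DGBypass addon
bypass,admin
otherpass,admin
a-long-constructed-passphrase,guy
nousername
EOF
audit_dgbypass_passwords "$sample"
```

On the real system the argument would be /home/httpd/DGBypassPasswords.txt.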

All bypass activity is logged, but again, I did not modify the GUI to view these logs. The logs are in the following location: /var/log/dansguardian/dgbypass.log. You can edit the /etc/logrotate.conf file to change how the log files are retained and rotated.

Download DGBypass.tar
Download zip file with tar and md5 signature DGBypass.zip

10 comments

Comment from: db [Visitor]
tnx!

if you kinda track how DG works, this can be bent to work on non-IPCop DG installs too. the info was great and made the tweaks a lot easier to work out. thanks again

--d
08/14/08 @ 02:37
Comment from: Jay [Visitor]
Has anyone got this guide but for DG and Squid?

thanks ;)
08/29/08 @ 05:19
Comment from: Jason Daniel [Visitor]
I am having an extremely hard time accessing IPCop from the GUI once connected using a crossover cable to my PC. I am prompted once I put in 192.168.1.1:81 in my browser. I get the tabs, once I access any of the menus for the tabs, I get a login screen requesting username and password, I put it in but it is not accepted.

When I sit down to the box and log in to the box I can access with the username and password that I am trying through the browser. Any ideas on how to get past this or fix it? Please advise.

Jason
09/22/08 @ 11:16
Comment from: guy [Member] Email
Are you using the 'root' username and password? It has been a while since I did a clean install, but I believe that you would use the password for 'admin', not root. I just tried and root is not able to login to the GUI, only the console or through an SSH session.

If this is the case then try logging into the console using 'root' and then, once logged in, type 'setup'. This will put you into the console setup application where you can reset the 'admin' password.

Good luck.
09/23/08 @ 00:08
Comment from: guy [Member] Email
If the above doesn't work then you might try posting to the IPCop mailing list. That is where the experts are.

http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopSupport and then subscribe to the 'User' list and post your question.
09/23/08 @ 00:12
Comment from: Mark [Visitor] Email
Thanks for this, this is a great solution. I am trying this on Ubuntu, with Squid and Dansguardian. So far so good. Just confused on the DGBypass.cgi and the use of port number 81. Where is that set? Is that in Apache?
11/05/08 @ 13:03
Comment from: Humorme2003 [Visitor] · http://www.rebelresistance.org
Thank you for walking me through this, works nice. Would be pretty cool to have some links in the GUI but I can probably add them myself.
03/11/09 @ 00:33
Comment from: yin yoga [Visitor] · http://www.yin-yoga.net
informative post to read!!!
01/13/10 @ 08:07
Comment from: slava [Visitor] · http://skillsearch.ca
Thank you for this tutorial, everything is working very well.
02/01/10 @ 23:15
Comment from: stefan [Visitor]
It seems to work, but I can't get the bypass section to appear on my "access denied" page. Maybe something to do with Dutch computers?
09/06/10 @ 10:17
