[Nepal] Dansguardian]

Roshan Karki roshan at olenepal.org
Mon Oct 13 02:16:32 EDT 2008


Prithak Sharma wrote:
>
> Dear All,
> Here is one way of blocking files using squid and I think this will 
> not be bypassed by the URL injection attack.
> Speaking about dansguardian: if this vulnerability is not due to 
> misconfiguration then we need to upgrade to its latest release ASAP. 
> First let's make sure that we have configured it properly.
>
> acl blockeddownloads urlpath_regex -i "/etc/banned.list"
> http_access deny blockeddownloads
>
> contents of /etc/banned.list
>
> \.cab$
> \.exe$
> \.cab\?.*$
> \.exe\?.*$
>  
> As you can see it's only a regex trick.
>
> Prithak
>   
>
> On Mon, Oct 13, 2008 at 9:40 AM, Roshan Karki <roshan at olenepal.org> wrote:
>
>     Tony Anderson wrote:
>>     Hi, Bernie
>>
>>     I am trying to make a usb stick which can be used to install XS on a 
>>     server with minimum intervention by the installer.
>>
>>     My first attempt is to use livecd-iso-to-disk to load the XS_0_4 image. 
>>     I plan to add dansguardian and mysql rpms plus a backup of Moodle to the 
>>     usb stick filesystem. I am developing a post-install Bash script which 
>>     will run rpm on dansguardian and mysql, copy the moodle directories, 
>>     restore the moodle database, and configure the system.
>>
>>     The problem with dansguardian at the moment is setting up the iptables 
>>     which also involves squid. The scheme should go something like this:
>>
>>     (http://www.nyetwork.org/wiki/DansGuardian)
>>
>>          * XO user types in address in browser
>>          * Computer (e.g. 172.18.0.244) creates TCP/IP packet and sends it 
>>     to the default gateway (e.g. 172.18.0.1)
>>          * The gateway sees this outgoing request, and sends it to the local 
>>     port 127.0.0.1:8081
>>          * DansGuardian is listening on localhost:8081
>>          * DansGuardian filters the URL. If the URL is ok and passes PICS 
>>     ratings, it sends the request to localhost:3128 which is Squid
>>          * Squid requests the page from the Internet.
>>
>>     [here the request (for an mp3 file) goes to 192.168.5.1, i.e. to 
>>     dansguardian at olenepal, and if ok, dansguardian returns the page to 
>>     192.168.5.44 - the server on the WAN (eth0). What is probably happening 
>>     is that the access denied page is being returned to the server]
>>
>>          * Squid returns page to DG
>>          * DG filters page for bad words
>>          * DG returns page to browser
>>          * Browser shows the "Denied!" page or the normal web page
>>
>>     I am at home so I can't give you the specifics of what I am entering 
>>     now. In any case, it works in the sense that the XOs communicate with 
>>     the internet. However, the traffic gets intercepted by olenepal's 
>>     dansguardian, not the one on the server.
>>
>>     Hopefully, Sunday I can set up a restriction on the server's 
>>     dansguardian for a page which is ok by the olenepal dansguardian to see 
>>     if this is what is happening.
>>
>>     Tony
>>
>>
>>     -------- Original Message --------
>>     Subject: Re: Dansguardian
>>     Date: Fri, 10 Oct 2008 12:53:21 +0545
>>     From: Bryan Berry <bryan at olenepal.org>
>>     Organization: OLE Nepal
>>     To: Bernie Innocenti <bernie at codewiz.org>
>>     CC: Nepal <Nepal at lists.laptop.org>, Tony Anderson 
>>     <tony_anderson at usa.net>, Prithak Sharma <prithak at olenepal.org>
>>     References: <48EE80E1.3020703 at codewiz.org>
>>
>>     On Fri, 2008-10-10 at 00:08 +0200, Bernie Innocenti wrote:
>>       
>>>     Do you still plan to use Dans Guardian?
>>>         
>>     Absolutely, thanks.
>>
>>     Bernie, meet Prithak Sharma. He is a super geek who will be working
>>     heavily on the XS and networking. Not only is he a linux geek, he is a
>>     FreeBSD geek! He will be starting full-time w/ us beginning Oct 19th,
>>     and has even started w/ Dansguardian during the current Dashain holiday.
>>
>>     He is working w/ our other new volunteer, Tony Anderson aka "Master
>>     Yoda" on the XS. Tony is great, he is like you just a few years older ;)
>>
>>
>>       
>>>     I made a package for Fedora and I was pushing it through the review 
>>>     process back when I was at OLE, but it got stuck due to licensing 
>>>     concerns.
>>>
>>>     Now the RH legal guy approved the package with a small change:
>>>
>>>        https://bugzilla.redhat.com/show_bug.cgi?id=458643
>>>
>>>     If it seems useful for the school server, I might do this remaining 
>>>     work to get it in Rawhide and maybe backport it to F10.
>>>
>>>         
>     Do you guys know a simple URL injection is bypassing
>     dansguardian? Case in point: last week I was trying to
>     download a bunch of .msi files for cygwin. As expected, it was
>     blocked by dansguardian. So I changed the URL from something like
>     www.server.com/file.msi to
>     www.server.com/file.msi?test=123.php and I downloaded a
>     bunch of msi files.
>
>
Instead of blocking them, I suggest using delay pools on squid.
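
Added example (not part of the original messages and not Squid's own code): a small audit of the quoted `/etc/banned.list` patterns against constructed URLs, comparing them with a suffix-only list to show why the `\?.*$` variants matter. It assumes that `urlpath_regex` is matched against the URL path including the query string, and uses Python's `re` as a stand-in for Squid's regex engine; `example.com` and the helper names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Patterns from /etc/banned.list as quoted in the thread.
BANNED_LIST = [r"\.cab$", r"\.exe$", r"\.cab\?.*$", r"\.exe\?.*$"]
# Suffix-only subset: a filter that only looks at the very end of the URL.
SUFFIX_ONLY = [r"\.cab$", r"\.exe$"]


def url_path(url):
    """Return path plus query string (assumed input of urlpath_regex)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def is_denied(url, patterns):
    """Emulate 'urlpath_regex -i' with 'http_access deny': any match denies."""
    target = url_path(url)
    return any(re.search(p, target, re.IGNORECASE) for p in patterns)


def audit(urls, patterns):
    """Map each URL to True (denied) or False (allowed) under the list."""
    return {u: is_denied(u, patterns) for u in urls}


# Constructed sample requests; example.com is a placeholder host.
SAMPLES = [
    "http://example.com/setup.exe",
    "http://example.com/SETUP.EXE",
    "http://example.com/setup.exe?test=123.php",
    "http://example.com/update.cab?x=1",
    "http://example.com/index.html",
    # The extension from the original report is not in the quoted list.
    "http://example.com/file.msi?test=123.php",
]

if __name__ == "__main__":
    for name, pats in (("suffix-only", SUFFIX_ONLY), ("banned.list", BANNED_LIST)):
        print(name)
        for url, denied in audit(SAMPLES, pats).items():
            print(f"  {'DENY ' if denied else 'ALLOW'} {url}")
```

The last sample stays allowed under both lists because the quoted `banned.list` covers only `.cab` and `.exe`; each extra extension needs both the `$` and the `\?.*$` form.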

