[Nepal] Dansguardian

Prithak Sharma prithak at olenepal.org
Mon Oct 13 02:14:36 EDT 2008


Dear All,
Here is one way of blocking files using squid and I think this will not
be bypassed by the URL injection attack.
Speaking about dansguardian: if this vulnerability is not due to
misconfiguration then we need to upgrade to its latest release ASAP. First
let's make sure that we have configured it properly.

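# Define the ACL from the case-insensitive regexes in /etc/banned.list
acl blockeddownloads urlpath_regex -i "/etc/banned.list"
# Deny requests matching that ACL (the name must match the acl line above)
http_access deny blockeddownloads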

contents of /etc/banned.list

\.cab$
\.exe$
\.cab\?.*$
\.exe\?.*$

As you can see it's only a regex trick.

Prithak


On Mon, Oct 13, 2008 at 9:40 AM, Roshan Karki <roshan at olenepal.org> wrote:

>  Tony Anderson wrote:
>
> Hi, Bernie
>
> I am trying to make a usb stick which can be used to install XS on a
> server with minimum intervention by the installer.
>
> My first attempt is to use livecd-iso-to-disk to load the XS_0_4 image.
> I plan to add dansguardian and mysql rpms plus a backup of Moodle to the
> usb stick filesystem. I am developing a post-install Bash script which
> will run rpm on dansguardian and mysql, copy the moodle directories,
> restore the moodle database, and configure the system.
>
> The problem with dansguardian at the moment is setting up the iptables
> which also involves squid. The scheme should go something like this:
>
> (http://www.nyetwork.org/wiki/DansGuardian)
>
>      * XO user types in address in browser
>      * Computer (e.g. 172.18.0.244) creates TCP/IP packet and sends it
> to the default gateway (e.g. 172.18.0.1)
>      * The gateway sees this outgoing request, and sends it to the local
> port 127.0.0.1:8081
>      * DansGuardian is listening on localhost:8081
>      * DansGuardian filters the URL. If the URL is ok and passes PICS
> ratings, it sends the request to localhost:3128 which is Squid
>      * Squid requests the page from the Internet.
>
> [here the request (for an mp3 file) goes to 192.168.5.1, i.e. to
> dansguardian at olenepal, and if ok, dansguardian returns the page to 192.168.5.44 - the server on the WAN (eth0). What is probably happening
> is that the access denied page is being returned to the server]
>
>      * Squid returns page to DG
>      * DG filters page for bad words
>      * DG returns page to browser
>      * Browser shows the "Denied!" page or the normal web page
>
> I am at home so I can't give you the specifics of what I am entering
> now. In any case, it works in the sense that the XOs communicate with
> the internet. However, the traffic gets intercepted by olenepal's
> dansguardian, not the one on the server.
>
> Hopefully, Sunday I can set up a restriction on the server's
> dansguardian for a page which is ok by the olenepal dansguardian to see
> if this is what is happening.
>
> Tony
>
>
> -------- Original Message --------
> Subject: Re: Dansguardian
> Date: Fri, 10 Oct 2008 12:53:21 +0545
> From: Bryan Berry <bryan at olenepal.org>
> Organization: OLE Nepal
> To: Bernie Innocenti <bernie at codewiz.org>
> CC: Nepal <Nepal at lists.laptop.org>, Tony Anderson <tony_anderson at usa.net>, Prithak Sharma <prithak at olenepal.org>
> References: <48EE80E1.3020703 at codewiz.org>
>
> On Fri, 2008-10-10 at 00:08 +0200, Bernie Innocenti wrote:
>
>
>  Do you still plan to use Dans Guardian?
>
>
>  Absolutely, thanks.
>
> Bernie, meet Prithak Sharma. He is a super geek who will be working
> heavily on the XS and networking. Not only is he a linux geek, he is a
> FreeBSD geek! He will be starting full-time w/ us beginning Oct 19th,
> and has even started w/ Dansguardian during the current Dashain holiday.
>
> He is working w/ our other new volunteer, Tony Anderson aka "Master
> Yoda" on the XS. Tony is great, he is like you just a few years older ;)
>
>
>
>
>  I made a package for Fedora and I was pushing it through the review
> process back when I was at OLE, but it got stuck due to licensing
> concerns.
>
> Now the RH legal guy approved the package with a small change:
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=458643
>
> If it seems useful for the school server, I might do this remaining
> work to get it in Rawhide and maybe backport it to F10.
>
>
>
>  Do you guys know a simple url injection is bypassing dansguardian? For
> case in point, last week I was trying to download a bunch of .msi files
> for cygwin. As expected it was blocked by dansguardian. So I changed the URL
> from something like www.server.com/file.msi to
> www.server.com/file.msi?test=123.php and I downloaded a bunch of msi files.
>
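
The difference between a check that only looks at how the URL ends and the banned.list patterns from the message above, as an added example that is not part of the original thread. It assumes Squid tests urlpath_regex against the path plus query string, as the `\?` patterns imply; the function names and sample URLs are constructed, and `naive_suffix_filter` is a simplified model of the bypassed check, not DansGuardian's actual logic.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from /etc/banned.list on this page; squid's -i means case-insensitive.
BANNED_LIST = [r"\.cab$", r"\.exe$", r"\.cab\?.*$", r"\.exe\?.*$"]
BANNED_RES = [re.compile(p, re.IGNORECASE) for p in BANNED_LIST]


def path_and_query(url):
    """Part of the URL the regexes are tested against (assumed: path plus query)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.path + ("?" + parts.query if parts.query else "")


def naive_suffix_filter(url, exts=(".cab", ".exe")):
    """Simplified model of the bypassed check: block only if the whole URL ends in ext."""
    return url.lower().endswith(exts)


def banned_list_filter(url):
    """The page's squid rule: deny when any banned.list regex matches."""
    target = path_and_query(url)
    return any(r.search(target) for r in BANNED_RES)


# Constructed sample URLs (www.server.com is the placeholder host used in the thread).
SAMPLES = [
    "http://www.server.com/file.exe",                    # plain download
    "http://www.server.com/file.exe?test=123.php",       # query string appended
    "http://www.server.com/FILE.CAB?x=1",                # upper case plus query
    "http://www.server.com/index.php?name=setup.exe.txt",  # benign page
    # .msi, the type in the quoted report, is not in the list as posted:
    "http://www.server.com/file.msi?test=123.php",
]


def compare(urls=SAMPLES):
    """Return (url, blocked_by_naive_check, blocked_by_banned_list) per URL."""
    return [(u, naive_suffix_filter(u), banned_list_filter(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, listed in compare():
        print(f"naive={'DENY ' if naive else 'allow'} "
              f"banned.list={'DENY ' if listed else 'allow'}  {url}")
```

The last sample stays allowed under both checks, so every file type that must be blocked needs its own pair of patterns in banned.list.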