
Content Filtering

Because setting up Parental Controls on Ubuntu is more difficult than it should be, I have included the following instructions about how I did it.  It looks complex, but it's easy really!

This is a multi-layered solution that is transparent to users, and therefore pretty secure.  It also 'just works' for all users on each PC once set up, and is difficult to get around without Administrator status.

1. OpenDNS

I use OpenDNS as the main filter ... it filters out most of the material that my children shouldn't need to see.

a. Sign up to OpenDNS and change your DNS Settings

    Simple solution:
  1. Go to https://store.opendns.com/familyshield/
  2. Sign up to OpenDNS [important ... you will not get full filtering unless signed up]
  3. Follow the instructions for installing on your router (best solution), OR on each PC

    More configurable solution:
  1. Go to http://www.opendns.com/start/
  2. Sign up to OpenDNS [important ... you will not get full filtering unless signed up]
  3. Select the SignUp button for OpenDNS Basic
  4. Follow the router set-up instructions for your router (best solution) OR the PC set-up instructions for each PC

b. Turning on OpenDNS filtering

This means you are now working through OpenDNS, but you have still not told OpenDNS which router IP address it should filter for.  If you are fortunate, you may have a router that allows you to tell OpenDNS what IP it is running on.  If you do not have a router like that, we need each PC on the network that could be turned on independently of the others to do this job for us.  In order to do this we will set up a small program that periodically 'tells' OpenDNS what IP address your router is on currently.  We will use ddclient to do this:
  • From the Ubuntu Software Centre, install ddclient.  The installer will ask you some questions.  You can leave the various questions with their default values, or blank, because we will enter these details directly.
  • Configure ddclient using an editor: sudo gedit /etc/ddclient.conf
  • Edit the file to ensure it looks like this (if you are using the wireless connection) ... replace each <...> placeholder, including the angle brackets, with your own details, and make sure you leave the single quotes around the password string:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
ssl=yes
use=if, if=wlan0
server=updates.opendns.com
protocol=dyndns2
login=<your opendns username (not the email address you use to log in)>
password='<your opendns password>'
  • Save the file and restart ddclient by typing:   sudo /etc/init.d/ddclient restart
  • If there are errors from this command, check over your configuration file to ensure that you have entered your login and password correctly and try to restart once again.
Note: ddclient needs to be installed and configured on each PC you want filtering to be active on.

c. Setting up the Filter

You now need to set up the Filter categories you want to filter if you are not using FamilyShield.  To do this:

  1. Go to the OpenDNS website page, click 'Dashboard' at the top of the page, then click 'Settings' on that page
  2. You will need to give a name to your current network that OpenDNS has detected.  To do this:
    1. Look to the top of the page.  You will see there some small text that says 'Your current IP is: xx.xx.xx.xx'.
    2. Enter this IP address into the four boxes by the label 'IP' under the title 'Add a network'
    3. Select the 'Add this network' button
  3. Once your network is added, you will either be directed to a page where you can configure the filter, or you can get there on successive visits by, on the 'Settings' page, going to the 'Your networks' box and clicking on the IP address of your network.
  4. On the Network Settings page, choose the filtering you want to have for your family network.  When you are happy with your selection, save it using the 'Apply' button.
  5. If you wish, you can add extra protection against Malware and various bots by selecting the 'Security' page on the left menu and choosing options on that page.
  6. Finally, [and this is important] go to the 'Advanced Settings' page in the left menu and tick the box to turn on 'Dynamic IP Update'

d. Configuring your 'network settings'

Note ... this is not the ideal way to set things up.  If your router has a means of setting the DNS settings on the router, then configure these settings on the router.  The DNS settings cannot then be bypassed by your users.  However, if you have no other option, use the following procedure (on Ubuntu):

  1. Go to the Network icon on the Panel, right click the mouse to raise the menu, and choose 'Edit Network Connections'
  2. In the window that appears (entitled 'Network Connections'), find the connection entry under 'Wired' and/or 'Wireless' that your PC normally connects with.  Select this connection and click on the 'Edit' button to the right hand side of the tab.
  3. In the window that appears (entitled 'Editing ...' with the name of your Network connection), go to the IPv4 settings tab.  In that tab, locate the 'DNS Servers' text boxes.
  4. If the 'DNS Servers' text boxes are greyed out, you will need to change the 'Method' drop-down at the top of the tab from 'Automatic' to 'Automatic (DHCP) addresses only', and the 'DNS servers' text box will become available.
  5. In the 'DNS Servers' text box add the following settings: 208.67.222.222, 208.67.220.220 
  6. Now, click on the 'Save' button.  This will save the new DNS settings that direct all your network traffic through OpenDNS, and therefore also through their filters!
You are now fully configured!

They suggest you wait at least 3 minutes for your details to push through to their active servers.  Once you have waited, you can check that OpenDNS is protecting you by trying to access their test page at: http://www.exampleadultsite.com/

Usually the configuration you choose initially will turn out to be too strict.  As you find out what you want and don't want, you can configure it further using the Filter configuration pages, adding or removing categories and adding or removing exceptions.

2. Dansguardian and Privoxy

Dansguardian provides a further layer of protection. In some ways it is duplicating what OpenDNS already does well. But, what it does do that OpenDNS does not is ensure that Google and other search engines will always use SafeSearch.

Dansguardian is the bit that does the filtering.  But it needs a Proxy server to work.  We therefore firstly have to install the proxy, then install DansGuardian, and then set things up so that all web page connections automatically use the filters without needing other modifications, and so that only a user with administrative rights can change this.

We will take this in easy steps, testing to ensure things work as we go along.  Again, it looks lengthy, but it only takes about 10 minutes to do and is pretty straightforward.

a. Install Privoxy

I am using Privoxy because it is more lightweight than the usual proxy, called Squid, and much more reliable than the next most commonly recommended, called Tinyproxy.  None of this installation will slow down your browsing experience.

  1. In the Ubuntu Software Centre, search for and install Privoxy
  2. Edit the Privoxy settings file to configure Privoxy:  sudo gedit /etc/privoxy/config
    • Search for the phrase listen-address:
    • Change the entry to read:  listen-address  127.0.0.1:3128
  3. Save the file, and restart privoxy by typing in the following command:
sudo /etc/init.d/privoxy stop
sudo /etc/init.d/privoxy start

You can test to see if privoxy is working by changing the connection settings in your browser to 'Manual proxy settings' with the settings for HTTP set as:  IP:  localhost  port: 3128.   If you then type http://p.p/ in your browser address bar you will see the Privoxy page loaded.  Make sure that you change the browser setting back to normal afterwards.

b. Install Dansguardian

  1. In the Ubuntu Software Centre, search for and install DansGuardian
  2. Edit the DansGuardian configuration file:  sudo gedit /etc/dansguardian/dansguardian.conf
  3. Go down to the line which has the word UNCONFIGURED and change it to #UNCONFIGURED
  4. Save the file, and restart dansguardian by typing in the following commands in a terminal:
sudo /etc/init.d/dansguardian stop
sudo /etc/init.d/dansguardian start

You can test to see if dansguardian is working in a similar way to testing privoxy ... change the connection settings in your browser to 'Manual proxy settings' with the settings for HTTP set as:  IP:  localhost  port: 8080.   If you then try to access the OpenDNS test site: http://www.exampleadultsite.com/ in your browser address bar you will see the DansGuardian site blocking page loaded.  Make sure that you change the browser setting back to normal afterwards.

c. Redirect all Web requests so that all Web Pages go through the filter

This step ensures that the filter is now operational for all users on all browsers.

In a terminal window, type the following three commands exactly as they appear here:

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080

The first line allows the root administrator through everything so that we can use updates and software centre as root without having the filter in the way.  The second line redirects all users (other than root) so that they cannot directly connect to the proxy without going through dansguardian, and the third line redirects everything else which is not specifically calling privoxy through dansguardian.  (Many thanks to http://blog.bodhizazen.net/linux/how-to-transparent-proxy/, from whom I got this information.)

If you get any of these lines wrong, simply repeat the errant command replacing the -A with -D to delete what you just added, and then add the correct version of the line.

You can test that everything now works together as follows:
    In any browser window type: http://p.p/, and you should see the privoxy header page
    In any browser window type: http://www.exampleadultsite.com/, and you should see the Dansguardian page

We need to make these settings permanent, and so we need to capture the settings and then reapply them at boot time.  We can do this as follows (as recommended at:  http://blog.bodhizazen.net/linux/how-to-transparent-proxy/):
  • In the terminal window type:
sudo iptables-save > iptables.saved
sudo chown root:root iptables.saved
sudo mv iptables.saved /etc/dansguardian
  • Now we need to edit a file:  sudo gedit /etc/rc.local
  • Just above the line exit 0, add the following line:
iptables-restore /etc/dansguardian/iptables.saved
  • Save the file and close the editor
You now have the local Internet filter working transparently, as well as OpenDNS.

(Note that if you, for any reason, turn off the Proxy or Dansguardian (e.g. you uninstall them), then you will not be able to connect to the internet through your browser, since we have now told Ubuntu to only get to the internet through them.  To restore internet access you will have to run each of the above iptables commands, replacing the -A with -D in each to delete the entry.  Finally, remove the additional line we added to the /etc/rc.local file.  Then access to the internet will be restored.)
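The three rules above and the recovery steps in this note can be wrapped in one script. This is an added example, not part of the original instructions: it clears stale copies before appending so repeated runs never duplicate or reorder the rules, and it refuses to apply them unless both proxies are listening. The `IPT` and `SS` variables, the function names and the use of `ss` from iproute2 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original page: manage the three nat/OUTPUT
# rules from step 2c without leaving duplicates or a wrong rule order.
# IPT and SS are assumptions of this sketch so the commands can be swapped.
IPT="${IPT:-iptables}"
SS="${SS:-ss}"

# The rules exactly as given on the page, minus "sudo iptables -t nat -A".
rules() {
    cat <<'EOF'
OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REDIRECT --to-port 8080
OUTPUT -p tcp --dport 80 -m owner ! --uid-owner privoxy -j REDIRECT --to-port 8080
EOF
}

# Delete every copy of each rule (-C tests for a match, -D removes one).
remove_rules() {
    rules | while read -r rule; do
        while $IPT -t nat -C $rule 2>/dev/null; do
            $IPT -t nat -D $rule || exit 1
        done
    done
}

# Clear old copies first, then append in page order, so the root ACCEPT
# always sits above the port-80 REDIRECT however often this is run.
apply_rules() {
    remove_rules || return 1
    rules | while read -r rule; do
        $IPT -t nat -A $rule || exit 1
    done
}

# Succeeds only if something is listening on both 3128 (Privoxy) and
# 8080 (DansGuardian); with the redirect active and either one down,
# browsers lose all web access.
proxies_listening() {
    out=$($SS -ltn) || return 1
    for port in 3128 8080; do
        printf '%s\n' "$out" | awk -v p=":$port" '
            $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { f = 1 }
            END { exit !f }' || return 1
    done
}

# Run as root: "sh filter-rules.sh apply" or "sh filter-rules.sh remove".
case "${1:-}" in
    apply)  proxies_listening && apply_rules ;;
    remove) remove_rules ;;
esac
```

After `apply`, re-run the iptables-save step above so the saved file matches the live rules. The rules match only destination ports 80 and 3128, so HTTPS on port 443 is covered only by the OpenDNS layer.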

3. Additional Settings

The following are all optional steps to set up additional filtering:

a. Ensuring Google and Yahoo safe search is always on for images

To ensure that inappropriate images cannot be returned through Google or Yahoo search, use the following:
  • In a terminal window type:  sudo gedit /etc/dansguardian/lists/urlregexplist
  • Find the line starting # Google, go ... .  Uncomment the line below (i.e. delete the leading #), and the third line below [the two lines starting "(^http"]
  • Find the line starting #Yahoo ... . Uncomment the two lines below (i.e. delete the leading #)
  • Save this file
  • Restart dansguardian: 
sudo /etc/init.d/dansguardian stop
sudo /etc/init.d/dansguardian start

b. Permitting YouTube website to display properly

    The YouTube website is not banned by default.  If you want it, though, you will find that it displays incorrectly.  This is because Dansguardian is filtering out content from some of the subsidiary servers that Youtube uses.  You can re-enable YouTube by adding these subsidiary sites to the WhiteList files of the filter.
    • In a terminal window type: sudo gedit /etc/dansguardian/lists/exceptionsitelist
    • In the first gap after the initial comment lines (lines starting #) add:

      s.ytimg.com
      static.youtube.com

      (I also added opendns.com here as well, since we want to be able to access the OpenDNS site to configure our filter settings, but this is also banned because of the phrases used on that page)

    • Save this file
    • Restart dansguardian: 
    sudo /etc/init.d/dansguardian stop
    sudo /etc/init.d/dansguardian start
      (If you wanted to allow these sites past the banned list, but still filter the sites for adult phrases, add these lines to the file /etc/dansguardian/lists/greysitelist instead)

c. Removing the restrictions on 'time wasting' and 'vulnerable' file formats

      By default DansGuardian takes a hyper-sensitive view on what constitutes 'time wasting', banning most media file formats.  It also has a very restrictive view on what file formats constitute a danger ... file formats that are a danger on Windows, but which do not normally present much of a danger for a normal (non-administrator) Linux user.  You can lift these restrictions as follows:
      • In a terminal window type: sudo gedit /etc/dansguardian/lists/bannedextensionlist
      • Look through the list of file extensions in the file.  For any that you want to allow, add a # as the first character of that line.
      • Save and close this file
      • Similarly, type: sudo gedit /etc/dansguardian/lists/bannedmimetypelist
      • Look through the list of MIME types in the file.  For any that you want to allow, add a # as the first character of that line. (I just added a # to them all!)
      • Save this file
      • Restart dansguardian: 
      sudo /etc/init.d/dansguardian stop
      sudo /etc/init.d/dansguardian start

d. Changing filter sensitivity

        By default DansGuardian scans each page to look for phrases, and filters out sites based on a score it produces from the occurrence of these phrases.  The default setting is for a young child.  If this score-based setting is too harsh, you can change it as follows:
        • In a terminal window type: sudo gedit /etc/dansguardian/dansguardianf1.conf
        • Search for the line beginning naughtynesslimit =
        • The comments above this line in the file explain this setting.  Use this guidance to change the value to a more appropriate value.
        • Save this file
        • Restart dansguardian: 
        sudo /etc/init.d/dansguardian stop
        sudo /etc/init.d/dansguardian start
          Alternatively, if you don't want this phrase count filtering at all (I leave it on because it is useful, but it can become annoying):
          • In a terminal window type: sudo gedit /etc/dansguardian/dansguardian.conf
          • Search for the line beginning weightedphrasemode =
          • Change this line to weightedphrasemode = 0
          • Save this file
          • Restart dansguardian: 
          sudo /etc/init.d/dansguardian stop
          sudo /etc/init.d/dansguardian start

e. Adding in additional Blacklists

            This feature is not really needed, since OpenDNS already filters based on URL blacklists.  However, if you want additional local Blacklists, here is what you need to do:

            To obtain the lists manually:
                cd /etc/dansguardian/lists/blacklists
                sudo mv ~/shallalist.tar.gz .
                sudo tar xvzf shallalist.tar.gz
                sudo rm shallalist.tar.gz
                ls
            • You will see, when you issue the 'ls' command, that a new folder entitled BL has been created with the blacklists in it.  Each subject area blacklist has its own subdirectory within the BL folder, and in that subdirectory there are separate blacklists for URLs (the web addresses you type into a browser) and domains (the numbers, like 50.172.27.63, that you can type instead of a web address).  This is so that you cannot bypass a web address block by just typing in the domain number.
            • We need to change the ownerships and permissions of these files to the correct settings.  In a terminal window, use the following commands:

              cd /etc/dansguardian/lists/blacklists
              sudo chown root:root BL
              cd BL
              sudo chown -R dansguardian:dansguardian *
              Now we need to tell Dansguardian to use the lists we want:
              • In a terminal window type: sudo gedit /etc/dansguardian/lists/bannedurllist
              • Go to the very bottom of this file, where you will see the comment: # You will need to edit to add and remove categories you want
              • I have added the following.  I give these as an example for you ... you can remove the lines you don't want, or add other directories you might find in the BL folder we downloaded.
              # Shalla collection:
              .Include</etc/dansguardian/lists/blacklists/BL/drugs/urls>
              .Include</etc/dansguardian/lists/blacklists/BL/porn/urls>
              .Include</etc/dansguardian/lists/blacklists/BL/sex/education/urls>
              .Include</etc/dansguardian/lists/blacklists/BL/sex/lingerie/urls>
              .Include</etc/dansguardian/lists/blacklists/BL/spyware/urls>
              .Include</etc/dansguardian/lists/blacklists/BL/violence/urls>
              • Save that file and close it.  We have now only blacklisted the URLs ... we need also to blacklist the web domains, as follows:
              • In a terminal window type: sudo gedit /etc/dansguardian/lists/bannedsitelist
              • Go to the very bottom of this file, where you will see the comment: # You will need to edit to add and remove categories you want
              • I have added the following.  I give these as an example for you, as before:
              # Shalla collection:
              .Include</etc/dansguardian/lists/blacklists/BL/drugs/domains>
              .Include</etc/dansguardian/lists/blacklists/BL/porn/domains>
              .Include</etc/dansguardian/lists/blacklists/BL/sex/education/domains>
              .Include</etc/dansguardian/lists/blacklists/BL/sex/lingerie/domains>
              .Include</etc/dansguardian/lists/blacklists/BL/spyware/domains>
              .Include</etc/dansguardian/lists/blacklists/BL/violence/domains>
              • Save the file and close it.
              • Restart dansguardian: 
              sudo /etc/init.d/dansguardian stop
              sudo /etc/init.d/dansguardian start
                • If you have not correctly typed the path to a blacklist, dansguardian will refuse to restart with the message [Fail].  If you see that, check through the paths you have entered into these files to see where the typo might be and correct it, and then try to restart dansguardian again, until you get it right.
                You have now configured additional Blacklists.
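Because a single mistyped path stops DansGuardian from restarting, it helps to check the list files first. The script below is an added example, not part of the original instructions: it reads the `.Include<...>` lines shown above, reports any path that does not exist, and lists categories that were added to only one of bannedurllist and bannedsitelist. The function names and the script name are this sketch's own.

```shell
#!/bin/sh
# Added example, not from the original page: check DansGuardian list files
# before a restart. Function names here are this sketch's own.

# Print the path inside every active (uncommented) .Include<...> line of $1.
include_paths() {
    sed -n 's/^[[:space:]]*\.Include<\(.*\)>[[:space:]]*$/\1/p' "$1"
}

# Print each included path that is not an existing file; return 1 if any.
missing_includes() {
    missing=$(include_paths "$1" | while IFS= read -r p; do
        [ -f "$p" ] || printf '%s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Print categories that appear in only one of the two lists, i.e. blocked
# by URL but not by domain, or the reverse.
# $1 = bannedurllist, $2 = bannedsitelist
unpaired_categories() {
    {
        include_paths "$1" | sed -n 's|/urls$||p' | sort -u
        include_paths "$2" | sed -n 's|/domains$||p' | sort -u
    } | sort | uniq -u
}

# Usage: sh check-lists.sh /etc/dansguardian/lists
if [ -n "${1:-}" ]; then
    missing_includes "$1/bannedurllist"
    missing_includes "$1/bannedsitelist"
    unpaired_categories "$1/bannedurllist" "$1/bannedsitelist"
fi
```

No output means every included file exists and each category is blocked in both lists.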

f. Automatically updating Blacklists

                Automatic update of the Blacklists is a bit more complex.  I managed to do so after modifying a script that I found in http://www.shallalist.de/Downloads/ called updshalla.tgz.   The problem is that this script requires a mail application that no longer works with secure mail servers.  I give the steps I used to implement regular updates here, but this is not quite so easy:

                Download the script files to your home directory:
                We now need to change the configuration file:
                • Edit it using the command: sudo gedit updshalla.conf
                • Look for the line starting LISTBASE
                • Change it to LISTBASE='/etc/dansguardian/lists/blacklists/BL'
                • Save the file
                Now we need to change the script file to remove the emailing part:
                • Edit it using the command: sudo gedit updshalla
                • Search for the line starting: $MAILSEND in function mailmsg
                • Change the line by adding a # as the first character in the line to change the line to a comment.  This stops the script trying to call the non-existent mail program.
                • Search for the line: [ ! -x $MAILSEND ] && logmsg "$ERRMSG9" && exit 1
                • Change it by adding a # as the first character in the line to change the line to a comment.  This stops the script checking for the non-existent mailer program.
                • Save the file
                • Move out of the directory by typing:  cd ..
                Now we need to move the whole directory to a directory where installed programs are stored.
                • In the terminal window type:  sudo mv updshalla /opt
                Just in case the ownership of these files is set incorrectly, enter the following commands:
                • In a terminal window, move to the program directory:  cd /opt
                • To change the ownership:  sudo chown -R root:root updshalla
                • Now move into the program directory to set the permissions:  cd updshalla
                • To change the permissions:  sudo chmod 755 updshalla
                We can now finally test to see if the update program works:
                • Run the program:  sudo ./updshalla
                • You should see various logs coming out in the terminal window to show that it is all working correctly
                • If you see an error that complains that the command 'patch' was not found, just run the following command in the terminal to install the 'patch' command:  sudo apt-get install patch
                Ok, now we have the update program installed and it is working.  Finally, we need to schedule it to run weekly.  We are going to do that by creating a new script which we will then copy to the scheduler directory, from where it will be discovered and run each week.
                • Move to your home directory: cd ~
                • In a terminal window, type: sudo gedit updshallaCron
                • Add the following lines to the file:
                #! /bin/sh

                # Cron script to run updshalla from its own directory

                test -x /opt/updshalla/updshalla || exit 0
                cd /opt/updshalla
                ./updshalla >> /dev/null 2>&1
                exit 0
                • Make sure that you have this all correct.  The first line just checks that the updshalla script is actually present (so that if you uninstall it, this script doesn't go wrong!).  We then change to the script directory, run the script redirecting all that output so that no-one can see it (because we are going to run this in the background), and then exit the script.
                • Save the file and close the editor
                • We now need to move the file to the directory of scripts that are automatically run weekly. In a terminal window type: sudo mv updshallaCron /etc/cron.weekly
                • We will set the ownership and permissions appropriately using these commands:

                  cd /etc/cron.weekly
                  sudo chown root:root updshallaCron
                  sudo chmod 755 updshallaCron

                  • Now we can test the script.  Type: sudo /etc/cron.weekly/updshallaCron
                  • There will be a pause for a while with no output, but eventually the prompt should return.  You can check that it all performed correctly by looking in the log file it writes ... type in the terminal: more /var/log/updshalla.log
                  That's it!  You now will have the Blacklist files kept up to date automatically each week.

                  [I have not restarted DansGuardian in the above script, since I turn my PCs off each night.  However, if you have a PC that is left on, you should add /etc/init.d/dansguardian restart  before the exit 0 in the above file to ensure that DansGuardian uses the new Blacklists straight away.]

                  Clearly this configuration is a lot to do for each machine, but you can save yourself the effort by copying these modified files over to each machine once you have set them up on one.