More Layers

A gruesome means of execution in the old days was crushing people by piling rocks on them. One victim is reported to have called for “more weight” to end his suffering quicker…

That’s how IT is going. With that other OS we keep adding firewalls and scanners to hold back the onslaught of malware, and even then it gets through one way or another. Like any insurgency, it works best by co-opting the innocent users who have no clue what horrors are out there. Now that GNU/Linux is getting more attention from malware writers, we have to add more layers.

This weekend I put Dansguardian and the Squid web cache/proxy to work. I expect to hear a storm of protest today after it blocks innocent sites containing certain keywords/phrases. I have white-listed important sites for educators. Dansguardian is simple to install in Debian GNU/Linux:

  • apt-get install dansguardian squid clamav-daemon

Dansguardian is a bit of a dog to configure but it does a lot.

  • set IP address/port
  • set level of messages
  • modify /etc/dansguardian/languages/ukenglish/template.html to give the right information when something is found/blocked
  • set clamdscan as the virus-scanner
  • point it to squid: localhost:3128
  • comment out the “not configured” line
  • restart it with /etc/init.d/dansguardian stop; /etc/init.d/dansguardian start (the restart action does not seem to work)

Squid was interesting. I needed to create the right access controls in /etc/squid/squid.conf and restart it.

The fun part was transparent proxying. I did not want to go around to every PC in the school and campus to set proxies, so I modified /etc/dhcp3-server/dhcpd.conf on our DHCP server to hand out “option routers ipaddressofdansguardian;” to all clients except certain servers, like my .deb package cache and of course the Dansguardian server itself. I added some forwarding and NAT rules on the Dansguardian server:

# Let the Dansguardian box forward packets, since DHCP now makes it the clients' gateway
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect LAN web traffic arriving on eth0 to Dansguardian on port 8080.
# Only port 80 is caught here; HTTPS (443) is not inspected by this rule.
iptables -t nat -A PREROUTING -i eth0 -p tcp --src 192.168.0.0/24 --dport 80 -j REDIRECT --to-ports 8080

# Accept replies to connections the box and the clients behind it have already opened
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

And it all works. Here is part of the clamav log:
Sun Nov 7 13:02:04 2010 -> SelfCheck: Database status OK.
Sun Nov 7 13:30:25 2010 -> /tmp/tfJeowwL: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Sun Nov 7 14:02:04 2010 -> SelfCheck: Database status OK.
Sun Nov 7 15:02:05 2010 -> SelfCheck: Database status OK.
Sun Nov 7 16:02:05 2010 -> SelfCheck: Database status OK.
Sun Nov 7 17:02:05 2010 -> SelfCheck: Database status OK.
Sun Nov 7 18:02:13 2010 -> SelfCheck: Database status OK.
Sun Nov 7 19:02:13 2010 -> SelfCheck: Database status OK.
Sun Nov 7 20:02:13 2010 -> SelfCheck: Database status OK.
Sun Nov 7 21:02:16 2010 -> SelfCheck: Database modification detected. Forcing reload.
Sun Nov 7 21:02:17 2010 -> Reading databases from /var/lib/clamav
Sun Nov 7 21:02:21 2010 -> Database correctly reloaded (848467 signatures)
Sun Nov 7 22:02:32 2010 -> SelfCheck: Database status OK.
Sun Nov 7 23:02:32 2010 -> SelfCheck: Database status OK.
Mon Nov 8 00:02:36 2010 -> SelfCheck: Database status OK.
Mon Nov 8 01:26:01 2010 -> SelfCheck: Database status OK.
Mon Nov 8 02:28:26 2010 -> SelfCheck: Database status OK.
Mon Nov 8 03:29:26 2010 -> SelfCheck: Database modification detected. Forcing reload.
Mon Nov 8 03:29:26 2010 -> Reading databases from /var/lib/clamav
Mon Nov 8 03:29:31 2010 -> Database correctly reloaded (848994 signatures)
Mon Nov 8 04:37:58 2010 -> SelfCheck: Database status OK.

I tested with EICAR. There is also a Debian package for that: clamav-testfiles.

Here’s a false-positive from Dansguardian:

2010.11.8 6:44:06 - 192.168.0.170 http://europa.eu/rapid/stylesheet/europa.css *SCANNED* GET 5802 -10 1 200 text/css tc-amd64 -
2010.11.8 6:44:07 - 192.168.0.170 http://europa.eu/rapid/stylesheet/rapid.css *SCANNED* GET 12500 -10 1 200 text/css tc-amd64 -
2010.11.8 6:44:07 - 192.168.0.170 http://europa.eu/rapid/stylesheet/rapid-print.css *SCANNED* GET 12344 -10 1 200 text/css tc-amd64-3.rsl.edu -
2010.11.8 6:44:10 - 192.168.0.170 http://europa.eu/rapid/images/banner_right.png *DENIED* Weighted phrase limit of 50 -

Here’s Playboy being blocked (testing purposes only…):
2010.11.6 19:43:25 - 192.168.0.29 http://some_inappropriate_site *SCANNED* GET 231 50 1 301 - xeon -
2010.11.6 19:43:28 - 192.168.0.29 http://some_inappropriate_site *SCANNED* *DENIED* Weighted phrase limit of 50 :

Here’s EICAR being detected:
2010.11.6 19:44:59 - 192.168.0.29 http://www.eicar.org/calendar.css *SCANNED* GET 925 0 1 200 text/css xeon -
2010.11.6 19:45:00 - 192.168.0.29 http://www.eicar.org/eicar_css.css *SCANNED* GET 16871 -30 1 200 text/css xeon -
2010.11.6 19:45:01 - 192.168.0.29 http://www.eicar.org/eicar_nav.css *SCANNED* GET 27956 -30 1 200 text/css xeon -
2010.11.6 19:45:35 - 192.168.0.29 http://www.eicar.org/download/eicarcom2.zip *DENIED* Banned extension: .zip GET 0 0 Banned extension 1 403 application/zip xeon -
2010.11.6 19:45:47 - 192.168.0.29 http://www.eicar.org/download/eicar.com.txt *INFECTED* *DENIED* Virus or bad content detected. Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) GET 68 0 Content scanning 1 403 text/plain xeon -
2010.11.6 19:47:47 - 192.168.0.29 http://www.eicar.org/download/eicar.com.txt *INFECTED* *DENIED* Virus or bad content detected. Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) GET 68 0 Content scanning 1 403 text/plain xeon
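As an added example (not code from the post), here is a small Python parser for access-log lines in the shape quoted above. It counts outcomes per client, tallies denial reasons, and flags weighted-phrase denials of images or stylesheets, the kind of false positive seen on the europa.eu banner; the sample log is constructed, with made-up hosts, IPs and client names.

```python
import re
from collections import Counter

# Constructed sample in the shape of DansGuardian's default access log (made-up hosts, IPs, names).
SAMPLE_LOG = """\
2010.11.8 6:44:06 - 192.168.0.170 http://example.org/site.css *SCANNED* GET 5802 -10 1 200 text/css pc1 -
2010.11.8 6:44:10 - 192.168.0.170 http://example.org/banner.png *DENIED* Weighted phrase limit of 50 GET 0 60 Weighted phrase limit of 50 1 403 image/png pc1 -
2010.11.6 19:45:35 - 192.168.0.29 http://example.net/dl/test.zip *DENIED* Banned extension: .zip GET 0 0 Banned extension 1 403 application/zip pc2 -
2010.11.6 19:45:47 - 192.168.0.29 http://example.net/dl/eicar.com.txt *INFECTED* *DENIED* Virus or bad content detected. Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) GET 68 0 Content scanning 1 403 text/plain pc2 -
"""

METHODS = {"GET", "POST", "HEAD", "PUT", "CONNECT", "OPTIONS"}
FLAG_RE = re.compile(r"^\*[A-Z]+\*$")
NON_TEXT_EXT = (".png", ".gif", ".jpg", ".jpeg", ".css", ".js", ".ico")

def parse_line(line):
    """Return a dict for one access-log line, or None if it is too short to parse."""
    tok = line.split()
    if len(tok) < 6:
        return None
    rec = {"date": tok[0], "time": tok[1], "ip": tok[3], "url": tok[4], "flags": []}
    i = 5
    while i < len(tok) and FLAG_RE.match(tok[i]):   # *SCANNED*, *DENIED*, *INFECTED* ...
        rec["flags"].append(tok[i].strip("*"))
        i += 1
    # Free-text reason sits between the flags and the HTTP method; a truncated line keeps it all.
    j = next((k for k in range(i, len(tok)) if tok[k] in METHODS), len(tok))
    rec["reason"] = " ".join(tok[i:j])
    tail = tok[j:]   # method size naughtiness [reason again] group status mime client groupname
    rec["method"] = tail[0] if tail else None
    rec["naughtiness"] = int(tail[2]) if len(tail) > 2 else None
    rec["status"] = int(tail[-4]) if len(tail) >= 8 else None
    rec["mime"] = tail[-3] if len(tail) >= 8 else None
    return rec

def summarize(text):
    """Count outcomes per client IP, denial reasons, and likely phrase-filter false positives."""
    by_outcome, by_reason, suspect = Counter(), Counter(), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        flags = rec["flags"]
        outcome = "INFECTED" if "INFECTED" in flags else "DENIED" if "DENIED" in flags else "ALLOWED"
        by_outcome[(rec["ip"], outcome)] += 1
        if "DENIED" in flags:
            by_reason[re.split(r"[.:]", rec["reason"])[0].strip()] += 1
            # A phrase filter cannot judge images or stylesheets: such denials are whitelist candidates.
            non_text = rec["url"].lower().endswith(NON_TEXT_EXT) or str(rec["mime"]).startswith("image/")
            if non_text and rec["reason"].startswith("Weighted phrase"):
                suspect.append(rec["url"])
    return by_outcome, by_reason, suspect
```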

When content is blocked, a distinctive, colourful web page is put up instead of the content requested. It informs the user that the content is blocked and why, with instructions to contact the system administrator if the content should not have been blocked.

So, now we have more layers. This slows down web access a bit but the cache should help the performance of the overall system.

Irony… It blocked my view of this page. I put my site on the whitelist: /etc/exceptionsitelist.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in Linux in Education, technology.

4 Responses to More Layers

  1. Sorry about that. It did not register with my brain that if I had a problem viewing my site, that others would… I am a twit sometimes. I have replaced a naughty site with “some_inappropriate_site” and cut out the keywords Dansguardian uses for filtering.

  2. Brian Page says:

    Robert,

    you could have done some of us folks-at-work-reading-pogson a favour and buried the output strings from dansguardian and Playboy behind a NSFW link.

    hope no one is reading my download logs…

  3. At least the anti-malware layer running on the router does not load the PC/take up RAM.

  4. Richard Chapman says:

    Even with layers, GNU/Linux still out-performs Microsoft’s OS. I guess there’s a difference between a layer and a band-aid.
