
Block social networking sites with DansGuardian

If your SMB doesn't want to fool with the hassle of monitoring employees' use of social media sites and creating a social media policy, try the open source DansGuardian to block such sites altogether.

I'm on record as saying your company should not block social networking sites. I still feel strongly about my position, though I can understand why some SMBs might choose to block those sites. For instance, if you continue to warn an employee who abuses the freedoms he has been given with social networking sites, you might decide that prohibiting access to those sites will save your company time and resources. One tool for this task is DansGuardian.

This award-winning, open source, content filtering tool runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris and can be installed and up and running in minutes. Once the software is installed, it's easy to configure it to block social networking sites. With DansGuardian, you can even create different groups, which are subject to different filtering.

Installing DansGuardian

You can find DansGuardian in most distribution repositories, so the software is very easy to install. I will demonstrate the installation on an Ubuntu system. If you plan to install it on other platforms, you should modify the commands to fit your package manager.

1. Open a terminal window.

2. Issue the command sudo apt-get install dansguardian.

3. Type your sudo password and hit Enter.

4. Accept any dependencies.

5. Allow the installation to complete.

Once installed, you need to configure the /etc/dansguardian/dansguardian.conf file. Near the top of that file, you will see the line UNCONFIGURED - Please remove this line after configuration. Delete that line and then walk through the configuration file and set up any necessary items that apply to your network. In particular, you will want to configure:

  • Filterport for DansGuardian
  • IP for proxy
  • Proxyport
  • Filtergroups (this is optional)

After you configure the dansguardian.conf file, you're ready to add the necessary configurations for blocking the sites.
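Before restarting the service, the edits above can be checked with a short script. This is an added example, not part of the original article or of DansGuardian; it assumes the option names filterport, proxyip, proxyport and filtergroups as spelled in the stock configuration file, and that every filter group N has a dansguardianfN.conf next to the main file.

```shell
#!/bin/sh
# Added example: pre-restart check for dansguardian.conf.

# Print the value of an uncommented "key = value" line, quotes stripped.
dg_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*//' -e 's/[[:space:]]*$//' \
            -e "s/^'\(.*\)'$/\1/" | tail -n 1
}

dg_preflight() {
    conf=${1:-/etc/dansguardian/dansguardian.conf}
    rc=0
    # The packaged file ships with a marker line that must be deleted by hand.
    if grep -q '^UNCONFIGURED' "$conf"; then
        echo "FAIL: UNCONFIGURED line is still present"; rc=1
    fi
    for key in filterport proxyip proxyport; do
        val=$(dg_get "$conf" "$key")
        if [ -n "$val" ]; then echo "ok: $key = $val"
        else echo "FAIL: $key is not set"; rc=1; fi
    done
    # A missing or non-numeric filtergroups is treated as 1 for this check.
    ngroups=$(dg_get "$conf" filtergroups)
    case $ngroups in ''|*[!0-9]*) ngroups=1 ;; esac
    n=1
    while [ "$n" -le "$ngroups" ]; do
        if [ ! -f "$(dirname "$conf")/dansguardianf$n.conf" ]; then
            echo "FAIL: filtergroups = $ngroups but dansguardianf$n.conf is missing"
            rc=1
        fi
        n=$((n + 1))
    done
    return $rc
}

# Run as: sh preflight.sh /etc/dansguardian/dansguardian.conf
if [ "$#" -ge 1 ]; then dg_preflight "$1"; fi
```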

Blocking sites

Within the /etc/dansguardian/lists directory, you will find a number of flat text files that allow you to set up various blocks. We want to focus on the following:

bannedurllist: block part of a site
bannedsitelist: block an entire site
bannediplist: block by IP address

Let's say that we're going to block Facebook. Since we're going to block that entire site, we'd list it in the bannedsitelist file. The entry will be listed under the:

#List other sites to block:

and will simply be:

facebook.com

You should restart DansGuardian, and then anyone in the default group will no longer be able to reach the Facebook site.

One issue with blocking social sites like Facebook is that users can get around the block by using https. Because DansGuardian applies its bans to http, the easiest way to ban the Facebook https link is to use the bannediplist file. Here's what to do:

1. Open a terminal window.

2. Open the file /etc/dansguardian/lists/bannediplist for editing.

3. Add the following IP addresses:

63.135.80.49

69.63.176.139

69.63.176.140

69.63.178.11

69.63.184.29

69.63.184.143

69.63.186.11

92.48.78.50

206.220.43.92

216.178.38.116

204.15.20.80

69.63.176.10

69.63.176.11

69.63.184.142

4. Save and close the file.

5. Open /etc/dansguardian/lists/bannedsitelist and add the following:

facebook.com

fbdn.net

tfbnw.net

6. Save that file and restart DansGuardian.

Once DansGuardian is restarted, you'll use the IP address of the machine hosting the service as the proxy for the client. Also remember the proxyport configured in dansguardian.conf.

Blocking groups

Let's say you want to block access to Facebook from only certain machines. You can do this by using Filtergroups. In the /etc/dansguardian folder there are, by default, two configuration files:

  • dansguardian.conf
  • dansguardianf1.conf

Here's how to create a specific group that cannot reach Facebook:

1. Copy the dansguardianf1.conf to dansguardianf2.conf (note configuration change below).

2. Copy the bannedsitelist to bannedfacebook.

3. Copy the bannediplist to bannedfacebookip.

4. Configure the dansguardianf2.conf to point to the newly created lists.

5. Add the Facebook IP addresses and URLs into the newly created files, respectively.

6. In the newly created dansguardianf2.conf, you need to uncomment this line:

#groupname = ''

and then edit it to look like this:

groupname = 2

The easiest way to apply this is via IP address (instead of having to work out some form of authentication).

7. Give the machine that is to belong to group 2 a static IP address.

8. Add the IP address in the file /etc/dansguardian/lists/filtergroupslist. The entry will look like IP_ADDRESS=filter2 (IP_ADDRESS is the address of the machine to be blocked from reaching Facebook).

9. Restart the service with the command sudo /etc/init.d/dansguardian restart.

10. Configure the desktop machine to be banned to use the proxy server IP address.
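The file steps above (1 through 8) can be collected into one repeatable function. This is an added example, not code from the original article or from DansGuardian; it assumes the group file holds lines of the form bannedsitelist = '...' whose option names stay unchanged while only the paths are repointed, and the helper names add_line and make_filter_group are made up for illustration. It warns when a copied list is not referenced by any option in dansguardianf2.conf, since such a list is never read.

```shell
#!/bin/sh
# Added example: the group-2 steps as one function that is safe to re-run.

# Append a line to a file only if that exact line is not already there.
add_line() { grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"; }

make_filter_group() {
    dg_dir=$1        # /etc/dansguardian, or a scratch copy for a dry run
    client_ip=$2     # static IP of the machine to restrict
    lists=$dg_dir/lists
    f2=$dg_dir/dansguardianf2.conf
    if [ -z "$client_ip" ] || [ ! -f "$dg_dir/dansguardianf1.conf" ]; then
        echo "usage: make_filter_group CONFIG_DIR CLIENT_IP" >&2
        return 2
    fi
    # Steps 1-3: copy the group file and both lists; existing copies are kept.
    [ -e "$f2" ] || cp "$dg_dir/dansguardianf1.conf" "$f2"
    [ -e "$lists/bannedfacebook" ] || cp "$lists/bannedsitelist" "$lists/bannedfacebook"
    [ -e "$lists/bannedfacebookip" ] || cp "$lists/bannediplist" "$lists/bannedfacebookip"
    # Steps 4 and 6: option names stay as they are, only their values change.
    sed -e "s|^\(bannedsitelist *= *\).*|\1'$lists/bannedfacebook'|" \
        -e "s|^\(bannediplist *= *\).*|\1'$lists/bannedfacebookip'|" \
        -e "s|^#* *groupname *=.*|groupname = 2|" "$f2" > "$f2.new"
    mv "$f2.new" "$f2"
    # Step 5 (site entry only; IP entries are added by hand) and step 8.
    add_line "$lists/bannedfacebook" "facebook.com"
    add_line "$lists/filtergroupslist" "$client_ip=filter2"
    # A copied list that no option points at is never read: report it.
    for l in bannedfacebook bannedfacebookip; do
        grep -q "/$l'" "$f2" || echo "warning: nothing in $f2 points at $l" >&2
    done
    return 0
}

# Step 9 stays manual: sudo /etc/init.d/dansguardian restart
if [ "$#" -eq 2 ]; then make_filter_group "$1" "$2"; fi
```

Running it first against a copy of /etc/dansguardian shows the resulting dansguardianf2.conf and list files without touching the live configuration.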

Summary

Although I don't advocate such managerial tactics (happy employees are productive employees), there are times when you must resort to these types of actions. If you do, DansGuardian is an easy and free alternative to other, proprietary solutions.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

1 comment
sunilsinghgaur

I am using the same scenario to block the groups, but I got stuck and am not able to block the site through a group.

I have created two files in lists directory i.e.

1) bannedtwitter

2) bannedtwitterip

In dansguardianf2.conf, I have added the line below as per the above instructions.

bannedtwitter = '/etc/dansguardian/lists/bannedtwitter'

Regarding point 8: I am confused about the IP. Please help me with which IP needs to be put here. Is it my machine's static IP, or should it be the website IP?

Also, please let me know whether we can manage users with the group instead of IP.