I’m on record as saying your company should not block social networking sites. I still feel strongly about my position, though I can understand why some SMBs might choose to block those sites. For instance, if you continue to warn an employee who abuses the freedoms he has been given with social networking sites, you might decide that prohibiting access to those sites will save your company time and resources. One tool for this task is DansGuardian.
This award-winning, open source, content filtering tool runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris and can be installed and up and running in minutes. Once the software is installed, it’s easy to configure it to block social networking sites. With DansGuardian, you can even create different groups, which are subject to different filtering.
You can find DansGuardian in most distribution repositories; to that end, the software is very easy to install. I will demonstrate the installation on an Ubuntu system. If you plan to install it on other platforms, you should modify the commands to fit your package manager.
1. Open a terminal window.
2. Issue the command sudo apt-get install dansguardian.
3. Type your sudo password and hit Enter.
4. Accept any dependencies.
5. Allow the installation to complete.
Once installed, you need to configure the /etc/dansguardian/dansguardian.conf file. Near the top of that file, you will see the line UNCONFIGURED - Please remove this line after configuration. Delete that line and then walk through the configuration file and set up any necessary items that apply to your network. In particular, you will want to configure:
- Filterport for DansGuardian
- IP for proxy
- Filtergroups (this is optional)
After you configure the dansguardian.conf file, you’re ready to add the necessary configurations for blocking the sites.
Within the /etc/dansguardian/lists directory, you will find a number of flat text files that allow you to set up various blocks. We want to focus on the following:
- bannedurllist: block part of a site
- bannedsitelist: block an entire site
- bannediplist: block by IP address
Let’s say that we’re going to block Facebook. Since we’re going to block that entire site, we’d list it in the bannedsitelist file. The entry will be listed under the line:
#List other sites to block:
and will simply be:
You should restart DansGuardian, and then anyone in the default group will no longer be able to reach the Facebook site.
One issue with blocking social sites like Facebook is that users can get around the block by using HTTPS. Since DansGuardian bans using HTTP, the easiest way to ban the Facebook HTTPS link is to use the bannediplist file. Here’s what to do:
1. Open a terminal window.
2. Open the file /etc/dansguardian/lists/bannediplist for editing.
3. Add the following IP addresses:
4. Save and close the file.
5. Open the /etc/dansguardian/lists/bannedsitelist file and add the following:
6. Save that file and restart DansGuardian.
Once DansGuardian is restarted, you’ll use the IP address of the machine hosting the service as the proxy for the client. Also remember the proxyport configured in dansguardian.conf.
Let’s say you want to block access to Facebook from only certain machines. You can do this by using Filtergroups. In the /etc/dansguardian folder there are, by default, two configuration files:
Here’s how to create a specific group that cannot reach Facebook:
1. Copy the dansguardianf1.conf to dansguardianf2.conf (note configuration change below).
2. Copy the bannedsitelist to bannedfacebook.
3. Copy the bannediplist to bannedfacebookip.
4. Configure the dansguardianf2.conf to point to the newly created lists.
5. Add the Facebook IP addresses and URLs into the newly created files, respectively.
6. In the newly created dansguardianf2.conf, you need to uncomment this line:
#groupname = ''
and then edit it to look like this:
groupname = 2
The easiest way to apply this is via IP address (instead of having to work out some form of authentication).
7. Set the machine to belong to group 2 on a static IP address.
8. Add the IP address in the file /etc/dansguardian/lists/filtergroupslist. The entry will look like IP_ADDRESS=filter2 (IP_ADDRESS is the address of the machine to be blocked from reaching Facebook).
9. Restart the service with the command sudo /etc/init.d/dansguardian restart.
10. Point the desktop machine to be banned to use the proxy server IP address.
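The file-handling steps above (1-4, 6 and 8) can be scripted as in the following added example, which is not part of the original article or of DansGuardian. The function name make_facebook_group and the address 192.0.2.10 are hypothetical, and the script assumes the group file names its lists with lines of the form key = '/path/to/list'. Steps 5, 7, 9 and 10 remain manual.

```shell
#!/bin/sh
# Added example (not from the article): automate filter-group steps 1-4, 6, 8.
# Assumption: the group file names its lists as  key = '/path/to/list'.
make_facebook_group() {
    conf_dir=$1                       # e.g. /etc/dansguardian
    client_ip=$2                      # static IP of the machine to restrict
    lists=$conf_dir/lists
    f1=$conf_dir/dansguardianf1.conf
    f2=$conf_dir/dansguardianf2.conf

    # Stop early if the files the steps start from are not there.
    for f in "$f1" "$lists/bannedsitelist" "$lists/bannediplist"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Accept only digits and dots so nothing odd lands in filtergroupslist.
    case $client_ip in
        ''|*[!0-9.]*) echo "not an IPv4 address: $client_ip" >&2; return 1 ;;
    esac

    # Steps 1-3: copy, but never overwrite a group that already has entries.
    [ -e "$f2" ] || cp -p "$f1" "$f2"
    [ -e "$lists/bannedfacebook" ] || cp -p "$lists/bannedsitelist" "$lists/bannedfacebook"
    [ -e "$lists/bannedfacebookip" ] || cp -p "$lists/bannediplist" "$lists/bannedfacebookip"

    # Steps 4 and 6: point group 2 at its own lists and set groupname.
    sed -e "s|^\(bannedsitelist *= *\).*|\1'$lists/bannedfacebook'|" \
        -e "s|^\(bannediplist *= *\).*|\1'$lists/bannedfacebookip'|" \
        -e "s|^#groupname *=.*|groupname = 2|" \
        "$f2" > "$f2.tmp" && mv "$f2.tmp" "$f2"

    # sed silently skips a key that is absent, which would leave group 2 on
    # the default lists; verify the result instead of assuming it.
    for want in bannedfacebook bannedfacebookip; do
        grep -qF "'$lists/$want'" "$f2" ||
            { echo "$f2 does not reference $want" >&2; return 2; }
    done

    # Step 8: map the client to the group exactly once.
    entry="$client_ip=filter2"
    grep -qxF "$entry" "$lists/filtergroupslist" 2>/dev/null ||
        echo "$entry" >> "$lists/filtergroupslist"
}

# Run as: sh this_script /etc/dansguardian 192.0.2.10  (constructed address)
if [ "$#" -eq 2 ]; then make_facebook_group "$@"; fi
```

A return code of 2 means the copied group file did not contain one of the expected list keys, so the new lists would not be consulted until that line is added by hand.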
Although I don’t advocate such managerial tactics (happy employees are productive employees), there are times when you must resort to these types of actions. If you do, DansGuardian is an easy and free alternative to other, proprietary solutions.