Topic: need to filter https...kids bypassing dansguardian! Help!

[David Trask]

Wasn't sure where to address this issue....I (and others in Maine) have kids using this URL   https://4.5.74.236/cgi-bin/nph-088958.cgi

to bypass my filter...which incidentally is set up as a transparent proxy on E-Smith 5.6 using Stephen Noble's Dansguardian module.  I've tried entering 4.5.74.236/cgi-bin/nph-088958.cgi as a URL in the deny url panel....no use.....I even put in the https.....also no good...tried it in the deny site....also...nada.  Even tried denying IP addresses....since it's https I can't seem to stop it...Any ideas....I've got to get this under control.  Thanks for any help you can provide

David Trask

[Patrick Hickey]

I hope someone can help you to configure the SME to support what you seek.

When our children were smaller I used a Sonic firewall (sonicsys.com) for one simple feature - a built-in subscription based content filter which is granular to a huge degree. A discreet firewall is always superior to one using access lists and also is designed for the single purpose of being a firewall. You need to block a single address, you block it with a web GUI. Stateful inspection of packets, NAT so you can make up an infinite address scheme inside the firewall, etc.

I am not dismissing the SME as a very good firewall....but I am saying you can get a higher degree of flexibility from companies focused upon just firewalls and let the SME handle the rest of the load. So you may need to look outside the SME for this specific solution.

regards,

patrick

[Ed]

May be try using ipchains to block that ip.
Ed

[Jack]

Try watching your kids and quit using a computer for your baby-sitter.

[Patrick Hickey]

Ahhh...sage advice.

Maybe you should troll the alt.pseudo.intellectual USENET groups?

regards,

patrick

[David Trask]

Thank you so much Jack...

It's people like you we don't need here on this forum!  

If you had any sense at all you'd realize that...

A.)  I'm a network administrator asking for advice on how to be proactive and maintain as much CIPA compliance as possible.

B.) You'd know that kids will try anything they can to challenge you.

C.)  My email address indicates that I'm from Maine....and in Maine everything 7th and 8th grader has a laptop.  It's a little difficult for me to monitor an entire school of laptops (hence the proactive preventative piece)

So....cut the crap with the "geekier" than thou attitude and try using this forum for what it was designed for....helping people.

[David Trask]

Actually I have managed to solve it for the most part....here's what I did....

Using the DG (DansGuardian) "regular expression URL" panel one can specify "words or strings" in a URL such as "chat"....which will block any URL with the string "chat" in it....such as www.chatzone.com.....www.teenchat.com...etc.

I found that many CGI proxies by design need to have a leading "nph-" as part of their URL.  So I decided to enter "nph-" as an expression to be filtered.  While I haven't done so....I may enter the word "proxy" as well and test to see how it does.  I'm not having a big problem yet, but in Maine all 7th and 8th graders have laptops and email...so once an exploit gets out it travels like wildfire!  Just trying to stay ahead of the kids.  As for the SonicWall....my colleagues who use this report the same issue....since it's https....but making a deny rule seems to help with them.  In any case....Thanks for the advice  

David

[Patrick Hickey]

Good work.

What you are trying to do is often glossed by people who devise the otherwise superor code for products like the SME.I think it simply never occurs to them.

I would love to see some pre-built templates for using the not-intuitive interfaces of DansGuardian, for example. It may seem to be a niche issue, but I would argue a huge potential base of users exists who are looking for cookie cutter ways to filter content. This applies not only for children and porn, but for downloading movies and non-business related material. Sorry, it isn't that easy to work out.

Developers...think about the number of people who need this feature and who are not command line dwellers. The core functionality presumably is in place but the UI or some guidelines are not. Example templates would be awesome.

regards,

patrick

[Samer Pharaon]

I was able to block the site using SquidGuard. Instead of blocking the URL, I have blocked the domain: 4.5.74.236. It worked for both http and https. When the users try to access the http site, they will receive the usual "Access Denied" page. For the https, they will receive a "Bad Gateway" msg.

good luck,
Samer

[Andy MacDonald]

Thanks for that.
Not the fix, but the exploit. Now I and a few others can get to legitimate sites we need for work!

[Michiel]

> Not the fix, but the exploit. Now I and a few others can get
> to legitimate sites we need for work!

)

http://www.anonymizer.com/ does the same thing and seems to be faster. Their commercial solution ($30/year) is really good.

[George Siegel]

Using "/sbin/iptables -I INPUT -s 4.5.74.236 -i eth1 -j DROP" from the command line, a script, or a template fragment for masq will stop access, at least it did for me. I have a custome template fragment that I use for several ip addresses and ports  that I want blocked.

[Jack]

I just came across this wonderful website: http://www.samair.ru/proxy/. It lists 1.354 free anonymizer proxies, neetly sorted by country

I'm afraid the State of Main has to wake up to the fact that they can't control what their kids can see and what not. And rightly so. Freedom of speech is worth nothing without the freedom to listen/read.

[David Trask]

Jack...

Maybe if you spent just a wee more time on your studies and a little less time surfing the net for proxies you'd learn how to spell.  (neatly) and (Maine)....nonetheless...it's obvious that you have no idea about the laws governing schools with regard to content filtering.  If you did, you'd know about CIPA (child internet protection act) and the fact that failure to comply would mean the loss of lots of $$$ from the government.  Aside from that is the obvious innocent attempts by young children to get to certain websites and as a result of unscrupulous web site operators who prey on this many times they stumble onto porn sites.  I had a couple of third graders trying to find a site about KidPix (a wonderful piece of kid's drawing software) and stumbled on to a teen porn web site.  One of about 4 incidents that drove us to purchasing an internet content filter, prior to my discovering the open source alternative.  Freedom of speech?  Get real!  We're talking about minors here.  Should we openly allow the sale of porno mags to any child who wants one?  Why not sell cigarettes to young teens so it can be part of their "self-expression"?  In fact, let's have strip clubs run a "kids night"!  I sincerely hope that you are not an IT professional working anywhere near a school.  I am...and I resisted filtering as long as I could, but I sleep better at night now knowing that my own children and their peers are going to have their "childhood innocence" preserved a little while longer....

D

[Mike]

Have struck a similar problem at a school and the little sneaks were changing the port in the browser to slip past Dans Guardian filtered. Stopped this trick by removing the Connections TAB in the browser through W2000 Server their logon machine, just passing this on for anybody interested.