Using E2guardian to Monitor Internet Access Locally

Sooner or later, modern parents face the problem of regulating the relationship between a child and the Internet. There is apparently no single correct approach; in my understanding it is inevitably complex and consists of a pedagogical component and a complementary technical one. The solution I found, the e2guardian program, can significantly reduce the likelihood that a child accidentally encounters unwanted material, and also insures against unintentional but potentially dangerous activity (visiting phishing sites, downloading infected files).

Before describing my experience with the program, I will note that I am not an IT specialist, so I would be especially grateful for comments from people who are competent in this field.

E2guardian is a continuation of the DansGuardian project, so information on configuring DansGuardian, including on Habr (link, link, link), largely carries over to e2guardian. Unfortunately, DansGuardian has not been maintained since 2013 and the official site has been taken down along with the materials hosted on it, while the e2guardian help system is not as extensive as its forerunner's.

E2guardian runs on Linux, which limits its use given both the dominance of Windows on personal computers and the predominant use of mobile devices to access the Internet. However, a dedicated proxy server with user authentication (the e2guardian developers recommend Squid, which can work, for example, together with Kerberos), forced redirection of connections from all local devices to it (see the YouTube material referenced below), and the option of running it in a container considerably widen the range of use. In this article I consider only the local installation and basic configuration of the program under Debian 11.

Installing E2guardian

Version 5.3.4 for Debian 11 is available in the official repository. (It is assumed that the account under which the child works has limited rights, without administrative privileges; otherwise the filter can simply be reconfigured or stopped.)

~$ sudo apt-get install e2guardian

During testing, however, it turned out that even with the recommended settings, filtering of content in Russian did not work. In the version from the developer's site (5.4.5 at the time of writing; link) this shortcoming has been eliminated.

Most of the DansGuardian documentation concerns HTTP, whereas today HTTPS dominates. Filtering HTTPS content requires traffic interception (man-in-the-middle, MITM) with certificate substitution: e2guardian terminates the TLS connection, inspects the content, and re-signs the site's certificate with its own CA, which the browser must trust. DansGuardian, and e2guardian before version 5, needed a separate proxy server for this; now the program handles the task itself. Before configuring anything further, make sure that e2guardian was built with MITM support:

~$ sudo e2guardian -v | grep -i 'enable-sslmitm=yes'

and also that the program has been successfully launched

~$ sudo service e2guardian status

and is listening on the configured ports (by default 8080 and/or 8443):

~$ sudo netstat -lntup | grep e2guardian

or

~$ sudo ss -lntp | grep e2guardian

Next, using openssl:

~$ sudo apt-get install openssl

generate a private key for the root CA:

~$ openssl genrsa -out private_root.pem 4096

then the self-signed root CA certificate (the requested Common Name is only the display name of the CA in the certificate store; anything distinctive will do, and the author uses the address of the proxy server, 127.0.0.1 for a local installation without a proxy):

~$ openssl req -new -x509 -days 3650 -key private_root.pem -out my_rootCA.crt

and, finally, a second private key, which e2guardian will use for the per-site certificates it generates on the fly:

~$ openssl genrsa -out private_cert.pem 2048

Create a directory for them, together with the subdirectory in which e2guardian will store the certificates it generates:

~$ sudo mkdir -p /etc/e2guardian/ssl/generatedcerts

and move the keys and the certificate there:

~$ sudo mv private_root.pem /etc/e2guardian/ssl
~$ sudo mv my_rootCA.crt /etc/e2guardian/ssl
~$ sudo mv private_cert.pem /etc/e2guardian/ssl

Make the e2guardian user and group the owner of the directory (the private keys must not be readable by the child's account):

~$ sudo chown -R e2guardian:e2guardian /etc/e2guardian/ssl
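The openssl steps above, gathered into one script as an added example (not from the article): besides generating the two keys and the CA certificate it sets the basicConstraints and keyUsage extensions that identify the certificate as a CA, keeps the private keys owner-only, and verifies the result before anything is copied into /etc/e2guardian. The output directory and the CA's display name "e2guardian MITM root CA" are assumptions; the file names are those used in the article, so the remaining steps apply unchanged.

```shell
#!/bin/sh
# Added example, not e2guardian's or the article's code.
# make_mitm_ca <output dir> [rsa bits, default 4096]
# Creates private_root.pem (CA key), my_rootCA.crt (self-signed CA cert) and
# private_cert.pem (key for the certificates e2guardian generates per site).
make_mitm_ca() (
    dir=$1
    bits=${2:-4096}
    umask 077                      # everything created here is owner-only (subshell-local)
    mkdir -p "$dir"

    # Minimal openssl.cnf for a self-signed CA. With -config openssl uses only
    # this file, so the extensions do not depend on distribution defaults.
    # The Common Name is just the label shown in the browser's CA store.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[dn]
CN = e2guardian MITM root CA

[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. CA private key: whoever holds this can forge any site for this browser.
    openssl genrsa -out "$dir/private_root.pem" "$bits"
    # 2. Self-signed CA certificate, 10 years: this is what gets imported into Firefox.
    openssl req -new -x509 -days 3650 -key "$dir/private_root.pem" \
        -config "$dir/ca.cnf" -out "$dir/my_rootCA.crt"
    # 3. Key e2guardian uses for the per-site certificates it signs with the CA.
    openssl genrsa -out "$dir/private_cert.pem" 2048
    chmod 600 "$dir/private_root.pem" "$dir/private_cert.pem"
    chmod 644 "$dir/my_rootCA.crt"

    # Sanity check: the certificate really is a CA and verifies against itself.
    openssl x509 -in "$dir/my_rootCA.crt" -noout -text | grep -q 'CA:TRUE' &&
    openssl verify -CAfile "$dir/my_rootCA.crt" "$dir/my_rootCA.crt" >/dev/null
)

# Usage on the filtering host, then install with the owner and mode from the article:
#   make_mitm_ca ./e2g-ssl && sudo cp -p ./e2g-ssl/*.pem ./e2g-ssl/*.crt /etc/e2guardian/ssl/
```

After the certificate has been imported into Firefox and e2guardian restarted, `openssl s_client -proxy 127.0.0.1:8080 -connect example.com:443 -CAfile /etc/e2guardian/ssl/my_rootCA.crt </dev/null` should end with `Verify return code: 0 (ok)` and show your CA as the issuer; that is the direct confirmation that connections are really being re-signed rather than passed through.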

Configuring E2guardian

The program has a great many settings, which are described in sufficient detail in the configuration files themselves. I will touch only on those needed for correct work with sites in Russian (see source). I also recommend not making all the changes at once but changing the parameters one after another and checking after each that the service still starts:

~$ sudo service e2guardian restart
~$ sudo service e2guardian status

In the main config file:

~$ sudo nano /etc/e2guardian/e2guardian.conf

uncomment and set the following parameters:

loglevel = 3

level 3 logs all requests, not only blocked ones

filterports = 8080

the port e2guardian listens on; Firefox's proxy settings must send traffic to it (see below).

weightedphrasemode = 1

mode 1 is the normal weighted-phrase operation: each occurrence of a listed phrase adds that phrase's weight to the page score, and the page is blocked when the sum reaches the threshold (naughtynesslimit, set in the group file). Mode 2 counts each listed phrase only once per page regardless of how often it occurs, and 0 disables weighted phrases.

phrasefiltermode = 2

analyse pages both raw (with markup) and after stripping the markup.

preservecase = 2

filter in two passes: first with all characters converted to lower case, then with the original spelling.

hexdecodecontent = on

decode %XX hex-encoded characters before phrase matching; the author found this necessary for correct work with non-Latin text.

forcequicksearch = on

use the quick-search matcher instead of the default DFA algorithm, which does not handle Unicode correctly.

reverseaddresslookups = on

if the browser requests a raw IP address, look up its host name and check that against the block lists as well.

maxcontentfiltersize = 2048

maximum size (in kB) of a document that is content-filtered; larger responses are passed without phrase analysis. It both prevents large binary files mislabelled as text from being scanned and has to be large enough for big pages (YouTube, for example).

enablessl = on

enable SSL/TLS interception support,

cacertificatepath="/etc/e2guardian/ssl/my_rootCA.crt"

the root CA certificate created in the previous step,

caprivatekeypath="/etc/e2guardian/ssl/private_root.pem"

the CA's private key, with which e2guardian signs the certificates it generates,

certprivatekeypath="/etc/e2guardian/ssl/private_cert.pem"

the private key used for those generated certificates, and

generatedcertpath="/etc/e2guardian/ssl/generatedcerts"

the directory in which the generated certificates are cached.

In case of using a proxy server:

proxyip = XXX.XXX.XXX.XXX

proxyport = 3128

IP address and port of the proxy server.

Next, set the parameters for individual user groups in the file e2guardianf1.conf. I consider the case of a single group; if there are several, the corresponding parameters are set separately for each group in the files e2guardianf1.conf, e2guardianf2.conf and so on, as well as in examplef1.story, examplef2.story. In that case you also need to set up a user authentication mechanism and record each user's group membership in the file /etc/e2guardian/lists/filtergrouplist.

In file

~$ sudo nano /etc/e2guardian/e2guardianf1.conf

remove the comments and modify the following parameters:

specifying paths to filter lists, in particular

bannedsitelist="/etc/e2guardian/lists/bannedsitelist"

a list of websites to be blocked (see details below),

bannedphraselist="/etc/e2guardian/lists/bannedphraselist"

a list of words that lead to an immediate blocking of the page,

weightedphraselist="/etc/e2guardian/lists/weightedphraselist"

a list of words evaluated by weight coefficients (see below for details),

exceptionphraselist="/etc/e2guardian/lists/exceptionphraselist"

a list of phrases whose presence exempts a page from phrase filtering (see below).

textmimetypes="application/xhtml+xml,application/xml,application/json,application/javascript,application/x-javascript"

analysis of data other than simple text. The parameter is required, for example, to filter queries in some search engines.

fileextlist="name=bannedextension,messageno=900,path=/etc/e2guardian/lists/bannedextensionlist"

mimelist="name=bannedmime,messageno=800,path=/etc/e2guardian/lists/bannedmimetypelist"

types of files and data prohibited from downloading

weightedphrasemode = 1

the parameter is set for individual groups and prevails over that of the file e2guardian.conf,

naughtynesslimit = 50

threshold value above which the page will be blocked

sslsiteregexplist="name=searchterms,path=/etc/e2guardian/lists/sslsiteregexplist"

regular-expression rewriting of SSL site addresses, used here to force search engines, including YouTube, into safe-search mode. Unfortunately, despite Yandex having a family mode (213.180.193.56), I could not configure e2guardian to work with this service.

sslmitm = on

enable MITM interception of SSL/TLS connections for this group

mitmcheckcert = on

verify the real server's certificate when intercepting. Keep this on: once e2guardian re-signs everything, the browser only ever sees e2guardian's own certificates, so this check is the only place where a forged, expired or otherwise invalid upstream certificate is still detected.

Setting up some individual lists:

List of sites forbidden to view:

~$ sudo nano /etc/e2guardian/lists/bannedsitelist

may contain both addresses of blocked sites and .Include directives pointing to lists of such sites in the corresponding directories. Updated blacklists for DansGuardian/e2guardian on various topics can be found at the address linked here.

An access time limit can also be specified in this file. Note that the specified time applies to all resources listed in bannedsitelist, which is not always convenient. You can work around this by placing the access times and the matching site lists in additional files included from bannedsitelist. For example, to block access to the site https://www.loremipsum.com from 17:30 to 19:30 from Monday to Friday, add to bannedsitelist the line

.Include</etc/e2guardian/lists/timedbannedsitelist1>

then create the corresponding file

~$ sudo nano /etc/e2guardian/lists/timedbannedsitelist1

and put the time and the resource in it (the # before time must be present; the fields are start hour, start minute, end hour, end minute, and the days of the week on which the entry applies):

#time: 17 30 19 30 01234

loremipsum.com

List of words evaluated by weight coefficients

~$ sudo nano /etc/e2guardian/lists/weightedphraselist

A few words about the rules for compiling the dictionaries, which, if followed, let you widen the coverage of unwanted terms while keeping false positives at an acceptable level.

<комар><50> adds 50 points to the page score for each occurrence of any word containing "комар", including "комарный" and "накомарник";

< комар><50> (leading space) adds 50 points for each occurrence of a word that begins with "комар", for example "комарный", but not "накомарник";

< комар ><50> (a space on each side) adds 50 points only for each occurrence of the whole word "комар", ignoring other words with the same root.

In the Russian-speaking segment of the Internet there are still sites that use encodings other than UTF-8, so word lists for filtering should first be created in UTF-8 and then converted to KOI8-R and Windows-1251 (the -c flag makes iconv drop characters the target encoding cannot represent instead of aborting):

~$ iconv -f UTF-8 -t WINDOWS-1251 weighted_russian_utf8 > weighted_russian_1251
~$ iconv -c -f UTF-8 -t KOI8-R weighted_russian_utf8 > weighted_russian_koi8r

put the created lists in the appropriate directories, for example

~$ sudo mv weighted_russian_utf8 /etc/e2guardian/lists/phraselists/badwords/weighted_russian_utf8
~$ sudo mv weighted_russian_1251 /etc/e2guardian/lists/phraselists/badwords/weighted_russian_1251
~$ sudo mv weighted_russian_koi8r /etc/e2guardian/lists/phraselists/badwords/weighted_russian_koi8r

and show them the path to weightedphraselist:

~$ sudo nano /etc/e2guardian/lists/weightedphraselist

#Bad Words - swearing
.Include</etc/e2guardian/lists/phraselists/badwords/weighted_russian_utf8>
.Include</etc/e2guardian/lists/phraselists/badwords/weighted_russian_koi8r>
.Include</etc/e2guardian/lists/phraselists/badwords/weighted_russian_1251>

List of exception phrases:

exceptionphraselist="/etc/e2guardian/lists/exceptionphraselist"

In e2guardian, a phrase from this list found on a page exempts the page from phrase blocking altogether. Phrases with negative weights, which merely lower the score, belong in weightedphraselist; the author uses them to say, for example, that the word "грудь" ("breast") on a page costs 10 points, but the combination of "грудь" with "медицинский" ("medical") on the same page gives them back, unlike the case where the second word is absent:

< грудь ><10>

< грудь >,< медицинский ><-10>
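To make the three phrase forms and the combination rule concrete, here is a small shell model of the scoring, added here as an example and not e2guardian's own code. It normalizes a page the way the matcher effectively sees it (tags removed, lower-cased, whitespace collapsed, wrapped in spaces so that `< word >` can only match a whole word), then adds each phrase's weight per occurrence and compares the total with naughtynesslimit. Assumptions: Latin-script sample words (tr's lowercasing is locale dependent for Cyrillic), weightedphrasemode = 1, a single lower-case pass, and a combination entry counted once per page when all its phrases are present; the list and page texts in the usage lines are constructed.

```shell
#!/bin/sh
# Added example (not e2guardian's code): a minimal model of weighted phrase
# scoring. Assumed: weightedphrasemode = 1 (every occurrence counts), one
# lower-case pass, ASCII sample words, combinations counted once per page.

# Normalize a page before matching: strip tags, lower-case, collapse all
# whitespace to single spaces and pad with one space on each side. After this
# "komar" matches inside any word, " komar" only at a word start and
# " komar " only as a whole word.
normalize_page() {
    printf ' %s ' "$1" | sed 's/<[^>]*>/ /g' | tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' ' '
}

# count_phrase <normalized text> <phrase>: number of (possibly overlapping) occurrences
count_phrase() {
    printf '%s' "$1" | awk -v needle="$2" '
        { s = s $0 }
        END { n = 0; pos = 1
              while ((i = index(substr(s, pos), needle)) > 0) { n++; pos += i }
              print n }'
}

# score_page <weightedphraselist file> <raw page text>: prints the page score.
# List syntax: <phrase><weight> or <phrase1>,<phrase2>,...<weight>; '#' starts a comment.
score_page() {
    text=$(normalize_page "$2")
    total=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        weight=${line##*<}; weight=${weight%%>*}   # the last <...> group is the weight
        groups=${line%<*}                          # everything before it: the phrase(s)
        ngroups=0; min=
        rest=$groups
        while [ -n "$rest" ]; do
            case $rest in *'<'*) ;; *) break ;; esac   # stop on malformed remainder
            rest=${rest#*<}; phrase=${rest%%>*}; rest=${rest#*>}
            c=$(count_phrase "$text" "$phrase")      # spaces inside < > are kept
            ngroups=$((ngroups + 1))
            if [ -z "$min" ] || [ "$c" -lt "$min" ]; then min=$c; fi
        done
        if [ "$ngroups" -eq 1 ]; then
            total=$((total + weight * min))        # single phrase: weight per occurrence
        elif [ "${min:-0}" -gt 0 ]; then
            total=$((total + weight))              # combination: all present, weight once
        fi
    done < "$1"
    echo "$total"
}

# page_blocked <list> <page text> <naughtynesslimit>: succeeds if the score exceeds the limit
page_blocked() {
    [ "$(score_page "$1" "$2")" -gt "$3" ]
}

# Constructed usage: a list with the three "komar" forms and the breast/medical pair.
#   printf '%s\n' '<komar><50>' '< komar><30>' '< komar ><20>' \
#       '< breast ><10>' '< breast >,< medical ><-10>' > /tmp/wlist
#   score_page /tmp/wlist '<p>A komar flew; a komarny net and a nakomarnik.</p> Breast exam, medical advice.'
#   -> 230  (komar 3x50, " komar" 2x30, " komar " 1x20, " breast " 10, combination -10)
#   score_page /tmp/wlist 'Breast cancer screening: medical guidance'   -> 0
```

The two usage lines show why the leading and trailing spaces matter: "nakomarnik" is caught by the bare form only, "komarny" by the bare and the prefix forms, and the word "komar" by all three, so one sighting of the whole word scores 100 points against a naughtynesslimit of 50 while a medical page about breast cancer scores nothing.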

List of sites whose content is not filtered (white list):

~$ sudo nano /etc/e2guardian/lists/exceptionsitelist

This list holds obviously safe resources, especially those whose traffic should not be intercepted at all (banking services and the like). Note that the site's domain name alone is often not enough for full access. In some cases (Office 365, for example) the service provider publishes the list of domain names that must be reachable for the service to work. In other cases the additional hosts can be found with Firefox's own tools: Tools → Browser Tools → Web Developer Tools → Network (Ctrl+Shift+E); the Domain column lists the hosts contacted, and those needed for the site to work normally go into the list.

If, as is typical when a child first starts using the Internet, access needs to be restricted to this list of sites only, then in addition to compiling it you should modify the file

~$ sudo nano /etc/e2guardian/examplef1.story

uncommenting the following lines (the blanket-block functions, which block every HTTP and HTTPS site not explicitly allowed):

function(checkblanketblock)

if(true,,502) return setblock


function(sslcheckblanketblock)

if(true,,506) return setblock

Now, after all the changes, restart the e2guardian service

~$ sudo service e2guardian restart

and make sure it is running and listening:

~$ sudo service e2guardian status
~$ sudo netstat -lntup | grep e2guardian

Configuring Firefox (version 60 and later)

(link):

  1. import the certificate created in the previous step: Firefox →Settings → Privacy and Security → Security → View Certificates → Import → select my_rootCA.crt → Open

  2. in the directory /usr/lib/firefox-esr/distribution create the file policies.json

    ~$ sudo nano /usr/lib/firefox-esr/distribution/policies.json

  3. in which we direct all connections to the port e2guardian listens on, lock that setting so the user cannot change it, and define the rules for Firefox functions:

    {
      "policies": {
        "Proxy": {
          "Mode": "manual",
          "Locked": true,
          "HTTPProxy": "127.0.0.1:8080",
          "UseHTTPProxyForAllProtocols": true,
          "Passthrough": "<local>",
          "AutoLogin": false,
          "UseProxyForDNS": false
        },
        "Certificates": {
          "ImportEnterpriseRoots": true
        }
      }
    }

If the settings are correct, then after restarting Firefox the filter should produce the expected results. Keep in mind that policies.json constrains Firefox only: any other browser or application on the machine reaches the Internet unfiltered unless its traffic is also forced through e2guardian.

As you can see, configuring a flexible system for analysing the content of web pages is a rather time-consuming task. In addition, the following questions remained unresolved at the time of writing:

  • configuring e2guardian to work with the clamd antivirus scanner

  • blocking registration on various services (forums, chats)

  • setting up a browser other than Firefox

  • switching yandex.ru and mail.ru to a protected search mode

However, the result, combined with the accessibility of this solution, was in my opinion worth the effort. Thank you for your attention; I will be glad of constructive comments.
