Ubuntu & Parental Controls By Jason Holtzapple This presentation doesn't deal with the “should you or shouldn't you” part of the parental controls debate. The focus is on one solution for the “should” side. Requirements ● Children should have a limited amount of computer time per day on certain computers. ● Children's web access should use a white list of domains. ● Adults must be able to access unfiltered web content from the children's computers with a password. ● Controls should be non-trivial to bypass. In order to achieve this, we need two basic things: 1. No shared accounts - every person has their own login. 2. A home server. Only adults have logins on this server.

Home Network Diagram ● – consumer WAP/router ● – home proxy server (Ubuntu latest - wired) ● – parent's laptop (any OS – wireless) ● – kid's computer (dual boot Ubuntu/Windows - wireless

Step 1 - Lock Down The Router This is not a high security configuration but hopefully it will be enough to last until your kids are in middle school. For slightly higher security you might block all outgoing Internet access from your home network except from the proxy server. You need a router with the ability to block Internet access from certain computers – ideally by MAC address but IP address would also be acceptable. Most if not all current consumer routers should have this ability. Enter the kid's computers MAC addresses and remove all access – this will force them to use the proxy server. If your router supports it, assign static DHCP IP address to the children's computers. The screenshots below are examples using Tomato 3rd party firmware on a Linksys WRT54G v4 wireless access point.

Access Control

Static DHCP assignment

Step 2 – Set Up Squid Install squid and dansguardian on your home server before continuing: $ sudo aptitude install squid $ sudo aptitude install dansguardian These examples use software provided in the Ubuntu 9.04 repositories – Squid 2.7 and DansGuardian 2.9. I chose the Squid proxy for my own setup because of prior familiarity and because it supports user authentication. TinyProxy would have been my first choice but it does not support user authentication.

Step 2 – Set Up Squid You could spend several months learning all the Squid options in /etc/squid/squid.conf, but here are the ones most important for this project: auth_param basic program /usr/lib/squid/pam_auth auth_param basic children 5 auth_param basic realm Please enter your name and password auth_param basic credentialsttl 2 hours acl password proxy_auth user1 user2 These directives allow users user1 and user2 to authenticate to the proxy using their Ubuntu account user and password (accounts have been created separately on the proxy server in the standard way).

Step 2 – Set Up Squid acl our_networks src /24 acl DAY time 06:00-20:00 acl DANSGUARDIAN src acl CHILDRENS src http_access allow DANSGUARDIAN DAY http_access deny DANSGUARDIAN http_access allow CHILDRENS password http_access allow our_networks http_access allow localhost http_access deny all These directives allow access through the local DansGuardian proxy during the DAY, allow access directly from the children's computers (i.e. not through DansGuardian) with a password, and allow access from any other computer on the local subnet. The entire squid.conf file is very large. If you'd like to see these options in context, an example squid.conf file is available in the “Presentations” section of

Step 3 – Set Up DansGuardian This step is also done on your home server. First, configure dansguardian as a filtering proxy by setting groupmode = 1 In /etc/dansguardian/dansguardianf1.conf Next, add any domains you need to enable to /etc/dansguardian/lists/exceptionsitelist (white list) and /etc/dansguardian/lists/greysitelist (grey list). The difference between the two lists is that Dansguardian will still scan domains in the grey list for inappropriate content and viruses. Domains in the white list are not scanned for content at all. I usually use the grey list for most domains except software updates. I did need to move littlestpetshop.com to the white list as some of the Flash content was being inappropriately flagged as containing Japanese pornography. No filter is foolproof and it's likely you'll need to fine tune your configuration at some point.

Step 3 – Set Up DansGuardian Example exceptionsitelist: avast.com littlestpetshop.com windowsupdate.microsoft.com dansguardian.org safer-networking.org spybotupdates.com ubuntu.com virtualbox.org weather.noaa.gov update.microsoft.com windowsupdate.com dell.com Example greysitelist: funbrain.com learningbox.com lego.com oswego.org primarygames.com rainforestmaths.com shiningstars.com starfall.com pbskids.org scratch.mit.edu By default in Ubuntu, Dansguardian blocks known viruses (through ClamAV), certain file extensions and pornography. If you need to add additional filtered categories (violence, gambling, etc) or unblock certain extensions, edit the configuration files in /etc/dansguardian/lists.

Step 4 – Create Proxy AutoConfig If you would like to use the proxy auto-detect feature of your favorite browser, you can set up a proxy auto- config file. You'll need a web server running on your home server – setting this up is not covered in this presentation, but there are many guides available. For best support in all browsers, you should set up DHCP and DNS discovery methods. First, create a javascript URL->proxy definition.

Step 4 – Create Proxy AutoConfig function FindProxyForURL(url, host) { if (shExpMatch(url, "*.home/*")) {return "DIRECT";} # no proxy for our LAN DNS domain if (shExpMatch(url, " /*")) {return "DIRECT";} # no proxy if (shExpMatch(url, "localhost/*")) {return "DIRECT";} # no proxy # children use DansGuardian if (isInNet(host, " ", " ")) { return "PROXY :8080"; } # all others use Squid if available, otherwise no proxy return "PROXY :3128; DIRECT"; } I have.home defined as a local TLD for devices on my home LAN. Save this file as proxy.pac and wpad.dat in the document root of your home web server.

Step 4 – Create Proxy AutoConfig For the DNS method, create a DNS alias in your DNS server for “wpad.myhomedomain”. Your browser will request the URL for proxy auto-configuration. This is supported by Firefox and IE. For the DCHP method, add dhcp-option 252 to your DHCP server configuration containing the proxy auto-config URL. This is supported by IE.

Proxy AutoConfig DHCP Setup

Step 5 – Set Up Clients Web Filtering This is the easy part. Set the proxy on the children's web browsers to the IP address of your new proxy server and use the DansGuardian port – 8080 ( On computers that don't need filtering you can set the proxy directly to Squid port If you've configured proxy auto- config you can select that instead. If you have multiple computers at home I recommend setting up your distro's package manager to use the new proxy. You can do this in Synaptic in the Preferences->Settings->Network tab.

Step 5 – Set Up Clients Time Limits If you are using Ubuntu and want to set up time limits on the computers, you can use timekpr – available from Source code is available for timekpr, but it may not work with non-Ubuntu flavors of Linux. I know of no equivalent free to use program for Windows but there are several that can be purchased. TimezUpKids - ($30) is one that I have used successfully.

Timekpr Setup Part 1

Timekpr Setup Part 2

Step 6 – Application Control If only kids use the computer, don't install software you don't want them use and don't put kids in the administrator group. On a shared computer, group execute bits may be the solution. The installer of Ubuntu is put in the admin group. To limit application usage to members of this group: $ sudo chgrp admin /usr/bin/pidgin $ sudo chmod o-rwx /usr/bin/pidgin

Step 7 – Optional Programs It would be nice to be able to add domains to the white and grey lists without editing text files and restarting DansGuardian. Then other members of your family will be able to change the lists easily as well. I wrote a simple CGI script to allow these to be changed with a web page. Because the script needs to run certain commands as root (restart DansGuardian and modify the DansGuardian configuration files), /etc/sudoers needs to be updated with these commands. Also, so as not to defeat the entire purpose of our project, the script should be password- protected. Source code for this program is available at in the “Presentations” section.

Step 7 – Optional Programs

Conclusion For better or worse Ubuntu does not have the suite of parental controls included in current versions of Windows and MacOS. However, those controls can often be trivially bypassed with Live CDs or other methods. Parental controls are not a substitute for good parenting, but they can be used to create a safer computing environment at home.