Exploring the SafeSquid filter proxy
If you are looking for a secure option for home surfing and want to protect your children against questionable web content, you need a filtering proxy. SafeSquid is a commercial proxy tool, but it comes with a free version for private users.
SafeSquid acts as a proxy for home users and small to medium-sized networks. The software sits between the browser and the Internet and provides a number of content filters (including for Flash) to make surfing more secure by defining domain blacklists and scanning for malware. Additionally, SafeSquid provides access control in the form of website categories and profiles, as well as an image recognition feature for blocking pornographic material.
Thanks to a cache for web pages and images, in combination with intelligent prefetching for web pages, SafeSquid also accelerates the surfing experience. A convenient web interface lets users evaluate logs and generate reports. Although the name might make you think otherwise, SafeSquid does not actually use the open source Squid proxy under the hood; instead, it uses a C/C++ in-house alternative developed by the vendor Office Efficiencies. SafeSquid also relies on Bash and Perl scripts for various application cases.
The vendor provides a free version and several commercial alternatives. The free Composite edition is likely more interesting for home users. One difference between the free and commercial variants is that the free version is limited to a maximum of three users. If more than three users access the network filter suite that is centrally installed on your home network, you need the commercial version.
SafeSquid is very picky about which version of Linux you are using. I tried, unsuccessfully, to install the software on Ubuntu 13.10. As the vendor later confirmed in a live chat, some packages are missing that cover all the dependencies of the installation scripts.
On Fedora 19, the setup worked well without any preparation, but SafeSquid failed to launch – the installation script had simply copied the init.d script incorrectly. A manual launch of SafeSquid also failed because of follow-up errors. Because a supporter suggested Ubuntu 12.04 in the live chat, I used the 64-bit Ubuntu 12.04 variant for testing. Further research showed that SafeSquid works seamlessly with openSUSE 12.3 (64-bit).
Running sudo su - lets you extend your privileges for administrative access; you then need to change to the /root/ directory. For the setup to work smoothly, you need to install apt-get up front. The libraries it contains meet some of the installation script's dependencies. Next, download the SafeSquid tarball from the download page and unpack it.
Change to the newly created directory, /root/safesquid/, and type ./install.sh to launch the installer (Figure 1). The installer sets up the proxy in the /opt/safesquid/safesquid/safesquid directory. Go through the individual steps of the setup routine until SafeSquid confirms the successful installation. Pressing S starts the proxy.
Alternatively, you can start SafeSquid manually with the command /etc/init.d/safesquid start. The service is now running in the background and listening on port 8080. You can use the lsof -ni:8080 command to confirm that the proxy can be reached on the appropriate port. If everything worked, entering update-rc.d safesquid defaults will ensure that the proxy is loaded automatically at every reboot.
The manufacturer requires you to activate the free SafeSquid on the Internet. You can use the web interface for this step, as well as for advanced configuration. Launch a browser and configure it to use the SafeSquid proxy (Figure 2) by specifying localhost and port 8080 as the proxy address and port. (Figure 2 shows the configuration dialog for Firefox. Other browsers are similar – see your browser's documentation.)
Enter http://safesquid.cfg as the URL in the browser and press About in the SafeSquid Interface (Figure 3). In the About window, you need to enter your email address and confirm the auto-generated activation key. Pressing Submit transfers the data to the manufacturer and thus activates the proxy installation. After successful activation, SafeSquid prompts you to reboot.
One benefit of a proxy is the option of setting up a blacklist. To configure a blacklist in SafeSquid, click the Config link on the SafeSquid interface start page. You will find a drop-down menu with many configuration categories. The first of these, Access restrictions, controls access to the proxy itself.
On the basis of various criteria, you can specify which users or which systems are allowed to use SafeSquid. The two predefined rules allow access for the local client and all other network nodes and users. To specify your own rules, you must delete these two default rules. However, for use on a home network, you will not usually need any additional access rules.
The second configuration category, cProfiles, manages the website categorization. The rules are disabled by default, but you can activate them by selecting Enabled. cProfiles sorts websites into different categories based on their content, which in theory lets you easily block access to adult content, for example.
In the lab, I tried to filter out sports pages, and the software failed to recognize any of the web pages I visited, thus allowing free access to all sports content. Language did not seem to be the problem, as the proxy continued to allow access to US football sites. In fact, in further tests with other categories, it was initially impossible to talk SafeSquid into detecting unwanted content. It was only in the Chat content that the software managed to deny access to sites.
When I contacted the manufacturer of SafeSquid with a query, I learned that the filter lists might categorize many websites differently than expected. According to support, the website I used for the test (http://www.sport1.de) was more of a news page than a sports page. In such cases, you need to block both news and sports content.
The SafeSquid web interface offers users the ability to view the URL categorization (Test cProfiles), although this option rarely worked, at least for the URLs I used. Typically, the URL tests showed no associations, although SafeSquid might possibly assign them to a category internally.
If you want to try this yourself, enable categorization and press Add to add a new cProfile. Type Chat in the Comment box and, in the Category List, check the chat content category (Figure 4). Then, type blocked-category in the Added profiles text box.
Confirm your selection by pressing Submit and then navigate to the URL filter configuration category. Enable this module by checking Enabled -> Yes and pressing Submit. In the Deny category, again follow the Add link to add a new rule with the following values:
Enabled: Yes
Profiles: blocked-category
Warning: After restarting SafeSquid (thus, after each reboot), the specially created cProfiles and URL filtering disappear. A request for clarification confirmed my suspicions: SafeSquid only stores settings you save in RAM, which is why they are lost when you restart the software. As a remedy, you can back up the SafeSquid settings (link Save settings) on the main page. The application then saves the configuration in /opt/safesquid/safesquid/config.xml. The Load settings section on the main page lets you load this file again later.
Another unpleasant side effect: The proxy does not filter websites that you have visited previously, although it would normally block them based on your settings. SafeSquid either seems to get confused here, or this is an undocumented feature.
If the SafeSquid cProfiles are not reliable enough for your liking, you can use the URL blacklist link for a configuration category to create your own blacklist. This feature is also useful for integrating external blacklists such as those offered, for example, by Shalla Secure Services, which is free for private users. You download the lists as a tarball, which you then integrate with SafeSquid (Listing 1).
$ cd /opt/safesquid
$ wget http://www.shallalist.de/Downloads/shallalist.tar.gz
$ tar xzvf shallalist.tar.gz
In the URL blacklist category, check Enabled and enter the path as /opt/safesquid/BL. When you are done, press Submit. SafeSquid loads all the entries from the URL lists into RAM at launch time, which gives you the added benefit of being able to surf without sacrificing performance due to filtering. To use the blacklists, create the following new rule under Deny:
Enabled: true
Comment: Podcasts
Categories: podcasts
Under Categories, enter the folder name in which the blacklist in question is located. In this example, the URLs for the podcast category are listed below
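Because the Deny rule refers to a blacklist by its folder name, it helps to check which folders actually list a given host before writing the rule. The following is an added example, not part of the original article or of SafeSquid: it assumes the unpacked tarball holds one folder per category under BL/, each with a domains file of one domain per line, and the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: which blacklist categories (folder names) list a host?
# Assumed layout: <BL>/<category>/domains, one domain per line, where an
# entry also covers its subdomains.

# bl_categories BL_DIR HOST: print matching categories; 1 = none, 2 = error
bl_categories() {
    bl_dir=${1%/}
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    host=${host%.}                       # accept the trailing-dot FQDN form
    [ -d "$bl_dir" ] || { echo "no such directory: $bl_dir" >&2; return 2; }
    matches=$(
        candidate=$host
        while [ -n "$candidate" ]; do
            # -x whole line and -F fixed string: "podcast.example" must not
            # match "notpodcast.example"; -l prints the file that matched.
            # grep exits 1 on "no match", which is not an error here.
            find "$bl_dir" -type f -name domains \
                -exec grep -lxF -- "$candidate" {} + || true
            case $candidate in           # next: the parent domain
                (*.*) candidate=${candidate#*.} ;;
                (*)   candidate= ;;
            esac
        done | while IFS= read -r f; do
            rel=${f#"$bl_dir"/}          # BL/podcasts/domains -> podcasts
            printf '%s\n' "${rel%/domains}"
        done | sort -u
    )
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Constructed sample tree (not real list data), with one nested folder.
make_sample_bl() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/podcasts" "$d/chat" "$d/hobby/cooking"
    printf '%s\n' podcast.example casts.example > "$d/podcasts/domains"
    printf '%s\n' chat.example podcast.example > "$d/chat/domains"
    printf '%s\n' recipes.example > "$d/hobby/cooking/domains"
    printf '%s\n' "$d"
}

# Demo; on the proxy host: bl_categories /opt/safesquid/BL some.host.name
demo_dir=$(make_sample_bl)
bl_categories "$demo_dir" feeds.podcast.example   # chat, podcasts
rm -rf "$demo_dir"
```

A host that appears in several folders, as in the demo, is only blocked by the rules whose Categories field names one of them.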
If those surf control variants do not meet your requirements, the Keyword filter configuration category contains large collections of keywords, to which you can add your own, as needed. DNS blacklist lets you block pages by referencing external DNS blacklist providers.
To provide at least rudimentary protection against viruses from downloads, it is a good idea to integrate an antivirus scanner into the proxy. SafeSquid supports the free ClamAV, as well as several commercial products; ClamAV should be sufficient for most purposes.
Click on the Client for ClamAV antivirus configuration category and then check the Yes box next to Enabled. Set a value of /var/run/clamav/clamd.ctl for the ClamAV hostname or socket path field and press Submit to confirm. Next, switch to a terminal window and install ClamAV using the commands in Listing 2. The antivirus solution is now ready for use (Figure 6).
# apt-get install clamav clamav-daemon
# freshclam
# service clamav-daemon start