Difference between revisions of "Parental Control"

From ArchWiki
(timeoutd)
(simplification and beautification of wikilinks, fixing whitespace, capitalization and section fragments (https://github.com/lahwaacz/wiki-scripts/blob/master/link-checker.py (interactive)))
 
(26 intermediate revisions by 11 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
{{Article summary start}}
+
[[ja:ペアレンタルコントロール]]
{{Article summary text|Some tools and methods for parental control, protecting and limiting children's activity on the computer.}}
+
Several methods exist to protect and limit child activity on a computer.
{{Article summary end}}
+
  
==Timekpr==
+
{{Note|Any security features will be effective only on the level you enforce them. For example, even after installing a parental control application in the operating system, the child may bypass it by downloading and booting any Linux distribution live image.}}
  
Homepage: https://launchpad.net/timekpr
+
== Applications ==
  
Package: {{aur|timekpr}}
+
* {{App|timekpr|A program controlling use of user accounts. It can limit by access duration with the daemon ''timed'', and configure at what time users can log in. A client in the traybar warns the users about their time running out, while administration is done in a graphical GTK GUI.|https://launchpad.net/timekpr|{{AUR|timekpr}}}}
 +
* {{App|timeoutd|A lightweight alternative to timekpr, it scans {{ic|/var/run/utmp}} every minute and checks {{ic|/etc/timeouts}} for an entry matching a restricted user. Restrictions are based on idle time, login time, maximum time, and time of day.||{{AUR|timeoutd}}}}
 +
* {{App|logkeys|A daemon that logs keypresses into a logfile for later inspection. The log file resides by default in {{ic|/var/log}}, but it is recommended to move it to an encrypted partition; it will for example contain every password entered in the system. Use the --keymap option if using a localized, non-US keyboard. For supervision purposes, the {{ic|--no-func-keys}} option is recommended.|https://github.com/kernc/logkeys|{{AUR|logkeys-git}}}}
 +
* [[DansGuardian]]. If you wish, you might even set up an Arch based router running DansGuardian and enforce all other devices in your physical network to connect to the internet through this router.
  
This program will control the computer usage of your user accounts. You can limit their daily usage based on a timed access duration and configure periods of day when they can log in. The program consist of a daemon which supervises the time allowed for any user, and a client in the traybar, that warns the users about their time running out. Administration is done in a graphical GTK GUI.
+
== Whitelist with Tinyproxy and Firehol ==
  
==Timeoutd==
+
The following description will enable you to filter any user's access to the internet with a whitelist of url-s using {{AUR|firehol}} and {{pkg|tinyproxy}} (or {{AUR|tinyproxy-git}}).
 
+
Package: {{aur|timeoutd}}
+
 
+
A lightweight alternative to timekpr is timeoutd. It scans /var/run/utmp every minute and checks /etc/timeouts for an entry which matches a restricted user. Restrictions can be done on idle time, login time, maximum time, and time of day.
+
 
+
==Logkeys==
+
 
+
Homepage: http://code.google.com/p/logkeys/
+
 
+
Package: {{aur|logkeys-svn}} (The -svn version is recommended. It is stable and includes the latest patch that allows logkeys to work in Archlinux)
+
 
+
This program logs every keypress into a logfile for later inspection. It runs as daemon. The logfile by default resides in {{ic|/var/log}}, but it is recommended to move it to an encrypted partition as it will contain every password ever entered in the system. For supervision purposes I recommend using the {{ic|--no-func-keys}} option. Also there is some keymaps in the {{aur|logkeys-keymap-svn}} package, use them with the {{ic|--keymap}} option, this is necessary to log the keys properly if you use a localized non US keyboard.
+
 
+
==Whitelist with Tinyproxy and Firehol==
+
The following description will enable you to filter any user's access to the internet with a whitelist of url-s using {{pkg|firehol}} and {{pkg|tinyproxy}} (or {{aur|tinyproxy-git}}).
+
  
 
{{ic|/etc/tinyproxy/tinyproxy.conf}} consists of the following changes:
 
{{ic|/etc/tinyproxy/tinyproxy.conf}} consists of the following changes:
 +
 
  FilterURLs On
 
  FilterURLs On
 
  FilterDefaultDeny Yes
 
  FilterDefaultDeny Yes
 
  Filter "/etc/tinyproxy/whitelist"
 
  Filter "/etc/tinyproxy/whitelist"
 +
 
{{ic|/etc/tinyproxy/whitelist}} should hold the url's that will be only allowed accessed by selected users. A silly example:
 
{{ic|/etc/tinyproxy/whitelist}} should hold the url's that will be only allowed accessed by selected users. A silly example:
 +
 
  (www|wiki|static).archlinux.org
 
  (www|wiki|static).archlinux.org
 
  google.com
 
  google.com
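Review bot: in the new logkeys {{App}} entry, --keymap is left as plain text while --no-func-keys in the next sentence is wrapped in {{ic|...}}; wrap it as {{ic|--keymap}} for consistency. The rewritten entry also no longer says where keymap files come from (the removed paragraph pointed to {{aur|logkeys-keymap-svn}}), so a reader told to "use the --keymap option" has nothing to pass to it. Either link to the upstream documentation for keymaps or say how to obtain one.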
Line 39: Line 29:
 
  transparent_proxy "80 443" 8888 "nobody root bin myaccount"
 
  transparent_proxy "80 443" 8888 "nobody root bin myaccount"
 
where myaccount is my account that should no be filtered by Tinyproxy.
 
where myaccount is my account that should no be filtered by Tinyproxy.
 +
 +
== OpenDNS Parental Control ==
 +
 +
[http://www.opendns.com/home-solutions/parental-controls/ OpenDNS] provides free DNS services as an alternative to your ISP's default servers. Furthermore, they provide optional filtering capabilities. Different levels of filtering is possible; see the OpenDNS main page for details.
 +
 +
For dynamic IP addresses, it is a good idea to keep them updated on OpenDNS. Use {{Pkg|ddclient}} and edit {{ic|/etc/ddclient/ddclient.conf}} as follows:
 +
 +
# OpenDNS.com account-configuration
 +
use=web, web=myip.dnsomatic.com
 +
server=updates.opendns.com
 +
protocol=dyndns2
 +
login=myopendns@email.address
 +
password=myopendnspassword
 +
myhostname
 +
 +
You may sometimes even set up your router to use OpenDNS, therefore allowing protection spanning on all devices connected to that router.
 +
 +
== Editing /etc/hosts ==
 +
You may configure your [[wikipedia:Hosts (file)|/etc/hosts]] file to block access to certain domains. A more draconian approach is to only allow domains explicitly stated in /etc/hosts, as described [https://help.ubuntu.com/community/ParentalControls#Do_It_Yourself_Whitelisting here]. If you do this, please remember that this will affect your whole system, so for example pacman may be unable to connect to the update server unless you make a proper binding in your /etc/hosts.
 +
 +
== Browser add-ons ==
 +
Several add-ons exist for web browsers to filter web content. Some of them can even block out pages examining on their body, not only on their URL. Be warned, however, that this is not a very secure way. Starting Firefox in safe mode, messing with the Firefox profile directory or Firefox profile manager are obvious ways to attempt to shut down Firefox-based add-ons. If all else fails, the kid may simply use a different browser.
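Review bot: the ddclient.conf block added in the OpenDNS section stores the account password in plain text (password=myopendnspassword), but the surrounding text does not tell the reader to restrict read access to /etc/ddclient/ddclient.conf. Suggest adding a sentence that the file should be readable by root only. Two wording fixes while here: "Different levels of filtering is possible" should read "are possible", and the retained context line "should no be filtered by Tinyproxy" should read "should not be filtered".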

Latest revision as of 12:32, 28 March 2016

Several methods exist to protect and limit child activity on a computer.

Note: Any security features will be effective only on the level you enforce them. For example, even after installing a parental control application in the operating system, the child may bypass it by downloading and booting any Linux distribution live image.

Applications

  • timekpr — A program controlling use of user accounts. It can limit access duration with the daemon timed, and configure at what time users can log in. A client in the traybar warns the users about their time running out, while administration is done in a graphical GTK GUI.
    https://launchpad.net/timekpr || timekpr (AUR)
  • timeoutd — A lightweight alternative to timekpr, it scans /var/run/utmp every minute and checks /etc/timeouts for an entry matching a restricted user. Restrictions are based on idle time, login time, maximum time, and time of day.
    || timeoutd (AUR)
  • logkeys — A daemon that logs keypresses into a logfile for later inspection. The log file resides by default in /var/log, but it is recommended to move it to an encrypted partition; it will for example contain every password entered in the system. Use the --keymap option if using a localized, non-US keyboard. For supervision purposes, the --no-func-keys option is recommended.
    https://github.com/kernc/logkeys || logkeys-git (AUR)
  • DansGuardian. If you wish, you might even set up an Arch-based router running DansGuardian and force all other devices in your physical network to connect to the internet through this router.

Whitelist with Tinyproxy and Firehol

The following description will enable you to filter any user's access to the internet with a whitelist of URLs using firehol (AUR) and tinyproxy (or tinyproxy-git (AUR)).

/etc/tinyproxy/tinyproxy.conf needs the following changes:

FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/tinyproxy/whitelist"

/etc/tinyproxy/whitelist should hold the only URLs that the selected users are allowed to access. A silly example:

(www|wiki|static).archlinux.org
google.com

/etc/firehol/firehol.conf should contain the following line:

transparent_proxy "80 443" 8888 "nobody root bin myaccount"

where myaccount is my account that should not be filtered by Tinyproxy.
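A way to check which URLs a whitelist admits before deploying it, as an added example that is not part of the original wiki page. It assumes Tinyproxy tests each whitelist line as a case-insensitive extended regular expression against the full URL (FilterURLs On together with FilterExtended On), modelled here with grep -E -i; the anchored variant and the sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Model of the whitelist decision under FilterDefaultDeny Yes:
# a URL is allowed only if at least one whitelist line matches it.
# Assumption: grep -E -i stands in for Tinyproxy's regex matching.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Whitelist exactly as shown on the page.
cat > "$workdir/page" <<'EOF'
(www|wiki|static).archlinux.org
google.com
EOF

# Constructed variant: dots escaped, scheme and host anchored.
cat > "$workdir/anchored" <<'EOF'
^https?://(www|wiki|static)\.archlinux\.org(:[0-9]+)?(/|$)
^https?://(www\.)?google\.com(:[0-9]+)?(/|$)
EOF

# verdict LIST URL -> prints "allow" or "deny"
verdict() {
    if printf '%s\n' "$2" | grep -E -i -q -f "$workdir/$1"; then
        echo allow
    else
        echo deny
    fi
}

# Constructed sample URLs: two intended sites, two that merely
# contain a whitelisted string somewhere in the URL.
for url in \
    "http://wiki.archlinux.org/index.php/Parental_Control" \
    "http://www.google.com/" \
    "http://unlisted.example/?ref=google.com" \
    "http://google.com.unlisted.example/"
do
    printf '%-52s page=%-5s anchored=%s\n' "$url" \
        "$(verdict page "$url")" "$(verdict anchored "$url")"
done
```

Unanchored lines match anywhere in the URL, so the last two sample URLs pass the page's list and are denied only by the anchored one.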

OpenDNS Parental Control

OpenDNS (http://www.opendns.com/home-solutions/parental-controls/) provides free DNS services as an alternative to your ISP's default servers. Furthermore, they provide optional filtering capabilities. Different levels of filtering are possible; see the OpenDNS main page for details.

For dynamic IP addresses, it is a good idea to keep them updated on OpenDNS. Use ddclient and edit /etc/ddclient/ddclient.conf as follows:

# OpenDNS.com account-configuration
use=web, web=myip.dnsomatic.com
server=updates.opendns.com
protocol=dyndns2
login=myopendns@email.address
password=myopendnspassword
myhostname

You may sometimes even set up your router to use OpenDNS, thereby extending protection to all devices connected to that router.

Editing /etc/hosts

You may configure your /etc/hosts file to block access to certain domains. A more draconian approach is to only allow domains explicitly stated in /etc/hosts, as described at https://help.ubuntu.com/community/ParentalControls#Do_It_Yourself_Whitelisting. If you do this, please remember that this will affect your whole system, so for example pacman may be unable to connect to the update server unless you make a proper binding in your /etc/hosts.

Browser add-ons

Several add-ons exist for web browsers to filter web content. Some of them can even block pages based on their body content, not only on their URL. Be warned, however, that this is not a very secure method. Starting Firefox in safe mode, or tampering with the Firefox profile directory or the Firefox profile manager, are obvious ways to attempt to shut down Firefox-based add-ons. If all else fails, the kid may simply use a different browser.