Parental control

From ArchWiki

Several methods exist to protect and limit child activity on a computer.

Note: Any security features will be effective only on the level you enforce them. For example, even after installing a parental control application in the operating system, the child may bypass it by downloading and booting any Linux distribution live image.

Applications

  • timekpr-next — Timekpr-nExT, a fresh, simple and easy to use screen time managing application that helps optimizing time spent at computer.
https://mjasnik.gitlab.io/timekpr-next/ || timekpr-nextAUR
  • timeoutd — A lightweight alternative to timekpr, it scans /var/run/utmp every minute and checks /etc/timeouts for an entry matching a restricted user.
https://github.com/sohonet/timeoutd || timeoutdAUR
  • logkeys — A daemon that logs keypresses into a logfile for later inspection.
https://github.com/kernc/logkeys || logkeysAUR

Restrict opening applications

malcontent allows setting access restrictions for flatpak based applications.

malcontent-client set-app-filter timmy x-scheme-handler/http

This will disallow the user timmy from opening a web browser provided by Flatpak.

Whitelist with Tinyproxy and Firehol

The following description will enable you to filter any user's access to the internet with a whitelist of url-s using fireholAUR and tinyproxy (or tinyproxy-gitAUR).

/etc/tinyproxy/tinyproxy.conf consists of the following changes:

FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/tinyproxy/whitelist"

/etc/tinyproxy/whitelist should hold the url's that will be only allowed accessed by selected users. A silly example:

(www|wiki|static).archlinux.org
google.com

/etc/firehol/firehol.conf should contain the following line:

transparent_proxy "80 443" 8888 "nobody root bin myaccount"

where myaccount is my account that should not be filtered by Tinyproxy.

OpenDNS Parental Control

OpenDNS provides free DNS services as an alternative to your ISP's default servers. Furthermore, they provide optional filtering capabilities. Different levels of filtering is possible; see the OpenDNS main page for details.

For dynamic IP addresses, it is a good idea to keep them updated on OpenDNS. Use ddclient and edit /etc/ddclient/ddclient.conf as follows:

# OpenDNS.com account-configuration
use=web, web=myip.dnsomatic.com
server=updates.opendns.com
protocol=dyndns2
login=myopendns@email.address
password=myopendnspassword
myhostname

You may sometimes even set up your router to use OpenDNS, therefore allowing protection spanning on all devices connected to that router.

Editing /etc/hosts

You may configure your /etc/hosts file to block access to certain domains. A more draconian approach is to only allow domains explicitly stated in /etc/hosts, as described here. If you do this, please remember that this will affect your whole system, so for example pacman may be unable to connect to the update server unless you make a proper binding in your /etc/hosts.

Blocklisting using named

See also: BIND

Create stub zone file ("/var/named/denied.zone") that redirects everything to localhost

@                               1D IN SOA   ns1.example.com. root.example.com. (
                                   42    ; serial (yyyymmdd##)
                                   3H    ; refresh
                                   15M   ; retry
                                   1W    ; expiry
                                   1D )  ; minimum ttl
                               1D  IN  NS      ns.example.com.
                      1D  IN  A       127.0.0.1
                      1D  IN  AAAA    ::1

*                      1D  IN  A       127.0.0.1
*                      1D  IN  AAAA    ::1

Add

zone "SOME-DOMAIN-1.TLD" IN { type master; file "denied.zone"; };
...
zone "SOME-DOMAIN-N.TLD" IN { type master; file "denied.zone"; };

to named.conf.

Recent named versions support DoT and DoH, so you can expose named to internet and use it from outside your lan. (For example Firefox can use DoH, android devices has global "private DNS server" setting for DoT)

Squid

Squid is feature reach proxy that supports authorization, caching, TLS bumping, transparency with firewall, access lists based on MAC, IP, domain, and TLS SNI. It has separate article. In combination with nftables, Squid can be used to fully control which websites can be browsed by the children (see [1]).

Browser add-ons

Several add-ons exist for web browsers to filter web content. Some of them can even block out pages examining on their body, not only on their URL. Be warned, however, that this is not a very secure way. Starting Firefox in safe mode, messing with the Firefox profile directory or Firefox profile manager are obvious ways to attempt to shut down Firefox-based add-ons. If all else fails, the kid may simply use a different browser.