Filter YouTube with YouTube For Schools and squidGuard

Before we start

Your LAN must already have a production instance of squid running on a Linux operating system such as Ubuntu.

For this guide, I was using Ubuntu Server 12.04 LTS, which ships with squid/3.1.19. The guide has been tested on both 32- and 64-bit builds.

Ensure the following domains are not blocked

youtube.com
ytimg.com

Sign up for a YouTube for Schools account

Go to http://www.youtube.com/account_school and sign up for a YouTube for Schools account. The sign-up process should only take minutes.

Once your account is created, go to http://www.youtube.com/account_school and, under the Instructions heading, Step 1, search for the following string: X-YouTube-Edu-Filter: The random numbers and letters after that string are your account ID. The account ID is required for the redirection to work correctly. Please document your account ID.

ABCD1234567890abcdef

Install squidGuard

squidGuard is the URL rewrite program. To install it, use the following command:

proxy:~$ sudo apt-get install squidguard

Edit squidGuard configuration

Let's back up the default squidGuard configuration, as it has examples which are useful but none of which we require.

proxy:~$ sudo cp -v /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.original

Now edit the squidGuard configuration and make it work for you.

proxy:~$ sudo vim /etc/squid/squidGuard.conf

Remove all the examples and paste in the new configuration from below. Replace ABCD1234567890abcdef with your YouTube for Schools account ID. Save and exit.

#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#
dbhome /var/lib/squidguard/db
logdir /var/log/squid
# ACL RULES:
#
rew youtube {
    s@(http://www.youtube.com/watch\?v=.*)@\1\&edufilter=ABCD1234567890abcdef@i
}
acl {
    default {
        pass any
        rewrite youtube
    }
}

Add squidGuard into your squid configuration

proxy:~$ sudo vim /etc/squid3/squid.conf

Search for url_rewrite_program and insert the following line. Save and exit.

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Restart squid to enable squidGuard

Restart the squid service to apply the configuration changes.

proxy:~$ sudo service squid3 restart

YouTube for Schools is now enabled

When you load http://www.youtube.com you will be able to see all videos listed on the main page, but when you attempt to watch these videos you will only be able to view content classified as educational by YouTube or content that has been added to the school YouTube account’s playlists.

While you can add staff to a list of teachers who can view all content, only the administrator (the school's YouTube account) can add content to be viewed by all students.

You may want to block access to youtube.com via HTTPS, as the squidGuard rewrite is unable to intercept SSL connections.
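To check which requests the rewrite rule above actually covers, including the HTTPS case just mentioned, the following added example (not part of the original guide and not squidGuard itself) emulates the s@...@...@i substitution with Python's re module. The sample URLs and the VIDEOID placeholder are constructed, and treating Python's regex matching as equivalent to squidGuard's is an assumption.

```python
import re

ACCOUNT_ID = "ABCD1234567890abcdef"  # placeholder account ID from this page

# The page's rule, s@(http://www.youtube.com/watch\?v=.*)@\1\&edufilter=ID@i,
# expressed as a Python pattern and replacement (emulation, not squidGuard).
PAGE_RULE = (r"(http://www.youtube.com/watch\?v=.*)",
             r"\g<1>&edufilter=" + ACCOUNT_ID)


def rewrite(url, rule=PAGE_RULE):
    """Apply one case-insensitive s@from@to@i substitution to a request URL."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, url, count=1, flags=re.IGNORECASE)


def coverage(urls, rule=PAGE_RULE):
    """Map each URL to True if the rule appended the edufilter parameter."""
    return {url: rewrite(url, rule) != url for url in urls}


# Constructed sample requests (VIDEOID is a placeholder, not a real video).
SAMPLE_URLS = [
    "http://www.youtube.com/watch?v=VIDEOID",
    "HTTP://WWW.YOUTUBE.COM/watch?v=VIDEOID",
    "http://www.youtube.com/watch?feature=related&v=VIDEOID",
    "http://youtube.com/watch?v=VIDEOID",
    "www.youtube.com:443",  # HTTPS arrives as CONNECT host:port, no path
]

if __name__ == "__main__":
    for url, rewritten in coverage(SAMPLE_URLS).items():
        print(("REWRITTEN  " if rewritten else "UNCHANGED  ") + url)
```

Any request form reported as UNCHANGED passes through the proxy without the account ID, so either widen the rule to cover it or block that form at the proxy.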

References

http://www.youtube.com/account_school

http://support.google.com/youtube/bin/static.py?hl=en&page=guide.cs&guide=2592683&topic=2592688

http://support.google.com/youtube/bin/static.py?hl=en&guide=2592683&topic=2592688&page=guide.cs&answer=2695317

http://squidguard.shalla.de/config/#Rewritegroups

https://help.ubuntu.com/community/SquidGuard

Configure HP Procurve Switch via Command Line Interface

After getting my eyes on a Cisco 2960 config created by DEECD, I decided to replicate their config on our HP Procurve switches.

Connect to the switch via telnet or the serial console and enter config mode

switch# config

Set the IP default gateway

switch(config)# ip default-gateway 10.136.236.1

Set hostname and contact details

switch(config)# hostname "2510_01"
2510_01(config)# snmp-server contact "tyrone.wyatt@gmail.com"
2510_01(config)# snmp-server location "Senior Campus, Server Room"

Set timezone and network time protocol details

2510_01(config)# timesync sntp
2510_01(config)# sntp server 10.10.20.69
2510_01(config)# sntp unicast

Set timezone offset from GMT in minutes

2510_01(config)# time timezone 600

Enable web management SSL and disable web management plaintext

2510_01(config)# crypto key generate cert 1024
2510_01(config)# crypto host-cert generate self-signed
Validity start date [10/21/2012]: 10/21/2012
Validity end date [10/21/2013]: 10/21/2018
Common name [0.0.0.0]: 10.136.236.68
Organizational unit [Dept Name]: ICT
Organization [Company Name]: XXXX College
City or location [City]: XXXX
State name [State]: VIC
Country code [US]: AU
2510_01(config)# web-management ssl
2510_01(config)# no web-management plaintext

Enable SSH and disable telnet

2510_01(config)# crypto key generate ssh
Installing new RSA key. If the key/entropy cache is depleted, this could take up to a minute.

Enable SSH version 2 if supported

2510_01(config)# ip ssh version 2

Enable SSH version 1 if version 2 isn’t supported

2510_01(config)# ip ssh
2510_01(config)# no telnet-server

Set username and passwords

2510_01(config)# password manager user-name admin
2510_01(config)# password operator user-name monitor

Set banner

2510_01(config)# banner motd %
########################################################################
#                        Authorised Users Only                         #
# The information on this computer and network is the property of      #
# <COMPANY NAME> and is protected by intellectual property             #
# rights. You must be assigned an account on this computer to          #
# access the information and are only allowed to access information as #
# defined by the System Administrator(s). Your activities are          #
# monitored for security reasons.                                      #
########################################################################
%

Set name for interface/s

2510_01(config)# interface B1-B6 name " "

Save and view the configuration

2510_01(config)# write memory
2510_01(config)# show run
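Once the configuration is saved, the "show run" output can be checked against the hardening steps above. The following is an added example, not part of the original post: the expected lines are the commands entered on this page, the two sample configurations are constructed, and it assumes that "show run" lists these commands as typed and that telnet and plaintext web management stay on when their "no" line is absent.

```python
# Expected lines are the commands entered on this page. Assumption: "show run"
# lists them as typed, and a service stays on when its "no ..." line is absent.
EXPECTED = [
    ("no telnet-server", "telnet is still enabled"),
    ("no web-management plaintext", "plaintext web management is still enabled"),
    ("web-management ssl", "SSL web management is not enabled"),
    ("ip ssh", "SSH is not enabled"),
    ("timesync sntp", "SNTP time sync is not configured"),
    ("banner motd", "no login banner is set"),
]


def audit(running_config):
    """Return a list of findings for a running-config given as text."""
    lines = [line.strip() for line in running_config.splitlines()]

    def present(command):
        return any(ln == command or ln.startswith(command + " ") for ln in lines)

    findings = [problem for command, problem in EXPECTED if not present(command)]
    if present("ip ssh") and not present("ip ssh version 2"):
        findings.append("SSH is enabled without 'ip ssh version 2'")
    return findings


# Constructed sample configurations, not output captured from a real switch.
HARDENED = """\
hostname "2510_01"
timesync sntp
sntp server 10.10.20.69
ip ssh version 2
no telnet-server
web-management ssl
no web-management plaintext
banner motd "Authorised Users Only"
"""

PARTIAL = """\
hostname "2510_01"
ip ssh
web-management ssl
"""

if __name__ == "__main__":
    for name, config in (("HARDENED", HARDENED), ("PARTIAL", PARTIAL)):
        print(name, audit(config) or "no findings")
```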
