Saturday, July 13, 2013

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 6 Parting Thoughts


Network Security:

Keep all of your local ports closed. Use your Desktop and go to one of those free port scan utilities on the web and run it. This should probably be done quarterly and you want to make sure that no port is answering. Running a service on a home network is dangerous. If a port is open, go through your router and close it.

For the record, you can use this desktop computer for almost anything you would normally use a Windows PC for. There is lots of software available; look around. On your desktop computer, at least lock the screen before you walk away. Preferably, you should just sign off. Don't give your kids physical access to your desktop; let them know it is off limits. There was a story I heard in college, where one of the students created a fake sign-on screen. By the end of the semester, this student had captured every other person's user ID & Password (including the teachers'). It would be harder to pull off today, but not impossible. If the kids want to use the desktop, make them ssh in. There is a setting that would prevent your kids from signing on to the desktop via the desktop.

Passwords need to be strong. As I said before, your children know you. Use special characters and numbers in the password and use words or phrases that they don't connect with you. Don't make it easy for your kids to crack your network.

Known Issues

1. Raspberry Pi: it's a great little computer and has 1001 uses. But it is cheap, and your child could get hold of one, go around all of your security and have free rein on the Internet without your knowledge. OK, the router will still stop most of it; that's why we have several tiers of security. Most modern routers allow the owner to set up an Access List, which allows you to limit the computers that can connect to only those with approved MAC Addresses. Another issue is that your child could boot their laptop from a memory stick, which would also allow them to go anywhere on the internet. If you can't ssh in, something is wrong. Based on the MAC Address you should be able to figure out what computer it is.

2. Almost all browsers have a private browsing mode. I don't know of any way to completely disable this. I know of an add-on for Firefox that will allegedly remove the menu item, but there is supposed to be an easy way to get around this. I don't know of a good solution for this other than locking the laptop down in such a way they can't be taken to another network.

Cutting the Rope

When your Children are young, you will want to have the security settings as tight as possible, but as they get older it will be necessary to relax them. Start with the e-mail and chatting. Relax the rules a little and if they behave responsibly leave them alone. If they are irresponsible, tighten it back up. By the time they are 15 or 16, they should be allowed a more free hand and hopefully if they have problems they will come to you.

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 5 How to Make your Life Easier


By doing a little bit of preparatory work, we can make the numerous tasks involved in monitoring the children considerably simpler, with less typing.

IP addresses are assigned on a first-come, first-served basis. So one day, if your oldest son signs on first, he may get 192.168.0.2. On the next day, if he signs on late, he might get 192.168.0.4. This makes it harder for you to determine which computer is which. There are several things that can be done about this.

  1. On most routers, there is a setting to assign a specific IP address to a computer's MAC address or Host Name. If you enter:

ifconfig

The first line displayed will have the word HWaddr, followed by a series of numbers; that will be your MAC address. But you will have to get the right network interface. eth0 is Ethernet; that is the one if you are using a cable to connect the laptop to the router. More than likely, it is going to be the paragraph starting with wlan0. That will be the wireless network.

  2. When you set up each laptop, set the hostname to the name of the child who is going to use it. Then, when you ssh in, the prompt will display something similar to:

parent@johnslaptop

That tells you immediately whose computer you are on. Therefore, if you have already checked that computer this week, sign off and move on to the next one.

If you didn't set that up, it's not too late. Sign in to John's Computer and just type the following command:

sudo leafpad /etc/hostname

And change whatever name is there to johnslaptop and save the file.

If you are unsure of whose computer you are signed on to, you can type “w” (on the terminal program) and it will display any users signed on.

Let's start first with the desktop and the ugly fping utility. So, log into your desktop and start a terminal. We need to check that there is a “bin” directory and that it is in your path. So, type in the following command:

ls -l | grep bin

If nothing is returned, we need to create a bin directory. So type the following:

mkdir bin

Now to see if bin is in our path (case is important):

echo $PATH

If you don't see bin in the output, type

export PATH=$PATH:$HOME/bin

Almost all Linux Distributions come with a basic GUI editor. Gnome and Xfce usually come with gedit; KDE usually comes with kate or kedit. Bodhi comes with leafpad, but you can install gedit to keep things consistent. Whatever your system came with, run that program. Now enter the following into the editor:

#!/bin/bash
echo 'My IP Address: '
ifconfig | grep 192
echo 'Network IP Addresses'
/usr/sbin/fping -s -g 192.168.0.0 192.168.0.255 -r 1 2> /dev/null | grep alive

Now save the file as “bin/myfping” and then issue the following command

chmod +x bin/myfping

Now when you type in “myfping”, your output will list your IP address first and then followed by all of the “alive” IP Addresses on your network.
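One way to act on the MAC-address advice here and under Known Issues in Part 6, as an added example that is not part of the original post: it compares the machines the desktop has seen (in the format printed by `ip neigh show`) with a list of the family's MAC addresses and flags anything else. The inventory, the addresses and the function names are constructed for illustration, and it assumes the `ip` command from iproute2 is installed.

```shell
#!/bin/sh
# Added example: flag devices on the LAN whose MAC address is not in the
# family inventory. Every address and name below is constructed sample data.

# Inventory: "MAC owner" per line, the same MACs you approve in the
# router's Access List.
known_devices() {
    cat <<'EOF'
00:16:3e:aa:00:01 router
00:16:3e:aa:00:02 parentdesktop
00:16:3e:aa:00:03 johnslaptop
EOF
}

# Constructed sample in the format printed by `ip neigh show`.
sample_neighbors() {
    cat <<'EOF'
192.168.0.1 dev wlan0 lladdr 00:16:3E:AA:00:01 REACHABLE
192.168.0.3 dev wlan0 lladdr 00:16:3e:aa:00:03 STALE
192.168.0.7 dev wlan0 lladdr 00:16:3e:bb:00:99 REACHABLE
192.168.0.9 dev wlan0  FAILED
EOF
}

# audit_devices INVENTORY_FILE NEIGHBOR_FILE
# Prints "KNOWN ip mac owner" or "UNKNOWN ip mac" for every neighbor entry
# that carries a MAC address. MACs are compared case-insensitively.
audit_devices() {
    awk '
        FILENAME == ARGV[1] { owner[tolower($1)] = $2; next }  # inventory file
        {
            mac = ""
            for (i = 1; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next        # FAILED/INCOMPLETE entries have no MAC
            if (mac in owner) print "KNOWN", $1, mac, owner[mac]
            else              print "UNKNOWN", $1, mac
        }
    ' "$1" "$2"
}

# Demo on the constructed data. For live use, run myfping first so the
# neighbor table is populated, then: ip neigh show > neighbors.txt
run_demo() {
    tmp=$(mktemp -d) || return 1
    known_devices > "$tmp/inventory.txt"
    sample_neighbors > "$tmp/neighbors.txt"
    audit_devices "$tmp/inventory.txt" "$tmp/neighbors.txt"
    rm -rf "$tmp"
}
run_demo
```

An UNKNOWN line is a device to track down; the desktop itself never appears in its own neighbor table, so it is listed in the inventory only for completeness.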

Now on each laptop, you will want to create a bin directory on your user account. You will also want to make sure the bin directory is in your path statement. Do all of this as you did on the desktop.

In the E-mail step we determined what the profile name was. We can put this in a script, making it quick and easy to start your child's E-mail Program. Note each laptop will have a unique profile filename, therefore your script will also need to be unique on each laptop. Using a text editor we will create an email script as follows:

#!/bin/bash
thunderbird -offline -P ""

Then between the double quotes, put in the Profile File Name. Save the file to something like bin/tbird and then run a:

chmod +x bin/tbird

Which will give the script execution rights. To run it, just type tbird.

Now we will do something similar for sqliteman. Again the places.sqlite filename will be unique on each laptop, so you will have to customize this script for each laptop.

#!/bin/bash
sqliteman /home/charles/.mozilla/firefox/mwad0hks.default/places.sqlite

Then save the file to something like bin/ffhistory and issue a chmod command to give it execution rights.

Eventually, your child will outgrow his or her laptop. They will need to run programs that won't run on these older computers. Make them make a case for it. If it is for entertainment you can always say no. But if the need is real, you can install the needed program on the desktop and then create a user id on the desktop for them. If it is a Windows application, most will run under Wine. And then from their laptop they can ssh into the desktop and run the needed programs.

This will maximize your investment in the desktop and their laptops will still be usable as dumb terminals.

Unusual behavior

You may notice one of your children keeping long hours on his or her laptop and being defensive about what they are doing. You can get an approximate idea as to what they are up to. One easy thing that you can do is ssh into their laptop and run the top command. This will show what programs are running. To make it easier to look at, run it as “top -u [User ID]”, where [User ID] is your child's user ID. This will just show the programs that are owned by your child and not system processes. By looking at the process names, you can determine if they are chatting, doing e-mail or just on the web. If you want a longer term idea of what is going on, you can set up a script like the following:

#!/bin/bash
# Time-stamp each sample
echo `date` >> /home/parent/CharlesLog.dat
# Top 25 processes by CPU use, filtered to the child's user ID
ps -eo pcpu,pid,user,args | sort -k 1 -nr | head -25 | grep [User ID] >> /home/parent/CharlesLog.dat

Replace [User ID] with your Child's user ID.
The 2nd command (ps), even though it may wrap onto 2 lines, is actually just one line.
Note the quotes here are backward ticks (to the left of the one on most keyboards).

Now save this to bin/cmonitor & issue a “chmod +x” to it.

Now create a 2nd file and give it any name you like

*/5 * * * * /home/parent/bin/cmonitor

Save the file and issue the following command

crontab [filename]

With [filename] being the file you just created. Now the script file bin/cmonitor will run every five minutes, adding its output to the logfile. The logfile will end up looking something like the following:

Tue Apr 17 13:28:47 EDT 2012
0.9 3752 charles gedit
0.9 3309 charles /opt/libreoffice3.4/program/soffice.bin --writer
0.3 2913 charles compiz --ignore-desktop-hints glib gconf gnomecompat
0.1 2761 charles /usr/libexec/multiload-applet-2


Each run of the script first writes the Date/Time.
In the columnar data, the first column is the percent of CPU used, the 2nd is the program's pid, the 3rd is the user who owns the script/program and the last column is the command that was run. The next day, you should ssh back into this computer and enter the following command:

crontab -r

That will stop the script from running every 5 minutes. If you don't do this, eventually the child's computer would run out of disk space.

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 4 Monitoring Web Activity

We are going to ssh into the child's computer, like before:

    ssh -X [ParentName]@192.168.0.3   

First of all, you need to know the file name of the Firefox Database. So we will run the following command on your child's laptop:

    locate places.sqlite | grep firefox

We are looking for something in the child's home directory that ends in “places.sqlite”. If you want to make it easier to look at, you can grep your child's name against it, thus:
       
    locate places.sqlite | grep firefox | grep charles

Now just do a copy of the whole file name and add it to the command sqliteman, like so:

    sqliteman /home/charles/.mozilla/firefox/mwad0hks.default/places.sqlite

A GUI app window will open.  Copy and paste (use a control-V to paste) the following command into the top right pane of the app and then press the green arrow above it.


    SELECT datetime(moz_historyvisits.visit_date/1000000,'unixepoch'), moz_places.url
    FROM moz_places, moz_historyvisits
    WHERE moz_places.id = moz_historyvisits.place_id

The icon 2nd from the right is a Save As. Save your script because you are probably going to be using it a lot.
Click anywhere in the second pane and do a Control-A, followed by a Control-C.  Open Libre Office's Calc Program on your desktop computer, Click on the A1 Cell and do a paste.  Select all of the data, go to Data->Sort and descending on Column A.  The History file will now be listed with most recent at the top.  You can now go through and spot check the web sites and see that they are ok. 

If you find a porn site, don't panic, and don't blow up!  Just like anyone else, the child could have gone there by accident or been tricked; it happens.  If he or she isn't spending significant time on these web sites, everything is probably ok.  Otherwise, use your best judgment.

If it was a porn site it probably didn't happen at the house. They may have taken it to a friend's house. Talk to your child and find out where it happened. If it was at a friend's house, talk to the parents of the child and show them how to change their DNS settings so that it won't happen again.

If it happened at the house, check your router settings, maybe change the router password. But the best guess is that your child attached to a hotspot that didn't block anything.

Friday, July 12, 2013

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 3 Monitoring E-Mail


Identify your own IP address.  To do this type the following command in at a terminal:

    ifconfig | grep 192

And then you should see something like:

    inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0

In this case your IP address is 192.168.0.2

Now to find your child's IP address run the following command:

    /usr/sbin/fping -s -g 192.168.0.0 192.168.0.255 -r 1 2> /dev/null | grep alive

Be aware that this command takes a few minutes to run.  The output will look something like:

    192.168.0.1 is alive
    192.168.0.2 is alive
    192.168.0.3 is alive

If the command didn't work, check to see where fping is, by typing:
    whereis fping
And then change the command so it looks in the right directory.  I have seen it in both bin and sbin.
       
IP addresses ending in either 1 or 254 are probably the router (but not both).  In this case, the first address is probably the router, the 2nd is yours and the third is your child's.  Each child that is using their computer will have their own unique IP Address.  If you think of a computer as a house, the IP Address is the street address of each house and therefore each house (computer) gets their own unique street address.

Now just issue the following command from a terminal:

    ssh -X [ParentName]@192.168.0.3

with [ParentName] being the user ID you created for yourself and it will prompt you for your password.

Make sure the child isn't running email; you can't run it if he or she is already in it. To find out, type the following:

    ps -ef | grep thunderbird

If the output has a .bin, they are running Thunderbird.  If they are working on a paper or something, you can probably quietly kill Thunderbird and then start it up for yourself.  To kill it, type:

    sudo killall thunderbird

But be quick, get in spot check it and get out.  The longer you are in, the more likely he or she is going to catch on.

Now issue the following command to find their Thunderbird ini file

    locate profiles.ini | grep .thunderbird

If you didn't find the file, run “sudo updatedb” from the terminal and try it again.  Note: updatedb will run a few minutes. After updatedb finishes, redo  the locate command.  Now copy the whole file name.  Just highlight it and go to Edit → Copy.

Finally, you are ready to run thunderbird.  Type the following command and just do a File->Paste  with the cursor between the double quotes:

    thunderbird -offline -P ""

You should see their email client come up. Just read sent or received e-mail. Don't go ballistic over little indiscretions; you are looking for e-mails from sexual predators or something indicating your child could be getting in a lot of trouble. Watch for e-mail volume dropping. If your child is technically proficient he or she may have caught on and set up another e-mail account. Don't allow this, and don't allow him or her to use Gmail. If they really need a Gmail account, set it up so that it gets popped onto their local hard disk; that way you can monitor it. Android phones all require a Gmail account.


You can save the command to start Thunderbird for each child, so that you don't have to go through these steps each time.  Each child will have their own unique profiles.ini file, but once it has been set up it won't change.

The easiest thing to do with e-mail is just create a filter that deletes any e-mail from someone who isn't in the Child's Address Book.  To set this filter up just go to Tools->Message Filters and click on New.  Give it a name, change the first drop down box to From, the 2nd drop down box to “Isn't in my Address...” and then the third drop down box to Personal Address Book.  Finally change Perform Action Drop Box to “Delete”.  Then just click the “OK” Button.  You will want to check periodically that your child hasn't played with these settings.  Of course you will want to make sure your child's teachers, relatives, school friends, club members, and members of your religious organization are added to his or her address book.

You may want to spot check the addresses in their address book. If you don't know who it is, ask the child.

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 2 Samba

For extra credit install and configure Samba.   Samba is a system that creates Network Drives.  There are some very good reasons to do this:

1. At some point one of your kids (or all) are going to accidentally delete an important file.  Probably an important school paper.  If instead of saving files to the local hard disk, they are saved to each child's private network drive and there are periodic backups made of the network drive, all that you would have to do is restore from the backup.

2. Your children won't be depleting their local hard disk (which is probably going to be small anyway.)

3. You can set up a common drive that everyone has access to, making file sharing easy.

4. Your Children's Documents will be stored on the Desktop in your kids' Samba Directories, making it easy for you the parent to monitor them for quality. If there is an Educational Issue, you could possibly catch it before it is turned in. You may also get a heads up to a looming educational issue and perhaps be able to take corrective actions.

The following web page describes a very basic and easy way to configure Samba:

    http://www.unixmen.com/how-to-configure-samba-using-a-graphical-interface-in-ubuntu/


Sign on to each laptop as your child and issue the following commands from within their home directory:

    mkdir bin
    mkdir PrivDir
    mkdir ShareDir

Now on each laptop start the text editor  with “leafpad” and create the following file and save it to bin/AttachSamba

#!/bin/bash
mount -t cifs //[IP Address]/[Samba Share] /home/charles/PrivDir -o rw,username=[Samba User Name],password=[Samba Password],uid=nnnn,gid=nnnn
mount -t cifs //[IP Address]/[Samba Share] /home/charles/ShareDir -o rw,username=[Samba User Name],password=[Samba Password],uid=nnnn,gid=nnnn


Note the above file is only three lines long.  The mount command is one line long from the word "mount" to "gid=nnnn".  It won't fit in one line in this blog, but it is just one line.  If you break it up, the script will fail.

Now the explanation of this is kind of messy. The [IP Address] needs to be the IP Address of the Desktop. The [Samba Share] is probably going to be the child's name. The Samba User Name and Password would be this child's Samba User Name and Password. This is the share name that you set up with the Samba GUI Tool.

There is a GUI User Add utility that you can just use to display your child's User info with and it will display the gid and uid numbers or you can type the following command into a terminal:

    cat /etc/passwd | grep charles

With charles being your child's name. There will be two 4 digit numbers displayed; they will probably be identical. These are the uid and gid.

Finally from a terminal type the following command:

    sudo chmod +x /home/charles/bin/AttachSamba


If you only set up a Private Directory for your child, delete the 2nd mount command.  But really, a common directory for files the whole family needs access to is going to be really useful.

Now create the following file in the Desktop Directory on your Child's computer.

    #!/bin/bash
    gksudo /home/charles/bin/AttachSamba

And save it as Connect.sh.  Then issue a chmod to make it executable:
    chmod +x Desktop/Connect.sh

Now your child will have an icon to connect to his/her private network drive and the common drive.   

There is one last thing that has to be done: right now your child can't run this command because he or she doesn't have super user rights. You can give them the rights to just mount and unmount file systems though. This can't be done from your child's account. The easiest thing to do, since you are already logged into your child's account, is issue the following command from a terminal:

    su - [Parent Account]

It will prompt you for your password and then issue the following command:

    sudo visudo

and then find the line that has “root    ALL=(ALL:ALL) ALL” and add the following line below it:

    charles ALL=(ALL) /bin/mount, /bin/umount, /sbin/halt

Press F3 to save and F2 to exit.
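
The same setup with the Samba password kept out of the script and the process list, and with sudo limited to one fixed script instead of `mount` with any arguments; this is an added example, not part of the original post. It uses the `credentials=` option of mount.cifs and the sudoers `""` (no arguments allowed) form; the file paths, the `shared` share name, the uid/gid and the password are hypothetical.

```shell
#!/bin/sh
# Added example: all names, paths and the password are hypothetical
# placeholders. The real install steps are run as root on the child's laptop.

# write_credentials FILE USER PASSWORD
# Creates a mount.cifs credentials file that only its owner can read
# (root, when this is run as root).
write_credentials() {
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# render_wrapper SERVER_IP CRED_FILE CHILD UID GID
# Prints a fixed mount script: it takes no arguments and no password ever
# appears on a command line. The private share is named after the child;
# "shared" is an assumed name for the common share.
render_wrapper() {
    cat <<EOF
#!/bin/sh
mount -t cifs //$1/$3 /home/$3/PrivDir -o rw,credentials=$2,uid=$4,gid=$5
mount -t cifs //$1/shared /home/$3/ShareDir -o rw,credentials=$2,uid=$4,gid=$5
EOF
}

# render_sudoers CHILD WRAPPER
# Prints a sudoers rule that allows only the wrapper, and only with no
# arguments (the trailing "").
render_sudoers() {
    printf '%s ALL=(root) %s ""\n' "$1" "$2"
}

# Demo: build all three files in a scratch directory and show the result.
demo() {
    dir=$(mktemp -d) || return 1
    write_credentials "$dir/cred-charles" charles 'example-password'
    render_wrapper 192.168.0.100 /etc/samba/cred-charles charles 1001 1001 \
        > "$dir/attach-samba"
    render_sudoers charles /usr/local/sbin/attach-samba > "$dir/sudoers-charles"
    ls -l "$dir/cred-charles" | cut -c1-10     # permission bits only
    cat "$dir/attach-samba" "$dir/sudoers-charles"
    rm -rf "$dir"
}
demo
```

On a real laptop the wrapper would be installed root-owned (for example as /usr/local/sbin/attach-samba, a hypothetical path) so the child cannot edit it, and the sudoers line can be checked with `visudo -cf` before it is put in place.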
Here is a webpage that discusses how to set up backups on a Linux System.

http://www.kubuntuforums.net/showthread.php?39666-Using-tar-scripts-and-CRON-to-back-up

For backup media I recommend using USB hard drives. I have tried in the past to use CD and then DVD, but their storage capacity is just inadequate.

This whole Samba setup is probably the most difficult thing I have talked about to set up. If you are having trouble, contact a local Linux User or ask a question someplace like LinuxQuestions.org. There are also books, which is how I originally did it.

Protecting Your Children on the Internet with Linux or How to be a Sneaky Parent Part 1

Recently a friend mentioned to me that he didn't have a computer. He needed one, but couldn't afford it. My wife had an old Pentium-4 laptop which wasn't being used. It still had XP on it, which isn't very safe on the web, with only a 60 GB hard disk. I blew XP away and put Bodhi Linux (after trying a half dozen lite distros) on it. Bodhi is a lite Linux Distro that is based on Ubuntu that actually looks pretty good. Bodhi runs the Enlightenment Window Manager; it will run Firefox web browser, LibreOffice (Formerly OpenOffice) and e-mail clients like Thunderbird. I came to the realization that PCs like these would make a good child's computer. Their performance is adequate, but not exceptional. It got me thinking about what it would take to keep a child safe on the internet using Linux based computers.

To totally lock down Windows Computers takes an expert, which is what Corporate America does. The more recent and more secure Windows Operating Systems also require fairly fast and robust computers. If you use older Windows 98 laptops for your child's computer, you will find that they are virus magnets. Therefore, to go the Windows route, you will need to be spending $350 - $500 per laptop, while if you install Linux on older laptops the price range will be in the $100 - $150 range. And the sad fact is that these computers will perform about the same. Why is this? Windows 7 and 8 require a lot of horsepower just to run the Graphic User Interface, while Bodhi and a number of other Light Linux Distros have Graphic User Interfaces that use very little horsepower. Also, be aware that if you buy your child a Windows laptop and install one of those child protection apps, your child can boot a live distro and go around all of your security measures. No system is perfect and your children and their friends will be exchanging info.

Basically, you as the parent can use a Multi-tiered protection scheme to keep your children safe on the internet.  On the outer level, OpenDNS will keep most of the bad sites away.  The second line of defense is your router. The Third line of defense is limiting the applications your child has access to.  And the last line of defense is you watching what your child is doing.

1. Most routers today can filter out Phishing and Porn sites from getting onto your network. This can be turned on for just certain computers or for the entire network.

2. There is a family friendly DNS Server that is free to use.  A DNS Server is a computer out on the internet where other computers go to look up Human Readable addresses and convert them into Computer Readable addresses (known as IP Addresses.)

3. By running a basic Linux Distro with only a few programs installed, we can limit your child's exposure to dangerous places. If chat is dangerous, we don't have to install a chat Client. And Bodhi Linux comes with nothing installed.

4. Good old fashioned spying.  Which is what I intend to spend most of this article talking about.

Using Linux technology, you the parent can monitor what web sites your child is visiting and what email they are receiving and sending and your child need not know and if they do find out, you can say I am the parent and I have the right and a duty to know.  If they are still giving you a hard time, give them the M3 rule: My Home, My Network, My Rules!!!

This is what you will need

1. Desktop preferably an i5 (an i3 would work) with at least a terabyte hard disk and wireless networking.  Cost $500 - $1000.  You could also get one of the AMD Desktops for as little as $350, but they don't perform quite as well.

2. One up to date wireless router. Cost $50 - $200.  

3. One low end laptop for each child. At least a Pentium-4, wireless networking, 512 Megabytes of RAM. Cost $50 - $100 on ebay. If you can afford it, get each child a little faster computer; that way they would be less likely to notice when you are poking around on them. You can get Intel Core 2's on pricewatch.com for around $150; these probably would make a better laptop than old P4's. I have found that the P4 was a little bit underpowered even for Bodhi and they are starting to become hard to get a hold of.

4. A single printer could be shared by the whole family. Most printers now are wireless, so the printer could be set up so that each computer sends jobs to the printer independently or they could all go through the desktop. I don't know of any real advantage to doing it either way. You the System Administrator will have to set it up either way.

Set up the router. This is usually done via a web browser. Turn on all of the security features; if you aren't very computer literate, seek help from someone who is. Set the DNS Addresses to the OpenDNS Servers, currently 208.67.222.123 and 208.67.220.123. OpenDNS is a family safe DNS Server and will return only safe sites to your child's computer.

On each laptop, install Bodhi Linux. Set the Laptop's hostname to the name of the child who will be using it; believe me, it will make everything easier. So if your son John is going to be using the laptop, set its hostname to “johnslaptop” or just “john”; this is set up during the Bodhi install as the computer's name. Create a user for yourself with full sudo rights; this is the normal way and you won't have to do anything special. Set each laptop's Parent's User ID the same and give them all the same password, but don't make this password easy to guess. A good password scheme for the Parent's Password would be to choose an obscure hobby like Astronomy. And in Astronomy's case download a list of Common Star Names and choose one at random and then replace any “B”s with 8's, I's or L's with Ones and O's with zeros and E's with 3's. So the word Denebola would become D3n3b01a. If you are a Macho Male leading a family, choose a feminine hobby. Or a Single Mother, choose a masculine hobby, like hunting or fishing. Basically choose a hobby your kids won't expect. If you have to write it down, lock it away in a safe.

Then create a user id for the child by typing in a terminal “sudo adduser [childname]”. Of course remove the double quotes and replace [childname] with the actual child's name. The child's name needs to be all lower case and you will be prompted for your password. You will be prompted for about 6 fields; the only important one is the password. Next we need to install LxTerminal because it doesn't come preinstalled. Click on Accessories->Applications->Preferences and then start “Synaptic Package Manager.” After entering your password search for lxterminal and then have Synaptic install it. From this point I will refer to LxTerminal as just Terminal.

Finally we need to install some utilities on each laptop by issuing the following commands from a terminal:
   
    sudo apt-get update
    sudo apt-get install bum
    sudo apt-get install openssh-server openssh-client
    sudo apt-get install sqlite sqlite3
    sudo apt-get install sqliteman
    sudo apt-get remove midori
    sudo apt-get install cifs-utils
    sudo apt-get install pcmanfm

Have more than one laptop to set up???
It may be easier to prepare a script on a memory stick which then can be run on each laptop. Open a text editor and save the following text to a file on a memory stick:

#!/bin/bash
apt-get update
apt-get install libreoffice
apt-get install firefox
apt-get install thunderbird
apt-get install openssh-server openssh-client
apt-get install sqlite sqlite3
apt-get install sqliteman
apt-get install bum
apt-get install cifs-utils
apt-get install pcmanfm

apt-get remove midori

You will have to copy this script file to each laptop and then run a:
    sudo chmod +x [filename]
Where [filename] is the file you saved it to.

Then type a:
    sudo ./[filename]

For young children, I would definitely not install a Chat Client. If they want to chat, let them use Facebook. Facebook allows you as the parent or guardian to go in after the fact and read the chat contents.

We are removing Midori Web Browser because it would complicate the monitoring of your children's computers. Also, I have noticed that new software doesn't show up in the menus until a reboot has occurred.

As soon as the installs here are done issue the following command from the terminal:

sudo bum

And then click on ssh-server so that it runs at boot up.

Now to set up the Desktop, I would recommend using Linux Mint Cinnamon or Mate spins. With minor modifications any other flavor of Linux on the desktop would also work. For ease of explanation, we are doing everything on Debian descendant versions of Linux. I am not doing this because I dislike rpm (Fedora/RedHat) systems; it just is easier to explain if it is consistent across the board. On Linux Mint LxTerminal isn't installed, but Xterm or “Terminal” are; they are all pretty similar and I would recommend using whatever comes installed. Now run the following commands in whatever terminal app you have on the desktop:

    sudo apt-get install openssh-server openssh-client
    sudo apt-get install fping

Via the router give the Desktop a Static IP Address on the network, the process of doing this will vary based on the router.  I would set the static address to something like 192.168.0.100.