Metered HTTP Proxy?
Jon asks: "My brother-in-law has three teenage daughters. The only thing that he has to hold over their head is being online. I am trying to find him an HTTP proxy server that has metering built in. I started with Squid which has the authentication stuff in it but we would like something where we could allocate minutes, like some of the WiFi stuff you encounter at a hot spot."
If grounding isn't a punishment, that must mean they're geeks since they have no desire to go outside
My requirements:
- need to be able to limit each daughter to e.g. 1Gb of traffic. Once they hit that, bzzt, no more Internet access till next month. After that, they can either experience the joys of 28kb/s downloading or grovel at someone's feet to let them browse under another login id
- each daughter needs to be able to check how much Internet "allowance" she has left
- need to be able to limit use to a specific period of the day. With holidays coming up, I don't want them to be sitting in their rooms all day chatting... Ideally, I'd be able to block out individual sites (e.g. MSN) while leaving other stuff untouched
- need to be able to block out the most noxious sites. For some reason, teenage girls can't seem to resist downloading crapware if it calls itself "PicOfGoodCharlotte.exe" or something similar...
Yep, I'm aware that I could set up something that does most/all of this, but frankly there's not enough hours in the day at present to do so.
My brother-in-law has three teenage daughters. The only thing that he has to hold over their head is being online.
I don't think so. There are a lot simpler carrots and sticks available, in order of decreasing importance to the average teenage girl:
1) Telephone privs - no cell phone for you
2) Grounding - no hanging out at the mall for you
3) Allowance - no buying the latest MTV-hyped fad product for you
4) Television privs - no watching MTV-hyped commercials-as-content for you
5) Driving privs - no freedom to move about for you
6) Food - no bulimia practice for you
When information is power, privacy is freedom.
Low tech, but works.
P.S. Blocking sites is a never-ending battle IMHO - Corporations (with dedicated IT teams) can't keep up with the spammers. I'd just review their surfing history occasionally and ask 'em about it.
Hulk SMASH Celiac Disease
Have you considered OpenBSD's Authpf? Here's the description and man page.
It runs on an OpenBSD firewall (which may be a pain for you; not sure what you've got installed already).
Anyway, what it does is it prevents packets from flowing UNLESS the user has authenticated to the firewall via an ssh session. From there, the packets are tagged as belonging to the user, and you can deal with a particular user's packets as you wish (prioritize, block, redirect, etc).
If you could apply standard login controls (amount of time, time of day, etc), then you can effectively limit access to the internet with the same granularity...
I realize that parents don't want their kid on the internet all the time, and like to encourage other activities, but why resort to something like this? It seems to me that the better idea would be to actually talk to the kids when it seems like they've been spending too much time online. Arbitrary rules like this only make kids see parents as a rival, and rules like this as something to try to get around, instead of a reasonable guideline from people with more life experience.
Famous Last Words: "hmm...wikipedia says it's edible"
Dude - has your brother-in-law considered a non-technological alternative? He could try (drum-roll please) treating his daughters like human beings. Because if he's concentrating his efforts on how to control and punish them, maybe he should leave home and get a dog.
I have discovered a truly remarkable
Here's what my parents used for me, back in my BBS days:
"Get off the computer. Now."
If you were on the computer when you weren't supposed to, the phone cord from the computer to the wall would disappear. Eventually they found the phone cord I bought at the hardware store, then the damn wall jack disappeared.
...is being online.
Wow. That's quite the predicament. The only thing he can do as reward/punishment is control their net access. The. Only. Thing.
Makes one yearn for the good old days, when a parent was able to say "no" to borrowing the car, going on a date, purchasing the latest trendy thing, watching television, or assigning extra chores.
--
Don't like it? Respond with words, not karma.
NoCatAuth would be a good starting point. It'll at least provide you with a captive authentication system. In order to surf, they'd have to log in. Thus, you could control how and when they log in. Now the only thing you'd have to look into is limiting how long they stay authenticated. This may or may not already be in there.
Yeah, right.
Actually I haven't tried using it but you can use
http://www.netams.com/
It can't be bought in stores, it can only be evolved from within, but it's the best thing for building character within oneself and one's children.
Enough other posters have said that the principle behind this is a bad idea, so instead of reiterating that, I'm going to comment on the technical method of metering HTTP usage.
First, if it's just time restrictions, you can probably use your router's features. My router's setup page lets me block access from an IP range to a port range between a time range; I've used this to block a spam daemon on my mom's computer from getting to port 25 [yes, this blocked normal e-mail], or to block myself from wasting time past 7PM.
Barring that, I'd suggest writing your own server, or getting someone to do so for you. An HTTP server and a client are not hard to write; I wrote them in about a week of classtime each (got bored in my programming class). Or you can simply put a Perl script together that uses standard modules. Once you have a client and a server, it's a simple matter to tie them together, totaling the number of bytes transferred into a variable/disk file.
On a completely unrelated and stupid-sounding idea: does Apache stop serving when it can't write to log files? If so, just make it log proxy requests to a floppy disk.
Proxies are too easy to get around. You'd end up having to lock down the desktops as well. At some point you'd probably want to extend the lockdown to IM, p2p etc.
Start clean and extensible. I advise you to follow jhealy's advice - start at the network layer. You're gonna lose the turn-key SOHO router in favour of a custom firewall/router. Network metering will be IP/MAC specific/box specific but you can incorporate some authentication aspect.
Try looking for something on Freshmeat or Google
I'm assuming they run Windows here. Put the proxy IP in and don't give them admin rights. Voilà! No getting around the proxy.
I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
I, too, use access to the internet as a carrot (or stick) over my kids' heads. It works well. They want to be online 14 hrs a day, which I feel is unreasonable.
However, metering them x hours per day of usage or x GBs of IO doesn't seem practical. It could lead to many arguments and hair splitting about how much they were really on.
I mean, how do you measure it? Do I measure the time a socket is connected? If they open the NYTimes and walk away from their desk, they will eat up their meter. Do I measure bandwidth usage? Say they download 2 movies one day, poof, metering over. All this would lead to much complaining and gnashing of teeth. It would also lead to them using the internet when I don't want them to.
Instead, I set my router to disconnect them by script during the hours I don't want them on the internet.
My kids lose the internet 1 hour before bed, and during weekend days. During the summer, I limit them to different hours.
If they give me grief, I take an hour off at night. Surprisingly, even an hour is plenty of stick to get my kids to behave.
If you don't have a router, make a cheap one out of an old PC with Linux. Easy to setup and script. (I'm actually using W2K Ad. Server as a router and scripting their access using netsh.)
I have no qualms about using the internet to keep my kids in line, and I sleep better at night knowing they can't get up and start surfing instead of getting a good night's sleep.
machinator omnis sine licentia
Nope. It's not difficult to gain local admin rights on a Windows box from the console. It's also not gonna stop them running Firefox from a USB stick. Not gonna stop their IM. And on and on.
What if they are not just wasting time using IM, chat, etc.? What if they are working on a project? When I was in high school I had many projects that required me to pull late nights on the computer using the internet for research. It is not fair to set a static limit for internet access. Just be a parent. How hard is it to say turn off the computer? If that is too hard just unplug it. Just because they don't have internet access doesn't mean they are going to abandon the computer; games are a great distraction.
http://www.softforyou.com/ip-index.html
http://www.akrontech.com/
So if OpenBSD is a firewall box, you control the incoming packets on the internal NIC--redirect all incoming port 80 to 3128: squid as transparent proxy. http://www.benzedrine.cx/transquid.html
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
If they can't handle the responsibility, they don't get the privilege. There are easy ways to see if they can handle the responsibility. Computer in a public place (family room); timers limiting time; chores and homework done first; etc.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Static time restrictions make sense. If they REALLY need access after hours for a school project: Demand documentation: i.e. a project outline from a teacher (including a due date, so extended hours will cease on that date, if they go overtime, tough). If sufficient documentation isn't available, tell them "tough luck, better off researching rather than IM'ing"
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
I think an apache+mod_proxy + some metering mod would be a simple but effective solution
It's 10 PM. Do you know if you're un-American?
What I think everyone needs is CBQ.
So that you can say
"Prioritise this IP(and/or port), if not then share bandwidth equally"
Would a managed switch at least share bandwidth fairly?
I have CBQ on my smoothwall box but I'm finding it baffling - it should work but it isn't and so forth.
A default script that shares bandwidth equally would do everyone wonders.
I can't believe people are still walking into `the other room` and saying "Can you stop that download please?"
It should be built into every connection!
A blog I run for the wealth
The only thing that he has to hold over their head is being online.
... the /only/ thing? I can think of several:
1) grounding
2) no telephone
3) no driving privileges
4) no allowance
5) no working
there's also the obvious "unplug them from the router". maybe a little /too/ obvious.
Kind of inelegant, but you could have a script that tweaks the permitted MAC address table dynamically ("The time is 11 o'clock, you are offline NOW!"). Of course, this could mean resetting the router/switch regularly, depending on the product he uses. Of course, this assumes the kids have a different computer(s) than the folks.
Unplugging the WAN cord on the router works too but is more indiscriminate.
That is, parenting where you actually CHECK what the kids do, and keep track within your head how long they've been sitting on their boxen???
If I were them I would fire up ssh! Go into a proxy and good to go! I would provide them with a proxy for favors (not sexually though, I am a teen). If I were you I would set up a simple auth system. I can't remember the name but it is for internet cafes. If I were you, give them limited accounts. Set up a script (in cygwin) like and it will do a test first to check :)
for i in `ps aux|grep AIM`; do killall $i; done
wee!
What is their AIM SN so I can tell them how to circumvent it?
Nowhere in the post does it say that his friend has not discussed time spent online with his kids. All it says is that he's looking for something to meter the amount of online time they're spending. For all you know, this is a *result* of discussing it with his kids. The kind of thing he's looking for will enable them all to be informed about the amount of time spent websurfing, whether that's to help enforce the house rules, or clear up any disagreements about exactly how much time is being spent on the internet anyway.
It may not be free, but i think it has everything you need http://inetshaper.com/
If you really think and act that way, then you have sold me on the scouts for my own children.
I say, every parent should beat their kids at least once a day (before breakfast or after dinner) for good measure! You don't know what the little shits have been up to, and they need some reinforcement!
maybe they're nerds.
world was created 5 seconds before this post as it is.
They know how to take my router off the network and reboot the cable modem to clear its MAC limit if they ever needed to bypass any protection I've set up on the router.
Don't put anything past teenagers. They're a lot smarter than most people give them credit for.
My oldest will have CCNA before he graduates HS.
I work from home semi-regularly, and my broadband connection is my lifeblood at those times. For a variety of reasons, the in-laws visit fairly regularly. My father-in-law doesn't travel anywhere without his laptop, and since he's without broadband where he lives, he takes every opportunity to suck my connection dry by downloading every latest Linux ISO image he can find -- which really blows when I'm trying to get serious work done. I'd really love to be able to throttle his bandwidth down to sub dial-up speeds during my normal working hours.
(Ok, before everyone starts pinging me for not talking to him about it: I DID. HE DIDN'T GET IT.)
Write two firewall configuration files. One allows access to the MACs of the teenagers (the liberal file); the other blocks them (the restrictive file). Run 2 cron jobs to swap these (by renaming them so one is not recognised). At a certain time every day one cron swaps in the liberal script; later the other cron swaps in the restrictive one. You may also have to restart the firewall to make it accept the new file.
I never thought I would see such a huge amount of control-crazed bastards on Slashdot.
Your kids aren't going to learn anything useful about the internet unless you give them complete, unrestricted access. It is your responsibility to teach them not to give out personal information, etc. Each child should have his/her own, personal computer. If they choose to do something stupid like install spyware, don't fix it for them. Let them repair the damage themselves and figure out how/why it happened. I'm not saying you can't give clues, but if you just go in and solve all the problems for them, nothing will be learned. If your kids get fat from being on the computer for 16 hours per day, so be it. They'll get the point eventually that they need to limit their own time on the computer, in order to stay physically and mentally healthy. Self control is a good thing.
I did something like this but it's based on time and not on traffic.
Create a simple TCP server using sockets in Python that lets you log in, and a client to go with it:
a. Initially, the Python server disables all the users in the squid ACL.
b. When you log in using the client, the server authenticates you and checks in a text file to see whether you are there and how much time you have left, based on which it enables or disables your access by changing the squid ACL.
c. It can run every few minutes to check all the logged-in users.
I did this for a neighbouring net-cafe for free. One big problem was that net-access was possible only through squid, which can't be used to handle voice-chats and web-cams etc. that don't go through HTTP. I could do that but was no more willing to do it for free...
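The bookkeeping behind steps a to c of the post above, as an added example that is not the poster's code. It assumes a JSON state file of per-user minutes, a Squid `proxy_auth` ACL that reads usernames from a file, and hypothetical paths and names throughout; the login client/server and its authentication are left out.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed squid.conf wiring (paths are hypothetical):
#   acl metered proxy_auth "/etc/squid/metered_users"
#   http_access allow metered
#   http_access deny all
# After each pass the caller reloads Squid with `squid -k reconfigure`.
TICK_MINUTES = 5  # assumed interval between accounting passes (step c)


def write_atomic(path: Path, text: str) -> None:
    """Write via temp file + rename so a reader never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # usernames only; the Squid user must be able to read it
    os.replace(tmp, path)


def login(state: dict, user: str) -> bool:
    """Step b: admit a user only if known and with time left."""
    entry = state.get(user)
    if entry is None or entry["minutes_left"] <= 0:
        return False
    entry["logged_in"] = True
    return True


def tick(state: dict, minutes: int = TICK_MINUTES) -> None:
    """Step c: charge active sessions for the interval that just ended."""
    for entry in state.values():
        if entry["logged_in"]:
            entry["minutes_left"] = max(0, entry["minutes_left"] - minutes)
            if entry["minutes_left"] == 0:
                entry["logged_in"] = False  # allowance spent: leaves the ACL


def run_once(state_file: Path, acl_file: Path, logins=()) -> list:
    """One pass: charge sessions, admit new logins, rewrite the ACL file."""
    state = json.loads(state_file.read_text())
    tick(state)
    for user in logins:
        login(state, user)
    allowed = sorted(u for u, e in state.items() if e["logged_in"])
    write_atomic(state_file, json.dumps(state, indent=2))
    write_atomic(acl_file, "".join(u + "\n" for u in allowed))
    return allowed
```

A state file in which nobody is logged in produces an empty ACL file, which is step a. Existing sessions are charged before new logins are admitted, so a user with one interval left still gets that interval.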
Wow, I feel sorry for your bro-in-law's daughters. I mean if my parents ever did something like that (and thankfully they never would) I would deem all their computers unusable and put the TV so the picture doesn't fit on the screen (I am the only person in the house to be able to fix it lol) so yeah I feel sorry for them. I have used computers all my life, and if I had this crappy limit that he wants to put on, I am sure I wouldn't be as good on computers as I am now, and know as much as I do! Unlucky girls
Visit My Blog at http://spaces.msn.com/members/chrisharries
As a father of 3 daughters, I have considered constructing a hot water metering system to keep natural gas bills in line. A microcontroller, keypad, and a solenoid valve in the hot water line in the shower. Each user gets say 120 minutes hot water each month. The wife and I shower together so that means we would have plenty of minutes.
Remember the Malcolm in the Middle episode where the parents kept trying to punish Reese - except that Reese didn't care about anything they did. At least not until after he took a cooking class and found that he both had a talent for it and loved it?
IIRC, the last scene was them denying him kitchen privileges.
Not so far from the truth of some families.
8-PP
I've got plenty of beer and cigarettes, just have your brother-in-law send his daughters to my place. Internet overusage problem solved!
you can't get around a proxy if the firewall blocks all traffic not going through the proxy.
Snowden and Manning are heroes.
I registered just to tell you that your brother-in-law has some serious parenting problems. I am also the laziest fucker alive.
they go out and blow the whole football team ...
That'll teach 'em!
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
This is not a perfect solution for your needs, but it's not too far off. squidguard offers time-based allowances (only surf the web from 5pm to 7pm nightly). The way to implement it is to put squid with squidguard on the proxy/firewall. Force all traffic through the firewall, and block all ports traversing the firewall (force them through the proxy). Set up squid to force authentication, with the appropriate timings and allowances in squidguard for each account. I do something similar at home for my children, but instead I only allow them a whitelist of sites to access (Disney, Nickelodeon, etc.). Works very well. There are *very* few ways around it, and when my kids get smart enough to tunnel out, I'll just use more l337 solutions :-)
This is true... within reason. However, the original poster only wanted to implement a proxy. A good approach to a complex problem usually involves considering a hierarchy of potential solutions. At the very least, we can make the effort to intrude intensive enough to discourage the casual and intermediate hacker. The reality is that anyone with sufficient dedication will eventually surpass the most severe battery of defenses. It's not always the fault of the solution provider! Mitnick made a (criminal) career of proving the most complex security solution often falls to the dumpster dive/user disclosure/Social Engineering/OSI Layer 1.
A proxy is simply not enough. It's absurdly easy to tunnel whatever you want (with a bias towards TCP) through a proxy (or any unfiltered port). Here's a brief rundown. Besides a proxy, a firewall and a desktop/server lockdown, I'd suggest you add the Big Brother approach of trend analysis, metrics, pattern recognition and scare tactics, i.e. an IDS, IPS! We can hope the effort to circumvent the measures will teach as well as hamper. The question is who you are teaching and hampering!
Network security was an engineering afterthought. It's ironic considering the military built the Internet. We live with the aftermath. Encapsulation and spoofing have practical uses besides the malicious!
Why? Cause we're nerds damnit! I have the Netgear router and it has the ability to filter access based on IP address, so if kid A has a computer 192.168.0.100 and kid B has 192.168.0.101 then I can give them different access and different times to log on. It even allows port blocking on a day/time basis and can email me when someone goes somewhere they shouldn't. God, I want to have kids just so I can use these features!