Saturday, November 17, 2018

Parental Controls in Linux Machines


Using Linux PAM (Pluggable Authentication Modules) & Pi-Hole (to block websites)


Background: I had set parental controls on Windows 10 and restricted screen time for my kids. But my 13-year-old son, with my permission, found a way to hack Windows 10 and gain administrator controls (or the password for any user on the machine). That made me install Ubuntu and add Windows as a virtual machine inside Ubuntu.

But Ubuntu doesn't have good support for some of the parental control apps (nanny, timekpr etc). Internet searches were all pointing to PAM, and then I decided to document what I did so that it helps others and/or others help me to improve my settings. Here we go...


Section 1: Linux PAM settings for screen time management

Follow the steps below, if you wish to restrict screen time for your kids.

Step 1: Enable the pam_time.so module


$ sudo vi /etc/pam.d/common-account

# Add the following line to the end of the file for Parental Controls
account required pam_time.so


$ sudo vi /etc/pam.d/login

# Uncomment the following line for Parental Control
account    requisite  pam_time.so


$ sudo vi /etc/pam.d/su

# Uncomment the following line for Parental Control
account    requisite  pam_time.so



Step 2: Set up timing restrictions


We have reached a point where we now need to set up timing restrictions for our children.

$ sudo vi /etc/security/time.conf

# Add the following lines for Parental controls
*; *; child1; Al1400-1455
*; *; child2; Al1500-1555



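Note: child1 and child2 are the user names of my children. Each rule has the form services;ttys;users;times, so Al1400-1455 allows child1 to log in only between 14:00 and 14:55 on all days. Please read the following article for more details and better control of timing: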
https://www.linuxjournal.com/article/2120



Step 3: Set up a cron job to log out if already logged in


Steps 1 & 2 prevent your child from logging into the system outside the allowed time. But pam_time.so is only consulted at login, so if your child has already logged in, he/she gets unlimited time. So, we have reached a point where we need to stop all applications and log the child out of the system.

$ sudo vi  /etc/crontab

# Add the following lines for Parental controls
56 14 * * * root skill -KILL -u child1
56 15 * * * root skill -KILL -u child2



This will ensure that the children are logged out, and if they attempt to log in again, steps 1 & 2 will prevent them from accessing the system until the next allowed time slot.
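The script below is an added example, not part of the original post: it checks that Steps 1 to 3 agree for a user, i.e. pam_time.so is active, a time.conf window exists, and the cron logout fires at or after the window closes. The function names and sample files are constructed for illustration, and only simple one-user rules like the ones above are parsed.

```shell
#!/bin/sh
# Added example: audit Steps 1-3 for one user. Function names are illustrative.

# Step 1: succeed only if FILE has an active (uncommented) pam_time.so account line.
pam_time_enabled() {
  grep -Eq '^[[:space:]]*account[[:space:]]+[^#]*pam_time\.so' "$1"
}

# Step 2: print the HHMM end of USER's window from a time.conf-style FILE.
# Only simple rules (services;ttys;user;DaysHHMM-HHMM) are handled.
window_end() {
  awk -F';' -v u="$2" '
    { sub(/#.*/, ""); gsub(/[ \t]/, "") }
    NF == 4 && $3 == u && match($4, /-[0-9][0-9][0-9][0-9]$/) {
      print substr($4, RSTART + 1); exit }' "$1"
}

# Step 3: print HHMM of the crontab entry that runs skill -KILL -u USER as root.
kill_time() {
  awk -v u="$2" '
    /^[ \t]*#/ { next }
    $6 == "root" && $0 ~ /skill[ \t]+-KILL[ \t]+-u[ \t]/ && $NF == u {
      printf "%02d%02d\n", $2, $1; exit }' "$1"
}

# All three together. Args: PAM_FILE TIME_CONF CRONTAB USER
audit_user() {
  pam_time_enabled "$1" || { echo "$4: pam_time.so not active in $1"; return 1; }
  w_end=$(window_end "$2" "$4"); k_at=$(kill_time "$3" "$4")
  [ -n "$w_end" ] || { echo "$4: no time.conf rule"; return 1; }
  [ -n "$k_at" ] || { echo "$4: no cron logout entry"; return 1; }
  [ "$k_at" -ge "$w_end" ] || { echo "$4: logout fires before window ends"; return 1; }
  echo "$4: ok (window ends $w_end, logout at $k_at)"
}

# Constructed sample files mirroring this page; child2's cron line is left out on purpose.
demo=$(mktemp -d)
printf '%s\n' '# account requisite pam_time.so' > "$demo/login"
printf '%s\n' 'account required pam_time.so' > "$demo/common-account"
printf '%s\n' '*; *; child1; Al1400-1455' '*; *; child2; Al1500-1555' > "$demo/time.conf"
printf '%s\n' '56 14 * * * root skill -KILL -u child1' > "$demo/crontab"
for u in child1 child2; do
  audit_user "$demo/common-account" "$demo/time.conf" "$demo/crontab" "$u" || true
done
```

On a live system, pass /etc/pam.d/common-account, /etc/security/time.conf and /etc/crontab to audit_user instead of the sample files.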


Section 2: Blocking websites


There are 2 solutions known to me at this time. One is based on the open source project Pi-Hole. Please read https://pi-hole.net/ to understand it better.

The 2nd solution is based on iptables. With iptables we can apply user-ID-based network access controls, with or without timing. The details will be provided later.

But for now, the easiest approach is to set up Pi-Hole and the router so that certain websites are blocked for everyone, including adults (let me, as an adult, set an example for the kids).

Here we go...
  • Buy a Raspberry Pi or configure your Linux PC to run Pi-Hole
  • In case of Raspberry Pi, do the following:
    • Download Raspbian "Lite" Image (~400 MB) from RPi download page.
    • Make sure that you change the password for user "pi"
    • Run raspi-config to setup keyboard, expand the SD card image size, setup Open SSH etc.
    • Install git and docker.io using apt-get install commands.
  • Then run the following commands on the machine that will host Pi-Hole
    • git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
    • cd "Pi-hole/automated install/"
    • sudo bash basic-install.sh
  • The last step above may ask some questions such as installation of httpd etc, please answer Yes for most of them.
  • At the end of the installation, you will get a pop-up message (ncurses style) which will show the admin password for the DNS you have setup so far. Please note it down for future use.
  • Once the installation is done, please go back to https://pi-hole.net/ page (installation section, step 3) and follow the instructions provided to configure the DNS server and router. 
    • In my case, I have statically configured 192.168.0.200 as my DNS IP address in my home router using the MAC address of my raspberrypi.
    • Also my router did not support configuring the above IP as DNS server, hence I had to disable the DHCP server and statically configure my router's IP address as 192.168.0.1
  • Once you are done with the above steps, you are pretty much done. Just log in from your PC or phone using the IP address of the DNS server (in my case http://192.168.0.200/admin).
  • Use the admin password you had noted down in the 4th bullet point above.
  • You have now reached a point where you can browse through pages and tabs on the DNS server and add additional web-sites you wish to block for your kids. For example you may see this link to know how to block adult only sites.

Happy techno parenting...






