URL Filter requires IPcop be installed and running first. The IPcop website has very detailed instructions on installation and configuration. The install process for IPcop only takes about 15 minutes and almost any old computer can be used because the system requirements are so low. (Should be in above paragraph?)
Installing URL filter
First, verify that SSH access is enabled on the IPcop firewall by going to the System Menu, selecting SSH access and enabling SSH access. Next, download the URLfilter installer to your computer and upload it to the IPcop firewall via SCP (secure copy). WinSCP is a simple and free SCP utility to upload the file. Remember that IPcop uses port 222 for SSH rather than the standard 22.
Log into the IPcop with an SSH client like Putty or log directly into the firewall at the keyboard. Use the root user id and password that was specified in the IPcop install process rather than the admin user that is used for the web administration page. Enter the following commands:
root@ipcop:~ #tar -xvf ipcop-urlfilter-1.9.1.tar.gz
root@ipcop:~ # cd ipcop-urlfilter
root@ipcop:~ # ./install
The URL filter will scroll through the installation steps on the console and verify that installation was successful.
Enable the web proxy
After answering yes to the installer script, URLfilter should be installed and accessible through the web administration page, although it will not be actively filtering web access yet. First activate URLFilter by going to the Services menu, selecting Proxy server and checking the following options:
Enabled on Green: This turns on the web proxy
Transparent on Green: This silently redirects web traffic to be processed by the web proxy
Log Enabled: Creates a log of all web usage, even what is not blocked.
Configure URL Filter
Next, go to the URL filter administrative web page, by clicking on the Services Menu again and selecting URL Filter. Remember, IPcop’s administration page is on port 445 (https://IpcopIPAddress:445.) URL filter is highly configurable with many options, but its simple web filter is easy to setup. Simply click the block categories that you want blocked. URL Filter will come with a small block list by default that it out of date. To update the filter list, scroll down to Automatic blacklist update and select how often the blacklist is updated and an update source. Weekly updates are fine for most applications. All four of the blacklist update sources in the dropdown menu are free. A commercial blacklist is available for a fee from URLblacklist.
Using larger blacklists like Shalia and University of Toulouse will increase the number of filter categories to choose from. After clicking update now, it can take up to two hours to download and prepare the blacklist for use, depending on your internet connection speed and how fast the firewall is. When the firewall is finished, it will display a last successful update message in the Automatic blacklist update section. The web administration page will probably time out before the list is finished.

Key Advanced Settings
After you have updated the blacklist and selected categories to block, there are a few options that most people want to add.
Under Block page settings
Show category on block page: When a page is blocked, this will show the user what web filter category had an entry that caused the site to be blocked. Useful for troubleshooting.
Show URL on block page: This will show the actual web address that triggered the web filter.
Under Advanced Settings
Block “ads” with empty window: If the ads category is selected, this will replaced the ad with a blank picture rather than the typical (what?)
Enable SafeSearch: This feature forces the SafeSearch option (what is this option?) on web searches at Google, Yahoo and other search engines. Even if the user de-selects the option, it will not be passed to the search engine. Viewing cached content from a search engine is a simple way of bypassing web filters.
Enable expression lists: This allows URL filter to block content based on a list of bad words in addition to its list of known bad sites.
Block sites accessed by an IP address: Almost no legitimate web sites are addressed by their IP address. This is another way of bypassing web filter and blocks users from typing something like http://10.105.4.5 into their web browser
Enable Log: This creates a record of all websites blocked by the filter and the IP address of the computer that requested the website.
After URL filter has been downloaded, has compiled a blacklist and has been configured with the desired options, web filtering can be enabled globally by checking the Enabled box under URL filter at the bottom of the Proxy page under the Services menu.
A more detailed explanation of the URL filter settings are available at the URL filter FAQ.
Tweaking URL Filter
Anytime the web is filtered, it is possible to get false positives and have a website blocked that should not be. Most of the blacklists are not created by hand, they are created by robot programs that crawl the internet and record sites with objectionable material much like Yahoo or Google crawls the internet to create their search indexes. To remove a site or web address from blacklist, go back to the URL filter web administration page under the Services menu and add the site to the Custom Whitelist section. If you want to allow the entire website (www.mydomain.com), add the site to the allowed domains section. If you want to just allow access to a page (www.mydomain.com/myFavoritePage), then add the address to the allowed URL sections.
With URL filter and IPcop, your firewall will automatically block inappropriate websites and log all internet usage.

Related posts:

1. Upgrade to an Open Source Firewall Firewall companies have a little secret that they do not...
2. Cisco sets End of Sale for PIX Firewall Cisco announced the End of Life for the PIX firewall...
3. Configure Policy-based routing with Route-Map Statements Route-maps allow to you deal with traffic on your router...

Related posts brought to you by Yet Another Related Posts Plugin.

RouterA#configure terminal
RouterA(config)# line vty 0 4
A router’s telnet interface is called a vty, short for Virtual Teletype Terminal.
RouterA(config)# password letmein
RouterA(config)# end
This will allow access to router via telnet by just the password letmein. Below is an example of configuring a router for username and password authentication from a local database stored on the router itself. If you have more than one router or switch, each router will need to be configured. Either way is more secure than just a password by itself. A more complex password increases security, so use passwords that are difficult to guess and create usernames that are not as simple to guess like admin or cisco..

RouterA#configure terminal
RouterA(config)# username Jane password Doe
RouterA(config)# username Bob password Smith
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default local
RouterA(config)# end

The configuration creates the usernames Jane and Bob with the passwords Doe and Smith respectively. AAA stands for authentication, authorization and accounting. The line ‘aaa authentication login default local’ specifies that local authentication should be used for login by default. The passwords will show up in the configuration just as you typed them and be readable by everyone that has access to the router configuration file unless the service password-encryption command is used. For example:

RouterA#configure terminal
RouterA(config)# service password-encryption
RouterA(config)# end

Now your passwords will be encrypted in the configuration. There are tools available that can decrypt these passwords, so configurations should still be stored in a secure place.

Here is a look at configuring TACACS+ authentication, a centralized authentication protocol that passes authentication of to a server. In this example, the switch or router will first look to TACACS+ for authentication and then if that fails, it will look in the local user database. This will give you access if your network device loses network connectivity to the TACACS+ server. This example assumes there is a working TACACS+ server already running on your network. If not, notes on configuring a TACACS+ server on linux can be found here.

RouterA#configure terminal
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default group tacacs+ local
RouterA(config)# tacacs-server host 10.1.1.1
RouterA(config)# tacacs-server host 10.1.1.2
RouterA(config)# tacacs-server key SecretPassword
RouterA(config)# end

If the switch or router has access to the authentication server, then the next time that you log in, the device should prompt you for a username rather than just a password. Complete details on configuring aaa access can be found on Cisco’s website.

Related posts:

1. Configuring SSH on Cisco routers/switches (How-to) With all of the security problems out there today, it...
2. Showing the configuration at the interface level One of the pains about Cisco is that once you...
3. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...

Related posts brought to you by Yet Another Related Posts Plugin.

I found several articles on Cisco’s site regarding SSH, so I wanted to boil it down and document what worked for me.

RouterA#conf t

RouterA(config)#hostname RouterA

RouterA(config)#ip domain-name routernotes.com

Encryption keys are identified by DNS name

RouterA(config)#crypto key generate rsa

<output abbreviated>

How many bits in the modulus [512] 1024

Choose 1024 because most clients will balk at anything less

RouterA(config)#ip ssh time-out 120

This command limits your authentication time to 120 seconds. You should be able to lookup/remember your password in two minutes.

RouterA(config)#ip ssh authentication-retries 4

This limits the number of failed connection tries

RouterA(config)#service tcp-keepalives-in
RouterA(config)#service tcp-keepalives-out

This keeps your SSH sessions from getting hung

RouterA(config)#line vty 0 4
RouterA(config-line)# transport input SSH

This limits incoming administration access to SSH only

Related posts:

1. Authentication in Cisco IOS Adding username and password authentication to Cisco routers and switches...
2. Troubleshoot CPU spikes on Cisco switches and routers CPU spikes on switches and routers can cause crazy problems...
3. Configuring and Using Secondary IP Addresses on Cisco Routers n a perfect world, every subnet would have its own...

Related posts brought to you by Yet Another Related Posts Plugin.