Page 1 of 5 123 ... LastLast
Results 1 to 20 of 87

Thread: HOWTO: ProFTPD Antivirus using CLAMAV

  1. #1
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89

    Lightbulb HOWTO: ProFTPD Antivirus using CLAMAV

    UPDATED: 26/07/2010
    Proftpd is now 1.3.3a
    ---------------------

    This howto is about making ProFTPD work with CLAMAV to scan all files uploaded by users using a FTP client.
    Recently our customers are having real difficulty with Iframe viruses, Php shells and other kind of windows viruses are also a headache always.
    ClamAV is already working with exim mail server in our servers for years. Why not make it also scan incoming FTP uploads.This will add more CPU Time to our servers, but preventing users to upload any kind of virus data makes sense.

    How will this work? :
    -we will add ClamAV support to ProFTPD using mod_clamav module.
    -when a user uploads a file using FTP, ClamAV will scan incoming file after upload finishes.
    -if any kind of virus like signature found by ClamAV, uploaded file will be deleted from server, notifying the FTP client.

    1- we will need a working ClamAV installation on server before this. I prefer not to tell how to install ClamAV to server this time, because there is already a very handy script called update.script which can install ClamAV and tons of other stuff. I take portions of this script to automate my process. Thanks to original update.script creator!

    If ClamAV is already installed and updating itself regularly please skip this step.

    -INSTALL CLAMAV-
    Code:
    mkdir /usr/local/updatescript
    cd /usr/local/updatescript
    wget http://tools.web4host.net/update.script
    chmod 755 update.script
    Run it once.
    Code:
    ./update.script
    Install Clamav
    Code:
    ./update.script CLAMAV
    Clamav Installation Done!

    2- Update ProFTPD with current version. And patch it using mod_clamav for ClamAV usage.

    Code:
    cd ~
    wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
    chmod +x ftpantivirus
    ./ftpantivirus
    -this script will download ProFTPD, download mod_clamav latest version, patch ProFTPD with mod_clamav, compile and install new ProFTPD package with ClamAV support.

    3- We need to edit our clamav.conf file to allow TCPSocket connections to port 3310

    Code:
    nano /etc/clamd.conf
    find #TCPSocket 3310 line and comment it out.
    find #TCPAddr 127.0.0.1 line and comment it out.
    Final file will look like this:

    Code:
    ....................
    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    LocalSocket /tmp/clamd
    
    # Remove stale socket after unclean shutdown.
    # Default: no
    FixStaleSocket yes
    
    # TCP port address.
    # Default: no
    TCPSocket 3310
    
    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    TCPAddr 127.0.0.1
    ....................
    4- Finally we need to edit proftpd.conf to use our new mod_clamav module.

    Code:
    nano /etc/proftpd.conf
    inside <Global></Global> tags at the end add:

    Code:
    <IfModule mod_clamav.c>
       ClamAV on
       ClamServer 127.0.0.1
       ClamPort 3310
       ClamMaxSize 5 Mb
    </IfModule>
    we do not want to scan files bigger than 5 Mb to save some CPU time.

    5- Restart ClamAv and ProFTPD to test this out!

    Code:
    service clamd restart
    service proftpd restart
    6- Finally go to http://www.eicar.org/anti_virus_test_file.htm to download eicar test virus and upload it to your ftp server with your favorite FTP client.

    If you see something like that on your FTP client logs, well done!

    Code:
    Command:	STOR eicar_com.zip
    Response:	150 Opening BINARY mode data connection for eicar_com.zip
    Response:	550 Virus Detected and Removed: Eicar-Test-Signature
    Status:	Retrieving directory listing...
    7- IF something goes wrong and your ClamAV enabled ftp server is not scanning files as it should.

    first check ProFTPD if mod_clamav is activated

    Code:
    proftpd -vv
    If you see mod_clamav.c under Loaded modules:
    you have mod_clamav ready.

    For further investigation we can run our ProFTPD server in debug mode to see what's going on:

    Code:
    service proftpd stop
    proftpd -n -d 10
    Try to login and upload eicar test virus to your FTP now, you will see what's going on under the hood in good detail...

    FINAL NOTE: I tested this only on Centos 5.x i386 and X86_64 servers. So there is no guarantee that it will work on any other O/S.
    Last edited by sHuKKo; 07-26-2010 at 09:28 AM.
    http://www.youripaddy.com/
    What is your ip address?

  2. #2
    Join Date
    Oct 2007
    Location
    Switzerland
    Posts
    861
    Nice tutorial, thanks! I believe you wrote "mod_proftpd" instead of "mod_clamav" a few times though.
    Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor

  3. #3
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89

    Smile

    Quote Originally Posted by tillo View Post
    Nice tutorial, thanks! I believe you wrote "mod_proftpd" instead of "mod_clamav" a few times though.
    Yes you're absolutely right!
    I changed all mod_proftpd's to mod_clamav's.
    Thank you very much for pointing this
    http://www.youripaddy.com/
    What is your ip address?

  4. #4
    Join Date
    Mar 2009
    Location
    Ha Noi - Viet Nam
    Posts
    19
    Oh very good!
    I test upload a c99 shell, it was removed!

  5. #5
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    I am getting nothing, it's all installed, patched and what not.

    It just gives me a message saying no virus has been detected in any file that I upload.

    Going to virus scan absolute filename = '/home/admin/eicar_com.zip' with relative filename = '/eicar_com.zip'.
    mod_clamav/0.10: Connecting to remote Clamd host '127.0.0.1' on port 3310
    ROOT PRIVS at mod_clamav.c:252
    ROOT PRIVS: ID switching disabled
    PRIVS_RELINQUISH: ID switching disabled
    Successfully reconnected to Clamd.
    No virus detected in filename = '/home/admin/eicar_com.zip'.
    dispatching POST_CMD command 'STOR eicar_com.zip' to mod_ratio
    dispatching POST_CMD command 'STOR eicar_com.zip' to mod_xfer
    dispatching LOG_CMD command 'STOR eicar_com.zip' to mod_log
    dispatching LOG_CMD command 'STOR eicar_com.zip' to mod_xfer
    Transfer completed: 184 bytes in 0.05 seconds
    Last edited by Brightlayer; 05-10-2009 at 01:16 PM.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  6. #6
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89
    Chris
    download a eicar test virus directly to server and scan it using clamav on the server.

    Code:
    wget http://www.eicar.org/download/eicar_com.zip
    clamscan eicar_com.zip
    If clamav installed correctly it *must* find the virus

    your proftpd log looks very good. everything is working as it should be.
    maybe the av software on your client pc removes the test virus before you try to upload it
    http://www.youripaddy.com/
    What is your ip address?

  7. #7
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    [root@fuchsia ~]# clamscan eicar_com.zip
    eicar_com.zip: Eicar-Test-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 549222
    Engine version: 0.95.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 4.480 sec (0 m 4 s)

    That worked fine, and I have tried this on a development machine with no antivirus, so it's not the client pc deleting the virus before it uploads.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  8. #8
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89
    Chris
    In that case I really don't have a clue about this.
    I tried to replicate the same situation in 5 of my servers.
    Each time it works!
    http://www.youripaddy.com/
    What is your ip address?

  9. #9
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Can you check if mod_clam is installed?
    Code:
    proftpd -vv
    Ive just installed this on my box without any problems;
    [11-5-2009 9:56:16] 150 Opening BINARY mode data connection for eicar_com.zip
    [11-5-2009 9:56:16] 550 Virus Detected and Removed: Eicar-Test-Signature
    Last edited by daveyw; 05-11-2009 at 02:00 AM.

  10. #10
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    This is the output from the version parameter on the proftpd build.

    [root@fuchsia /]# proftpd -vv
    ProFTPD Version: 1.3.2 (stable)
    Scoreboard Version: 01040002
    Built: Sun May 10 19:47:59 BST 2009

    Loaded modules:
    mod_cap/1.0
    mod_clamav.c
    mod_tls/2.2.1
    mod_readme.c
    mod_ratio/3.3
    mod_ident/1.0
    mod_facts/0.1
    mod_delay/0.6
    mod_site.c
    mod_log.c
    mod_ls.c
    mod_auth.c
    mod_auth_file/0.8.3
    mod_auth_unix.c
    mod_xfer.c
    mod_core.c
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  11. #11
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    I just want to find out if everyone who had this working, installed ClamAV using the 'update.script' or did you have an existing installation of it?

    I have an existing install that I've modified the config to support the TCP socket connections, it is linked into Exim prior to this however, for scanning inbound email.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  12. #12
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89
    Quote Originally Posted by Brightlayer View Post
    I just want to find out if everyone who had this working, installed ClamAV using the 'update.script' or did you have an existing installation of it?

    I have an existing install that I've modified the config to support the TCP socket connections, it is linked into Exim prior to this however, for scanning inbound email.
    In my own tests and installations I always used update.script
    Maybe your clamav installation paths are different.
    backup your clamd.conf and reinstall clamav using update.script if possible.
    http://www.youripaddy.com/
    What is your ip address?

  13. #13
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    I'll give it a go, will drop a reply with my findings.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  14. #14
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    Just installed ClamAV as per the 'update.script' and still the same result.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  15. #15
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    At very last we have some joy, I have no idea what's different, just did a make uninstall and went back to basics. I used the scripts as a reference but did not actually execute any of them.

    Going to virus scan absolute filename = '/home/admin/eicar_com.zip' with relative filename = '/eicar_com.zip'.
    mod_clamav/0.11rc: Connecting to remote Clamd host '127.0.0.1' on port 3310
    ROOT PRIVS at mod_clamav.c:227
    ROOT PRIVS: ID switching disabled
    PRIVS_RELINQUISH: ID switching disabled
    Successfully reconnected to Clamd.
    mod_clamav/0.11rc: Virus 'Eicar-Test-Signature' found in '/home/admin/eicar_com.zip'
    dispatching LOG_CMD_ERR command 'STOR eicar_com.zip' to mod_log
    dispatching LOG_CMD_ERR command 'STOR eicar_com.zip' to mod_xfer
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  16. #16
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    I guess you have forgot to edit the clamd.conf. If needed you can send me a PM with your SSH login and a 'test' FTP to fix your problem.

  17. #17
    Join Date
    Mar 2009
    Location
    UK
    Posts
    10
    daveyw

    I did not forget to do anything, it's just the first two builds with mod_clamav v0.10 did not show as working.

    I proceeded to use mod_clamav v0.11rc1 and I saw some action with the scanning while in an ftp transaction, so it seems to be an issue with the version of mod_clamav, as that's the only thing I changed in the latest build.
    Chris Imrie
    Brightlayer Solutions


    "If you have any trouble sounding condescending, find a Unix user to show you how it's done."

  18. #18
    Join Date
    Jan 2008
    Location
    /dev/null
    Posts
    702
    Mmmm i'm runnning the mod_clamav on CentOS 5.3 x86_64 without any problems (and for me he downloaded 0.11rc)

    I guess he (sHuKKo) updated before I've installed it :P

  19. #19
    Join Date
    Jun 2003
    Location
    on the net!
    Posts
    89
    Quote Originally Posted by daveyw View Post
    Mmmm i'm runnning the mod_clamav on CentOS 5.3 x86_64 without any problems (and for me he downloaded 0.11rc)

    I guess he (sHuKKo) updated before I've installed it :P
    current versions I used in this howto are:

    clamav: 0.95.1
    proftpd: 1.3.2
    mod_clamav: 0.11rc

    I will update my script used in this howto whenever a new version appears.
    http://www.youripaddy.com/
    What is your ip address?

  20. #20
    Join Date
    Apr 2007
    Posts
    264
    Will / how can this also work with file uploads via the web ?

Page 1 of 5 123 ... LastLast

Similar Threads

  1. HowTo: ClamAV
    By ju5t in forum How-To Guides
    Replies: 115
    Last Post: 11-21-2010, 11:17 AM
  2. ClamAV Antivirus HOWTO
    By hci in forum How-To Guides
    Replies: 40
    Last Post: 08-03-2009, 11:55 AM
  3. EASY HOWTO MAILSCANNER/Clamav/RazorDCC/ and more..
    By sohaib in forum How-To Guides
    Replies: 27
    Last Post: 11-06-2005, 12:04 PM
  4. [req HOWTO]exim+exiscan+SA+clamav
    By sander815 in forum How-To Guides
    Replies: 1
    Last Post: 09-17-2004, 12:33 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •