How-to: Scan pure-ftpd content with ClamAV

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,300
Location
LT, EU
Pure-ftpd needs to be compiled with the "--with-uploadscript" flag (used by default in CustomBuild 2.0) to use this feature, and ClamAV must be installed on the system.

Create a post-upload checking script. Open /etc/pureftpd-antivirus.sh (for example) and post the following content to it:
Code:
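# Create the post-upload script; pure-uploadscript passes the uploaded file's path as $1
echo '#!/bin/sh' > /etc/pureftpd-antivirus.sh
# "$1" is quoted so that file names containing spaces are scanned as a single path
echo '/usr/bin/clamdscan --remove --quiet --no-summary "$1"' >> /etc/pureftpd-antivirus.sh
echo 'exit 0;' >> /etc/pureftpd-antivirus.sh
chmod 755 /etc/pureftpd-antivirus.sh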
Important: replace /etc/init.d/pure-ftpd with /usr/local/etc/rc.d/pure-ftpd for the next steps on FreeBSD systems.

Save the file and close it. Add pure-uploadscript to pure-ftpd start/stop script:
Code:
perl -pi -e 's#touch /var/lock/subsys/pure-ftpd#touch /var/lock/subsys/pure-ftpd\n\t\t/usr/sbin/pure-uploadscript -B -r /etc/pureftpd-antivirus.sh 1>/dev/null 2>/dev/null#' /etc/init.d/pure-ftpd
perl -pi -e 's#rm -f /var/lock/subsys/pure-ftpd#rm -f /var/lock/subsys/pure-ftpd\n\t\tkillall -9 pure-uploadscript 1>/dev/null 2>/dev/null#' /etc/init.d/pure-ftpd
perl -pi -e 's#OPTIONS="-B#OPTIONS="-B -o#' /etc/init.d/pure-ftpd
Restart pure-ftpd with pure-uploadscript:
Code:
/etc/init.d/pure-ftpd restart
To remove pure-ftpd ClamAV scan:
Code:
# -0777 makes perl read the whole file at once, so the patterns that contain \n can match
perl -0777 -pi -e 's#touch /var/lock/subsys/pure-ftpd\n\t\t/usr/sbin/pure-uploadscript -B -r /etc/pureftpd-antivirus.sh 1>/dev/null 2>/dev/null#touch /var/lock/subsys/pure-ftpd#g' /etc/init.d/pure-ftpd
perl -0777 -pi -e 's#rm -f /var/lock/subsys/pure-ftpd\n\t\tkillall -9 pure-uploadscript 1>/dev/null 2>/dev/null#rm -f /var/lock/subsys/pure-ftpd#g' /etc/init.d/pure-ftpd
perl -pi -e 's#OPTIONS="-B -o#OPTIONS="-B#' /etc/init.d/pure-ftpd
Restart pure-ftpd without pure-uploadscript:
Code:
/etc/init.d/pure-ftpd restart
 

Rackset

Verified User
Joined
Aug 22, 2009
Messages
6
Sorry to bump this up, you have to add "-o" to the end of the OPTIONS line in /etc/init.d/pure-ftpd or the upload script will not work.

And to log infected files, add --log=/var/log/ftp-clamscan.log to the end of the clamdscan line in the script:

/usr/bin/clamdscan --remove --quiet --no-summary "$1" --log=/var/log/ftp-clamscan.log
 

BestBoard

Verified User
Joined
Sep 8, 2006
Messages
195
You may change

/usr/bin/clamdscan --remove --quiet --no-summary "$1"

to

/usr/bin/clamscan --remove --quiet --no-summary "$1"

so you won't get permission errors.
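
Added example, not code posted by anyone in this thread: a hardened variant of the post-upload script from the first post that quotes the path, uses clamdscan's `--fdpass` for the permission problem, logs every verdict and quarantines an infected file instead of deleting it. The quarantine directory and the `SCANNER` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardened variant of /etc/pureftpd-antivirus.sh (not from the thread).
# QUARANTINE_DIR is an assumed path; SCANNER is overridable so the logic can be tested.
SCANNER="${SCANNER:-/usr/bin/clamdscan}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine/ftp}"
SCAN_LOG="${SCAN_LOG:-/var/log/ftp-clamscan.log}"

# Append one line per upload: timestamp, FTP user, path, verdict.
# UPLOAD_VUSER / UPLOAD_USER are set in the environment by pure-uploadscript.
log_line() {
    printf '%s user=%s file=%s result=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "${UPLOAD_VUSER:-${UPLOAD_USER:-unknown}}" "$1" "$2" >> "$SCAN_LOG"
}

# Scan one uploaded file and return the scanner's exit status
# (clamdscan: 0 = clean, 1 = virus found, 2 = error).
scan_upload() {
    file=$1
    # Only absolute paths are accepted, so the argument can never be parsed as an option.
    case $file in
        /*) ;;
        *) log_line "$file" rejected-path; return 2 ;;
    esac
    [ -f "$file" ] || { log_line "$file" missing; return 2; }

    status=0
    # --fdpass passes an open descriptor to clamd, which avoids permission
    # errors when clamd runs as a user that cannot read the FTP user's files.
    "$SCANNER" --fdpass --quiet --no-summary "$file" || status=$?

    case $status in
        0) log_line "$file" clean ;;
        1) # Quarantine rather than delete, so false positives can be restored.
           dest="$QUARANTINE_DIR/$(date '+%Y%m%d%H%M%S').$$.$(basename "$file")"
           mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR" &&
               mv -f "$file" "$dest" && chmod 000 "$dest" &&
               log_line "$file" infected-quarantined ||
               log_line "$file" quarantine-failed ;;
        *) log_line "$file" "scan-error-$status" ;;
    esac
    return "$status"
}

# pure-uploadscript runs this script with the uploaded file's path as $1.
if [ "$#" -gt 0 ]; then
    scan_upload "$1" || true
fi
```

Scan errors (status 2) end up in the log instead of being hidden behind an unconditional `exit 0`. Staying with clamdscan keeps the signature database loaded in the clamd daemon, whereas clamscan has to load it again for every uploaded file.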
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
5,245
Location
Maastricht
This is great, thank you.

Suppose I want to undo (remove) the scanning of uploaded files, how do I do that?

And there is something wrong:
Code:
[root@server15 etc]# /etc/rc.d/init.d/pure-ftpd restart
Shutting down pure-ftpd:                                   [  OK  ]
Starting pure-ftpd: /usr/sbin/pure-ftpd: invalid option -- 'o'
                                                           [  OK  ]
 

smtalk

You should re-install pure-ftpd with the "--with-uploadscript" configuration option flag. This can be done by upgrading CustomBuild to 2.0, or by just adding --with-uploadscript to /usr/local/directadmin/custombuild/custom/pureftpd/configure.pureftpd and running "./build pureftpd".
 

Richard G

Ooooh..... I got confused by this line:
Pure-ftpd needs to be compiled with "--with-uploadscript" flag (used by default)
So it isn't always used by default. :)

Okay, I will rebuild pure-ftpd then. But how can I uninstall the adjustment? What exactly has to be removed from /etc/rc.d/init.d/pureftpd?
 

Richard G

Unfortunately I had to remove it. Clamscan often used a lot of CPU time, up to 100%, which made FTP uploads very slow.
 

Richard G

Thank you. I removed it in September last year as you can see, so it's a bit late now. :)
However, better late than never, so thank you for the advice. I will try it on the next new server. Mostly when something bad gets onto a server it's injected malware (leak scripts or something like that), not uploaded malware, and our current servers also run internet radio stations, so we're trying to keep any delays to a minimum.
We run maldet every night anyway.
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
Should clam be installed by CustomBuild?
Or will installing it from source be fine?
 

smtalk

To scan files uploaded using pure-ftpd? It does not matter. However, if you install from the source, it gets installed to /usr/local; that means if you'd like to install it using CustomBuild, you'd get a conflict, because CustomBuild installs it to /usr.
 

Richard G

Another benefit of installing it via custombuild is that you can also easily upgrade it that way.
 

nimafire

To scan files uploaded using pure-ftpd? It does not matter. However, if you install from the source, it gets installed to /usr/local; that means if you'd like to install it using CustomBuild, you'd get a conflict, because CustomBuild installs it to /usr.
It's not clear to me.
Does this option "pureftpd_uploadscan" install clam too, or does it just add some rules for pureftpd to use clam?
 