How-to: Scan pure-ftpd content with ClamAV

smtalk

Pure-ftpd needs to be compiled with the "--with-uploadscript" flag (used by default in CustomBuild 2.0) to use this feature, and ClamAV must be installed on the system:

Create a post-upload checking script. Open /etc/pureftpd-antivirus.sh (for example) and post the following content to it:
Code:
echo '#!/bin/sh' > /etc/pureftpd-antivirus.sh
echo '/usr/bin/clamdscan --remove --quiet --no-summary "$1"' >> /etc/pureftpd-antivirus.sh
echo 'exit 0;' >> /etc/pureftpd-antivirus.sh
chmod 755 /etc/pureftpd-antivirus.sh
Important: replace /etc/init.d/pure-ftpd with /usr/local/etc/rc.d/pure-ftpd for the next steps on FreeBSD systems.

Save the file and close it. Add pure-uploadscript to the pure-ftpd start/stop script:
Code:
perl -pi -e 's#touch /var/lock/subsys/pure-ftpd#touch /var/lock/subsys/pure-ftpd\n\t\t/usr/sbin/pure-uploadscript -B -r /etc/pureftpd-antivirus.sh 1>/dev/null 2>/dev/null#' /etc/init.d/pure-ftpd
perl -pi -e 's#rm -f /var/lock/subsys/pure-ftpd#rm -f /var/lock/subsys/pure-ftpd\n\t\tkillall -9 pure-uploadscript 1>/dev/null 2>/dev/null#' /etc/init.d/pure-ftpd
perl -pi -e 's#OPTIONS="-B#OPTIONS="-B -o#' /etc/init.d/pure-ftpd
Restart pure-ftpd with pure-uploadscript:
Code:
/etc/init.d/pure-ftpd restart

To remove pure-ftpd ClamAV scan:
Code:
perl -0777 -pi -e 's#touch /var/lock/subsys/pure-ftpd\n\t\t/usr/sbin/pure-uploadscript -B -r /etc/pureftpd-antivirus.sh 1>/dev/null 2>/dev/null#touch /var/lock/subsys/pure-ftpd#g' /etc/init.d/pure-ftpd
perl -0777 -pi -e 's#rm -f /var/lock/subsys/pure-ftpd\n\t\tkillall -9 pure-uploadscript 1>/dev/null 2>/dev/null#rm -f /var/lock/subsys/pure-ftpd#g' /etc/init.d/pure-ftpd
perl -pi -e 's#OPTIONS="-B -o#OPTIONS="-B#' /etc/init.d/pure-ftpd

Restart pure-ftpd without pure-uploadscript:
Code:
/etc/init.d/pure-ftpd restart
 
Sorry to bump this up, but you have to add "-o" to the end of the OPTIONS line in /etc/init.d/pure-ftpd or the upload script will not work.

And to log infected files, add --log=/var/log/ftp-clamscan.log to the end of the clamdscan line in the script:

/usr/bin/clamdscan --remove --quiet --no-summary "$1" --log=/var/log/ftp-clamscan.log
 
You may change

/usr/bin/clamdscan --remove --quiet --no-summary "$1"

to

/usr/bin/clamscan --remove --quiet --no-summary "$1"

so you won't get permission errors.
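
A variant of the upload hook that combines the points raised in the posts above (quoting the path, logging, permission errors with clamdscan), as an added example that is not part of the thread. It assumes clamd listens on a local Unix socket so that `--fdpass` works, and it moves detections to a hypothetical quarantine directory instead of using `--remove`:

```sh
#!/bin/sh
# Added example: post-upload hook for pure-uploadscript (not the thread's script).
# pure-uploadscript passes the uploaded file's path as $1.
SCANNER="${SCANNER:-/usr/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine/ftp}"    # assumed path, adjust locally
LOGFILE="${LOGFILE:-/var/log/ftp-clamscan.log}"    # log path used in the thread

log_result() {
    # UPLOAD_USER is set by pure-uploadscript; "unknown" when run by hand.
    printf '%s user=%s file=%s result=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "${UPLOAD_USER:-unknown}" "$1" "$2" >> "$LOGFILE"
}

# Scan one file and print CLEAN, INFECTED or ERROR.
scan_upload() {
    file=$1
    result=ERROR
    case $file in
        /*) ;;                                   # accept absolute paths only
        *)  log_result "$file" "$result"; echo "$result"; return 0 ;;
    esac
    if [ -L "$file" ] || [ ! -f "$file" ]; then  # skip symlinks and non-files
        log_result "$file" "$result"; echo "$result"; return 0
    fi
    rc=0
    # --fdpass hands clamd an open descriptor, so clamd does not need its own
    # read access to the user's directory.
    "$SCANNER" --fdpass --quiet --no-summary "$file" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) result=CLEAN ;;
        1) result=INFECTED                       # clamdscan: 1 = virus found
           mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" &&
               mv "$file" "$QUARANTINE/$(basename "$file").$$" || result=ERROR ;;
        *) result=ERROR ;;                       # 2 = scanner error, file kept
    esac
    log_result "$file" "$result"
    echo "$result"
}

# Hook entry point: always exit 0, as the thread's script does.
if [ "$#" -gt 0 ]; then
    scan_upload "$1" >/dev/null
    exit 0
fi
```

A scanner error leaves the upload in place and is logged as ERROR, so a stopped clamd shows up in the log rather than passing silently.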
 
Thank you for the comments. Guide is now updated.
 
This is great, thank you.

Suppose I want to undo (remove) the scanning of uploaded files, how do I do that?

And there is something wrong:
Code:
[root@server15 etc]# /etc/rc.d/init.d/pure-ftpd restart
Shutting down pure-ftpd:                                   [  OK  ]
Starting pure-ftpd: /usr/sbin/pure-ftpd: invalid option -- 'o'
                                                           [  OK  ]
 
You should re-install pure-ftpd with the "--with-uploadscript" configuration option flag. This can be done by upgrading CustomBuild to 2.0, or by just adding --with-uploadscript to /usr/local/directadmin/custombuild/custom/pureftpd/configure.pureftpd and running "./build pureftpd".
 
Ooooh..... I got confused by this line:
Pure-ftpd needs to be compiled with "--with-uploadscript" flag (used by default)
So it isn't always used by default. :)

OK, I will rebuild pure-ftpd then. But how can I uninstall the adjustment? What exactly has to be removed from /etc/rc.d/init.d/pureftpd?
 
Unfortunately I had to remove it. Clamscan often used a lot of CPU time, up to 100%, which made FTP uploads very slow.
 
Thank you. I removed it in September last year, as you can see, so it's a bit late now. :)
However, better late than never, so thank you for the advice. I will try it on the next new server. Mostly when something bad gets onto a server it's injected malware (leak scripts or something like that), not uploaded malware, and our current servers also run internet radio stations, so we're trying to keep any delays to a minimum.
We run maldet every night anyway.
 
Should clam be installed by CustomBuild,
or will installing it from source be fine?
 
To scan files uploaded using pure-ftpd? It does not matter. However, if you install from source, it gets installed to /usr/local, which means that if you'd later like to install it using CustomBuild, you'd get a conflict, because CustomBuild installs it to /usr.
 
Another benefit of installing it via CustomBuild is that you can also easily upgrade it that way.
 
To scan files uploaded using pure-ftpd? It does not matter. However, if you install from source, it gets installed to /usr/local, which means that if you'd later like to install it using CustomBuild, you'd get a conflict, because CustomBuild installs it to /usr.
It's not clear to me:
does this option "pureftpd_uploadscan" install clam too, or does it just add some rules for pureftpd to use clam?
 