sHuKKo
Verified User
These lines are from FTP clients connection log window.
What do you want to do? If you tell it we can help.
HOWTO: ProFTPD Antivirus using CLAMAV
- Thread starter sHuKKo
- Start date
These lines are from FTP clients connection log window.
What do you want to do? If you tell it we can help.
nimafire
Verified User
- Joined
- Aug 10, 2008
- Messages
- 245
Last edited:
massive
Verified User
- Joined
- Feb 16, 2006
- Messages
- 299
Thanks for your reply floyd.
I think that it will be good if the email protection will be here too in a single post, so
Add in the begining of /etc/exim.conf :
av_scanner = clamd:127.0.0.1 3310
and after check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat: com: pif: prf:scr : vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
I think that it will be good if the email protection will be here too in a single post, so
Add in the begining of /etc/exim.conf :
av_scanner = clamd:127.0.0.1 3310
and after check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat: com: pif: prf:scr : vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Last edited:
i tried and everything looks fine apparently (after spending time to fix some errors)... however, when i uploaded the test virus file.. it's not removed! 
when running proftpd in debug mode.. i found the below lines...
from the last line.. it looks like it scanNED the file and found no virus.. but how can that be?
and for the below 2 lines..
it seems there are problems? is this the error that makes it not cleaning up properly? please kindly help!
when running proftpd in debug mode.. i found the below lines...
Code:
session.xfer.path is '/eicar.com'.
ClamMinSize=0 ClamMaxSize=5242880 Filesize=68
Going to virus scan absolute filename = '/home/demouser/eicar.com' with relative filename = '/eicar.com'.
mod_clamav/0.11rc: Connecting to remote Clamd host 'localhost' on port 3310
ROOT PRIVS at mod_clamav.c:227
ROOT PRIVS: ID switching disabled
PRIVS_RELINQUISH: ID switching disabled
mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost'
mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Success
No virus detected in filename = '/home/demouser/eicar.com'.from the last line.. it looks like it scanNED the file and found no virus.. but how can that be?
and for the below 2 lines..
Code:
mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost'
mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Successit seems there are problems? is this the error that makes it not cleaning up properly? please kindly help!
GREAT! I got it working after using the following codes in /etc/proftpd.conf instead...
Code:
<IfModule mod_clamav.c>
ClamAV on
ClamServer 127.0.0.1
ClamPort 3310
ClamMaxSize 5 Mb
</IfModule>i tried and everything looks fine apparently (after spending time to fix some errors)... however, when i uploaded the test virus file.. it's not removed!
when running proftpd in debug mode.. i found the below lines...
Code:session.xfer.path is '/eicar.com'. ClamMinSize=0 ClamMaxSize=5242880 Filesize=68 Going to virus scan absolute filename = '/home/demouser/eicar.com' with relative filename = '/eicar.com'. mod_clamav/0.11rc: Connecting to remote Clamd host 'localhost' on port 3310 ROOT PRIVS at mod_clamav.c:227 ROOT PRIVS: ID switching disabled PRIVS_RELINQUISH: ID switching disabled mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost' mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Success No virus detected in filename = '/home/demouser/eicar.com'.
from the last line.. it looks like it scanNED the file and found no virus.. but how can that be?
Code:mod_clamav/0.11rc: error: Cannot resolve hostname 'localhost' mod_clamav/0.11rc: error: Cannot re-connect to Clamd (0): Success
it seems there are problems? is this the error that makes it not cleaning up properly? please kindly help!
Hello,
Whether somebody tried to configure CLAMAV on the remote server? Locally all works fine for me, but when I try to specify a remote host in ProFTPd configuration, on a remote host I receive an error after uploading file:
-> WARNING: lstat () failed on: <file name>
I suspect that the problem can be linked to the rights of users, maybe somebody faced it?
ProFTPd configuration:
<IfModule mod_clamav.c>
ClamAV on
ClamServer remote.hostname
ClamPort 3310
ClamMaxSize 5 Mb
</IfModule>
CLAMAV configuration at remote.hostname:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
FixStaleSocket yes
TCPSocket 3310
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User root
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
As I understand ProFTPd connects to the remote server but for some reason can not check file for viruses.
Whether somebody tried to configure CLAMAV on the remote server? Locally all works fine for me, but when I try to specify a remote host in ProFTPd configuration, on a remote host I receive an error after uploading file:
-> WARNING: lstat () failed on: <file name>
I suspect that the problem can be linked to the rights of users, maybe somebody faced it?
ProFTPd configuration:
<IfModule mod_clamav.c>
ClamAV on
ClamServer remote.hostname
ClamPort 3310
ClamMaxSize 5 Mb
</IfModule>
CLAMAV configuration at remote.hostname:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
FixStaleSocket yes
TCPSocket 3310
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User root
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
As I understand ProFTPd connects to the remote server but for some reason can not check file for viruses.
SupermanInNY
Verified User
- Joined
- Sep 28, 2004
- Messages
- 425
This is horrible! (just kidding of course ).
However, I do have a problem with the clam_mod.
I have my fair share of iframe injections and I have a sanitize script that helps clean already infected files recurrsively.
However, I just tested the following scenario:
I have a valid index.php file on the server - clean with no virus.
I then uploaded a new INFECTED copy of the index.php file to the same location, whereas it is overwritting the clean file.
I was alerted by proftpd that ClamAV found the virus and deleted the file.
Well.. guess what: it left me with NO files at all.
While previously I was able to run a cleaning script, now I have no files to clean,. it simply erases the entire file.
That is not good for me!
In an EMAIL scenario, that is perfect, but in FTP,. it will erase existing files with no way to fix them.
Is there any way to NOT erase the file, but instead - clean it?
Thanks,
-Sup.
).However, I do have a problem with the clam_mod.
I have my fair share of iframe injections and I have a sanitize script that helps clean already infected files recurrsively.
However, I just tested the following scenario:
I have a valid index.php file on the server - clean with no virus.
I then uploaded a new INFECTED copy of the index.php file to the same location, whereas it is overwritting the clean file.
I was alerted by proftpd that ClamAV found the virus and deleted the file.
Well.. guess what: it left me with NO files at all.
While previously I was able to run a cleaning script, now I have no files to clean,. it simply erases the entire file.
That is not good for me!
In an EMAIL scenario, that is perfect, but in FTP,. it will erase existing files with no way to fix them.
Is there any way to NOT erase the file, but instead - clean it?
Thanks,
-Sup.
sHuKKo
Verified User
Well then ask this from clamav developers.
This is how clamav is programmed.
Here is a quote from their FAQ which you can find in: http://www.clamav.net/support/faq/faq-misc/ address
SupermanInNY
Verified User
- Joined
- Sep 28, 2004
- Messages
- 425
Thanks for pinpointing the answer.
I have a specific server that is being hit by numerous iframe injection attacks from multiple IPs.
This is obviously a bot attack that runs in a recursive way all over the account that is being hit.
I'm thinking that I might look into mod_wrap to Deny all IPs in the proftpd.conf, then if you visit a specific page on the server, it will capture your IP, enter your IP for a 24 hours approved to access the FTP login.
That way,. unless your IP is in the Allow list of the mod_wrap, you won't be able to log in to proftpd.
This will not prevent a virus to be uploaded to the server, but it will effectively deny access from random attackers that try to brute force their way in via FTP, and even if they have the FTP username and password, unless they visit that webpage, they will not be able to log in. Not a perfect solution, but I'm thinking it is an effective blocking mechanism which reminds the "change your ssh port number" solution, and possibly even more effective.
-Sup.
SupermanInNY
Verified User
- Joined
- Sep 28, 2004
- Messages
- 425
What seems to be the problem? I just ran the update.script on 3 servers with no problem to upgrade to version 1.3.2b.
What errors did you get?
cd ~
wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
chmod +x ftpantivirus
./ftpantivirus
Is giving me the old version... When I update manual then I get the version without ClamAV?
wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
chmod +x ftpantivirus
./ftpantivirus
Is giving me the old version... When I update manual then I get the version without ClamAV?