I have set things up so that ClamAV works together with amavisd-new to scan email for viruses (and for spam by means of spamassassin). Others may prefer a different solution.
apt-get install clamav
apt-get install clamav-clamd
apt-get install spamassassin

During the configuration of clamd, make clamav a member of the group amavis so that amavis can contact clamd for virus scanning (as far as I can tell). This may mean that amavisd-new has to be installed before clamav-clamd; otherwise you have to run dpkg-reconfigure clamav-daemon after amavisd-new is installed.
Nightly CVS snapshot:
http://clamav.sourceforge.net/snapshot/
CVS web interface:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/clamav/#dirlist
Works together with Postfix; see the description here: scrubber
Postfix-Cyrus-Web-cyradm-HOWTO
Hi All, My next project is to somehow get squid and clamav to work together. Has anyone got this to work yet?
Hi Thomas, take a look at SquidClamAV Redirector: http://www.jackal-net.at/tiki-read_article.php?articleId=1.
Install these packages first:
groupadd -g 96 clamav
useradd -u 96 -g clamav -c ClamAV -s /bin/false clamav
Then it is the usual tarball installation with
./configure
make
su -c "make install"
File locations:
/usr/local/share/clamav/*        (database)
/usr/local/etc/clamav.conf
/usr/local/etc/freshclam.conf
I placed freshclam.log in /home/clamav/ to be sure the log file kept the correct permissions (the Mandrake server insisted on changing the ownership to root in /var/log/).
[root@mx root]# cat /etc/logrotate.d/clamav
/var/log/clamav/clamav.log {
    missingok
    create 640 clamav clamav
    weekly
    compress
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/clamd.pid` 2>/dev/null || true
    endscript
}
You're welcome to test out my project; it's quite fast (could easily do 5m messages/day on modern hardware) with clamav, and integrates with postfix. The postfix filter is very small and fast, and the scanning runs as a service, thereby reducing all overhead except the TCP/IP connection. You may test it with a couple of accounts before migrating to complete postfix integration. The only caveat is that it requires you to know what you're doing... =)
The ClamAV manual states: "It's highly recommended to install the GNU MP 3 library in order to enable support for database digital signatures." Which RPM for RH9 should I install to get the GNU MP 3 library and enable DIGITAL SIGNATURES? I assume that DIGITAL SIGNATURES is the source of the problem in "integrating" ClamAV 0.66 with qmail-scanner.
Just install the gmp and gmp-devel packages (which are version 4.x IIRC); they come on the RedHat CDs or on one of the FTP sites (pulls out his trusty bookmarks):
ftp://194.199.20.114/linux/redhat/9/en/os/i386/RedHat/RPMS/gmp-4.1.2-2.i386.rpm
ftp://194.199.20.114/linux/redhat/9/en/os/i386/RedHat/RPMS/gmp-devel-4.1.2-2.i386.rpm
If this kind of bursty traffic is a problem (it will network-copy both cvd files to each host in your network immediately after an upgrade, so you will have (number of hosts * size of both cvd files) in traffic for each update), you can do a lazier update style, where the slaves query the master: on 10.1.100.10, use the normal DNSDataBaseInfo and DatabaseMirror directives. On the slaves, omit DNSDataBaseInfo and just use:
DatabaseMirror 10.1.100.10
in freshclam.conf on each of the slaves.
grep FOUND /var/log/messages \
  | cut -d ":" -f 5 \
  | sed -e "s/\ FOUND//" \
  | sort \
  | uniq -c \
  | sort -r
This gives us the following output (yes, no percentages, one might hack that into it):
   9353 Worm.SomeFool.Gen-1
   3647 Worm.SomeFool.P
   2312 Worm.SomeFool.Gen-2
    912 Worm.Sober.D
    521 Worm.Dumaru.A
    174 Worm.SomeFool.I
     55 Worm.Mydoom.F
     53 Worm.Dumaru.K
     39 Worm.Dumaru.Y
     35 Worm.Bagle.Gen-zippwd
     23 Worm.Bagle.Gen-1
[...]
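The same tally rewritten as an added example (not from the original notes) so that it also prints the percentage column the pipeline above lacks. The log lines are constructed here to mirror the syslog format clamd writes ("clamd[pid]: /path/file: Signature.Name FOUND"); that format, and the fact that the signature name is the word immediately before FOUND, are assumptions, but taking the word before FOUND avoids depending on the number of colon-separated fields, which breaks the `cut -f 5` version whenever a scanned path contains a colon.

```shell
#!/bin/sh
# Added example: count ClamAV "FOUND" log entries per signature with percentages.
# Sample log lines are constructed (not real data) in clamd's syslog format.
SAMPLE_LOG='Jun  2 14:50:12 mx clamd[907]: /var/spool/amavis/tmp/a/parts/p001: Worm.SomeFool.Gen-1 FOUND
Jun  2 14:51:03 mx clamd[907]: /var/spool/amavis/tmp/b/parts/p001: Worm.Sober.D FOUND
Jun  2 14:52:44 mx clamd[907]: /var/spool/amavis/tmp/c/parts/p002: Worm.SomeFool.Gen-1 FOUND
Jun  2 14:53:10 mx clamd[907]: /var/spool/amavis/tmp/d/parts/p001: OK
Jun  2 14:54:21 mx clamd[907]: /var/spool/amavis/tmp/e/parts/p001: Worm.SomeFool.Gen-1 FOUND'

# found_stats: read log text on stdin, print "count percent signature" per
# signature, most frequent first. Only lines ending in " FOUND" are counted,
# so "OK" and "ERROR" lines are ignored; the signature is the word before FOUND.
found_stats() {
    grep ' FOUND$' \
      | awk '{ sig = $(NF-1); n[sig]++; total++ }
             END { for (s in n) printf "%d %.1f %s\n", n[s], 100*n[s]/total, s }' \
      | sort -rn
}

# top_signature: name of the most frequent signature in the sample log
top_signature() {
    printf '%s\n' "$SAMPLE_LOG" | found_stats | head -n 1 | awk '{ print $3 }'
}

# found_total: total number of FOUND lines in the sample log
found_total() {
    printf '%s\n' "$SAMPLE_LOG" | found_stats | awk '{ t += $1 } END { print t }'
}

printf '%s\n' "$SAMPLE_LOG" | found_stats
```

Run against a real log with `found_stats < /var/log/messages`; the percentages make it easy to see when a single worm family dominates the traffic, which is usually what triggers a closer look at the mail queue.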
Send this file - http://www.eicar.org/download/eicar_com.zip - to yourself and look in clamd's log.
If clamd detects it ("eicar_com.zip: Eicar-Test-Signature FOUND"), it's OK.
To enable attachment scanning, uncomment these parameters in clamav.conf:
ScanOLE2
ScanMail
ScanArchive
ScanRAR
squidclam should behave like SquidClamAV_Redirector.py. I like SCAVR's technique for saving bandwidth and performance.
At the moment the following code is a PoC showing what I'm going to do. Please have a look at it and post me some comments/opinions. If this is useful for some more people, I'll think of maintaining it at sf.net.
To compile, you need libcurl and libclamav *surprise* ;)
Make sure you set ERROR and MY_PROXY to something useful.
In squid, just set redirect_program /usr/local/bin/squidclam and an acl redirector_access deny localhost to prevent loops.
For an example ERROR page, have a look at Michael Lang's page: http://www.jackal-net.at/tiki-read_article.php?articleId=1
TODO:
Greetings Daniel Lord
I use ClamAssassin for that: http://drivel.com/clamassassin/ No RPM AFAIK, but the setup looks like this:
:0fw: clamassassin.lock
| /usr/local/bin/clamassassin
*Exactly* like spamc, and it puts X-Virus headers in mails like this:
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.2 with clamdscan / ClamAV 0.85.1/907/Thu Jun 2 14:50:12 2005
When there is a virus in the mail, X-Virus-Status will be Yes and the name of the virus is put in.
Installation:
./configure
make
su
make install
Needs autoconf, automake, gettext, m4 and bison (or flex+yacc).
Mailfilter can scan a mail account on a POP server and remove unwanted mail from the server before download. Filtering can be on size, on the contents of the Subject, and the like.
apt-get install amavisd-new
Edit /etc/amavis/amavisd.conf:
$mydomain = 'example.net';             # Set your domain name
#@bypass_spam_checks_acl = qw( . );    # Comment out this line to enable spam checking
$final_spam_destiny = D_DISCARD;       # Changed from the default
This, plus the additions to Postfix, is all that is needed on Debian.
This installation applies to Postfix with an already installed ClamAV virus scanner. amavisd is therefore run as the clamav user, and so on.
/home/clamav
amavisd               to /usr/local/sbin    chmod 755
amavisd.conf          to /usr/local/etc     chmod 644
/var/mail/virusmails                        chmod 750
This applies to both Debian and Mandrake. The only difference I can see is that Mandrake runs chrooted, while Debian does not by default.
# Amavisd / clamav virus control
content_filter = smtp-amavis:[127.0.0.1]:10024

# Added for amavisd-new
smtp-amavis unix -       -       n       -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
(Note that the 'n' in column 5 must be set to 'y' if running chrooted, which Mandrake Linux did!)
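Two of the -o overrides on the 10025 listener carry the security weight of this setup: content_filter= must be emptied so that mail amavis hands back is not sent through amavis again in a loop, and mynetworks=127.0.0.0/8 keeps the otherwise unrestricted re-injection port from relaying for anyone who can reach it. The following check is an added example, not part of the original notes or of Postfix itself; it reads a master.cf on stdin and reports whether both overrides are present on the 127.0.0.1:10025 service. It assumes the usual master.cf layout in which a service starts in column one and its -o continuation lines are indented, and both input texts are constructed inline.

```shell
#!/bin/sh
# Added example: verify the amavisd-new re-injection listener in Postfix master.cf.
# MASTER_CF_OK mirrors the fragment in the notes; MASTER_CF_BAD is a constructed
# copy with the two safeguards missing.
MASTER_CF_OK='smtp-amavis unix -       -       n       -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_hard_error_limit=1000'

MASTER_CF_BAD='127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o local_recipient_maps=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject'

# check_reinject: read master.cf on stdin, print OK/MISSING for each safeguard
# on the 127.0.0.1:10025 service, exit 1 if either is missing.
check_reinject() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                        # blank or comment
        $1 != "-o" { in_svc = ($1 == "127.0.0.1:10025"); next } # new service line
        in_svc && $2 == "content_filter="        { cf = 1 }  # loop prevention
        in_svc && $2 == "mynetworks=127.0.0.0/8" { mn = 1 }  # loopback-only relay
        END {
            print (cf ? "OK" : "MISSING") " content_filter= override on 10025"
            print (mn ? "OK" : "MISSING") " mynetworks=127.0.0.0/8 on 10025"
            exit (cf && mn) ? 0 : 1
        }'
}

# reinject_status: pass/fail word for a master.cf text given as argument
reinject_status() {
    if printf '%s\n' "$1" | check_reinject >/dev/null; then echo pass; else echo fail; fi
}

printf '%s\n' "$MASTER_CF_OK" | check_reinject
printf '%s\n' "$MASTER_CF_BAD" | check_reinject || true
```

On a live system run `check_reinject < /etc/postfix/master.cf` after editing; a MISSING content_filter= line typically shows up later as mail bouncing between port 10024 and 10025 until the hop count is exceeded.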
First take a look at the IPMasquerading-HOWTO (you can find it, for example, at www.linux.no).
Kernel 2.2 uses ipchains; 2.4 can use ipchains or iptables (which is newer). You can find a semi-automatically generated ipchains script here:
http://packetfilter.amotken.com
Others have given good pointers to HOWTOs. You might take a look at Trustix, which actually came with the latest issue of Norske Linux-magasinet. It is supposedly an improved version of RedHat, especially with regard to security. I'm actually going to set up a firewall with Trustix myself before long.
--
Kenneth Rørvik     91841353/22950312
Nordbergv. 60 A    kenneth@spambuster.rorvik.com
0875 OSLO          home.no.net/stasis
Installation on Debian. I have an ADSL modem connected directly to a switch and have set up shorewall to protect my server (the server is not set up to act as a firewall for my LAN). Installation on Debian sarge is done with the command apt-get install shorewall. Then I copied the files from /usr/share/doc/shorewall/default-config/ to /etc/shorewall/ and edited them to contain:
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        192.168.1.255

#ZONE   HOST(S)                     OPTIONS
loc     eth0:192.168.1.0/24

#
#ZONE   DISPLAY     COMMENTS
loc     Local       Local Network
net     Internet    The big bad Internet
Since I only have one interface but define two zones on eth0, it is apparently important that the zones are defined in the order shown.
#SOURCE   DEST   POLICY   LOG      LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

#ACTION   SOURCE             DEST               PROTO   DEST          SOURCE
AllowWeb  loc                fw
AllowSSH  loc                fw:192.168.1.201
ACCEPT    loc                fw:192.168.1.201   icmp
# Mail protocols
ACCEPT    loc                fw:192.168.1.201   tcp     25            # Insecure SMTP
ACCEPT    fw:192.168.1.201   net                tcp     25            # Insecure SMTP
ACCEPT    fw:192.168.1.201   net                tcp     465           # SMTP over SSL (TLS)
ACCEPT    loc                fw:192.168.1.201   tcp     993           # IMAPS
ACCEPT    fw                 net                tcp     143,993       # IMAP
# News
ACCEPT    loc                fw:192.168.1.201   tcp     119,563
ACCEPT    loc                fw:192.168.1.201   udp     563
# DNS
ACCEPT    loc                fw                 tcp     53
ACCEPT    loc                fw                 udp     53
ACCEPT    fw                 net                tcp     53
ACCEPT    fw                 net                udp     53
# NTP
ACCEPT    fw                 all                tcp     123
ACCEPT    fw                 all                udp     123
# NFS
ACCEPT    loc                fw:192.168.1.201   tcp     111           # RPC
ACCEPT    loc                fw:192.168.1.201   tcp     2049
ACCEPT    loc                fw:192.168.1.201   tcp     811
ACCEPT    loc                fw:192.168.1.201   tcp     -             1023
ACCEPT    loc                fw:192.168.1.201   udp
# Samba (SMB, NMB)
ACCEPT    loc                fw:192.168.1.201   tcp     137,139,445
ACCEPT    loc                fw:192.168.1.201   udp     137:139
ACCEPT    fw:192.168.1.201   loc                tcp     137,139,445
ACCEPT    fw:192.168.1.201   loc                udp     137:139
# IPP (CUPS)
ACCEPT    loc                fw:192.168.1.201   tcp     631
ACCEPT    loc                fw:192.168.1.201   udp     631
ACCEPT    fw:192.168.1.201   loc                tcp     631
ACCEPT    fw:192.168.1.201   loc                udp     631
Then just keep an eye on Shorewall's log messages for anything being blocked, and add rules for whatever should be allowed.
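Keeping an eye on those messages is easier with a summary than by reading syslog line by line. The script below is an added example (not part of the original notes or of Shorewall) that tallies the blocked traffic by chain, disposition and destination port, and lists the source addresses hit by the net2all DROP policy so they can be reviewed before any rule is loosened. It assumes Shorewall's kernel log prefix has the form `Shorewall:<chain>:<disposition>:` followed by the usual netfilter KEY=VALUE fields; the log lines are constructed samples using documentation addresses.

```shell
#!/bin/sh
# Added example: summarise Shorewall log lines from syslog.
# Constructed sample lines (assumed Shorewall log prefix, netfilter KEY=VALUE fields).
SHOREWALL_LOG='Jun  2 14:50:12 mx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.201 LEN=48 PROTO=TCP SPT=4321 DPT=135 WINDOW=16384 SYN
Jun  2 14:50:40 mx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.201 LEN=48 PROTO=TCP SPT=1030 DPT=445 SYN
Jun  2 14:51:02 mx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.201 LEN=48 PROTO=TCP SPT=2200 DPT=135 SYN
Jun  2 14:51:30 mx kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.201 LEN=60 PROTO=TCP SPT=40000 DPT=631 SYN
Jun  2 14:52:00 mx kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.201 LEN=32 PROTO=UDP SPT=137 DPT=137'

# blocked_summary: read syslog text on stdin, print "count chain:disposition PROTO/DPT",
# most frequent first. Fields are located by name, not position, because the set
# of netfilter fields varies between lines (MAC= is not always present).
blocked_summary() {
    awk '
        /Shorewall:/ {
            split($0, a, "Shorewall:"); split(a[2], b, ":")   # b[1]=chain, b[2]=disposition
            proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            n[b[1] ":" b[2] " " proto "/" dpt]++
        }
        END { for (k in n) print n[k], k }' \
      | sort -rn
}

# top_blocked: the most frequent (chain, disposition, proto/port) entry in the sample log
top_blocked() {
    printf '%s\n' "$SHOREWALL_LOG" | blocked_summary | head -n 1
}

# dropped_sources: distinct source addresses dropped by the net2all policy
dropped_sources() {
    printf '%s\n' "$SHOREWALL_LOG" | awk '/Shorewall:net2all:DROP:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' | sort -u
}

printf '%s\n' "$SHOREWALL_LOG" | blocked_summary
```

With the local zone in the sample, the all2all REJECT on port 631 is the kind of entry that points at a rule to add (a LAN host trying to print), whereas the net2all DROP counts on 135, 137 and 445 are background scanning from the Internet and are exactly what the DROP policy is there for.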
This one doesn't talk to anyone unless we talk first. In addition, it MASQUERADES the local network out onto the Internet.
[hhg@hhg hhg]$ cat /etc/rc.d/init.d/firewall
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -N FILTER
/sbin/iptables -N LOKAL
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i eth1 -j FILTER
/sbin/iptables -A INPUT -i ! eth1 -j LOKAL
/sbin/iptables -A FILTER -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 113 -j ACCEPT    # lets in auth for IRC access
/sbin/iptables -A FILTER -p tcp --dport 6346 -j ACCEPT   # lets in gnutella
/sbin/iptables -A FILTER -p tcp --dport 2110 -j ACCEPT   # lets in licq
/sbin/iptables -A FILTER -p tcp --dport 22 -j ACCEPT     # lets in SSH
/sbin/iptables -A LOKAL -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

> Oops, sorry, a small mistake there; this is probably how it should be:
>
> iptables -A FORWARD -s 0/0 -d 192.168.1.0/24 -i ppp0 -j ACCEPT
> iptables -A FORWARD -d 0/0 -s 192.168.1.0/24 -o ppp0 -j ACCEPT
> iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.1.0/24 -o ppp0 \
>     -j MASQUERADE
>
> But that is no different from saying P ACCEPT...

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f -j ACCEPT
iptables -A FORWARD -d 0/0 -s 192.168.1.0/24 -i ! ppp0 -j ACCEPT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

This is perhaps closer to what one wants?