Fungerer sammen med Postfix, se beskrivelse her: scrubber

Postfix-Cyrus-Web-cyradm-HOWTO

clamav-milter

Hi All, My next project is to some how get squid and clamav to work together. Has any one got this to work yet?

Hi Thomas, take a look at SquidClamAV Redirector: http://www.jackal-net.at/tiki-read_article.php?articleId=1.

Mitt oppsett

Installer disse pakkene først:

• bzip2-devel
• libgmp3-devel
• zlib-devel

  groupadd -g 96 clamav
  useradd -u 96 -g clamav -c ClamAV -s /bin/false clamav

Deretter er det vanlig tarball-installering med

  ./configure
  make
  su -c "make install"

Filplassering:

• /usr/local/share/clamav/* (database)
• /usr/local/etc/clamav.conf
• /usr/local/etc/freshclam.conf

Freshclam.log plasseret jeg i /home/clamav/ for å være sikker på at loggfilen beholdt korrekte rettigheter (Mandrake serveren ville absolutt endre eierskap til root i /var/log/).

Logrotate

[root@mx root]# cat /etc/logrotate.d/clamav
  /var/log/clamav/clamav.log {
      missingok
      create 640 clamav clamav
      weekly
      compress
      postrotate
       	  /bin/kill -HUP `cat /var/run/clamav/clamd.pid` 2>/dev/null || true
      endscript
  }

Andre kommentarer

You're welcome to test out my project, it's quite fast (could easily do 5m messages / day on modern hardware) with clamav, and integrates with postfix. The postfix filter is very small and fast, and the scanning runs as a service thereby reducing all overhead except the TCP/IP connection. You may test it with a couple accounts before migrating to complete postfix integration. The only caveat is that it requires you to know what you're doing.. =)

ClamAV manual states "It's highly recommended to install the GNU MP 3 library in order to enable support for a database digital signatures." What RPM of RH9 should I install to get GNU MP 3 library and enabling DIGITAL SIGNATURES? I assume that DIGITAL SIGNATURES is the source of problem to "integrate" ClamAV 0.66 to qmail-scanner.

Just install the gmp and gmp-devel package (which are version 4.x IIRC) and come in the RedHat CDs or on one of the FTP sites (pulls out his trusty bookmarks):

ftp://194.199.20.114/linux/redhat/9/en/os/i386/RedHat/RPMS/gmp-4.1.2-2.i386.rpm
ftp://194.199.20.114/linux/redhat/9/en/os/i386/RedHat/RPMS/gmp-devel-4.1.2-2.i386.rpm

Clam-clienter på LAN

If this kind of bursty traffic (it will network copy both cvd files to each host in your network immediately after upgrade, so you will have (number of hosts * size of both cvd files) in traffic for each update), you can do a lazier update style, where the slaves query the master: On 10.1.100.10, use the normal DNSDataBaseInfo and DatabaseMirror directives. On the slaves, omit DNSDataBaseInfo, and just use:

DatabaseMirror 10.1.100.10

Stat script for ClamAV

      grep FOUND /var/log/messages \
      | cut -d ":" -f 5 \
      | sed -e "s/\ FOUND//" \
      | sort \
      | uniq -c \
      | sort -r

     9353  Worm.SomeFool.Gen-1
     3647  Worm.SomeFool.P
     2312  Worm.SomeFool.Gen-2
      912  Worm.Sober.D
      521  Worm.Dumaru.A
      174  Worm.SomeFool.I
       55  Worm.Mydoom.F
       53  Worm.Dumaru.K
       39  Worm.Dumaru.Y
       35  Worm.Bagle.Gen-zippwd
       23  Worm.Bagle.Gen-1
      [...]

Scan archives

Send this file - http://www.eicar.org/download/eicar_com.zip to yourself, and look in log of clamd: If clamd will detect it "eicar_com.zip: Eicar-Test-Signature FOUND", it's OK. To enable attachment scanning uncomment parameters in clamav.conf:

ScanOLE2
ScanMail
ScanArchive
ScanRAR

squidclam

squidclam should behave like SquidClamAV_Redirector.py I like SCAVR's technic to save bandwidth and performance.

At the moment the following code is a PoC showing what I'm going to do. Please have a look at it and post me some comments/opinions. If this is usefull for some more people I'll think of maintaining it at sf.net

To compile, you need libcurl and libclamav *surprise* ;)

Make sure you set ERROR and MY_PROXY to something useful.

in squid just set redirect_program /usr/local/bin/squidclam and an acl redirector_access deny localhost to prevent loops.

for an example ERROR Page have a look at Michael Lang's page. http://www.jackal-net.at/tiki-read_article.php?articleId=1

TODO:

• clean infected buffer properly
• kick tmpfile usage out (use big buffer in memory)

Greetings Daniel Lord

ClamAssassin

I use ClamAssassin for that: http://drivel.com/clamassassin/ No RPM AFAIK, but the setup looks like this:

:0fw: clamassassin.lock
| /usr/local/bin/clamassassin

Mail

Mailfilter

Installasjon:

  ./configure
  make
  su
  make install

Mailfilter kan scanne mailkonto på POP-server og fjerne uønsket mail fra server før nedlasting. Filtrering kan være størrelse eller innholde i Subject o.l.

Amavisd-new

Installasjon

Debian (sarge)

  apt-get install amavisd-new

Rediger /etc/amavis/amavisd.conf :

  $mydomain = 'example.net';             # Sett ditt domenenavn
  #@bypass_spam_checks_acl  = qw( . );   # Kommenter ut denne linja for spam-sjekk
  $final_spam_destiny       = D_DISCARD; # Endre fra default

Dette og tilføyelsene til Postfix, er alt som skal til for Debian.

Mandrake Linux (10.0)

Denne installasjonen gjelder Postfix og allerede installert ClamAV virus scanner. Derfor kjøres amavisd under bruker clamav o.l.

• Hjemmekatalog: /home/clamav
• Pakk ut tarball i temp. katalog
• Kopier amavisd til /usr/local/sbin chmod 755
• Kopier amavisd.conf til /usr/local/etc chmod 644
• Opprett katalogen /var/mail/virusmails chmod 750

• compress
• mailtools
• IO-stringy
• mime-tools
• perl-Archive-Tar
• perl-Archive-Zip
• perl-Convert-TNEF
• perl-Converg-UUlib
• perl-IO-Multiplex
• perl-IO-Socket-SSL
• perl-Net-Server
• perl-Net-SSLeay
• perl-Unix-Syslog

• Unix::Syslog
• Net::Server
• Net::Server::PreForkSimple

Tilpasning i Postfix

Gjelder både for Debian og Mandrake. Eneste forskjellen jeg kan se er at Mandrake kjører chroot, mens Debian ikke gjør det som default.

/etc/postfix/main.cf :

  # Amavisd / clamav virus control
  content_filter = smtp-amavis:[127.0.0.1]:10024

/etc/postfix/master.cf :

  # Added for amavisd-new
  smtp-amavis     unix    -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

  127.0.0.1:10025 inet    n       -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Firewall

Først må du ta en titt på IPMasquerading-HOWTO (Du finner den f.eks. på www.linux.no).

Kjerne 2.2 bruker ipchains, 2.4 kan bruke ipchains eller iptables (som er nyere). Du finner et halvautomatisk oppsatt ipchains-script her: http://packetfilter.amotken.com

Andre har gitt gode peker til Howto's. Du kan kanskje titte på Trustix, som faktisk fulgte med siste utgave av Norske Linux-magasinet. Skal visstnok være en forbedret utgave av RedHat, spes. med tanke på sikkerhet. Skal faktisk sette opp en brannmur med Trustix selv om ikke så lenge.

--
Kenneth Rørvik          91841353/22950312
Nordbergv. 60 A         kenneth@spambuster.rorvik.com
0875 OSLO               home.no.net/stasis

Shorewall

Installasjon på Debian. Jeg har ADSL-modem koplet direkte til switch og har satt opp shorewall til å beskytte serveren min (ikke satt serveren til å fungere som brannmur for LAN'et mitt). Installasjon på Debian sarge skjer med kommando apt-get install shorewall. Deretter kopierte jeg filene:

• interfaces
• policy
• rules
• zones
• hosts

fra /usr/share/doc/shorewall/default-config/ til /etc/shorewall/ og redigerte filene til å inneholde:

/etc/shorewall/interfaces

#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            192.168.1.255

/etc/shorewall/hosts

#ZONE           HOST(S)                         OPTIONS
loc             eth0:192.168.1.0/24

/etc/shorewall/zones

#       #ZONE   DISPLAY         COMMENTS
        loc     Local           Local Network
        net     Internet        The big bad Internet

Siden jeg bare har ett interface, men definerer to soner på eth0, er det visst viktig at sonene defineres i viste rekkefølge.

/etc/shorewall/policy

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

/etc/shorewall/rules

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE
AllowWeb        loc     fw
AllowSSH        loc     fw:192.168.1.201
ACCEPT          loc     fw:192.168.1.201 icmp
# Mail protocols
ACCEPT          loc     fw:192.168.1.201 tcp    25      # Insecure SMTP
ACCEPT          fw:192.168.1.201 net    tcp     25      # Insecure SMTP
ACCEPT          fw:192.168.1.201 net    tcp     465     # SMTP over SSL (TLS)
ACCEPT          loc     fw:192.168.1.201 tcp    993     # IMAPS
ACCEPT          fw      net             tcp     143,993 # IMAP
# News
ACCEPT          loc     fw:192.168.1.201 tcp    119,563
ACCEPT          loc     fw:192.168.1.201 udp    563
# DNS
ACCEPT          loc     fw              tcp     53
ACCEPT          loc     fw              udp     53
ACCEPT          fw      net             tcp     53
ACCEPT          fw      net             udp     53
#NTP
ACCEPT          fw      all             tcp     123
ACCEPT          fw      all             udp     123
# NFS
ACCEPT          loc     fw:192.168.1.201 tcp    111     # RPC
ACCEPT          loc     fw:192.168.1.201 tcp    2049
ACCEPT          loc     fw:192.168.1.201 tcp    811
ACCEPT          loc     fw:192.168.1.201 tcp    -       1023
ACCEPT          loc     fw:192.168.1.201 udp
# Samba (SMB, NMB)
ACCEPT          loc     fw:192.168.1.201        tcp     137,139,445
ACCEPT          loc     fw:192.168.1.201        udp     137:139
ACCEPT          fw:192.168.1.201 loc    tcp     137,139,445
ACCEPT          fw:192.168.1.201 loc    udp     137:139
# IPP (CUPS)
ACCEPT          loc     fw:192.168.1.201 tcp    631
ACCEPT          loc     fw:192.168.1.201 udp    631
ACCEPT          fw:192.168.1.201 loc    tcp     631
ACCEPT          fw:192.168.1.201 loc    udp     631

Det er bare å følge med i meldingene fra Shorewall om noe blokkeres og legge inn regler for det som skal tillates.

iptables

Denna prater ikke med noen, men mindre vi prater først. I tillegg til at den MASQUERADER lokalnettet ut på internett.

[hhg@hhg hhg]$ cat /etc/rc.d/init.d/firewall
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -N FILTER
/sbin/iptables -N LOKAL
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i eth1 -j FILTER
/sbin/iptables -A INPUT -i ! eth1 -j LOKAL
/sbin/iptables -A FILTER -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 113 -j ACCEPT // slepper inn auth for IRC-tilgang
/sbin/iptables -A FILTER -p tcp --dport 6346 -j ACCEPT // slepper inn gnutella
/sbin/iptables -A FILTER -p tcp --dport 2110 -j ACCEPT //slepper inn licq
/sbin/iptables -A FILTER -p tcp --dport 22 -j ACCEPT //slepper inn SSH
/sbin/iptables -A LOKAL -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

 iptables -A FORWARD -s 0/0 -d 192.168.1.0/24 -i ppp0 -j ACCEPT
 iptables -A FORWARD -d 0/0 -s 192.168.1.0/24 -o ppp0 -j ACCEPT
 iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.1.0/24 -o ppp0 \
            -j MASQUERADE

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f -j ACCEPT
iptables -A FORWARD -d 0/0 -s 192.168.1.0/24 -i ! ppp0 -j ACCEPT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE