{"id":132,"date":"2009-05-11T09:24:08","date_gmt":"2009-05-11T07:24:08","guid":{"rendered":"http:\/\/www.shukko.com\/x3\/?p=132"},"modified":"2009-05-11T09:24:08","modified_gmt":"2009-05-11T07:24:08","slug":"howto-proftpd-antivirus-using-clamav","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2009\/05\/11\/howto-proftpd-antivirus-using-clamav\/","title":{"rendered":"HOWTO: ProFTPD Antivirus using CLAMAV"},"content":{"rendered":"
This howto is about making ProFTPD work with CLAMAV to scan all files uploaded by users using a FTP client.
\nRecently our customers are having real difficulty with Iframe viruses, Php shells and other kind of windows viruses are also a headache always.
\nClamAV is already working with exim mail server in our servers for years. Why not make it also scan incoming FTP uploads.This will add more CPU Time to our servers, but preventing users to upload any kind of virus data makes sense.<\/p>\n

How will this work? :
\n-we will add ClamAV support to ProFTPD using mod_clamav<\/a> module.
\n-when a user uploads a file using FTP, ClamAV will scan incoming file after upload finishes.
\n-if any kind of virus like signature found by ClamAV, uploaded file will be deleted from server, notifying the FTP client.<\/p>\n

1- we will need a working ClamAV installation on server before this. I prefer not to tell how to install ClamAV to server this time, because there is already a very handy script called update.script<\/a> which can install ClamAV and tons of other stuff. I take portions of this script to automate my process. Thanks to original update.script creator!<\/p>\n

If ClamAV is already installed and updating itself regularly please skip this step.<\/p>\n

-INSTALL CLAMAV-<\/p>\n

\n
Code:<\/div>\n
mkdir \/usr\/local\/updatescript\r\ncd \/usr\/local\/updatescript\r\nwget http:\/\/tools.web4host.net\/update.script\r\nchmod 755 update.script<\/pre>\n<\/div>\n
Run it once.<\/p>\n
\n
Code:<\/div>\n
.\/update.script<\/pre>\n<\/div>\n
Install Clamav<\/p>\n
\n
Code:<\/div>\n
.\/update.script CLAMAV<\/pre>\n<\/div>\n
Clamav Installation Done!<\/p>\n
2- Update ProFTPD with current version. And patch it using mod_clamav for ClamAV usage.<\/p>\n
\n
Code:<\/div>\n
cd ~\r\nwget http:\/\/www.serverdirekt.com\/DA\/FTPAV\/ftpantivirus\r\nchmod +x ftpantivirus\r\n.\/ftpantivirus<\/pre>\n<\/div>\n
-this script will download ProFTPD, download mod_clamav latest version, patch ProFTPD with mod_clamav, compile and install new ProFTPD package with ClamAV support.<\/p>\n
3- We need to edit our clamav.conf file to allow TCPSocket connections to port 3310<\/p>\n
\n
Code:<\/div>\n
nano \/etc\/clamd.conf<\/pre>\n<\/div>\n
find #TCPSocket 3310 line and comment it out.
\nfind #TCPAddr 127.0.0.1 line and comment it out.
\nFinal file will look like this:<\/p>\n
\n
Code:<\/div>\n
....................\r\n# Path to a local socket file the daemon will listen on.\r\n# Default: disabled (must be specified by a user)\r\nLocalSocket \/tmp\/clamd\r\n\r\n# Remove stale socket after unclean shutdown.\r\n# Default: no\r\nFixStaleSocket yes\r\n\r\n# TCP port address.\r\n# Default: no\r\nTCPSocket 3310\r\n\r\n# TCP address.\r\n# By default we bind to INADDR_ANY, probably not wise.\r\n# Enable the following to provide some degree of protection\r\n# from the outside world.\r\n# Default: no\r\nTCPAddr 127.0.0.1\r\n....................<\/pre>\n<\/div>\n
4- Finally we need to edit proftpd.conf to use our new mod_clamav module.<\/p>\n
\n
Code:<\/div>\n
nano \/etc\/proftpd.conf<\/pre>\n<\/div>\n
inside <Global><\/Global> tags at the end add:<\/p>\n
\n
Code:<\/div>\n
<IfModule mod_clamav.c>\r\n   ClamAV on\r\n   ClamServer localhost\r\n   ClamPort 3310\r\n   ClamMaxSize 5 Mb\r\n<\/IfModule><\/pre>\n<\/div>\n
we do not want to scan files bigger than 5 Mb to save some CPU time.<\/p>\n
5- Restart ClamAv and ProFTPD to test this out!<\/p>\n
\n
Code:<\/div>\n
service clamd restart\r\nservice proftpd restart<\/pre>\n<\/div>\n
6- Finally go to http:\/\/www.eicar.org\/anti_virus_test_file.htm<\/a> to download eicar test virus and upload it to your ftp server with your favorite FTP client.<\/p>\n
If you see something like that on your FTP client logs, well done!<\/p>\n
\n
Code:<\/div>\n
Command:\tSTOR eicar_com.zip\r\nResponse:\t150 Opening BINARY mode data connection for eicar_com.zip\r\nResponse:\t550 Virus Detected and Removed: Eicar-Test-Signature\r\nStatus:\tRetrieving directory listing...<\/pre>\n<\/div>\n
7- IF something goes wrong and your ClamAV enabled ftp server is not scanning files as it should.<\/p>\n
first check ProFTPD if mod_clamav is activated<\/p>\n
\n
Code:<\/div>\n
proftpd -vv<\/pre>\n<\/div>\n
If you see mod_clamav.c under Loaded modules:
\nyou have mod_clamav ready.<\/p>\n
For further investigation we can run our ProFTPD server in debug mode to see what’s going on:<\/p>\n
\n
Code:<\/div>\n
service proftpd stop\r\nproftpd -n -d 10<\/pre>\n<\/div>\n
Try to login and upload eicar test virus to your FTP now, you will see what’s going on under the hood in good detail…<\/p>\n
FINAL NOTE: I tested this only on Centos 5.x i386 and X86_64 servers. So there is no guarantee that it will work on any other O\/S.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
This howto is about making ProFTPD work with CLAMAV to scan all files uploaded by users using a FTP client. Recently our customers are having real difficulty with Iframe viruses, Php shells and other kind of windows viruses are also a headache always. ClamAV is already working with exim mail server in our servers for […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-kategerisiz"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":1,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":133,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/132\/revisions\/133"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}