Recently our customers are having real difficulty with Iframe viruses, Php shells and other kind of windows viruses are also a headache always.
ClamAV is already working with exim mail server in our servers for years. Why not make it also scan incoming FTP uploads.This will add more CPU Time to our servers, but preventing users to upload any kind of virus data makes sense.
How will this work? :
-we will add ClamAV support to ProFTPD using mod_clamav module.
-when a user uploads a file using FTP, ClamAV will scan incoming file after upload finishes.
-if any kind of virus like signature found by ClamAV, uploaded file will be deleted from server, notifying the FTP client.
1- we will need a working ClamAV installation on server before this. I prefer not to tell how to install ClamAV to server this time, because there is already a very handy script called update.script which can install ClamAV and tons of other stuff. I take portions of this script to automate my process. Thanks to original update.script creator!
If ClamAV is already installed and updating itself regularly please skip this step.
-INSTALL CLAMAV-
mkdir /usr/local/updatescript cd /usr/local/updatescript wget http://tools.web4host.net/update.script chmod 755 update.script
Run it once.
./update.script
Install Clamav
./update.script CLAMAV
Clamav Installation Done!
2- Update ProFTPD with current version. And patch it using mod_clamav for ClamAV usage.
cd ~ wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus chmod +x ftpantivirus ./ftpantivirus
-this script will download ProFTPD, download mod_clamav latest version, patch ProFTPD with mod_clamav, compile and install new ProFTPD package with ClamAV support.
3- We need to edit our clamav.conf file to allow TCPSocket connections to port 3310
nano /etc/clamd.conf
find #TCPSocket 3310 line and comment it out.
find #TCPAddr 127.0.0.1 line and comment it out.
Final file will look like this:
.................... # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) LocalSocket /tmp/clamd # Remove stale socket after unclean shutdown. # Default: no FixStaleSocket yes # TCP port address. # Default: no TCPSocket 3310 # TCP address. # By default we bind to INADDR_ANY, probably not wise. # Enable the following to provide some degree of protection # from the outside world. # Default: no TCPAddr 127.0.0.1 ....................
4- Finally we need to edit proftpd.conf to use our new mod_clamav module.
nano /etc/proftpd.conf
inside <Global></Global> tags at the end add:
<IfModule mod_clamav.c> ClamAV on ClamServer localhost ClamPort 3310 ClamMaxSize 5 Mb </IfModule>
we do not want to scan files bigger than 5 Mb to save some CPU time.
5- Restart ClamAv and ProFTPD to test this out!
service clamd restart service proftpd restart
6- Finally go to http://www.eicar.org/anti_virus_test_file.htm to download eicar test virus and upload it to your ftp server with your favorite FTP client.
If you see something like that on your FTP client logs, well done!
Command: STOR eicar_com.zip Response: 150 Opening BINARY mode data connection for eicar_com.zip Response: 550 Virus Detected and Removed: Eicar-Test-Signature Status: Retrieving directory listing...
7- IF something goes wrong and your ClamAV enabled ftp server is not scanning files as it should.
first check ProFTPD if mod_clamav is activated
proftpd -vv
If you see mod_clamav.c under Loaded modules:
you have mod_clamav ready.
For further investigation we can run our ProFTPD server in debug mode to see what’s going on:
service proftpd stop proftpd -n -d 10
Try to login and upload eicar test virus to your FTP now, you will see what’s going on under the hood in good detail…
FINAL NOTE: I tested this only on Centos 5.x i386 and X86_64 servers. So there is no guarantee that it will work on any other O/S.