Friday, July 8, 2016

How to integrate ClamAV into PureFTPd for virus scanning on CentOS 7

https://www.howtoforge.com/tutorial/how-to-integrate-clamav-into-pureftpd-for-virus-scanning-on-centos-7

This tutorial explains how you can integrate ClamAV into PureFTPd for virus scanning on a CentOS 7 system. In the end, whenever a file gets uploaded through PureFTPd, ClamAV will check the file and delete it if it contains a virus or malware.

1 Preliminary Note

You should have a working PureFTPd setup on your CentOS 7 server, e.g. as shown in this tutorial: Virtual Hosting with PureFTPd and MySQL (Incl. Quota and Bandwidth Management) on CentOS 7.

2 Installing ClamAV

ClamAV is not available in the official CentOS repositories, so we enable the EPEL repository (if you haven't done so already). Start by importing the RPM GPG keys:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Then we enable the EPEL repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 7 repository:
yum -y install epel-release
yum -y install yum-priorities
Edit /etc/yum.repos.d/epel.repo...
nano /etc/yum.repos.d/epel.repo
... and add the line priority=10 to the [epel] section:
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[...]
Then we update our existing packages on the system:
yum update
Afterward, we can install ClamAV as follows:
yum -y install clamav clamav-server clamav-data clamav-update clamav-filesystem clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Edit the file /etc/freshclam.conf and comment out the Example line:
nano /etc/freshclam.conf
by adding a # in front of the Example line:
.....
# Comment or remove the line below.
# Example

....
Then edit the file /etc/clamd.d/scan.conf:
nano /etc/clamd.d/scan.conf
and comment out the Example line as in the file above, then remove the # in front of the LocalSocket line so that clamd listens on the Unix socket that clamdscan will connect to later:
.....
# Comment or remove the line below.
# Example

....
LocalSocket /var/run/clamd.scan/clamd.sock
....
Next we enable the clamd scan instance so that it starts at boot, fetch the initial signature database with freshclam (clamd will not start without a database), and then start the daemon. Note that the instance name clamd@scan has to be used here; the bare template name clamd@.service can be neither enabled nor started:
systemctl enable clamd@scan
freshclam
systemctl start clamd@scan
You can check the status of the ClamAV daemon with this command:
systemctl status clamd@scan
The result should be like this (once the instance has been enabled as above, the Loaded line reads enabled instead of disabled):
[root@server1 system]# systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-04-07 15:44:28 CEST; 1min 48s ago
 Main PID: 10945 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─10945 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
Apr 07 15:44:36 server1.example.com clamd[10945]: HTML support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: XMLDOCS support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: HWP3 support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: Self checking every 600 seconds.
Apr 07 15:44:36 server1.example.com clamd[10945]: PDF support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: SWF support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: HTML support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: XMLDOCS support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: HWP3 support enabled.
Apr 07 15:44:36 server1.example.com clamd[10945]: Self checking every 600 seconds.

3 Configuring PureFTPd

First we open /etc/pure-ftpd/pure-ftpd.conf and set CallUploadScript to yes:
nano /etc/pure-ftpd/pure-ftpd.conf
[...]
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.

CallUploadScript yes
[...]
Next we create the file /etc/pure-ftpd/clamav_check.sh, which will call /usr/bin/clamdscan whenever a file is uploaded through PureFTPd. The -c option points clamdscan at the clamd configuration so it finds the LocalSocket we enabled above, --fdpass hands clamd an open file descriptor so the unprivileged clamd user can read files owned by the FTP users, and --remove deletes the file if a signature matches:
nano /etc/pure-ftpd/clamav_check.sh
#!/bin/sh
# $1 is the full path of the uploaded file, passed in by pure-uploadscript.
/usr/bin/clamdscan --fdpass --remove --quiet --no-summary -c /etc/clamd.d/scan.conf "$1"
... and make it executable:
chmod 755 /etc/pure-ftpd/clamav_check.sh
Now we start the pure-uploadscript program as a daemon - it will call our /etc/pure-ftpd/clamav_check.sh script whenever a file is uploaded through PureFTPd:
pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
Of course, you don't want to start the daemon manually each time you boot the system - therefore we open /etc/rc.local...
nano /etc/rc.local
... and add the line /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh to it - e.g. as follows:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
touch /var/lock/subsys/local
On CentOS 7 the file is only run at boot if it is executable (/etc/rc.local is a symlink to /etc/rc.d/rc.local), so make sure that it is:
chmod +x /etc/rc.d/rc.local
Finally we restart PureFTPd so that it picks up the CallUploadScript setting:
systemctl restart pure-ftpd
That's it! Whenever someone uploads malware through PureFTPd, the "bad" file is deleted as soon as clamdscan has scanned it. Keep two things in mind: the scan only runs after the transfer has completed, so the client sees a successful upload and the file exists in the upload directory until clamdscan removes it, and the script above logs nothing, so neither the uploader nor you get any record of the removal unless you add one. To verify the setup, upload the EICAR test file (available from eicar.org) and check that it disappears from the upload directory.
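As an added example (not part of the original tutorial and not code from the PureFTPd or ClamAV projects), here is a more defensive drop-in for /etc/pure-ftpd/clamav_check.sh. It keeps the same clamdscan invocation but inspects the exit status instead of relying on --remove: infected files are deleted and logged to syslog together with the uploading user, and when clamd cannot scan the file at all (exit status 2: daemon down, socket permissions, unreadable file) the file is moved out of the FTP tree into a quarantine directory instead of being left in place unscanned. The quarantine path /var/lib/pure-ftpd/quarantine and the syslog tag pure-ftpd-av are assumptions of this example; UPLOAD_USER and UPLOAD_VHOST are environment variables that pure-uploadscript sets for the script.

```shell
#!/bin/sh
# Added example: fail-closed, logging replacement for /etc/pure-ftpd/clamav_check.sh.
# pure-uploadscript runs it as  clamav_check.sh /full/path/of/upload  and exports
# UPLOAD_USER, UPLOAD_VHOST, UPLOAD_SIZE, ... in the environment.
# The quarantine directory is an assumption of this example; keep it root-only (0700)
# and outside anything served by FTP or a web server.

CLAMD_CONF=${CLAMD_CONF:-/etc/clamd.d/scan.conf}
QUARANTINE=${QUARANTINE:-/var/lib/pure-ftpd/quarantine}

# log MESSAGE: to syslog via logger (assumed tag pure-ftpd-av), or stderr if that fails.
log() {
    logger -t pure-ftpd-av -p auth.warning "$1" 2>/dev/null || echo "pure-ftpd-av: $1" >&2
}

# run_scanner FILE: the only place clamdscan is invoked; returns clamdscan's exit status.
run_scanner() {
    /usr/bin/clamdscan --fdpass --quiet --no-summary -c "$CLAMD_CONF" "$1" >/dev/null 2>&1
}

# scan_file FILE: print one word. clamdscan exits 0 = clean, 1 = infected, 2 = error.
scan_file() {
    if run_scanner "$1"; then
        status=0
    else
        status=$?
    fi
    case $status in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# handle_upload FILE: apply the policy and print the verdict.
# infected -> delete and log; error -> move out of the FTP tree (fail closed) rather than
# leave an unscanned file where other FTP users or a web server could pick it up.
handle_upload() {
    file=$1
    user=${UPLOAD_USER:-unknown}
    verdict=$(scan_file "$file")
    case $verdict in
        clean)
            ;;
        infected)
            rm -f -- "$file"
            log "removed infected upload user=$user vhost=${UPLOAD_VHOST:-} file=$file"
            ;;
        *)
            mkdir -p -m 700 "$QUARANTINE"
            if mv -f -- "$file" "$QUARANTINE/$(date +%s).$$.${file##*/}"; then
                log "quarantined unscanned upload user=$user file=$file (scanner error)"
            else
                log "scanner error and quarantine failed user=$user file=$file"
            fi
            ;;
    esac
    echo "$verdict"
}

# When pure-uploadscript executes the script the upload path is $1;
# nothing runs when the file is merely sourced.
if [ -n "${1:-}" ]; then
    handle_upload "$1" >/dev/null
fi
```

Install it in place of the original script with the same chmod 755 and the same pure-uploadscript command. Because pure-uploadscript is started from rc.local as root, the rm and mv succeed on files owned by any virtual FTP user; the quarantined copies can then be inspected with clamscan once clamd is back, and the syslog lines give you the per-user record the original --remove setup lacks.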

4 Virtual Machine image

This tutorial is available as ready to use virtual machine in OVA / OVF format for Howtoforge subscribers. The VM format is compatible with VMWare and Virtualbox and other tools that can import this format. You can find the download link in the right menu on the top. Click on the filename to start the download.
The login details of the VM are:

SSH Login

Username: root
Password: howtoforge

MariaDB Login

Username: root
Password: howtoforge
Please change the passwords after the first boot.
