
[HowTo] Integrate ClamAV (Through mod_clamav) Into ProFTPd For Virus Scanning On Ubuntu

Posted: Mon Sep 10, 2018 3:45 pm
by xorro
You should have a working ProFTPd setup on your Ubuntu server.

Because we will run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

Code:

sudo su
Installing ClamAV (ClamAV comes pre-installed with VestaCP; the steps below are only needed if you have removed ClamAV from your server.)

ClamAV can be installed as follows:

Code:

aptitude install clamav clamav-daemon libclamav-dev
Now we must reconfigure ClamAV so that clamd listens on a TCP socket instead of a local Unix socket. Unix socket connections should be avoided when ProFTPd's chroot feature (DefaultRoot ~) is in use: once a session has been chrooted into the user's home directory, the socket file under /var/run is no longer reachable, so mod_clamav cannot connect to clamd at all. A TCP socket bound to 127.0.0.1 stays reachable from inside the chroot and is still not exposed to the network. One related caveat: mod_clamav asks clamd to scan the uploaded file by path, so the account clamd runs as (clamav on Ubuntu) must be able to read files in your users' upload directories. If it cannot, clamd answers with an error instead of a verdict and nothing has actually been scanned; check /var/log/clamav/clamav.log and the ProFTPd log if uploads are never flagged.

Run

Code:

dpkg-reconfigure clamav-base
... and answer these questions as follows (accept the default values for all other questions):

Code:

Socket type: <-- TCP
TCP port clamd will listen on: <-- 3310
IP address clamd will listen on: <-- 127.0.0.1
Then restart Clamd and freshclam:

Code:

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
Now run

Code:

netstat -tap | grep clamd
... and you should see that Clamd is listening on localhost through TCP:

Code:

root@server1:~# netstat -tap | grep clamd
tcp        0      0 localhost.localdom:3310 *:*                     LISTEN      7911/clamd
root@server1:~#
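A listening socket only proves that clamd started; before rebuilding ProFTPd it is worth confirming that clamd actually answers and scans over that TCP socket, independently of mod_clamav. The following Python script is an added example for this how-to (it is not part of the original post, of ProFTPd or of mod_clamav): it speaks clamd's plain-text protocol directly, sends PING and VERSION, then streams the EICAR test string with INSTREAM and parses the verdict. The host and port are assumed to be the 127.0.0.1:3310 chosen with dpkg-reconfigure above.

```python
#!/usr/bin/env python3
"""Check that clamd really scans over TCP (added example for this how-to).

Speaks clamd's plain-text protocol directly: PING, VERSION, and an
INSTREAM scan of the EICAR test string. Host and port are assumed to be
the 127.0.0.1:3310 chosen with dpkg-reconfigure clamav-base above.
"""
import socket
import struct

CLAMD_HOST = "127.0.0.1"   # assumption: address configured above
CLAMD_PORT = 3310          # assumption: port configured above

# Standard 68-byte EICAR test string; every scanner must flag it.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def instream_frames(data, chunk_size=2048):
    """Split data into INSTREAM frames: a 4-byte big-endian length followed
    by the bytes, terminated by a zero-length frame."""
    frames = [struct.pack(">I", len(data[i:i + chunk_size])) + data[i:i + chunk_size]
              for i in range(0, len(data), chunk_size)]
    frames.append(struct.pack(">I", 0))
    return frames


def parse_scan_reply(reply):
    """Map 'stream: <sig> FOUND' / 'stream: OK' / '... ERROR' to
    (verdict, detail) with verdict in {FOUND, OK, ERROR}."""
    line = reply.decode("utf-8", "replace").rstrip("\x00").strip()
    _, _, result = line.partition(": ")
    if result.endswith(" FOUND"):
        return "FOUND", result[: -len(" FOUND")]
    if result == "OK":
        return "OK", ""
    return "ERROR", result or line


def read_reply(sock):
    """Read one NUL-terminated reply ('z' commands get NUL-terminated answers)."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def clamd_command(host, port, command):
    """Run one simple command (PING, VERSION) on a fresh connection; clamd
    closes the connection after each command unless IDSESSION is used."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(b"z" + command + b"\0")
        return read_reply(s).rstrip(b"\0").decode("utf-8", "replace")


def scan_bytes(host, port, data):
    """Scan data with INSTREAM and return (verdict, detail)."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(b"zINSTREAM\0")
        for frame in instream_frames(data):
            s.sendall(frame)
        return parse_scan_reply(read_reply(s))


if __name__ == "__main__":
    print("PING    ->", clamd_command(CLAMD_HOST, CLAMD_PORT, b"PING"))
    print("VERSION ->", clamd_command(CLAMD_HOST, CLAMD_PORT, b"VERSION"))
    print("EICAR   ->", scan_bytes(CLAMD_HOST, CLAMD_PORT, EICAR))
    print("clean   ->", scan_bytes(CLAMD_HOST, CLAMD_PORT, b"nothing to see here\n"))
```

Expect PONG, a version string, a FOUND verdict for EICAR (the signature name differs between ClamAV releases, so the script does not hard-code it) and OK for the clean buffer. If PING works but the scan returns ERROR, look at clamd's own limits and log before touching ProFTPd.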
Rebuilding ProFTPd

Unfortunately mod_clamav isn't part of ProFTPd by default, and there's no Ubuntu package for mod_clamav, so we have to rebuild ProFTPd with mod_clamav. I will use the Ubuntu source package of ProFTPd and build new ProFTPd .deb packages with mod_clamav support.

First we install all packages that are needed to rebuild ProFTPd:

Code:

aptitude build-dep proftpd-dfsg
We also need the following packages:

Code:

aptitude install libpam-dev dpkg-dev libmysqlclient-dev debhelper libpq-dev libldap2-dev libwrap0-dev libcap2-dev autotools-dev libncurses5-dev dpatch libacl1-dev libattr1-dev unixodbc-dev libsqlite3-dev
Now we download the ProFTPd source package to /usr/src (this and the build-dep step above need a matching deb-src line enabled in /etc/apt/sources.list):

Code:

cd /usr/src
apt-get source proftpd-dfsg
Next we download mod_clamav to /usr/src and unpack it. The original instructions passed --no-check-certificate to wget because the download site used a certificate wget would not accept; that switch disables TLS verification entirely, so you would be compiling code fetched over an unauthenticated connection into a daemon that runs as root. Fetch it without that switch and, if certificate validation fails, do not bypass it: obtain the archive and its checksum (sha256sum mod_clamav-0.11rc.tar.gz) through a channel you trust and compare them before unpacking:

Code:

wget https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-0.11rc.tar.gz
tar xzvf mod_clamav-0.11rc.tar.gz
Then we copy the mod_clamav-0.11rc/mod_clamav.* files to the proftpd-dfsg-1.3.2c/contrib directory (1.3.2c is the version apt-get source fetched on this system; use whatever directory it unpacked for you)...

Code:

cp mod_clamav-0.11rc/mod_clamav.* proftpd-dfsg-1.3.2c/contrib
... and patch the ProFTPd sources:

Code:

cd proftpd-dfsg-1.3.2c
patch -p1 < ../mod_clamav-0.11rc/proftpd.patch
Next we must edit debian/rules:

Code:

vi debian/rules
Search for the CONF_ARGS section. It already contains --with-modules=mod_readme; add mod_clamav to that list, separated by a colon, rather than adding a second --with-modules flag. ProFTPd's configure takes one colon-separated list of modules, and if the flag is given twice only the last one is used, so mod_readme would silently be dropped from the build:

Code:

[...]
CONF_ARGS := --prefix=/usr \
             --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \
             --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \
             --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme:mod_clamav \
             --enable-ipv6 --enable-nls
[...]
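Because this edit is easy to get wrong by hand (a second --with-modules flag replaces the first instead of extending it), here is a small Python helper that makes the change mechanically. It is an added example for this how-to and not part of the ProFTPd or mod_clamav sources: it collects every --with-modules list already in the file, merges them into one colon-separated list with the new module appended, writes that list back in place of the first flag and removes any later duplicates, and only adds a fresh flag when none exists. The embedded SAMPLE_RULES is the CONF_ARGS block shown above, before any edit; the file path and module name on the command line are assumptions.

```python
#!/usr/bin/env python3
"""Merge a module into the --with-modules list of debian/rules.

Added example for this how-to, not part of ProFTPd or mod_clamav. It
encodes the pitfall from the step above: configure accepts one
colon-separated --with-modules list, and a second occurrence of the flag
replaces the first instead of adding to it.
"""
import re
import sys

# The CONF_ARGS block as shipped in the Ubuntu proftpd-dfsg source
# (copied from the how-to above), before any edit.
SAMPLE_RULES = """\
CONF_ARGS := --prefix=/usr \\
             --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \\
             --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \\
             --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \\
             --enable-ipv6 --enable-nls
"""

# Leading blanks are captured so the first flag keeps its place on the line.
WITH_MODULES = re.compile(r"([ \t]*)--with-modules=([A-Za-z0-9_:]+)")


def add_module(rules_text, module):
    """Return rules_text with `module` present in a single --with-modules list.

    All existing lists are merged (order kept, duplicates dropped) and
    written back in place of the first flag; later occurrences are removed.
    If there is no flag at all, one is appended to the first argument of
    the CONF_ARGS assignment. Calling it twice is a no-op.
    """
    modules = []
    for match in WITH_MODULES.finditer(rules_text):
        for name in match.group(2).split(":"):
            if name and name not in modules:
                modules.append(name)
    if module not in modules:
        modules.append(module)
    merged = "--with-modules=" + ":".join(modules)

    if WITH_MODULES.search(rules_text):
        first = True

        def replace(match):
            nonlocal first
            if not first:
                return ""                      # drop any later duplicate flag
            first = False
            return match.group(1) + merged     # merged list where the first flag was
        return WITH_MODULES.sub(replace, rules_text)

    # No flag at all: add one right after the first CONF_ARGS argument.
    new_text, count = re.subn(r"^(CONF_ARGS\s*:=\s*\S+)", r"\1 " + merged,
                              rules_text, count=1, flags=re.MULTILINE)
    if count == 0:
        raise ValueError("no CONF_ARGS assignment found in debian/rules")
    return new_text


if __name__ == "__main__":
    # usage: add_module.py [debian/rules] [module]; both defaults are assumptions
    path = sys.argv[1] if len(sys.argv) > 1 else "debian/rules"
    module = sys.argv[2] if len(sys.argv) > 2 else "mod_clamav"
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(add_module(text, module))
    print(f"{path}: ensured {module} is in --with-modules")
```

Run it from inside the unpacked proftpd-dfsg source directory, then check the result with grep -- --with-modules debian/rules; there should be exactly one match containing mod_readme:mod_clamav.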
Now we can rebuild ProFTPd. Passing -us -uc skips signing the source and changes files (there is no signing key on a server anyway) and -b builds only the binary packages:

Code:

dpkg-buildpackage -us -uc -b
Now we go one directory up, that's where the new .deb packages have been created:

Code:

cd ..
The command

Code:

ls -l
shows you the available packages:

Code:

root@server1:/usr/src# ls -l
total 7500
drwxr-xr-x 24 root root    4096 2018-04-29 14:00 linux-headers-2.6.32-21
drwxr-xr-x  7 root root    4096 2018-04-29 14:00 linux-headers-2.6.32-21-server
drwxr-xr-x  2  501  501    4096 2018-04-20 10:22 mod_clamav-0.11rc
-rw-r--r--  1 root src     5115 2018-04-04 17:21 mod_clamav-0.11rc.tar.gz
-rw-r--r--  1 root src   930578 2018-04-04 17:38 proftpd-basic_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   630168 2018-04-04 17:38 proftpd-dev_1.3.2c-1_amd64.deb
drwxr-xr-x 14 root root    4096 2018-04-04 17:37 proftpd-dfsg-1.3.2c
-rw-r--r--  1 root src     4522 2018-04-04 17:38 proftpd-dfsg_1.3.2c-1_amd64.changes
-rw-r--r--  1 root src    98674 2018-04-04 17:30 proftpd-dfsg_1.3.2c-1.diff.gz
-rw-r--r--  1 root src     1138 2018-04-04 17:30 proftpd-dfsg_1.3.2c-1.dsc
-rw-r--r--  1 root src  3018899 2018-04-22 07:05 proftpd-dfsg_1.3.2c.orig.tar.gz
-rw-r--r--  1 root src  1408070 2018-04-04 17:38 proftpd-doc_1.3.2c-1_all.deb
-rw-r--r--  1 root src   315326 2018-04-04 17:38 proftpd-mod-ldap_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   305076 2018-04-04 17:38 proftpd-mod-mysql_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   306848 2018-04-04 17:38 proftpd-mod-odbc_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   304762 2018-04-04 17:38 proftpd-mod-pgsql_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   304634 2018-04-04 17:38 proftpd-mod-sqlite_1.3.2c-1_amd64.deb
root@server1:/usr/src#
We can install the new ProFTPd .deb packages as follows (proftpd-basic is the package that contains the rebuilt daemon with mod_clamav; the proftpd-mod-* packages are only needed for the backends you actually use):

Code:

dpkg -i proftpd*.deb

The rebuilt packages carry the same version number as the stock Ubuntu ones, so a later apt upgrade would silently replace them with a ProFTPd that has no mod_clamav. Put them on hold after installing (apt-mark hold proftpd-basic) and remember to repeat this rebuild whenever a security update for ProFTPd is published, otherwise you are trading the scanner for an unpatched FTP daemon.
Configuring ProFTPd

Now we must configure ProFTPd to use mod_clamav whenever a file is uploaded. Open /etc/proftpd/proftpd.conf...

Code:

vi /etc/proftpd/proftpd.conf
... and add the stanza

Code:

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer 127.0.0.1
   ClamPort 3310
</IfModule>

somewhere, e.g. below the

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
section:

Code:

[...]
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer 127.0.0.1
   ClamPort 3310
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf
[...]
What clamd inspects is bounded by its own limits in /etc/clamav/clamd.conf (MaxFileSize, MaxScanSize); uploads beyond those limits are not fully scanned, so set them to cover the sizes your users actually upload. Then restart ProFTPd:

Code:

/etc/init.d/proftpd restart
Now check if mod_clamav is loaded by running:

Code:

proftpd -vv
mod_clamav should be listed in the output:

Code:

root@server1:~# proftpd -vv
ProFTPD Version: 1.3.2c (maint)
  Scoreboard Version: 01040002
  Built: Mon Oct 4 17:34:10 CEST 2018

Loaded modules:
  mod_ifsession/1.0
  mod_dynmasq/0.2.1
  mod_wrap2_file/1.2
  mod_wrap2/2.0.6
  mod_ban/0.5.3
  mod_load/1.0.1
  mod_rewrite/0.7
  mod_wrap.c
  mod_quotatab_radius.c
  mod_quotatab_file.c
  mod_quotatab/1.3.0
  mod_radius/0.9
  mod_tls/2.2.2
  mod_ctrls_admin/0.9.5
  mod_lang/0.9
  mod_ctrls/0.9.4
  mod_cap/1.0
  mod_clamav.c
  mod_auth_pam/1.1
  mod_ident/1.0
  mod_dso/0.4
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c
root@server1:~#
That's it! Now whenever someone uploads a file through ProFTPd that ClamAV recognizes as malware, the file is deleted from the server. You can test that by downloading the EICAR test file from http://www.eicar.org/anti_virus_test_file.htm and uploading it to your ProFTPd server; if all goes well, the file is deleted. Keep in mind that this catches only what the signature database knows about, so keep freshclam running and updating.
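The manual EICAR upload above can be scripted so the check is repeatable after every ProFTPd rebuild. The following Python script is an added example for this how-to (not part of the original post, of ProFTPd or of mod_clamav): it uploads the EICAR test string and a harmless control file with ftplib and reports, for each, whether the server threw the file away. It treats both ways an infected upload can fail as a rejection: the server refusing the transfer with an error or dropping the connection, and the server acknowledging the transfer but the file being absent from the listing afterwards. Host, user and password are placeholders; it uses plain FTP like the how-to (switch to ftplib.FTP_TLS if your server requires mod_tls).

```python
#!/usr/bin/env python3
"""End-to-end check of mod_clamav: upload EICAR and a clean file over FTP.

Added example for this how-to, not part of ProFTPd or mod_clamav. Host,
user and password are placeholders; plain FTP is used like the how-to
(use ftplib.FTP_TLS if your server enforces mod_tls).
"""
import ftplib
import io

FTP_HOST = "ftp.example.com"   # assumption: your ProFTPd server
FTP_USER = "testuser"          # assumption
FTP_PASS = "secret"            # assumption

# Standard 68-byte EICAR test string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Exceptions that mean the server threw the transfer away.
REJECTED = (ftplib.Error, EOFError)
PermError = ftplib.error_perm   # 5xx reply; exposed for callers and tests


def upload_and_verify(ftp, remote_name, payload):
    """STOR payload as remote_name and report whether the server kept it.

    Returns (rejected, reply). rejected is True if the server refused the
    transfer (error reply or dropped connection) or if the file is missing
    from the directory listing afterwards, which is what mod_clamav does
    with an infected upload; False means the file is still on the server.
    """
    try:
        reply = ftp.storbinary("STOR " + remote_name, io.BytesIO(payload))
    except REJECTED as exc:
        return True, str(exc)            # refused outright
    # Accepted on the wire; mod_clamav may still have deleted it afterwards.
    return remote_name not in ftp.nlst(), reply


if __name__ == "__main__":
    with ftplib.FTP(FTP_HOST, timeout=30) as ftp:
        ftp.login(FTP_USER, FTP_PASS)
        # If the server closes the connection on the EICAR upload, the
        # control upload below will fail too; that is still a pass.
        rejected, reply = upload_and_verify(ftp, "eicar.com", EICAR)
        print("EICAR upload rejected:", rejected, "|", reply)
        gone, reply = upload_and_verify(ftp, "clean.txt", b"harmless text\n")
        print("clean upload kept:", not gone, "|", reply)
        if not gone:
            ftp.delete("clean.txt")      # tidy up the control file
```

A correct setup prints rejected: True for EICAR and kept: True for the control file; a clean file that also disappears means clamd is returning errors rather than verdicts (see the permission caveat in the ClamAV section above).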