CMC Systems

Computer Mediated Communications Team Articles

Archive for the ‘ClamAV’ Category

Clamd and Iptables

Tuesday, December 21st, 2010

Running Clam on a separate machine to our Mail Transfer Agent we needed to configure iptables to allow access to clam from those machines. Clamd listens for connections on port 3310 by default but appears to hand off to other ‘passive’ ports for each stream to scan. So allowing access to port 3310 was not enough.
In the /etc/clamd.conf file I uncommented the following lines:

StreamMinPort 30000
StreamMaxPort 32000

To restrict the ports which clamd would use and restarted clam with

/etc/init.d/clamd restart

Checking netstat with:

netstat -lntap | grep clam

I could see that clam was indeed now using ports 30000-32000 rather than the default of 1024-2048
So adding the following line to /etc/sysconfig/iptables allowed the machines in my class B network to make use of the clam service:

-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 3310 –source 111.222.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 30000:32000 –source 111.222.0.0/16 -j ACCEPT

Building an RPM Package (DansGuardian 2.10)

Wednesday, November 24th, 2010

After putting together an RPM for DansGuardian v2.10.1.1 I thought I would make a few notes. The version of DansGuardian in the repositories is currently version 2.8 and the only other repo or rpm I could find was a 32-bit 2.10.  Why DansGuardian 2.10?

  • Content Scanning Support with Clamd or Kapersky
  • Regular Expressions to enforce Google Safe Search (without patching)
  • NTLM support

So I set about generating the rpm for version 2.10.1.1 for 64-bit CentOS. My CentOS version is 5.5. I found this IBM developer works article useful for guidance on creating RPMs. I also did this build with DansGuardian v2.8 already installed via yum so I was able to make use of the existing init.d and logrotate.d scripts.

cd /usr/src/redhat/SOURCES
cp /etc/init.d/dansguardian /usr/src/redhat/SOURCES/dansguardian.init-centos
cp /etc/logrotate.d/dansguardian /usr/src/redhat/SOURCES/dansguardian.logrotate-centos
wget http://dansguardian.org/downloads/2/Stable/dansguardian-2.10.1.1.tar.gz
cd ../SPECS
wget http://ftp.qb.com.au/pub/yum/SPECS/dansguardian-centos-clamav.spec

Edit the above spec file to reflect version 2.10.1.1 removing the %patch0 line and setting –enable-clamav=no \
or use the SPEC file listed below.

yum install clamd clamav-devel pcre-devel

Build the RPM – keep an eye out for errors and install dependencies as needed:

cd ..
rpmbuild -v -bb –clean /usr/src/redhat/SPECS/dansguardian-centos-clamav.spec

After compilation you should have an rpm in /usr/src/redhat/RPMS/x86_64 which you can install after removing the existing 2.8 version of dansguardian:

yum remove dansguardian
rpm -Uvh /usr/src/redhat/RPMS/x86_64/dansguardian-clamav-2.10.1.1-0.1.el5.clamav.0.95.x86_64.rpm

In order to make use of the clamd content scanning in dansguardian it may be necessary to to change the owner and group in /etc/dansguardian/dansguardian.conf to clamav & clamav.

The RPM I created is available here: dansguardian-clamav-2.10.1.1-0.1.el5.clamav.0.95.x86_64.rpm – just in case anyone else can make use of it. I make no warranties.
 
SPEC FILE:

# $Id: dansguardian.spec  2007-04-06 dpv $
# Upstream: Daniel Barron <author$dansguardian,org>

#
# What to change when you build a new version:
# Version – match upstream version
# Release – Usually this would stay the same if the version is changed.
#           It is only things NOT in the .tar.gz file that will cause a release number change.
# Packager – if desired
# Vendor – if desired
# Patch0 – could easily become obsolete if the upstream version has changed
# %files – if files are added or removed, this section needs to be updated accordingly
#

%define real_name DansGuardian

Summary: Content filtering web proxy
Name: dansguardian-clamav
BuildRequires: gcc-c++ zlib-devel pcre-devel
Requires: coreutils squid
License: GPL
Group: System Environment/Daemons
URL: http://www.dansguardian.org/
Version: 2.10.1.1
Release: 0.1.el5.clamav.0.95
Packager: Jonny McCullagh <webmaster@qub.ac.uk>
Vendor: Queens University Belfast

# all of these files must live in /usr/src/redhat/SOURCES
Source: dansguardian-%{version}.tar.gz
Source1: dansguardian.init-centos
Source3: dansguardian.logrotate-centos
#Patch0: dansguardian_gcc43.patch
BuildRoot: %{_tmppath}/dansguardian-%{version}-%{release}-root

%description
DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.

%prep
%setup -q -n dansguardian-%{version}
#%patch0 -p0

%build
%{configure} \
        –enable-clamav=no \
        –enable-clamd=yes \
        –enable-email=yes \
        –enable-icap=yes \
        –enable-kavd=yes \
        –enable-ntlm=yes \
        –enable-pcre=yes \

%{__perl} -pi.orig -e ‘
                s|^(CHKCONFIG) =.*$|$1 = :| ;
                s|^\tchown|#\tchown|;
                s|/usr/lib|%{_libdir}|g;
        ‘ Makefile

%{__make} %{?_smp_mflags}

%install
mkdir -p %{buildroot}/var/log/dansguardian/
#mkdir -p %{buildroot}/var/run
make install DESTDIR=%{buildroot}
%{__install} -D -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/dansguardian
%{__install} -D -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/dansguardian
ln -s /etc/init.d/dansguardian %{buildroot}%{_sbindir}/rcdansguardian

%post
chown -R nobody /var/log/dansguardian
chkconfig –add dansguardian

%preun
if [ $1 -eq 0 ]; then
        /etc/init.d/dansguardian stop &>/dev/null || :

fi

%postun

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-, root, root, 0755)
%doc INSTALL README
%doc /usr/share/doc/dansguardian/*
%doc %{_mandir}/man?/*
%config %{_sysconfdir}/dansguardian/*
%config %{_sysconfdir}/logrotate.d/dansguardian
%dir /etc/dansguardian
%dir /usr/share/dansguardian
/usr/share/dansguardian/*
%{_sbindir}/dansguardian
%{_initrddir}/dansguardian
%{_sbindir}/rcdansguardian
%dir /var/log/dansguardian

%changelog
* Mon Nov 22 2010 Jonny McCullagh <webmaster@qub.ac.uk> – 2.10-1.1
- Update to DG stable release and built for x86_64

* Wed Mar 11 2009 Rick Saul <rpm@qb.com.au> – 2.10-0.3
- Update to DG stable release.

* Wed Sep 17 2008 Paul Gear <rpm@libertysys.com.au>  – 2.9.9.8
- Created CentOS version based on Don Vosburg’s SUSE spec file. See http://dansguardian.org/downloads/2/Beta/SUSE.txt

Enhancing ClamAV with Extra Signatures

Friday, September 24th, 2010

We use ClamAV mainly for scanning incoming email for malware and phishing scams. ClamAV comes with a default database usually stored in /var/clamav or /var/lib/clamav . To get up-to-date malware definitions the following sources can be used:

Freshclam
The Freshclam binary should have been installed when you installed clamd and you should have a script /etc/cron.daily/freshclam which runs daily to update the clam definitions. If not, you could run freshclam or add a cronjob with:

/usr/bin/freshclam –quiet –datadir=”/var/clamav” –daemon-notify=”/etc/clamd.conf”

ClamNailer
The definitions from ScamNailer are aimed at stopping Spear Phishing attacks. There are definitions for SpamAssassin and Clam. Set up a cronjob to retrieve the defintion at http://www.mailscanner.eu/scamnailer.ndb There is a download which includes a Perl script for this purpose and you can run it e.g. every 4 hours as follows:

33 1-23/4 * * * /path/to/ClamNailer-1.01.pl > /var/log/clamav-ClamNailer.log

ClamAV Unoffical Sigs
Download the Update script (and config file) from http://sourceforge.net/projects/unofficial-sigs/
Amend the configuration file /etc/clamav-unofficial-sigs.conf and set the ss_dbs variable to include all the sources you want to use (depending on how aggressive you want to be – we had a few false positives in jurlbla.ndb):

ss_dbs=”
   junk.ndb
   jurlbl.ndb
   INetMsg-SpamDomains-2w.ndb
   phish.ndb
   rogue.hdb
   sanesecurity.ftm
   scam.ndb
   spamimg.hdb
   winnow_malware.hdb
   winnow_malware_links.ndb
   lott.ndb
   spam.ldb
   spear.ndb
   winnow_phish_complete.ndb
“ 

Then on the final line set:

user_configuration_complete=”yes”

Set up a cronjob to run the script:

/usr/local/bin/clamav-unofficial-sigs.sh -c /etc/clamav-unofficial-sigs.conf > /var/log/clamav-unofficial-sigs.log 2>&1

MSRBL
The MSRBL definitions are probably included in your clamav-unoffical-sigs script but can be run seperately if desired.
The MSRBL definitions can be used by running a shell script like the following, periodically as a cronjob:

#!/bin/bash
# Info at http://www.msrbl.com
PATH_TO_CLAM_DB=/var/clamav
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-FULL-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-FULL-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-3M-R-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-3M-R-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images-1M-R-SoN.hdb $PATH_TO_CLAM_DB/MSRBL-Images-1M-R-SoN.hdb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM-CR.ndb $PATH_TO_CLAM_DB/MSRBL-SPAM-CR.ndb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb $PATH_TO_CLAM_DB/MSRBL-SPAM.ndb
/etc/init.d/clamd reload

The following example will run this every 3 hours:

18 1-23/3 * * * /path/to/clam-update-MSRBL.sh > /var/log/clam-update-MSRBL.log

Atomic
Atomic Secured Linux offers some 30-day old signatures freely (up-to-date signatures require a subscription)
Create a script to download the database from:

http://downloads.prometheus-group.com/delayed/clamav/clamav/ASL-h.ndb

An example script might be:

#!/bin/bash
cd /var/clamav
wget http://downloads.prometheus-group.com/delayed/clamav/clamav/ASL-h.ndb
/etc/init.d/clamd reload

Then schedule it as a cron job.

40 7 * * * /root/scripts/getAtomicClamDefinition.sh > /var/log/getAtomicClamDefinition.log

White-list Domain in ClamAV SaneSecurity Database

Friday, June 18th, 2010

The SaneSecurity domain blacklist is held in the file INetMsg-SpamDomains-2w.ndb. In our case this is located in the /var/clamav directory. We can white-list troublesome domains by adding their signature to the local.ign2 file. The signature lines are of the form INetMsg.SpamDomain-2w.bad_domain – you can grep the exact signature from the ndb file. When you add a signature you should reload the clamd databases using the command: clamdscan –reload

You are currently browsing the archives for the ClamAV category.