Monday, May 24, 2010

CENTOS LINUX - Squid PROXY + ClamAV ANTIVIRUS - REAL-TIME PROTECTION



GOAL : A first layer of protection for users browsing the Internet

TESTS :
SUCCESSFULLY CARRIED OUT IN A PRODUCTION ENVIRONMENT WITH 60 USERS ON THE FOLLOWING PLATFORMS :


1. Pentium 2 - 433 MHz, 6 GB HDD, 384 MB RAM
2. Pentium 4 - 2.66 GHz, 60 GB HDD, 1 GB RAM
3. VirtualBox :
    Virtual host : Dell PowerEdge 2900
    3.1. Virtual disk ~ 6 GB
    3.2. Virtual processors ~ 1 to 4 CPUs
    3.3. Virtual memory ~ 512 MB


BENEFITS OF THE IMPLEMENTATION :

1. Zero licensing costs,
2. A first layer of protection while browsing,
3. The solution runs on any hardware platform, so even older machines can be put to use, and joining them in a Heartbeat cluster adds further reliability.
4. ClamAV signature updates every ten minutes provide solid protection.


INTRODUCTORY NOTES :

The configurations below run on CentOS Linux 5.5 with the latest versions of ClamAV, the SquidClamav redirector and the Squid proxy, on the VirtualBox platform described under item 3 of the tests above.

The configurations are given in full so that they can be copied straight into the configuration files with only minor changes (e-mail addresses, whitelisted sites, etc.).


PART I

______________________________

  1. yum install curl-devel
  2. yum install gcc

  3. yum install nano
  4. yum install squid


  5. Install the DAG repository (the key is fetched over plain HTTP, so compare its fingerprint with the one the repository publishes before importing it):
    wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

  6. rpm --import RPM-GPG-KEY.dag.txt
  7. rm -f RPM-GPG-KEY.dag.txt
  8. nano /etc/yum.repos.d/dag.repo
  9. enter :

    [dag]
    name=Dag RPM Repository for Red Hat Enterprise Linux
    baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
    gpgcheck=1
    enabled=0

  10. yum --enablerepo=dag -y install clamd




PART II
______________________________

  1. Install the current squidclamav from :
  2. http://sourceforge.net/projects/squidclamav
  3. Save it to the Desktop and unpack it :
  4. chmod -R 777 squidclamav-5.3   (world-writable permissions are not needed for the build; the unpacked tree only has to be readable and writable by the user who runs it)
  5. cd Desktop/squidclamav-5.3
  6. ./configure
  7. make
  8. make install
  9. cp squidclamav.conf.dist /etc/squidclamav.conf

  10. touch /var/log/squidclamav.log
  11. chmod 644 /var/log/squidclamav.log
  12. chown squid:squid /var/log/squidclamav.log

  13. nano /etc/squidclamav.conf

    # squidclamav.conf.dist
    #
    # Lines have the form:
    #
    #     regex pattern
    #
    #     abort pattern
    #
    #    content pattern
    #
    #    abortcontent pattern
    #
    #    redirect cgi_redirect_url
    #
    #       logfile /path/to/log_file
    #
    #       proxy none
    #
    #       squid_ip 127.0.0.1
    #
    #       squid_port 3128
    #
    #       debug 0|1
    #
    #       timeout seconds
    #
    #       clamd_ip 127.0.0.1
    #
    #       clamd_port 3310
    #
    #       clamd_local /tmp/clamd
    #
    #    stat 0|1
    #
    #    maxredir 10
    #
    #    squidguard /usr/local/squidGuard/bin/squidGuard
    #
    #    whitelist this.trustdomain.com
    #    whitelist .*\.domain\.com
    #
    #    useragent String_to_modify_curl_user_agent
    #
    #    trust_cache 0|1
    #
    #    maxsize    2000000
    #
    # Note that the ordering of regex|abort|content|abortcontent|whitelist lines
    # in this file is critical. Some patterns cannot be reached if a previous
    # pattern matches.
    #
    #
    # Examples of valid lines:
    #


    #proxy http://127.0.0.1:8080/

    squid_ip 127.0.0.1
    squid_port 3128

    #logfile /var/log/squid/squidclamav.log

    logfile /var/log/squidclamav.log

    #maxsize 2000000


    redirect http://www.google.com/

    #squidguard /usr/bin/squidGuard


    debug 0
    force 1
    stat 0

    #stat 1
    #maxredir 10
    maxredir 10

    #clamd_local /tmp/clamd

    clamd_local /var/run/clamav/clamd.sock

    clamd_ip 127.0.0.1
    clamd_port 3310
    timeout 30

    #useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

    #trust_cache 0
    #trust_cache 1


    #abort ^.*\.js$
    #abort ^.*\.html$
    #abort ^.*\.jsp$
    #abort ^.*\.jsp\?.*$
    #abort ^.*servlet.*$
    #abort ^.*\.ico$

    #abortcontent ^.*application\/x-mms-framed.*$
    #abortcontent ^.*application\/x-javascript.*$
    #abortcontent ^video\/x-flv$
    #whitelist www.eicar.org

    whitelist .*\.auto-partner.net
    whitelist .*\.cpn.vwg
    whitelist .*\.autokomerc.rs
    whitelist .*\.nbs.rs

    # I added these
    #abort ^.*\.pdf$
    #abort ^.*\.css$
    #abort ^.*\.xml$
    #abort ^.*\.xsl$
    #abort ^.*\.swf$

    # Do not scan standard HTTP images
    abort ^.*\.(ico|gif|png|jpg|jpeg|bmp|tga|tif|tiff)$
    abortcontent ^image\/.*$

    # Do not scan streaming videos
    abortcontent ^video\/mp4$
    abortcontent ^video\/x-flv$

    # Do not scan sequence of framed Microsoft Media Server (MMS) data packets
    abortcontent ^.*application\/x-mms-framed.*$

    #content ^.zip$

    # Scan all files
    content ^.*\/.*$

  14. nano /etc/clamd.conf

    ##
    ## Example config file for the Clam AV daemon
    ## Please read the clamd.conf(5) manual before editing this file.
    ##


    # Comment or remove the line below.
    #Example

    # Uncomment this option to enable logging.
    # LogFile must be writable for the user running daemon.
    # A full path is required.
    # Default: disabled
    LogFile /var/log/clamav/clamd.log

    # By default the log file is locked for writing - the lock protects against
    # running clamd multiple times (if want to run another clamd, please
    # copy the configuration file, change the LogFile variable, and run
    # the daemon with --config-file option).
    # This option disables log file locking.
    # Default: no
    #LogFileUnlock yes

    # Maximum size of the log file.
    # Value of 0 disables the limit.
    # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
    # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
    # in bytes just don't use modifiers.
    # Default: 1M
    LogFileMaxSize 0

    # Log time with each message.
    # Default: no
    LogTime yes

    # Also log clean files. Useful in debugging but drastically increases the
    # log size.
    # Default: no
    #LogClean yes

    # Use system logger (can work together with LogFile).
    # Default: no
    LogSyslog yes

    # Specify the type of syslog messages - please refer to 'man syslog'
    # for facility names.
    # Default: LOG_LOCAL6
    #LogFacility LOG_MAIL

    # Enable verbose logging.
    # Default: no
    #LogVerbose yes

    # This option allows you to save a process identifier of the listening
    # daemon (main thread).
    # Default: disabled
    PidFile /var/run/clamav/clamd.pid

    # Optional path to the global temporary directory.
    # Default: system specific (usually /tmp or /var/tmp).
    TemporaryDirectory /var/tmp

    # Path to the database directory.
    # Default: hardcoded (depends on installation options)
    DatabaseDirectory /var/clamav

    # The daemon can work in local mode, network mode or both.
    # Due to security reasons we recommend the local mode.

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    LocalSocket /var/run/clamav/clamd.sock

    # Remove stale socket after unclean shutdown.
    # Default: yes
    FixStaleSocket yes

    # TCP port address.
    # Default: no
    TCPSocket 3310

    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    TCPAddr 127.0.0.1

    # Maximum length the queue of pending connections may grow to.
    # Default: 15
    MaxConnectionQueueLength 30

    # Clamd uses FTP-like protocol to receive data from remote clients.
    # If you are using clamav-milter to balance load between remote clamd daemons
    # on firewall servers you may need to tune the options below.

    # Close the connection when the data size limit is exceeded.
    # The value should match your MTA's limit for a maximum attachment size.
    # Default: 25M
    #StreamMaxLength 10M

    # Limit port range.
    # Default: 1024
    #StreamMinPort 30000
    # Default: 2048
    #StreamMaxPort 32000

    # Maximum number of threads running at the same time.
    # Default: 10

    # this was previously active
    #MaxThreads 50
    MaxThreads 10

    # Waiting for data from a client socket will timeout after this time (seconds).
    # Value of 0 disables the timeout.
    # Default: 120
    ReadTimeout 300

    # This option specifies the time (in seconds) after which clamd should
    # timeout if a client doesn't provide any initial command after connecting.
    # Default: 5
    #CommandReadTimeout 5

    # This option specifies how long to wait (in milliseconds) if the send buffer is full.
    # Keep this value low to prevent clamd hanging
    #
    # Default: 500
    #SendBufTimeout 200

    # Maximum number of queued items (including those being processed by MaxThreads threads)
    # It is recommended to have this value at least twice MaxThreads if possible.
    # WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
    # the following condition should hold:
    # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
    #
    # Default: 100
    #MaxQueue 200

    # Waiting for a new job will timeout after this time (seconds).
    # Default: 30
    #IdleTimeout 60

    # Don't scan files and directories matching regex
    # This directive can be used multiple times
    # Default: scan all
    #ExcludePath ^/proc/
    #ExcludePath ^/sys/

    # Maximum depth directories are scanned at.
    # Default: 15
    #MaxDirectoryRecursion 20

    # Follow directory symlinks.
    # Default: no
    #FollowDirectorySymlinks yes

    # Follow regular file symlinks.
    # Default: no
    #FollowFileSymlinks yes

    # Perform a database check.
    # Default: 600 (10 min)
    #SelfCheck 600

    # Execute a command when virus is found. In the command string %v will
    # be replaced with the virus name.
    # Default: no
    #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

    # I added this:

    VirusEvent /bin/mailx -s "Proxy - $HOSTNAME - ClamAV - VIRUS ALERT: %v" <> < /var/log/squidclamav.log

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    User clamav

    # Initialize supplementary group access (clamd must be started by root).
    # Default: no
    AllowSupplementaryGroups yes

    # Stop daemon when libclamav reports out of memory condition.
    #ExitOnOOM yes

    # Don't fork into background.
    # Default: no
    #Foreground yes

    # Enable debug messages in libclamav.
    # Default: no
    #Debug yes

    # Do not remove temporary files (for debug purposes).
    # Default: no
    #LeaveTemporaryFiles yes

    # Detect Possibly Unwanted Applications.
    # Default: no
    #DetectPUA yes

    # Exclude a specific PUA category. This directive can be used multiple times.
    # See http://www.clamav.net/support/pua for the complete list of PUA
    # categories.
    # Default: Load all categories (if DetectPUA is activated)
    #ExcludePUA NetTool
    #ExcludePUA PWTool

    # Only include a specific PUA category. This directive can be used multiple
    # times.
    # Default: Load all categories (if DetectPUA is activated)
    #IncludePUA Spy
    #IncludePUA Scanner
    #IncludePUA RAT

    # In some cases (eg. complex malware, exploits in graphic files, and others),
    # ClamAV uses special algorithms to provide accurate detection. This option
    # controls the algorithmic detection.
    # Default: yes
    #AlgorithmicDetection yes


    ##
    ## Executable files
    ##

    # PE stands for Portable Executable - it's an executable file format used
    # in all 32 and 64-bit versions of Windows operating systems. This option allows
    # ClamAV to perform a deeper analysis of executable files and it's also
    # required for decompression of popular executable packers such as UPX, FSG,
    # and Petite.
    # Default: yes
    ScanPE yes

    # Executable and Linking Format is a standard format for UN*X executables.
    # This option allows you to control the scanning of ELF files.
    # Default: yes
    ScanELF yes

    # With this option clamav will try to detect broken executables (both PE and
    # ELF) and mark them as Broken.Executable.
    # Default: no
    DetectBrokenExecutables yes


    ##
    ## Documents
    ##

    # This option enables scanning of OLE2 files, such as Microsoft Office
    # documents and .msi files.
    # Default: yes
    ScanOLE2 yes

    # This option enables scanning within PDF files.
    # Default: yes
    #ScanPDF yes


    ##
    ## Mail files
    ##

    # Enable internal e-mail scanner.
    # Default: yes
    ScanMail yes

    # If an email contains URLs ClamAV can download and scan them.
    # WARNING: This option may open your system to a DoS attack.
    #       Never use it on loaded servers.
    # Default: no
    #MailFollowURLs no

    # Scan RFC1341 messages split over many emails.
    # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
    # WARNING: This option may open your system to a DoS attack.
    #       Never use it on loaded servers.
    # Default: no
    #ScanPartialMessages yes


    # With this option enabled ClamAV will try to detect phishing attempts by using
    # signatures.
    # Default: yes
    #PhishingSignatures yes

    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    #PhishingScanURLs yes

    # Always block SSL mismatches in URLs, even if the URL isn't in the database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockSSLMismatch no

    # Always block cloaked URLs, even if URL isn't in database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockCloak no

    # Allow heuristic match to take precedence.
    # When enabled, if a heuristic scan (such as phishingScan) detects
    # a possible virus/phish it will stop scan immediately. Recommended, saves CPU
    # scan-time.
    # When disabled, virus/phish detected by heuristic scans will be reported only at
    # the end of a scan. If an archive contains both a heuristically detected
    # virus/phish, and a real malware, the real malware will be reported
    #
    # Keep this disabled if you intend to handle "*.Heuristics.*" viruses
    # differently from "real" malware.
    # If a non-heuristically-detected virus (signature-based) is found first,
    # the scan is interrupted immediately, regardless of this config option.
    #
    # Default: no
    #HeuristicScanPrecedence yes

    ##
    ## Data Loss Prevention (DLP)
    ##

    # Enable the DLP module
    # Default: No
    #StructuredDataDetection yes

    # This option sets the lowest number of Credit Card numbers found in a file
    # to generate a detect.
    # Default: 3
    #StructuredMinCreditCardCount 5

    # This option sets the lowest number of Social Security Numbers found
    # in a file to generate a detect.
    # Default: 3
    #StructuredMinSSNCount 5

    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxx-yy-zzzz
    # Default: yes
    #StructuredSSNFormatNormal yes

    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxxyyzzzz
    # Default: no
    #StructuredSSNFormatStripped yes


    ##
    ## HTML
    ##

    # Perform HTML normalisation and decryption of MS Script Encoder code.
    # Default: yes
    #ScanHTML yes


    ##
    ## Archives
    ##

    # ClamAV can scan within archives and compressed files.
    # Default: yes
    ScanArchive yes

    # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
    # Default: no
    ArchiveBlockEncrypted no


    ##
    ## Limits
    ##

    # The options below protect your system against Denial of Service attacks
    # using archive bombs.

    # This option sets the maximum amount of data to be scanned for each input file.
    # Archives and other containers are recursively extracted and scanned up to this
    # value.
    # Value of 0 disables the limit
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 100M
    #MaxScanSize 150M

    # Files larger than this limit won't be scanned. Affects the input file itself
    # as well as files contained inside it (when the input file is an archive, a
    # document or some other kind of container).
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 25M
    #MaxFileSize 30M

    # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
    # file, all files within it will also be scanned. This options specifies how
    # deeply the process should be continued.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Value of 0 disables the limit.
    # Default: 16
    #MaxRecursion 10

    # Number of files to be scanned within an archive, a document, or any other
    # container file.
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10000
    #MaxFiles 15000


    ##
    ## Clamuko settings
    ## WARNING: This is experimental software. It is very likely it will hang
    ##        up your system!!!
    ##

    # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
    # Default: no
    #ClamukoScanOnAccess yes

    # Set access mask for Clamuko.
    # Default: no
    #ClamukoScanOnOpen yes
    #ClamukoScanOnClose yes
    #ClamukoScanOnExec yes

    # Set the include paths (all files inside them will be scanned). You can have
    # multiple ClamukoIncludePath directives but each directory must be added
    # in a separate line.
    # Default: disabled
    #ClamukoIncludePath /home
    #ClamukoIncludePath /students

    # Set the exclude paths. All subdirectories are also excluded.
    # Default: disabled
    #ClamukoExcludePath /home/bofh

    # Don't scan files larger than ClamukoMaxFileSize
    # Value of 0 disables the limit.
    # Default: 5M
    #ClamukoMaxFileSize 10M

  15. The relevant parts of the Squid configuration for working with ClamAV :

    nano /etc/squid/squid.conf


    #  TAG: location_rewrite_children
    #    The number of location rewriting processes to spawn. If you start
    #    too few Squid will have to wait for them to process a backlog of
    #    URLs, slowing it down. If you start too many they will use RAM
    #    and other system resources.

    :
    :


    ### I added this to start real-time scanning of HTTP traffic :

    url_rewrite_program /usr/local/bin/squidclamav
    url_rewrite_children 15


    :
    :
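The three configuration fragments above only work together if they agree with each other: squidclamav's clamd_local and clamd_port must name the socket and port clamd actually listens on, and clamd's TCP listener should stay on loopback, otherwise every host that can reach port 3310 can feed it files to scan. The following script is an added example, not part of the original post, that checks those pairings and also whether clamd's queue can hold one scan per url_rewrite_children helper (MaxQueue counts items being scanned, as the clamd.conf comment above says). It runs on constructed copies of the settings from this page embedded as variables; the check_files helper at the end, which applies the same checks to real files, is a hypothetical usage.

```shell
#!/bin/sh
# Added example (not part of the original post): cross-check the three
# configuration fragments from this page against each other.
# The texts below are constructed copies of the settings shown above.

CLAMD_CONF='
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
MaxThreads 10
#MaxQueue 200
User clamav
'

SQUIDCLAMAV_CONF='
squid_ip 127.0.0.1
squid_port 3128
logfile /var/log/squidclamav.log
clamd_local /var/run/clamav/clamd.sock
clamd_ip 127.0.0.1
clamd_port 3310
timeout 30
'

SQUID_CONF='
url_rewrite_program /usr/local/bin/squidclamav
url_rewrite_children 15
'

# Constructed broken variant: socket path left at the dist-file default and
# TCPAddr still commented out, so clamd would bind to every interface.
BAD_CLAMD_CONF='
LocalSocket /tmp/clamd
TCPSocket 3310
#TCPAddr 127.0.0.1
MaxThreads 10
'

# conf_value CONFIG_TEXT KEY -> value of the first active (uncommented) KEY line,
# empty if the key is not set. A commented line has "#KEY" as its first word,
# so it never matches.
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_pairing CLAMD_TEXT SQUIDCLAMAV_TEXT -> 0 if squidclamav points at the
# socket and port clamd really listens on and the TCP listener stays on
# loopback, 1 otherwise (reasons on stderr)
check_pairing() {
    clamd=$1; scav=$2; rc=0
    if [ "$(conf_value "$clamd" LocalSocket)" != "$(conf_value "$scav" clamd_local)" ]; then
        echo "MISMATCH: LocalSocket '$(conf_value "$clamd" LocalSocket)' vs clamd_local '$(conf_value "$scav" clamd_local)'" >&2
        rc=1
    fi
    if [ "$(conf_value "$clamd" TCPSocket)" != "$(conf_value "$scav" clamd_port)" ]; then
        echo "MISMATCH: TCPSocket '$(conf_value "$clamd" TCPSocket)' vs clamd_port '$(conf_value "$scav" clamd_port)'" >&2
        rc=1
    fi
    case "$(conf_value "$clamd" TCPAddr)" in
        127.0.0.1|::1|localhost) ;;
        '') echo "EXPOSED: TCPAddr unset, clamd accepts scans from any host on port $(conf_value "$clamd" TCPSocket)" >&2; rc=1 ;;
        *)  echo "EXPOSED: TCPAddr '$(conf_value "$clamd" TCPAddr)' is not loopback" >&2; rc=1 ;;
    esac
    return $rc
}

# helper_headroom CLAMD_TEXT SQUID_TEXT -> 0 if clamd's queue (MaxQueue,
# default 100, counts items being scanned too) can hold one scan per
# url_rewrite_children helper, 1 otherwise
helper_headroom() {
    children=$(conf_value "$2" url_rewrite_children)
    queue=$(conf_value "$1" MaxQueue)
    [ "${children:-0}" -le "${queue:-100}" ]
}

# check_files CLAMD_FILE SQUIDCLAMAV_FILE SQUID_FILE -> the same checks on real
# files, e.g. check_files /etc/clamd.conf /etc/squidclamav.conf /etc/squid/squid.conf
check_files() {
    check_pairing "$(cat "$1")" "$(cat "$2")" && helper_headroom "$(cat "$1")" "$(cat "$3")"
}

if check_pairing "$CLAMD_CONF" "$SQUIDCLAMAV_CONF" && helper_headroom "$CLAMD_CONF" "$SQUID_CONF"; then
    echo "clamd.conf, squidclamav.conf and squid.conf agree"
fi
```

Run it after every edit of the three files (before the Squid restart in step 16); a non-zero exit with a MISMATCH or EXPOSED line on stderr tells you what to fix.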


  16. It is very important to restart Squid after every configuration change, whether to Squid, squidclamav or ClamAV (the squidclamav helpers only read squidclamav.conf when Squid starts them, and clamd must be restarted separately after clamd.conf is changed)!!!
  17. The setup can be verified by opening the EICAR test page : http://www.eicar.org/anti_virus_test_file.htm




  18. After opening the test-virus page the browser must not receive the file; instead squidclamav redirects it to the configured redirect address with the original URL, the client and the detected virus name as query parameters (the exact form appears in the log lines under item 19). The following output must appear :




  19. If e-mail notification is configured in clamd.conf, you will receive an e-mail saying that access to the page was blocked because it is infected. The VirusEvent command feeds the entire squidclamav.log to mailx on standard input, so the whole log arrives as the message body; the most recent events are at the end of squidclamav.log.

    Here are two examples :

    Mon May 31 09:39:18 2010 [10809] LOG Redirecting URL to: http://www.google.com/?url=http://www.eicar.org/download/eicar.com.txt&source=10.145.3.166/rcdell.akk_domain.com&user=-&virus=stream:+Eicar-Test-Signature+FOUND


    Sat May 29 07:57:31 2010 [18242] LOG Redirecting URL to: http://www.google.com/?url=http://penzosi.gradub.info/?attachment_id=831&source=10.145.3.153/magacin02.akk_domain.com&user=-&virus=stream:+JS.Crypt-1+FOUND
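Everything downstream of a detection (the VirusEvent mail, a SIEM, a quick look at which client keeps hitting malware) has to work from lines like the two above, and all the useful fields are packed into the query string of the redirect URL. Here is an added example, not part of the original post, of pulling them apart with plain POSIX shell. The two sample lines are copies of the ones quoted above; the only assumption is the field order squidclamav uses in the redirect URL (url, source, user, virus), which is exactly what those lines show.

```shell
#!/bin/sh
# Added example (not part of the original post): extract the useful fields
# from squidclamav's "Redirecting URL to:" log lines.
# The two sample lines are copies of the ones quoted on this page.

SAMPLE_LINE_1='Mon May 31 09:39:18 2010 [10809] LOG Redirecting URL to: http://www.google.com/?url=http://www.eicar.org/download/eicar.com.txt&source=10.145.3.166/rcdell.akk_domain.com&user=-&virus=stream:+Eicar-Test-Signature+FOUND'
SAMPLE_LINE_2='Sat May 29 07:57:31 2010 [18242] LOG Redirecting URL to: http://www.google.com/?url=http://penzosi.gradub.info/?attachment_id=831&source=10.145.3.153/magacin02.akk_domain.com&user=-&virus=stream:+JS.Crypt-1+FOUND'

# parse_redirect_line LINE -> "timestamp|virus|source|user|url"
# squidclamav builds the redirect as
#   <redirect>?url=<original url>&source=<client>&user=<squid user>&virus=<clamd reply>
# so each field is cut at the FIRST occurrence of the next literal marker,
# which keeps any '?' or '&' inside the original URL intact.
parse_redirect_line() {
    line=$1
    ts=${line%%' ['*}                      # everything before " [pid]"
    rest=${line#*'Redirecting URL to: '}
    rest=${rest#*'?url='}                  # drop the redirect base
    url=${rest%%'&source='*}
    rest=${rest#*'&source='}
    src=${rest%%'&user='*}
    rest=${rest#*'&user='}
    user=${rest%%'&virus='*}
    virus=${rest#*'&virus='}
    # clamd answers "stream: <name> FOUND"; squidclamav encodes the spaces as '+'
    virus=$(printf '%s' "$virus" | tr '+' ' ')
    virus=${virus#'stream: '}
    virus=${virus%' FOUND'}
    printf '%s|%s|%s|%s|%s\n' "$ts" "$virus" "$src" "$user" "$url"
}

# count_by_virus < LOG -> "<count> <virus>" lines, most frequent first;
# non-detection lines (squidclamav logs more than redirects) are skipped
count_by_virus() {
    while IFS= read -r line; do
        case $line in
            *'LOG Redirecting URL to: '*) parse_redirect_line "$line" | cut -d'|' -f2 ;;
        esac
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# last_detections N < LOG -> the N most recent detections, newest last
# (the end of the log is what the VirusEvent mail is really about)
last_detections() {
    grep 'LOG Redirecting URL to: ' | tail -n "$1" | while IFS= read -r line; do
        parse_redirect_line "$line"
    done
}

# Demo on the two sample lines; on a live box use: count_by_virus < /var/log/squidclamav.log
printf '%s\n%s\n' "$SAMPLE_LINE_1" "$SAMPLE_LINE_2" | count_by_virus
printf '%s\n%s\n' "$SAMPLE_LINE_1" "$SAMPLE_LINE_2" | last_detections 1
```

The source field is the client IP plus the reverse-resolved hostname as Squid saw it, so the output of last_detections is enough to know which workstation to look at; the user field stays "-" because this setup has no proxy authentication.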




    NOTES
    ______________________________

    The official ClamAV version that yum installs is 0.95, and with it freshclam cannot download new definitions until ClamAV is upgraded to 0.96, i.e. the latest current version.

    Since we installed clamd from the DAG repository, this problem is solved !
