At http://www.fatbsd.com/openbsd/ you can find an unofficial ClamAV
port for OpenBSD 3.4.
# cd /usr/ports/security
# wget http://www.fatbsd.com/openbsd/clamav-0.67-1_3.4.tar.gz
# tar xvzf clamav-0.67-1_3.4.tar.gz
# mv clamav-0.67-1 clamav
The clamav port also has a milter FLAVOR:
# make show=FLAVORS
milter
We want this FLAVOR because we will tell Sendmail to hand all mail to
clamav-milter, where it is then scanned.
To run clamav-milter with Sendmail we have to rebuild Sendmail with
Milter support (append to mk.conf so that existing settings are kept):
# echo WANT_LIBMILTER=1 >> /etc/mk.conf
# cd /usr/src/gnu/usr.sbin/sendmail
# make depend
# make
# make install
Now sendmail only needs to be restarted!! One more thing has to be done
first, though, otherwise the BUILD of clamav-milter fails. We have to
make the Milter header files available to the clamav port:
# cd /usr/include
# ln -s ../src/gnu/usr.sbin/sendmail/include/libmilter libmilter
Now we can finally build the clamav port with the milter FLAVOR :)
# cd /usr/ports/security/clamav
# env FLAVOR="milter" make install
After the installation you should add the following cron job so that
the virus DB stays up to date:
------------------------------------------------------------------------------
#
# CLAMAV update
#
0 8 * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log --daemon-notify
------------------------------------------------------------------------------
Next, the clamav.conf file has to be adjusted so that mail gets scanned
as well. An example file can be found at
/usr/local/share/examples/clamav.conf, but you can also put the
following config into /etc/clamav.conf:
------------------------------------------------------------------------------
##
## Example config file for the Clam AV daemon
## Please read the clamav.conf(5) manual before editing this file.
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
LogFile /tmp/clamd.log
# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
LogFileMaxSize 1M
# Log time with each message.
LogTime
# This option allows you to save the process identifier of the listening
# daemon (main thread).
PidFile /var/run/clamd/clamd.pid
# Optional path to the global temporary directory.
# Default is system specific - usually /var/tmp or /tmp.
TemporaryDirectory /tmp
# Path to the database directory.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# but it depends on installation options).
DatabaseDirectory /usr/local/share/clamav
# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /var/run/clamd/clamd.sock
# Remove stale socket after unclean shutdown.
FixStaleSocket
# TCP port address.
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default is 15.
MaxConnectionQueueLength 30
# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
StreamSaveToDisk
# Close the connection if this limit is exceeded.
#StreamMaxLength 10M
# Maximum number of threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
MaxThreads 10
# Thread (scanner - single task) will be stopped after this time (seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
# timeout instead of disabling it.
ThreadTimeout 500
# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15
# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
FollowDirectorySymlinks
# Follow regular file symlinks.
FollowFileSymlinks
# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
SelfCheck 600
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
# eg. by using some special file name when %f is used.
# Always use a full path to the command.
# Never delete/move files with this directive !
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %f: %v"
# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User _clamd
# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups
##
## Mail support
##
# Uncomment this option if you are planning to scan mail files.
ScanMail
##
## Archive support
##
# Comment this line to disable scanning of the archives.
ScanArchive
# By default the built-in RAR unpacker is disabled because the code
# leaks badly, however it's probably a good idea to enable it.
ScanRAR
# Options below protect your system against Denial of Service attacks
# with archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
# archives are decompressed to the memory. That's why never disable
# this limit (but you may increase it of course!)
ArchiveMaxFileSize 10M
# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only if recursion limit is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
ArchiveMaxRecursion 5
# Number of files to be scanned within archive.
# Value of 0 disables the limit.
ArchiveMaxFiles 1000
# Mark potential archive bombs as viruses (0 disables the limit)
ArchiveMaxCompressionRatio 200
# Use slower decompression algorithm which uses less memory. This option
# affects bzip2 decompressor only.
ArchiveLimitMemoryUsage
DatabaseMirror database.clamav.net
------------------------------------------------------------------------------
So, now all that is left is to configure Sendmail so that it hands mail
to clamav-milter. For that we add the following to our Sendmail
unser_super_sendmail.mc file:
------------------------------------------------------------------------------
dnl #################
dnl ## milter clamav
dnl #################
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamd/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')
------------------------------------------------------------------------------
Then the usual:
# cd /usr/share/sendmail/cf
# make unser_super_sendmail.cf
# cp unser_super_sendmail.cf /etc/mail/
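Added example, not from the original post and not part of sendmail: a small parser for the INPUT_MAIL_FILTER lines of a .mc file that reports each milter's socket and what sendmail does when that milter cannot be reached. With the flags shown above (F= left empty) sendmail accepts and delivers mail unscanned while clamav-milter is down; F=T makes it return a temporary failure instead, and F=R rejects. The sample .mc the script writes is constructed for the demonstration (the clmilter-strict entry is invented to show the contrast), and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: report the failure mode of each milter in a sendmail .mc.
# Not part of the original post; the helpers and sample file are this
# example's own.

# milter_filters MCFILE [NAME] -> "name|socket|F-flags|timeouts" for each
# INPUT_MAIL_FILTER line (only the entry called NAME when given)
milter_filters() {
    awk -v want="$2" '
        /^INPUT_MAIL_FILTER\(/ {
            split($0, q, "\047")               # "\047" is the single quote
            name = q[1]; sub(/.*`/, "", name)  # text after the opening backtick
            def = q[2]; sub(/^, *`/, "", def)  # the S=..., F=..., T=... list
            if (want != "" && name != want) next
            s = f = t = ""
            m = split(def, kv, ",")
            for (i = 1; i <= m; i++) {
                item = kv[i]; gsub(/^ +| +$/, "", item)
                key = substr(item, 1, 1); val = substr(item, 3)
                if (key == "S") s = val
                else if (key == "F") f = val
                else if (key == "T") t = val
            }
            print name "|" s "|" f "|" t
        }' "$1"
}

# milter_socket MCFILE NAME -> the S= value of that milter
milter_socket() {
    milter_filters "$1" "$2" | cut -d'|' -f2
}

# milter_failure_mode MCFILE NAME -> what sendmail does when the milter is
# unreachable: reject (F=R), tempfail (F=T) or fail-open (no F flag)
milter_failure_mode() {
    entry=$(milter_filters "$1" "$2")
    if [ -z "$entry" ]; then
        echo "not defined"
        return 0
    fi
    case $(printf '%s\n' "$entry" | cut -d'|' -f3) in
        *R*) echo reject ;;
        *T*) echo tempfail ;;
        *)   echo fail-open ;;
    esac
}

# active_filters MCFILE -> value of confINPUT_MAIL_FILTERS, i.e. the
# filters sendmail actually runs, in order
active_filters() {
    awk '/confINPUT_MAIL_FILTERS/ {
            split($0, q, "\047"); v = q[2]; sub(/^, *`/, "", v); print v
         }' "$1"
}

# write_sample_mc FILE -> constructed .mc with the clmilter line from the
# post plus an invented stricter variant
write_sample_mc() {
    cat > "$1" <<'EOF'
dnl ## milter clamav (constructed sample for the example)
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamd/clmilter.sock, F=, T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`clmilter-strict',`S=local:/var/run/clamd/clmilter.sock, F=T, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')
EOF
}

mc=$(mktemp)
write_sample_mc "$mc"
echo "active filters: $(active_filters "$mc")"
for name in clmilter clmilter-strict; do
    echo "$name: socket $(milter_socket "$mc" "$name"), if unreachable: $(milter_failure_mode "$mc" "$name")"
done
```

Point it at your own .mc to see whether a milter outage quietly turns the scan off; whichever mode you pick, the confINPUT_MAIL_FILTERS line decides which of the defined filters are actually used.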
Before we restart Sendmail, let's first start clamd and clamav-milter,
and update the virus DB right away as well.
At this point it is strongly recommended to read the following man pages
so that you know what effect the options in the conf files and the
options for clamav-milter and clamd have:
* man 8 clamav-milter
* man 5 clamav.conf
* man 8 clamd
# /usr/local/sbin/clamd
# /usr/local/bin/freshclam --quiet -l \
/var/log/clam-update.log --daemon-notify
# /usr/local/sbin/clamav-milter -lo --noreject /var/run/clamd/clmilter.sock
I also added the following alias to /etc/mail/aliases:
--> _clamd: root
# /usr/bin/newaliases
Now we can finally restart Sendmail and hope that everything worked! So
that clamd and clamav-milter get started automatically on the next
reboot, it is advisable to put the following into rc.local:
------------------------------------------------------------------------------
#################################
# CLAMD && CLAMAV-MILTER
#################################
if [ -x /usr/local/sbin/clamd ]; then
	/usr/local/sbin/clamd
	echo -n ' clamd'
	if [ -x /usr/local/sbin/clamav-milter ]; then
		# Remove stale socket file if present because
		# clamav-milter will not start if an old socket
		# is there.
		rm -f /var/run/clamd/clmilter.sock
		/usr/local/sbin/clamav-milter -lo --noreject /var/run/clamd/clmilter.sock
		echo -n ' clamav-milter'
	fi
fi
------------------------------------------------------------------------------
You should not trust any system blindly, so you should run a few tests
to check that everything works the way you want it to. For that you can
copy /usr/ports/distfiles/clamav-0.67-1.tar.gz to /tmp, for example, and
unpack it there. In the directory clamav-0.67-1/test you will find a few
test files that you should send to yourself by e-mail. While doing so,
watch what happens in /var/log/maillog and /tmp/clamd.log :).
Furthermore, every mail now gets a new header field added:
--> X-Virus-Scanned: clamd / ClamAV version 0.67-1, clamav-milter version 0.67a
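As an added example (not part of the original post), here is a shell helper for the test just described: it reads a saved test message and checks the header section for the X-Virus-Scanned field that clamav-milter adds, joining folded continuation lines and ignoring anything in the body. It also counts the field, because a sender can put an X-Virus-Scanned header into a message themselves; more than one copy means one of them did not come from your milter. The two messages it writes are constructed for the demonstration, using the header value quoted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check a saved test mail for the X-Virus-Scanned header that
# clamav-milter adds. Not part of the original post; the sample messages
# below are constructed.

# scanned_header FILE -> value of the first X-Virus-Scanned header in the
# header section, with folded continuation lines joined; empty if absent
scanned_header() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^$/ { exit }                           # blank line ends the headers
        /^[ \t]/ { if (grab) val = val " " $0; next }   # folded continuation
        { grab = 0 }
        tolower($0) ~ /^x-virus-scanned:/ {
            if (val == "") { val = substr($0, 17); grab = 1 }
        }
        END {
            gsub(/[ \t]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }' "$1"
}

# scanned_header_count FILE -> how many X-Virus-Scanned headers the header
# section carries (the body is ignored)
scanned_header_count() {
    awk '{ sub(/\r$/, "") } /^$/ { exit }
         tolower($0) ~ /^x-virus-scanned:/ { n++ }
         END { print n + 0 }' "$1"
}

# scanner_version FILE -> the ClamAV engine version named in the header
scanner_version() {
    scanned_header "$1" | sed -n 's/.*ClamAV version \([^,]*\),.*/\1/p'
}

# check_scan FILE -> one-line verdict for the test mail
check_scan() {
    case $(scanned_header_count "$1") in
        0) echo "not scanned: no X-Virus-Scanned header" ;;
        1) echo "scanned by $(scanned_header "$1")" ;;
        *) echo "multiple X-Virus-Scanned headers: one did not come from this milter" ;;
    esac
}

# write_sample_mails DIR -> constructed messages: one that passed the
# milter (header folded over two lines) and one that did not
write_sample_mails() {
    cat > "$1/scanned.eml" <<'EOF'
Received: from localhost (localhost [127.0.0.1])
    by mail.example.invalid with ESMTP id CONSTRUCTED01
X-Virus-Scanned: clamd / ClamAV version 0.67-1,
    clamav-milter version 0.67a
From: root@mail.example.invalid
To: root@mail.example.invalid
Subject: clamav-milter test

The body may mention X-Virus-Scanned: but that does not count.
EOF
    cat > "$1/unscanned.eml" <<'EOF'
From: root@mail.example.invalid
To: root@mail.example.invalid
Subject: delivered without the milter

No scan header here.
EOF
}

maildir=$(mktemp -d)
write_sample_mails "$maildir"
for f in scanned unscanned; do
    echo "$f.eml: $(check_scan "$maildir/$f.eml")"
done
echo "engine version: $(scanner_version "$maildir/scanned.eml")"
```

Save one of the test mails you sent yourself to a file and run check_scan on it; if the verdict is "not scanned", compare /var/log/maillog with the confINPUT_MAIL_FILTERS line in your .mc before looking anywhere else.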
More information can be found at:
* http://www.linux-sxs.org/administration/clamav-milter.html
* http://activeintra.net/projects/clamav/openbsd/
* http://www.clamav.net/
--
Igor