Differences
This shows the differences between two versions of the page.
centos:mail_c7:spam_7 [20.11.2014 14:12] – [clamav] django | centos:mail_c7:spam_7 [15.07.2020 11:07] (current) – [freschcalm Update] django | ||
---|---|---|---|
Line 164: | Line 164: | ||
/ | / | ||
</ | </ | ||
- | ==== clamav-server-systemd ==== | ||
- | # | ||
- | < | ||
- | Version | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Fri 14 Nov 2014 02:09:09 PM CET | ||
- | Group : System Environment/ | ||
- | Size : 231 | ||
- | License | ||
- | Signature | ||
- | Source RPM : clamav-0.98.4-1.el7.src.rpm | ||
- | Build Date : Wed 23 Jul 2014 11:35:56 PM CEST | ||
- | Build Host : buildhw-02.phx2.fedoraproject.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | Systemd template for the clamav server | ||
- | / | ||
- | </ | ||
==== clamav ==== | ==== clamav ==== | ||
# rpm -qil clamav | # rpm -qil clamav | ||
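Review bot: Removing the whole clamav-server-systemd section (L9–L31) also removes the only place this page identified the package that ships the clamd@.service template (its rpm listing named /usr/lib/systemd/system/clamd@.service and described it as the "Systemd template for the clamav server"), which the page later copies from /usr/lib/systemd/ to /etc/systemd/system/ (L344–L350); keep at least a one-line pointer naming that package next to the clamav-server heading so a reader knows what has to be installed before the copy step. Dropping the remaining rpm -qil fields (Install Date, Build Host, Signature) is fine, since they duplicate what the clamav listing at L33 already shows.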
Line 250: | Line 227: | ||
==== clamav-update ==== | ==== clamav-update ==== | ||
+ | # rpm -qil clamav-update | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | FIXME | ||
- | ===== clamav ===== | ||
- | # yum install clamav -y | ||
- | |||
- | |||
- | # rpm -qil clamav | ||
- | < | ||
- | Version | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Tue 18 Nov 2014 10:23:01 AM CET | ||
- | Group : Applications/ | ||
- | Size : 2306673 | ||
- | License | ||
- | Signature | ||
- | Source RPM : clamav-0.98.4-1.el7.src.rpm | ||
- | Build Date : Wed 23 Jul 2014 11:35:56 PM CEST | ||
- | Build Host : buildhw-02.phx2.fedoraproject.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this | ||
- | software is the integration with mail servers (attachment scanning). The | ||
- | package provides a flexible and scalable multi-threaded daemon, a command | ||
- | line scanner, and a tool for automatic updating via Internet. The programs | ||
- | are based on a shared library distributed with the Clam AntiVirus package, | ||
- | which you can use with your own software. The virus database is based on | ||
- | the virus database from OpenAntiVirus, | ||
- | (including signatures for popular polymorphic viruses, too) and is KEPT UP | ||
- | TO DATE. | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | </ | ||
- | |||
- | ===== clamav-update ===== | ||
- | |||
- | # rpm -qil clamav-update | ||
< | < | ||
Version | Version | ||
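Review bot: The deletion drops the `# yum install clamav -y` step (L44) together with the duplicated clamav and clamav-update package listings, while the new side retains only `# rpm -qil clamav-update` (L36); unless the install command survives elsewhere on the page, it should be kept, because the rpm -qil queries at L33 and L36 only make sense once the packages are present. Removing the FIXME marker (L42) without a word on what was decided leaves the reader guessing whether the open point was resolved or just forgotten; one sentence next to the clamav-update heading would settle that.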
Line 357: | Line 263: | ||
</ | </ | ||
- | ==== freschcalm | + | |
+ | |||
+ | |||
+ | ==== freshclam | ||
# vim / | # vim / | ||
< | < | ||
Line 427: | Line 336: | ||
- | ==== Dokumentation ==== | + | ===== Dokumentation |
+ | ==== clamav ==== | ||
# less / | # less / | ||
- | < | + | < |
here may not be available in binary packages. | here may not be available in binary packages. | ||
-- | -- | ||
Line 2946: | Line 2855: | ||
</ | </ | ||
- | ===== clamav-update ===== | + | ==== clamav-server |
+ | # cat / | ||
+ | < | ||
+ | modify/copy them in the suggested way: | ||
+ | clamd.conf: | ||
+ | * set LocalSocket (or better: TCPSocket) and User to suitable values; | ||
+ | avoid PidFile unless it is required by system monitoring or something | ||
+ | else. Logging through syslog is usually better than an individual | ||
+ | Logfile. | ||
+ | * place this file into / | ||
+ | e.g. as / | ||
+ | When using TCPSocket, create iptables rules which are limiting the | ||
+ | access by source and/or by using '-m owner' | ||
+ | |||
+ | When LogFile feature is wanted, it must be writable for the assigned | ||
+ | User. Recommended way to reach this, is to: | ||
+ | * make it owned by the User's *group* | ||
+ | * assign at least 0620 (u+rw,g+w) permissions | ||
+ | |||
+ | A suitable command might be | ||
+ | | # touch < | ||
+ | | # chgrp < | ||
+ | | # chmod 0620 < | ||
+ | | # restorecon < | ||
+ | |||
+ | NEVER use ' | ||
+ | This is the user who is running the application; | ||
+ | (http:// | ||
+ | ' | ||
+ | made sure that the application-user can write into the socket-file, | ||
+ | and that the clamd-user can access the files asked by the | ||
+ | application to be checked. | ||
+ | |||
+ | clamd.logrotate: | ||
+ | * set the correct value for the logfile | ||
+ | * place it into / | ||
+ | |||
+ | clamd@< | ||
+ | * instance of clamd@.service | ||
+ | |||
+ | Additionally, | ||
+ | for the socket file must be created. | ||
+ | might want to create a file / | ||
+ | with a content of | ||
+ | |||
+ | | d / | ||
+ | |||
+ | Adjust < | ||
+ | so that the socket can be accessed by clamd and by the applications | ||
+ | using clamd. Make sure that the socket is not world accessible; else, | ||
+ | DOS attacks or worse are trivial. | ||
+ | |||
+ | |||
+ | [Disclaimer: | ||
+ | this file and the script/ | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Konfiguration ===== | ||
+ | ==== clamav-update ==== | ||
+ | Damit [[http:// | ||
+ | |||
+ | In der Standardkonfiguration sorgt **freshclam** dafür, dass **alle 3 Stunden** ein Update der Virenpattern-Datenbank vorgenommen wird. Bei Bedarf können wir den Updatezyklus unseren Erfordernissen anpassen und so z.B. alle Stunde überprüfen lassen ob neue Patternfiles vorhanden sind und diese dann auf unseren Rechner herunterzuladen und in die lokale Datenbank einfließen zu lassen. | ||
+ | |||
+ | Als erstes aktivieren wir die mitgelieferte Konfigurationsdatei // | ||
# vim / | # vim / | ||
- | < | + | < |
+ | ## Example config file for freshclam | ||
+ | ## Please read the freshclam.conf(5) manual before editing this file. | ||
+ | ## | ||
+ | |||
+ | |||
+ | # Comment or remove the line below. | ||
+ | # Django : 2014-11-15 | ||
+ | # default: Example | ||
+ | #Example | ||
+ | |||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Somit beschränkt sich diese Konfigurationsdatei lediglich auf zwei Zeilen. | ||
+ | # egrep -v ' | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | Die komplette Konfigurationsdatei lautet somit. | ||
+ | # vim / | ||
+ | <file bash / | ||
## Example config file for freshclam | ## Example config file for freshclam | ||
## Please read the freshclam.conf(5) manual before editing this file. | ## Please read the freshclam.conf(5) manual before editing this file. | ||
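Review bot: The pasted clamav-server README (L130–L187) is the checklist the page's own configuration should be held to, and one item already conflicts with it: the README says to avoid PidFile unless system monitoring requires it (L134–L136), yet the clamd.amavisd.conf shown later sets PidFile (L300–L302) although the unit starts clamd with Type=simple and --nofork=yes (L355–L356), where systemd tracks the main PID itself; either drop the PidFile line or state what needs it. Likewise the README's requirement that the socket not be world-accessible (L177–L178) is only met if the tmpfiles.d entry at L316–L318 sets a restrictive mode and the clamd user from L309 as owner, so the Konfiguration text should spell out the mode it chose instead of leaving that to the reader. The freshclam part (L192–L219) is straightforward: commenting out the `Example` line (L204–L207) is the one change needed to make freshclam.conf usable.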
Line 3187: | Line 3186: | ||
# | # | ||
# | # | ||
+ | </ | ||
+ | |||
+ | Der Pattern-Update erfolgt mit Hilfe der Datei **clamav-update** im Verzeichnis // | ||
+ | # vim / | ||
+ | |||
+ | <file bash / | ||
+ | MAILTO=root | ||
+ | |||
+ | ## It is ok to execute it as root; freshclam drops privileges and becomes | ||
+ | ## user ' | ||
+ | # Django : 2014-11-15 | ||
+ | # default: alle 3 Stunden | ||
+ | # 0 */3 * * * root / | ||
+ | 0 */3 * * * root / | ||
+ | </ | ||
+ | |||
+ | Damit nun alle drei Stunden der Update auch wirklich stattfinden kann, muss noch der Eintrag am Ende der Datei // | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | ## this value must be adjusted also. Its value is the timespan between | ||
+ | ## two subsequent freshclam runs in minutes. E.g. for the default | ||
+ | ## | ||
+ | ## | 0 */3 * * * ... | ||
+ | ## | ||
+ | ## crontab line, the value is 180 (minutes). | ||
+ | # FRESHCLAM_MOD= | ||
+ | |||
+ | ## A predefined value for the delay in seconds. By default, the value is | ||
+ | ## calculated by the ' | ||
+ | ## constant timespans of 3 hours between two subsequent freshclam runs. | ||
+ | ## | ||
+ | ## This option accepts two special values: | ||
+ | ## ' | ||
+ | ## gives out a warning | ||
+ | ## ' | ||
+ | # FRESHCLAM_DELAY= | ||
+ | |||
+ | |||
+ | ### !!!!! REMOVE ME !!!!!! | ||
+ | ### REMOVE ME: By default, the freshclam update is disabled to avoid | ||
+ | ### REMOVE ME: network access without prior activation | ||
+ | # | ||
+ | # Django : 2014-11-15 | ||
+ | # default: FRESHCLAM_DELAY=disabled-warn | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ==== clamav-server ==== | ||
+ | Für die Konfiguration des ClamAV-Servers sind im **RPM**-Paket neben der [[centos: | ||
+ | |||
+ | Als erstes kopieren wir die Datei // | ||
+ | # cp / | ||
+ | |||
+ | Die Konfigurationsdatei passen wir nun an unsere Installation an, in dem wir für unser **[[centos: | ||
+ | |||
+ | # vim / | ||
+ | <file bash / | ||
+ | # default: # | ||
+ | # # | ||
+ | CLAMD_CONFIGFILE=/ | ||
+ | CLAMD_SOCKET=/ | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Die verweiste Konfigurationsdatei **/ | ||
+ | # less / | ||
+ | <code bash># Use system logger. | ||
+ | LogSyslog yes | ||
+ | |||
+ | # Specify the type of syslog messages - please refer to 'man syslog' | ||
+ | # for facility names. | ||
+ | LogFacility LOG_MAIL | ||
+ | |||
+ | # This option allows you to save a process identifier of the listening | ||
+ | # daemon (main thread). | ||
+ | PidFile / | ||
+ | |||
+ | # Remove stale socket after unclean shutdown. | ||
+ | # Default: disabled | ||
+ | FixStaleSocket yes | ||
+ | |||
+ | # Run as a selected user (clamd must be started by root). | ||
+ | User amavis | ||
+ | |||
+ | # Path to a local socket file the daemon will listen on. | ||
+ | LocalSocket / | ||
</ | </ | ||
+ | Bei **[[http:// | ||
+ | # vim / | ||
- | ===== Installation ===== | + | <file bash/ |
- | + | d / | |
+ | </ | ||
- | # rpm -qil clamav-server | + | Bevor wir unseren ClamAV-Daemon starten können müssen wir noch kurz die zugehörige systemd-Konfigurationsdatei |
- | < | + | <WRAP center round alert 60%> |
- | Version | + | |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Fri 14 Nov 2014 02:09:08 PM CET | + | |
- | Group : System Environment/Daemons | + | |
- | Size : 194068 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : clamav-0.98.4-1.el7.src.rpm | + | |
- | Build Date : Wed 23 Jul 2014 11:35:56 PM CEST | + | |
- | Build Host : buildhw-02.phx2.fedoraproject.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
- | URL : http://www.clamav.net | + | |
- | Summary | + | |
- | Description : | + | |
- | ATTENTION: most users do not need this package; the main package has | + | |
- | everything (or depends on it) which is needed to scan for virii on | + | |
- | workstations. | + | |
- | This package contains files which are needed to execute the clamd-daemon. | + | **ACHTUNG** \\ |
- | This daemon does not provide a system-wide service. Instead of, an instance | + | Keinenfalls die Datei direkt im Verzeichnis **// / |
- | of this daemon should be started for each service requiring it. | + | </ |
- | See the README file how this can be done with a minimum of effort. | + | Wir kopieren also das **systemc-startscript** nach //**/etc/systemd/system/**// und bearbeiten dort eine lokale Kopie vom Original. Dadurch sind wir dann auch update-fest! |
- | /etc/clamd.d | + | |
- | /usr/sbin/clamav-notify-servers | + | # cp /usr/lib/ |
- | /usr/sbin/clamd | + | |
- | /usr/share/doc/clamav-server-0.98.4 | + | # vim /etc/systemd/system/clamd@.service |
- | /usr/share/doc/clamav-server-0.98.4/README | + | |
- | /usr/share/doc/clamav-server-0.98.4/ | + | <file bash /etc/systemd/system/clamd@.service> |
- | / | + | Description = clamd scanner (%i) daemon |
- | / | + | After = syslog.target nss-lookup.target network.target |
- | / | + | |
- | / | + | [Service] |
- | / | + | Type = simple |
+ | ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes | ||
+ | Restart = on-failure | ||
+ | PrivateTmp = true | ||
+ | |||
+ | # Django : 2014-11-15 | ||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </file> | ||
+ | |||
+ | Anschließend führen wir einen Reload des **systemctl**-Daemon aus. | ||
+ | # systemctl daemon-reload | ||
+ | |||
+ | ==== amavisd ==== | ||
+ | Die **ClamAV** spezifischen Konfigurationsoptionen befinden sich in mehreren Sectionen. So finden sich die Angaben zu den Packprogrammen in der Section **PFADANGABEN DER LOKALEN INSTALLATION** | ||
+ | |||
+ | <code perl>... | ||
+ | |||
+ | # Utilities mit denen amavis Archive auspackt | ||
+ | @decoders = ( | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | 'lzma -dc', ' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [[' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [' | ||
+ | [[' | ||
+ | [[' | ||
+ | [' | ||
+ | [[qw(7z zip gz bz2 Z tar)], \& | ||
+ | [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \& | ||
+ | [' | ||
+ | ); | ||
+ | |||
+ | # eMails wird komplett dem Virenscanner zugestellt. Dem Inhalt von Archiven | ||
+ | # wird grundsätzlich nicht vertraut. | ||
+ | @keep_decoded_original_maps = (new_RE( | ||
+ | qr' | ||
+ | qr' | ||
+ | qr' | ||
+ | )); | ||
+ | |||
+ | ... | ||
</ | </ | ||
+ | In der Section **VIRUS POLICY** finden sich die Definitionen zum Virenscanner **ClamAV**. | ||
+ | <code perl>################################################################################ | ||
+ | ## VIRUS POLICY | ||
+ | # | ||
- | # rpm -qil clamav-server-systemd | + | # Check aktivieren? |
- | < | + | # @bypass_virus_checks_maps = (1); |
- | Version | + | |
- | Release | + | # In Quarantäne? |
- | Architecture: | + | $virus_quarantine_to = undef; |
- | Install Date: Fri 14 Nov 2014 02:09:09 PM CET | + | |
- | Group : System Environment/ | + | # Admin benachrichtigen? |
- | Size : 231 | + | $virus_admin = undef; |
- | License | + | |
- | Signature | + | # Empfänger benachrichtigen? |
- | Source RPM : clamav-0.98.4-1.el7.src.rpm | + | $warnvirusrecip = 1; |
- | Build Date : Wed 23 Jul 2014 11:35:56 PM CEST | + | |
- | Build Host : buildhw-02.phx2.fedoraproject.org | + | # Recipient-Adresse bei Release erweitern? |
- | Relocations : (not relocatable) | + | @addr_extension_virus_maps = (' |
- | Packager | + | |
- | Vendor | + | # eMail bei Release wrappen? |
- | URL : | + | $defang_virus |
- | Summary | + | |
- | Description : | + | # Wollen wir Content transportieren? |
- | Systemd template for the clamav server | + | $final_virus_destiny = D_REJECT; |
- | /usr/lib/systemd/system/clamd@.service | + | |
+ | @av_scanners = ( | ||
+ | ### http:// | ||
+ | | ||
+ | | ||
+ | qr/\bOK$/m, qr/\bFOUND$/m, | ||
+ | qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], | ||
+ | ); | ||
+ | |||
+ | @av_scanners_backup = (); | ||
</ | </ | ||
- | ===== Dokumentation ===== | ||
- | # cat / | ||
- | < | ||
- | modify/copy them in the suggested way: | ||
- | clamd.conf: | + | ===== Programmstart ===== |
- | * set LocalSocket | + | ==== freshclam ==== |
- | avoid PidFile unless it is required by system monitoring or something | + | Der Update der Virensignatur-Datenbank läuft bereits automatisch über den cron-job. Im Syslog finden wir dazu die entsprechenden Transferversuche und -erfolge. |
- | else. Logging through syslog is usually better than an individual | + | # less / |
- | | + | < |
- | * place this file into /etc/clamd.d with an unique service-name; | + | Nov 18 15:48:33 vml000067 freshclam[10698]: |
- | e.g. as /etc/clamd.d/<SERVICE>.conf | + | Nov 18 15:48:34 vml000067 freshclam[10698]: |
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:48:34 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:49:36 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:49:41 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:49:42 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:49:42 vml000067 freshclam[10698]: | ||
+ | Nov 18 15:49:46 vml000067 freshclam[10698]: | ||
+ | </code> | ||
- | When using TCPSocket, create iptables rules which are limiting the | + | ==== erster Start von clamd ==== |
- | | + | Den ClamAV-Daemon, den wir speziell f+r AMaViS konfiguriert haben, starten wir mit folgendem Aufruf. |
+ | # systemctl start clamd@amavisd | ||
- | When LogFile feature is wanted, it must be writable for the assigned | + | Fragen wir nun den Serverstatus ab, erhalten wir detailierte Angaben zum laufenden Daemon. |
- | User. Recommended way to reach this, is to: | + | # systemctl status clamd@amavisd |
- | * make it owned by the User's *group* | + | < |
- | * assign at least 0620 (u+rw,g+w) permissions | + | |
+ | Active: active (running) since Thu 2014-11-20 21:39:50 CET; 18s ago | ||
+ | Main PID: 3054 (clamd) | ||
+ | | ||
+ | | ||
- | A suitable command might be | + | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: |
- | | # touch < | + | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: |
- | | # chgrp < | + | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: |
- | | # chmod 0620 < | + | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: |
- | | # restorecon | + | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: |
+ | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: | ||
+ | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: | ||
+ | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: | ||
+ | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: | ||
+ | Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: | ||
+ | </code> | ||
- | NEVER use ' | + | Im Syslog finden wir naturlich auch Informationen zum erfolgreichen Start des Daemon. |
- | This is the user who is running the application; | + | # less /var/log/messages |
- | (http://www.roaringpenguin.com/mimedefang), | + | |
- | ' | + | |
- | made sure that the application-user can write into the socket-file, | + | |
- | and that the clamd-user can access the files asked by the | + | |
- | application to be checked. | + | |
- | clamd.logrotate: (only when LogFile feature is used) | + | < |
- | | + | Nov 20 21:39:50 vml000067 systemd: Started clamd scanner |
- | * place it into / | + | Nov 20 21:40:02 vml000067 clamd: Limits: Global size limit set to 104857600 bytes. |
+ | Nov 20 21:40:02 vml000067 clamd: Limits: File size limit set to 26214400 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: Recursion level limit set to 16. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: Files limit set to 10000. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxEmbeddedPE limit set to 10485760 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxHTMLNormalize limit set to 10485760 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxHTMLNoTags limit set to 2097152 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxScriptNormalize limit set to 5242880 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxZipTypeRcg limit set to 1048576 bytes. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxPartitions limit set to 50. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Limits: MaxIconsPE limit set to 100. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Archive support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Algorithmic detection enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Portable Executable support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: ELF support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Mail files support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: OLE2 support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: PDF support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: SWF support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: HTML support enabled. | ||
+ | Nov 20 21:40:02 vml000067 clamd: Self checking every 600 seconds. | ||
+ | </ | ||
- | clamd@< | + | ==== automatischer Start des clamd ==== |
- | * instance of clamd@.service | + | Damit nun unser AMaViS-Server beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor. |
+ | # systemctl enable | ||
- | Additionally, | + | ln -s '/usr/lib/systemd/ |
- | for the socket file must be created. | + | |
- | might want to create a file /usr/lib/tmpfiles.d/clamd.< | + | |
- | with a content of | + | |
- | | d / | + | Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf. |
+ | # systemctl is-enabled clamd@amavisd | ||
- | Adjust < | + | |
- | so that the socket can be accessed by clamd and by the applications | + | |
- | using clamd. Make sure that the socket is not world accessible; else, | + | |
- | DOS attacks or worse are trivial. | + | |
+ | Die Rückmeldung **enabled** zeigt an, dass der Dienst automatisch startet; ein **disabled** zeigt entsprechend an, dass der Dienst __nicht__ automatisch startet. | ||
- | [Disclaimer: | ||
- | this file and the script/ | ||
- | | ||
- | | + | |
- | mailto:enrico.scholz@informatik.tu-chemnitz.de!] | + | ===== Test ===== |
+ | Haben wir die Konfiguration unseres **[[centos:mail_c7: | ||
+ | |||
+ | ===== HAM ===== | ||
+ | Als erstes wollen wir ein beliebiges ZIP-Archiv per eMail verschicken. In diesem Beispiel nehmen wir einfach ein Lied/ZIP-Archiv der [[http:// | ||
+ | # curl -O http:// | ||
+ | |||
+ | < | ||
+ | | ||
+ | 100 717k 100 717k 0 | ||
</ | </ | ||
- | ===== Konfiguration ===== | + | Anschließend generieren wir mit Hilfe von **[[http:// |
+ | # swaks --to django@nausch.org --from michael@nausch.org --attach - --server 10.0.0.87 --suppress-data </ | ||
- | # cp / | + | < |
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> MAIL FROM:< | ||
+ | <- 250 2.1.0 Ok | ||
+ | -> RCPT TO:< | ||
+ | <- 250 2.1.5 Ok | ||
+ | -> DATA | ||
+ | <- 354 End data with < | ||
+ | -> 12914 lines sent | ||
+ | <- 250 2.0.0 Ok: queued as 20560C00088 | ||
+ | -> QUIT | ||
+ | <- 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
- | # vim / | + | Im Maillog des **MTA**((**M**ail **T**ransport **A**gent)) finden wir die einträge der erfolgreichen Zustellung. |
- | <file bash / | + | |
- | # default: # | + | |
- | # # | + | |
- | CLAMD_CONFIGFILE=/ | + | |
- | CLAMD_SOCKET=/ | + | |
- | # | + | |
- | </file> | + | |
+ | < | ||
+ | Nov 20 22:37:43 vml000087 postfix/ | ||
+ | Nov 20 22:37:43 vml000087 postfix/ | ||
+ | Nov 20 22:37:44 vml000087 postfix/ | ||
+ | Nov 20 22:37:44 vml000087 postfix/ | ||
+ | Nov 20 22:37:44 vml000087 postfix/ | ||
+ | Nov 20 22:37:44 vml000087 postfix/ | ||
+ | </ | ||
- | # vim /etc/tmpfiles.d/clamd.amavisd.conf | + | Auf Seiten unseres **AS/ |
- | <file bash/etc/tmpfiles.d/ | + | # less /var/log/ |
- | d / | + | |
- | </ | + | < |
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:43 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:44 vml000067 amavis[3310]: | ||
+ | Nov 20 22:37:44 vml000067 amavis[3310]: | ||
+ | </ | ||
+ | |||
+ | In der Inbox unseres **MUA**((**M**ail **U**ser **A**gent))s POP3/ | ||
+ | |||
+ | < | ||
+ | Delivered-To: | ||
+ | Received: from mx01.nausch.org ([10.0.0.87]) | ||
+ | by imap.nausch.org (Dovecot) with LMTP id KmGbByhfblQOXQAArK2B9Q | ||
+ | for < | ||
+ | X-Spam-Flag: | ||
+ | X-Spam-Score: | ||
+ | X-Spam-Level: | ||
+ | X-Spam-Status: | ||
+ | tests=[ALL_TRUSTED=-1, | ||
+ | Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87]) | ||
+ | by mx01.nausch.org (Postfix) with ESMTP id 20560C00088 | ||
+ | for < | ||
+ | Date: Thu, 20 Nov 2014 22:37:43 +0100 | ||
+ | To: django@nausch.org | ||
+ | From: michael@nausch.org | ||
+ | Subject: Ebersberger Liedersammlung: | ||
+ | X-Mailer: swaks v20130209.0 jetmore.org/ | ||
+ | MIME-Version: | ||
+ | Content-Type: | ||
+ | Message-Id: < | ||
+ | |||
+ | ------=_MIME_BOUNDARY_000_12110 | ||
+ | Content-Type: | ||
+ | |||
+ | This is a test mailing | ||
+ | ------=_MIME_BOUNDARY_000_12110 | ||
+ | Content-Type: | ||
+ | Content-Disposition: | ||
+ | Content-Transfer-Encoding: | ||
+ | |||
+ | UEsDBBQDAAAIAFNyDUN6/ | ||
+ | pxiCECBB2coq9lXsiFVClZCTTBKDYwfbYQdxB36R+OEMfPHXm3ASnh1CCoWwiEpNE2f8Znsz426m | ||
+ | M5IdO7pqPOtMCe/ | ||
+ | Tm2XKZnveMjPaNfTPXsPzk8fnB/ | ||
+ | 9KDLpDIprX+i7bR8l7GFaitLT4DpPaEn0hb0nLW3kq2nCk76535G0OG67JsaSjds2DDAPWHp2fK4 | ||
+ | ... | ||
+ | |||
+ | ... | ||
+ | G9kGAAClEgAAEgAAAAAAAAAAACCAtIEAAAAAaW5fZHVsY2lfanViaWxvLmx5UEsBAj8DFAMAAAgA | ||
+ | U3INQ1XNopkpAgAA7QcAABQAAAAAAAAAAAAggLSBCQcAAGluX2R1bGNpX2p1Ymlsby5taWRpUEsB | ||
+ | Aj8DFAMAAAgAU3INQzZ3dvYIwgkAgAAKABMAAAAAAAAAAAAggLSBZAkAAGluX2R1bGNpX2p1Ymls | ||
+ | by5tcDNQSwECPwMUAwAACABTcg1DPURRdX5pAQAQDgIAEwAAAAAAAAAAACCAtIGdywkAaW5fZHVs | ||
+ | Y2lfanViaWxvLnBkZlBLBQYAAAAABAAEAAQBAABMNQsAAAA= | ||
+ | |||
+ | ------=_MIME_BOUNDARY_000_12110-- | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Virus-Mail ===== | ||
+ | Beim nächsten Test versuchen wir eine eMail mit einem Virus im Anhang an einen Benutzer zu schicken. Hierzu greifen wir auf ein Testsignatur-Datei der **[[http:// | ||
+ | Als erstes laden wir uns eine Testsignaturdatei auf unseren Rechner. | ||
+ | # curl -O http:// | ||
+ | < | ||
+ | | ||
+ | 100 | ||
+ | </ | ||
+ | Wie auch schon bei unserem vorherigen Test nutzen wir auch hier **swaks** zum verschicken einer eMail mit der eicar-Testdatei im Anhang. | ||
+ | # swaks --to django@nausch.org --from michael@nausch.org --attach - --server 10.0.0.87 --suppress-data </ | ||
+ | |||
+ | < | ||
+ | === Connected to 10.0.0.87. | ||
+ | <- 220 mx01.nausch.org ESMTP Postfix | ||
+ | -> EHLO vml000087.dmz.nausch.org | ||
+ | <- 250-mx01.nausch.org | ||
+ | <- 250-PIPELINING | ||
+ | <- 250-SIZE 52428800 | ||
+ | <- 250-ETRN | ||
+ | <- 250-STARTTLS | ||
+ | <- 250-ENHANCEDSTATUSCODES | ||
+ | <- 250-8BITMIME | ||
+ | <- 250 DSN | ||
+ | -> MAIL FROM:< | ||
+ | <- 250 2.1.0 Ok | ||
+ | -> RCPT TO:< | ||
+ | <- 250 2.1.5 Ok | ||
+ | -> DATA | ||
+ | <- 354 End data with < | ||
+ | -> 28 lines sent | ||
+ | <** 554 5.7.0 Reject, id=03311-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/ | ||
+ | -> QUIT | ||
+ | <- 221 2.0.0 Bye | ||
+ | === Connection closed with remote host. | ||
+ | </ | ||
+ | Wie wir sehen, wurde die Annahme der eMail vom Mailserver abgelehnt. Der einliefernde Client bekommt auch sofort mit der Fehlermeldung **554 5.7.0 Reject, id=03311-01 - INFECTED: Eicar-Test-Signature.** einen Hinweis, warum die Nachricht nicht angenommen wurde. | ||
+ | |||
+ | Im Maillog des **MTA**((**M**ail **T**ransport **A**gent)) finden wir die Einträge des Zustellungsversuch. | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | Nov 20 22:43:10 vml000087 postfix/ | ||
+ | </ | ||
+ | |||
+ | Details zum Scannvorgang und -ergebnis können wir mit der id **03311-01** im Maillog des **AS/ | ||
+ | # less / | ||
+ | |||
+ | < | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
+ | Nov 20 22:43:09 vml000067 amavis[3311]: | ||
[amavis[3311] and clamd[3288] log entries from vml000067, Nov 20 22:43:09-10; the log message text itself is not preserved in this copy]
</code>
+ | |||
Here we then search for the aforementioned ID 03311-01 and learn the actual reason why acceptance of the message was refused.

In line with our settings in **[[|AMaViS]]**, the recipient receives a message saying that an attempt was made to deliver a message to them,
+ | |||
<code>
Delivered-To:
Received: from mx01.nausch.org ([10.0.0.87])
	by imap.nausch.org (Dovecot) with LMTP id YmGbByhfblQOXQAArK2B9Q
	for <
Received: from localhost (vml000067.dmz.nausch.org [10.0.0.67])
	by mx01.nausch.org (Postfix) with ESMTP id 44A0AC00089
	for <
MIME-Version:
From: Postmaster <
Date: Thu, 20 Nov 2014 22:43:09 +0100 (CET)
Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <
To: django@nausch.org
Message-ID: <
Content-Type:
Content-Disposition:
Content-Transfer-Encoding:

VIRUS ALERT

Our content checker found
    virus: Eicar-Test-Signature

in an email to you from probably faked sender:

claiming to be: <

Content type: Virus
Our internal reference code for your message is 03311-01/

First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org
Received from: 10.0.0.87

Return-Path:
From: michael@nausch.org
Message-ID: <
X-Mailer: swaks v20130209.0 jetmore.org/
Subject: Eicar Virentestpattern
Not quarantined.

Please contact your system administrator for details.

</code>
+ | |||
+ | |||
===== Optimisation / RAM disk for AMaViS =====
Since, with correspondingly high traffic, the accesses to the hard disk have an unfavourable effect on performance, we create a RAM disk for the virus scanner. ClamAV can then unpack the file attachments of the messages there, store them and check them for malicious code.

<WRAP center round tip 60%> \\
After all, how does the old server configuration saying go?
</WRAP>
+ | |||
When deciding how large the RAM disk should be, the following formula can be used:

**RAM disk ≈ number of AMaViS instances * (max. e-mail size + (max. e-mail size * unpack factor))**

In practice, however, this theoretical value can only in the rarest of cases actually be configured/

In some installations the rule of thumb
**RAM disk ≈ number of AMaViS instances * (1.25 * max. file size)**
has proven itself very well. With four instances, a 250 MB RAM disk is therefore plenty!
+ | |||
So that we can set the access rights on the RAM disk correctly (after all, not everyone should be able to read the contents of the e-mails), we first determine the **gid** and **uid**.
  # grep amavis /

The **UID** is therefore **996** and the **GID** **995**.
+ | |||
Now that we have the values **RAM disk size**,
  # vim /
<code bash>

# Django : 2014-11-21
# RAM disk for ClamAV set up
tmpfs /
</code>
+ | |||
We then mount our new volume with the following command.
  # mount /

Depending on the load, the data are now stored in our working directory.
  # df -h -t tmpfs

<code>
tmpfs
tmpfs
tmpfs
</code>

Scanning our messages will now run considerably faster than in the tests without the RAM disk!
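As an added example (not part of the original page), the following POSIX shell functions apply the two sizing formulas above and build the matching tmpfs entry for fstab, then verify that a mounted line really carries the intended ownership and mode. The mount point /var/spool/amavisd/tmp, the 0750 mode and the noexec,nosuid,nodev options are assumptions (the page's own fstab line is truncated); uid 996 and gid 995 are the values determined above.

```shell
# Added example: size the AMaViS/ClamAV RAM disk and emit its fstab entry.
# Assumed (not on the original page): mount point /var/spool/amavisd/tmp,
# mode 0750 and the noexec,nosuid,nodev hardening options.
# uid 996 / gid 995 are the amavis values found with grep above.

# Theoretical size in MB: instances * (max_mail + max_mail * unpack_factor).
# unpack_factor is an integer growth factor for archives (e.g. 2 means an
# attachment may expand to twice its compressed size).
ramdisk_theoretical_mb() {
    instances=$1; max_mail_mb=$2; unpack_factor=$3
    echo $(( instances * (max_mail_mb + max_mail_mb * unpack_factor) ))
}

# Rule of thumb in MB: instances * (1.25 * max_file). 1.25 is written as 5/4
# so the arithmetic stays integer-only and POSIX-sh compatible.
ramdisk_rule_of_thumb_mb() {
    instances=$1; max_file_mb=$2
    echo $(( instances * max_file_mb * 5 / 4 ))
}

# fstab line for the tmpfs: owned by the amavis uid/gid, mode 0750 so only
# that account (and root) can read unpacked attachments; noexec/nosuid/nodev
# because nothing in this directory should ever be executable.
fstab_line() {
    size_mb=$1; uid=$2; gid=$3; mountpoint=$4
    printf 'tmpfs %s tmpfs defaults,noexec,nosuid,nodev,size=%sM,uid=%s,gid=%s,mode=0750 0 0\n' \
        "$mountpoint" "$size_mb" "$uid" "$gid"
}

# Verify an active mount (one line of /proc/mounts) carries the expected
# ownership, mode and hardening options: returns 0 if all are present, else 1.
mount_options_ok() {
    uid=$2; gid=$3
    set -- $1              # split the mount line into its fields
    opts=$4                # the fourth field is the comma-separated option list
    for want in "uid=$uid" "gid=$gid" noexec nosuid nodev; do
        case ",$opts," in *",$want,"*) ;; *) return 1 ;; esac
    done
    # the kernel reports the mode as three octal digits (mode=750)
    case ",$opts," in *",mode=750,"*|*",mode=0750,"*) return 0 ;; *) return 1 ;; esac
}

# Worked values from the page: four instances and the 250 MB rule of thumb
# imply a 50 MB maximum file size; the unpack factor 2 is a constructed input.
size=$(ramdisk_rule_of_thumb_mb 4 50)          # 250
worst=$(ramdisk_theoretical_mb 4 50 2)         # 600
echo "rule of thumb: ${size}M, theoretical worst case: ${worst}M"
fstab_line "$size" 996 995 /var/spool/amavisd/tmp
```

Comparing the rule-of-thumb figure with the theoretical worst case shows how much headroom the 250 MB disk actually leaves once large archives are unpacked.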