Linux-Tip News
Howto install a content filtering and virus checking proxy (Part II)
Friday, 11 May 2007
Commercial filters are often expensive, especially when used on a large number of computers, as would be the case in a school computer lab or in small or medium companies with computer networks. In contrast, open source filters are generally freely available for download. In addition, since commercial filters are proprietary, in many cases the system administrator does not have the opportunity to modify or even view the lists of blocked sites. 

 

 

With a typical server-based filtering and virus scan solution running on a proprietary operating system, you would have to pay hundreds or possibly thousands of dollars for the server's operating system, on top of per-seat user licensing fees for the server as well as the filtering software. With an open source solution you can be up and running with no software and upgrade costs whatsoever.

In the first part of the article we installed SquidGuard, which works as a redirector for the caching proxy Squid. We will now combine it with the virus scan engine ClamAV to get a complete content filtering and virus scanning proxy.


Step 1: Install ClamAV

We will use the rpm packages provided by Suse and will install ClamAV using YaST. Open a console and start the yast command:

yast

Switch over to the software section and search for clamav. The version available at the time of writing is 0.90.2. The tool will automatically handle the dependencies and install all related packages if necessary.

 

 

It is now time to download the latest virus definitions. Execute the following commands using your console:

 

touch /var/log/clamav/clamav-updater.log
chmod 600 /var/log/clamav/clamav-updater.log
chown vscan /var/log/clamav/clamav-updater.log      # vscan is the ClamAV user on Suse
freshclam -d -c 2 -l /var/log/clamav/clamav-updater.log    # daemon mode, 2 checks per day, log to this file

Please check the log file (/var/log/clamav/clamav-updater.log) for possible errors.

The following command makes clamd start automatically in daemon mode after a reboot:

chkconfig clamd on

Start the daemon now with the following command:

service clamd start

I recommend scanning your hard disk with the latest virus definitions like this (the pseudo file systems are excluded, and -i lists only infected files):

clamscan -r -i --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev /

After checking all files, clamscan prints a scan summary: known viruses, engine version, scanned directories and files, infected files, data scanned and time taken.

 

Step 2: Installing Viralator

Viralator is a Perl script that virus scans HTTP/FTP download requests on a UNIX server after they have passed through the Squid proxy server. Many Linux distributions, including RedHat, Mandriva, Suse and Debian, are supported. The script can work together with redirectors like Squirm, SquidGuard and Jesred. Supported virus scanners are:

  • AntiVir
  • AVP
  • RAV
  • Inoculate
  • Sophos Sweep
  • McAfee
  • Trend
  • ClamAV
  • BitDefender

The original concept for Viralator came from the Viromat project; without Viromat the Viralator project would not have had a starting point. The script is released under the GPL.

How does Viralator work?
First, the script picks up the URL of the file the user wants to download, but downloads the file with Wget into its own directory on the server. The user can monitor the status of the download in a separate pop-up window. After the download, the file is checked for viruses with one of the supported scanners. If a virus is found, the file is deleted immediately and the user gets a "virus found" message. If the file is clean, the script starts an automatic download to the user's hard disk.
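The flow above, as an added example in shell (this is not Viralator's code): a minimal fetch-scan-serve gate built around clamdscan's exit status (0 clean, 1 infected, 2 error), plus a known-positive self-test with the EICAR test string. The self-test is also the check to run right after Step 1, before trusting the proxy at all. It assumes clamd is running and clamdscan is in PATH, uses the article's download directory /srv/www/htdocs/downloads, and introduces a quarantine directory (/var/tmp/viralator-quarantine, an assumption) that Apache does not serve.

```shell
#!/bin/sh
# Added example (not Viralator's code): a minimal fetch-scan-serve gate that
# mirrors the flow described above, plus a known-positive self-test for the
# scanner. Assumptions: clamd is running and clamdscan is in PATH; the
# web-served download directory is /srv/www/htdocs/downloads as in this
# article; QUARANTINE is a directory Apache does not serve (assumed path).

QUARANTINE="${QUARANTINE:-/var/tmp/viralator-quarantine}"
DOWNLOADS="${DOWNLOADS:-/srv/www/htdocs/downloads}"

# clamdscan exit status: 0 = clean, 1 = infected, 2 = error (clamd not
# running, unreadable file, ...). SCAN_CMD can be pointed at a stub for tests.
run_clamdscan() { clamdscan --no-summary "$1" >/dev/null 2>&1; }
SCAN_CMD="${SCAN_CMD:-run_clamdscan}"

# Map an exit status to a verdict. Errors are never treated as "clean":
# a scanner that cannot run must fail closed.
verdict_of_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one file and print its verdict.
scan_file() {
    rc=0
    "$SCAN_CMD" "$1" || rc=$?
    verdict_of_rc "$rc"
}

# The gate: a clean file moves into the served directory, an infected file is
# deleted, and on scanner error the file stays in quarantine for a human.
gate_local_file() {
    f="$1"
    v="$(scan_file "$f")"
    case "$v" in
        clean)    mv -- "$f" "$DOWNLOADS/" ;;
        infected) rm -f -- "$f" ;;
    esac
    echo "$v"
}

# Fetch a URL into quarantine (never straight into the served tree), then
# gate it. Prints clean / infected / error.
gate_download() {
    url="$1"
    mkdir -p "$QUARANTINE"
    name="$(basename "${url%%\?*}")"     # local name without the query string
    [ -n "$name" ] || name=download.bin
    tmp="$QUARANTINE/$$-$name"
    if ! wget -q -O "$tmp" -- "$url"; then
        rm -f -- "$tmp"
        echo error
        return 0
    fi
    gate_local_file "$tmp"
}

# Known-positive self-test with the EICAR test string (harmless by design).
# Run this before trusting the proxy: a clean report on the whole disk proves
# nothing if clamd is down or the signatures never loaded. Expect "infected".
eicar_selftest() {
    mkdir -p "$QUARANTINE"
    t="$QUARANTINE/eicar-$$.com"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$t"
    v="$(scan_file "$t")"
    rm -f -- "$t"
    echo "$v"
}

case "${1:-}" in
    selftest) eicar_selftest ;;
    fetch)    gate_download "$2" ;;
esac
```

Run it as "sh gate.sh selftest" and expect "infected"; "sh gate.sh fetch URL" fetches and gates a single URL. One design point worth copying into any such gate: a scanner error (clamd down, unreadable file) is not treated as clean, so the file stays in quarantine instead of being handed to the user.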
 
What do we need to get it running?
We will use the same Squid proxy server already described in the first part of the article. The redirector will be SquidGuard and the antivirus scanner ClamAV. We also need Apache to run the CGI script.

Let's start: download the Viralator script from the following website and store it in your Downloads directory:

 

http://viralator.sourceforge.net/


If your Apache server is still running as described in part 1 of the article, shut it down:


service apache2 stop

 

Make sure the following directories exist on your server, with the correct ownership and permissions:

/srv/www/cgi-bin  755  wwwrun:www
/srv/www/htdocs/downloads  755 wwwrun:www
/etc/viralator

The following commands unpack the package and copy everything into the destination directories:

su                                   # become root
cd /home/user/Downloads
tar xzf viralator-0.9.7.tar.gz
cd viralator
cp viralator.cgi /srv/www/cgi-bin
chown wwwrun:www /srv/www/cgi-bin/viralator.cgi
chmod 755 /srv/www/cgi-bin/viralator.cgi
cp bar.png progress.png style.css /srv/www/htdocs
cd /home/user/Downloads/viralator/etc/viralator
cp -R * /etc/viralator

 

Viralator comes with its own config file "viralator.conf", which we copied to /etc/viralator. Please make sure to set the parameters correctly.

Here are my settings:

default_language -> english.txt
charset -> ISO-8859-1
lang -> en-US
virusscanner -> clamdscan
scannerpath -> /usr/bin
viruscmd -> --verbose --stdout
alert -> FOUND
scannersummary -> true
downloads -> /srv/www/htdocs/downloads
skip_downloads -> true
downloadsdir -> /downloads
popupfast -> false
popupback -> false
popupwidth -> 600
popupheight -> 400
filechmod -> 0644
dirmask -> 0022
secret -> Use your own passphrase
progress_unit -> bar.png
progress_indicator -> progress.png
css_file -> style.css

 

Step 3: Prepare Apache to run the Viralator script

Apache 2 works almost "out of the box". Only two things matter here: make sure the ScriptAlias for the cgi-bin directory and the "AddHandler" line are set correctly. You will find the settings in /etc/apache2/default-server.conf:

 

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        AddHandler cgi-script .cgi .pl
        Order allow,deny
        # viralator.cgi fetches whatever URL it is given and serves the result,
        # so limit who may call it to the proxy's clients, e.g.
        # "Allow from 192.168.1.0/24" instead of "Allow from all".
        Allow from all
</Directory>
 

In addition, you should check if apache runs as user “wwwrun”. In /etc/apache2/uid.conf you will find the necessary settings.

User wwwrun
Group www

Remark:
If your browser tries to download the cgi script instead of executing it, you probably have a problem with the AddHandler line in the Apache configuration. Check the file permissions and ownership of the cgi file as well.

If everything looks fine, start Apache:

service apache2 start

 

Step 4: Configuring SquidGuard

As already mentioned, we will use the SquidGuard configuration that we created in the first part of the article. We only have to change a few lines to combine the content check with the virus check.

First of all, create a subdirectory called vscan in the database directory:
 

cd /var/lib/squidGuard/db
mkdir vscan

 

In it, create a file called "files" with the following content:

(\.exe$|\.com$|\.bat$|\.zip$)

As you can see, these are the file extensions for which the Viralator script will be invoked to scan the download. You can add other extensions later. Set permissions and ownership like those of the other directories in the db folder, so that squidGuard can read the file.
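To see which URLs such an expression actually catches, here is an added example (not from the article, squidGuard or Viralator) that tests the pattern above against a few constructed URLs with grep -E, which uses the same POSIX extended-regex syntax as squidGuard expression lists. It assumes, as the squidGuard documentation states, that expressions are matched case-insensitively, hence grep -i. It also shows a hardened pattern that still matches when a query string follows the extension (the original, anchored with $, lets http://.../setup.exe?dl=1 through unscanned) and that no longer matches a bare host name such as http://example.com on its ".com" suffix.

```shell
#!/bin/sh
# Added example (not squidGuard or Viralator code): exercise squidGuard-style
# expressionlist patterns against constructed URLs with grep -E.
# Assumption: squidGuard matches expressions case-insensitively, so grep -i
# is used to mirror that.

# The pattern from the article: each extension anchored at the end of the URL.
ORIG='(\.exe$|\.com$|\.bat$|\.zip$)'

# Hardened pattern: requires a path after the host name (so a bare
# http://example.com no longer matches on ".com"), tolerates a query string
# after the extension, and covers a few more Windows executable types.
HARDENED='^[a-z]+://[^/]+/.*\.(exe|com|bat|cmd|scr|pif|msi|zip)(\?.*)?$'

# Print "match" (URL would be redirected to the scanner) or "pass".
check_url() {
    pattern="$1"; url="$2"
    if printf '%s\n' "$url" | grep -Eiq -- "$pattern"; then
        echo match
    else
        echo pass
    fi
}

# Constructed sample URLs for this example.
URLS='http://example.com/setup.exe
http://example.com/Setup.EXE
http://example.com/setup.exe?dl=1&token=abc
http://example.com/files/tool.zip
http://example.com/report.pdf
http://example.com/exe/index.html
http://example.com'

# Show, for one pattern, which sample URLs would be sent to the scanner.
report() {
    pattern="$1"
    printf '%s\n' "$URLS" | while IFS= read -r u; do
        printf '%-5s %s\n' "$(check_url "$pattern" "$u")" "$u"
    done
}

echo "== original pattern"
report "$ORIG"
echo "== hardened pattern"
report "$HARDENED"
```

Whichever pattern you use, the extension is only a hint chosen by the remote server: the expression list decides which downloads get scanned, not whether a file is executable, so keep it broad rather than exact.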

In the destination section we have to add the entry "dest files". The SquidGuard config file then looks like this:

 

# Squid Guard config file
#-------------------------
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db

# DESTINATIONS
dest spy {
        domainlist spyware/domains
        urllist spyware/urls
        redirect http://192.168.1.1
        log /var/log/squidGuard/blocked.log
}

dest porn {
        domainlist porn/domains
        urllist porn/urls
        redirect http://192.168.1.1
        log /var/log/squidGuard/blocked.log
}

dest files {
        expressionlist vscan/files
        redirect http://192.168.1.1/cgi-bin/viralator.cgi?url=%u
        log /var/log/squidGuard/viruscheck.log
}

# ACCESS CONTROL LISTS
acl {
        default {
                pass !files !porn !spy !in-addr all
        }
}

 

As you can see, we redirect all "spy" and "porn" traffic to http://192.168.1.1, and all URLs ending in .exe, .com, .bat or .zip to http://192.168.1.1/cgi-bin/viralator.cgi, with the original URL handed over in the url parameter (%u).

There is no need to change the Squid configuration file. Please use the same file mentioned in the first part of the article.

 


Step 5: Running and trouble-shooting the Proxy

OK, it's time to check if our configuration works. Use your Linux or Windows client and configure the proxy settings according to the workshop setup from the first part of the article:

Proxy server: 192.168.1.1
Proxy port 3128

Browsing, except for "porn" and "spy" sites, should work properly. Blocked pages are redirected to http://192.168.1.1 and show the "Content Blocked" page.

Downloading a file that matches the "files" expression list opens the pop-up window, which informs the user about the status of the download. If the file is clean, the download to the client starts automatically ("Download OK").

If a virus is found, the file is deleted automatically and the user gets the virus warning instead of the file.


In case of problems, check the following log files with "tail -f":

Apache
/var/log/apache2/access.log
/var/log/apache2/error_log

SquidGuard
/var/log/squidGuard/blocked.log
/var/log/squidGuard/viruscheck.log

Squid
/var/log/squid/cache.log
/var/log/squid/store.log


I recommend reading the following documents:

http://httpd.apache.org/docs/2.0/howto/cgi.html

http://viralator.sourceforge.net/
http://www.maynidea.com/squidguard/config.html
http://www.kernel-panic.it/openbsd/proxy/
http://www.aerospacesoftware.com/squidguard-howto.html
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html