Topic: Cannot get clamav module to work even it is compiled and loaded...

jamdev
Hi all,

I've downloaded the latest version of the proftpd server 1.3.5e-2 and have compiled it with the spec file from Fedora.org as well as their patches and updates. The application works fine and without issues. One of the things I've been wanting to do is provide the mechanism to validate files that are being uploaded and make sure they do not have viruses. So I was looking and of course I find that there is a module for clamav integration into ProFTPD. I've tried both:

https://github.com/jbenden/mod_clamav
https://github.com/Castaglia/proftpd-mod_clamav

No matter which one I use, I can't make this work. This is the configuration file that I've set up:

DefaultServer off
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
IdentLookups off
UseReverseDNS off
User ftp
Group ftp
MaxInstances 150
MaxClientsPerUser 8
UseSendfile off
UseIPv6 off
LogFormat default   "%h %l %u %t \"%r\" %s %b"
ExtendedLog /var/log/secure AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"
SystemLog /var/log/proftpd/proftpd.log
Port 0
TimeoutIdle 900
TimeoutNoTransfer 900
AllowOverwrite on
PassivePorts 60000 65534
TimesGMT Off
SetEnv TZ :/etc/localtime
LoadModule mod_ctrls_admin.c
LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c
LoadModule mod_site_misc.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
LoadModule mod_wrap2_sql.c
LoadModule mod_vroot.c
LoadModule mod_clamav.c
<Limit SITE_CHMOD>
  AllowAll
</Limit>
<Global>
  ServerIdent On "FTP Server Ready"
  Umask 0003
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
SiteMiscEngine on
</Global>
  <IfModule mod_ctrls_admin.c>
     AdminControlsEngine off
  </IfModule>
  <IfModule mod_clamav.c>
     ClamAV on
     ClamServer 127.0.0.1
     ClamPort 3310
     ClamMaxSize 250 Mb
  </IfModule>
  <IfModule mod_vroot.c>
        VRootEngine on
        DefaultRoot ~ !adm
        VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
  </IfModule>
  <IfModule mod_sftp.c>
    <VirtualHost 1.2.3.4>
      MaxClientsPerUser 8
      DefaultRoot  ~
      Umask 0003
      SyslogLevel info
      ServerLog /var/log/proftpd/proftpd-vhost.log
      <Limit ALL SITE_CHMOD>
        AllowAll
      </Limit>
      SFTPEngine on
      SFTPOptions IgnoreSFTPUploadPerms
      SFTPLog /var/log/proftpd/sftp.log
      Port 2222
      SFTPHostKey /etc/ssh/ssh_host_rsa_key
      SFTPHostKey /etc/ssh/ssh_host_dsa_key
      SFTPAuthorizedUserKeys file:/etc/proftpd/conf.d/auth_keys/%u_auth_keys
      SFTPCompression delayed
      MaxLoginAttempts 5
      SFTPClientMatch ".*J2SSH_Maverick.*" channelWindowSize 32MB
      SFTPClientMatch .* sftpProtocolVersion 3 channelWindowSize 1GB
      WrapEngine on
      WrapTables file:/etc/proftpd/conf.d/hosts.allow file:/etc/proftpd/conf.d/hosts.deny
      WrapLog    /var/log/proftpd/wrap.log
    </VirtualHost>
  </IfModule>
</IfDefine>

Running proftpd -vv output below:

ProFTPD Version: 1.3.5e (maint)
  Scoreboard Version: 01040003
  Built: Wed May 17 2017 07:48:15 PDT

Loaded modules:
  mod_clamav/0.14rc2
  mod_vroot/0.9.4
  mod_wrap2_sql/1.0
  mod_wrap2_file/1.3
  mod_wrap2/2.0.6
  mod_site_misc/1.5
  mod_sftp_pam/0.3
  mod_sftp/0.9.9
  mod_ctrls_admin/0.9.7
  mod_lang/1.0
  mod_ctrls/0.9.5
  mod_cap/1.1
  mod_tls/2.6
  mod_auth_pam/1.2
  mod_readme/1.0
  mod_ident/1.0
  mod_dso/0.5
  mod_facts/0.4
  mod_delay/0.7
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/1.0
  mod_auth_unix.c
  mod_rlimit/1.0
  mod_xfer.c
  mod_core.c

I've tried uploading the test virus file "eicar.com.txt", but ClamAV is never triggered and it doesn't seem to want to even connect to the ClamAV server even though it is on the same server.

Can you give me some pointers as to what I may be doing wrong here?

Below is the project from Fedora I've used: https://src.fedoraproject.org/git/rpms/proftpd.git

The source code is the same from both of these locations:
http://pkgs.fedoraproject.org/repo/pkgs/proftpd/proftpd-1.3.5e.tar.gz/sha512/54a9700af803297697e4b7f2d7dc82139785f9f2cbeb40b226f94ff3e8690f2e3672aa80373005dfec4b53f3dd9ca7b0a658ea39bda63e71292c810ba994eac7/proftpd-1.3.5e.tar.gz
ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5e.tar.gz

Hope you can help.
jamdev12

castaglia
« Reply #1 on: May 18, 2017, 04:07:12 pm »
Are you trying the EICAR file via SFTP?  If so, then your mod_sftp <VirtualHost> section will need to contain e.g.:

  <IfModule mod_clamav.c>
     ClamAV on
     ClamServer 127.0.0.1
     ClamPort 3310
     ClamMaxSize 250 Mb
  </IfModule>

Right now, the above mod_clamav configuration is *outside* of your SFTP virtual host, which means that it is not applied to that vhost.
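
A small checker for the scoping problem described in the reply above, as an added example that is not part of the thread or of ProFTPD/mod_clamav: it walks a proftpd.conf and lists each <VirtualHost> in which no `ClamAV on` is in effect. The function names and the sample config are constructed here; treating a `ClamAV` directive inside `<Global>` as covering every vhost is an assumption based on ProFTPD's `<Global>` semantics.

```python
import re

# Constructed sample mirroring this thread's layout: mod_clamav is configured
# at server level, and the SFTP <VirtualHost> has no ClamAV lines of its own.
SAMPLE_CONF = """\
<IfModule mod_clamav.c>
  ClamAV on
  ClamServer 127.0.0.1
</IfModule>
<IfModule mod_sftp.c>
  <VirtualHost 1.2.3.4>
    SFTPEngine on
    Port 2222
  </VirtualHost>
</IfModule>
"""
TRUE_VALUES = {"on", "yes", "true", "1"}


def clamav_coverage(conf_text):
    """Map each server scope to True/False: is 'ClamAV on' in effect there?"""
    scope, in_global, global_on = "server config", False, None
    explicit = {scope: None}          # None = ClamAV not set in this scope
    for line in map(str.strip, conf_text.splitlines()):
        vhost = re.fullmatch(r"<VirtualHost\s+([^>]+)>", line, re.I)
        words = line.split()
        if vhost:
            scope = "VirtualHost " + vhost.group(1).strip()
            explicit.setdefault(scope, None)
        elif line.lower() == "</virtualhost>":
            scope = "server config"
        elif line.lower() in ("<global>", "</global>"):
            in_global = not line.startswith("</")
        elif len(words) > 1 and words[0].lower() == "clamav":
            value = words[1].lower() in TRUE_VALUES
            if in_global:
                global_on = value     # assumption: <Global> reaches every vhost
            else:
                explicit[scope] = value
    return {s: bool(global_on if v is None else v) for s, v in explicit.items()}


def unscanned_vhosts(conf_text):
    """Virtual hosts whose uploads would not be handed to clamd."""
    return [s for s, on in clamav_coverage(conf_text).items()
            if s.startswith("VirtualHost") and not on]

if __name__ == "__main__":
    print(unscanned_vhosts(SAMPLE_CONF))
```

Run against the real configuration file before an EICAR upload test; an empty list means every virtual host has the scanner switched on in its own scope or through `<Global>`.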

jamdev
« Reply #2 on: May 18, 2017, 06:44:20 pm »
Castaglia,

As always you have corrected my error. Now it works with the configuration properly set up.  ;D

Only thing I would like to ask and I don't know if this is possible, can a message be sent to the client stating that their file has a virus if it is detected?

I see this in jbenden's code

      proto = pr_session_get_protocol(0);
      if (strncmp(proto, "ftp", 3) == 0 ||
          strncmp(proto, "ftps", 4) == 0) {
        pr_response_send(R_550, "Virus Detected and Removed: %s", pt);
      }

But seems that this only happens for FTP and FTPS connections, not for SFTP.

Thanks,
jamdev

castaglia
« Reply #3 on: May 20, 2017, 02:58:54 am »
Unfortunately, SFTP as a protocol does not support sending textual messages back to clients like that.

andrewmiskell
« Reply #4 on: June 13, 2017, 05:05:02 pm »
Quote from castaglia:
  Unfortunately, SFTP as a protocol does not support sending textual messages back to clients like that.

Is there a mechanism that could be used to notify in some other method? i.e. if someone uploads a file with a virus in it, we can generate an email or something similar?

I'm currently using the jbenden version of the ClamAV module (latest version, I pull it from GitHub when I build our packages) along with ProFTPd 1.3.6. I did recently see your module but noticed it hasn't been updated in almost 5 years so I wasn't sure if it still worked, etc.
