Tuesday, December 13, 2011

Setting up HAVP (with ClamAV) + Squid to work as Secure Proxy

There are two ways in which HAVP can be made to interact with Squid (taken from http://kokikode.wordpress.com/2010/03/14/configuring-squid-havpclamav-in-ubuntu-reviews/).
1. The first way is to have HAVP as the parent proxy for Squid.
               Transparent Proxy*
               192.168.0.253:3128
                      ||                    [eth1]
                      ||                      ||
 [Intranet]--------[Squid]-+-[HAVP]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:8080
                               ||
                               ||
                            [ClamAV]
2. The second is to make Squid the parent proxy for HAVP.
                 [ClamAV]
                     ||
                     ||
               Transparent Proxy*
               192.168.0.253:8080
                     ||                     [eth1]
                     ||                       ||
 [Intranet]--------[HAVP]-+-[Squid]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:3128

There are advantages and disadvantages to each (as described in http://kokikode.wordpress.com/2010/03/14/configuring-squid-havpclamav-in-ubuntu-reviews/).

I prefer Method-1, because Squid then caches only the content HAVP has deemed safe.

Creating Method-1 Setup:
STEP1: Install Squid Proxy
The steps are outlined in my previous post.
STEP2: Install ClamAV.
I tried installing ClamAV using the command:
sudo apt-get install clamav
When performing signature update using
sudo freshclam
I obtained a warning saying the ClamAV engine was out of date. So I decided to install ClamAV from the source code. The latest stable source code can be obtained from http://www.clamav.net/lang/en/download/sources/.

Before installing ClamAV, a new user and group need to be created. The default user and group names are both "clamav". They can be added using the commands:
groupadd clamav
useradd -g clamav clamav
Untar the downloaded source code using the command:
tar -xzvf clamav-0.97.3.tar.gz

Move into the newly created directory and run "configure" with any needed options (none are required unless the user and group differ from the defaults, clamav-milter needs to be installed, or experimental features need to be enabled). Before actually installing, it is good to check for previous versions of ClamAV and remove them. The commands to build and install are:
cd clamav-0.97.3
./configure
make
sudo apt-get remove --purge clamav
sudo make uninstall
sudo make install

Before updating ClamAV, it is good to edit the clamd.conf and freshclam.conf files located in the /usr/local/etc folder. The line containing "Example" needs to be commented out, and any other entries uncommented as needed. The config files are self-explanatory. However, one issue could arise: the log files and signature directories used by freshclam and clamd, as specified in the .conf files, might not have the permissions required for them to be created or edited. You can manually create the file and folder and fix their permissions using chmod/chown.

Update the antivirus signatures and try scanning a simple file.
sudo freshclam
clamscan -v filename
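The config editing and permission fixing described above can be scripted so the result is checkable rather than done by hand. The script below is an added example, not part of the original post or of ClamAV: it comments out the "Example" line, sets a handful of real clamd.conf/freshclam.conf options, and creates the log, run and database directories owned by the clamav user. The /usr/local/etc prefix follows the post; the /var/log/clamav, /var/run/clamav and /var/lib/clamav paths and the user/group name "clamav" are the assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): prepares clamd.conf and
# freshclam.conf the way STEP2 describes, in a form that can be verified.
# Assumptions: config files live in /usr/local/etc (the post's install prefix),
# the log/run/db paths below are the ones chosen for this setup, and the
# daemon user and group are both "clamav".

CLAM_USER="${CLAM_USER:-clamav}"
CLAM_GROUP="${CLAM_GROUP:-clamav}"

# disable_example_line FILE
# A stock clamd.conf / freshclam.conf contains a bare "Example" line that makes
# the daemon refuse to start until it is commented out.
disable_example_line() {
    sed -i 's/^[[:space:]]*Example[[:space:]]*$/#Example/' "$1"
}

# set_option FILE KEY VALUE
# Replaces an existing (possibly commented) KEY line, or appends one, so the
# file ends up with an active "KEY VALUE" setting.
set_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# active_value FILE KEY -> prints the value of the uncommented KEY line(s)
active_value() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# make_owned_dir DIR
# Creates a directory the conf files point at and hands it to the clamav
# user; missing ownership here is the permission problem the post warns about.
make_owned_dir() {
    mkdir -p "$1"
    chown "${CLAM_USER}:${CLAM_GROUP}" "$1"
    chmod 750 "$1"
}

# configure_clamav [ETC_DIR] -> applies the whole set of edits
configure_clamav() {
    local etc="${1:-/usr/local/etc}"
    disable_example_line "$etc/clamd.conf"
    disable_example_line "$etc/freshclam.conf"
    set_option "$etc/clamd.conf"     LogFile           /var/log/clamav/clamd.log
    set_option "$etc/clamd.conf"     LocalSocket       /var/run/clamav/clamd.sock
    set_option "$etc/clamd.conf"     DatabaseDirectory /var/lib/clamav
    set_option "$etc/clamd.conf"     User              "$CLAM_USER"
    set_option "$etc/freshclam.conf" DatabaseDirectory /var/lib/clamav
    set_option "$etc/freshclam.conf" UpdateLogFile     /var/log/clamav/freshclam.log
    set_option "$etc/freshclam.conf" DatabaseOwner     "$CLAM_USER"
    for d in /var/log/clamav /var/run/clamav /var/lib/clamav; do
        make_owned_dir "$d"
    done
}

# Usage (as root, after "make install"): ./prep-clamav.sh /usr/local/etc
if [ $# -gt 0 ]; then configure_clamav "$1"; fi
```

Run it once as root after "make install" and before the first freshclam; the directories it creates are the ones the edited conf files point at, so freshclam and clamd can write their logs and signatures without further chown work.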

STEP3: Install HAVP
The instructions given in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ provide some guidance for the installation.

This command installed an older version of HAVP:
sudo apt-get install havp

Hence, get the latest source code of HAVP from http://www.server-side.de/download.htm.

Install HAVP using the regular commands given below. The build also adds the required user and group "havp", so they need not be created manually.
tar -xvzf havp-0.92a.tar.gz
cd havp-0.92a
./configure
make
sudo make install

Add the line below to /usr/local/squid/etc/squid.conf:
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
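One caveat worth checking: the "default" keyword only makes HAVP the parent Squid prefers. Squid's own documentation recommends "never_direct allow all" when every request must go through a parent, because without it Squid may fetch directly (and thus unscanned) whenever it decides the parent is unavailable. The script below is an added example, not from the original post or from Squid, that checks squid.conf for both lines. It assumes the post's squid.conf path and HAVP listening on 127.0.0.1:8080.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: checks that squid.conf really
# forces every request through the HAVP parent. Assumptions: squid.conf is at
# /usr/local/squid/etc/squid.conf (the post's path) and HAVP listens on
# 127.0.0.1:8080 as in the post's diagram.

SQUID_CONF="${SQUID_CONF:-/usr/local/squid/etc/squid.conf}"
HAVP_HOST="${HAVP_HOST:-127.0.0.1}"
HAVP_PORT="${HAVP_PORT:-8080}"

# active_lines FILE -> the config with comments and blank lines stripped
# (a '#' inside a value would be cut too; squid.conf rarely has one)
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# has_havp_parent FILE -> 0 if a cache_peer line names HAVP as a parent
has_havp_parent() {
    active_lines "$1" | awk -v h="$HAVP_HOST" -v p="$HAVP_PORT" '
        $1 == "cache_peer" && $2 == h && $3 == "parent" && $4 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# forces_parent FILE -> 0 if "never_direct allow all" is present, which stops
# Squid from fetching directly when it considers the parent unavailable;
# "default" on the cache_peer line alone does not guarantee that.
forces_parent() {
    active_lines "$1" | awk '
        $1 == "never_direct" && $2 == "allow" && $3 == "all" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_squid_chain [FILE] -> prints a verdict per rule, returns 0 only if both hold
check_squid_chain() {
    local f="${1:-$SQUID_CONF}" rc=0
    if has_havp_parent "$f"; then
        echo "ok: cache_peer -> $HAVP_HOST:$HAVP_PORT"
    else
        echo "missing: cache_peer $HAVP_HOST parent $HAVP_PORT 0 no-query no-digest no-netdb-exchange default"
        rc=1
    fi
    if forces_parent "$f"; then
        echo "ok: never_direct allow all"
    else
        echo "missing: never_direct allow all (Squid may bypass HAVP)"
        rc=1
    fi
    return $rc
}

# Usage: ./check-squid-chain.sh /usr/local/squid/etc/squid.conf
if [ $# -gt 0 ]; then check_squid_chain "$1"; fi
```

Run it after editing squid.conf and again whenever the file changes; a non-zero exit means some requests can still reach the Internet without passing HAVP.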

Next, havp.config needs to be edited. This config file is located at /usr/local/etc/havp/havp.config. Most of the entries are self-explanatory; the configuration provided in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ can be used as a reference.

Two major steps need to be performed before HAVP will run successfully. The first is to set appropriate permissions on the files used by HAVP. In my case, I enumerated the files and folders needing permission changes by looking at the error messages. The INSTALL file provided in the extracted havp folder (havp-0.92a) gives the following commands.
Make sure the directories you are using have correct permissions:

  # chown havp /var/tmp/havp /var/log/havp /var/run/havp
  # chmod 700 /var/tmp/havp /var/log/havp /var/run/havp

The second major step is to ensure the scan file system has mandatory locks enabled. The INSTALL file explains how to do this. The file /etc/fstab lists the file systems mounted at boot. In my case I had just the root file system (/). So, as indicated in the INSTALL file, I used the following command to activate mandatory locks:
mount -o remount,mand /
The "mand" option could be similarly added to any other file system used by HAVP for scanning (maybe the file system specified for SCANTEMPFILE in havp.config?). To make the "mand" change permanent, we need to add the "mand" option in the fstab file, for the mount root file system entry. The entry in my case looks like:
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/host/ubuntu/disks/root.disk /               ext4    loop,mand,errors=remount-ro 0       1
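Both preconditions (directory ownership and mandatory locking on the file system that holds the scan temp file) are easy to get wrong and HAVP only reports them at start-up. The script below is an added example, not from the original post or from HAVP's INSTALL file, that checks them up front. The directory list follows the INSTALL commands above; the SCANTEMPFILE default used here (/var/tmp/havp/havp-XXXXXX) is an assumption for this example and should be replaced with whatever havp.config sets.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post or of HAVP): verifies the two
# preconditions the INSTALL file insists on, before HAVP is started.
# Assumptions: the directories are the three from the INSTALL commands, the
# daemon user is "havp", and SCANTEMPFILE is /var/tmp/havp/havp-XXXXXX
# (replace with the value from havp.config).

HAVP_USER="${HAVP_USER:-havp}"
HAVP_DIRS="${HAVP_DIRS:-/var/tmp/havp /var/log/havp /var/run/havp}"
SCANTEMPFILE="${SCANTEMPFILE:-/var/tmp/havp/havp-XXXXXX}"

# mount_options MOUNTS_FILE PATH -> prints the option string of the longest
# mount point that is a prefix of PATH, read from a /proc/mounts-style table
# (fields: device mountpoint fstype options dump pass).
mount_options() {
    awk -v path="$2" '
        {
            mp = $2
            if (mp == "/" || index(path "/", mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }' "$1"
}

# has_mand_option OPTIONS -> 0 if "mand" is one of the comma-separated options
# (a whole-token match, so "mandatory" or "nomand" do not count)
has_mand_option() {
    case ",$1," in
        *,mand,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# dir_ok DIR -> 0 if DIR exists, is owned by HAVP_USER and has mode 700
dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%U %a' "$1")" = "$HAVP_USER 700" ]
}

# check_havp_prereqs [MOUNTS_FILE] -> reports each item, returns 0 only if all pass
check_havp_prereqs() {
    local mounts="${1:-/proc/mounts}" rc=0 d opts
    for d in $HAVP_DIRS; do
        if dir_ok "$d"; then
            echo "ok: $d"
        else
            echo "fix: chown $HAVP_USER $d && chmod 700 $d"
            rc=1
        fi
    done
    opts=$(mount_options "$mounts" "$SCANTEMPFILE")
    if has_mand_option "$opts"; then
        echo "ok: mandatory locking on the file system holding $SCANTEMPFILE"
    else
        echo "fix: mount -o remount,mand <fs holding $SCANTEMPFILE> (options now: ${opts:-none})"
        rc=1
    fi
    return $rc
}

# Usage: ./check-havp-prereqs.sh            (reads /proc/mounts)
if [ $# -gt 0 ] || [ -r /proc/mounts ] && [ -n "${RUN_CHECK:-}" ]; then
    check_havp_prereqs "$@"
fi
```

Run it with RUN_CHECK=1 (or pass an explicit mounts table) before starting havp; the "fix:" lines are the exact commands from the INSTALL file and the remount shown above, so nothing is left to guess when HAVP refuses to start.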

We can then start HAVP using the command:
/usr/local/sbin/havp
We could also start HAVP as user "havp" using the command:
sudo -u havp /usr/local/sbin/havp

STEP 4: Testing the setup.
Configure the browser to use the Squid proxy IP and port 3128, and try browsing a few webpages. To test whether HAVP is working properly, try visiting http://www.eicar.org/download/eicarcom2.zip. It should return the HAVP ACCESS DENIED page (shown below).
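The same check can be scripted, which is handy for re-running after every config change or signature update. The script below is an added example, not from the original post: it fetches the EICAR test file through Squid with curl and expects HAVP's block page, then fetches a clean URL as a control so a broken proxy is not mistaken for a working scanner. It assumes the proxy is at 192.168.0.253:3128 (the post's address) and that the block page contains the words "ACCESS DENIED", as the post describes.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): scripted version of STEP 4.
# Assumptions: Squid is reachable at 192.168.0.253:3128 (the post's address),
# HAVP's block page contains "ACCESS DENIED", and http://www.eicar.org/ is an
# acceptable clean control URL.

PROXY="${PROXY:-http://192.168.0.253:3128}"
EICAR_URL="http://www.eicar.org/download/eicarcom2.zip"
CLEAN_URL="${CLEAN_URL:-http://www.eicar.org/}"

# classify_response STATUS BODYFILE -> prints "blocked", "passed" or "error".
# A block only counts when HAVP's page is actually present, so a 403 or 502
# from some other component is not mistaken for a successful scan.
classify_response() {
    local status="$1" body="$2"
    if grep -qi 'ACCESS DENIED' "$body"; then
        echo blocked
    elif [ "$status" = 200 ]; then
        echo passed
    else
        echo error
    fi
}

# fetch_via_proxy URL BODYFILE -> prints the HTTP status; body saved to file
fetch_via_proxy() {
    curl -s -x "$PROXY" -o "$2" -w '%{http_code}' --max-time 30 "$1"
}

# run_smoke_test -> 0 only if EICAR is blocked AND the clean fetch passes
run_smoke_test() {
    local body rc=0 v
    body=$(mktemp)
    v=$(classify_response "$(fetch_via_proxy "$EICAR_URL" "$body")" "$body")
    echo "eicar: $v"
    [ "$v" = blocked ] || rc=1
    v=$(classify_response "$(fetch_via_proxy "$CLEAN_URL" "$body")" "$body")
    echo "clean: $v"
    [ "$v" = passed ] || rc=1
    rm -f "$body"
    return $rc
}

# Usage: ./havp-smoke-test.sh run
if [ $# -gt 0 ]; then run_smoke_test; fi
```

"eicar: blocked" together with "clean: passed" is the expected result; "eicar: passed" means the chain is letting content through unscanned, and "error" on the control fetch points at the proxy chain itself rather than at HAVP.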

References:
1. http://volatile-minds.blogspot.com/2008/06/installing-clamav-latest-from-source.html
2. http://wiki.clamav.net/bin/view/Main/InstallFromSource
3. http://informatix.or.id/willy/installing-clamav-from-source.php

3 comments:

  1. If you find that HAVP is throwing some error like "error libclamav.so.# cannot open shared object file: No such file or directory"

    create /etc/ld.so.conf if it does not exist with just a single line of the directory where your libclamav.so.# is located - like /usr/local/lib

    If it is using a /etc/ld.so.conf.d directory, create a *.conf file with a single line indicating where your file is located.

    Then run ldconfig.

  2. How do you set up ssl/https virus scanning? HAVP/SQUID3 tools.

    Replies
    1. It is useless to scan encrypted traffic, as the malware can easily get masked. The only way you can do it is by acting as a man-in-the-middle, decrypting the HTTPS/SSL traffic to plain HTTP and then performing the scan. There are some hurdles if you want to do it - your users should trust your certificate to accept you as the middle man. The following reference [1] can give you some lead if you want to do it.

      Reference:
      1. http://askubuntu.com/questions/266345/virus-scanning-for-ssl-https-connections-how
