1. First way is to have the HAVP as Parent proxy for squid.
Transparent Proxy*
192.168.0.253:3128
|| [eth1]
|| ||
[Intranet]--------[Squid]-+-[HAVP]--------[Internet]
|| ||
[eth0] Parent Proxy
192.168.0.0/24 127.0.0.1:8080
||
||
[ClamAV]
[ClamAV]
||
||
Transparent Proxy*
192.168.0.253:8080
|| [eth1]
|| ||
[Intranet]--------[HAVP]-+-[Squid]--------[Internet]
|| ||
[eth0] Parent Proxy
192.168.0.0/24 127.0.0.1:3128
I prefer Method-1, because the proxy only caches the content deemed safe.
Creating Method-1 Setup:
STEP1: Install Squid Proxy
The steps are outlined in my previous post.
STEP2: Install ClamAV.
I tried installing ClamAV using the command:
sudo apt-get install clamav
sudo freshclam
Before installing ClamAV, a new user and groupid needs to be created. The default userid and groupid are "clamav". They can be added using the commands:
groupadd clamav
useradd -g clamav clamav
tar -xzvf clamav-0.97.3.tar.gz
Move into the newly created directory and try to perform "configure" with any needed options (No need to specify any options unless userid and groupid are different from default, clamav-milter needs to be installed or new experimental features need to be added). Before we actually install, it would be good to check for previous versions of clamav and remove them. The commands to install are:
cd clamav-0.97.3
./configure
make
sudo apt-get remove --purge clamav
sudo make uninstall
sudo make install
Before updating clamav, it is good to edit the clamd.conf freshclam.conf files located in /usr/local/etc folder. One line containing "Example" needs to be commented and any other entries need to be uncommented as per need. The config files are self explanatory. However, one issue could arise. The log files and signature directories used by freshclam and clamd, specified in the .conf files, might not have required file permissions to be created/edited. You can manually create the file and folder and edit their permissions using "chmod/chown" command.
Update the antivirus signatures and try scanning a simple file.
sudo freshclam
clamscan -v filename
STEP3: Install HAVP
The instructions given in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ provide some guidance for the installation.
This command was installing an older version of HAVP.
sudo apt-get install havp
Hence, get the latest source code of HAVP from http://www.server-side.de/download.htm.
Install HAVP using the regular commands given below. They also add required userid and groupid "havp", allowing me to skip adding them manually.
tar -xvzf havp-0.92a.tar.gz
cd havp-0.92a
./configure
make
sudo make install
Add the below line in /usr/local/squid/etc/squid.conf
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
Next havp.config needs to be edited. This config file is located in /usr/local/etc/havp/havp.config. Most of the entries are self explanatory in the config file, however the configuration provided in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ can be used as a reference.
Two major steps need to be performed before successfully running HAVP. The first one is set to set appropriate permissions for the files used by HAVP. In my case, I enumerated the files and folders needing permission change by looking at the error messages. The INSTALL file provided in the extracted havp folder (havp-0.92a) provides the following commands.
Make sure the directories you are using have correct permissions:
# chown havp /var/tmp/havp /var/log/havp /var/run/havp
# chmod 700 /var/tmp/havp /var/log/havp /var/run/havp
The second major step is to ensure the scan file system has mandatory locks enabled. The INSTALL file indicates how this could be done. The file /etc/fstab indicates the file systems which are mounted when booting. In my case I just had the root file system (/). So, as indicated in the INSTALL file, I used the following command to activate mandatory locks.
mount -o remount,mand /
# <file system> <mount point> <type> <options> <dump> <pass>
/host/ubuntu/disks/root.disk / ext4 loop,mand,errors=remount-ro 0 1
We can then start havp using the command:
/usr/local/sbin/havp
sudo -u havp /usr/local/sbin/havp
STEP 4: Testing the setup.
Try configuring the browser to the squid proxy ip and port 3128, and try browsing few webpages. To test if HAVP is working properly, try visiting this link http://www.eicar.org/download/eicarcom2.zip. It should through a HAVP-ACCESS DENIED PAGE (shown below).
References:
1. http://volatile-minds.blogspot.com/2008/06/installing-clamav-latest-from-source.html
2. http://wiki.clamav.net/bin/view/Main/InstallFromSource
3. http://informatix.or.id/willy/installing-clamav-from-source.php
If you find that HAVP is throwing some error like "error libclamav.so.# cannot open shared object file: No such file or directory"
ReplyDeletecreate /etc/ld.so.conf if it does not exist with just a single line of the directory where your libclamav.so.# is located - like /usr/local/lib
If it is using a /etc/ld.so.conf.d directory, create a *.conf file with a single line indicating where your file is located.
Then run ldconfig.
How do you set up ssl/https virus scanning? HAVP/SQUID3 tools.
ReplyDeleteIt is useless to scan encrypted traffic, as the malware can easily get masked. Only way you can do it is my acting like a man-in-the-middle, decrypting the HTTPS/SSL traffic to plain HTTP and then performing the scan. There are some hurdles if you want to do it - your users should trust your certificate to accept you as middle man. The following reference [1] can give you some lead if you want to do it.
DeleteReference:
1. http://askubuntu.com/questions/266345/virus-scanning-for-ssl-https-connections-how