Installing and Configuring ICAP on ClamAV: Difference between revisions
No edit summary |
|||
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems. | |||
Overview of c-icap and ClamAV Integration | |||
* '''c-icap''' | |||
: It's a high-performance, open-source server that implements the ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers. | |||
* '''ClamAV''' | |||
: ClamAV is an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass. | |||
You can checkout files from this GitHub https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo | |||
= Procedure = | = Procedure = | ||
Line 9: | Line 23: | ||
2) run dnf | 2) run dnf | ||
<nowiki>dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm | <nowiki>dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm</nowiki> | ||
3) Install Clamav packages | 3) Install Clamav packages | ||
Line 17: | Line 31: | ||
4) Install C-ICAP packages | 4) Install C-ICAP packages | ||
dnf install c-icap c-icap-libs c-icap-modules | dnf -y install c-icap c-icap-libs c-icap-modules | ||
== Clamav Server == | == Clamav Server == | ||
Line 31: | Line 45: | ||
systemctl enable clamav-freshclam.service | systemctl enable clamav-freshclam.service | ||
systemctl start clamav-freshclam.service | |||
Check status | |||
systemctl status clamav-freshclam.service | systemctl status clamav-freshclam.service | ||
Line 44: | Line 62: | ||
<nowiki> | <nowiki> | ||
LogFile /var/log/clamd.scan.log | |||
LogFileMaxSize 10M | |||
LogTime yes | |||
LogClean yes | |||
LogVerbose yes | |||
LogRotate yes | |||
TCPSocket 3310 | TCPSocket 3310 | ||
PidFile /run/clamd.scan/clamd.pid | |||
LocalSocket /run/clamd.scan/clamd.sock | |||
User clamscan | User clamscan | ||
</nowiki> | </nowiki> | ||
Line 53: | Line 78: | ||
=== Start the Clamav Server === | === Start the Clamav Server === | ||
systemctl enable clamd.service | systemctl enable clamd@scan.service' | ||
systemctl start clamd.service | systemctl start clamd@scan.service | ||
== Configure ICAP Server == | == Configure ICAP Server == | ||
Line 118: | Line 143: | ||
Service antivirus_module virus_scan.so | Service antivirus_module virus_scan.so | ||
ServiceAlias srv_clamav virus_scan | ServiceAlias srv_clamav virus_scan | ||
ServiceAlias | ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple | ||
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE | virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE | ||
virus_scan.SendPercentData 5 | virus_scan.SendPercentData 5 | ||
virus_scan.StartSendPercentDataAfter 2M | virus_scan.StartSendPercentDataAfter 2M | ||
virus_scan.MaxObjectSize 5M | virus_scan.MaxObjectSize 5M | ||
virus_scan.DefaultEngine | virus_scan.DefaultEngine clamd | ||
Include clamd_mod.conf | Include clamd_mod.conf | ||
</nowiki> | </nowiki> | ||
Line 134: | Line 159: | ||
<nowiki> | <nowiki> | ||
Module common clamd_mod.so | Module common clamd_mod.so | ||
clamd_mod.ClamdSocket /run/ | clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock | ||
</nowiki> | </nowiki> | ||
Line 163: | Line 188: | ||
== Verify Configuration == | == Verify Configuration == | ||
1) Testing your instalation | |||
To test your c-icap server you can use the c-icap-client utility which included in c-icap package. | |||
c-icap-client | |||
Sample result: | |||
<small><nowiki>c-icap-client | |||
ICAP server:localhost, ip:127.0.0.1, port:1344 | |||
OPTIONS: | |||
Allow 204: Yes | |||
Allow 206: No | |||
Preview: 1024 | |||
Keep alive: Yes | |||
ICAP HEADERS: | |||
ICAP/1.0 200 OK | |||
Methods: RESPMOD, REQMOD | |||
Service: C-ICAP/0.6.2 server - Echo demo service | |||
ISTag: "CI0001-XXXXXXXXX" | |||
Transfer-Preview: * | |||
Options-TTL: 3600 | |||
Date: Mon, 30 Sep 2024 19:49:43 GMT | |||
Preview: 1024 | |||
Allow: 204 | |||
X-Include: X-Authenticated-User, X-Authenticated-Groups | |||
Encapsulated: null-body=0 | |||
</nowiki></small> | |||
Line 170: | Line 225: | ||
tail -f /var/log/c-icap/access.log | tail -f /var/log/c-icap/access.log | ||
== Know Problems == | |||
=== C-ICAP: Cannot connect to clamd server === | |||
In /var/log/c-icap/server.log, I had the following error: | |||
<small><nowiki>Tue Oct 1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock! | |||
Tue Oct 1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server | |||
Tue Oct 1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!</nowiki></small> | |||
To fix, change permissions of clamd.scan directory: | |||
chmod g+rx,o+rx /run/clamd.scan | |||
== Ver também == | == Ver também == |
Latest revision as of 19:48, 1 October 2024
The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems.
Overview of c-icap and ClamAV Integration
- c-icap
- It's a high-performance, open-source server that implements the ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers.
- ClamAV
- ClamAV is an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass.
You can checkout files from this GitHub https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo
Procedure
Install Packages on RHEL 9
1) Install EPEL Repository in RHEL 9
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
2) run dnf
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
3) Install Clamav packages
dnf -y install clamav clamav-data clamav-devel clamav-freshclam clamav-filesystem clamav-lib clamd
4) Install C-ICAP packages
dnf -y install c-icap c-icap-libs c-icap-modules
Clamav Server
Update Virus definition
Check install with update virus definition
freshclam
Enable as service
systemctl enable clamav-freshclam.service systemctl start clamav-freshclam.service
Check status
systemctl status clamav-freshclam.service
Configure clamav
1) Backup default ICAP server configuration file:
cd /etc/clamd.d mv scan.conf scan.conf_original
2) Create a scan.conf and add the following content:
LogFile /var/log/clamd.scan.log LogFileMaxSize 10M LogTime yes LogClean yes LogVerbose yes LogRotate yes TCPSocket 3310 PidFile /run/clamd.scan/clamd.pid LocalSocket /run/clamd.scan/clamd.sock User clamscan
Save and exit the file
Start the Clamav Server
systemctl enable [email protected]' systemctl start [email protected]
Configure ICAP Server
1) Backup default ICAP server configuration file:
cd /etc/c-icap mv c-icap.conf c-icap.conf_original mv virus_scan.conf virus_scan.conf_original mv clamd_mod.conf clamd_mod.conf_original
c-icap.conf
Create a c-icap.conf and add the following content:
Include virus_scan.conf Include srv_content_filtering.conf PidFile /run/c-icap/c-icap.pid CommandsSocket /run/c-icap/c-icap.ctl Timeout 300 MaxKeepAliveRequests 100 KeepAliveTimeout 600 StartServers 3 MaxServers 10 MinSpareThreads 10 MaxSpareThreads 20 ThreadsPerChild 10 MaxRequestsPerChild 0 Port 1344 ServerAdmin [email protected] ServerName YourServerName TmpDir /var/tmp MaxMemObject 131072 DebugLevel 1 Pipelining on SupportBuggyClients off ModulesDir /usr/lib64/c_icap ServicesDir /usr/lib64/c_icap TemplateDir /usr/share/c_icap/templates/ TemplateDefaultLanguage en LoadMagicFile /etc/c-icap/c-icap.magic RemoteProxyUsers off RemoteProxyUserHeader X-Authenticated-User RemoteProxyUserHeaderEncoded on acl all src 0.0.0.0/0.0.0.0 acl PERMIT_REQUESTS type REQMOD RESPMOD OPTIONS icap_access allow all PERMIT_REQUESTS ServerLog /var/log/c-icap/server.log AccessLog /var/log/c-icap/access.log Service echo srv_echo.so
Save and exit the file
virus_scan.conf
Create a virus_scan.conf and add the following content:
Service antivirus_module virus_scan.so ServiceAlias srv_clamav virus_scan ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE virus_scan.SendPercentData 5 virus_scan.StartSendPercentDataAfter 2M virus_scan.MaxObjectSize 5M virus_scan.DefaultEngine clamd Include clamd_mod.conf
clamd_mod.conf
Create a clamd_mod.conf and add the following content:
Module common clamd_mod.so clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock
Save and exit the file
srv_content_filtering.conf
Create a new file srv_content_filtering.conf and add the following content:
Service srv_cfg_filter srv_content_filtering.so srv_content_filtering.RequireContentLength off srv_content_filtering.MaxBodyData 5M srv_content_filtering.Match demoScore body /(icap_test|icap-block|test-icap)/i score=200 srv_content_filtering.Match badHeader Header{ICAP-TEST} /BLOCK/ srv_content_filtering.Action block score{demoScore>5} srv_content_filtering.Action block score{badHeader}
Save and exit the file
Start the ICAP Server
systemctl enable c-icap.service systemctl start c-icap.service
Verify Configuration
1) Testing your instalation
To test your c-icap server you can use the c-icap-client utility which included in c-icap package.
c-icap-client
Sample result:
c-icap-client ICAP server:localhost, ip:127.0.0.1, port:1344 OPTIONS: Allow 204: Yes Allow 206: No Preview: 1024 Keep alive: Yes ICAP HEADERS: ICAP/1.0 200 OK Methods: RESPMOD, REQMOD Service: C-ICAP/0.6.2 server - Echo demo service ISTag: "CI0001-XXXXXXXXX" Transfer-Preview: * Options-TTL: 3600 Date: Mon, 30 Sep 2024 19:49:43 GMT Preview: 1024 Allow: 204 X-Include: X-Authenticated-User, X-Authenticated-Groups Encapsulated: null-body=0
2) Ensure there are no errors in the log file
tail -f /var/log/c-icap/server.log
tail -f /var/log/c-icap/access.log
Know Problems
C-ICAP: Cannot connect to clamd server
In /var/log/c-icap/server.log, I had the following error:
Tue Oct 1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock! Tue Oct 1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server Tue Oct 1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!
To fix, change permissions of clamd.scan directory:
chmod g+rx,o+rx /run/clamd.scan
Ver também
- ASSP:Automatizando o Rebuild.pl
- Configurando o Postfix com SmartHost do ASSP
- Linux: Configurando DHCP e BIND com DNS Dinamico
- Linux e Unix: Ferramentas de Monitoracao e Performance