Installing and Configuring ICAP on ClamAV: Difference between revisions
Latest revision as of 19:48, 1 October 2024
The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems.
Overview of c-icap and ClamAV Integration
- c-icap: a high-performance, open-source server that implements ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers.
- ClamAV: an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass.
You can check out the files from this GitHub repository: https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo
Procedure
Install Packages on RHEL 9
1) Install the EPEL repository on RHEL 9. First enable the CodeReady Builder repository:
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
2) Then run dnf to install the EPEL release package:
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
3) Install the ClamAV packages:
dnf -y install clamav clamav-data clamav-devel clamav-freshclam clamav-filesystem clamav-lib clamd
4) Install the c-icap packages:
dnf -y install c-icap c-icap-libs c-icap-modules
ClamAV Server
Update virus definitions
Check the installation by updating the virus definitions:
freshclam
Enable the updater as a service:
systemctl enable clamav-freshclam.service
systemctl start clamav-freshclam.service
Check its status:
systemctl status clamav-freshclam.service
Configure clamd
1) Back up the default clamd scan configuration file:
cd /etc/clamd.d
mv scan.conf scan.conf_original
2) Create a scan.conf and add the following content:
LogFile /var/log/clamd.scan.log
LogFileMaxSize 10M
LogTime yes
LogClean yes
LogVerbose yes
LogRotate yes
TCPSocket 3310
PidFile /run/clamd.scan/clamd.pid
LocalSocket /run/clamd.scan/clamd.sock
User clamscan
Save and exit the file
Start the ClamAV Server
systemctl enable clamd@scan.service
systemctl start clamd@scan.service
Configure ICAP Server
1) Back up the default ICAP server configuration files:
cd /etc/c-icap
mv c-icap.conf c-icap.conf_original
mv virus_scan.conf virus_scan.conf_original
mv clamd_mod.conf clamd_mod.conf_original
c-icap.conf
Create a c-icap.conf and add the following content:
Include virus_scan.conf
Include srv_content_filtering.conf
PidFile /run/c-icap/c-icap.pid
CommandsSocket /run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
ServerAdmin [email protected]
ServerName YourServerName
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/lib64/c_icap
ServicesDir /usr/lib64/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
acl all src 0.0.0.0/0.0.0.0
acl PERMIT_REQUESTS type REQMOD RESPMOD OPTIONS
icap_access allow all PERMIT_REQUESTS
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so
Save and exit the file. Note that the acl "all src 0.0.0.0/0.0.0.0" combined with "icap_access allow all PERMIT_REQUESTS" accepts ICAP requests from any source address; on a production gateway, restrict that acl to the proxy host's address and keep port 1344 firewalled from everything else.
virus_scan.conf
Create a virus_scan.conf and add the following content:
Service antivirus_module virus_scan.so
ServiceAlias srv_clamav virus_scan
ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
virus_scan.SendPercentData 5
virus_scan.StartSendPercentDataAfter 2M
virus_scan.MaxObjectSize 5M
virus_scan.DefaultEngine clamd
Include clamd_mod.conf
clamd_mod.conf
Create a clamd_mod.conf and add the following content:
Module common clamd_mod.so
clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock
Save and exit the file
srv_content_filtering.conf
Create a new file srv_content_filtering.conf and add the following content:
Service srv_cfg_filter srv_content_filtering.so
srv_content_filtering.RequireContentLength off
srv_content_filtering.MaxBodyData 5M
srv_content_filtering.Match demoScore body /(icap_test|icap-block|test-icap)/i score=200
srv_content_filtering.Match badHeader Header{ICAP-TEST} /BLOCK/
srv_content_filtering.Action block score{demoScore>5}
srv_content_filtering.Action block score{badHeader}
Save and exit the file
Start the ICAP Server
systemctl enable c-icap.service
systemctl start c-icap.service
Verify Configuration
1) Test your installation
To test your c-icap server you can use the c-icap-client utility, which is included in the c-icap package:
c-icap-client
Sample result:
c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344
OPTIONS:
Allow 204: Yes
Allow 206: No
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.6.2 server - Echo demo service
ISTag: "CI0001-XXXXXXXXX"
Transfer-Preview: *
Options-TTL: 3600
Date: Mon, 30 Sep 2024 19:49:43 GMT
Preview: 1024
Allow: 204
X-Include: X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
2) Ensure there are no errors in the log files:
tail -f /var/log/c-icap/server.log
tail -f /var/log/c-icap/access.log
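The c-icap-client run above only exercises the echo service. As an added check (written for this page, not taken from it or from the linked GitHub project), the following Python script speaks ICAP directly: it wraps a test body in a RESPMOD request to one of the services configured above (avscan or srv_cfg_filter) and reports whether c-icap answered 204 (content passed unmodified) or 200 (content replaced, i.e. blocked or detected). It assumes the Port 1344 and allow204=on settings from this page's configuration, and that a body containing icap_test trips the demoScore rule in srv_content_filtering.conf; the sample bodies are constructed.

```python
import socket

ICAP_HOST, ICAP_PORT = "127.0.0.1", 1344   # "Port 1344" from c-icap.conf on this page
VERDICT = {204: "clean: passed through unmodified",
           200: "modified: c-icap replaced the content (blocked or infected)"}

def build_respmod(service, body):
    """Wrap `body` in a minimal HTTP 200 response and encapsulate it in an
    ICAP RESPMOD request for `service` (e.g. "avscan" or "srv_cfg_filter")."""
    http_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body))
    icap_hdr = (
        f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"          # we accept "204 Unmodified" for clean content
        "Connection: close\r\n"   # one request per connection, so we read until EOF
        f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)   # ICAP bodies are chunked
    return icap_hdr + http_hdr + chunked

def parse_icap_response(raw):
    """Return (status_code, icap_headers) parsed from the ICAP header block of `raw`."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    status_line, *header_lines = head.split("\r\n")
    version, code = status_line.split(" ", 2)[:2]
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in header_lines if ":" in l)}
    return int(code), headers

def scan(service, body, timeout=10):
    """Send one RESPMOD to the local c-icap and return (status_code, headers)."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=timeout) as s:
        s.sendall(build_respmod(service, body))
        raw = b""
        while chunk := s.recv(65536):   # the server closes the connection after replying
            raw += chunk
    return parse_icap_response(raw)

if __name__ == "__main__":
    # Constructed sample bodies: the third matches the demoScore body rule
    # (icap_test) in srv_content_filtering.conf and should come back as 200.
    for svc, body in [("avscan", b"harmless text"), ("srv_cfg_filter", b"harmless text"),
                      ("srv_cfg_filter", b"this page contains icap_test")]:
        code, _ = scan(svc, body)
        print(f"{svc:15s} {body!r:40} -> {code} {VERDICT.get(code, 'unexpected, check server.log')}")
```

Any other status (for example a 500) means c-icap accepted the request but the service failed; the cause is then in /var/log/c-icap/server.log.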
Known Problems
C-ICAP: Cannot connect to clamd server
In /var/log/c-icap/server.log, I had the following error:
Tue Oct 1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock!
Tue Oct 1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server
Tue Oct 1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!
To fix, change the permissions of the clamd.scan directory:
chmod g+rx,o+rx /run/clamd.scan
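An added troubleshooting helper for the error above (written for this page; not from the page or the linked project): run as the account c-icap runs under, it walks the checks behind "Can not connect to clamd server" (directory present and searchable, socket present, readable and writable) and then sends clamd's PING command, which a healthy clamd answers with PONG. The socket path is the LocalSocket from this page's scan.conf.

```python
import os, socket, stat

CLAMD_SOCKET = "/run/clamd.scan/clamd.sock"   # LocalSocket from scan.conf on this page

def diagnose_socket(path=CLAMD_SOCKET):
    """Explain, from the calling user's point of view, why the clamd socket is
    unreachable; returns "ok" when it looks usable. Run it as the c-icap user."""
    directory = os.path.dirname(path)
    if not os.path.isdir(directory):
        return f"{directory} does not exist: is clamd@scan.service running?"
    if not os.access(directory, os.X_OK):
        return f"{directory} is not searchable by this user (fix: chmod g+rx,o+rx {directory})"
    if not os.path.exists(path):
        return f"{path} is missing: check LocalSocket in /etc/clamd.d/scan.conf"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return f"{path} exists but is not a UNIX socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return f"{path} exists but this user cannot read/write it"
    return "ok"

def clamd_ping(path=CLAMD_SOCKET, timeout=5):
    """Send clamd's PING command over the socket and return True on PONG.
    The 'z' prefix and NUL terminator are clamd's null-delimited command framing."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"zPING\0")
        return s.recv(64).rstrip(b"\0\n") == b"PONG"

if __name__ == "__main__":
    state = diagnose_socket()
    print("socket check:", state)
    if state == "ok":
        print("clamd PING:", "PONG" if clamd_ping() else "no answer")
```

A tighter alternative to making /run/clamd.scan world-readable is to give the c-icap service account group access to that directory; which group and account the EPEL packages use is not stated on this page, so check them on your system first.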
See also
- ASSP: Automating Rebuild.pl
- Configuring Postfix with the ASSP SmartHost
- Linux: Configuring DHCP and BIND with Dynamic DNS
- Linux and Unix: Monitoring and Performance Tools