понедельник, 6 сентября 2010 г.

Установка Clamfs для защиты samba от вирусов

Задача такая: есть сервер на Ubuntu Server, на нем работает Samba. Нужно настроить антивирусную проверку “на лету” ресурсов Samba.

Для начала установим пакеты:
sudo apt-get install clamav clamav-daemon clamfs

Запустим обновление баз:
freshclam

Стартуем антивирус:
/etc/init.d/clamav-daemon start

Создаем директории:
mkdir /home/alex/test tests infected
mkdir /etc/clamfs
и создадим файл в директории /etc/clamfs/ под названием samba.xml
touch samba.xml


Листинг самого файла:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Only three options are mandatory:
<clamd socket="" />
<filesystem root="" />
<filesystem mountpoint="" />

All other can be removed, but this will disable related subsystem.
For example removing <cache ... /> will disable caching completly. -->

<clamfs>
<!-- Clamd socket -->
<clamd socket="/var/run/clamav/clamd.ctl" />

<!-- File system settings
root - real directory to attach as our root
mountpoint - where to attach our root
public - limit access to process owner only or make
file system publicly available for all users
nonempty - allow mount to directory which contains
files or sub-directories -->
<filesystem root="/home/alex/test" mountpoint="/home/alex/tests" public="yes" nonempty="yes" />


<!-- Maximal file size (in bytes).
This option can speed up access to large files, as they will be
never scanned. On the other hand attacker can append long portion
of junk at the end of file to make it big enough to be omitted. -->
<file maximal-size="10485760" /> <!-- 10M2 -->

<!-- Whitelisted files are never scanned.
This can speed up access to some files, but be careful with this,
some data files like JPEG, RIFF or WMF can be prepared to cause
problems (like buffers overflows) in applications and thus execute
malicious code even not being executable itself. Finally even text
files can have "modeline" causing problems in some buggy editors. -->
<whitelist>
<exclude extension="txt" /> <!-- text files -->
<exclude extension="dbx" /> <!-- form ClamWin -->
<exclude extension="tbb" /> <!-- form ClamWin -->
<exclude extension="pst" /> <!-- form ClamWin -->
<exclude extension="dat" /> <!-- form ClamWin -->
<exclude extension="log" /> <!-- form ClamWin -->
<exclude extension="nsf" /> <!-- form ClamWin -->
<exclude extension="ntf" /> <!-- form ClamWin -->
</whitelist>

<!-- Blacklisted files are scanned regardless of their sizes -->
<blacklist>
<include extension="exe" /> <!-- executable file -->
<include extension="com" /> <!-- executable file -->
<include extension="dll" /> <!-- library -->
<include extension="sys" /> <!-- system file / driver -->
<include extension="vbs" /> <!-- Visual Basic Script -->
<include extension="bat" /> <!-- DOS Batch file -->
<include extension="cmd" /> <!-- Windows Command file -->
</blacklist>

<!-- How many entries to keep in cache and for how long (in ms) -->
<cache entries="16384" expire="10800000" /> <!-- 3h -->

<!-- Logging method (stdout, syslog or file) -->
<!-- <log method="stdout" verbose="no" /> -->
<!-- <log method="syslog" /> -->
<log method="file" filename="/var/log/clamav/clamfs.log" verbose="no" />

<!-- Debug settings -->
<!-- <debug threads="no" fork="no" /> -->
</clamfs>

Запуск при загрузке системы я решил путем прописывания строки в /etc/rc.local вида:
clamfs /etc/clamfs/samba.xml
Или врукопашную запускать при каждом старте:
clamfs /etc/clamfs/samba.xml

Проверка каждый день по cron:
In /etc/crontab scan in 6 hour everyday:
0 6 * * * root /usr/bin/clamscan -r /home/alex/test --move=/home/alex/infected

Для поддержки RAR архивов нужно установить пакет:
apt-get install libclamunrar6

В самбе публиковать директорию /home/alex/tests

На этом настройка окончена.

Комментариев нет:

Отправить комментарий