CentOS: ClamAV Scanning on FTP Service
Scanning FTP uploads is important for protecting your server, since FTP is still the most popular file transfer method available to users. In my case, my boss wants to make sure every file uploaded via FTP is free from viruses, trojans or malware.
In order to achieve this, I need to use PureFTPd as the FTP server because it supports calling a script once a file has been uploaded. This feature triggers a script, which we will use to call the antivirus process that scans the file.
I am using the following variables:
OS: CentOS 6.2 64bit
FTP user: ryan
FTP password: Brr432$A
FTP home directory: /home/ryan
Antivirus: ClamAV
Script to scan: /root/scripts/clamav_scan
Quarantine directory: /root/quarantine
1. To make the installation steps easier, we will use the RPMforge repository configured for yum:
$ rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
2. Install ClamAV and PureFTPd via yum:
$ yum install clamav pure-ftpd -y
3. Update ClamAV database:
$ freshclam
Note: By default, ClamAV will update the virus database on a daily basis, as you can see under /etc/cron.daily/freshclam.
4. Configure PureFTPd to suit our environment. Open the PureFTPd configuration file at /etc/pure-ftpd/pure-ftpd.conf in a text editor and make sure the following lines are configured as below:
#PAMAuthentication yes
UnixAuthentication yes
CallUploadScript yes
5. Create the home directory for user ryan and assign a password:
$ useradd -m ryan
$ passwd ryan
6. Create the script to be used by PureFTPd to call ClamAV for file scanning. We will also create a quarantine folder for ClamAV to collect the suspected files. We will use a BASH script called clamav_scan under /root/scripts directory:
$ mkdir -p /root/quarantine
$ mkdir -p /root/scripts
$ vim /root/scripts/clamav_scan
And add the following lines:
#!/bin/bash
QUA_DIR=/root/quarantine
SUBJECT="Something detected by ClamAV"
EMAILTO="[email protected]"
EMAILMESSAGE="$QUA_DIR/scan.log"
DATE=`date`
# Scan the uploaded file. Move to quarantine if suspicious
/usr/bin/clamscan --move=$QUA_DIR --quiet --no-summary "$1"
# Send email if suspicious found
if [ "$(ls -A $QUA_DIR)" ]; then
    echo "Date: $DATE" > $EMAILMESSAGE
    /usr/bin/clamscan -i -r -l $EMAILMESSAGE $QUA_DIR
    /bin/mail -s "$SUBJECT" "$EMAILTO" < $EMAILMESSAGE
    rm -Rf $QUA_DIR/scan.log
fi
7. Make the file executable and start PureFTPd, enabling it to start automatically after boot:
$ chmod 755 /root/scripts/clamav_scan
$ chkconfig pure-ftpd on
$ service pure-ftpd start
8. PureFTPd requires the pure-uploadscript process to run separately once the pure-ftpd service has started. This process calls the custom script we created for scanning:
$ pure-uploadscript -r /root/scripts/clamav_scan -B
We also need to add this command to /etc/rc.local to make sure it starts automatically after boot:
$ echo "/usr/sbin/pure-uploadscript -r /root/scripts/clamav_scan -B" >> /etc/rc.local
Done. Now let's test by uploading some files into the FTP directory. You can try uploading a normal file and also an unwanted file like r57.php. You will see that the suspicious file is moved to the quarantine folder instead of Ryan's home directory.
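A variant of the step 6 upload hook, as an added example that is not the post's script: it acts on clamscan's exit status for the uploaded file (0 clean, 1 virus found, anything else a scan error) instead of checking whether the quarantine directory is non-empty, so one old detection does not trigger mail on every later upload. The log path, the CLAMSCAN override and the choice to quarantine on scan errors are assumptions; UPLOAD_USER is an environment variable set by pure-uploadscript.

```shell
#!/bin/bash
# Added example, not the post's script. Decides from clamscan's exit status
# for the one uploaded file: 0 = clean, 1 = virus found, other = scan error.
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"   # overridable for testing
QUA_DIR="${QUA_DIR:-/root/quarantine}"
LOG="${LOG:-/var/log/clamav_upload.log}"    # assumed log location
EMAILTO="${EMAILTO:-}"                      # empty = log only, no mail

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# quarantine FILE REASON: move under a unique name so a repeated upload of
# the same filename cannot overwrite an earlier quarantined copy.
quarantine() {
    local dest
    dest="$QUA_DIR/$(date +%s).$$.$(basename "$1")"
    mv -- "$1" "$dest" || return 2
    chmod 600 "$dest"
    log "QUARANTINED reason=$2 user=${UPLOAD_USER:-unknown} file=$1 stored=$dest"
    if [ -n "$EMAILTO" ]; then
        tail -n 1 "$LOG" | /bin/mail -s "Upload quarantined by ClamAV" "$EMAILTO"
    fi
}

# scan_upload FILE: returns 0 if the file stays in place, 1 if quarantined.
scan_upload() {
    local file="$1" rc
    if [ ! -f "$file" ]; then
        log "SKIPPED not a regular file: $file"
        return 0
    fi
    rc=0
    "$CLAMSCAN" --quiet --no-summary "$file" || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) quarantine "$file" infected ;;
        *) quarantine "$file" "scan-error-$rc" ;;   # fail closed
    esac
    return 1
}

# pure-uploadscript passes the absolute path of the upload as $1.
if [ -n "${1:-}" ]; then
    scan_upload "$1"
    exit $?
fi
```

Because a scan error also quarantines the file, an outdated or missing virus database shows up in the log as scan-error entries rather than as uploads silently passing through.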
3 Responses to CentOS: ClamAV Scanning on FTP Service
./clamav_scan
No such file or directory
Why is this happening ?
Are you sure you have the script saved in any place? If you follow the steps, you should be able to execute the file by running:
/root/scripts/clamav_scan
or
sh /root/scripts/clamav_scan
Check this:
[root@online /]# sh /root/scripts/clamav_scan
No such file or directory
[root@online /]# cat /root/scripts/clamav_scan
#!/bin/bash
QUA_DIR=/root/quarantine
SUBJECT="Something detected by ClamAV"
EMAILTO="[email protected]"
EMAILMESSAGE="$QUA_DIR/scan.log"
DATE=`date`
# Scan the uploaded file. Move to quarantine if suspicious
/usr/bin/clamscan --move=$QUA_DIR --quiet --no-summary "$1"
# Send email if suspicious found
if [ "$(ls -A $QUA_DIR)" ]; then
echo "Data: $DATE" > $EMAILMESSAGE
/usr/bin/clamscan -i -r -l $EMAILMESSAGE $QUA_DIR
/bin/mail -s "$SUBJECT" "$EMAILTO" < $EMAILMESSAGE
rm -Rf $QUA_DIR/scan.log
fi
I've also found that when there is more than one user on FTP, the second user is unable to upload anything. Can you check this out?