CentOS: ClamAV Scanning on FTP Service

Scanning FTP uploads is really important for protecting your server, since FTP is the most popular file transfer method available to users. In my case, my boss wants to make sure every file uploaded via FTP is free from viruses, trojans and malware.

To achieve this, I need to use PureFTPd as the FTP server because it supports calling a script after each upload. This feature triggers a script, which we will use to call the antivirus to scan the file.

I am using the following variables:

OS: CentOS 6.2 64bit
FTP user: ryan
FTP password: Brr432$A
FTP home directory: /home/ryan
Antivirus: ClamAV
Script to scan: /root/scripts/clamav_scan
Quarantine directory: /root/quarantine

1. To make the installation easier, we will add the RPMforge repository to yum:

$ rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

2. Install ClamAV and PureFTPd via yum:

$ yum install clamav pure-ftpd -y

3. Update ClamAV database:

$ freshclam

Note: By default, ClamAV updates the virus database daily, as you can see in /etc/cron.daily/freshclam.

4. Configure PureFTPd to suit our environment. Open the PureFTPd configuration file at /etc/pure-ftpd/pure-ftpd.conf in a text editor and make sure the following lines are configured as below:

#PAMAuthentication           yes
UnixAuthentication           yes
CallUploadScript             yes

5. Create the home directory for user ryan and assign a password:

$ useradd -m ryan
$ passwd ryan

6. Create the script that PureFTPd will use to call ClamAV for file scanning. We will also create a quarantine folder where ClamAV collects the suspected files. We will use a BASH script called clamav_scan under the /root/scripts directory:

$ mkdir -p /root/quarantine
$ mkdir -p /root/scripts
$ vim /root/scripts/clamav_scan

And add the following lines:

#!/bin/bash
# Called by pure-uploadscript; $1 is the path of the file that was just uploaded
QUA_DIR=/root/quarantine
SUBJECT="Something detected by ClamAV"
EMAILTO="[email protected]"
EMAILMESSAGE="$QUA_DIR/scan.log"
DATE=$(date)

# Scan the uploaded file. Move to quarantine if suspicious
/usr/bin/clamscan --move="$QUA_DIR" --quiet --no-summary "$1"
STATUS=$?

# Send email if suspicious found (clamscan exits with 1 when it detects something)
if [ "$STATUS" -eq 1 ]; then
     echo "Date: $DATE" > "$EMAILMESSAGE"
     # Write a report of the quarantined files to the log
     /usr/bin/clamscan -i -r -l "$EMAILMESSAGE" "$QUA_DIR"
     /bin/mail -s "$SUBJECT" "$EMAILTO" < "$EMAILMESSAGE"
     rm -f "$EMAILMESSAGE"
fi

7. Make the script executable and start PureFTPd, enabling it to start automatically after boot:

$ chmod 755 /root/scripts/clamav_scan
$ chkconfig pure-ftpd on
$ service pure-ftpd start

8. PureFTPd requires the pure-uploadscript process to run separately once the pure-ftpd service has started. This process will call the custom script we created for scanning:

$ pure-uploadscript -r /root/scripts/clamav_scan -B

We also need to add this command to /etc/rc.local to make sure it starts automatically after boot:

$ echo "/usr/sbin/pure-uploadscript -r /root/scripts/clamav_scan -B" >> /etc/rc.local

Done. Now let's test by uploading some files into the FTP directory. Try uploading a normal file and also an unwanted file like r57.php. You will see that the suspicious file is moved to the quarantine folder instead of Ryan’s home directory.
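
A fail-closed variant of the upload hook from step 6, added here as an example and not part of the original post: it branches on clamscan's exit status (0 clean, 1 infected, anything else a scanner error), moves the file to quarantine when the scan itself fails, and logs the UPLOAD_USER and UPLOAD_SIZE values that pure-uploadscript exports. The log path and the overridable CLAMSCAN, QUA_DIR and LOG variables are assumptions.

```bash
#!/bin/bash
# Added example (not the post's script): fail-closed upload hook for pure-uploadscript.
# CLAMSCAN, QUA_DIR and LOG are overridable; the LOG path is an assumption.
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"
QUA_DIR="${QUA_DIR:-/root/quarantine}"
LOG="${LOG:-/var/log/clamav_upload.log}"

# handle_upload FILE: scan FILE, act on the scanner's exit status, log the
# outcome and print one verdict word (clean, infected or error).
handle_upload() {
    local file="$1" rc=0 verdict
    "$CLAMSCAN" --quiet --no-summary --move="$QUA_DIR" "$file" || rc=$?
    case "$rc" in
        0) verdict=clean ;;
        1) verdict=infected ;;      # clamscan has already moved the file
        *) verdict=error            # scanner failed (missing database, unreadable file, ...)
           # Fail closed: an unscanned file must not stay in the FTP home
           mv -f -- "$file" "$QUA_DIR/" 2>/dev/null || true ;;
    esac
    # UPLOAD_USER and UPLOAD_SIZE are exported by pure-uploadscript
    printf '%s user=%s size=%s file=%s verdict=%s rc=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${UPLOAD_USER:-unknown}" \
        "${UPLOAD_SIZE:-unknown}" "$file" "$verdict" "$rc" >> "$LOG"
    echo "$verdict"
}

# pure-uploadscript passes the uploaded file's path as the first argument
if [ -n "${1:-}" ]; then
    handle_upload "$1" > /dev/null
fi
```

Because the original script ignores scanner errors, a missing or corrupt virus database lets every upload through unnoticed; the error branch and the log line make that condition visible.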

3 thoughts on “CentOS: ClamAV Scanning on FTP Service”

    1. Are you sure you have the script saved in any place? If you follow the steps, you should be able to execute the file by running:
      /root/scripts/clamav_scan
      or
      sh /root/scripts/clamav_scan

      1. Check this:

        [[email protected] /]# sh /root/scripts/clamav_scan
        No such file or directory
        [[email protected] /]# cat /root/scripts/clamav_scan
        #!/bin/bash
        QUA_DIR=/root/quarantine
        SUBJECT=”Something detected by ClamAV”
        EMAILTO=”[email protected]
        EMAILMESSAGE=”$QUA_DIR/scan.log”
        DATE=`date`

        # Scan the uploaded file. Move to quarantine if suspicious
        /usr/bin/clamscan –move=$QUA_DIR –quiet –no-summary “$1”

        # Send email if suspicious found
        if [ “$(ls -A $QUA_DIR)” ]; then
        echo “Data: $DATE” > $EMAILMESSAGE
        /usr/bin/clamscan -i -r -l $EMAILMESSAGE $QUA_DIR
        /bin/mail -s “$SUBJECT” “$EMAILTO” < $EMAILMESSAGE
        rm -Rf $QUA_DIR/scan.log
        fi

        I've also found that when there is more than one user on FTP, the second user is unable to upload anything. Can you check this out?
