Scanning FTP uploads is really important in order to protect your server from the most popular file transferring method available to users. In my case, my boss wants to make sure every file uploaded via FTP is free from viruses, trojans or malware.
In order to achieve this, I need to use PureFTPd as the FTP server because it supports calling a script once a file has been uploaded. This feature will trigger a script which we will use to call the antivirus process to do the file scanning.
I am using the following variables:
OS: CentOS 6.2 64bit
FTP user: ryan
FTP password: Brr432$A
FTP home directory: /home/ryan
Script to scan: /root/scripts/clamav_scan
Quarantine directory: /root/quarantine
1. To make the installation steps easier, we will use the RPMforge repository configured for yum:
$ rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
2. Install ClamAV and PureFTPd via yum:
$ yum install clamav pure-ftpd -y
3. Update the ClamAV database:
Note: By default, ClamAV will update the virus database on a daily basis, as you can see under /etc/cron.daily/freshclam.
4. Configure PureFTPd to suit our environment. Open the PureFTPd configuration file at /etc/pure-ftpd/pure-ftpd.conf in a text editor and make sure the following lines are configured as below:
#PAMAuthentication yes
UnixAuthentication yes
CallUploadScript yes
5. Create the home directory for user ryan and assign a password:
$ useradd -m ryan
$ passwd ryan
6. Create the script to be used by PureFTPd to call ClamAV for file scanning. We will also create a quarantine folder for ClamAV to collect the suspected files. We will use a BASH script called clamav_scan under /root/scripts directory:
$ mkdir -p /root/quarantine
$ mkdir -p /root/scripts
$ vim /root/scripts/clamav_scan
And add the following lines:
#!/bin/bash
QUA_DIR=/root/quarantine
SUBJECT="Something detected by ClamAV"
EMAILTO="[email protected]"
EMAILMESSAGE="$QUA_DIR/scan.log"
DATE=$(date)

# Scan the uploaded file ($1 is the path passed by pure-uploadscript).
# Move to quarantine if suspicious
/usr/bin/clamscan --move="$QUA_DIR" --quiet --no-summary "$1"

# Send email if suspicious found (quarantine directory is not empty)
if [ "$(ls -A "$QUA_DIR")" ]; then
    echo "Date: $DATE" > "$EMAILMESSAGE"
    /usr/bin/clamscan -i -r -l "$EMAILMESSAGE" "$QUA_DIR"
    /bin/mail -s "$SUBJECT" "$EMAILTO" < "$EMAILMESSAGE"
    rm -f "$QUA_DIR/scan.log"
fi
7. Make the script executable and start PureFTPd, with automatic startup after boot:
$ chmod 755 /root/scripts/clamav_scan
$ chkconfig pure-ftpd on
$ service pure-ftpd start
8. PureFTPd requires the pure-uploadscript process to run separately once the pure-ftpd service has started. This process will call the custom script we created for scanning purposes:
$ pure-uploadscript -r /root/scripts/clamav_scan -B
We also need to add this command to /etc/rc.local to make sure it starts automatically after boot:
$ echo "/usr/sbin/pure-uploadscript -r /root/scripts/clamav_scan -B" >> /etc/rc.local
Done. Now let's test by uploading some files into the FTP directory. You can try to upload a normal file and also an unwanted file like r57.php. You will see that the suspicious file is moved to the quarantine folder instead of ryan's home directory.
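A variant of the step 6 hook, added here as an example and not the author's script: it decides per upload from clamscan's exit status (0 = clean, 1 = virus found, 2 = error) instead of checking whether the quarantine directory is non-empty, and holds the file when the scan itself fails. The `SCANNER`, `QUA_DIR` and `LOG` overrides, the log path and the log line format are assumptions of this example; mail notification is left out.

```shell
#!/bin/bash
# Added example (not the original script): per-upload verdict from clamscan's exit code.
# Assumed, overridable settings so the logic can be exercised with a stub scanner.
QUA_DIR="${QUA_DIR:-/root/quarantine}"
LOG="${LOG:-/var/log/ftp_clamav.log}"          # assumed log location
SCANNER="${SCANNER:-/usr/bin/clamscan}"

log_event() {
    # pure-uploadscript exports UPLOAD_USER (the account that uploaded the file)
    printf '%s user=%s file=%s verdict=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "${UPLOAD_USER:-unknown}" "$1" "$2" >> "$LOG"
}

scan_upload() {
    local file="$1" rc
    [ -f "$file" ] || { log_event "$file" missing; return 2; }

    "$SCANNER" --quiet --no-summary "$file"
    rc=$?
    case "$rc" in
        0)  log_event "$file" clean ;;
        1)  # Infected: take it out of the FTP tree; the timestamp avoids name clashes
            mv -- "$file" "$QUA_DIR/$(basename -- "$file").$(date +%s)"
            log_event "$file" infected ;;
        *)  # Scanner error (for example a broken database): do not trust the file
            mv -- "$file" "$QUA_DIR/$(basename -- "$file").unscanned.$(date +%s)"
            log_event "$file" scan-error ;;
    esac
    return "$rc"
}

# pure-uploadscript passes the uploaded file's path as the first argument
if [ "$#" -gt 0 ]; then scan_upload "$1"; fi
```

Because the verdict comes from the scan of the file just uploaded, files already sitting in quarantine do not trigger a new alert on every later upload.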