
HOWTO: clamav + FreeBSD + global scanning + unintrusive

nihaopaul

Guest
ok took long enough, but i've just got clamav set up on my plesk box scanning emails before they are accepted for delivery, for FreeBSD.

what you need:

install clamav
setup clamav
update with freshclam
start clamd

install ripmime (follow instructions)
untar/gunzip qsheff

cd qsheff-xxx

echo "/usr/local/psa/qmail" > conf-qmaildir
echo "qmail" > conf-qmailgroup

Type './install.sh'

now the wrapper is installed (i let it use the qmail-scanner so at least the users with dr.web also have that ability to scan and also spamassassin runs after)

ee /usr/local/etc/qsheff.conf

my settings:

#
# EnderUNIX Sheff configuration file
#
# http://www.enderunix.org/qsheff
#
# -b$
#

WORKDIRPREFIX = /var/spool/qsheffq
TEMPDIRPREFIX = /var/tmp/qsheffq
LOGFILE = /var/log/qsheff.log
RULEFILE = /usr/local/etc/qsheff.rules
WBLISTFILE = /usr/local/etc/qsheff.wblist

# Don't reply
# Usefull for random generated sender's
enable_blackhole = 0;

# 0: Don't panic when any function doesnt work
# Just continue to finish job.
# 1: Spammer and antivirus must work.
# Condone other errors.
# 2: Don't forgive any error.
paronia_level = 0

# Save mails contain spam or antivirus for ISPs.
# (That is provide quarantine to customers)
# ATTENTION: This feature needs more disk area.
# Don't enable it, if you unsure.
enable_quarantine = 0

# Enable White/Black List Control
enable_wblist = 0

# Enable subject filter
enable_subject_filter = 0

# Enable/disable spam program
enable_spam_prog = 0

# Enable/disable virus program
enable_virus_prog = 1

MIME_PROG = "/usr/local/bin/ripmime -i mesg -e -d"
MIME_PROG_OK_RET = 0
MIME_PROG_ERR_RET = -1

SPAM_PROG = "/usr/local/bin/zabit -i -d"
SPAM_PROG_OK_RET = 0
SPAM_PROG_SPAM_RET = 1
SPAM_PROG_ERR_RET = 2

VIRUS_PROG = "/usr/local/bin/clamdscan --quiet"
VIRUS_PROG_OK_RET = 0
VIRUS_PROG_VIRUS_RET = 1
VIRUS_PROG_ERR_RET = 2

QUEUE_PROG = /usr/local/psa/qmail/bin/qmail-queue.orig



ee /usr/local/etc/qsheff.wblist

comment out everything with a #

then we're setup and blocking those nasty viruses at the server!

oh look for mrtg also on the qsheff site. also if you want to use qscanq, enjoy trying, it is compatible with the latest version of clamav and you don't need the patch. here's a note from the developer:
You can actually get by without the patch. The clamav people recommend setting the log file to /dev/stderr, instead of using my patch. This works on most (but not all) platforms; in particular it does work on Linux.


--Len.
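
A check for the qsheff.conf settings posted above, added here as an example and not part of the original post or of qsheff. Going by the config's own comments, paronia_level = 0 carries on when a helper such as the scanner fails (levels 1 and 2 do not), and the VIRUS_PROG_*_RET values have to match clamdscan's exit codes (0 clean, 1 virus found, 2 error). The function names and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example, not part of qsheff. conf_get and audit_qsheff_conf are
# hypothetical helper names.

# Print the value of KEY in a qsheff.conf-style file ("KEY = value"),
# dropping surrounding quotes and a trailing ';'.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*;*[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# Print one line per finding; return 1 if there was any finding.
audit_qsheff_conf() {
    conf=$1
    bad=0
    if [ "$(conf_get "$conf" enable_virus_prog)" != "1" ]; then
        echo "FAIL enable_virus_prog is not 1: mail is passed on without a virus scan"
        bad=1
    fi
    # Per the comments in the config: level 0 continues when a helper
    # fails, so a scanner error (for example clamd not running) is ignored.
    if [ "$(conf_get "$conf" paronia_level)" = "0" ]; then
        echo "WARN paronia_level = 0: scanner errors do not stop delivery"
        bad=1
    fi
    # clamdscan exits 0 (clean), 1 (virus found) or 2 (error).
    for pair in VIRUS_PROG_OK_RET:0 VIRUS_PROG_VIRUS_RET:1 VIRUS_PROG_ERR_RET:2; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key = '$got', clamdscan uses $want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the relevant lines of the config posted above.
sample_conf() {
    cat <<'EOF'
paronia_level = 0
enable_virus_prog = 1
VIRUS_PROG = "/usr/local/bin/clamdscan --quiet"
VIRUS_PROG_OK_RET = 0
VIRUS_PROG_VIRUS_RET = 1
VIRUS_PROG_ERR_RET = 2
EOF
}
```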
 
Wow, finally a working Clamav/FreeBSD install for Plesk!

I just tested this, just a 5 minute install. It works great!

Now I got this working, so tomorrow I'm going to test out the other config stuff for qsheff. For instance, dropping the infected mail instead of bouncing it. And some logging and graphing in larrd.

Great How-to!
 
thanks, it'd be good to hear what you're doing in larrd. and alternative configs. i'm also about to come up with a script to take from qsheff the ip address then grep the mail logs to see if we can match it to a user and if so email them with instructions on what to do.

i use mrtg for my graphing and i only graph the viruses it detected. https://chaos-studio.com/mrtg/virus.html

the cfg for mrtg is:
WorkDir: /usr/local/psa/home/vhosts/chaos-studio.com/httpsdocs/mrtg

#############################################################
Title[virus]: Misschaos: ClamAV + qsheff SMTP email scanner
MaxBytes[virus]: 10000
AbsMax[virus]: 20000
Options[virus]: gauge
Target[virus]: `/root/apps/qsheff-mrtg/qsheff-mrtg.sh`
PageTop[virus]: <B>VIRUS</B><br>
ShortLegend[virus]: email
YLegend[virus]: emails rejected
Legend1[virus]: Total viruses filtered&nbsp;
LegendI[virus]: virus caught:&nbsp;
LegendO[virus]: nothing:&nbsp;
WithPeak[virus]: ymwd
XSize[virus]: 450
YSize[virus]: 120

and then the qsheff-mrtg.sh
#!/bin/sh
#
# Produces mrtg values
#
# -b$, Fri Dec 3 14:25:05 EET 2004
#
dates=`date "+%Y/%m/%d"`
virus=`cat /var/log/qsheff.log | grep VIRUS | wc -l`
virus=`expr $virus + 0`
invc=0
invc=`expr $invc + 0`

cat /var/log/qsheff.log >> /var/log/qsheff.log.cumulative
echo -n > /var/log/qsheff.log

echo $virus # As MRTG out
echo $invc #
echo
 
I have set blackhole to 1, this is much better for my load. Most of the virus mails have fake sender addresses so...

I'm not sure yet how I'm going to parse the logfile to larrd. I want to use logrotation on this logfile but I don't want to miss any larrd info. I might use the mrtg script to extract the useful info for larrd.
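
The qsheff-mrtg.sh script above empties /var/log/qsheff.log on every poll, which is what gets in the way of normal log rotation. The following is an added example, not from the thread or the qsheff site: it counts only the VIRUS lines appended since the last poll by remembering a byte offset, so the log is left intact for rotation and for later investigation. The function names and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not the qsheff project's script. Function names and the
# state-file path are hypothetical.

# Print bytes (FROM, TO] of FILE.
_slice() {
    tail -c +"$(($2 + 1))" "$1" | head -c "$(($3 - $2))"
}

# count_new_virus LOG STATE: print the number of VIRUS lines added to LOG
# since the offset stored in STATE, then store the new offset.
count_new_virus() {
    log=$1
    state=$2
    last=0
    if [ -r "$state" ]; then last=$(cat "$state"); fi
    case $last in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt state file

    if [ ! -r "$log" ]; then echo 0; return 0; fi
    size=$(wc -c < "$log" | tr -d ' ')
    # Log shorter than the saved offset: it was rotated or truncated.
    # (A rotated log that has already grown past the offset is not detected.)
    if [ "$size" -lt "$last" ]; then last=0; fi

    # Hold back an unterminated last line so it is counted once, when complete.
    if [ "$size" -gt "$last" ] &&
       [ -n "$(_slice "$log" "$last" "$size" | tail -c 1)" ]; then
        partial=$(_slice "$log" "$last" "$size" | tail -n 1 | wc -c | tr -d ' ')
        size=$((size - partial))
    fi

    n=$(_slice "$log" "$last" "$size" | grep -c 'VIRUS' || true)
    echo "$size" > "$state"
    echo "$n"
}

# The four lines MRTG reads from an external Target script.
mrtg_output() {
    count_new_virus "$1" "$2"   # value 1: viruses caught since last poll
    echo 0                      # value 2: unused, as in the original script
    echo                        # uptime string (left empty)
    echo qsheff                 # target name
}

# In the MRTG Target script (state path is an assumption):
#   mrtg_output /var/log/qsheff.log /var/db/qsheff-mrtg.offset
```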
 
Originally posted by kevin
Since I set this up I've been noticing quite a few of these messages:

Jun 22 17:38:16 silver qmail-queue.orig: drweb-qmail[26442]: possible qmail-smtpd exited by timeout, reset connection or with "See http://pobox.com/~djb/docs/smtplf.html."

i thought the same thing, but if you check back in your log you will also see the same thing.

i even went as far as writing to the developer and he replied
i think it is related to the mail clients of your customers. Ask them what they use?
qsheff reads mail from stdin and writes file like qmail-queue. It doesn't modify mails except header. Please check mail clients, if the problem is related to them.

i'm not saying it's definitely not, just i am saying that the problem was long before qsheff was installed. you can use the uninstall.sh in /usr/local/qsheff and it will return your qmail-queue back to normal and leave your config files (back them up if you reinstall qsheff).

Paul
 
I cannot replicate this error on my machines, but I don't have drweb running. I have stopped the drweb daemons by stopping the drweb service and removed it from rc.d to prevent it from being started again on a reboot.
When you stop the drweb service it removes its qmail-queue wrapper. So I think it is a better solution to stop drweb before you install qsheff. And I'm not sure, looking at your logging, it is such a good idea to use them next to each other.

Good luck!
 
Thanks nihaopaul, qsheff has worked well for me. It's nice to see there is a FreeBSD port now:

/usr/ports/mail/qsheff

To install, just edit the Makefile:

QMAIL_DIR?= /usr/local/psa/qmail

Then run "make install clean".
 