Email Server/ClamAv
Part of the Email Server documentation
Dependencies
We need the GNU Mathematics Precision library (gmp), and we need to make sure the linker can find it when ClamAV is compiled against it.
# yum install gmp
# yum install gmp-devel
# ldconfig
Installation
Create a user and group for ClamAV
# useradd -rmd /var/lib/clamav clamav -s /sbin/nologin
Download the ClamAV source code from the http://www.clamav.org/ web site and place it in /usr/local/src, then unpack, configure, compile and install it.
$ cd /usr/local/src
$ wget http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.93.tar.gz
$ tar zxvf clamav-0.93.tar.gz
$ cd clamav-0.93
$ ./configure --localstatedir=/var/lib/clamav
$ make
$ su
# make install
Configuration
/usr/local/etc/clamd.conf contains a good set of default options and plenty of informative comments. Here is an example file with some variation from the default settings.
The important change is to enable "AllowSupplementaryGroups", which will let us use clamav with other processes - particularly Amavisd-new
# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.log

# Log time with each message.
# Default: no
LogTime yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamd.pid

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/lib/clamd.socket

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 20

# Maximum depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 20

# Perform a database check.
# Default: 1800 (30 min)
SelfCheck 600
/usr/local/etc/freshclam.conf contains a good set of default options and plenty of informative comments. Here is an example file with some variation from the default settings.
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
LogTime yes
PidFile /var/run/freshclam/freshclam.pid
DatabaseOwner clamav
AllowSupplementaryGroups yes
DatabaseMirror database.clamav.net
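A quick lint for the two configuration files above, as an added example (not part of the original page or of ClamAV itself): it checks the settings this page depends on and that clamd and freshclam agree on DatabaseDirectory. The function names are hypothetical, the files written by demo() are constructed, and the "Example" check reflects the marker line that ClamAV's sample configuration files ship with.

```shell
# Added example: lint clamd.conf and freshclam.conf for the settings this page
# relies on. conf_get, check_clamav_conf and demo are hypothetical names.
# Print the value of the first uncommented KEY directive in FILE.
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Usage: check_clamav_conf CLAMD_CONF FRESHCLAM_CONF
# Prints one line per problem; returns 0 only if none were found.
check_clamav_conf() {
    clamd_conf=$1 fresh_conf=$2 problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    # The sample configs ship with an active "Example" line that must be disabled.
    for f in "$clamd_conf" "$fresh_conf"; do
        if grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$f"; then
            fail "$f: 'Example' line is still active"
        fi
    done

    [ "$(conf_get "$clamd_conf" AllowSupplementaryGroups)" = yes ] ||
        fail "clamd: AllowSupplementaryGroups is not 'yes'"

    # LocalSocket has no default, and LogFile requires a full path.
    for key in LocalSocket LogFile; do
        case "$(conf_get "$clamd_conf" "$key")" in
            /*) ;;
            *)  fail "clamd: $key is not set to an absolute path" ;;
        esac
    done

    # freshclam must write signatures to the directory clamd loads them from.
    clamd_db=$(conf_get "$clamd_conf" DatabaseDirectory)
    fresh_db=$(conf_get "$fresh_conf" DatabaseDirectory)
    [ -n "$clamd_db" ] && [ "$clamd_db" = "$fresh_db" ] ||
        fail "DatabaseDirectory differs: clamd='$clamd_db' freshclam='$fresh_db'"
    [ "$problems" -eq 0 ]
}

# Demo on constructed files: freshclam.conf is left half-edited.
demo() {
    d=$(mktemp -d) rc=0
    printf '%s\n' 'AllowSupplementaryGroups yes' 'LogFile /var/log/clamd.log' \
        'LocalSocket /var/lib/clamd.socket' 'DatabaseDirectory /var/lib/clamav' > "$d/clamd.conf"
    printf '%s\n' 'Example' 'DatabaseDirectory /var/clamav' > "$d/freshclam.conf"
    check_clamav_conf "$d/clamd.conf" "$d/freshclam.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "demo: configuration needs attention"
```

On the installed system, run it as check_clamav_conf /usr/local/etc/clamd.conf /usr/local/etc/freshclam.conf before starting the services.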
Init Script
Copy the init script from the source code to the init.d folder. Here is a copy of it:
/etc/rc.d/init.d/clamd
#! /bin/bash
#
# clamd         Start/Stop the clam antivirus daemon.
#
# chkconfig: 2345 70 41
# description: clamd is a standard Linux/UNIX program that scans for viruses.
# processname: clamd
# config: /usr/local/etc/clamd.conf
# pidfile: /var/run/clamd.pid

# Source function library.
. /etc/init.d/functions

RETVAL=0

# See how we were called.
prog="clamd"
progdir="/usr/local/sbin"

# Source configuration
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi

start() {
    echo -n $"Starting $prog: "
    # Don't allow files larger than 20M to be created, to limit DoS
    # Needs to be large enough to extract the signature files
    ulimit -f 20000
    LANG= daemon $progdir/$prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    # Would be better to send QUIT first, then killproc if that fails
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
    return $RETVAL
}

rhstatus() {
    status clamd
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading clam daemon configuration: "
    killproc clamd -HUP
    # Capture the exit status in RETVAL so the return below reports it
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/clamd ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac

exit $?
# chmod +x /etc/rc.d/init.d/clamd
Now we need to set up freshclam to run as a daemon. No script is provided with the source code, so I wrote one based on the clamd script. Copy it to /etc/rc.d/init.d/freshclam.
Make sure that the progdir variable in the freshclam script is set correctly.
/etc/rc.d/init.d/freshclam
#! /bin/bash
#
# freshclam     Start/Stop the freshclam updater for the clam antivirus daemon.
#
# chkconfig: 2345 70 41
# description: freshclam is a standard Linux/UNIX program that updates the virus definitions for clam.
# processname: freshclam
# config: /usr/local/etc/freshclam.conf
# pidfile: /var/run/freshclam/freshclam.pid

# Source function library.
. /etc/init.d/functions

RETVAL=0

# See how we were called.
prog="freshclam"
progdir="/usr/local/bin"
progargs="-d -p /var/run/freshclam/freshclam.pid"

# Source configuration
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi

start() {
    echo -n $"Starting $prog: "
    # Don't allow files larger than 20M to be created, to limit DoS
    # Needs to be large enough to extract the signature files
    ulimit -f 20000
    LANG= daemon "$progdir/$prog $progargs"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    # Would be better to send QUIT first, then killproc if that fails
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/freshclam
    return $RETVAL
}

rhstatus() {
    status freshclam
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading freshclam daemon configuration: "
    killproc freshclam -HUP
    # Capture the exit status in RETVAL so the return below reports it
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/freshclam ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac

exit $?
# chmod +x /etc/rc.d/init.d/freshclam
# chmod +x /etc/rc.d/init.d/clamd
Once everything is in place, start the services and configure them to start automatically.
# service freshclam start
# service clamd start
# chkconfig freshclam on
# chkconfig clamd on
Filesystem Permissions
Lock down the home directory for clamav
# chown -R clamav:clamav /var/lib/clamav
# chmod -R 0755 /var/lib/clamav
