jbenden / mod_clamav

Mod_Clamav for ProFTPd

doesn't work with mod_sftp, no logging, does not work with clamav drop privileges

george2asenov opened this issue · comments

It appears that this module does not work at all when mod_sftp is loaded and an SFTP connection is used.
It appears as a loaded module, but the debug log shows nothing related to mod_clamav.

Also, when it works with an FTP connection, it does not log to the xfer log if the file is deleted because a virus was found.

And if clamav is set to drop privileges, it works only with streaming. This is because otherwise clamav does not have permission to access the file. Probably there is no solution here, but...

CentOS 6.9

ProFTPD Version: 1.3.5d (maint)
Scoreboard Version: 01040003
Built: Fri Mar 17 2017 21:52:01 CDT

Loaded modules:
mod_clamav/0.14rc2
mod_sftp/0.9.9
mod_vroot/0.9.2
mod_lang/1.0
mod_ctrls/0.9.5
mod_cap/1.1
mod_tls/2.6
mod_auth_pam/1.2
mod_readme/1.0
mod_ident/1.0
mod_dso/0.5
mod_facts/0.4
mod_delay/0.7
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/1.0
mod_auth_unix.c
mod_rlimit/1.0
mod_xfer.c
mod_core.c

Could you provide the full proftpd.conf that you're using? In particular, I am wondering if you are encountering an issue similar to this one reported on the ProFTPD forums...

Hello,
Yes, that fixed the SFTP scan attempt, but there is a new issue.
mod_clamav/0.14rc2: Successfully reconnected to Clamd.
2017-05-23 07:20:23,774 v6.trafficplanethosting.com proftpd[32677] 0.0.0.0 (208.100.3.216[208.100.3.216]): mod_clamav/0.14rc2: Cannot open file '/shelove.zip' errno=2.
2017-05-23 07:20:23,774 v6.trafficplanethosting.com proftpd[32677] 0.0.0.0 (208.100.3.216[208.100.3.216]): mod_clamav/0.14rc2: removing failed upload of filename = '/home/update-wpx/shelove.zip' with relative filename = '/shelove.zip'.
It tries to send the relative filename to clamd. I faced the same problem with plain FTP, but changing line 228 from:
fd = fopen(rel_filename, "r");
to:
fd = fopen(abs_filename, "r");
did the trick for classic FTP, but now I have the same issue with SFTP!

Also, what about a proper entry in the xfer log when a virus is detected?
And a proper status code to prevent FTP clients like FileZilla from retrying uploads of files with viruses?

What I have discovered is that the line change mentioned above breaks the scan for SFTP but fixes it for FTP...
So for SFTP it should be:
fd = fopen(rel_filename, "r");
For FTP it should be:
fd = fopen(abs_filename, "r");
That is a bit strange.

Here is the full proftpd config:

LoadModule mod_vroot.c
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User nobody
Group nobody
MaxInstances 50
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
<IfDefine DYNAMIC_BAN_LISTS>
LoadModule mod_ban.c
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/run/proftpd/ban.tab
BanOnEvent MaxLoginAttempts 100/00:10:00 01:00:00
BanMessage "Host %a has been banned for 1 hour due to too many attempts with wrong username/password"
BanControlsACLs all allow user ftpadm
</IfDefine>
<Global>
Umask 022
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
ListOptions "-a"
MaxClients 20
MaxClientsPerUser 10
MaxLoginAttempts 50
</Global>
TimeoutNoTransfer 60
<IfDefine ANONYMOUS_FTP>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
UserAlias anonymous ftp
MaxClients 10 "Sorry, max %m users -- try again later"
DisplayLogin /welcome.msg
DisplayChdir .message
DisplayReadme README*
DirFakeUser on ftp
DirFakeGroup on ftp
<Limit WRITE SITE_CHMOD>
DenyAll
</Limit>
<Directory uploads/*>
AllowOverwrite no
<Limit READ>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
WtmpLog off
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
</Anonymous>
</IfDefine>
<IfModule mod_dso.c>
LoadModule mod_clamav.c
</IfModule>
<IfModule mod_clamav.c>
ClamAV on
ClamServer 127.0.0.1
ClamStream on
ClamPort 3310
</IfModule>
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
ServerName "TPH SFTP Server"
SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log
DefaultRoot ~
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthMethods password
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
SFTPTrafficPolicy none
# Enable compression
SFTPCompression delayed
<IfModule mod_clamav.c>
ClamAV on
ClamServer 127.0.0.1
ClamStream on
ClamPort 3310
</IfModule>
</VirtualHost>
</IfModule>

Would it be helpful to stream the content to Clamd instead?
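The difference between the two scan modes behind this thread (the `Cannot open file '/shelove.zip' errno=2` error, the rel_filename/abs_filename change, and the `ClamStream on` setting), shown as an added example. This is not mod_clamav's code and not from either participant: it is a small Python client that builds clamd's SCAN (path-based) and INSTREAM (content-based) requests and parses the replies. The host/port are the ClamServer/ClamPort values from the posted config, the chroot root `/home/update-wpx` and relative name `/shelove.zip` are taken from the log lines, and the function names and the reply strings used in the comments are my assumptions about a stock clamd.

```python
"""Minimal clamd client: path-based SCAN versus content-based INSTREAM.

Added example, not mod_clamav's own code. Assumed: a stock clamd speaking
its TCP protocol on 127.0.0.1:3310 (ClamServer/ClamPort from the config).
"""
import os
import socket
import struct
from typing import Optional, Tuple

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310
CHUNK = 8192  # size of each INSTREAM chunk; anything below clamd's StreamMaxLength works


def absolute_path_outside_chroot(chroot: str, rel_filename: str) -> str:
    """Map a chroot-relative upload name (ProFTPD's 'relative filename') to
    the path clamd sees from outside the chroot, refusing '..' escapes.
    Uses normpath only; a production check should realpath() the result so a
    symlink inside the chroot cannot point clamd at a file outside it."""
    root = os.path.normpath(chroot)
    full = os.path.normpath(os.path.join(root, rel_filename.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        raise ValueError(f"{rel_filename!r} escapes chroot {chroot!r}")
    return full


def build_scan_command(abs_path: str) -> bytes:
    """SCAN: clamd opens the file itself, so the path must be absolute from
    clamd's point of view and readable by the (possibly unprivileged) clamd
    user. The 'z' prefix selects NUL-terminated command and reply."""
    if not abs_path.startswith("/"):
        raise ValueError("clamd needs an absolute path, not a chroot-relative one")
    if "\0" in abs_path or "\n" in abs_path:
        raise ValueError("path contains a protocol delimiter")
    return b"zSCAN " + abs_path.encode() + b"\0"


def build_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """INSTREAM: we read the file and push its bytes, so clamd needs no
    filesystem access at all. Framing: b'zINSTREAM\\0', then repeated
    <4-byte big-endian length><bytes>, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(raw: bytes) -> Tuple[str, Optional[str]]:
    """Turn one clamd reply into (verdict, detail). Reply shapes assumed:
      b'stream: OK\\0'                              -> ('clean', None)
      b'/tmp/x: Eicar-Test-Signature FOUND\\0'      -> ('infected', 'Eicar-Test-Signature')
      b'/x: lstat() failed: No such file ... ERROR\\0' -> ('error', 'lstat() failed: ...')
    Splits on the first ': ' because ERROR messages themselves contain ': '."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _target, _, rest = text.partition(": ")
    if rest == "OK":
        return "clean", None
    if rest.endswith(" FOUND"):
        return "infected", rest[: -len(" FOUND")]
    if rest.endswith(" ERROR"):
        return "error", rest[: -len(" ERROR")]
    return "error", text


def scan_upload(rel_filename: str, chroot: str, stream: bool = True) -> Tuple[str, Optional[str]]:
    """Scan one uploaded file. stream=True mirrors 'ClamStream on'; stream=False
    mirrors the path-based mode that fails when clamd cannot read the file."""
    abs_path = absolute_path_outside_chroot(chroot, rel_filename)
    if stream:
        with open(abs_path, "rb") as f:  # opened with *our* privileges, not clamd's
            request = build_instream(f.read())
    else:
        request = build_scan_command(abs_path)
    with socket.create_connection((CLAMD_HOST, CLAMD_PORT), timeout=30) as s:
        s.sendall(request)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    import sys
    # usage: python clamd_client.py /shelove.zip /home/update-wpx [path]
    rel, root = sys.argv[1], sys.argv[2]
    mode = len(sys.argv) < 4 or sys.argv[3] != "path"
    print(scan_upload(rel, root, stream=mode))
```

With a clamd that has dropped privileges, the `stream=False` path reproduces the failure from the log (`errno=2` when the relative name is sent, or a permission error when clamd cannot read the user's home), while `stream=True` succeeds because the bytes are read by the process that already has access to the upload.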

Also, I was wondering if this ticket is still active or is old... Please advise, and sorry about the delay; I did not notice it until now... :(