Mod_Clamav : Virus scanning for ProFTPd

Overview

Thralling Penguin maintains an add-on module for the excellent ProFTPd FTP server which scans newly uploaded files for viruses before the upload is allowed to complete. With Mod_Clamav you can ensure that your FTP sites do not contain virus-laden files which may be downloaded by your users and clients. The benefits of such a module are invaluable for sites which run anonymous FTP and for companies which have strict IT requirements.


Latest Release

The current release requires Clamd from the ClamAV software. Mod_Clamav may be configured to either use Clamd via local unix sockets or TCP sockets. This allows one to combine ProFTPd with Mod_Clamav and Clamd on a system with local unix sockets for minimal administrative overhead and decent security; however, it also allows for a large scale deployment with many ProFTPd servers utilizing a separate Clamd host over TCP for scalability and lower administrative overhead.

Additional features include:

  • HiddenStore support
  • Chroot environments
  • Reporting a detected virus to the remote FTP client and ProFTPd logging
  • Clamd TCP socket support
  • Clamd Unix socket support
  • Automatic TCP/Unix socket reconnect support
  • Minimum and Maximum file sizes to scan
  • Additional debug logging when ProFTPd is configured for debugging level 4 or higher.
  • Simple configuration
  • Graceful failures - If any error condition happens (including a connection failure to Clamd), Mod_Clamav always logs the problem and performs no scanning.

Source code and Downloads
https://github.com/jbenden/mod_clamav

Warning for Mod_Clamav 0.10 and higher!

It is highly recommended that Unix socket connections (ClamLocalSocket)
are avoided when using the Chroot feature of ProFTPd.

The reason is quite simple: if Mod_Clamav needs to reconnect to Clamd
for any reason, the actual Unix socket will be unavailable within the
chrooted environment.

Starting with version 0.10, Mod_Clamav no longer connects to Clamd at 
the start of the FTP session. Mod_Clamav now waits until a transfer 
is complete; then proceeds to connect. There are two primary reasons 
for this change:

1. Performance and scalability - In high load environments, it is 
   wasteful to keep the file descriptor open when it is not directly 
   in use.

2. To better support configuration directives (like IfUser and IfGroup)
   and properly merge configuration directives down.
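
Because the module connects to Clamd only after a transfer completes, and performs no scanning when that connection fails, a monitoring probe against the same Clamd endpoint shows when uploads are going unscanned. The following is an added example, not part of Mod_Clamav or the original page; it uses clamd's PING command (reply PONG), and the function names are illustrative assumptions.

```python
import socket

def open_clamd(local_socket=None, server=None, port=3310, timeout=5.0):
    """Connect the way ClamLocalSocket or ClamServer/ClamPort would."""
    if local_socket:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect(local_socket)
        except OSError:
            s.close()
            raise
        return s
    return socket.create_connection((server, port), timeout=timeout)

def clamd_alive(sock):
    """Send PING on a connected socket and require exactly PONG back."""
    try:
        sock.sendall(b"nPING\n")          # 'n' prefix: newline-delimited command
        reply = b""
        while not reply.endswith(b"\n") and len(reply) < 64:
            chunk = sock.recv(64)
            if not chunk:                 # peer closed before answering
                break
            reply += chunk
        return reply.strip() == b"PONG"
    except OSError:                       # includes timeouts and broken pipes
        return False
    finally:
        sock.close()

def check(local_socket=None, server=None, port=3310):
    """True only if Clamd is reachable and answers; any failure is False."""
    try:
        return clamd_alive(open_clamd(local_socket, server, port))
    except OSError:
        return False

if __name__ == "__main__":
    # Endpoint values are assumptions; use the ones from your proftpd.conf.
    print("clamd reachable:", check(server="localhost", port=3310))
```

For a ClamLocalSocket deployment with chroot, run the probe with the socket path as seen from inside the chroot, since that is the view a reconnect gets.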

ClamAV version 0.88

ClamAV version 0.88 introduced a hard-coded 5 second timeout for sessions,
which caused this module to experience problems. The bug was resolved on
March 26, 2006, and the fix appears in version 0.88.1 and newer, together
with a new configuration directive for Clamd called ReadTimeout. The
ReadTimeout value has a default of 120 in version 0.88.1, instead of the
prior 5 second hard-coded value.


Installation

To install Mod_Clamav, download and unpack the Mod_Clamav source code.

wget http://www.thrallingpenguin.com/resources/mod_clamav-0.10.tar.gz
tar xzvf mod_clamav-0.10.tar.gz

Download the latest proftpd source code, and prepare it for building Mod_Clamav.

wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.1.tar.gz
tar xzvf proftpd-1.3.1.tar.gz
cp mod_clamav-0.10/mod_clamav.* proftpd-1.3.1/contrib

Apply the required patch:

cd proftpd-1.3.1
patch -p1 < ../mod_clamav-0.10/proftpd.patch

Now the usual steps for building ProFTPd, using third-party modules, apply. Additionally, you may change any configure arguments to meet your needs.

./configure --with-modules=mod_clamav
make
make install

Configuration

The following directives are available in ProFTPd when using Mod_Clamav.

ClamAV

Syntax: ClamAV boolean
Default: Off
Context: server config, <Limit>, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: 1.2.10 or newer

The ClamAV directive controls whether Mod_Clamav's virus scanning and virus removal features are active. If no ClamAV directive is configured, then the module will do no virus scanning.

ClamLocalSocket

Syntax: ClamLocalSocket string
Default: None
Context: server config, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: 1.2.10 or newer

The ClamLocalSocket directive will configure the UNIX socket used to connect to the Clamd daemon process. If no ClamLocalSocket directive is configured, then the module will do no Unix local socket Clamd scanning.

ClamServer

Syntax: ClamServer string
Default: None
Context: server config, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.6 or newer

The ClamServer directive will configure the hostname/IP address used to connect to the Clamd daemon process. If no ClamServer directive is configured, then the module will do no TCP Clamd scanning.

ClamPort

Syntax: ClamPort integer
Default: 3310
Context: server config, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.6 or newer

The ClamPort directive will configure the TCP port used to connect to the Clamd daemon process. If no ClamPort directive is configured, then the module will use the Clamd default TCP port of 3310.

ClamMinSize

Syntax: ClamMinSize integer <units>
Default: 0
Context: server config, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.10 or newer

The ClamMinSize directive will configure the minimum file size for scanning. If the file size is smaller than this value, then the module will do no scanning.

The given integer (may be an unsigned long) is the number of bytes for the directive, and is followed by a units specifier of (case-insensitive) "Gb" (Gigabytes), "Mb" (Megabytes), "Kb" (Kilobytes), or "B" (Bytes). The given integer of bytes is multiplied by the appropriate factor. A value of zero (0) disables this directive.

ClamMaxSize

Syntax: ClamMaxSize integer <units>
Default: 0
Context: server config, <VirtualHost>, <Global>, <Directory>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.10 or newer

The ClamMaxSize directive will configure the maximum file size for scanning. If the file size is larger than this value, then the module will do no scanning.

The given integer (may be an unsigned long) is the number of bytes for the directive, and is followed by a units specifier of (case-insensitive) "Gb" (Gigabytes), "Mb" (Megabytes), "Kb" (Kilobytes), or "B" (Bytes). The given integer of bytes is multiplied by the appropriate factor. A value of zero (0) disables this directive.


Configuration Examples

Single system with both ProFTPd and Clamd utilizing Unix local sockets.

<IfModule mod_clamav.c>
   ClamAV on
   ClamLocalSocket /tmp/clamd
</IfModule>

Single system with both ProFTPd and Clamd utilizing TCP sockets.

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
</IfModule>

Single system with both ProFTPd and Clamd utilizing TCP sockets. Additionally, only files whose size is less than 250MB will be scanned.

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
   ClamMaxSize 250 Mb
</IfModule>
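
The directives above leave several ways for an upload to go unscanned: ClamAV off, no Clamd endpoint, a Unix socket combined with chroot, or a file outside the ClamMinSize/ClamMaxSize window. The following added example (not part of Mod_Clamav or the original page) audits a proftpd.conf snippet for those conditions. It assumes chroot is configured with ProFTPd's DefaultRoot directive and that the unit factors are binary multiples, which the page does not specify.

```python
import re

# Assumption: binary multiples; the page only says "the appropriate factor".
UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

# Constructed sample, not from the page: chroot via DefaultRoot plus a Unix socket.
SAMPLE = """\
DefaultRoot ~
<IfModule mod_clamav.c>
   ClamAV on
   ClamLocalSocket /tmp/clamd
   ClamMaxSize 250 Mb
</IfModule>
"""

def parse_directives(conf_text):
    """Flatten a proftpd.conf snippet to {directive: [args, ...]} (section scope is ignored)."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):  # blank, comment, or <Section> tag
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def size_bytes(arg):
    """Convert 'integer <units>' to bytes, e.g. '250 Mb' -> 262144000."""
    m = re.fullmatch(r"(\d+)\s*(gb|mb|kb|b)?", arg.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {arg!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "b").lower()]

def audit(conf_text):
    """Return the conditions under which uploads would go unscanned."""
    d, findings = parse_directives(conf_text), []
    if [v.lower() for v in d.get("clamav", [])][-1:] != ["on"]:
        findings.append("ClamAV is not on: no scanning")
    if "clamlocalsocket" not in d and "clamserver" not in d:
        findings.append("no ClamLocalSocket or ClamServer: no Clamd endpoint")
    if "clamlocalsocket" in d and "defaultroot" in d:
        findings.append("ClamLocalSocket with chroot (DefaultRoot): socket unavailable on reconnect")
    for name, rel in (("ClamMinSize", "smaller"), ("ClamMaxSize", "larger")):
        for arg in d.get(name.lower(), []):
            if size_bytes(arg):
                findings.append(f"{name} {arg}: files {rel} than {size_bytes(arg)} bytes are not scanned")
    return findings
```

Calling audit(SAMPLE) reports the chroot/Unix socket combination and the 250 Mb ceiling; the same configuration with ClamServer and ClamPort and no size limit returns an empty list.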

Prior Releases

Mod_Clamav version 0.5 was the first release to include Clamd support. It has been marked as a prior unsupported version, but is available below.

Mod_Clamav version 0.7 included partial support for HiddenStore and Chroot environments.


References

ClamAV
http://www.clamav.net/

ProFTPd
http://www.proftpd.org/

How-To: Using ProFTPd, Clamav, and Mod_Clamav with the DirectAdmin hosting platform
http://www.directadmin.com/forum/showthread.php?t=30855


About the Author

Joseph Benden, Sr. is the owner of Thralling Penguin LLC. Thralling Penguin designs, develops, and extends software technologies for the most demanding business applications, as well as offering VoIP Consulting services.