  #1  
Old 5th February 2011, 21:02
LightVision
proftpd - Scan incoming files without mod_clamav

I have the following problem: how to scan incoming FTP files without using proftpd mod_clamav in Debian Lenny.
Why? The reason is simple. I use Debian for my servers due to its stability, and compiling proftpd myself to support mod_clamav leads to problems I could not manage in time, like recompiling every time there is a security bug, etc.

A script running, let's say every minute, from a cron-job, should be fine.

So I have a solution, but I don't know how to implement it, because I don't know bash.
If there is anybody who knows bash and is willing to help me, this is what should be implemented:

ProFTPD writes the transfer log to /var/log/proftpd/xferlog.
Here is an example:
Sat Feb 5 19:14:12 2011 0 vip-srv1.grupnet.ro 68 /home/vhost/template/template.tld/public_html/eicar.com.txt a _ i r marius@template.tld ftp 0 * c

a_i means ascii incoming;
/home/vhost/template/template.tld/public_html/eicar.com.txt is the full path to uploaded file

The bash script (scan_incomming_ftp.sh) should check whether, in the last xx seconds from the current time, there were any of the following records in xferlog: a _ i or b _ i, which means an upload.
If that is true, then it should extract the names of the uploaded files from the log and create a string with all matches (let's say the string is incoming_files).
At the end, the script should call clamdscan with incoming_files as parameter + --remove.

A more elaborate version could mail the administrator to let him know which user did bad things.

Thank you very much in advance.
  #2  
Old 6th February 2011, 22:49
LightVision
I give a partial answer myself

Here is a partial answer; the script is written in PHP.


PHP Code:
#!/usr/bin/php
<?php
/**
 * Scan Incoming ProFTPd files
 * @copyright Marius Ionel <webmaster@grupnet.ro>
 */

// We need to initialize variables
$CheckInterval = 60; // check interval in seconds; 1 minute should be enough
$PathToLog = '/var/log/proftpd/xferlog'; // path to log file, including file
$FilesToScan = ''; // Files need to be checked by antivirus

// Let's rock'n'roll

// get current time
$EndCheckTime = time();

// compute the interval to check
$StartCheckTime = $EndCheckTime - $CheckInterval;

// get the log file as array in reversed order
$ArrayLog = array_reverse(file($PathToLog));

// parse the array log to find a match in date and file operation
$ParseLog = TRUE;
$LogCounter = 0;
// also stop when the whole log has been read
while ($ParseLog == TRUE && isset($ArrayLog[$LogCounter])) {
    // get the current line of the log; split on runs of whitespace so the
    // field positions do not depend on how the day of month is padded
    $CurrentLogLine = preg_split('/\s+/', trim($ArrayLog[$LogCounter]));

    // skip lines that do not have all the fields used below
    if (count($CurrentLogLine) < 12) {
        $LogCounter++;
        continue;
    }

    // get date from the current log line (weekday, month, day, time, year)
    $LogLineDate = strtotime($CurrentLogLine[0] . ' ' .
            $CurrentLogLine[1] . ' ' .
            $CurrentLogLine[2] . ' ' .
            $CurrentLogLine[3] . ' ' .
            $CurrentLogLine[4]);

    // Check the date from the current log line
    if ($LogLineDate >= $StartCheckTime) {
        // current line is in interval, but is it really an upload?
        $CurrentLogOperation = $CurrentLogLine[9] . $CurrentLogLine[10] . $CurrentLogLine[11];

        if ($CurrentLogOperation == 'a_i' || $CurrentLogOperation == 'b_i') {
            // upload
            $FilesToScan = $FilesToScan . $CurrentLogLine[8] . ' ';
        }

        // increment the counter to check another line
        $LogCounter++;
    } else {
        // nothing to check in the current interval
        $ParseLog = FALSE;
    }
}

// Let's check if we have files to scan
if ($FilesToScan <> '') {
    // call the antivirus with $FilesToScan as parameter.
    // Obviously we delete the infected files!
    // clamdscan ...
}

// get the current time again
$ExecutionTime = time();

// We should run as a daemon, so sleep until we should run again
time_sleep_until($ExecutionTime + $CheckInterval);
// we should call itself
?>
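
The procedure described in the first post, written as the shell script it asks for. This is an added example, not part of the original posts; it hands each logged path to clamdscan as a separate argument instead of one joined string, because the file names are chosen by the FTP user. It assumes GNU date and tac, and the SCANNER variable and the "--run" switch are hypothetical names introduced here.

```bash
#!/bin/sh
# Added example (not from the thread). Needs GNU date and tac (coreutils).

# recent_uploads LOG WINDOW [NOW]
# Print the path of each upload ("a _ i" or "b _ i") logged during the last
# WINDOW seconds, newest first. NOW is epoch seconds, default: current time.
recent_uploads() {
    log=$1 window=$2 now=${3:-$(date +%s)}
    # New entries are appended, so read the log backwards and stop at the
    # first entry older than the window. read splits on runs of blanks, so a
    # space-padded day of month does not shift the fields.
    tac "$log" | while read -r wd mon day tm yr secs host size path mode flag dir rest; do
        [ -n "$yr" ] || continue                       # blank or short line
        ts=$(date -d "$mon $day $yr $tm" +%s 2>/dev/null) || continue
        [ "$ts" -ge $((now - window)) ] || break
        case "$mode$flag$dir" in a_i|b_i) ;; *) continue ;; esac
        # Absolute paths only, so no logged name can be taken as an option.
        case $path in /*) printf '%s\n' "$path" ;; esac
    done
}

# scan_recent_uploads LOG WINDOW [NOW]
# Call the scanner once with every recent upload as a separate argument.
# SCANNER is a hypothetical override for testing; the default is clamdscan.
scan_recent_uploads() {
    files=$(recent_uploads "$@" | sort -u)
    [ -n "$files" ] || return 0        # no uploads: do not start the scanner
    # Split on newlines only and with globbing off: the FTP user chooses the
    # file names, and characters such as ";" or "*" must stay literal.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $files
    set +f
    IFS=$old_ifs
    # clamdscan exits 1 when it found something, which a cron wrapper can
    # use to mail the administrator.
    "${SCANNER:-clamdscan}" --remove --no-summary "$@"
}

# Cron entry point: only runs when the script is started with "--run".
if [ "${1:-}" = "--run" ]; then
    scan_recent_uploads /var/log/proftpd/xferlog "${2:-60}"
fi
```

The log timestamps are read in the local time zone, so the script has to run with the same TZ setting as ProFTPD.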