How To Integrate ClamAV (Through mod_clamav) Into ProFTPd For Virus Scanning On Debian Lenny

    1. Preliminary Note
    2. Installing ClamAV
    3. Rebuilding ProFTPd
    4. Configuring ProFTPd
    5. Links

    This tutorial explains how you can integrate ClamAV into ProFTPd for virus scanning on a Debian Lenny system. This is achieved through mod_clamav. In the end, whenever a file gets uploaded through ProFTPd, ClamAV will check the file and delete it if it is malware.

    I do not issue any guarantee that this will work for you!


    1 Preliminary Note

    You should have a working ProFTPd setup on your Debian Lenny server.


    2 Installing ClamAV

    ClamAV can be installed as follows:

    aptitude install clamav clamav-daemon libclamav-dev

    Now we must reconfigure ClamAV so that Clamd uses TCP connections instead of a local Unix socket. It is highly recommended that Unix socket connections are avoided when using the Chroot feature of ProFTPd (DefaultRoot ~). The reason is that if mod_clamav needs to connect to Clamd, the Unix socket is not available in the chroot environment.


    dpkg-reconfigure clamav-base

    ... and answer these questions as follows (accept the default values for all other questions):

    Socket type: <-- TCP
    TCP port clamd will listen on: <-- 3310
    IP address clamd will listen on: <--

    Then restart Clamd and freshclam:

    /etc/init.d/clamav-daemon restart
    /etc/init.d/clamav-freshclam restart

    Now run

    netstat -tap | grep clamd

    ... and you should see that Clamd is listening on localhost through TCP:

    server1:~# netstat -tap | grep clamd
    tcp        0      0 localhost.localdom:3310 *:*                     LISTEN      29430/clamd
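
    Clamd's TCP protocol has no authentication, so the listener should stay on a loopback address. The following check is an added example, not part of the original tutorial: it parses a clamd.conf body and reports when the TCP listener is not loopback-only. The sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of /etc/clamav/clamd.conf after the reconfiguration above.
SAMPLE_CONF = """\
# Automatically generated by clamav-base postinst
User clamav
TCPSocket 3310
TCPAddr 127.0.0.1
"""

def parse_clamd_conf(text):
    """Return {directive: [values]} for a clamd.conf body, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_listener(text):
    """List exposure findings for clamd's TCP listener; an empty list means loopback only."""
    conf = parse_clamd_conf(text)
    if "TCPSocket" not in conf:
        return ["TCPSocket not set: clamd is not listening on TCP at all"]
    findings = []
    addrs = conf.get("TCPAddr", [])
    if not addrs:
        # Without TCPAddr, clamd binds to INADDR_ANY (every interface).
        findings.append("TCPAddr missing: clamd binds to every interface")
    for addr in addrs:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = addr == "localhost"  # host name instead of an IP literal
        if not loopback:
            findings.append(f"TCPAddr {addr} is not a loopback address")
    return findings

if __name__ == "__main__":
    for finding in audit_listener(SAMPLE_CONF) or ["ok: clamd TCP listener is loopback only"]:
        print(finding)
```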


    3 Rebuilding ProFTPd

    Unfortunately mod_clamav isn't part of ProFTPd by default, and there's no Debian package for mod_clamav, so we have to rebuild ProFTPd with mod_clamav. I will use the Debian source package of ProFTPd and build new ProFTPd .deb packages with mod_clamav support.

    First we install all packages that are needed to rebuild ProFTPd:

    aptitude build-dep proftpd

    We also need the following package (which doesn't get installed by the previous command for some reason...):

    aptitude install libpam-dev

    Now we download the ProFTPd source package to /usr/src:

    cd /usr/src
    apt-get source proftpd

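    Next we download mod_clamav to /usr/src and unpack it. Note that --no-check-certificate turns off TLS certificate verification, so wget does not authenticate the server the tarball comes from: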

    wget --no-check-certificate
    tar xzvf mod_clamav-0.11rc.tar.gz

    Then we copy the mod_clamav-0.11rc/mod_clamav.* files to the proftpd-dfsg-1.3.1/contrib directory...

    cp mod_clamav-0.11rc/mod_clamav.* proftpd-dfsg-1.3.1/contrib

    ... and patch the ProFTPd sources:

    cd proftpd-dfsg-1.3.1
    patch -p1 < ../mod_clamav-0.11rc/proftpd.patch

    Next we must edit debian/rules:

    vi debian/rules

    Search the CONF_ARGS section and add --with-modules=mod_clamav to it:

    CONF_ARGS := --prefix=/usr \
                 --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \
                 --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \
                 --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \
                 --enable-ipv6 --enable-nls --with-modules=mod_clamav

    Now we can rebuild ProFTPd:


    Now we go one directory up, that's where the new .deb packages have been created:

    cd ..

    The command

    ls -l

    shows you the available packages:

    server1:/usr/src# ls -l
    total 5472
    drwxr-xr-x  2  501  501    4096 2009-04-20 10:22 mod_clamav-0.11rc
    -rw-r--r--  1 root src     5115 2010-10-01 03:28 mod_clamav-0.11rc.tar.gz
    -rw-r--r--  1 root src   195066 2010-10-01 03:32 proftpd_1.3.1-17lenny4_all.deb
    -rw-r--r--  1 root src   690228 2010-10-01 03:32 proftpd-basic_1.3.1-17lenny4_i386.deb
    drwxr-xr-x 13 root root    4096 2010-10-01 03:32 proftpd-dfsg-1.3.1
    -rw-r--r--  1 root src   107998 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.diff.gz
    -rw-r--r--  1 root src     1103 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.dsc
    -rw-r--r--  1 root src     3305 2010-10-01 03:32 proftpd-dfsg_1.3.1-17lenny4_i386.changes
    -rw-r--r--  1 root src  2662056 2007-10-16 01:02 proftpd-dfsg_1.3.1.orig.tar.gz
    -rw-r--r--  1 root src  1255660 2010-10-01 03:32 proftpd-doc_1.3.1-17lenny4_all.deb
    -rw-r--r--  1 root src   213004 2010-10-01 03:32 proftpd-mod-ldap_1.3.1-17lenny4_i386.deb
    -rw-r--r--  1 root src   203562 2010-10-01 03:32 proftpd-mod-mysql_1.3.1-17lenny4_i386.deb
    -rw-r--r--  1 root src   203512 2010-10-01 03:32 proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb

    We can install the new ProFTPd .deb packages as follows:

    dpkg -i proftpd*.deb


    4 Configuring ProFTPd

    Now we must configure ProFTPd to use mod_clamav whenever a file is uploaded. Open /etc/proftpd/proftpd.conf...

    vi /etc/proftpd/proftpd.conf

    ... and add the stanza

    <IfModule mod_clamav.c>
       ClamAV on
       ClamPort 3310
    </IfModule>

    somewhere, e.g. below the

    <IfModule mod_ctrls_admin.c>
    AdminControlsEngine off
    </IfModule>

    stanza:

    <IfModule mod_ctrls_admin.c>
    AdminControlsEngine off
    </IfModule>

    <IfModule mod_clamav.c>
       ClamAV on
       ClamPort 3310
    </IfModule>

    # Alternative authentication frameworks
    #Include /etc/proftpd/ldap.conf
    Include /etc/proftpd/sql.conf

    Restart ProFTPd:

    /etc/init.d/proftpd restart

    Now check if mod_clamav is loaded by running:

    proftpd -vv

    mod_clamav should be listed in the output:

    server1:~# proftpd -vv
     - ProFTPD Version: 1.3.1 (stable)
     -   Scoreboard Version: 01040002
     -   Built: Fri Oct 1 03:31:03 CEST 2010
     -     Module: mod_core.c
     -     Module: mod_xfer.c
     -     Module: mod_auth_unix.c
     -     Module: mod_auth_file/0.8.3
     -     Module: mod_auth.c
     -     Module: mod_ls.c
     -     Module: mod_log.c
     -     Module: mod_site.c
     -     Module: mod_delay/0.6
     -     Module: mod_dso/0.4
     -     Module: mod_auth_pam/1.0.1
     -     Module: mod_clamav.c
     -     Module: mod_cap/1.0
     -     Module: mod_ctrls/0.9.4
     -     Module: mod_lang/0.8

    That's it! Now whenever someone tries to upload malware to your server through ProFTPd, the "bad" file(s) will be deleted. You can test that by downloading the Eicar test virus and trying to upload it to your ProFTPd server; if all goes well, it should be deleted.
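
    If the upload test fails, it helps to know whether clamd itself or the mod_clamav integration is at fault. The following is an added example, not part of the original tutorial or of mod_clamav: it talks to clamd directly on the TCP port configured above and checks that it flags the Eicar string. It assumes a clamd version that supports the INSTREAM command (ClamAV 0.95 or later); the function names are hypothetical.

```python
import socket
import struct

# Standard EICAR test string (harmless, 68 bytes), split in two so this source
# file is not itself flagged by an on-access scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def frame_instream(data, chunk_size=4096):
    """Build an INSTREAM request: command, length-prefixed chunks, zero-length terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply):
    """Map a clamd reply to (status, detail), status being clean, infected or error."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("clean", "")
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("error", text)

def clamd_request(payload, host="127.0.0.1", port=3310, timeout=10):
    """Send one request to clamd and return the raw, NUL-terminated reply."""
    # Assumption: clamd listens on 127.0.0.1:3310, as configured in this tutorial.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply

def self_test(host="127.0.0.1", port=3310):
    """Return True when clamd answers PING and reports the EICAR string as infected."""
    if clamd_request(b"zPING\0", host, port) != b"PONG\0":
        return False
    return parse_reply(clamd_request(frame_instream(EICAR), host, port))[0] == "infected"

if __name__ == "__main__":
    print("clamd OK" if self_test() else "clamd did not detect EICAR")
```

    If this check passes but uploaded test files are not deleted, the problem lies in the ProFTPd/mod_clamav configuration rather than in clamd or its signature database.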


