How To Integrate ClamAV (Through mod_clamav) Into ProFTPd For Virus Scanning On Ubuntu 10.04

This tutorial explains how you can integrate ClamAV into ProFTPd for virus scanning on an Ubuntu 10.04 system. This is achieved through mod_clamav. In the end, whenever a file gets uploaded through ProFTPd, ClamAV will check the file and delete it if it is malware.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

You should have a working ProFTPd setup on your Ubuntu 10.04 server.

Because we will run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su


2 Installing ClamAV

ClamAV can be installed as follows:

aptitude install clamav clamav-daemon libclamav-dev

Now we must reconfigure ClamAV so that Clamd uses TCP connections instead of a local Unix socket. It is highly recommended that Unix socket connections are avoided when using the Chroot feature of ProFTPd (DefaultRoot ~). The reason is that if mod_clamav needs to connect to Clamd, the Unix socket is not available in the chroot environment.


dpkg-reconfigure clamav-base

... and answer these questions as follows (accept the default values for all other questions):

Socket type: <-- TCP
TCP port clamd will listen on: <-- 3310
IP address clamd will listen on: <--

Then restart Clamd and freshclam:

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Now run

netstat -tap | grep clamd

... and you should see that Clamd is listening on localhost through TCP:

root@server1:~# netstat -tap | grep clamd
tcp        0      0 localhost.localdom:3310 *:*                     LISTEN      7911/clamd


3 Rebuilding ProFTPd

Unfortunately mod_clamav isn't part of ProFTPd by default, and there's no Ubuntu package for mod_clamav, so we have to rebuild ProFTPd with mod_clamav. I will use the Ubuntu source package of ProFTPd and build new ProFTPd .deb packages with mod_clamav support.

First we install all packages that are needed to rebuild ProFTPd:

aptitude build-dep proftpd-dfsg

We also need the following packages:

aptitude install libpam-dev dpkg-dev libmysqlclient-dev debhelper libpq-dev libldap2-dev libwrap0-dev libcap2-dev autotools-dev libncurses5-dev dpatch libacl1-dev libattr1-dev unixodbc-dev libsqlite3-dev

Now we download the ProFTPd source package to /usr/src:

cd /usr/src
apt-get source proftpd-dfsg

Next we download mod_clamav to /usr/src and unpack it:

wget --no-check-certificate
tar xzvf mod_clamav-0.11rc.tar.gz

Then we copy the mod_clamav-0.11rc/mod_clamav.* files to the proftpd-dfsg-1.3.2c/contrib directory...

cp mod_clamav-0.11rc/mod_clamav.* proftpd-dfsg-1.3.2c/contrib

... and patch the ProFTPd sources:

cd proftpd-dfsg-1.3.2c
patch -p1 < ../mod_clamav-0.11rc/proftpd.patch

Next we must edit debian/rules:

vi debian/rules

Search the CONF_ARGS section and add --with-modules=mod_clamav to it:

CONF_ARGS := --prefix=/usr \
             --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \
             --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \
             --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \
             --enable-ipv6 --enable-nls --with-modules=mod_clamav

Now we can rebuild ProFTPd:


Now we go one directory up, that's where the new .deb packages have been created:

cd ..

The command

ls -l

shows you the available packages:

root@server1:/usr/src# ls -l
total 7500
drwxr-xr-x 24 root root    4096 2010-04-29 14:00 linux-headers-2.6.32-21
drwxr-xr-x  7 root root    4096 2010-04-29 14:00 linux-headers-2.6.32-21-server
drwxr-xr-x  2  501  501    4096 2009-04-20 10:22 mod_clamav-0.11rc
-rw-r--r--  1 root src     5115 2010-10-04 17:21 mod_clamav-0.11rc.tar.gz
-rw-r--r--  1 root src   930578 2010-10-04 17:38 proftpd-basic_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   630168 2010-10-04 17:38 proftpd-dev_1.3.2c-1_amd64.deb
drwxr-xr-x 14 root root    4096 2010-10-04 17:37 proftpd-dfsg-1.3.2c
-rw-r--r--  1 root src     4522 2010-10-04 17:38 proftpd-dfsg_1.3.2c-1_amd64.changes
-rw-r--r--  1 root src    98674 2010-10-04 17:30 proftpd-dfsg_1.3.2c-1.diff.gz
-rw-r--r--  1 root src     1138 2010-10-04 17:30 proftpd-dfsg_1.3.2c-1.dsc
-rw-r--r--  1 root src  3018899 2009-12-22 07:05 proftpd-dfsg_1.3.2c.orig.tar.gz
-rw-r--r--  1 root src  1408070 2010-10-04 17:38 proftpd-doc_1.3.2c-1_all.deb
-rw-r--r--  1 root src   315326 2010-10-04 17:38 proftpd-mod-ldap_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   305076 2010-10-04 17:38 proftpd-mod-mysql_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   306848 2010-10-04 17:38 proftpd-mod-odbc_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   304762 2010-10-04 17:38 proftpd-mod-pgsql_1.3.2c-1_amd64.deb
-rw-r--r--  1 root src   304634 2010-10-04 17:38 proftpd-mod-sqlite_1.3.2c-1_amd64.deb

We can install the new ProFTPd .deb packages as follows:

dpkg -i proftpd*.deb


4 Configuring ProFTPd

Now we must configure ProFTPd to use mod_clamav whenever a file is uploaded. Open /etc/proftpd/proftpd.conf...

vi /etc/proftpd/proftpd.conf

... and add the stanza

<IfModule mod_clamav.c>
   ClamAV on
   ClamPort 3310

somewhere, e.g. below the

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off


<IfModule mod_ctrls_admin.c>
AdminControlsEngine off

<IfModule mod_clamav.c>
   ClamAV on
   ClamPort 3310

# Alternative authentication frameworks
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

Restart ProFTPd:

/etc/init.d/proftpd restart

Now check if mod_clamav is loaded by running:

proftpd -vv

mod_clamav should be listed in the output:

root@server1:~# proftpd -vv
ProFTPD Version: 1.3.2c (maint)
  Scoreboard Version: 01040002
  Built: Mon Oct 4 17:34:10 CEST 2010

Loaded modules:

That's it! Now whenever someone tries to upload malware to your server through ProFTPd, the "bad" file(s) will be deleted. You can test that by downloading the Eicar test virus from; try to upload it to your ProFTPd server, and if all goes well, it should be deleted:


Share this page:

0 Comment(s)