Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy"
(→Setting up the virus scanner ClamAV) |
m (remove outdated status message) |
||
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{| summary="Navigation header" width="100%" | {| summary="Navigation header" width="100%" | ||
− | ! colspan="3" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up | + | ! colspan="3" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy|Advanced Topics - Setting Up a HTTP Anti Virus Proxy]] |
|- | |- | ||
− | | width="20%" align="left" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up Remote | + | | width="20%" align="left" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up Backup to Remote Server|Prev]] |
! width="60%" align="center" | [[Bering-uClibc 4.x - User Guide]] | ! width="60%" align="center" | [[Bering-uClibc 4.x - User Guide]] | ||
| width="20%" align="right" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Modifying initrd.lrp|Next]] | | width="20%" align="right" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Modifying initrd.lrp|Next]] | ||
|} | |} | ||
---- | ---- | ||
− | |||
=== Preface === | === Preface === | ||
The purpose of this chapter is to setup a LEAF box with a http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. As scanner [http://www.clamav.net/lang/en/ ClamAV] is used, as proxy [http://www.server-side.de HAVP]. | The purpose of this chapter is to setup a LEAF box with a http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. As scanner [http://www.clamav.net/lang/en/ ClamAV] is used, as proxy [http://www.server-side.de HAVP]. | ||
− | <code class="filename">havp</code> can be used with <code class="filename">squid</code> or standalone, but only the standalone version is described here. <code class="filename">havp</code> provides no content caching, therefor you'll need <code class="filename">squid.lrp</code>, it supports multiple virus scanners, but only clamav is provided as lrp | + | <code class="filename">havp</code> can be used with <code class="filename">squid</code> or standalone, but only the standalone version is described here. <code class="filename">havp</code> provides no content caching, therefor you'll need <code class="filename">squid.lrp</code>, it supports multiple virus scanners, but only clamav is provided as lrp Package. It has no support for ipv6 and does not scan ssl-protected page (https), but the setup will not block these pages. |
Running a http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which usually is used as a router and firewall. This is shown by the fact that the harwdare requirements are a lot more advanced than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM, if you run the proxy completly in RAM, and even than a fixed storage is recommended to reduce time-to-work, after a reboot. | Running a http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which usually is used as a router and firewall. This is shown by the fact that the harwdare requirements are a lot more advanced than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM, if you run the proxy completly in RAM, and even than a fixed storage is recommended to reduce time-to-work, after a reboot. | ||
Line 28: | Line 27: | ||
If you haven't already installed <code class="filename">virtualbox</code>, you can download it from the [https://www.virtualbox.org/wiki/Downloads Virtualbox download page], and read the [https://www.virtualbox.org/manual/UserManual.html User Manual] to become familiar with it. | If you haven't already installed <code class="filename">virtualbox</code>, you can download it from the [https://www.virtualbox.org/wiki/Downloads Virtualbox download page], and read the [https://www.virtualbox.org/manual/UserManual.html User Manual] to become familiar with it. | ||
− | To run LEAF Bering-uClibc in a | + | To run LEAF Bering-uClibc in a virtualized enviroment, you'll the need the image <code class="filename">Bering-uClibc_4.x_i686_isolinux_vga.iso</code> and a virtual floppy image. |
To create the second, run | To create the second, run | ||
Line 70: | Line 69: | ||
Reboot the VM. If everything went well, the command <tt>df -h</tt> will show a size of 400MB for <code class="filename">/tmp</code>. | Reboot the VM. If everything went well, the command <tt>df -h</tt> will show a size of 400MB for <code class="filename">/tmp</code>. | ||
+ | |||
+ | === Basic preparations === | ||
+ | For the following steps access from the VM to the internet is needed. So before you start, the nameserver settings has to be checked and the firewall should permit traffic from and to the VM. | ||
+ | |||
+ | ==== Nameserver ==== | ||
+ | Set ip address for <tt>nameserver</tt> in <code class="filename">/etc/resolv.conf</code> accordingly. | ||
+ | By default it is set to 192.168.1.254; change this if your nameserver has a different one. | ||
+ | |||
+ | ==== Shorewall setup ==== | ||
+ | The virtualized proxy guest is, like the VM host, connected to the Internet with a LEAF router runnning a shorewall firewall. This is the reason, I just opened every connection from the net (which is in fact the host system) to the firewall and vice versa. | ||
+ | |||
+ | The changes are made in <code class="filename">/etc/shorewall/policy</code> on the virtualized LEAF box: | ||
+ | net fw ACCEPT | ||
+ | fw net ACCEPT | ||
+ | You may adjust your shorewall setup more seriously, if you use the box in production. | ||
+ | You don't need to change anything on your main router/firewall. | ||
+ | |||
+ | Restart shorewall. | ||
+ | |||
+ | ==== Installing additional modules ==== | ||
+ | We do need later support for an ext3 filesystem, therefor install from the modules tarball <code class="filename">modules.tgz</code> on the iso image: | ||
+ | |||
+ | * kernel/fs/mbcache.ko | ||
+ | * kernel/fs/jbd/jbd.ko | ||
+ | * kernel/fs/ext3/ext3.ko | ||
+ | |||
+ | Don't forget to save the modules and add the to <code class="filename">/etc/modules.conf</code>, so they'll be loaded, if you reboot. | ||
=== Setting up the virus scanner ClamAV === | === Setting up the virus scanner ClamAV === | ||
− | |||
==== Requirements ==== | ==== Requirements ==== | ||
To install ClamAV on a Bering-uClibc based system the following Packages are required: | To install ClamAV on a Bering-uClibc based system the following Packages are required: | ||
* <code class="filename">clamav.lrp</code> | * <code class="filename">clamav.lrp</code> | ||
− | |||
* <code class="filename">libz.lrp</code> | * <code class="filename">libz.lrp</code> | ||
* <code class="filename">libm.lrp</code> | * <code class="filename">libm.lrp</code> | ||
* <code class="filename">lpthread.lrp</code> | * <code class="filename">lpthread.lrp</code> | ||
+ | |||
==== Configuration ==== | ==== Configuration ==== | ||
Edit <code class="filename">/etc/clamav/freshclam.conf</code> and set the path for the DatabaseDirectory (use /tmp, because with an approx. size 400MB RAM size, it's big enough to hold the data). | Edit <code class="filename">/etc/clamav/freshclam.conf</code> and set the path for the DatabaseDirectory (use /tmp, because with an approx. size 400MB RAM size, it's big enough to hold the data). | ||
Line 93: | Line 118: | ||
LogVerbose yes | LogVerbose yes | ||
− | + | ==== Retrieving the database ==== | |
+ | Before <code class="filename">clamd</code> can be started, the database with virus signatures, and the latest updates for it, has to be downloaded from <code class="filename">database.clamav.net</code>. To accomplish this task, start | ||
+ | freshclam -v | ||
+ | If all goes well, you'll see a message like | ||
+ | Downloading main.cvd [20%] | ||
+ | The updates will be added afterwards automatically. | ||
+ | Once the task is finished your ready to start clamd | ||
− | === | + | ==== Starting clamd==== |
− | + | Start <code class="filename">clamd</code> (this may take a few seconds): | |
− | + | /etc/init.d/clamd start | |
− | + | Clamd initiated | |
+ | You may want to check the logfile for more verbose output. | ||
− | + | === Setting up the antivirus proxy HVAP === | |
− | + | ==== Requirements ==== | |
− | + | To install HAVP on a Bering-uClibc based system the following Packages are required: | |
− | + | * <code class="filename">havp.lrp</code> | |
− | You | + | * <code class="filename">libcxx.lrp</code> |
+ | * <code class="filename">hdsupp.lrp</code> | ||
+ | |||
+ | ==== Create a diskimage for havp ==== | ||
+ | <code class="filename">havp</code> needs a seperate disk image. Create this in a new directory <code class="filename">/share</code> and format with ext3 filesystem. | ||
+ | mkdir /share | ||
+ | cd /share | ||
+ | dd if=/dev/zero of=havp.img bs=10240 count=512 | ||
+ | mkfs.ext3 -F -q -m0 havp.img | ||
+ | |||
+ | Mount the image to /<code class="filename">share/havp</code> | ||
+ | /sbin/losetup /dev/loop0 /share/havp.img | ||
+ | mkdir /share/havp | ||
+ | mount -o mand /dev/loop0 /share/havp | ||
+ | |||
+ | '''Note:''' The switch <tt>-o mand</tt> is important, because havp needs the image with support for ''mandatory'' locking. | ||
+ | |||
+ | ==== Start havp ==== | ||
+ | /etc/init.d/havp.sh start | ||
+ | |||
+ | You may want to check <code class="filename">/var/log/havp/error.log</code>, if something went wrong. In case you have success, you'll see a message, that announces a connection to <code class="filename">clamd</code> and the <code class="filename">eicar virus</code> has been passed to <code class="filename">clamd</code> and finally | ||
+ | |||
+ | --- All scanners initialized | ||
+ | |||
+ | The http antivirus proxy is ready for testing. | ||
=== Testing the setup === | === Testing the setup === | ||
− | + | If you worked through the chapter so far, you'll be ready to test the proxy. | |
+ | Change the proxy configuration for your browser and enable 127.0.0.1 as address and 8088 as port (we've added port forwarding for this above). | ||
+ | |||
+ | You may also take a look at the <code class="filename">acccess.log</code> of <code class="filename">havp</code> on the LEAF VM box. | ||
+ | |||
+ | tail -f /var/log/havp/access.log | ||
+ | |||
+ | and/or the <code class="filename">/tmp/clamd.log</code>. | ||
+ | |||
+ | A good page to test can be found at [http://eicar.org/85-0-Download.html eicar.org]. Her eyou can download the eicar test virus, which is harmless. If you try to download <code class="filename">eicar.com</code> using the standard protocol http you'll get a message from HAVP instead (''HAVP Access Denied''). If you use the ''secure, SSL enabled protocol https'', you'll be offered to save the file. This is expected, because HAVP does not scan ssl/https connections, and a good sign, because ssl/https is not blocked by the proxy. | ||
+ | |||
+ | If you like the solution and want to install it permanently, you may want to use a (virtual) harddisk and mount it to <code class="filename">/share</code> to store the <code class="filename">clamav</code> database, <code class="filename">clamav</code> daily updates and the <code class="filename">havp.img</code>. (Don't forget to adjust the value for the <code class="filename">DataBaseDirectory</code> in <code class="filename">/etc/clamav/freshclam.conf</code> and <code class="filename">/etc/clamav/clamav.conf</code> .) | ||
=== Additional reading and acknowledgment === | === Additional reading and acknowledgment === | ||
Line 126: | Line 193: | ||
---- | ---- | ||
{| summary="Navigation footer" width="100%" | {| summary="Navigation footer" width="100%" | ||
− | | width="40%" align="left" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up Remote | + | | width="40%" align="left" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up Backup to Remote Server|Prev]] |
| width="20%" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics|Up]] | | width="20%" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics|Up]] | ||
| width="40%" align="right" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Modifying initrd.lrp|Next]] | | width="40%" align="right" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Modifying initrd.lrp|Next]] |
Latest revision as of 10:19, 27 January 2013
Advanced Topics - Setting Up a HTTP Anti Virus Proxy | ||
---|---|---|
Prev | Bering-uClibc 4.x - User Guide | Next |
Contents
Preface
The purpose of this chapter is to setup a LEAF box with a http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. As scanner ClamAV is used, as proxy HAVP.
havp
can be used with squid
or standalone, but only the standalone version is described here. havp
provides no content caching, therefor you'll need squid.lrp
, it supports multiple virus scanners, but only clamav is provided as lrp Package. It has no support for ipv6 and does not scan ssl-protected page (https), but the setup will not block these pages.
Running a http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which usually is used as a router and firewall. This is shown by the fact that the harwdare requirements are a lot more advanced than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM, if you run the proxy completly in RAM, and even than a fixed storage is recommended to reduce time-to-work, after a reboot.
Most of the resources are needed for clamav
, which requires at least 100MB RAM to start, and 100MB for the virus database plus daily updates. havp
requires a minimum of 5MB fixed storage or RAM for a virtual disk.
If you add a content-caching proxy like squid
, even more is needed.
But with a virtualized LEAF box RAM, and even more disk space, is cheap, so I used a Bering-uClibc 4.x i686-isoimage as virtualbox guest with 768MB RAM and no harddisk as testbed. You may want to change it, to use a (virtual) harddisk as permament storage, that way you can virtualize a LEAF-based http anti-virus proxy.
Note: The setup given here is mainly targeted for home usage and testing, for a more advanced usage a decent hardware and a configuration with squid
is recommended. Also the way ssl-protected pages are tunneled is not as efficient, as you may like to have it in a professional environment.
Also keep in mind, that I describe a testing environment only - therefor I'll change pathes in the configurations to get it "just working", as well as I'll change the shorewall configuration in an "unsecure manner" for the same reason. Hope you'll get the idea to move further.
Setting up LEAF Bering-uClibc in a Virtualbox environment
If you haven't already installed virtualbox
, you can download it from the Virtualbox download page, and read the User Manual to become familiar with it.
To run LEAF Bering-uClibc in a virtualized enviroment, you'll the need the image Bering-uClibc_4.x_i686_isolinux_vga.iso
and a virtual floppy image.
To create the second, run
mkfs.vfat -C "floppy.img" 1440
on the host machine and make shure, it's writable for the user who starts virtualbox
.
virtualbox
supports creating a guest environment with a wizard, where you can set the amount of RAM for the guest system, 512MB or more are recommended for our task.
Once this is done you'll need to adjust a few settings for the virtual machine:
- On the System page activate PAE/NX for the CPU
- On the Storage page add the Bering-uClibc isoimage to IDE-Controller, add a Floppydisk-Controller and attach the virtual floppy disk created before.
- On the Network Settingspage choose Advanced, and Port Forwarding. In the new window add two new rules:
Name | Protocol | Host-IP | Host-Port | Guest-IP | Guest-Port |
---|---|---|---|---|---|
Rule 1 | TCP | 127.0.0.1 | 8088 | empty | 8080 |
Rule 2 | TCP | 127.0.0.1 | 443 | empty | 8080 |
That's all and you are ready to start you new virtual machine.
Make the additional RAM available
After you have bootet the VM, you still have only size of 8MB for /tmp.
To change this the value for tmp_size
in leaf.cfg
has to be altered and leaf.cfg
has to be saved to the virtual floppy.
mount /dev/sr0 /mnt cp /mnt/leaf.cfg . umount /mnt
Edit leaf.cfg
and set tmp_size
to 400MB. Then push it to the floppy disk.
mount /dev/fd0 /mnt cp leaf.cfg /mnt umount /mnt
Reboot the VM. If everything went well, the command df -h will show a size of 400MB for /tmp
.
Basic preparations
For the following steps access from the VM to the internet is needed. So before you start, the nameserver settings has to be checked and the firewall should permit traffic from and to the VM.
Nameserver
Set ip address for nameserver in /etc/resolv.conf
accordingly.
By default it is set to 192.168.1.254; change this if your nameserver has a different one.
Shorewall setup
The virtualized proxy guest is, like the VM host, connected to the Internet with a LEAF router runnning a shorewall firewall. This is the reason, I just opened every connection from the net (which is in fact the host system) to the firewall and vice versa.
The changes are made in /etc/shorewall/policy
on the virtualized LEAF box:
net fw ACCEPT fw net ACCEPT
You may adjust your shorewall setup more seriously, if you use the box in production. You don't need to change anything on your main router/firewall.
Restart shorewall.
Installing additional modules
We do need later support for an ext3 filesystem, therefor install from the modules tarball modules.tgz
on the iso image:
- kernel/fs/mbcache.ko
- kernel/fs/jbd/jbd.ko
- kernel/fs/ext3/ext3.ko
Don't forget to save the modules and add the to /etc/modules.conf
, so they'll be loaded, if you reboot.
Setting up the virus scanner ClamAV
Requirements
To install ClamAV on a Bering-uClibc based system the following Packages are required:
-
clamav.lrp
-
libz.lrp
-
libm.lrp
-
lpthread.lrp
Configuration
Edit /etc/clamav/freshclam.conf
and set the path for the DatabaseDirectory (use /tmp, because with an approx. size 400MB RAM size, it's big enough to hold the data).
DatabaseDirectory /tmp
Edit /etc/clamav/clamav.conf
and change the DatabaseDirectory to the same value as for /etc/clamav/freshclam.conf
:
DatabaseDirectory /tmp
It's also good idea to enable logging in /etc/clamav/clamav.conf
.
Logfile /tmp/clamd LogVerbose yes
Retrieving the database
Before clamd
can be started, the database with virus signatures, and the latest updates for it, has to be downloaded from database.clamav.net
. To accomplish this task, start
freshclam -v
If all goes well, you'll see a message like
Downloading main.cvd [20%]
The updates will be added afterwards automatically. Once the task is finished your ready to start clamd
Starting clamd
Start clamd
(this may take a few seconds):
/etc/init.d/clamd start Clamd initiated
You may want to check the logfile for more verbose output.
Setting up the antivirus proxy HVAP
Requirements
To install HAVP on a Bering-uClibc based system the following Packages are required:
-
havp.lrp
-
libcxx.lrp
-
hdsupp.lrp
Create a diskimage for havp
havp
needs a seperate disk image. Create this in a new directory /share
and format with ext3 filesystem.
mkdir /share cd /share dd if=/dev/zero of=havp.img bs=10240 count=512 mkfs.ext3 -F -q -m0 havp.img
Mount the image to /share/havp
/sbin/losetup /dev/loop0 /share/havp.img mkdir /share/havp mount -o mand /dev/loop0 /share/havp
Note: The switch -o mand is important, because havp needs the image with support for mandatory locking.
Start havp
/etc/init.d/havp.sh start
You may want to check /var/log/havp/error.log
, if something went wrong. In case you have success, you'll see a message, that announces a connection to clamd
and the eicar virus
has been passed to clamd
and finally
--- All scanners initialized
The http antivirus proxy is ready for testing.
Testing the setup
If you worked through the chapter so far, you'll be ready to test the proxy. Change the proxy configuration for your browser and enable 127.0.0.1 as address and 8088 as port (we've added port forwarding for this above).
You may also take a look at the acccess.log
of havp
on the LEAF VM box.
tail -f /var/log/havp/access.log
and/or the /tmp/clamd.log
.
A good page to test can be found at eicar.org. Her eyou can download the eicar test virus, which is harmless. If you try to download eicar.com
using the standard protocol http you'll get a message from HAVP instead (HAVP Access Denied). If you use the secure, SSL enabled protocol https, you'll be offered to save the file. This is expected, because HAVP does not scan ssl/https connections, and a good sign, because ssl/https is not blocked by the proxy.
If you like the solution and want to install it permanently, you may want to use a (virtual) harddisk and mount it to /share
to store the clamav
database, clamav
daily updates and the havp.img
. (Don't forget to adjust the value for the DataBaseDirectory
in /etc/clamav/freshclam.conf
and /etc/clamav/clamav.conf
.)
Additional reading and acknowledgment
Useful clamav links:
Useful havp links:
How to use havp with squid as caching proxy (though it's based on an outdated squid version).
The original packages for havp.lrp
and clamav.lrp
have been contributed by Alejandro Dguez for LEAF Bering-uClibc 3.x. Based on his work it was easy, to adjust the buildtool setup for LEAF Bering-uClibc 4.x.
Prev | Up | Next |