Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy"


Revision as of 15:19, 30 October 2011


Status: The packages clamav.lrp and havp.lrp are already committed to git and will be available with Bering-uClibc 4.1.

Preface

The purpose of this chapter is to set up a LEAF box with an http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. ClamAV is used as the scanner and HAVP as the proxy.

havp can be used with squid or standalone, but only the standalone version is described here. havp provides no content caching, so you'll need squid.lrp for that. It supports multiple virus scanners, but only clamav is provided as an lrp package. It has no support for IPv6 and does not scan SSL-protected pages (https), but the setup will not block these pages.

Running an http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which is usually used as a router and firewall. This is reflected in the hardware requirements, which are a lot higher than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM if you run the proxy completely in RAM, and even then a fixed storage is recommended to reduce the time-to-work after a reboot.

Most of the resources are needed for clamav, which requires at least 100MB RAM to start, and 100MB for the virus database plus daily updates. havp requires a minimum of 5MB of fixed storage or RAM for a virtual disk. If you add a content-caching proxy like squid, even more is needed.

But with a virtualized LEAF box RAM, and even more so disk space, is cheap, so I used a Bering-uClibc 4.x i686 isoimage as a virtualbox guest with 768MB RAM and no harddisk as testbed. You may want to change this to use a (virtual) harddisk as permanent storage; that way you can virtualize a LEAF-based http anti-virus proxy.

Note: The setup given here is mainly targeted at home usage and testing; for more advanced usage, decent hardware and a configuration with squid are recommended. Also, the way SSL-protected pages are tunneled is not as efficient as you may want it in a professional environment.

Also keep in mind that I describe a testing environment only. Therefore I'll change paths in the configurations to get it "just working", and I'll change the shorewall configuration in an "insecure manner" for the same reason. Hope you'll get the idea to move further.

Setting up LEAF Bering-uClibc in a Virtualbox environment

If you haven't already installed virtualbox, you can download it from the Virtualbox download page, and read the User Manual to become familiar with it.

To run LEAF Bering-uClibc in a virtualized environment, you'll need the image Bering-uClibc_4.x_i686_isolinux_vga.iso and a virtual floppy image.

To create the second, run

 mkfs.vfat -C "floppy.img" 1440

on the host machine and make sure it's writable for the user who starts virtualbox.

virtualbox supports creating a guest environment with a wizard, where you can set the amount of RAM for the guest system; 512MB or more is recommended for our task. Once this is done you'll need to adjust a few settings for the virtual machine:

  • On the System page activate PAE/NX for the CPU.
  • On the Storage page add the Bering-uClibc isoimage to the IDE Controller, add a Floppy Controller and attach the virtual floppy disk created before.
  • On the Network Settings page choose Advanced, and Port Forwarding. In the new window add two new rules:


  Name     Protocol   Host-IP     Host-Port   Guest-IP   Guest-Port
  Rule 1   TCP        127.0.0.1   8088        (empty)    8080
  Rule 2   TCP        127.0.0.1   443         (empty)    8080


That's all, and you are ready to start your new virtual machine.

Make the additional RAM available

After you have booted the VM, /tmp still has a size of only 8MB. To change this, the value for tmp_size in leaf.cfg has to be altered and leaf.cfg has to be saved to the virtual floppy.

mount /dev/sr0 /mnt
cp /mnt/leaf.cfg .
umount /mnt

Edit leaf.cfg and set tmp_size to 400MB. Then push it to the floppy disk.

mount /dev/fd0 /mnt
cp leaf.cfg /mnt
umount /mnt

Reboot the VM. If everything went well, the command df -h will show a size of 400MB for /tmp.

Basic preparations

For the following steps, access from the VM to the internet is needed. So before you start, the nameserver settings have to be checked and the firewall should permit traffic from and to the VM.

Nameserver

Set the ip address for the nameserver in /etc/resolv.conf accordingly. By default it is set to 192.168.1.254; change this if your nameserver has a different one.

Shorewall setup

The virtualized proxy guest is, like the VM host, connected to the Internet through a LEAF router running a shorewall firewall. This is the reason I just opened every connection from the net (which is in fact the host system) to the firewall and vice versa.

The changes are made in /etc/shorewall/policy on the virtualized LEAF box:

net       fw     ACCEPT
fw        net    ACCEPT

You may want to tighten your shorewall setup if you use the box in production. You don't need to change anything on your main router/firewall.

Restart shorewall.

Installing additional modules

Later we need support for an ext3 filesystem, therefore install the following from the modules tarball modules.tgz on the iso image:

  • kernel/fs/mbcache.ko
  • kernel/fs/jbd/jbd.ko
  • kernel/fs/ext3/ext3.ko

Don't forget to save the modules and add them to /etc/modules.conf, so they'll be loaded if you reboot.

Setting up the virus scanner ClamAV

Requirements

To install ClamAV on a Bering-uClibc based system the following Packages are required:

  • clamav.lrp
  • libz.lrp
  • libm.lrp
  • lpthread.lrp

Configuration

Edit /etc/clamav/freshclam.conf and set the path for the DatabaseDirectory (use /tmp, because with the approx. 400MB RAM size set above it's big enough to hold the data).

DatabaseDirectory /tmp 

Edit /etc/clamav/clamav.conf and change the DatabaseDirectory to the same value as for /etc/clamav/freshclam.conf:

DatabaseDirectory /tmp 

It's also a good idea to enable logging in /etc/clamav/clamav.conf.

Logfile /tmp/clamd
LogVerbose yes

Retrieving the database

Before clamd can be started, the database with virus signatures, and the latest updates for it, have to be downloaded from database.clamav.net. To accomplish this task, start

freshclam -v

If all goes well, you'll see a message like

Downloading main.cvd [20%]

The updates will be added automatically afterwards. Once the task is finished you're ready to start clamd.

Starting clamd

Start clamd (this may take a few seconds):

/etc/init.d/clamd start
Clamd initiated

You may want to check the logfile for more verbose output.

Setting up the antivirus proxy HAVP

Requirements

To install HAVP on a Bering-uClibc based system the following Packages are required:

  • havp.lrp
  • libcxx.lrp
  • hdsupp.lrp

Create a diskimage for havp

havp needs a separate disk image. Create this in a new directory /share and format it with an ext3 filesystem.

mkdir /share
cd /share
dd if=/dev/zero of=havp.img bs=10240 count=512
mkfs.ext3 -F -q -m0 havp.img

Mount the image to /share/havp

/sbin/losetup /dev/loop0 /share/havp.img
mkdir /share/havp
mount -o mand /dev/loop0 /share/havp

Note: The switch -o mand is important, because havp needs the image with support for mandatory locking.
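As an added example (not from the original page), the image, loop and mount steps above wrapped into a script that also verifies from /proc/mounts that the "mand" option is really active before havp is started. The setup function needs root and the paths from the page; the check function reads mount-table lines from stdin, so it is demonstrated here on constructed sample lines.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Return 0 if the mount point given in $1 carries "mand" in its option list.
# Mount-table lines in /proc/mounts format are read from stdin.
has_mand_option() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "mand") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Create, attach and mount the havp image as the page describes, then fail
# loudly if mandatory locking is not active on the result (requires root).
setup_havp_image() {
    img=/share/havp.img
    mnt=/share/havp
    mkdir -p /share "$mnt"
    if [ ! -f "$img" ]; then
        # 512 blocks of 10240 bytes = 5MB, the minimum the page gives for havp
        dd if=/dev/zero of="$img" bs=10240 count=512
        mkfs.ext3 -F -q -m0 "$img"
    fi
    /sbin/losetup /dev/loop0 "$img"
    mount -o mand /dev/loop0 "$mnt"
    if has_mand_option "$mnt" < /proc/mounts; then
        echo "ok: $mnt is mounted with mandatory locking"
    else
        echo "error: $mnt is mounted without -o mand; havp will not work" >&2
        return 1
    fi
}

# Constructed sample mount table (not real output) to exercise the check
# offline: the first line is correct, the second lacks the mand option.
SAMPLE_MOUNTS='/dev/loop0 /share/havp ext3 rw,mand,relatime 0 0
/dev/loop1 /share/cache ext3 rw,relatime 0 0'
```

On the box itself, run `setup_havp_image` as root, or just `has_mand_option /share/havp < /proc/mounts` to re-check an existing mount.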

Start havp

/etc/init.d/havp.sh start

You may want to check /var/log/havp/error.log if something went wrong. If you have success, you'll see a message that announces a connection to clamd, that the eicar virus has been passed to clamd, and finally

--- All scanners initialized

The http antivirus proxy is ready for testing.

Testing the setup

tbd

Additional reading and acknowledgment

Useful clamav links:

ClamAV main page

Useful havp links:

havp main page

How to use havp with squid as caching proxy (though it's based on an outdated squid version).

squid-cache main page

The original packages for havp.lrp and clamav.lrp have been contributed by Alejandro Dguez for LEAF Bering-uClibc 3.x. Based on his work it was easy to adjust the buildtool setup for LEAF Bering-uClibc 4.x.

