Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy
Advanced Topics - Setting Up a HTTP Anti Virus Proxy | ||
---|---|---|
Prev | Bering-uClibc 6.x - User Guide | Next |
Contents
Preface
The purpose of this chapter is to setup a LEAF box with a http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. As scanner ClamAV is used, as proxy HAVP.
havp
can be used with squid
or standalone, but only the standalone version is described here. havp
provides no content caching, therefor you'll need squid.lrp
, it supports multiple virus scanners, but only clamav is provided as lrp Package. It has no support for ipv6 and does not scan ssl-protected page (https), but the setup will not block these pages.
Running a http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which usually is used as a router and firewall. This is shown by the fact that the harwdare requirements are a lot more advanced than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM, if you run the proxy completly in RAM, and even than a fixed storage is recommended to reduce time-to-work, after a reboot.
Most of the resources are needed for clamav
, which requires at least 100MB RAM to start, and 100MB for the virus database plus daily updates. havp
requires a minimum of 5MB fixed storage or RAM for a virtual disk.
If you add a content-caching proxy like squid
, even more is needed.
But with a virtualized LEAF box RAM, and even more disk space, is cheap, so I used a Bering-uClibc 4.x i686-isoimage as virtualbox guest with 768MB RAM and no harddisk as testbed. You may want to change it, to use a (virtual) harddisk as permament storage, that way you can virtualize a LEAF-based http anti-virus proxy.
Note: The setup given here is mainly targeted for home usage and testing, for a more advanced usage a decent hardware and a configuration with squid
is recommended. Also the way ssl-protected pages are tunneled is not as efficient, as you may like to have it in a professional environment.
Also keep in mind, that I describe a testing environment only - therefor I'll change pathes in the configurations to get it "just working", as well as I'll change the shorewall configuration in an "unsecure manner" for the same reason. Hope you'll get the idea to move further.
Setting up LEAF Bering-uClibc in a Virtualbox environment
If you haven't already installed virtualbox
, you can download it from the Virtualbox download page, and read the User Manual to become familiar with it.
To run LEAF Bering-uClibc in a virtualized enviroment, you'll the need the image Bering-uClibc_6.x.x_i686_isolinux_vga.iso
and a virtual floppy image.
To create the second, run
mkfs.vfat -C "floppy.img" 1440
on the host machine and make shure, it's writable for the user who starts virtualbox
.
virtualbox
supports creating a guest environment with a wizard, where you can set the amount of RAM for the guest system, 512MB or more are recommended for our task.
Once this is done you'll need to adjust a few settings for the virtual machine:
- On the System page activate PAE/NX for the CPU
- On the Storage page add the Bering-uClibc isoimage to IDE-Controller, add a Floppydisk-Controller and attach the virtual floppy disk created before.
- On the Network Settingspage choose Advanced, and Port Forwarding. In the new window add two new rules:
Name | Protocol | Host-IP | Host-Port | Guest-IP | Guest-Port |
---|---|---|---|---|---|
Rule 1 | TCP | 127.0.0.1 | 8088 | empty | 8080 |
Rule 2 | TCP | 127.0.0.1 | 443 | empty | 8080 |
That's all and you are ready to start you new virtual machine.
Make the additional RAM available
After you have bootet the VM, you still have only size of 8MB for /tmp.
To change this the value for tmp_size
in leaf.cfg
has to be altered and leaf.cfg
has to be saved to the virtual floppy.
mount /dev/sr0 /mnt cp /mnt/leaf.cfg . umount /mnt
Edit leaf.cfg
and set tmp_size
to 400MB. Then push it to the floppy disk.
mount /dev/fd0 /mnt cp leaf.cfg /mnt umount /mnt
Reboot the VM. If everything went well, the command df -h will show a size of 400MB for /tmp
.
Basic preparations
For the following steps access from the VM to the internet is needed. So before you start, the nameserver settings has to be checked and the firewall should permit traffic from and to the VM.
Nameserver
Set ip address for nameserver in /etc/resolv.conf
accordingly.
By default it is set to 192.168.1.254; change this if your nameserver has a different one.
Shorewall setup
The virtualized proxy guest is, like the VM host, connected to the Internet with a LEAF router runnning a shorewall firewall. This is the reason, I just opened every connection from the net (which is in fact the host system) to the firewall and vice versa.
The changes are made in /etc/shorewall/policy
on the virtualized LEAF box:
net fw ACCEPT fw net ACCEPT
You may adjust your shorewall setup more seriously, if you use the box in production. You don't need to change anything on your main router/firewall.
Restart shorewall.
Installing additional modules
We do need later support for an ext4 filesystem, therefor install from the modules tarball modules.tgz
on the iso image:
- kernel/fs/mbcache.ko.gz
- kernel/fs/jbd/jbd.ko.gz
- kernel/fs/ext4/ext4.ko.gz
Don't forget to save the modules and add the to /etc/modules.conf
, so they'll be loaded, if you reboot.
Setting up the virus scanner ClamAV
Requirements
To install ClamAV on a Bering-uClibc based system the following Packages are required:
-
clamav.lrp
-
libz.lrp
Configuration
Edit /etc/clamav/freshclam.conf
and set the path for the DatabaseDirectory (use /tmp, because with an approx. size 400MB RAM size, it's big enough to hold the data).
DatabaseDirectory /tmp
Edit /etc/clamav/clamav.conf
and change the DatabaseDirectory to the same value as for /etc/clamav/freshclam.conf
:
DatabaseDirectory /tmp
It's also good idea to enable logging in /etc/clamav/clamav.conf
.
Logfile /tmp/clamd LogVerbose yes
Retrieving the database
Before clamd
can be started, the database with virus signatures, and the latest updates for it, has to be downloaded from database.clamav.net
. To accomplish this task, start
freshclam -v
If all goes well, you'll see a message like
Downloading main.cvd [20%]
The updates will be added afterwards automatically. Once the task is finished your ready to start clamd
Starting clamd
Start clamd
(this may take a few seconds):
/etc/init.d/clamd start Clamd initiated
You may want to check the logfile for more verbose output.
Setting up the antivirus proxy HVAP
Requirements
To install HAVP on a Bering-uClibc based system the following Packages are required:
-
havp.lrp
-
libcxx.lrp
-
hdsupp.lrp
Create a diskimage for havp
havp
needs a seperate disk image. Create this in a new directory /share
and format with ext4 filesystem.
mkdir /share cd /share dd if=/dev/zero of=havp.img bs=10240 count=512 mkfs.ext4 -F -q -m0 havp.img
Mount the image to /share/havp
/sbin/losetup /dev/loop0 /share/havp.img mkdir /share/havp mount -o mand /dev/loop0 /share/havp
Note: The switch -o mand is important, because havp needs the image with support for mandatory locking.
Start havp
/etc/init.d/havp.sh start
You may want to check /var/log/havp/error.log
, if something went wrong. In case you have success, you'll see a message, that announces a connection to clamd
and the eicar virus
has been passed to clamd
and finally
--- All scanners initialized
The http antivirus proxy is ready for testing.
Testing the setup
If you worked through the chapter so far, you'll be ready to test the proxy. Change the proxy configuration for your browser and enable 127.0.0.1 as address and 8088 as port (we've added port forwarding for this above).
You may also take a look at the acccess.log
of havp
on the LEAF VM box.
tail -f /var/log/havp/access.log
and/or the /tmp/clamd.log
.
A good page to test can be found at eicar.org. Her eyou can download the eicar test virus, which is harmless. If you try to download eicar.com
using the standard protocol http you'll get a message from HAVP instead (HAVP Access Denied). If you use the secure, SSL enabled protocol https, you'll be offered to save the file. This is expected, because HAVP does not scan ssl/https connections, and a good sign, because ssl/https is not blocked by the proxy.
If you like the solution and want to install it permanently, you may want to use a (virtual) harddisk and mount it to /share
to store the clamav
database, clamav
daily updates and the havp.img
. (Don't forget to adjust the value for the DataBaseDirectory
in /etc/clamav/freshclam.conf
and /etc/clamav/clamav.conf
.)
Additional reading and acknowledgment
Useful clamav links:
Useful havp links:
How to use havp with squid as caching proxy (though it's based on an outdated squid version).
The original Packages for havp.lrp
and clamav.lrp
have been contributed by Alejandro Dguez for LEAF Bering-uClibc 3.x. Based on his work it was easy, to adjust the buildtool setup for LEAF Bering-uClibc 4.x and later.
Prev | Up | Next |