Bering-uClibc 5.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy

From bering-uClibc
Jump to: navigation, search
Advanced Topics - Setting Up a HTTP Anti Virus Proxy
Prev Bering-uClibc 5.x - User Guide Next

Preface

The purpose of this chapter is to setup a LEAF box with a http proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. As scanner ClamAV is used, as proxy HAVP.

havp can be used with squid or standalone, but only the standalone version is described here. havp provides no content caching, therefor you'll need squid.lrp, it supports multiple virus scanners, but only clamav is provided as lrp Package. It has no support for ipv6 and does not scan ssl-protected page (https), but the setup will not block these pages.

Running a http anti-virus proxy is beyond the typical usage of a LEAF Bering-uClibc box, which usually is used as a router and firewall. This is shown by the fact that the harwdare requirements are a lot more advanced than for a LEAF router. It requires at least 265MB RAM and a writable storage of more than 200MB, or at least 512MB RAM, if you run the proxy completly in RAM, and even than a fixed storage is recommended to reduce time-to-work, after a reboot.

Most of the resources are needed for clamav, which requires at least 100MB RAM to start, and 100MB for the virus database plus daily updates. havp requires a minimum of 5MB fixed storage or RAM for a virtual disk. If you add a content-caching proxy like squid, even more is needed.

But with a virtualized LEAF box RAM, and even more disk space, is cheap, so I used a Bering-uClibc 4.x i686-isoimage as virtualbox guest with 768MB RAM and no harddisk as testbed. You may want to change it, to use a (virtual) harddisk as permament storage, that way you can virtualize a LEAF-based http anti-virus proxy.

Note: The setup given here is mainly targeted for home usage and testing, for a more advanced usage a decent hardware and a configuration with squid is recommended. Also the way ssl-protected pages are tunneled is not as efficient, as you may like to have it in a professional environment.

Also keep in mind, that I describe a testing environment only - therefor I'll change pathes in the configurations to get it "just working", as well as I'll change the shorewall configuration in an "unsecure manner" for the same reason. Hope you'll get the idea to move further.

Setting up LEAF Bering-uClibc in a Virtualbox environment

If you haven't already installed virtualbox, you can download it from the Virtualbox download page, and read the User Manual to become familiar with it.

To run LEAF Bering-uClibc in a virtualized enviroment, you'll the need the image Bering-uClibc_5.x_i686_isolinux_vga.iso and a virtual floppy image.

To create the second, run

 mkfs.vfat -C "floppy.img" 1440

on the host machine and make shure, it's writable for the user who starts virtualbox.

virtualbox supports creating a guest environment with a wizard, where you can set the amount of RAM for the guest system, 512MB or more are recommended for our task. Once this is done you'll need to adjust a few settings for the virtual machine:

  • On the System page activate PAE/NX for the CPU
  • On the Storage page add the Bering-uClibc isoimage to IDE-Controller, add a Floppydisk-Controller and attach the virtual floppy disk created before.
  • On the Network Settingspage choose Advanced, and Port Forwarding. In the new window add two new rules:


Name Protocol Host-IP Host-Port Guest-IP Guest-Port
Rule 1 TCP 127.0.0.1 8088 empty 8080
Rule 2 TCP 127.0.0.1 443 empty 8080


That's all and you are ready to start you new virtual machine.

Make the additional RAM available

After you have bootet the VM, you still have only size of 8MB for /tmp. To change this the value for tmp_size in leaf.cfg has to be altered and leaf.cfg has to be saved to the virtual floppy.

mount /dev/sr0 /mnt
cp /mnt/leaf.cfg .
umount /mnt

Edit leaf.cfg and set tmp_size to 400MB. Then push it to the floppy disk.

mount /dev/fd0 /mnt
cp leaf.cfg /mnt
umount /mnt

Reboot the VM. If everything went well, the command df -h will show a size of 400MB for /tmp.

Basic preparations

For the following steps access from the VM to the internet is needed. So before you start, the nameserver settings has to be checked and the firewall should permit traffic from and to the VM.

Nameserver

Set ip address for nameserver in /etc/resolv.conf accordingly. By default it is set to 192.168.1.254; change this if your nameserver has a different one.

Shorewall setup

The virtualized proxy guest is, like the VM host, connected to the Internet with a LEAF router runnning a shorewall firewall. This is the reason, I just opened every connection from the net (which is in fact the host system) to the firewall and vice versa.

The changes are made in /etc/shorewall/policy on the virtualized LEAF box:

net       fw     ACCEPT
fw        net    ACCEPT

You may adjust your shorewall setup more seriously, if you use the box in production. You don't need to change anything on your main router/firewall.

Restart shorewall.

Installing additional modules

We do need later support for an ext3 filesystem, therefor install from the modules tarball modules.tgz on the iso image:

  • kernel/fs/mbcache.ko.gz
  • kernel/fs/jbd/jbd.ko.gz
  • kernel/fs/ext3/ext3.ko.gz

Don't forget to save the modules and add the to /etc/modules.conf, so they'll be loaded, if you reboot.

Setting up the virus scanner ClamAV

Requirements

To install ClamAV on a Bering-uClibc based system the following Packages are required:

  • clamav.lrp
  • libz.lrp

Configuration

Edit /etc/clamav/freshclam.conf and set the path for the DatabaseDirectory (use /tmp, because with an approx. size 400MB RAM size, it's big enough to hold the data).

DatabaseDirectory /tmp 

Edit /etc/clamav/clamav.conf and change the DatabaseDirectory to the same value as for /etc/clamav/freshclam.conf:

DatabaseDirectory /tmp 

It's also good idea to enable logging in /etc/clamav/clamav.conf.

Logfile /tmp/clamd
LogVerbose yes

Retrieving the database

Before clamd can be started, the database with virus signatures, and the latest updates for it, has to be downloaded from database.clamav.net. To accomplish this task, start

freshclam -v

If all goes well, you'll see a message like

Downloading main.cvd [20%]

The updates will be added afterwards automatically. Once the task is finished your ready to start clamd

Starting clamd

Start clamd (this may take a few seconds):

/etc/init.d/clamd start
Clamd initiated

You may want to check the logfile for more verbose output.

Setting up the antivirus proxy HVAP

Requirements

To install HAVP on a Bering-uClibc based system the following Packages are required:

  • havp.lrp
  • libcxx.lrp
  • hdsupp.lrp

Create a diskimage for havp

havp needs a seperate disk image. Create this in a new directory /share and format with ext3 filesystem.

mkdir /share
cd /share
dd if=/dev/zero of=havp.img bs=10240 count=512
mkfs.ext3 -F -q -m0 havp.img

Mount the image to /share/havp

/sbin/losetup /dev/loop0 /share/havp.img
mkdir /share/havp
mount -o mand /dev/loop0 /share/havp

Note: The switch -o mand is important, because havp needs the image with support for mandatory locking.

Start havp

/etc/init.d/havp.sh start

You may want to check /var/log/havp/error.log, if something went wrong. In case you have success, you'll see a message, that announces a connection to clamd and the eicar virus has been passed to clamd and finally

--- All scanners initialized

The http antivirus proxy is ready for testing.

Testing the setup

If you worked through the chapter so far, you'll be ready to test the proxy. Change the proxy configuration for your browser and enable 127.0.0.1 as address and 8088 as port (we've added port forwarding for this above).

You may also take a look at the acccess.log of havp on the LEAF VM box.

tail -f /var/log/havp/access.log

and/or the /tmp/clamd.log.

A good page to test can be found at eicar.org. Her eyou can download the eicar test virus, which is harmless. If you try to download eicar.com using the standard protocol http you'll get a message from HAVP instead (HAVP Access Denied). If you use the secure, SSL enabled protocol https, you'll be offered to save the file. This is expected, because HAVP does not scan ssl/https connections, and a good sign, because ssl/https is not blocked by the proxy.

If you like the solution and want to install it permanently, you may want to use a (virtual) harddisk and mount it to /share to store the clamav database, clamav daily updates and the havp.img. (Don't forget to adjust the value for the DataBaseDirectory in /etc/clamav/freshclam.conf and /etc/clamav/clamav.conf .)

Additional reading and acknowledgment

Useful clamav links:

ClamAV main page

Useful havp links:

havp main page

How to use havp with squid as caching proxy (though it's based on an outdated squid version).

squid-cache main page

The original Packages for havp.lrp and clamav.lrp have been contributed by Alejandro Dguez for LEAF Bering-uClibc 3.x. Based on his work it was easy, to adjust the buildtool setup for LEAF Bering-uClibc 4.x and later.


Prev Up Next