![[PukiWiki]](image/pukiwiki.png "[PukiWiki]")
Contents
VirusScan on Mail Server-Update
正常な状態
hotshot# cd /var/run/clamav hotshot# ll total 4 srw-rw-rw- 1 clamav clamav 0 Apr 22 09:18 clamd -rw-rw-r-- 1 clamav clamav 4 Apr 22 09:18 clamd.pid -rw-rw---- 1 clamav clamav 4 Apr 22 09:18 freshclam.pid
正常時のメールサーバの top (Virus scan 関連)
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 667 clamav 1 96 0 57056K 1636K select 0 0:02 0.00% perl5.8.8 974 clamav 1 96 0 58212K 36572K select 0 0:00 0.00% perl5.8.8 975 clamav 1 20 0 57948K 34044K lockf 1 0:00 0.00% perl5.8.8 676 clamav 1 4 0 75960K 0K accept 1 0:00 0.00% clamd 681 clamav 1 20 0 4280K 0K pause 0 0:00 0.00% freshclam
Jan 17 08:51:31 k222 kernel: Starting clamav_clamd. Jan 17 08:51:31 k222 kernel: LibClamAV Warning: *********************************************************** Jan 17 08:51:31 k222 kernel: LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** Jan 17 08:51:31 k222 kernel: LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq *** Jan 17 08:51:31 k222 kernel: LibClamAV Warning: *********************************************************** Jan 17 08:51:33 k222 kernel: Starting clamav_freshclam.
k222# pkg_info k222# portupgrade clamav-0.95.1_1
んで、何かの拍子に/var/amavis/*/ と、/var/virusmails のオーナーがvscan なんかに成ってしまっていたので、
# chown clamav:clamav /var/amavis/
等としておく。
起動時の(flora=マシン名)コンソールログに(cf: コンソール上のログを採取 )
Jan 21 04:34:46 flora amavis[877]: (00877-01) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory, retrying (2) Jan 21 04:34:52 flora amavis[877]: (00877-01) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 113) line 309. Jan 21 04:34:52 flora amavis[877]: (00877-01) (!!)WARN: all primary virus scanners failed, considering backups
などという警告がでるので、
これを設定しておかないと/var/run/clamav/clamd が生成されずエラーとなるらしいので^^
/usr/local/etc/clamd.conf User clamav #User vscan LocalSocket /var/run/clamav/clamd #LocalSocket /var/run/clamav/clamd.sock
と設定し、
Jan 21 05:38:54 flora amavis[666]: Using primary internal av scanner code for ClamAV-clamd Jan 21 05:38:54 flora amavis[666]: Found secondary av scanner ClamAV-clamscan at /usr/local/bin/clamscan Jan 21 05:38:54 flora amavis[666]: Creating db in /var/amavis/db/; BerkeleyDB 0.36, libdb 4.1 Jan 21 05:38:57 flora kernel: Starting clamav_freshclam.
となりました。
使用ソフト:ClamAV, amavis-new
MTA : Postfix
OS : FreeBSD 6.2
http://www.google.co.jp/search?hl=ja&q=amavis+postfix+clamav+FreeBSD&lr=
http://www.google.co.jp/search?hl=ja&q=amavis+postfix+clamav+FreeBSD+6.2&lr=
http://clamav-jp.sourceforge.jp/
cd /usr/ports/security/clamav make install clean
===> Registering installation for clamav-0.91.2
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/clamd
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/clamav-milter
/usr/local/etc/rc.d/clamav-freshclam
/usr/local/etc/rc.d/clamav-clamd
/usr/local/etc/clamd.conf
LogFileMaxSize 3M LogVerbose yes
/etc/rc.conf
clamav_clamd_enable="YES" clamav_freshclam_enable="YES"
# cd /usr/ports/security/amavisd-new # make
# make install
*******************************************************************
To use amavisd-new, you need to install at least one virus scanner.
The following virus scanners are available in the FreeBSD ports
collection:
/usr/ports/security/vscan McAfee VirusScan
/usr/ports/security/clamav Clam Antivirus
/usr/ports/security/f-prot F-Prot Antivirus
/usr/ports/security/drweb DrWeb antivirus suite
Enable amavisd-new in /etc/rc.conf with the following line:
amavisd_enable="YES"
Optionally enable amavisd tmp ram disk with: (example 512k)
amavisd_ram="512m"
If you have installed and want to use the amavis sendmail milter interface,
you need the following additional line in /etc/rc.conf:
amavis_milter_enable="YES"
If you have installed and want to use the p0fanalyzer interface,
you need the following additional lines in /etc/rc.conf
(with modifications according to your needs):
amavis_p0fanalyzer_enable="YES"
amavis_p0fanalyzer_p0f_filter="tcp dst port 25"
You can pass another command line options to p0f daemon by setting
amavis_p0f_daemon_flags and to p0f-analyzer.pl by setting
amavis_p0fanalyzer_flags.
Configuration templates are available in /usr/local/etc
as amavisd.conf-dist, amavisd.conf-sample, amavisd.conf-default
and amavisd-custom.conf-dist.
Documentation is available in /usr/local/share/doc/amavisd-new.
*******************************************************************
===> Installing rc.d startup script(s)
===> Registering installation for amavisd-new-2.5.2,1
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/amavis-milter
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/amavis-milter
/usr/local/etc/rc.d/amavisd
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.ijs.si/software/amavisd/
のだそうであるが、ネット上のインストール記事をみると、どちらかといえば「Clam AV」のユーザを「amavisd-new」のユーザである vscan に合わせる方法が紹介されているものが多いようにおもわれた。ので
http://www.crimson-snow.net/hmsvr/bsd/maild/clamav.html
FreeBSD# vi /usr/local/etc/clamd.conf <= 設定ファイルの編集 User clamav ↓ User vscan <= 「amavisd-new」の実行ユーザに合わせる # chown -R vscan:vscan /var/run/clamav <= オーナの変更
これだけけだと、起動時に
ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permisskons!). ERROR: problem with internal logger. Please check the permissions on the /var/log/clamav/clamd.logfile.
と言うエラーが出る。
# chown -R vscan:vscan /var/log/clamav
とするだけでは、まだ、同様のエラーを吐くので、clamd.log のパーミッションを落とす。
また、freshclam.logには、
ERROR: Can't save PID to file /var/run/clamav/freshclam.pid: Permission denied
というエラーがあり、/var/run/clamavのパーミッションを落として拾ってみると、freshclam.pidのオーナは、clamavであった。どうしましょう?
srwxrwxrwx 1 vscan vscan 0 Sep 27 13:32 clamd -rw-rw---- 1 vscan vscan 3 Sep 27 13:32 clamd.pid -rw-rw---- 1 clamav vscan 3 Sep 27 13:32 freshclam.pid
コリャもう一度作り直した方が良いかも・・・ということで、
# cd /usr/ports/security/clamav # make CLAMAVUSER=vscan CLAMAVGROUP=vscan # make install install -o root -g wheel -m 555 -s .libs/clamconf /usr/local/bin/clamconf Making install in database /bin/sh ../mkinstalldirs /var/db/clamav mkdir /var/db/clamav chown: vscan: Invalid argument *** Error code 1 Stop in /usr/ports/security/clamav/work/clamav-0.91.2/database. *** Error code 1 Stop in /usr/ports/security/clamav/work/clamav-0.91.2. *** Error code 1 Stop in /usr/ports/security/clamav. *** Error code 1 Stop in /usr/ports/security/clamav.
ということで、あえなくエラー
元へ戻すか・・・
# cd /usr/ports/security/clamav # rm -R work # make rmconfig # make # make deinstall ===> Deinstalling for security/clamav ===> Deinstalling clamav-0.91.2 ==================================================== If you want remove clamav permanently from you system execute following commands: # rm -rf /var/log/clamav # rm -rf /var/run/clamav # rm -rf /var/db/clamav # pw userdel clamav ==================================================== # make install
として、いれなおし!
http://www.leafgreen.jp/freebsd/clamav.html
何も指定しないとvscanというユーザでAMAViSが動作するのですが、ClamAVを使用する場合、ClamAVとAMAViSのユーザを一致させる必要があります。ClamAVをvscanで動作させるのでもよいのですが、ClamAVをportupgradeなどで更新した場合、ClamAVが使用するディレクトリやファイルなどがclamavユーザとなってしまい、毎度ユーザを変更しなくてはなりません。(※何か方法がありそうですが・・・make.confとか?) なので、私はAMAViSをclamavユーザで動作させるようにしました。 "AMAVISUSER=clamav AMAVISGROUP=clamav"をmakeで指定します。
インストール portinstall security/amavisd-new
# cd /usr/ports/security/amavisd-new # make AMAVISUSER=clamav AMAVISGROUP=clamav # make install
どうやら、こちらの方がよさそうなので、
# cd /usr/ports/security/amavisd-new # rm -R work # make deinstall ===> Deinstalling for security/amavisd-new ===> Deinstalling amavisd-new-2.5.2,1 You should manually remove the "vscan" group. You should manually remove the "vscan" user. You should manually remove the "/var/amavis" directory. You should manually remove the "/var/virusmails" directory.
あらまぁ、面倒見がわるいこと・・・
# pw groupdel vscan # pw userdel vscan # rm -rf /var/amavis # rm -rf /var/virusmails # make rmconfig ===> Removing user-configured options for amavisd-new-2.5.2,1
として消去
# make AMAVISUSER=clamav AMAVISGROUP=clamav # make install
としたが、なぜかオーナがvscanのまま・・・・で、makeのオプションを無視される。
ので、
# cd /usr/ports/security/amavisd-new # cp Makefile Makefile-dist として待避 # vi Makefile --------------------------------- - AMAVISUSER?= vscan #この部分を - AMAVISGROUP?= vscan --------------------------------- + AMAVISUSER?= clamav #このように編集 + AMAVISGROUP?= clamav --------------------------------- #make #make install
としてインストール
インストールされた/var/amavisなどが望みのオーナかどうか確認する
# pwd /var/amavis # ll total 6 drwxr-x--- 2 clamav clamav 512 Sep 28 04:38 db drwxr-x--- 2 clamav clamav 512 Sep 28 04:38 tmp drwxr-x--- 2 clamav clamav 512 Sep 28 04:38 var
OK。
hotshot# cp /usr/Backups/hotshot/usr/local/etc/amavisd.conf /usr/local/etc/
デフォルトの状態では、ClamAVに関する部分はコメントになっているので外します。
### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd; match the socket
# name (LocalSocket) in clamav.conf to the socket name in this entry
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
その他の設定は、こんな感じ。
$mydomain = 'your.domain'; #ドメイン名 $myhostname='host.your.domain'; #ホスト名 $notify_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[127.0.0.1]:10025'; #チェックした結果を戻す先 $final_virus_destiny = D_DISCARD; #最終的なウィルス付メールの扱い $final_banned_destiny = D_BOUNCE; $final_spam_destiny = D_DISCARD; #SPAMメールの最終的な扱い $final_bad_header_destiny = D_PASS;
amavisd_enable="YES"
というエラーがでていた
Dec 1 00:00:03 blackcube amavis[98844]: (98844-11) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: 2, retrying (2) Dec 1 00:00:09 blackcube amavis[98844]: (98844-11) (!!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 103) line 325.
で、/var/run/clamav には、clamd ではなく、 clamd.sock となっているので /usr/local/etc/amavisd.conf
### http://www.clamav.net/
['ClamAV-clamd',
## \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
と変更。
#vi /usr/local/etc/postfix/main.cf content_filter = smtp-amavis:[127.0.0.1]:10024
の1行を追加。
#vi /usr/local/etc/postfix/master.cf smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes
※“-o”で始まる行(2行目以降)の先頭には必ずTABやスペースを入れてください。
SPAMやウィルスメールを検出したときに通知されるエイリアスを設定
# vi /etc/mail/aliases virusalert: foo@your.domain spamalert: bar@your.domain # newaliases
mail server が動作緩慢になった。
top してみると
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND 2118 vscan 1 129 0 41592K 39496K RUN 0:41 47.88% clamscan 2113 vscan 1 129 0 41776K 39680K RUN 0:45 47.60% clamscan 871 clamav 1 4 0 46392K 43844K accept 1:40 0.00% clamd
と・・・・@@
5.1.3. amavisd-new amavisd-newは、amavisdをもとにMark Martinecが書き直し、パフォーマンスの向上とSpamAssassinによるanti-spam機能を加えたものですが、anti-spamとanti-virusのどちらかを外して使用することもできます。他の商用アンチウイルス製品とclamavとを共用で2重に検査したり、また通常はclamdを使いclamdに問題が発生したときにはclamscanを代わりに使用して対処する、といったこともできます。amavisd.confを編集し、@av_scannersの項目でclamdを有効にして使います。
とのこと。 で、設定を変えた覚えはないけど、 /usr/local/etc/amavisd.conf 見てみたら、
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
辺りがコメントアウトになってますた。
変えた覚えないんだけどな~~~???
amavisnew のアップグレードした
# chown -R clamav:clamav /var/amavis/
/var/virusmails/ に、沢山のファイルがたまっているので、rm すると、
/bin/rm: Argument list too long.
といわれるので、
echo /var/virusmails/* | xargs rm
した。
amavisd-new.jpg
clamav.jpg
