On 07/23/2011 07:03 AM, Nathan Gibbs wrote:
>>> Does clamd support tcpwrappers?
>>
>> It looks like clamav-milter does, but not clamd itself.
>
> H'mm, for now it looks like firewalls are the only defense when you bind
> clamd to an IP address.
I think that a very simple way of limiting which machines have access to
clamd is via an SSH tunnel. You bind clamd to localhost on the server, and
each client does SSH port forwarding to get access:

    autossh -fN -M 40000 -L localhost:3310:localhost:3310 youruser@clamdserverip

And if you don't trust the users on either of the machines you can forward
the Unix sockets [*]:

    CLAMD_FORWARDED_SOCKET=/var/run/clamd-forwarded.socket
    REMOTE_CLAMD_SOCKET=/var/run/clamd.socket
    umask 007
    socat UNIX-LISTEN:$CLAMD_FORWARDED_SOCKET,unlink-early,su=clamav,fork \
        EXEC:"ssh youruser@clamdserverip socat STDIO UNIX-CONNECT\:$REMOTE_CLAMD_SOCKET"

And then use Unix permissions to control access to the
CLAMD_FORWARDED_SOCKET (i.e. clamav group).

You should also probably use ssh-agent, otherwise this'll prompt for the
SSH key password every time someone connects.

[*] Idea based on http://www.debian-administration.org/users/dkg/weblog/68

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
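An added example, not Edwin's code and not part of ClamAV: the Unix-socket variant above wrapped in a small POSIX sh script with the two checks a client admin would want, a permission test on the forwarded socket and a clamd PING sent through it. The SSH target, socket paths, user and group names are assumptions (the same placeholders the post uses); the "-o BatchMode=yes" flag and the chgrp step are additions, so that a missing agent key fails instead of prompting and the socket ends up owned by the clamav group.

```shell
#!/bin/sh
# Added example, not part of Edwin's post: wraps the socat/ssh Unix-socket
# forwarding above in a script with a permission check and a clamd PING.
# The SSH target, socket paths, user and group names below are assumptions.
set -u

CLAMD_SERVER="${CLAMD_SERVER:-youruser@clamdserverip}"     # assumed SSH target
REMOTE_CLAMD_SOCKET="${REMOTE_CLAMD_SOCKET:-/var/run/clamd.socket}"
CLAMD_FORWARDED_SOCKET="${CLAMD_FORWARDED_SOCKET:-/var/run/clamd-forwarded.socket}"
CLAMD_USER="${CLAMD_USER:-clamav}"     # socat drops to this user (su=)
CLAMD_GROUP="${CLAMD_GROUP:-clamav}"   # group allowed to use the socket

# 0 if the path's "other" permission bits are all clear, i.e. only the owner
# and the group can open it. Reads the POSIX ls -l mode string (chars 8-10)
# rather than GNU stat, so it also works on BSD systems.
mode_is_private() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# 0 if the path exists, is a Unix socket and is not world-accessible.
socket_is_private() {
    [ -S "$1" ] && mode_is_private "$1"
}

# Send clamd's PING over any socat address (UNIX-CONNECT:/path for the
# forwarded socket, TCP:localhost:3310 for the autossh tunnel) and expect
# PONG. The "n" prefix asks clamd for a newline-terminated command/reply.
clamd_ping() {
    reply=$(printf 'nPING\n' | socat -t 5 - "$1" 2>/dev/null)
    [ "$reply" = "PONG" ]
}

# Start the listener from the post. Additions: BatchMode makes ssh fail
# instead of prompting when no key is loaded in the agent, and the socket is
# handed to $CLAMD_GROUP so group membership decides who may scan.
start_forward() {
    ( umask 007
      exec socat "UNIX-LISTEN:$CLAMD_FORWARDED_SOCKET,unlink-early,su=$CLAMD_USER,fork" \
           "EXEC:ssh -o BatchMode=yes $CLAMD_SERVER socat STDIO UNIX-CONNECT\\:$REMOTE_CLAMD_SOCKET"
    ) &
    pid=$!
    i=0
    while [ ! -S "$CLAMD_FORWARDED_SOCKET" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    [ -S "$CLAMD_FORWARDED_SOCKET" ] || { echo "forwarder did not come up" >&2; return 1; }
    chgrp "$CLAMD_GROUP" "$CLAMD_FORWARDED_SOCKET"
    echo "$pid"
}

case "${1:-}" in
    start) start_forward ;;
    check)
        socket_is_private "$CLAMD_FORWARDED_SOCKET" || { echo "socket is world-accessible" >&2; exit 1; }
        clamd_ping "UNIX-CONNECT:$CLAMD_FORWARDED_SOCKET" || { echo "no PONG from clamd" >&2; exit 1; }
        echo "clamd reachable through $CLAMD_FORWARDED_SOCKET; socket is private" ;;
esac
```

Run "start" as root once (or from an init script) and "check" from any account that is supposed to be able to scan; clamd_ping with TCP:localhost:3310 does the same check through the autossh tunnel from the first part of the post. On the clamd server, the key used by the forwarder can be pinned to exactly this job with a forced command in authorized_keys (command="socat STDIO UNIX-CONNECT:/var/run/clamd.socket" together with no-port-forwarding and no-pty), so that a key taken from a client yields nothing but a clamd session.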
