On Tue, Nov 20, 2012 at 3:07 PM, Greg Folkert <[email protected]> wrote:

> Warning, this is longer than I intended, and "updates.blah.com" is a
> replacement for my real machine name.
>
> I am trying to use a local ClamAV-DB mirror, I've put in place the
> clamdownloader.pl, which works a treat, once I added a couple CPAN
> modules to my machine.
>
> I've also got a local webserver, responding to "updates.blah.com" with
> all the proper files in the DocumentRoot:
>
> [public]# ls -l *cvd *cdiff *txt
> -rw-r--r-- 1 root root    59212 Nov 16 12:15 bytecode.cvd
> -rw-r--r-- 1 root root      901 Nov 17 15:41 daily-15587.cdiff
> -rw-r--r-- 1 root root     1308 Nov 17 17:58 daily-15588.cdiff
> -rw-r--r-- 1 root root      776 Nov 17 19:22 daily-15589.cdiff
> -rw-r--r-- 1 root root      776 Nov 17 19:38 daily-15590.cdiff
> -rw-r--r-- 1 root root      777 Nov 17 20:19 daily-15591.cdiff
> -rw-r--r-- 1 root root      774 Nov 17 20:39 daily-15592.cdiff
> -rw-r--r-- 1 root root     1303 Nov 17 22:04 daily-15593.cdiff
> -rw-r--r-- 1 root root     1077 Nov 18 13:07 daily-15594.cdiff
> -rw-r--r-- 1 root root      897 Nov 18 14:47 daily-15595.cdiff
> -rw-r--r-- 1 root root     1505 Nov 18 18:41 daily-15596.cdiff
> -rw-r--r-- 1 root root     1086 Nov 18 21:19 daily-15597.cdiff
> -rw-r--r-- 1 root root     5773 Nov 19 07:25 daily-15598.cdiff
> -rw-r--r-- 1 root root     1139 Nov 19 11:42 daily-15599.cdiff
> -rw-r--r-- 1 root root      977 Nov 19 12:26 daily-15600.cdiff
> -rw-r--r-- 1 root root     1104 Nov 19 12:49 daily-15601.cdiff
> -rw-r--r-- 1 root root     1251 Nov 19 14:29 daily-15602.cdiff
> -rw-r--r-- 1 root root     1150 Nov 19 19:30 daily-15603.cdiff
> -rw-r--r-- 1 root root  6823485 Nov 19 19:30 daily.cvd
> -rw-r--r-- 1 root root       41 Nov 20 07:52 dns.txt
> -rw-r--r-- 1 root root 30750647 Oct 11  2011 main.cvd
>
> I can do a "curl" or "wget" of all these files WITHOUT issue. I can also
> look at the DocumentRoot Automatic Index provided by Apache. I should
> also mention this same vhost operates as my local mirrors for
> CentOSv4/v5/v6 and RPMForge for el4/el5/el6, does so without ANY issue.
>
> Running "Freshclam" to get daily.cvd and bytecode.cvd:
>
> [clamav]# pwd
> /var/clamav
> [clamav]# freshclam
> ClamAV update process started at Tue Nov 20 12:07:56 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> WARNING: Can't download daily.cvd from updates.blah.com
> Trying again in 5 secs...
> ClamAV update process started at Tue Nov 20 12:08:01 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> WARNING: Can't download daily.cvd from updates.blah.com
> Trying again in 5 secs...
> ClamAV update process started at Tue Nov 20 12:08:06 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> ERROR: Can't download daily.cvd from updates.blah.com
> Giving up on updates.blah.com
> Update failed. Your network may be down or none of the mirrors listed in
> /etc/freshclam.conf is working. Check
> http://www.clamav.net/support/mirror-problem for possible reasons.
>
>
> Now I can very easily make a script that just brute forces the updates
> shortly after I update the local mirror. I'd prefer not to, since that
> defeats the automaticness of things.
>
> The problems are, that I do not even see the http requests from
> Freshclam in the logs or in tcpdump to the machine I am hosting the
> "webserver" on. I DO see the requests using either curl or wget, so
> accessing the files is not the issue.
>
> Currently I run ClamAV/ClamD on CentOS v4/v5/v6 machines without issues
> and they are all on current versions, getting updates from the public
> mirrors. I am currently being forced to mirror all updates and external
> data on a local system, due to PCI Compliance auditing and need to get
> this working.
>
> Here are the versions being run, I'm running multiples of these, but
> have only chosen one machine of each version to get this working:
>
> CentOSv4:
> clamav-db-0.97.6-1.el4.rf
> clamd-0.97.6-1.el4.rf
> clamav-0.97.6-1.el4.rf
>
> CentOSv5:
> clamav-db-0.97.6-1.el5.rf
> clamav-0.97.6-1.el5.rf
> clamd-0.97.6-1.el5.rf
>
> CentOSv6:
> clamd-0.97.6-1.el6.rf
> clamav-db-0.97.6-1.el6.rf
> clamav-0.97.6-1.el6.rf
>
> Now, in my freshclam.conf on the clients I need to be locally updated,
> I've tried:
>         DatabaseMirror updates.blah.com
>         ScriptedUpdates no
>
> And all I get are errors similar to this in the automated cron run
> setup:
>
> ClamAV update process started at Tue Nov 20 04:02:07 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: Can't download daily.cvd from updates.blah.com
> Trying again in 5 secs...
> ClamAV update process started at Tue Nov 20 04:02:13 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: Can't download daily.cvd from updates.blah.com
> Trying again in 5 secs...
> ClamAV update process started at Tue Nov 20 04:02:19 2012
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder:
> sven)
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> ERROR: getpatch: Can't download daily-15603.cdiff from updates.blah.com
> WARNING: Incremental update failed, trying to download daily.cvd
> ERROR: Can't download daily.cvd from updates.blah.com
> Giving up on updates.blah.com...
> Update failed. Your network may be down or none of the mirrors listed in
> /etc/freshclam.conf is working. Check
> http://www.clamav.net/support/mirror-problem for possible reasons.
>
>
>
> Again, I'm not even seeing freshclam http requests going to my local
> webserver.
>
> Pointer to the fix or a pointer to the exact location in TFM would be
> great.
>
> Cheers and Thanks!
> --
> greg folkert - systems administration and support
> web:    donor.com
> email:  [email protected]
> phone:  877-751-3300 x416
> direct: 616-328-6449 (direct dial and fax)
> "It takes a great man to be a good listener."
>     -- Calvin Coolidge
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

I assume you are intentionally trying to set up your own mirror without
setting PrivateMirror to yes. The fact that your server is not seeing any
get requests is concerning, and I cannot help if you have any networking
issues so YMMV.

Here are two things I can pass on:
1) Run freshclam with --verbose to get more information on just what it is
doing and where it is going wrong. With verbose, you should see it tell you
exactly what URL it is trying to fetch, a line like "Retrieving
http://updates.blah.com/main.cvd"
2) "ScriptedUpdates no" should suppress any attempts to retrieve the cdiff
files. Your last log must have been without ScriptedUpdates set to no.
Could it be getting a different configuration file?

Good luck,

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
[email protected]
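A quick sanity check that a freshly mirrored .cvd is intact and at the version the clients expect, added here as an example and not part of either message above. It relies on the documented layout of a CVD file: a fixed 512-byte text header of colon-separated fields ("ClamAV-VDB:<build time>:<version>:<signatures>:<f-level>:<md5>:<dsig>:<builder>:<build secs>"), followed by the compressed signature payload whose MD5 is the header's sixth field. The sample file is constructed inline with the main.cvd values from the log in the thread (version 54, 1044387 sigs, f-level 60, builder sven); the dsig field is a placeholder, since the vendor signature check is not modelled here.

```python
import hashlib

HEADER_LEN = 512  # every .cvd begins with a fixed 512-byte text header


def parse_cvd_header(data: bytes) -> dict:
    """Parse the colon-separated ClamAV-VDB header of a .cvd file.

    Field order as libclamav reads it:
      ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<build secs>
    Raises ValueError on anything that is not a CVD header.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("file is shorter than the 512-byte CVD header")
    header = data[:HEADER_LEN].rstrip(b"\x00 \r\n").decode("ascii", errors="replace")
    fields = header.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD file: bad header magic or field count")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
    }


def verify_cvd_payload(data: bytes) -> bool:
    """True when the MD5 recorded in the header matches the payload after it.

    A truncated or partially written mirror copy fails here, which is the
    kind of file a client would reject even though curl/wget fetch it fine.
    """
    info = parse_cvd_header(data)
    return hashlib.md5(data[HEADER_LEN:]).hexdigest() == info["md5"]


def check_mirror_file(name: str, data: bytes, min_version: int):
    """Return (ok, message) for one mirrored database file.

    ok is True only if the header parses, the payload MD5 matches, and the
    version is at least min_version (e.g. the version the public mirrors serve).
    """
    try:
        info = parse_cvd_header(data)
    except ValueError as exc:
        return False, f"{name}: {exc}"
    if not verify_cvd_payload(data):
        return False, f"{name}: header MD5 does not match payload (truncated or corrupt copy?)"
    if info["version"] < min_version:
        return False, f"{name}: version {info['version']} is older than required {min_version}"
    return True, (f"{name}: version {info['version']}, sigs {info['sigs']}, "
                  f"f-level {info['flevel']}, builder {info['builder']}")


def build_sample_cvd(version: int, sigs: int, flevel: int, builder: str, payload: bytes) -> bytes:
    """Construct a synthetic .cvd for this example (not a real signature database).

    The dsig field is a placeholder; a real file carries the vendor's signature there.
    """
    md5 = hashlib.md5(payload).hexdigest()
    header = (f"ClamAV-VDB:20 Nov 2012 12-00 +0000:{version}:{sigs}:{flevel}:"
              f"{md5}:placeholder-dsig:{builder}:0").encode("ascii")
    return header.ljust(HEADER_LEN, b" ") + payload


# Constructed sample using the main.cvd values reported by freshclam in the thread.
SAMPLE_MAIN_CVD = build_sample_cvd(54, 1044387, 60, "sven", b"constructed payload bytes " * 40)

if __name__ == "__main__":
    for label, blob in (("main.cvd", SAMPLE_MAIN_CVD),
                        ("main.cvd (truncated)", SAMPLE_MAIN_CVD[:-16]),
                        ("dns.txt", b"not a database")):
        ok, msg = check_mirror_file(label, blob, min_version=54)
        print("OK  " if ok else "FAIL", msg)
```

Run it against the real files in the mirror's DocumentRoot by reading them in binary mode and passing the bytes to check_mirror_file; a FAIL on MD5 means the copy on disk is not what the downloader fetched, while an OK on every file narrows the problem back to the client side, where freshclam --verbose shows the exact URL it requests.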
