Re: [clamav-users] Clamd network access control
On 07/23/2011 07:03 AM, Nathan Gibbs wrote:
> Does clamd support tcpwrappers? It looks like clamav-milter does, but not clamd itself. H'mm, for now it looks like firewalls are the only defense when you bind clamd to an IP address.

I think that a very simple way of limiting which machines have access to clamd is via an SSH tunnel. You bind clamd to localhost on the server, and each client does SSH port forwarding to get access:

    autossh -fN -M 4 -L localhost:3310:localhost:3310 youruser@clamdserverip

And if you don't trust the users on either of the machines you can forward the Unix sockets [*]:

    CLAMD_FORWARDED_SOCKET=/var/run/clamd-forwarded.socket
    REMOTE_CLAMD_SOCKET=/var/run/clamd.socket
    umask 007
    socat UNIX-LISTEN:$CLAMD_FORWARDED_SOCKET,unlink-early,su=clamav,fork EXEC:"ssh youruser@clamdserverip socat STDIO UNIX-CONNECT\:$REMOTE_CLAMD_SOCKET"

And then use Unix permissions to control access to the CLAMD_FORWARDED_SOCKET (i.e. the clamav group). You should also probably use ssh-agent, otherwise this'll prompt for the ssh key password every time someone connects.

[*] Idea based on http://www.debian-administration.org/users/dkg/weblog/68

Best regards,
--Edwin

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] CLAMAV-MILTER, sighup
On 07/23/2011 05:40 AM, Steve Fatula wrote:
> It would appear that sighup, in clamav 0.97.1, should re-open the log files when it receives a sighup. In our case, it simply ends clamav-milter, no message logged anywhere I can find. Do I read this correctly, that is what SHOULD happen (reload)?

There's no signal handling done in clamav-milter; it is done by libmilter. Looking at the libmilter sources, it intercepts SIGHUP, SIGTERM and SIGINT in its own thread and blocks the signals in all other threads, so clamav-milter can't intercept SIGHUP even if it wanted to. If you want a signal to reopen log files it has to be a different one from the above three, but can't you just restart the milter process? Restarting should be very fast; it doesn't need to load the database or anything that takes time.

Best regards,
--Edwin
Re: [clamav-users] CLAMAV-MILTER, sighup
I can restart the service. I just don't like the impact of anything that happens to be using the milter when it is being restarted. Sounds like the best I can do though.

Steve
Re: [clamav-users] CLAMAV-MILTER, sighup
Hi there,

On Sat, 23 Jul 2011 Steve Fatula wrote:
> ...I can restart the service. I just don't like the impact of anything that happens to be using the milter when it is being restarted. Sounds like the best I can do though.

Log via syslog?

-- 
73,
Ged.
Re: [clamav-users] Clamd network access control
On 7/23/2011 3:32 AM, Török Edwin wrote:
> I think that a very simple way of limiting which machines have access to clamd is via an SSH tunnel. You bind clamd to localhost on the server, and each client does SSH port forwarding to get access:
>
>     autossh -fN -M 4 -L localhost:3310:localhost:3310 youruser@clamdserverip
>
> And if you don't trust the users on either of the machines you can forward the Unix sockets [*]:
>
>     CLAMD_FORWARDED_SOCKET=/var/run/clamd-forwarded.socket
>     REMOTE_CLAMD_SOCKET=/var/run/clamd.socket
>     umask 007
>     socat UNIX-LISTEN:$CLAMD_FORWARDED_SOCKET,unlink-early,su=clamav,fork EXEC:"ssh youruser@clamdserverip socat STDIO UNIX-CONNECT\:$REMOTE_CLAMD_SOCKET"
>
> And then use Unix permissions to control access to the CLAMD_FORWARDED_SOCKET (i.e. the clamav group). You should also probably use ssh-agent, otherwise this'll prompt for the ssh key password every time someone connects.
>
> [*] Idea based on http://www.debian-administration.org/users/dkg/weblog/68

LOL I thought you said simple. :-)

I understand what you just said, but 5 years back my eyes would have glazed over, and you would have lost me. :-) However, even then I understood that open access to a network service was a potential problem.

Consider my typical clamd installation. Clamd's bound to IPs. Clamav-milter load balancing between all the clamds. Clamdscan doing daily system scans on each host. Why clamdscan instead of clamscan? Because clamd already has the DBs loaded. Current scan time is 1-8 hours depending on host resources and amount of data to be scanned.

Now scale this up to, let's say, a 16 node scanning cluster. If/when clamdscan supports load balancing like the milter, I'm sure scan times would go down. Which would be really cool. However, if taking down the scanning cluster is as trivial as properly using it, that's not so cool.

The client to utilize a Clamav scanning cluster isn't here yet. When that shows up, people will start hooking the clamds to the network to improve efficiency, add redundancy, etc. Doing so is trivial. The ability to build a scanning cluster is here. The ability to hose a scanning cluster is here. That is definitely not so cool. I tested it in our shop last night with clambake. It took less than a minute to make the mess, and more than 5 minutes to fix it. Scale that up to network size proportions. :-0

-- 
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
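As an added example (mine, not code from the thread or from ClamAV) covering Edwin's point that a clamd bound to an IP address is protected only by a firewall or a tunnel, and Nathan's concern about clusters of network-exposed clamds: a POSIX sh check over a clamd.conf that reports whether the daemon is reachable beyond localhost. It assumes the standard LocalSocket, TCPSocket and TCPAddr directives and clamd's documented default of binding every interface when TCPSocket is set without TCPAddr; the config it runs on stand-alone is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a clamd.conf for how reachable
# the daemon is. Exit 0 when clamd listens only on a Unix socket or on a loopback
# TCP address; exit 1 when it is bound to a routable address or to every
# interface (clamd's default when TCPSocket is set without TCPAddr), which is
# the situation where only a firewall or an SSH tunnel limits who can talk to it.
# Assumes the standard directives LocalSocket, TCPSocket and TCPAddr; comment
# lines (#...) are ignored and the last occurrence of a directive wins here.

clamd_exposure_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    local_sock=$(awk '$1 == "LocalSocket" { v = $2 } END { print v }' "$conf")
    tcp_port=$(awk '$1 == "TCPSocket" { v = $2 } END { print v }' "$conf")
    tcp_addr=$(awk '$1 == "TCPAddr" { v = $2 } END { print v }' "$conf")

    if [ -z "$tcp_port" ]; then
        echo "OK: no TCP listener${local_sock:+, Unix socket $local_sock only}"
        return 0
    fi
    case "$tcp_addr" in
        127.*|::1|localhost)
            echo "OK: TCP port $tcp_port bound to loopback ($tcp_addr)"
            return 0 ;;
        "")
            echo "EXPOSED: TCPSocket $tcp_port with no TCPAddr, clamd binds all interfaces"
            return 1 ;;
        *)
            echo "EXPOSED: TCP port $tcp_port bound to routable address $tcp_addr"
            return 1 ;;
    esac
}

# Stand-alone run on a constructed sample config (not a real host's file).
demo_conf=$(mktemp)
printf 'LogFile /var/log/clamav/clamd.log\n#TCPAddr 127.0.0.1\nTCPSocket 3310\nTCPAddr 192.0.2.10\n' > "$demo_conf"
clamd_exposure_check "$demo_conf" || echo "-> bind to localhost and tunnel, or firewall port 3310"
rm -f "$demo_conf"
```

Run it against each node's clamd.conf before hooking the node to the network; a non-zero exit is the case where the access control has to come from somewhere other than clamd itself.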
[clamav-users] Clam Bake 0.2 Released
A tool for enumerating, stress testing, and/or shutting down instances of the Clam Antivirus service on a network. Download Freely. Enjoy thoroughly. Use Responsibly.

http://www.cmpublishers.com/oss/#clambake

-- 
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
[clamav-users] CLUES -- CLamAv Unified Event System 0.3 Release
http://www.cmpublishers.com/oss/#clues

Enjoy.

-- 
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
[clamav-users] Reporting infected spam
Looking for the correct way to handle this. I've been receiving a lot of infected email lately, supposedly bounced messages infected with the MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way to report these to the offending ISP? I can find who the admin and tech contacts are by telnetting to whois.ra.net and inputting the ASN, which will give me those; then I can telnet to whois.ripe.net or apnic or radb or whoever to give me the name(s) of these contacts and email address. Then send them an email with the message headers to show the sender IP. Is that the correct way? I also have a script that will report these in conjunction with SA Learn, which reports these but sends the whole message including the infected attachment; I don't believe this is the correct way.

Thanks
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
19:00:22 up 171 days, 40 min, 2 users, load average: 0.60, 0.56, 0.40
Re: [clamav-users] Reporting infected spam
On 7/23/11 5:07 PM, Chris cpoll...@embarqmail.com wrote:
> Looking for the correct way to handle this. I've been receiving a lot of infected email lately, supposedly bounced messages infected with the MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way to report these to the offending ISP? I can find who the admin and tech contacts are by telnetting to whois.ra.net and inputting the ASN, which will give me those; then I can telnet to whois.ripe.net or apnic or radb or whoever to give me the name(s) of these contacts and email address. Then send them an email with the message headers to show the sender IP. Is that the correct way? I also have a script that will report these in conjunction with SA Learn, which reports these but sends the whole message including the infected attachment; I don't believe this is the correct way.

You might want to check out SpamCop http://www.spamcop.net/ to help you locate the offending ISP. Their database is often able to cut through attempts to disguise the true sender using your techniques, but somewhat faster.

Another tip for sending infected emails is to compress them with a password before sending, as intermediary mail handlers often scan and remove attachments that are recognized malware.

-Al-

-- 
Al Varnell
Mountain View, CA
Re: [clamav-users] Reporting infected spam
On Sat, 2011-07-23 at 19:43 -0700, Al Varnell wrote:
> On 7/23/11 5:07 PM, Chris cpoll...@embarqmail.com wrote:
> > Looking for the correct way to handle this. I've been receiving a lot of infected email lately, supposedly bounced messages infected with the MyDoom worm or Suspect.DoubleExtension-zippwd-9. What is the correct way to report these to the offending ISP? I can find who the admin and tech contacts are by telnetting to whois.ra.net and inputting the ASN, which will give me those; then I can telnet to whois.ripe.net or apnic or radb or whoever to give me the name(s) of these contacts and email address. Then send them an email with the message headers to show the sender IP. Is that the correct way? I also have a script that will report these in conjunction with SA Learn, which reports these but sends the whole message including the infected attachment; I don't believe this is the correct way.
>
> You might want to check out SpamCop http://www.spamcop.net/ to help you locate the offending ISP. Their database is often able to cut through attempts to disguise the true sender using your techniques, but somewhat faster.
>
> Another tip for sending infected emails is to compress them with a password before sending, as intermediary mail handlers often scan and remove attachments that are recognized malware.
>
> -Al-

Thanks Al, I do use spamcop; that does sound like an easy way to find the real offender. Never really thought of that, guess I've been doing it the hard way. Never thought of your second solution either; I assume that I should put the password for the attachment in the message that I send with the infected email, which would make sense.

Thanks
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
21:55:19 up 171 days, 3:35, 1 user, load average: 0.26, 0.19, 0.19