マルチでウイルスや不正プログラムなどを検知しませんと知らず知らずのうちにクライアントが感染してしまいます。
オープンソースで主流となるsquidですが、これにもウイルスチェックプログラムを加味する事ができます。
それが弊社で導入を推進しているsquidclamavとc-icapの組み合わせです。
ということで、半年ぶりぐらいですが、Proxyのウイルスチェックのサービスをバージョンアップしました。(パターンは日々自動更新されています。)
squidやclamav自体は、YaSTで簡単にアップできるので、すぐ対応しているのですが、squidclamavとc-icapは、YaSTのリストに無いので、いつも後手に回っております。
os:openSUSE 12.2 (cat /etc/SuSE-release)
squid 3.1.23 (squid -v)
apache 2.2.22 (apache2ctl -v)
clamav 0.97.6 (clamd -V)
squid-graph 3.2 http://squid-graph.sourceforge.net/
(今回インストール方法は書いてませんが、全くバージョンアップしていない代物なので、ネットで検索すれば出てきます。)
今回の主役は以下の2つ。
squidclamav 6.9 ⇒ 6.10 http://squidclamav.darold.net
c-icap 0.2.2 ⇒ 0.2.5 http://c-icap.sourceforge.net/
実際のコマンドやコンフィグサンプルは下記を参照。
[c-icap]
cd /home/niriakot/ダウンロード (このフォルダにsquidclamav,c-icapをアップする。)
tar xvzf c_icap-0.2.5.tar.gz
cd c_icap-0.2.5
./configure --prefix=/usr/local/c-icap --enable-large-files
(make clean)
make
make install
①以前のままです。
vi /usr/local/c-icap/etc/c-icap.conf
---e.g.---start---※以前のまま---
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
ServerAdmin webmaster@example.jp
ServerName sq.example.jp
TmpDir /var/tmp
MaxMemObject 131072
# TAG: DebugLevel
# Format: DebugLevel level
# Description:
# The level of debugging information to be logged.
# The acceptable range of levels is between 0 and 10.
# Default:
# DebugLevel 1
DebugLevel 1
ModulesDir /usr/local/c-icap/lib64/c_icap
ServicesDir /usr/local/c-icap/lib64/c_icap
#TemplateDir /usr/local/c-icap/share/c_icap/templates/
#TemplateDefaultLanguage en
LoadMagicFile /usr/local/c-icap/etc/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat myFormat "%tl, %a %la %>a %<A %im %iu %is %I %O %Ib %Ob %{10}bph"
ServerLog /usr/local/c-icap/var/log/server.log
AccessLog /usr/local/c-icap/var/log/access.log myFormat
Service echo srv_echo.so
Service squidclamav squidclamav.so
---e.g.---end---
②以前のままです。
vi /etc/init.d/c-icap
---e.g.---start---※以前のまま---
#!/bin/sh
#
# /etc/init.d/c-icap
# and its symbolic link
# /usr/sbin/rcc-icap
#
### BEGIN INIT INFO
# Provides: c-icap
# Required-Start: $syslog $remote_fs
# Should-Start:
# Required-Stop: $syslog $remote_fs
# Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: c-icap redirector for squid and clamav
# Description: Start c-icap to provide clamav virus
# scanner interface for Squid.
### END INIT INFO
CICAP_BIN=/usr/local/c-icap/bin/c-icap
test -x $CICAP_BIN || { echo "$CICAP_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
CICAP_CONFIG=/etc/sysconfig/c-icap
test -r $CICAP_CONFIG || { echo "$CICAP_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
. $CICAP_CONFIG
if [ "$USE_CICAP" == "no" ]; then
echo "c-icap disabled in $CICAP_CONFIG. To enable c-icap, set USE_CICAP=\"yes\" in $CICAP_CONFIG"
exit 6
fi
. /etc/rc.status
rc_reset
case "$1" in
start)
echo -n "Starting c-icap "
/sbin/startproc $CICAP_BIN
rc_status -v
;;
stop)
echo -n "Shutting down c-icap "
/sbin/killproc -TERM $CICAP_BIN
rc_status -v
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
$0 start
rc_status
;;
force-reload)
echo -n "Reload service c-icap "
/sbin/killproc -HUP $CICAP_BIN
rc_status -v
;;
reload)
echo -n "Reload service c-icap "
/sbin/killproc -HUP $CICAP_BIN
rc_status -v
;;
status)
echo -n "Checking for service c-icap "
/sbin/checkproc $CICAP_BIN
rc_status -v
;;
probe)
test /usr/local/c-icap/etc/c-icap.conf -nt /var/run/c-icap/c-icap.pid && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
---e.g.---end---
③以前のままです。
chmod 755 /etc/init.d/c-icap
④以前のままです。
vi /etc/sysconfig/c-icap
---e.q.---start---※以前のまま---
## Path: Network/WWW/Proxy/c-icap
## Description: c-icap configuration
## Type: yesno
## Default: yes
## ServiceReload: c-icap
## ServiceRestart: c-icap
#
# Set USE_CICAP to yes, if you want to use the proxy virus scanning
# facility c-icap within squid3 and clamav.
#
USE_CICAP="yes"
---e.q.---end---
⑤以下は、最初の設定時にだけ必要です。
※アップデートの場合は、特に必要でありません。
touch /usr/local/c-icap/var/log/server.log
touch /usr/local/c-icap/var/log/access.log
logrotate -dv /etc/logrotate.d/c-icap
chgrp root /usr/local/c-icap/var/log (nogroup -> root)
以上でc-icapの部分は完了。
[squidclamav]
cd /home/niriakot/ダウンロード
tar xvzf squidclamav-6.10.tar.gz
cd squidclamav-6.10
./configure --with-c-icap=/usr/local/c-icap/
(make clean)
make
make install
①以前のままです
vi /etc/squidclamav.conf
---e.g.---start---※以前のまま---
#-----------------------------------------------------------------------------
# SquidClamav v6.x default configuration file
#
# To know to customize your configuration file, see squidclamav manpage
# or go to http://squidclamav.darold.net/
#
#-----------------------------------------------------------------------------
#
# Global configuration
#
squid_ip 127.0.0.1
squid_port 3128
trust_cache 0
# Maximum size of a file that may be scanned. Any file bigger that this value
# will not be scanned.
maxsize 256000000
# When a virus is found then redirect the user to this URL
redirect http://192.168.10.110/cgi-bin/clwarn.cgi
# Path to the squiGuard binary if you want URL filtering
#squidguard /usr/local/squidGuard/bin/squidGuard
# Path to the clamd socket, use clamd_local if you use Unix socket or if clamd
# is listening on an Inet socket, comment clamd_local and set the clamd_ip and
# clamd_port to the corresponding value.
#clamd_local /tmp/clamd
clamd_local /var/lib/clamav/clamd-socket
clamd_ip 192.168.10.110,127.0.0.1
clamd_port 3310
# Set the timeout for clamd connection. Default is 1 second, this is a good
# value but if you have slow service you can increase up to 3.
timeout 1
# Force SquidClamav to log all virus detection or squiguard block redirection
# to the c-icap log file.
logredir 0
# Enable / disable DNS lookup of client ip address. Default is enabled '1' to
# preserve backward compatibility but you must desactivate this feature if you
# don't use trustclient with hostname in the regexp or if you don't have a DNS
# on your network. Disabling it will also speed up squidclamav.
dnslookup 1
#
# Here is some defaut regex pattern to have a high speed proxy on system
# with low resources.
#
# Do not scan images
#abort ^.*\.(ico|gif|png|jpg)$
#abortcontent ^image\/.*$
# Do not scan text files
#abort ^.*\.(css|xml|xsl|js|html|jsp)$
#abortcontent ^text\/.*$
#abortcontent ^application\/x-javascript$
# Do not scan streamed videos
abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
#abort ^.*\.wmv$
# Do not scan flash files
abort ^.*\.swf$
abortcontent ^application\/x-shockwave-flash$
# Do not scan sequence of framed Microsoft Media Server (MMS) data packets
#abortcontent ^application\/x-mms-framed$
# White list some sites
# whitelist .*\.clamav.net
whitelist .*\.gomplayer\.jp
whitelist .*\.gomlab\.com
whitelist .*\.sony\.jp
whitelist .*\.ati\.com
whitelist .*\.lg\.com
whitelist .*\.symantec\.com
whitelist .*\.norton\.com
whitelist .*\.liveupdate\.symantecliveupdate\.com
whitelist .*\.slysoft\.com
whitelist .*\.epson\.jp
whitelist .*\.microsoft\.com
whitelist .*\.iodata\.jp
whitelist .*\.sun\.com
whitelist .*\.paragon-software\.com
whitelist .*\.jra-van\.ne\.jp
whitelist .*\.real\.com
whitelist .*\.turbine\.com
# See also 'trustuser' and 'trustclient' configuration directives
#trustclient 192.168.10.160
# Do not scan m4a (itunes)
abort ^.*\.m4a$
abortcontent ^video\/x-ms-asf$
# exclude others
abort ^.*vista_win7_32-64_.*$
abort ^.*GOMENCODERSETUP_JPN\.EXE$
abort ^.*Joomla.*$
#abortcontent ^application\/octet-stream$
# -> eicar file type
---e.g.---end---
②変更の可能性があるので、下記は実行して下さい。
cp -p /usr/local/lib/squidclamav/* /srv/www/cgi-bin/
③以前のままです
vi /etc/squid/squid.conf
---e.g.---start---※以前のまま---
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Safe_ports port 12093 # bitcomet
acl Safe_ports port 20820 # eMule
acl Safe_ports port 1090 # PNA
acl Safe_ports port 554 # RTSP
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# allow localhost always proxy functionality
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 50000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpe?g|ico|tif?f|bmp)$ 10080 90% 43200 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpe?g|swf|flv|x-flv|mpg|ra?m|mwv|mov|mid)$ 43200 90% 432000 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|class|pdf)$ 10080 90% 43200 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 10080 90% 43200
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 40% 40320
cache_mem 256 MB
maximum_object_size_in_memory 256 MB
maximum_object_size 1024 MB
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
#squidclamav
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=on routing=off ipv6=off icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=on routing=off ipv6=off icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
http_port 3128
#SSL squidclamav
#http_port 3128 ssl-bump cert=/etc/ssl/sq.pem key=/etc/ssl/sq-key.pem
#ssl_bump allow all
#always_direct allow all
forwarded_for off
---e.g.---end---
④restartさせます。
/etc/init.d/c-icap stop
/etc/init.d/c-icap start
/etc/init.d/squid restart
【最終確認】
①サービスの起動確認
ps -ef | grep c-icap | grep -v grep
②eicarサイトでダウンロードしてみる。(SSLは除く。)
http://www.eicar.org/85-0-Download.html
③上記をダウンロードすると下記のような画面が表示されます。
④その後、ウイルスが見つかった場合、下記のコマンドでログをチェック。
cat /usr/local/c-icap/var/log/server.log | grep "FOUND"
url=アクセス先
source=IPアドレス
が表示されます。
これ以外にエラーやワーニングが出ていなければ、完了です。
これ以外でも、弊社では各種サーバーをオープンソースで、作成し、運用を致しますので、
御用命は、
webmaster@niriakot.jp
までどうぞ。
※初めてのお客様には、運用費用3か月は無料にします。(構築費は頂きます。)
3か月運用任せて、もしダメだなと感じましたら、運用契約は無しで結構です。
3か月運用任せて、もしダメだなと感じましたら、運用契約は無しで結構です。
0 件のコメント:
コメントを投稿