Mod_Clamav : Virus scanning for ProFTPd

Overview

Thralling Penguin maintains an add-on module for the excellent ProFTPd FTP server which enables immediate virus scanning of newly uploaded files prior to allowing the file upload to complete. With Mod_Clamav you can ensure that your FTP sites do not contain virus-laden files which may be downloaded by your users and clients. The benefits of such a module are invaluable for sites which run anonymous FTP and for companies which have strict IT requirements.


Latest Release

The current release requires Clamd from the ClamAV software. Mod_Clamav may be configured to either use Clamd via local unix sockets or TCP sockets. This allows one to combine ProFTPd with Mod_Clamav and Clamd on a system with local unix sockets for minimal administrative overhead and decent security; however, it also allows for a large scale deployment with many ProFTPd servers utilizing a separate Clamd host over TCP for scalability and lower administrative overhead.

Additional features include:

  • HiddenStore support
  • Chroot environments
  • Reporting a detected virus to the remote FTP client and ProFTPd logging
  • Clamd TCP socket support
  • Clamd Unix socket support
  • Simple configuration

Download Version 0.7
(tar.gz) MD5: b682da3dca4664d2fcb8e0b67a895d4b
(zip) MD5: a6a480d3d310a499bfe1073166bdc94d


ClamAV version 0.88

ClamAV version 0.88 introduced a hard-coded 5 second timeout for sessions, which caused this module to experience problems. The bug was resolved on March 26, 2006, and the fix appears in version 0.88.1 and newer, together with a new configuration directive for Clamd called ReadTimeout. The ReadTimeout value has a default of 120 in version 0.88.1, instead of the prior 5 second hard-coded value.


Installation

To install Mod_Clamav, download and unpack the Mod_Clamav source code.

wget http://www.thrallingpenguin.com/resources/mod_clamav-0.7.tar.gz
tar xzvf mod_clamav-0.7.tar.gz

Download the latest proftpd source code, and prepare it for building Mod_Clamav.

wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.1.tar.gz
tar xzvf proftpd-1.3.1.tar.gz
cp mod_clamav-0.7/mod_clamav.* proftpd-1.3.1/contrib

Apply the required patch:

cd proftpd-1.3.1
patch -p1 < ../mod_clamav-0.7/proftpd.patch

Now the usual steps for building ProFTPd, using third-party modules, apply. Additionally, you may change any configure arguments to meet your needs.

./configure --with-modules=mod_clamav
make
make install

Configuration

The following directives are available in ProFTPd when using Mod_Clamav.

ClamAV

Syntax: ClamAV boolean
Default: Off
Context: server config, <VirtualHost>, <Global>, <Anonymous>
Module: mod_clamav
Compatibility: 1.2.10 or newer

The ClamAV directive controls whether Mod_Clamav's virus scanning and virus removal features are active. If no ClamAV directive is configured, then the module will do no virus scanning.

ClamLocalSocket

Syntax: ClamLocalSocket string
Default: None
Context: server config, <Global>
Module: mod_clamav
Compatibility: 1.2.10 or newer

The ClamLocalSocket directive will configure the UNIX socket used to connect to the Clamd daemon process. If no ClamLocalSocket directive is configured, then the module will do no Unix local socket Clamd scanning.

ClamServer

Syntax: ClamServer string
Default: None
Context: server config, <Global>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.6 or newer

The ClamServer directive will configure the hostname/IP address used to connect to the Clamd daemon process. If no ClamServer directive is configured, then the module will do no TCP Clamd scanning.

ClamPort

Syntax: ClamPort integer
Default: 3310
Context: server config, <Global>
Module: mod_clamav
Compatibility: ProFTPd 1.2.10 or newer, Mod_Clamav 0.6 or newer

The ClamPort directive will configure the TCP port used to connect to the Clamd daemon process. If no ClamPort directive is configured, then the module will use the Clamd default TCP port of 3310.


Configuration Examples

Single system with both ProFTPd and Clamd utilizing Unix local sockets.

<IfModule mod_clamav.c>
   ClamAV on
   ClamLocalSocket /tmp/clamd
</IfModule>

Single system with both ProFTPd and Clamd utilizing TCP sockets.

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
</IfModule>
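
Because the directives default to Off and None, a configuration can load the module and still scan nothing. The following added example (not part of Mod_Clamav) reads a ProFTPd configuration file and reports which Clamd endpoint the four directives select, applying the documented ClamPort default of 3310. The function names are hypothetical, and it assumes one set of directives per file and that on/yes/true/1 are the accepted "on" spellings.

```shell
#!/bin/sh
# Added example: report which clamd endpoint a mod_clamav configuration selects.

# clamav_endpoints CONF_FILE
# Prints "disabled", "no-endpoint", or one line per endpoint:
#   unix:<path>   and/or   tcp:<host>:<port>
clamav_endpoints() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { d = tolower($1) }
        # Assumption: these are the boolean spellings that mean "on".
        d == "clamav"          { on = (tolower($2) ~ /^(on|yes|true|1)$/) }
        d == "clamlocalsocket" { sock = $2 }
        d == "clamserver"      { host = $2 }
        d == "clamport"        { port = $2 }
        END {
            if (!on) { print "disabled"; exit }     # ClamAV defaults to Off
            if (port == "") port = 3310             # documented ClamPort default
            if (sock != "") print "unix:" sock
            if (host != "") print "tcp:" host ":" port
            if (sock == "" && host == "") print "no-endpoint"
        }
    ' "$1"
}

# clamav_lint CONF_FILE -> 0 if uploads will be scanned, 1 otherwise.
clamav_lint() {
    out=$(clamav_endpoints "$1")
    case "$out" in
        disabled|no-endpoint) echo "$1: $out" >&2; return 1 ;;
    esac
    echo "$out"
}

# Constructed sample: scanning switched on, but no socket or server configured.
conf=$(mktemp)
printf '%s\n' '<IfModule mod_clamav.c>' '   ClamAV on' '</IfModule>' > "$conf"
clamav_lint "$conf" || echo "uploads would not be scanned"
rm -f "$conf"
```

The path reported as `unix:` has to be the same one Clamd listens on (the LocalSocket setting in clamd.conf).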

Prior Releases

Mod_Clamav version 0.5 was the first release to include Clamd support. It has been marked as a prior unsupported version, but is available below.

Download Version 0.5
(tar.gz) MD5: b11880ad55b771d742e2aaf52674144f
(zip) MD5: c2f029a1eed41b94597e07da8cc84243

Mod_Clamav version 0.3 utilized libclamav directly for scanning. It has been marked as a prior unsupported version, but is available below.

Download Version 0.3
(tar.gz) MD5: 062d37c43a9894c471dba70457a55628
(zip) MD5: 51264a661072586f2565f88055562eaa


Future To-Do's

  • Implement auto-reconnect for both Unix local sockets and TCP sockets
  • Implement min and max file sizes for scanning (e.g., to allow mammoth files to not be scanned).

References

ClamAV
http://www.clamav.net/

ProFTPd
http://www.proftpd.org/


About the Author

Joseph Benden, Sr. is the owner of Thralling Penguin LLC. Thralling Penguin designs, develops, and extends software technologies for the most demanding business applications, as well as offering VoIP Consulting services.