#author("2018-08-29T15:13:38+09:00","","") #author("2018-08-29T15:15:41+09:00","","") [[CentOS7]] *プロキシサーバーでウイルスチェック(Squid+SquidClamAV+ClamAV) [#p2e1e6ad] プロキシサーバーでウイルスチェックを行う。ここでは、[[Squid>squidインストール]]+[[SquidClamAV>http://sourceforge.net/projects/squidclamav/]]+[[ClamAntiVirus>Clam AntiVirusインストール]]で構築したプロキシサーバーで、クライアントが当該プロキシサーバー経由でアクセスするページのウイルスチェックを行い、ウイルスを検出した場合はアクセスをブロックする。なお、検査対象となるのはプロキシが中身を見られるHTTP通信であり、一般にHTTPS(CONNECTトンネル)の通信内容はSquid側で復号しない限り検査されない点に注意すること。 &color(red){※[[Squid>squidインストール]]、[[ClamAntiVirus>Clam AntiVirusインストール]]、[[Apache>Apacheインストール]]が構築済であること}; *SquidClamAVインストール [#v80ebaba] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# yum -y install curl-devel &color(lime){← SquidClamAVインストールに必要なcurl-develインストール};| |[root@localhost ~]# wget http://nchc.dl.sourceforge.net/sourceforge/squidclamav/squidclamav-4.0.tar.gz &color(lime){← SquidClamAVダウンロード};| |&color(lightpink){※最新版のURLは[[ダウンロードページ>http://sourceforge.net/project/showfiles.php?group_id=222018&package_id=268243]]で確認すること};| |&color(lightpink){※平文のhttpで取得したアーカイブは途中で差し替えられていても気付けない。root権限で make install する前に、配布元が公開しているハッシュ値や署名とダウンロードしたファイルを照合すること};| |[root@localhost ~]# tar zxvf squidclamav-4.0.tar.gz &color(lime){← SquidClamAV展開};| |[root@localhost ~]# cd squidclamav-4.0 &color(lime){← SquidClamAV展開先ディレクトリへ移動};| |[root@localhost squidclamav-4.0]# ./configure && make && make install &color(lime){← SquidClamAVインストール};| |[root@localhost squidclamav-4.0]# cp squidclamav.conf.dist /etc/squidclamav.conf &color(lime){← SquidClamAV設定ファイルを所定のディレクトリへコピー};| |[root@localhost squidclamav-4.0]# cp clwarn.cgi /var/www/cgi-bin/ &color(lime){← ウイルス検出時のリダイレクト先スクリプトを所定のディレクトリへコピー};| |[root@localhost squidclamav-4.0]# cd &color(lime){← SquidClamAV展開先ディレクトリを抜ける};| |[root@localhost ~]# rm -rf squidclamav-4.0 &color(lime){← SquidClamAV展開先ディレクトリを削除};| |[root@localhost ~]# rm -f squidclamav-4.0.tar.gz &color(lime){← ダウンロードしたファイルを削除};| *SquidClamAV設定 [#ue5e81dc] **Squid設定 [#t29e3890] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/squid/squid.conf &color(lime){← Squid設定ファイル編集};| |# TAG: url_rewrite_program &br; # Specify the location of the executable for the URL rewriter. 
&br; # Since they can perform almost any function there isn't one included. &br; # &br; # For each requested URL rewriter will receive on line with the format &br; # &br; # URL client_ip "/" fqdn user method urlgroup &br; # &br; # And the rewriter may return a rewritten URL. The other components of &br; # the request line does not need to be returned (ignored if they are). &br; # &br; # The rewriter can also indicate that a client-side redirect should &br; # be performed to the new URL. This is done by prefixing the returned &br; # URL with "301:" (moved permanently) or 302: (moved temporarily). &br; # &br; # It can also return a "urlgroup" that can subsequently be matched &br; # in cache_peer_access and similar ACL driven rules. An urlgroup is &br; # returned by prefixing the returned url with "!urlgroup!" &br; # &br; # By default, a URL rewriter is not used. &br; # &br; #Default: &br; # none &br; url_rewrite_program /usr/local/bin/squidclamav &color(lime){← 追加}; &br; &br; # TAG: url_rewrite_children &br; # The number of redirector processes to spawn. If you start &br; # too few Squid will have to wait for them to process a backlog of &br; # URLs, slowing it down. If you start too many they will use RAM &br; # and other system resources. &br; # &br; #Default: &br; # url_rewrite_children 5 &br; url_rewrite_children 15 &color(lime){← 追加}; &br; &br; # TAG: url_rewrite_access &br; # If defined, this access list specifies which requests are &br; # sent to the redirector processes. By default all requests &br; # are sent. &br; # &br; #Default: &br; # none &br; url_rewrite_access deny localhost &color(lime){← 追加(プロキシサーバー自身(localhost)からのリクエストはリライタに渡さない。SquidClamAVが後述の proxy 設定(127.0.0.1:3128)経由で行うアクセスを再度検査に回さないために必要だが、裏を返せばプロキシサーバー上で動作するクライアントの通信はウイルスチェックされないことに注意)}; &br; &br; http_access deny to_localhost &color(lime){← 行頭の#を削除してコメント解除(クライアントがプロキシ経由でサーバー自身のループバック上のサービスへ到達するのを禁止する)};| **ClamAV設定 [#j8ebf376] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/clamd.conf &color(lime){← clamd設定ファイル編集(clamdの設定ファイル名やサービス名はインストール方法により異なるため、環境に合わせて読み替えること)};| |# Path to a local socket file the daemon will listen on. 
&br; # Default: disabled (must be specified by a user) &br; LocalSocket /var/run/clamav/clamd.sock &color(lime){← clamdソケット名変更}; &br; &br; # TCP port address. &br; # Default: disabled &br; TCPSocket 3310 &br; &color(lime){''↓''}; &br; #TCPSocket 3310 &color(lime){← 行頭に#を追加してコメントアウト(clamdのTCP通信を無効化。ローカルソケットのみで受け付けることで、ネットワーク経由でclamdに接続される経路をなくす)};| |[root@localhost ~]# /etc/rc.d/init.d/clamd restart &color(lime){← clamd再起動}; &br; Stopping Clam AntiVirus Daemon: [ OK ] &br; Starting Clam AntiVirus Daemon: [ OK ]| |&color(lightpink){※SquidClamAVはsquidユーザーで動作するため、squidユーザーが上記ソケットに読み書きできること(ソケットの所有グループや LocalSocketGroup / LocalSocketMode の設定)を確認する。clamdに接続できない場合は検査が行われないままリクエストが通過する可能性があるので、設定後は必ず後述のEICARテストで検出できることを確かめること};| **SquidClamAV設定 [#m1ec765c] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/squidclamav.conf &color(lime){← SquidClamAVファイル編集};| |proxy http://127.0.0.1:3128/ &br; logfile /var/log/squidclamav.log &br; redirect http://localhost/cgi-bin/clwarn.cgi &br; debug 0 &br; force 1 &br; clamd_local /var/run/clamav/clamd.sock &br; timeout 60 &br; abort ^.*\.gz$ &br; abort ^.*\.bz2$ &br; abort ^.*\.pdf$ &br; abort ^.*\.js$ &br; abort ^.*\.html$ &br; abort ^.*\.css$ &br; abort ^.*\.xml$ &br; abort ^.*\.xsl$ &br; abort ^.*\.js$ &br; abort ^.*\.ico$ &br; aborti ^.*\.gif$ &br; aborti ^.*\.png$ &br; aborti ^.*\.jpg$ &br; aborti ^.*\.swf$ &br; content ^.*application\/.*$| |&color(lightpink){※abort / aborti はリクエストURLに対する正規表現で、一致したリクエストはウイルス検査を行わず素通しにする設定。URL(拡張子)は配信側が自由に付けられるため、上記のままでは .gz .bz2 .pdf .js .html などのURLで配布されるファイルは一切検査されない。検査負荷とのトレードオフを理解したうえで、少なくともアーカイブ・文書・スクリプト系(.gz .bz2 .pdf .js .html)は除外しないことを検討すること。なお ^.*\.js$ は2回記述されている(重複)};| |[root@localhost ~]# touch /var/log/squidclamav.log &color(lime){← SquidClamAVログファイル作成};| |[root@localhost ~]# chown squid:squid /var/log/squidclamav.log &color(lime){← SquidClamAVログファイル所有者変更};| |[root@localhost ~]# vi /etc/logrotate.d/squidclamav &color(lime){← SquidClamAVログローテーション設定ファイル作成};| |/var/log/squidclamav.log { &br; missingok &br; notifempty &br; sharedscripts &br; postrotate &br; killall -HUP squidclamav > /dev/null 2>/dev/null || true &br; endscript &br; }| |/var/log/squidclamav.log { &br; missingok &br; notifempty &br; sharedscripts &br; postrotate &br; killall -HUP squidclamav > /dev/null 2>/dev/null || true &br; endscript &br; }| *SquidClamAV起動 [#t22f1dc7] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# /etc/rc.d/init.d/squid restart &color(lime){← Squid再起動};| |Stopping squid: [ OK ] &br; Starting squid: . 
[ OK ]| *SquidClamAV確認 [#a0e65d5a] プロキシを利用するよう設定したクライアント(プロキシサーバー自身ではない。localhostからのリクエストは url_rewrite_access deny localhost により検査対象外)から[[テスト用ウイルス>http://www.eicar.org/download/eicar_com.zip]]へアクセスして以下のようなページが表示されてウイルスをダウンロードできないことを確認。表示されるバージョン番号はインストールしたSquidClamAVのものになる。なお eicar_com.zip は上記の abort 設定に該当しないため検査されるが、abort で除外した拡張子(.gz 等)で同じ内容を配布すると検査されずに通過する点も併せて把握しておくこと。 ----- SquidClamAv 3.5: Virus detection &br; &br; The requested URL http://www.eicar.org/download/eicar_com.zip &br; contains the virus: Eicar-Test-Signature &br; &br; This URL can not be downloaded. &br; &br; Origin: 192.168.1.10 / - &br; &br; Powered by SquidClamAv 3.5. &br; ----- *clwarn.cgi日本語化 [#o22e28ad] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /var/www/cgi-bin/clwarn.cgi &color(lime){← clwarn.cgi編集};| |my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; &br; &color(lime){''↓''}; &br; my $TITLE_VIRUS = "SquidClamAv $VERSION: ウイルス検出"; &color(lime){← 変更}; &br; &br; print $cgi->header(); &br; &color(lime){''↓''}; &br; print $cgi->header(-expires=>'+1m',-charset=>'UTF-8'); &color(lime){← 変更}; &br; &br; print $cgi->start_html(-title => $TITLE_VIRUS); &br; &color(lime){''↓''}; &br; print $cgi->start_html(-title => $TITLE_VIRUS,-lang =>'ja'); &color(lime){← 変更}; &br; &br; The requested URL $url <br> &br; contains the virus: $virus &br; &color(lime){''↓''}; &br; アクセスしたURL $url <br> &color(lime){← 変更}; &br; 検出ウイルス: $virus &color(lime){← 変更}; &br; &br; This URL can not be downloaded. &br; &color(lime){''↓''}; &br; このURLをダウンロードできません。 &color(lime){← 変更}; &br; &br; Origin: $source / $user &br; &color(lime){''↓''}; &br; アクセス元: $source / $user &color(lime){← 変更};| |&color(lightpink){※変更するのは表示文言のみとし、それ以外の処理は変えないこと。ページに埋め込まれる $url $virus $source $user はクエリ文字列から渡される値であり、clwarn.cgi はApacheに到達できる相手なら誰でも任意のパラメータで呼び出せる。編集後も、これらの値がHTMLエスケープされた状態で出力されていること(エスケープが無いとスクリプト注入の恐れがある)を確認し、可能であればApache側でこのCGIへのアクセスをプロキシサーバー自身とクライアントのネットワークに限定する};| プロキシを利用するクライアントから[[テスト用ウイルス>http://www.eicar.org/download/eicar_com.zip]]へアクセスして以下のようなページが表示されてウイルスをダウンロードできないことを確認。 ----- SquidClamAv 3.5: ウイルス検出 &br; &br; &br; アクセスしたURL http://www.eicar.org/download/eicar_com.zip &br; 検出ウイルス: Eicar-Test-Signature &br; &br; &br; このURLをダウンロードできません。 &br; &br; &br; アクセス元: 192.168.1.10 / - &br; &br; &br; Powered by SquidClamAv 3.5. &br; -----