From d32197e3cf75fa1e957f5b8aee0b2d4e52411280 Mon Sep 17 00:00:00 2001 From: Alexey Berezhok Date: Thu, 4 Apr 2024 21:47:16 +0300 Subject: [PATCH] Added clamav installation --- install/hst-install-rhel.sh | 10 +- install/rpm/clamav/clamd.conf | 2 +- install/rpm/clamav/freshclam.conf | 213 ++---------------------------- 3 files changed, 19 insertions(+), 206 deletions(-) diff --git a/install/hst-install-rhel.sh b/install/hst-install-rhel.sh index 392caf1..88208ce 100755 --- a/install/hst-install-rhel.sh +++ b/install/hst-install-rhel.sh @@ -63,7 +63,7 @@ software="nginx mysql.${arch} mysql-common mysql-server postgresql-server postgresql sqlite.${arch} vsftpd proftpd bind - exim clamd spamassassin dovecot dovecot-pigeonhole + exim clamd clamav spamassassin dovecot dovecot-pigeonhole hestia hestia-nginx hestia-php rrdtool quota e2fsprogs fail2ban dnsutils util-linux cronie expect perl-Mail-DKIM unrar vim acl sysstat rsyslog openssh-clients util-linux ipset zstd systemd-timesyncd jq awstats perl-Switch net-tools mc flex @@ -837,11 +837,13 @@ if [ "$exim" = 'no' ]; then software=$(echo "$software" | sed -e "s/exim//") software=$(echo "$software" | sed -e "s/dovecot//") software=$(echo "$software" | sed -e "s/clamd//") + software=$(echo "$software" | sed -e "s/clamav//") software=$(echo "$software" | sed -e "s/spamassassin//") software=$(echo "$software" | sed -e "s/dovecot-pigeonhole//") fi if [ "$clamd" = 'no' ]; then software=$(echo "$software" | sed -e "s/clamd//") + software=$(echo "$software" | sed -e "s/clamav//") fi if [ "$spamd" = 'no' ]; then software=$(echo "$software" | sed -e "s/spamassassin//") 
@@ -1665,10 +1667,16 @@ fi #----------------------------------------------------------# if [ "$clamd" = 'yes' ]; then + useradd clamav -m -d /var/lib/clamavnew -r -s /sbin/nologin gpasswd -a clamav mail > /dev/null 2>&1 gpasswd -a clamav exim > /dev/null 2>&1 cp -f $HESTIA_INSTALL_DIR/clamav/clamd.conf /etc/clamd.d/daemon.conf cp -f $HESTIA_INSTALL_DIR/clamav/clamd.tmpfiles /etc/tmpfiles.d/clamav.conf + cp -f $HESTIA_INSTALL_DIR/clamav/freshclam.conf /etc/freshclam.conf + touch /var/log/freshclam.log + chown clamav:clamav /var/log/freshclam.log + rm -f /var/lib/clamav/freshclam.dat + mkdir -p /var/log/clamav systemd-tmpfiles --create echo -ne "[ * ] Installing ClamAV anti-virus definitions... " diff --git a/install/rpm/clamav/clamd.conf b/install/rpm/clamav/clamd.conf index 048a0ad..4820e8a 100644 --- a/install/rpm/clamav/clamd.conf +++ b/install/rpm/clamav/clamd.conf @@ -23,7 +23,7 @@ LogFacility LOG_LOCAL6 LogClean false LogVerbose true PidFile /run/clamav/clamd.pid -DatabaseDirectory /var/lib/clamav +DatabaseDirectory /var/lib/clamavnew SelfCheck 3600 Foreground false Debug false diff --git a/install/rpm/clamav/freshclam.conf b/install/rpm/clamav/freshclam.conf index 0f8fc4a..66ed1bd 100644 --- a/install/rpm/clamav/freshclam.conf +++ b/install/rpm/clamav/freshclam.conf 
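Review bot: The added `useradd clamav -m -d /var/lib/clamavnew -r -s /sbin/nologin` runs unguarded, so on a host where a `clamav` account already exists (an installer re-run, or an account created by a package) it fails and prints an error; guard it with `id clamav > /dev/null 2>&1 || useradd clamav -m -d /var/lib/clamavnew -r -s /sbin/nologin`. `touch /var/log/freshclam.log` leaves the file mode to the installer's umask, and `mkdir -p /var/log/clamav` stays owned by root. If the daemon is meant to write there as `clamav`, which the hunk does not show, it presumably also needs `chown clamav:clamav /var/log/clamav` and an explicit `chmod 640 /var/log/freshclam.log`. The `rm -f /var/lib/clamav/freshclam.dat` line touches the old directory while both config files in this commit move the database to `/var/lib/clamavnew`, so a one-line comment on why the state file is removed and why the path changed would help the next maintainer. The `if [ "$clamd" = 'yes' ]` block continues past the end of the hunk.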
@@ -1,210 +1,15 @@ -## -## Example config file for freshclam -## Please read the freshclam.conf(5) manual before editing this file. -## - - -# Comment or remove the line below. -#Example - -# Path to the database directory. -# WARNING: It must match clamd.conf's directive! -# Default: hardcoded (depends on installation options) -#DatabaseDirectory /var/lib/clamav - -# Path to the log file (make sure it has proper permissions) -# Default: disabled -#UpdateLogFile /var/log/freshclam.log - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). -# in bytes just don't use modifiers. If LogFileMaxSize is enabled, -# log rotation (the LogRotate option) will always be enabled. -# Default: 1M -#LogFileMaxSize 2M - -# Log time with each message. -# Default: no -#LogTime yes - -# Enable verbose logging. -# Default: no +UpdateLogFile /var/log/freshclam.log +PrivateMirror https://clamav-mirror.ru/ +PrivateMirror http://mirror.truenetwork.ru/clamav/ +ScriptedUpdates no +LogFileMaxSize 80M +LogTime yes #LogVerbose yes - -# Use system logger (can work together with UpdateLogFile). -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# This option allows you to save the process identifier of the daemon -# Default: disabled -#PidFile /run/freshclam.pid +LogRotate yes +#PidFile /var/run/freshclam.pid # By default when started freshclam drops privileges and switches to the # "clamav" user. This directive allows you to change the database owner. # Default: clamav (may depend on installation options) DatabaseOwner clamav - -# Use DNS to verify virus database version. 
Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# database.clamav.net is now the primary domain name to be used world-wide.
-# Now that CloudFlare is being used as our Content Delivery Network (CDN),
-# this one domain name works world-wide to direct freshclam to the closest
-# geographic endpoint.
-# If the old db.XY.clamav.net domains are set, freshclam will automatically
-# use database.clamav.net instead.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources for database files.
-# This option can be used multiple times. Support for:
-# http(s)://, ftp(s)://, or file://
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
-#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
-#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
-#DatabaseCustomURL ftp://myserver.example.com/example.ldb
-#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.example.com
-#PrivateMirror mirror2.example.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
-# of proxy is used.
-# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
-# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
-# socks4:// SOCKS4 Proxy.
-# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
-# socks5:// SOCKS5 Proxy.
-# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
-# Default: disabled
-#HTTPProxyServer https://proxy.example.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 0
-#ReceiveTimeout 1800
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file
-# (safebrowsing.cvd) which will be automatically loaded by clamd and
-# clamscan during the next reload, provided that the heuristic phishing
-# detection is turned on. This database includes information about websites
-# that may be phishing sites or possible sources of malware. When using this
-# option, it's mandatory to run freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use.
-# See https://transparencyreport.google.com/safe-browsing/overview
-# and https://www.clamav.net/documents/safebrowsing for more information.
-# Default: no
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: yes
-#Bytecode no
-
-# Include an optional signature databases (opt-in).
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
-
-# Exclude a standard signature database (opt-out).
-# This option can be used multiple times.
-#ExcludeDatabase dbname1
-#ExcludeDatabase dbname2
+DatabaseDirectory /var/lib/clamavnew
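Review bot: The new `PrivateMirror http://mirror.truenetwork.ru/clamav/` line pulls signature databases over plain HTTP from a third-party host. Per the option text this same hunk deletes, setting PrivateMirror makes freshclam skip the DNS-based freshness check and overrides DatabaseMirror and ScriptedUpdates. With no independent freshness signal, anyone on the path to that mirror could keep serving outdated databases and hold detection back unnoticed. I would keep `DatabaseMirror database.clamav.net` as the shipped default and make regional mirrors an installer option, or at minimum drop the `http://` entry so only HTTPS mirrors remain. `ScriptedUpdates no` is then redundant, and since the upstream "must match clamd.conf" warning is removed, `DatabaseDirectory /var/lib/clamavnew` should carry a comment such as `# Must match DatabaseDirectory in clamd.conf`.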