How To Integrate ClamAV Into PureFTPd For Virus Scanning On CentOS 6.2

This tutorial explains how you can integrate ClamAV into PureFTPd for virus scanning on a CentOS 6.2 system. In the end, whenever a file gets uploaded through PureFTPd, ClamAV will check the file and delete it if it is malware.

1 Preliminary Note

You should have a working PureFTPd setup on your CentOS 6.2 server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On CentOS 6.2.

2 Installing ClamAV

ClamAV is not available in the official CentOS repositories, therefore we enable the EPEL repository (if you haven't done so already, for example in the Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On CentOS 6.2 tutorial):

rpm --import https://fedoraproject.org/static/0608B895.txt
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
rpm -ivh epel-release-6-5.noarch.rpm

yum install yum-priorities

Edit /etc/yum.repos.d/epel.repo...

vi /etc/yum.repos.d/epel.repo

... and add the line priority=10 to the [epel] section:

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[...]

Afterwards we can install ClamAV as follows:

yum install clamav clamd

Next we create the system startup links for clamd and start it:

chkconfig --levels 235 clamd on
/usr/bin/freshclam

/etc/init.d/clamd start

3 Configuring PureFTPd

First we open /etc/pure-ftpd/pure-ftpd.conf and set CallUploadScript to yes :

vi /etc/pure-ftpd/pure-ftpd.conf

[...]
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.

CallUploadScript yes
[...]

Next we create the file /etc/pure-ftpd/clamav_check.sh (which will call /usr/bin/clamdscan whenever a file is uploaded through PureFTPd)...

vi /etc/pure-ftpd/clamav_check.sh

#!/bin/sh
/usr/bin/clamdscan --remove --quiet --no-summary "$1"

... and make it executable:

chmod 755 /etc/pure-ftpd/clamav_check.sh

Now we start the pure-uploadscript program as a daemon - it will call our /etc/pure-ftpd/clamav_check.sh script whenever a file is uploaded through PureFTPd:

pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh

Of course, you don't want to start the daemon manually each time you boot the system - therefore we open /etc/rc.local...

vi /etc/rc.local

... and add the line /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh to it - e.g. as follows:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh
touch /var/lock/subsys/local

Finally we restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it! Now whenever someone tries to upload malware to your server through PureFTPd, the "bad" file(s) will be silently deleted.

4 Links

• PureFTPD: http://www.pureftpd.org/
• ClamAV: http://www.clamav.net/
• CentOS: http://www.centos.org/