Linux Solution – Linux上無毒信箱的建立

作者：衡山飛狐

出處：HappyLinux,Just for fun!

本 著作 係採用 Creative Commons 授權條款授權.

一、【前言】

e-mail已成為網路上非常便利的通訊方式，但是隨著愈來愈多的電子郵件往來，更造就了『電子郵件病毒(e-mail virus)』的猖獗肆虐。根據統計；電子郵件已躍升為電腦病毒最主要的傳播媒介。據總部位於英國的企業防毒保護廠商Sophos的統計，2002年十大電腦病毒的前九名都是以大量擴散電子郵件的Windows 32病蟲為主，而有高達87%的電腦病毒是透過電子郵件散播。因此建立一個無毒的電子郵件環境，可有效阻絕個人和企業遭受大部份電腦病毒的侵襲。

由於大部份Server端的掃毒方案多有版權或授權上的問題，此篇介紹的MailScanner+Clamav整體效能相當不錯；而採用的Clamav病毒碼資料庫為OpenAntiVirus的GPL授權，且能自動線上更新，算是相當不錯的Server端的掃毒方案。

二、【軟體】

clamav：http://aleron.dl.sourceforge.net/sourceforge/clamav/clamav-0.60.tar.gz

MailScanner：

http://www.sng.ecs.soton.ac.uk/mailscanner/

三、【軟體說明】

clamav：

為一Virus Scanner 病毒掃瞄程式，Multi-thread，以 C 寫成，使用來自於OpenAntiVirus 的病毒碼，授權方式為GPL。

http://clamav.elektrapro.com/

MailScanner：

為一個功能強大且免費的郵件病毒及廣告信過濾器，授權方式為GPL。

http://www.mailscanner.info/

四、【環境】

RedHat 9.0 (shrike)

sendmail-8.12.8-5.90

五、【安裝】

(1).安裝clamav

1.下載clamav-0.60.tar.gz

2.[root@virtualage clamav]#tar zxvf clamav-0.60.tar.gz

[root@virtualage clamav]#cd clamav-0.60

[root@virtualage clamav-0.60]#groupadd clamav

[root@virtualage clamav-0.60]#useradd -g clamav -s /bin/false -c “Clam AntiVirus” clamav

[root@virtualage clamav-0.60]#./configure

[root@virtualage clamav-0.60]#make

[root@virtualage clamav-0.60]#make install

3.修改clamav.conf設定：

[root@virtualage clamav-0.60]#vi /etc/clamav.conf

找到如下部份(第7,8行)，並將其內容：

—————–/etc/clamav.conf——————–

# Comment or remove the line below.

Example

———————————————————-

改成

—————–/etc/clamav.conf——————–

# Comment or remove the line below.

# Example

———————————————————-

4.測試clamav是否work；

[root@virtualage clamav-0.60]#clamscan ./

會得到如下結果：

//FAQ: OK

//BUGS: OK

//NEWS: OK

//TODO: OK

//depcomp: OK

//aclocal.m4: OK

//README: OK

//ltmain.sh: OK

//configure: OK

//configure.in: OK

//config.guess: OK

//install-sh: OK

//config.sub: OK

//missing: OK

//mkinstalldirs: OK

//Makefile.am: OK

//Makefile.in: OK

//acinclude.m4: OK

//AUTHORS: OK

//INSTALL: OK

//ChangeLog: OK

//COPYING: OK

//config.log: OK

//target.h: OK

//config.status: OK

//Makefile: OK

//libtool: OK

———– SCAN SUMMARY ———–

Known viruses: 9567

Scanned directories: 1

Scanned files: 27

Infected files: 0

Data scanned: 1.12 Mb

I/O buffer size: 131072 bytes

Time: 1.605 sec (0 m 1 s)

如果沒出現錯誤訊息，代表clamav已可正常work了，由於本篇主要探討與MailScanner之間的配合，詳細的clamav用法請參考：

http://www.clamav.net/doc/0.80rc2/clamdoc.pdf

(2).安裝MailScanner

1.下載MailScanner-4.23-11.rpm.tar.gz

2.[root@virtualage MailScanner]#tar zxvf MailScanner-4.23-11.rpm.tar.gz

[root@virtualage MailScanner]#cd MailScanner-4.23-11

[root@virtualage MailScanner-4.23-11]#./install.sh

安裝程式可能會要求您先執行Update-MakeMaker.sh

[root@virtualage MailScanner-4.23-11]#./Update-MakeMaker.sh

然後再執行一次install.sh

[root@virtualage MailScanner-4.23-11]#./install.sh

靜待程式安裝完畢即完成安裝。

3.修改MailScanner.conf設定：

[root@virtualage MailScanner-4.23-11]#cd /etc/MailScanner

[root@virtualage MailScanner]#cp MailScanner.conf MailScanner.conf.000

[root@virtualage MailScanner]#vi MailScanner.conf

找到如下部份，並將其內容：

——————–/etc/MailScanner/MailScanner.conf—————–

%org-name% = yoursite 改成 %org-name% = virtualage(舉例)

Virus Scanners = none 改成 Virus Scanners = clamav(指定用clamav為掃毒引擎)

———————————————————————-

●註：本版MailScanner支援下列掃毒引擎：

—————-/etc/MailScanner/virus.scanners.conf—————————–

# This is a list of the names of the virus scanning engines, along with the

# filename of the command or script to run to invoke each one.

antivir /usr/lib/MailScanner/antivir-wrapper /usr/lib/AntiVir

bitdefender /usr/lib/MailScanner/bitdefender-wrapper /usr/local/bd7

clamav /usr/lib/MailScanner/clamav-wrapper /usr/local

command /usr/lib/MailScanner/command-wrapper /usr

etrust /usr/lib/MailScanner/etrust-wrapper /opt/eTrustAntivirus

f-prot /usr/lib/MailScanner/f-prot-wrapper /usr/local/f-prot

f-secure /usr/lib/MailScanner/f-secure-wrapper /opt/f-secure/fsav

inoculan /usr/lib/MailScanner/inoculan-wrapper /usr/local/inoculan

inoculate /usr/lib/MailScanner/inoculate-wrapper /usr/local/av

kaspersky /usr/lib/MailScanner/kaspersky-wrapper /opt/AVP

kavdaemonclient /usr/lib/MailScanner/kavdaemonclient-wrapper /usr/local

mcafee /usr/lib/MailScanner/mcafee-wrapper /usr/local/uvscan

nod32-1.99 /usr/lib/MailScanner/nod32-wrapper /usr/local/nod32

nod32 /usr/lib/MailScanner/nod32-wrapper /usr/local/nod32

none /bin/false /tmp

panda /usr/lib/MailScanner/panda-wrapper /usr

rav /usr/lib/MailScanner/rav-wrapper /usr/local/rav8

sophos /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos

sophossavi /bin/false /tmp

trend /usr/lib/MailScanner/trend-wrapper /pack/trend

———–end of /etc/MailScanner/virus.scanners.conf—————————–

六、【e-mail掃毒機制啟用】

1.先停止sendmail

service sendmail stop

2.手動啟動Mailscanner

service MailScanner start

or /etc/rc.d/init.d/MailScanner start

●註：安裝完MailScanner後，MailScanner會於開機時自動執行。

執行 grep “MailScanner” /var/log/maillog 應該會看到下列訊息：

Sep 6 04:25:08 virtualage MailScanner[6600]: MailScanner E-Mail Virus Scanner v

ersion 4.23-11 starting…

Sep 6 04:25:08 virtualage MailScanner[6600]: Using locktype = flock

Sep 6 04:30:10 virtualage MailScanner[6560]: New Batch: Found 2 messages waitin

g

Sep 6 04:30:10 virtualage MailScanner[6560]: New Batch: Scanning 1 messages, 12

16 bytes

Sep 6 04:30:12 virtualage MailScanner[2878]: New Batch: Found 2 messages waitin

g

Sep 6 04:30:12 virtualage MailScanner[2878]: New Batch: Scanning 1 messages, 13

57 bytes

Sep 6 04:30:16 virtualage MailScanner[2878]: Virus and Content Scanning: Starti

ng

Sep 6 04:30:17 virtualage MailScanner[2878]: Uninfected: Delivered 1 messages

代表MailScanner已經開始發揮作用了。

七、【clamav病毒碼線上更新】

clamav提供一個線上更新病毒碼的工具程式freshclam；有兩種方式可定時自動更新病毒碼：

首先先產生一個紀錄檔：

# touch /var/log/clam-update.log

# chmod 600 /var/log/clam-update.log

# chown clamav /var/log/clam-update.log

(1)daemon：# freshclam -d -c 2 -l /var/log/clam-update.log

將之寫進/etc/rc.d/rc.local於開機後自動以daemon方式一天檢查兩次。

(2)crontab：

0 8 * * * /usr/local/bin/freshclam –quiet -l /var/log/clam-update.log

每天八點執行檢查。

八、【病毒攔截驗證】

[d]〔圖一〕MailScanner攔截到病毒信件[/d]

[d]〔圖二〕MailScanner於病毒信件的內容加註警告及說明[/d]

——————-附件中VirusWarning.txt的內容—————————-

This is a message from the MailScanner E-Mail Virus Protection Service

———————————————————————-

The original e-mail attachment "movie0045.pif"

was believed to be infected by a virus and has been replaced by this warning

message.

If you wish to receive a copy of the *infected* attachment, please

e-mail helpdesk and include the whole of this message

in your request. Alternatively, you can call them, with

the contents of this message to hand when you call.

At Sat Sep 6 10:58:01 2003 the virus scanner said:

ClamAV: movie0045.pif contains Worm.Sobig.F <<==ClamAV掃描到Sobig病毒

MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (movie0045.pif)

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20030906 (message h862vj0F011226).

–

Postmaster

Mailscanner thanks transtec Computers for their support

[d]〔圖三〕主機上每封e-mail的進出均有MailScanner把關[/d]

[d]〔圖四〕一攔截到病毒信，MailScanner亦會通知管理者[/d]

作者：衡山飛狐 flyfox@gen2.homeip.net

寄件者：衡山飛狐 (flyfox@bbs.openfind.com.tw)

主旨：Linux Solution – Linux上無毒信箱的建立

網上論壇：tw.bbs.comp.linux

日期：2003-09-07 18:53:22 PST