Wednesday, April 15, 2015

SquidClamav Proxy Scanner on A Raspberry Pi Model B

This shows how to set up a Raspberry Pi model B as an antivirus proxy for scanning everything except SSL-encrypted network traffic.

Firstly being a proxy configuration a static IP is needed.  Either make the IP static on a router or Edit /etc/network/interfaces and make the necessary changes:

auto lo
auto eth0
allow-hotplug eth0
iface lo init loopback
iface eth0 inet static
address 192.168.7.9
netmask 255.255.255.0
gateway 192.168.7.254
Install squid3 and c-icap:

$ apt-get install squid3 c-icap

c-icap is required for communication between the Squid proxy and SquidClamav.

To enable the c-icap daemon to start on boot, edit /etc/default/c-icap and set START=yes

This is the squid configuration that is needed to allow communication with both c-icap and SquidClamav.

Edit /etc/squid3.conf to look like the following save for any obvious changes:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
#change this to the required network
acl localnet src 192.168.7.0/24
#http_access deny to_localhost
http_access allow localnet
#Proxy port
http_port 3128 intercept
#Maximum size of cached
maximum_object_size 512000 KB
#Sets a cache size of 7000MB
cache_dir ufs /var/spool/squid3 7000 16 256
logfile_rotate 10

Edit /etc/c-icap/c-icap.conf to the following:

PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
User c-icap
Group nogroup
ServerAdmin you@your.address
ServerName Anti-Virus-Proxy
TmpDir /tmp
MaxMemObject 1048576
DebugLevel 0
ModulesDir /usr/lib/c_icap
ServicesDir /usr/lib/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so
Service squidclamav squidclamav.so

Next the SquidClamav module needs to be installed in order to pass objects to ClamAv for scanning.

Before compiling squidclamav the c-icap development files are needed:
$ apt-get install libicapapi-dev

Download the source from http://sourceforge.net/projects/squidclamav/ and enter the directory and compile.

$ ./configure
$ make
$ make install

In order to show a warning message upon detection a webserver will need to be installed:
$ apt-get install apache2

To use the premade template edit /etc/c-icap/squidclamav.conf and change the redirect line to:

redirect http://192.168.7.9/cgi-bin/clwarn.cgi

Then run:

$ cp /usr/local/libexec/squidclamav/clwarn.cgi /usr/lib/cgi-bin/clwarn.cgi

The B has 512MB of RAM and functions well for this setup provided that a small amount of swap space be created on the SD card.  This is primarily required for the ClamAv daemon which needs to load its definitions into memory. Without the swap the daemon will load into all available memory and then fail.  However, as shown in the image below a very small amount of swap is consumed under normal operation. The image shows resource usage while scanning a webpage; idle resource usage is negligible.



To add/increase available swap to the Pi edit the file /etc/dphys-swapfile to:

CONF_SWAPSIZE=512

Lower values of RAM are completely fine as >20MB is being used currently on my setup. It does need to be higher than 100MB as is the default.  The only consideration being the size of Clamav's definition database may increase over time.

Now that the clamav daemon will start correctly install it:

$ apt-get install clamav-daemon


































The end result:

No comments:

Post a Comment