file uploads with mod-security & clamav

Discussion in 'Technical' started by tsmaudio, Jan 23, 2007.

  1. tsmaudio

    tsmaudio Member

    Hi

    System: perfect set up Fedora Core 6 & IspConfig

    I have been using mod_security with the modsec-clamscan.pl script that comes with it, which ties the post payload scanning into clamav. It works very well except... that once I try to upload a file larger than 350M it rejects it.

    I would like to be able to upload files up to 2GB using this method.

    If i disable the directive
    #SecUploadApproveScript /full/path/to/the/modsec-clamscan.pl
    which basically disables the virus scanning, I can load files up to 2GB no problem.

    So I guess it's the clamav part, or the script needs something adding in?

    Is it possible to do with mod_security and clamav?

    The modsec-clamscan.pl can be found here

    Cheers
    :)
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Do you upload large files using http? Why don't you use ftp or scp for it?
     
  3. tsmaudio

    tsmaudio Member

    Hi Falko
    Thanks for your response.

    I am trying to put together a file upload site similar to yousendit.com and I have a PHP script that provides the functionality. This uses the standard browser HTTP. I have been experimenting with the security side of things thanks to your excellent guides and have got as far as mod_security scanning the files on upload, but with this problem of it now rejecting files over 350M.

    So if I can get this to work on larger files, I would be almost there... I might need to get someone with more programming skills than myself involved, I realise that.

    thanks for any help in advance.
     
  4. falko

    falko Super Moderator Howtoforge Staff

    Did you check the contents of modsec-clamscan.pl? It seems there is a file size restriction in it.
     
  5. tsmaudio

    tsmaudio Member

    Hi Falko
    Thanks again, I can't see anything in my modsec-clamscan.pl. Which lines are causing the restriction?

    Cheers
    Tony.
     
  6. falko

    falko Super Moderator Howtoforge Staff

    Please post the contents of that file here (if it isn't too long).
     
  7. tsmaudio

    tsmaudio Member

    Hi Falko
    Here is the contents of my modsec-clamscan.pl as requested.

    #!/usr/bin/perl
    #
    # modsec-clamscan.pl
    # ModSecurity for Apache (http://www.modsecurity.org)
    # Copyright (c) 2002-2005 Thinking Stone (http://www.thinkingstone.com)
    #
    # $Id: modsec-clamscan.pl,v 1.1.2.1 2005/12/19 20:39:51 ivanr Exp $
    #
    # This script is an interface between mod_security and its
    # ability to intercept files being uploaded through the
    # web server, and ClamAV
    use strict;
    use warnings;

    # by default use the command-line version of ClamAV,
    # which is slower but more likely to work out of the
    # box
    my $CLAMSCAN = "/usr/bin/clamscan";
    # using ClamAV in daemon mode is faster since the
    # anti-virus engine is already running, but you also
    # need to configure file permissions to allow ClamAV,
    # usually running as a user other than the one Apache
    # is running as, to access the files
    # my $CLAMSCAN = "/usr/bin/clamdscan";

    # mod_security calls this script with exactly one argument:
    # the path of the temporary file holding the upload
    if (@ARGV != 1) {
        print "Usage: modsec-clamscan.pl <filename>\n";
        exit;
    }
    my ($FILE) = @ARGV;

    # run the scanner and keep only the first line of its output
    my $cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
    my $input = `$cmd`;
    $input =~ m/^(.+)/;
    my $error_message = $1;

    # mod_security reads the first line printed by this script:
    # "1 <message>" approves the upload, "0 <message>" rejects it.
    # If the scanner output cannot be parsed, reject (fail closed).
    my $output = "0 Unable to parse clamscan output [$1]";
    if ($error_message =~ m/: Empty file\.?$/) {
        $output = "1 empty file";
    }
    elsif ($error_message =~ m/: (.+) ERROR$/) {
        $output = "0 clamscan: $1";
    }
    elsif ($error_message =~ m/: (.+) FOUND$/) {
        $output = "0 clamscan: $1";
    }
    elsif ($error_message =~ m/: OK$/) {
        $output = "1 clamscan: OK";
    }
    print "$output\n";


    many thanks
    Tony.
     
  8. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    man clamscan
    say anything about a file size restriction?
     
  9. tsmaudio

    tsmaudio Member

    Thanks again,
    I have looked through the "man clamscan" and have found these bits of information that may or may not help.

    Options:

    --block-max
    Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
    if max-files, max-space, or max-recursion is reached.

    --max-files=#n
    Extract first #n files from each archive. This option protects
    your system against DoS attacks (default: 500)

    --max-space=#n
    Extract first #n kilobytes from each archive. You may give the
    number in megabytes in format xM or xm, where x is a number.
    This option protects your system against DoS attacks (default:
    10 MB)

    --max-recursion=#n
    Set archive recursion level limit. This option protects your
    system against DoS attacks (default: 8).

    This is provided as an example:

    (3) Load database from selected file and limit disk usage to 50 Mb:
    clamscan -d /tmp/newclamdb --max-space=50m -r /tmp


    This does look like it may provide the answer, but I am not sure how to go about it.

    cheers

    Tony
     
  10. falko

    falko Super Moderator Howtoforge Staff

    You can now modify the line
    Code:
    $cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
    in modsec-clamscan.pl with this information.
     
  11. tsmaudio

    tsmaudio Member

    Hi Falko

    I have not had much luck with adding in the clamscan variables; it seems to cause an error when it tries to launch the script.

    While testing and waiting for files to upload... I have been reading the mod security manual in more detail and I have noticed a line that says there is a hard limit of 1G for post payload scanning, which I missed before. I started testing again without scanning for viruses and mod security is indeed rejecting files over 1G.

    It seems i have more problems than I thought, sorry!

    Is it possible for mod security to only post-scan up to 1G but still let files up to 2G pass, if a clever rule was written :) (can anyone help with that?)


    I have read your recent howto on scanning files on upload using clamav, but you specify platforms and Fedora Core 6 is not one of them. Is there a reason for that, as this might be the best way to go?

    Thanks again
    Tony
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Yes, that package is available only for Debian and Ubuntu.
    But this is a similar library that might work for you: http://trickie.org/code/phplibclamav.php

    If not, you can still invoke ClamAV with PHP's exec() function.
     
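    The exec() approach from the reply above, as an added example (not code from this thread, from ClamAV or from ModSecurity): the PHP upload handler scans the temporary file itself with the same clamscan flags the Perl script uses, so it is not subject to the mod_security post payload limit. It assumes clamscan at /usr/bin/clamscan, an upload form field named "upload" and a destination directory /var/uploads writable by the web server.

```php
<?php
// Added example. Assumed: clamscan binary path, that the web server
// user may read PHP's temp upload file, and a writable /var/uploads.
const CLAMSCAN   = '/usr/bin/clamscan';
const UPLOAD_DIR = '/var/uploads';

/**
 * Scan one file and return ['clean' => bool, 'message' => string].
 * clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
 * Anything that is not a clear "OK" is treated as a rejection.
 */
function scan_upload(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        return ['clean' => false, 'message' => 'file not readable'];
    }
    // escapeshellarg() keeps a hostile file name from altering the command.
    // On newer ClamAV releases the summary flag is spelled --no-summary.
    $cmd = CLAMSCAN . ' --stdout --disable-summary '
         . escapeshellarg($path) . ' 2>&1';
    exec($cmd, $lines, $rc);
    $first = $lines[0] ?? '';

    if ($rc === 0 && preg_match('/: OK$/', $first)) {
        return ['clean' => true, 'message' => 'clamscan: OK'];
    }
    if ($rc === 1 && preg_match('/: (.+) FOUND$/', $first, $m)) {
        return ['clean' => false, 'message' => 'clamscan: ' . $m[1]];
    }
    // exit code 2, unparseable output, missing binary: fail closed
    return ['clean' => false, 'message' => "clamscan error (rc=$rc): $first"];
}

// Usage in the upload handler: scan before moving the file anywhere
if (isset($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $tmp    = $_FILES['upload']['tmp_name'];
    $result = scan_upload($tmp);
    if (!$result['clean']) {
        unlink($tmp);
        http_response_code(403);
        exit('Upload rejected: ' . htmlspecialchars($result['message']));
    }
    // store under a server-generated name, never the client-supplied one
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($tmp, $dest)) {
        http_response_code(500);
        exit('Could not store upload');
    }
    echo 'Upload accepted';
}
```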
  13. tsmaudio

    tsmaudio Member

    Thanks Falko again for your help
    I will try that instead.

    Cheers
    Tony.
     