Hi System: perfect set up Fedora Core 6 & IspConfig I have been using mod_security with the modsec-clamscan.pl script that comes with it, which ties the post payload scanning in to clamav. It works very well accept.... that once i try to upload a file larger than 350M it rejects it. I would like to be able to upload files up to 2GB using this method. If i disable the directive #SecUploadApproveScript /full/path/to/the/modsec-clamscan.pl which basically disables the virus scanning, I can load files up to 2GB no problem. So I guess Its the clamav part, or the script needs something adding in? Is it possible to do with mod_security and clamav? The modsec-clamscan.pl can be found here Cheers
Hi Falko Thanks for your response. I am trying to put together a file upload site similar to yousendit.com and i have a php script that provides the functionality. This uses the standard browser http. I have been experimenting with the security side of things thanks to your excellent guides and have got as far as mod_security scanning the files on upload but with this problem of it now rejecting files over 350M. So if i can get this to work on larger files, i would be almost there...I might need to get someone with more programming skills than myself involved , I realise that. thanks for any help in advance.
Hi Falko Thanks again, I can't see anything in my modsec-clamscan.pl. Which lines are causing the restriction? Cheers Tony.
Hi Falko Here is the contents of my modsec-clamscan.pl as requested. #!/usr/bin/perl # # modsec-clamscan.pl # ModSecurity for Apache (http://www.modsecurity.org) # Copyright (c) 2002-2005 Thinking Stone (http://www.thinkingstone.com) # # $Id: modsec-clamscan.pl,v 1.1.2.1 2005/12/19 20:39:51 ivanr Exp $ # # This script is an interface between mod_security and its # ability to intercept files being uploaded through the # web server, and ClamAV # by default use the command-line version of ClamAV, # which is slower but more likely to work out of the # box $CLAMSCAN = "/usr/bin/clamscan"; # using ClamAV in daemon mode is faster since the # anti-virus engine is already running, but you also # need to configure file permissions to allow ClamAV, # usually running as a user other than the one Apache # is running as, to access the files # $CLAMSCAN = "/usr/bin/clamdscan"; if (@ARGV != 1) { print "Usage: modsec-clamscan.pl <filename>\n"; exit; } my ($FILE) = @ARGV; $cmd = "$CLAMSCAN --stdout --disable-summary $FILE"; $input = `$cmd`; $input =~ m/^(.+)/; $error_message = $1; $output = "0 Unable to parse clamscan output [$1]"; if ($error_message =~ m/: Empty file\.?$/) { $output = "1 empty file"; } elsif ($error_message =~ m/: (.+) ERROR$/) { $output = "0 clamscan: $1"; } elsif ($error_message =~ m/: (.+) FOUND$/) { $output = "0 clamscan: $1"; } elsif ($error_message =~ m/: OK$/) { $output = "1 clamscan: OK"; } print "$output\n"; many thanks Tony.
Thanks again, I have looked through the "man clamscan" and have found these bits of information that may or may not help. Options: --block-max Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.Exceed- edFilesLimit) if max-files, max-space, or max-recursion is reached. --max-files=#n Extract first #n files from each archive. This option protects your system against DoS attacks (default: 500) --max-space=#n Extract first #n kilobytes from each archive. You may give the number in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 10 MB) --max-recursion=#n Set archive recursion level limit. This option protects your system against DoS attacks (default: 8). This is provided as an example (3) Load database from selected file and limit disk usage to 50 Mb: clamscan -d /tmp/newclamdb --max-space=50m -r /tmp This does look like it may provide the answer, but I am not sure how to go about it. cheers Tony
You can now modify the line Code: $cmd = "$CLAMSCAN --stdout --disable-summary $FILE"; in modsec-clamscan.pl with this information.
Hi Falko I have not had much luck with adding in the clamscan variables, it seems to cause an error when it trys to launch the script. While testing and waiting for files to upload.....I have been reading the mod security manual in more detail and I have noticed a line that says there is a hard limit of 1G for post payload scanning, which i missed before. I started testing again without scanning for viruses and mod security is indeed rejecting files over 1G. It seems i have more problems than I thought, sorry! Is it possible for mod security to only post scan up to 1G but still let pass up to 2G files, if a clever rule was written (can anyone help with that) I have read your recent howto on scanning files on upload using clamav, but you specify platforms and Federo Core 6 is not one of them. Is there a reason for that as this might be the best way to go. Thanks again Tony
Yes, that package is available only for Debian and Ubuntu. But this is a similar library that might work for you: http://trickie.org/code/phplibclamav.php If not, you can still invoke ClamAV with PHP's exec() function.
