Building an Intranet Linux Antivirus System
ClamAV was originally developed as the antivirus engine for the Postfix mail gateway, with the main purpose of scanning the messages in the mail queue for viruses. The antivirus module was later split out into a standalone open-source program that detects viruses, malware and worms, and it has become the main choice for file security on Linux.
Deploying ClamAV
- Add the EPEL repository

```shell
# ClamAV's RHEL/CentOS packages are published through EPEL
yum clean all
yum makecache
yum install -y git python3-pip
yum install -y epel-release
# Switch EPEL to the Huawei Cloud mirror
sed -i "s/#baseurl/baseurl/g" /etc/yum.repos.d/epel.repo
sed -i "s/metalink/#metalink/g" /etc/yum.repos.d/epel.repo
sed -i "s@https\?://download.example/pub@https://repo.huaweicloud.com@g" /etc/yum.repos.d/epel.repo
yum makecache
yum upgrade -y
```

- Install ClamAV

```shell
yum install -y clamav clamav-update clamd
```

- Enable the services

```shell
# Reload the unit list
systemctl daemon-reload
# Enable automatic signature updates; the default update interval is once a month
systemctl enable clamav-freshclam.service
# Enable the scanning daemon
systemctl enable clamd@scan.service
```
Building an Internal Signature Database Mirror
- Deploy cvdupdate

```shell
# Install Nginx
# Use /var/www as the site root
yum install -y nginx
mkdir -p /var/www
chown nginx:nginx /var/www
# cvdupdate is a ClamAV signature-database mirroring tool developed by Cisco (yes, that Cisco)
pip3 install cvdupdate
# Set the database storage location
cvd config set --dbdir /var/www
# Replace the official source with the Amazon S3 mirror
sed -i "s@https://database.clamav.net@https://pivotal-clamav-mirror.s3.amazonaws.com@g" ~/.cvdupdate/config.json
cvd update
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO main.cvd is up-to-date. Version: 59
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO daily.cvd is up-to-date. Version: 26225
2021-07-09 17:28:06 cvdupdate-1.0.2 INFO bytecode.cvd is up-to-date. Version: 333
```
Configuring ClamAV
- Add the internal update source

```shell
# https is the default; to use http, write the URL out as http://xxx.yyy.zzz, otherwise no scheme is needed
sed -i "s@database.clamav.net@http://192.168.248.150/clamav@g" /etc/freshclam.conf
[root@elasticnode1 ~]# freshclam
ClamAV update process started at Fri Jul 9 18:29:37 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.2 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for download (remote version: 26225)
Time: 0.5s, ETA: 0.0s [========================>] 102.43MiB/102.43MiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-4cfdfa4231c3496ffee7793166ed2602.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 0.5s, ETA: 0.0s [========================>] 112.40MiB/112.40MiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-cf8d5312f458ec6b897d0fbb3af11892.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time: 0.0s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Testing database: '/var/lib/clamav/tmp.b9aed6d81b/clamav-e205410803d9f55beb3855e58f5ec7d2.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
# Start the update service
systemctl start clamav-freshclam.service
```

- Configure the ClamAV daemon

```shell
# Create the log file
touch /var/log/clamd.scan
# Edit the clamd configuration
sed -i 's/#LogFile \/var/LogFile \/var/g' /etc/clamd.d/scan.conf
sed -i 's/#LocalSocket \/run/LocalSocket \/run/g' /etc/clamd.d/scan.conf
sed -i 's/#LocalSocketMode/LocalSocketMode/g' /etc/clamd.d/scan.conf
# Start the daemon
systemctl start clamd@scan.service
```

- Functional test

```shell
# Download the EICAR test file
wget http://www.eicar.org/download/eicar.com
# Manual scan and removal
clamscan --infected --remove --recursive .
# Result
/root/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/eicar.com: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 8543862
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 9
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 17.424 sec (0 m 17 s)
Start Date: 2021:07:09 18:45:02
End Date:   2021:07:09 18:45:19
```
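Once freshclam points at the internal mirror, a stale or broken mirror silently leaves every agent behind, so it is worth checking it from an agent. The script below is an added example, not part of the original post: it reads the 512-byte header of each CVD file on the mirror with an HTTP range request and confirms the mirror is at least as new as the databases already in the local directory. It assumes the mirror base URL and the local database directory are passed as arguments; the IP address is the one used in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that the internal mirror
# serves parseable CVD files that are at least as new as the local databases.
# Assumed interface: mirror base URL and local dbdir are passed as arguments.
set -eu

# Every .cvd/.cld starts with a 512-byte header of colon-separated fields:
# ClamAV-VDB:<date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
cvd_field() {  # args: file field-number
    [ -r "$1" ] || return 1
    head -c 512 "$1" | tr -d '\0' | cut -d: -f"$2" | tr -d ' '
}

cvd_version() {
    local v
    v=$(cvd_field "$1" 3) || return 1
    case "$v" in ''|*[!0-9]*) echo "$1: not a CVD header" >&2; return 1 ;; esac
    printf '%s\n' "$v"
}
cvd_sigs() { cvd_field "$1" 4; }

# Succeeds when the mirror copy is at least as new as the local copy.
mirror_not_stale() {  # args: mirror_file local_file
    local m l
    m=$(cvd_version "$1") || return 2
    l=$(cvd_version "$2") || return 2
    [ "$m" -ge "$l" ]
}

# Pull only the header with an HTTP range request instead of the whole 100 MiB file.
fetch_header() {  # args: url outfile
    curl -fsS -r 0-511 -o "$2" "$1"
}

# Compare each database on the mirror with the local one. freshclam may have
# turned a local .cvd into a .cld after incremental updates, so try both names.
check_mirror() {  # args: mirror_base_url local_dbdir
    local db loc tmp rc=0
    tmp=$(mktemp -d)
    for db in main.cvd daily.cvd bytecode.cvd; do
        loc="$2/$db"; [ -f "$loc" ] || loc="$2/${db%.cvd}.cld"
        if ! fetch_header "$1/$db" "$tmp/$db"; then echo "$db: mirror fetch failed"; rc=1; continue; fi
        if mirror_not_stale "$tmp/$db" "$loc"; then
            echo "$db: mirror $(cvd_version "$tmp/$db") ($(cvd_sigs "$tmp/$db") sigs), local $(cvd_version "$loc"): OK"
        else echo "$db: mirror older than local, or header unreadable"; rc=1; fi
    done
    rm -rf "$tmp"; return "$rc"
}
# Usage: check_mirror http://192.168.248.150/clamav /var/lib/clamav
```

A non-zero exit from check_mirror is a good trigger for a monitoring alert, since it means agents polling this mirror will stop receiving new signatures.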
Integrating with Wazuh
Installing the Wazuh Agent
Wazuh ships with ClamAV rules and decoders out of the box, so installing wazuh-agent is all that is required.
Displaying in Kibana
All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.