Security on vyatta6.4 (mail anti-virus)

■Security bundled with Vyatta
 snort/squid/squidGuard are bundled, but their security settings still have to be configured.
 No mail anti-virus software is included, so we build clamav+amavis+spamassassin ourselves.

■snort

$ dpkg -l | grep snort | grep ^ii | awk '{print $2}'
vyatta-snort
vyatta-snort-common
vyatta-snort-common-libraries

■squid/squidguard

$ dpkg -l | grep squid | grep ^ii | awk '{print $2}'
squid-langpack
squid3
squid3-common
squidclient
squidguard

■Installing clamav and updating the signature database
 Basically the same procedure as the following.

 Installing clamav on Squeeze. EICAR check 
 http://d.hatena.ne.jp/labunix/20120423/

 I'll walk through it briefly with commands, also covering the following three additions:

 ・Proxy settings
 ・Add a domestic (Japanese) mirror to the database mirror list
 ・Workaround for "Not loading PUA signatures."
 
$ sudo apt-get install -y clamav-daemon

$ sudo cp -pi /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf.bak
$ sudo diff /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf.bak
28,29d27
< DatabaseMirror db.jp.clamav.net
< HTTPProxyServer 192.168.213.1:3128

$ su root -c '/etc/init.d/clamav-freshclam stop && \
  freshclam && \
  /etc/init.d/clamav-freshclam start'
$ sudo tail -f /var/log/clamav/freshclam.log | awk -F'>' '{print $2}'
 --------------------------------------
 freshclam daemon 0.97.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 ClamAV update process started at Sun Jul 29 11:26:09 2012
 main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
 daily.cvd is up to date (version: 15188, sigs: 239680, f-level: 63, builder: guitar)
 bytecode.cvd is up to date (version: 188, sigs: 38, f-level: 63, builder: neo)
 --------------------------------------

$ su root -c '/etc/init.d/clamav-freshclam stop && \
  freshclam && \
  /etc/init.d/clamav-freshclam start'
ClamAV update process started at Sun Jul 29 11:37:33 2012
Connecting via 192.168.213.1:3128
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Connecting via 192.168.213.1:3128
daily.cvd is up to date (version: 15188, sigs: 239680, f-level: 63, builder: guitar)
Connecting via 192.168.213.1:3128
bytecode.cvd is up to date (version: 188, sigs: 38, f-level: 63, builder: neo)
Starting ClamAV virus database updater: freshclam.

■Checking the clamav log

$ awk -F">" '{print $2}' /var/log/clamav/clamav.log | grep Not 
Not loading PUA signatures.
$ sudo grep PUA /etc/clamav/clamd.conf
DetectPUA false
$ sudo vim /etc/clamav/clamd.conf
$ grep PUA /etc/clamav/clamd.conf
DetectPUA true
$ sudo /etc/init.d/clamav-daemon restart
$ sudo tail -f /var/log/clamav/clamav.log | awk -F">" '{print $2}' 
 +++ Started at Sun Jul 29 11:44:48 2012
 clamd daemon 0.97.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 Log file size limited to -1 bytes.
 Reading databases from /var/lib/clamav
 Bytecode: Security mode set to "TrustSigned".
 Loaded 1284043 signatures.
 LOCAL: Unix socket file /var/run/clamav/clamd.ctl
 LOCAL: Setting connection queue length to 15
 Limits: Global size limit set to 104857600 bytes.
 Limits: File size limit set to 26214400 bytes.
 Limits: Recursion level limit set to 16.
 Limits: Files limit set to 10000.
 Archive support enabled.
 Algorithmic detection enabled.
 Portable Executable support enabled.
 ELF support enabled.
 Mail files support enabled.
 OLE2 support enabled.
 PDF support enabled.
 HTML support enabled.
 Self checking every 3600 seconds.

■Installing amavisd-new/spamassassin
 ※"Permission denied" did not appear here, so no workaround was applied either.

$ dpkg -l | grep amavis || apt-cache search amavisd-new
amavisd-new - Interface between MTA and virus scanner/content filters
horde-sam - spam module for Horde Framework
spampd - spamassassin based SMTP/LMTP proxy daemon

 Integrating clamav with postfix on squeeze (amavis) 
 http://d.hatena.ne.jp/labunix/20120430/

 Adding "X-Spam" headers with spamassassin
 http://d.hatena.ne.jp/labunix/20120501/

 Workaround (provisional) when clamav reports Permission denied
 http://d.hatena.ne.jp/labunix/20120511/

$ sudo apt-get install -y spamassassin amavisd-new
$ id amavis;id clamav
uid=114(amavis) gid=120(amavis) 所属グループ=120(amavis)
uid=113(clamav) gid=119(clamav) 所属グループ=119(clamav)
$ sudo adduser clamav amavis
$  id clamav
uid=113(clamav) gid=119(clamav) 所属グループ=119(clamav),120(amavis)

$ sudo /etc/init.d/amavis start
Starting amavisd:   The value of variable $myhostname is "vyatta64", but should have been
  a fully qualified domain name; perhaps uname(3) did not provide such.
  You must explicitly assign a FQDN of this host to variable $myhostname
  in /etc/amavis/conf.d/05-node_id, or fix what uname(3) provides as a host's
  network name!
(failed).

■As expected, "hostname -f" matters.

$ grep "#vyatta" /etc/hosts
127.0.1.1        vyatta64.linux.in      vyatta64         #vyatta entry
$ hostname -f
vyatta64.linux.in
$ sudo cp /etc/hosts /var/spool/postfix/etc/hosts
$ sudo /etc/init.d/amavis start
Starting amavisd: amavisd-new.
$ sudo /etc/init.d/postfix restart
$ netstat -an | grep 1002[45]
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN

■Edits to "main.cf"

$ sudo postconf -d | grep "^soft_bounce"
soft_bounce = no
$  sudo postconf -e "soft_bounce = yes"
$ sudo postconf -h "soft_bounce"
yes

■Edits to "master.cf" (added part)

$ tail -30 /etc/postfix/master.cf
amavisfeed unix    -       -       n        -      2     lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o lmtp_tls_note_starttls_offer=no
amavisfeed unix    -       -       n       -       2     smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n    -       n       -       -     smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=

$ sudo /etc/init.d/amavis restart
$ sudo postfix check && sudo /etc/init.d/postfix restart

$ sudo netstat -an --program | grep "1002[45]"
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      17023/amavisd (mast
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      17356/master
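The two entries above are the part of this setup that is easiest to get subtly wrong: if the 127.0.0.1:10025 re-injection listener does not override content_filter with an empty value, mail coming back from amavis is handed to amavis again (a mail loop), and if it is not restricted to localhost it accepts mail from any client that can reach it. The POSIX shell functions below are an added example, not code from the original post: they parse a master.cf into service entries and check those points. The sample master.cf they run against is constructed from the snippet above; a "nofilter" variant reproduces the looping misconfiguration. Service and option names are the real Postfix ones, but the checks are approximations and complement, not replace, "postfix check".

```shell
#!/bin/sh
# Added example, not part of the original post: static sanity checks over a
# Postfix master.cf for the amavisd-new integration. Service/option names are
# Postfix's own; the sample file is constructed from the page's snippet.

# Print the lines of one master.cf service entry. A service starts with a
# non-blank, non-comment line in column 0; indented lines belong to it.
master_cf_service() {            # usage: master_cf_service <file> <service-name>
  awk -v svc="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[^ \t]/                { inside = ($1 == svc) }
    inside                   { print }
  ' "$1"
}

# The re-injection listener must clear content_filter; otherwise mail coming
# back from amavis on port 10025 is handed to amavis again (a mail loop).
reinjection_has_no_loop() {      # usage: reinjection_has_no_loop <file>
  master_cf_service "$1" 127.0.0.1:10025 |
    grep -q -- '-o[[:space:]]*content_filter=[[:space:]]*$'
}

# The re-injection listener must only accept connections from localhost.
reinjection_is_local_only() {    # usage: reinjection_is_local_only <file>
  entry=$(master_cf_service "$1" 127.0.0.1:10025)
  printf '%s\n' "$entry" | grep -q -- '-o[[:space:]]*mynetworks=127\.0\.0\.0/8[[:space:]]*$' &&
  printf '%s\n' "$entry" | grep -q -- '-o[[:space:]]*smtpd_client_restrictions=permit_mynetworks,reject[[:space:]]*$'
}

# The amavisfeed transport named in content_filter must exist as lmtp or smtp.
amavisfeed_defined() {           # usage: amavisfeed_defined <file>
  master_cf_service "$1" amavisfeed |
    grep -q -E '^amavisfeed[[:space:]].*[[:space:]](lmtp|smtp)[[:space:]]*$'
}

# Constructed sample master.cf. With "nofilter" the content_filter override
# is left out, reproducing the looping misconfiguration.
sample_master_cf() {             # usage: sample_master_cf [nofilter]
  cat <<'EOF'
# main SMTP service (mail from the network goes through content_filter)
smtp      inet  n       -       -       -       -       smtpd
amavisfeed unix    -       -       n       -       2     lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n    -       n       -       -     smtpd
EOF
  [ "$1" = nofilter ] || echo '  -o content_filter='
  cat <<'EOF'
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
EOF
}

# Run all checks against one file, print a line per check, return 1 on any failure.
check_master_cf() {              # usage: check_master_cf <file>
  rc=0
  reinjection_has_no_loop "$1"   && echo "ok: 10025 clears content_filter"   || { echo "FAIL: 10025 keeps content_filter (mail loop)"; rc=1; }
  reinjection_is_local_only "$1" && echo "ok: 10025 is localhost-only"       || { echo "FAIL: 10025 not restricted to localhost"; rc=1; }
  amavisfeed_defined "$1"        && echo "ok: amavisfeed transport present"  || { echo "FAIL: amavisfeed transport missing"; rc=1; }
  return $rc
}
```

To run it against the live file: `check_master_cf /etc/postfix/master.cf`. The entry parser only relies on Postfix's own rule that continuation lines of a service are indented, which is the same rule the "-o" lines above follow.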

■postfix/amavis integration

$ sudo postconf -d | grep content_filter
content_filter =
$ sudo postconf -e "content_filter=amavisfeed:[127.0.0.1]:10024"
$ sudo postconf -h content_filter
amavisfeed:[127.0.0.1]:10024
$ sudo postfix check && sudo /etc/init.d/postfix restart

■Enabling access control for the checks

$ grep -A 1 "^@bypass" /etc/amavis/conf.d/15-content_filter_mode
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
--
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

■Enabling spamassassin

$ sudo grep ENABLE  /etc/default/spamassassin
ENABLED=1

■Checking via procmail for now

$ sudo apt-get install -y procmail
$ sudo dpkg-reconfigure postfix
$ cat /etc/procmailrc
LOGFILE=$HOME/.procmail.log
LOCKFILE=$HOME/.procmail.lock
MAILDIR=$HOME/

# If there is no X-Spam header, hand the message to spamassassin
:0fw
*!^X-Spam.*
|spamassassin

# If X-Spam-Status is Yes, move the message to $MAILDIR/.spam/
:0
* ^X-Spam-Status: Yes
$MAILDIR/.spam/

■Updating spamassassin

$ sudo /etc/init.d/spamassassin start
$ sudo sa-update -D 2>&1 | tail -3
 729 12:57:03.612 [18586] dbg: generic: unlinking 20_uri_tests.cf
 729 12:57:03.612 [18586] dbg: generic: unlinking 25_asn.cf
 729 12:57:03.612 [18586] dbg: diag: updates complete, exiting with code 0

■Restarting the related daemons

$ sudo /etc/init.d/spamassassin restart
$ sudo /etc/init.d/clamav-daemon restart
$ sudo /etc/init.d/amavis restart
$ sudo /etc/init.d/postfix restart

■Mail sending test

$ echo "test" | mail -s "test mail" labunix@vyatta64.labunix.in
$ mail
>N  1 labunix@vyatta64.  Sun Jul 29 13:03   26/1134  test mail
Message 1:
From labunix@vyatta64.labunix.in  Sun Jul 29 13:03:17 2012
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on vyatta64.linux.in
X-Spam-Level:
X-Spam-Status: No, score=0.2 required=5.0 tests=ALL_TRUSTED,DKIM_ADSP_NXDOMAIN,
        NO_DNS_FOR_FROM autolearn=no version=3.3.1
X-Original-To: labunix@vyatta64.labunix.in
X-Virus-Scanned: Debian amavisd-new at vyatta64.labunix.in
To: labunix@vyatta64.labunix.in
Subject: test mail
Date: Sun, 29 Jul 2012 13:03:17 +0000 (GMT)
From: labunix@vyatta64.labunix.in

test
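The headers in the test mail above are the only evidence that a message really passed through amavis (X-Virus-Scanned) and SpamAssassin (X-Spam-Status). Note that the tests= list wraps onto a continuation line, so a naive grep on one line misses part of it. The POSIX shell functions below are an added example that is not part of the original post: they unfold the header block, extract score/required/tests from X-Spam-Status, and apply the same "X-Spam-Status: Yes" decision the procmail recipe uses. Both messages are constructed: the first mirrors the test mail above, the second is an invented message marked as spam with made-up rule names.

```shell
#!/bin/sh
# Added example, not part of the original post: read the headers that
# amavisd-new and SpamAssassin add to a delivered message. Both sample
# messages are constructed (the second one is invented, as is its score).

sample_message() {
  cat <<'EOF'
From labunix@vyatta64.labunix.in  Sun Jul 29 13:03:17 2012
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on vyatta64.linux.in
X-Spam-Level:
X-Spam-Status: No, score=0.2 required=5.0 tests=ALL_TRUSTED,DKIM_ADSP_NXDOMAIN,
        NO_DNS_FOR_FROM autolearn=no version=3.3.1
X-Original-To: labunix@vyatta64.labunix.in
X-Virus-Scanned: Debian amavisd-new at vyatta64.labunix.in
To: labunix@vyatta64.labunix.in
Subject: test mail
Date: Sun, 29 Jul 2012 13:03:17 +0000 (GMT)
From: labunix@vyatta64.labunix.in

test
EOF
}

sample_spam_message() {   # constructed; score and rule names are made up
  cat <<'EOF'
X-Spam-Status: Yes, score=12.3 required=5.0 tests=EXAMPLE_RULE_A,
        EXAMPLE_RULE_B autolearn=no version=3.3.1
X-Virus-Scanned: Debian amavisd-new at vyatta64.labunix.in
Subject: constructed spam sample

body
EOF
}

# Print the header block with folded continuation lines joined
# (RFC 5322: a line starting with whitespace continues the previous field).
unfold_headers() {
  awk '
    /^$/     { exit }                                   # blank line ends the headers
    /^[ \t]/ { sub(/^[ \t]+/, " "); h = h $0; next }    # continuation line
             { if (h != "") print h; h = $0 }
    END      { if (h != "") print h }
  '
}

# Value of one header field, matched case-insensitively. Lines without a
# colon (the mbox "From " separator) are skipped.
header_value() {          # usage: header_value <field-name>   (message on stdin)
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  unfold_headers | awk -v n="$name" '
    { i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) == n) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }
  '
}

# Pieces of X-Spam-Status. The tests= list may span a fold, so it is cut at
# the following "autolearn=" token (part of SpamAssassin's default header
# template) and the spaces introduced by unfolding are removed.
spam_score()    { header_value X-Spam-Status | sed -n 's/.*score=\([-0-9.]*\).*/\1/p'; }
spam_required() { header_value X-Spam-Status | sed -n 's/.*required=\([0-9.]*\).*/\1/p'; }
spam_tests()    { header_value X-Spam-Status | sed -n 's/.*tests=\(.*\) autolearn=.*/\1/p' | tr -d ' '; }

# Same decision as the procmail recipe: only "X-Spam-Status: Yes" is spam.
is_spam() {
  case "$(header_value X-Spam-Status)" in
    Yes|Yes,*) return 0 ;;
    *)         return 1 ;;
  esac
}

# True when amavisd-new's X-Virus-Scanned header is present, i.e. the message
# went through the content_filter path rather than around it.
was_virus_scanned() { [ -n "$(header_value X-Virus-Scanned)" ]; }

# usage: sample_message | spam_score    (prints 0.2 for the constructed message)
```

Run it on a real mailbox message with `spam_score < /path/to/message`; because `header_value` reads stdin, the same functions work on piped `mail` output or on files saved by procmail.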