[SOLVED] ClamAV scanning for Proxy - Having trouble getting working

[kyferez]

I've been hitting my head against a wall on trying to implement ICAP for AV scanning...

Here's the Howto I wrote after getting this all working: http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/

Been reading through a few guides... but it's a little confusing and some parts of the guides out there haven't worked so have gotten stuck.

Anyway, my end goad is to use CentOS 7 x64 for the ICAP/ClamAV system, and leave SQUID on OPNsense. Problem is most all the guides I've found talk about having SQUID with CLAM on the same box. Not sure how that will work with Squid on OPNsense... Also most of the guides have stuff that doesn't work and some I can figure out and fix some I haven't been able to yet. Would really like to get this working. I'll do a full write-up if we get it working, start to finish configuring the Proxy and AV system.

This guide seems to have gotten CLAM working ok: https://www.server-world.info/en/note?os=CentOS_7&p=clamav
This guide talks about setting up squidclamav but I'm not sure if I need to do that???: https://www.server-world.info/en/note?os=CentOS_7&p=squid&f=5

Here's a guide for setting up C-ICAP server, but I got stuck at the clamav service failing with an error that is not helpful. http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html

Anyway, anyone got this AV scanning fully working that would be willing to help me along with the above guides and what I need to follow to make this work? And then what do I need to do in OPNsense?

Thanks!

[fabian]

You are probably having an issue with your CentOS 7 firewall. You need to open the port (probably 1344). On CentOS 7, the tool is called firewallctl.

Kind regards

Fabian

[kyferez]

Thanks, but that's not it, I have the firewall disabled for testing. Also, I haven't gotten to that part. I can't get the c-icap service from the guide http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html to start.

I get this error:

Code: [Select]

[root@dev tgadmin]# /etc/rc.d/init.d/c-icap start
Starting c-icap (via systemctl):  Job for c-icap.service failed because the control process exited with error code. See "systemctl status c-icap.service" and "journalctl -xe" for details.
                                                           [FAILED]
[root@dev tgadmin]# systemctl status c-icap.service
● c-icap.service - SYSV: c-icap is an implementation of an ICAP server.
   Loaded: loaded (/etc/rc.d/init.d/c-icap; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2017-03-06 09:54:59 EST; 8s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 18897 ExecStart=/etc/rc.d/init.d/c-icap start (code=exited, status=203/EXEC)

Mar 06 09:54:59 dev.tg.local systemd[1]: Starting SYSV: c-icap is an implementation of an ICAP server....
Mar 06 09:54:59 dev.tg.local systemd[1]: c-icap.service: control process exited, code=exited status=203
Mar 06 09:54:59 dev.tg.local systemd[1]: Failed to start SYSV: c-icap is an implementation of an ICAP server..
Mar 06 09:54:59 dev.tg.local systemd[1]: Unit c-icap.service entered failed state.
Mar 06 09:54:59 dev.tg.local systemd[1]: c-icap.service failed.

Also, even if I was able to get that guide to fully work, I don't yet know what to do to configure OPNsense to send data to it to get it to scan nor how to verify it's actually scanning and working (though I assume I could download a link to a test virus).

So my questions are:
1) Any idea on my error above?

2) In this guide that talks about setting up squidclamav, do I need to do that since squid is on OPNsesnse?: https://www.server-world.info/en/note?os=CentOS_7&p=squid&f=5

3) How do I configure OPNsense to talk to the AV scanner using ICAP?

[fabian]

First of all: Don't use /etc/init.d on CentOS 7 - you are working on a systemd distribution.
Services are managed via the systemctl command.

1. no, there is no error message. You can debug the output by running "c-icap -N" or "c-icap -N -d 9" on the command line. It should give an error message. Also a log like /var/log/c-icap can help.

2. yes. This is the (old) name of the antivirus module of c-icap. This module has nothing to do with squid except that squid is a possible client for this module.

3.
go to Proxy settings -> Forward Proxy -> ICAP Settings
and enter the two URLs of your service.

[kyferez]

Thank you, I am much further now. However, still some issues. Here's the OPNsense Proxy log, perhaps I just have the URLs wrong...? I wasn't real clear on what they should be...

I used these URLs:
Request Modify URL - cap://192.168.1.226:1344/squidclamav
Response Modify URL - icap://192.168.1.226:1344/squidclamav

I have now used just these two guides and deleted the rc.d/init/d/c-icap file from the other guide:
https://www.server-world.info/en/note?os=CentOS_7&p=clamav
https://www.server-world.info/en/note?os=CentOS_7&p=squid&f=5

Logs from OPNsense Proxy:

Code: [Select]

2017/03/07 11:57:04 kid1| suspending ICAP service for too many failures
2017/03/07 11:56:14 kid1| essential ICAP service is down after an options fetch failure: cap://192.168.1.226:1344/squidclamav [down,!valid]
2017/03/07 11:56:14 kid1| WARNING: Squid got an invalid ICAP OPTIONS response from service cap://192.168.1.226:1344/squidclamav; error: unsupported status code of OPTIONS response
c-icap and clamd@scan are running:

Code: [Select]

[root@dev log]# systemctl status c-icap
● c-icap.service - c-icap service
   Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-03-07 12:17:14 EST; 4min 20s ago
  Process: 22796 ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf (code=exited, status=0/SUCCESS)
 Main PID: 22797 (c-icap)
   CGroup: /system.slice/c-icap.service
           ├─22797 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─22798 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─22799 /usr/local/bin/c-icap -f /etc/c-icap.conf
           └─22800 /usr/local/bin/c-icap -f /etc/c-icap.conf

Mar 07 12:17:14 dev.tg.local systemd[1]: Starting c-icap service...
Mar 07 12:17:14 dev.tg.local systemd[1]: Started c-icap service.
[root@dev log]# systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-03-03 23:58:39 EST; 3 days ago
 Main PID: 9736 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─9736 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Mar 07 12:18:01 dev.tg.local clamd[9736]: SelfCheck: Database status OK.
Mar 07 12:18:01 dev.tg.local clamd[9736]: SelfCheck: Database status OK.
[root@dev log]#

icap is listening:

Code: [Select]

[root@dev log]# netstat -tal
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:icap            0.0.0.0:*               LISTEN

192.168.1.226 is my IP:

Code: [Select]

[root@dev log]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.226  netmask 255.255.255.0  broadcast 192.168.1.255

Thanks!

[kyferez]

So I did a trace. We see the server doesn't like the request and sends a 400... See images.

[fabian]

can you try "c-icap-client -s squidclamav -f eicar.com" from the host running c-icap?

Bad request sounds like an error inside your ICAP server because the request looks ok.

Is the module correctly lodad?

[kyferez]

Looks like you are onto something:

Code: [Select]

[root@dev tgadmin]# c-icap-client -s squidclamav -f eicar.com
Error connecting to host  '::a00:0:540:0%22032468': Invalid argument
Failed to connect to icap server.....

I get the same error if I just run "c-icap-client"

How do I check if the module is loaded successfully?

Thanks!

[fabian]

Code: [Select]

[root@dev tgadmin]# c-icap-client -s squidclamav -f eicar.com
Error connecting to host  '::a00:0:540:0%22032468': Invalid argument
Failed to connect to icap server.....


Your server is using a very strange address (not an IPv4 nor a valid IPv6 address (contains a % character)) - try  the option -i 127.0.0.1for testing purposes. Please note also that eicar.com ist the eicar antivirus test file (must exist).

[kyferez]

That gave much better results

Code: [Select]

[root@dev tgadmin]# c-icap-client -s squidclamav -f eicar.com -i 127.0.0.1
ICAP server:127.0.0.1, ip:127.0.0.1, port:1344

also

Code: [Select]

[root@dev tgadmin]# c-icap-client -i 127.0.0.1
ICAP server:127.0.0.1, ip:127.0.0.1, port:1344

OPTIONS:
        Allow 204: Yes
        Preview: 1024
        Keep alive: Yes

ICAP HEADERS:
        ICAP/1.0 200 OK
        Methods: RESPMOD, REQMOD
        Service: C-ICAP/0.4.2 server - Echo demo service
        ISTag: CI0001-XXXXXXXXX
        Transfer-Preview: *
        Options-TTL: 3600
        Date: Tue, 07 Mar 2017 21:16:43 GMT
        Preview: 1024
        Allow: 204
        X-Include: X-Authenticated-User, X-Authenticated-Groups
        Encapsulated: null-body=0
So it's detecting a weird address. How do I fix that? ifconfig shows proper IPv4 address on the server, I put that in an earlier post. And is that a server problem or a problem with the client program detecting the IP wrong?

[fabian]

Looks like your ICAP server is at least doing something.
Can you try icap://your-ip:1344/echo on your proxy?

[kyferez]

I assume you mean in OPNsense? That made no difference.

I then tried changing this in OPNsense:
Request Modify URL - cap://192.168.1.226:1344/squidclamav
Response Modify URL - icap://192.168.1.226:1344/squidclamav

To this (note the i added to the request URL icap):
Request Modify URL - icap://192.168.1.226:1344/squidclamav
Response Modify URL - icap://192.168.1.226:1344/squidclamav

And no more errors... Think I missed a character when copying and pasting the URL 

Just tested and YEAA!!! it is working!   

Thanks you Fabian!!! Complete how-to will be on the way.

Here's the Howto: http://www.tcptechs.com/opnsense-transparent-caching-filtering-proxy-with-virus-scanning/

EDIT: Updated the HowTo with a bug fix and 10th step.

[cwynd]

@kyferez thanks for a really good and detailed howto!

Just one suggestion: in your step 3.18:

Once the proxy is working, if you want to block anyone not using the proxy, then add a new firewall rule below the one you created earlier. This rule should be Deny traffic, Source: Interface net, Destination Address: ANY, Dst Port: 80. ...

Suggest to change 'Destination Address: ANY' to Destination Address: !This Firewall for this and the corresponding port 443 rule

I just locked myself out of the webgui when I was fiddling with icap server memory and couldn't get the c-icap service to start. The above change ensures that OPNsense does not try forward http(s) requests pointed exactly at OPNsense itself to c-icap. I had to get c-icap running again and responding before I could get into the OPNsense webgui.