How do I configure cxs to scan and quarantine suspicious files on ftp upload? Print

  • 0

You should be comfortable logging into ssh as root and running Linux commands to follow these instructions. You must be using pure-ftpd on your server. Cxs does not work with pro-ftpd.

1. Create your quarantine directory if you have not already done so. For example, create a directory called /home/quarantine/. Make sure to chmod it 1777.

mkdir /home/quarantine/
chmod 1777 /home/quarantine/

Note that your quarantine directory must be in a location with world write access. So for example, do not put it in a location that only root can read, like the /root/ directory. You could put it somewhere in /var/ or /usr/, if you don't want it in /home/.

2. Edit the file /etc/pure-ftpd.conf and uncomment the line that reads:

# CallUploadScript yes

so it looks like this:

CallUploadScript yes

3. Restart the pure-uploadscript daemon:

/etc/init.d/pure-uploadscript restart

4. Edit the file /etc/cxs/cxsftp.sh and modify the command line to suit your requirements. For example, to use the default cxs scan options and quarantine any suspicious files, if your quarantine directory is in /home/quarantine/, your command line in cxsftp.sh might look like this:

/usr/sbin/cxs --quiet --ftp --mail root \
        --quarantine /home/quarantine/ "$1"

(Note: The backslash (\) allows you to split a long command line onto two lines.)

If you want to only scan ftp uploads with specific scan options you can add --options. For example, this command line would scan for and quarantine regex pattern match, fingerprint match, suspicious files, suspected exploit files, Linux executables, and Windows executables:

/usr/sbin/cxs --quiet --ftp --options mMfhex --mail root \
        --quarantine /home/quarantine/ "$1"

Make sure that the email address set up as the root forwarder is a working and monitored email address, so you will receive the cxs alert emails.

Make sure that you have only one uncommented cxs command line in your cxsftp.sh file.


¿Fue útil la respuesta?
Back