How do I configure cxs to scan and quarantine suspicious files on ftp upload?

To follow these instructions, you should be comfortable logging in over SSH as root and running Linux commands. Your server must be running pure-ftpd; cxs does not work with ProFTPD.

1. Create your quarantine directory if you have not already done so. For example, create a directory called /home/quarantine/. Make sure to chmod it 1777.

mkdir /home/quarantine/
chmod 1777 /home/quarantine/

Note that your quarantine directory must be in a location with world write access. So for example, do not put it in a location that only root can read, like the /root/ directory. You could put it somewhere in /var/ or /usr/, if you don't want it in /home/.

2. Edit the file /etc/pure-ftpd.conf and uncomment the line that reads:

# CallUploadScript yes

so it looks like this:

CallUploadScript yes

3. Restart the pure-uploadscript daemon:

/etc/init.d/pure-uploadscript restart

4. Edit the file /etc/cxs/cxsftp.sh and modify the command line to suit your requirements. For example, to use the default cxs scan options and quarantine any suspicious files, if your quarantine directory is in /home/quarantine/, your command line in cxsftp.sh might look like this:

/usr/sbin/cxs --quiet --ftp --mail root \
        --quarantine /home/quarantine/ "$1"

(Note: The backslash (\) allows you to split a long command line onto two lines.)

If you want to only scan ftp uploads with specific scan options you can add --options. For example, this command line would scan for and quarantine regex pattern match, fingerprint match, suspicious files, suspected exploit files, Linux executables, and Windows executables:

/usr/sbin/cxs --quiet --ftp --options mMfhex --mail root \
        --quarantine /home/quarantine/ "$1"

Make sure that the email address set up as the root forwarder is a working and monitored email address, so you will receive the cxs alert emails.

Make sure that you have only one uncommented cxs command line in your cxsftp.sh file.
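
To confirm steps 1, 2 and 4 before relying on the scanner, the checks below can be run as root. This is an added example, not part of the original article or of cxs: the function names are made up for illustration, and the default paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: sanity checks for the setup described in this article.
# Function names are illustrative; default paths are the article's.

# Step 1: directory exists and is mode 1777 (world-writable, sticky bit).
check_quarantine_dir() {
    [ -d "$1" ] && [ "$(ls -ldL "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Step 2: an uncommented "CallUploadScript yes" line is present.
check_upload_script_enabled() {
    grep -Eq '^[[:space:]]*CallUploadScript[[:space:]]+yes[[:space:]]*$' "$1"
}

# Step 4: print how many uncommented lines start with a path ending in cxs.
# Backslash continuation lines do not start with that path, so they are
# not counted as separate commands.
count_cxs_commands() {
    grep -Ec '^[[:space:]]*[^#[:space:]]*cxs[[:space:]]' "$1" 2>/dev/null || true
}

# Runs all three checks, reports each failure, returns non-zero on any.
verify_cxs_ftp_setup() {
    qdir=${1:-/home/quarantine/}
    conf=${2:-/etc/pure-ftpd.conf}
    script=${3:-/etc/cxs/cxsftp.sh}
    rc=0
    check_quarantine_dir "$qdir" ||
        { echo "FAIL: $qdir is not a directory with mode 1777"; rc=1; }
    check_upload_script_enabled "$conf" ||
        { echo "FAIL: CallUploadScript is not enabled in $conf"; rc=1; }
    n=$(count_cxs_commands "$script")
    [ "$n" = "1" ] ||
        { echo "FAIL: expected 1 active cxs command in $script, found ${n:-none}"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: upload scanning is configured as described"
    return "$rc"
}

# Save as a file and run it with the argument --check to test the live paths.
if [ "${1:-}" = "--check" ]; then
    verify_cxs_ftp_setup
fi
```

A failure on the last check usually means a second cxs line was left uncommented in cxsftp.sh, or that every cxs line is still commented out.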

