LinuxQuestions.org
Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-20-2006, 05:50 AM   #1
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Rep: Reputation: 0
Gateway Antivirus Scanning


Running Debian Etch with 3 nics installed and am trying to setup a gateway appliance for windows active directory network. I have in in a test environment now with a windows xp sp2 laptop as client. The debian box is issuing ip addresses correctly and the xp laptop can access the internet. I have shorewall installed and configured for firewall purposes. Bind running for DNS purposes. Installed squid and played around with it for a while but decided to remove. Will probably at some point put email and web server on this debian box. I have search everywhere trying to find an antivirus software program that will scan for virus/spyware/etc at the gateway eth0 and stop these from filtering into the network and onto the windows side. I have installed a copy of Pandasoftware's commandlinesecure and am running in resident mode, but it does not detect/clean/delete the eicar test viruses. I can manually run the ./pavcl command to scan the downloads folder and it finds it. Anyway, has anybody had any luck with this type of install? I know there are appliances you can purchase that will do this and are running some disto of linux. And the cost of the appliance does not scare me, it's the annual fees that are causing me to try and "build" my own. Any help on software/solutions for gateway scanning this way would be great.
 
Old 11-20-2006, 02:31 PM   #2
Tortanick
Member
 
Registered: Jul 2006
Distribution: Debian Testing
Posts: 299

Rep: Reputation: 30
IPcop http://www.ipcop.org/ is a dedicated firewall distro; it does pretty much everything you want out of the box except anti-virus, but the copfilter http://copfilter.org/ plugin will do that. I don't know much about setting it up though.

Also you can't easily run a web or email server, but running one of those on your firewall is just asking for trouble.
 
Old 11-20-2006, 04:01 PM   #3
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
I've tried IPCOP w/copfilter a few installs ago. I have deleted and installed so many different distros on this computer; not sure why I did not go with IPCOP anymore.

I have just contacted Panda Technical support and found that the commandlinesecure product is a file/folder scanner only. It does not do packet scanning. They told me to use DesktopSecure for Linux. So, I'm in the process of downloading and installing this product. Not sure if it's available as a free download or not; since I'm already a corporate client I can download it. Commandlinesecure is a free download. I will check to see if Desktopsecure is available for free.
 
Old 11-20-2006, 06:07 PM   #4
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
Trying to install panda desktop secure for linux I continue to get the following error. Any idea on what I'm still needing?

You haven't installed the compiler for your kernel
You haven't installed the correct kernel headers
You haven't installed the necessary development tools
 
Old 11-21-2006, 02:10 PM   #5
Tortanick
Member
 
Registered: Jul 2006
Distribution: Debian Testing
Posts: 299

Rep: Reputation: 30
Well, the problem is clear: you need to install dependencies before desktopsecure. But it doesn't say what dependencies you are missing; check the desktop secure docs or ask their tech support. Although I somewhat doubt it's designed for a gateway; it's called desktopsecure after all.
 
Old 11-21-2006, 06:43 PM   #6
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
Ok, talking with tech support and reading some different posts, I find that if I recompile the kernel with dazuko I can install desktopsecure without these errors, or another virus scanner with "resident live scanning" like clamav.

So, I got dazuko-2.3.1.tar.gz, extracted it and tried ./config and got the following.

Quote:
verifying capabilities are not built-in... built-in
error: capabilities are built-in to the kernel:
you will need to recompile a kernel with capabilities
as a kernel module
So I try recompile of kernel by doing the following.

apt-get install linux-source-2.6.17
tar xjf linux-source-2.6.17.tar.bz2
cd linux-2.6.11.7/
make-kpkg clean
fakeroot make-kpkg --initrd --revision=custom.1.0 kernel_image
make menuconfig
Security Options --->
<*> Default Linux Capabilities (changed to M)
<M> Default Linux Capabilities
Saved new kernel configuration then
cd ../
dpkg -i linux-image-2.6.17_custom.1.0_i386.deb

Then rebooted and ran
uname -a
Linux scrapper 2.6.17-2-686 #1 SMP Wed Sep 13 16:34:10 UTC 2006 i686 GNU/Linux

To be honest I did not know how to go about recompiling the kernel without some help from http://www.howtoforge.com/forums/showthread.php?t=21. So then I try ./configure of dazuko and still get the capabilities built-in error again.

Pretty new to linux so any help here would be great. If I need to repost this error into another thread let me know. Thanks.
 
Old 11-22-2006, 08:09 AM   #7
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
Ok, not like anybody else is replying or even reading this thread, but in my previous post I forgot to load my current config from /boot/config-2.6.17 while in menuconfig. After loading my current config I then changed the default linux capabilities to "m", then recompiled and it worked. Well, I just think it worked. Now I cannot seem to get the dazuko module to load before the capability module upon boot. I can however run:

sudo rmmod capability
sudo modprobe dazuko
sudo modprobe capability

And this installs dazuko. But upon reboot I have to run this again. So I tried the following from this website.
http://allyourtech.com/content/artic...untu_linux.php

Quote:
sudo gedit /etc/modprobe.d/dazuko

Copy and paste the following code into the blank document and save it.

install dazuko modprobe -r capability;\
modprobe -i dazuko; \
modprobe -i capability

While still running gedit as root, open the modules file, located in /etc directory. Add the word dazuko to the end of the list. Save the file.
After reboot still no dazuko. Any help?
 
Old 11-22-2006, 09:51 AM   #8
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
Well, as stated above, not much help here, but I was able to figure out what the problem was. Hopefully this thread can help others who run into this same problem. After creating the dazuko file in /etc/modprobe.d/ and adding the dazuko line in the /etc/modules file, I had to copy the dazuko.ko file into /lib/modules/2.6.17/kernel/security. Rebooted and upon running cat /proc/modules both dazuko and capability are running. Started up the panda desktopsecure installation and do not get the errors.

Quote:
Originally Posted by tortanick
Although I somewhat doubt its designed for a gateway, its called desktopsecure after all.
Good point. And as a client/user of panda's windows based antivirus I know for a fact their products are memory hogs. So, I may go with a less hoggy antivirus, since I should now be able to run resident virus scanning.
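The two problems worked through in posts #6 and #8 (a kernel config where capabilities are built in rather than a module, and getting dazuko loaded ahead of the capability module on every boot) can both be checked and automated from a short script. The following is an added example written for this thread, not code posted by anyone in it and not part of dazuko or Panda's installer. It assumes the kernel option behind "Default Linux Capabilities" is named CONFIG_SECURITY_CAPABILITIES in the config file, that dazuko.ko was built against the running kernel, and it takes every path relative to $ROOT so it can be dry-run in a scratch directory before being pointed at / as root. Unlike the hand-copied path in post #8 it uses the exact version string from uname -r and runs depmod, which is what lets modprobe find a module copied in by hand.

```shell
#!/bin/sh
# Added example (not from the thread): check the capability kernel option,
# stage dazuko so it loads before the capability module at boot, and verify
# the load order from /proc/modules. ROOT=/ on a real host; anything else is
# a staging directory for a dry run.
ROOT="${ROOT:-/tmp/dazuko-stage}"
KVER="${KVER:-$(uname -r)}"

# How CONFIG_SECURITY_CAPABILITIES (assumed option name) is set in a kernel
# config file: prints "m" (module), "y" (built in) or "n" (not set).
# dazuko's configure script only accepts "m", which is the error in post #6.
capability_mode() {
    # $1 = kernel config, e.g. /boot/config-$(uname -r)
    awk -F= '/^CONFIG_SECURITY_CAPABILITIES=/ { print $2; found = 1 }
             END { if (!found) print "n" }' "$1"
}

# Copy the module where modprobe looks for it, refresh modules.dep, and
# register an install directive so that loading dazuko always unloads and
# reloads capability around it. Safe to run more than once.
stage_dazuko() {
    # $1 = path to the freshly built dazuko.ko
    ko="$1"
    r="${ROOT%/}"
    moddir="$r/lib/modules/$KVER/kernel/security"
    mkdir -p "$moddir" "$r/etc/modprobe.d"
    cp "$ko" "$moddir/dazuko.ko"
    # modprobe resolves names through modules.dep; depmod rebuilds it.
    [ "$ROOT" = "/" ] && depmod -a "$KVER"
    # -i (--ignore-install) keeps the directive from invoking itself.
    # Debian etch reads files in modprobe.d without a .conf suffix, as in post #7.
    printf '%s\n' 'install dazuko /sbin/modprobe -r capability; /sbin/modprobe -i dazuko; /sbin/modprobe -i capability' \
        > "$r/etc/modprobe.d/dazuko"
    # /etc/modules lists modules loaded at boot; add dazuko exactly once.
    touch "$r/etc/modules"
    grep -qx dazuko "$r/etc/modules" || echo dazuko >> "$r/etc/modules"
}

# Verify from /proc/modules-format text that both modules are loaded and that
# dazuko was loaded before capability. /proc/modules lists the most recently
# loaded module first, so capability must appear above dazuko.
both_loaded() {
    # $1 = file in /proc/modules format; exit status 0 means order is right
    awk 'BEGIN { d = 0; c = 0 }
         $1 == "dazuko"     { d = NR }
         $1 == "capability" { c = NR }
         END { exit !(d > 0 && c > 0 && c < d) }' "$1"
}

# Usage on the real host, as root, after building dazuko for the running kernel:
#   capability_mode /boot/config-$(uname -r)        # must print m
#   ROOT=/ . ./stage-dazuko.sh; stage_dazuko /path/to/dazuko.ko
#   reboot, then: both_loaded /proc/modules && echo "dazuko loaded before capability"
```

Running the staged version first against a scratch $ROOT lets you inspect the generated /etc/modprobe.d/dazuko and /etc/modules before touching the real system; after a reboot, both_loaded gives a yes/no answer that does not depend on reading /proc/modules by eye.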
 
Old 11-22-2006, 03:43 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
As far as doing real-time scanning of network traffic for every protocol, I'm only aware of the major firewall vendors supporting this, such as Juniper, Checkpoint, Fortinet, etc. To get enough speed in the AV process to get anywhere close to wire-speed, they implement a lot of the logic in hardware, and even then, I know that Juniper at least only uses a very small set of the most common virus signatures, so you're not even covered for every known virus.

I'm not aware of any Linux distro that can do such real-time scanning. I notice that Astaro advertises AV on their firewalls, but if you look closely it only does Anti-Virus for e-mail messages and web downloads.
 
Old 12-05-2006, 01:57 PM   #10
hinklejb
LQ Newbie
 
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks chort, unfortunately I have found this out the hard way. But, if you're willing to spend some money, which I may, F-Secure makes a pretty cool product I am currently evaluating. It's called Internet Gatekeeper for Linux. http://www.f-secure.com/small_busine...ts/fsigkl.html

It seems to do everything I want. But as chort states, I am curious to see how many users I can put behind this box before I start having issues. For now it's just a single laptop and internet gatekeeper is working great. I am hopefully in the near future going to test this linux UTM on a more taxing network and see how she stands up. By the way, a 1yr subscription to f-secure internet gateway with 50 users runs approx $650.00. That's with a 20% end of year discount. Each additional year looks to be $7 - $8 per user per year.
 