To help protect your server, you may want to scan your users' FTP uploads. Here is a great way of doing this if you are using Pure-FTPd and ClamAV. Pure-FTPd has an option to run a program after each upload, handled by pure-uploadscript. You tie the virus scanner into this script so that every uploaded file gets scanned. As long as you keep your virus definitions up to date, this will pick up most of the mainstream viruses, as well as the dreaded PHP shell scripts.
Here is how we do it. We first need to ssh into our server, and then switch user to root. Now, execute the following from the command line:
echo \#\!/bin/sh > /etc/pure-ftpd/upload-check.sh
This command will create a file called upload-check.sh, and place an interpreter call on the first line. Next, we add the action line to the file, by executing this command:
echo /usr/bin/clamdscan --move=/root/badfiles/ --quiet --no-summary --log=/var/log/clamscan.log \"\$1\" >> /etc/pure-ftpd/upload-check.sh
This will insert the second line in the upload-check script. This line calls the virus scanner, clamdscan, and passes some options to it. The first one tells the scanner to move the file if it has found a problem with it. I always find it useful to see what people are trying to upload, instead of just deleting the file as soon as it's scanned. The other important parameter here is the log value. We are telling the scanner to log all activity to the clamscan.log file, which is useful to view every so often to see if anyone was trying to upload something nasty. The escaped quotes around \$1 end up in the script as "$1", so that file names containing spaces are passed to the scanner intact. Now, chmod the script:
chmod 700 /etc/pure-ftpd/upload-check.sh
The next step is to ensure that the pure-uploadscript binary is started when your server boots, using the newly created upload-check.sh script:
echo /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-check.sh >> /etc/rc.d/rc.local
This places a line at the bottom of your rc.local file, telling it to run the pure-uploadscript, with the parameters you have assigned to it.
Next, we tell pure-ftpd to use the upload scanner. Use whatever editor you prefer:
vi /etc/pure-ftpd.conf
Search for CallUploadScript, and uncomment the line. Save your changes, and exit.
Now all we need to do is start the pure-uploadscript daemon and restart pure-ftpd:
/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-check.sh
service pure-ftpd restart
Once done, you should be scanning all files uploaded through FTP. To check whether any viruses have been found, you can check the log file. This command displays only the lines that have reported a virus:
tail -n 1000 /var/log/clamscan.log | grep FOUND
The files found to contain viruses will also have been moved to /root/badfiles, so that you can take a look at them and, if one is a false positive, move the file back to the user's directory.
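A fuller version of upload-check.sh, as an added example that is not part of the original post: it quotes the uploaded path, acts on clamdscan's exit status (0 clean, 1 virus found, anything else a scan error) and can mail an alert on a detection. The names SCANNER, QUARANTINE, LOG and ALERT_TO and the use of mail(1) are assumptions made here; UPLOAD_USER is an environment variable that pure-uploadscript sets for the script.

```shell
#!/bin/sh
# Added example: a fuller /etc/pure-ftpd/upload-check.sh.
# SCANNER, QUARANTINE, LOG and ALERT_TO are names chosen for this example.
SCANNER="${SCANNER:-/usr/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/root/badfiles}"
LOG="${LOG:-/var/log/clamscan.log}"
ALERT_TO="${ALERT_TO:-}"   # set to an address to get mail on detections

# Map clamdscan's exit status to a verdict: 0 = clean, 1 = virus found,
# anything else = scan error (clamd not running, file unreadable, ...).
verdict_for() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one uploaded file, record anything that is not clean, print the verdict.
handle_upload() {
    file="$1"
    # The quarantine directory must exist before --move can use it.
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    rc=0
    # Quote the path: uploaded file names may contain spaces or glob characters.
    "$SCANNER" --move="$QUARANTINE" --quiet --no-summary --log="$LOG" "$file" || rc=$?
    verdict=$(verdict_for "$rc")
    if [ "$verdict" != clean ]; then
        msg="upload scan $verdict: $file (user ${UPLOAD_USER:-unknown})"
        echo "$msg" >> "$LOG"
        # Optional alert; skipped when ALERT_TO is empty or mail(1) is missing.
        if [ -n "$ALERT_TO" ] && command -v mail >/dev/null 2>&1; then
            echo "$msg" | mail -s "FTP upload $verdict" "$ALERT_TO"
        fi
    fi
    echo "$verdict"
}

# pure-uploadscript runs this script with the uploaded file's path as $1.
if [ "$#" -gt 0 ]; then
    handle_upload "$1" >/dev/null
fi
```

Treating a scan error separately from a clean result matters here: if clamd is down, the one-line script above fails silently and the upload stays in place unscanned, whereas this version records the failure in the log.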
Hi, gr8 post thanks for posting. Information is useful!
Can’t seem to get this working.
Any additional tips?
Thanks
Okay got it working.
Works with FTP and FTPS but not SFTP.
Any thoughts about that?
One other thing that would be nice is if an email could be sent when a file is moved from a user account.
It will not work through SFTP because it is not using the ftp server, it is using the ssh protocol. Are you looking for an email alert once a virus has been found/removed?
Thanks Chris.
Yes on the email question.
My FTP service has gone down. When I disabled CallUploadScript in the FTP conf it started again. Any idea?
Hi there, can you tell me what OS you are using and what version of pure-ftp you have?
Hello Chris, sorry for the late reply. I am using CentOS release 5.2 and pure-ftpd v1.0.21; the cPanel control panel is installed on the server. When I enable CallUploadScript, the FTP service goes down.
Hi Don,
Are you making sure that you are starting the upload check script prior to restarting the ftp server? Also, if you have made changes to the upload script, you will have to kill all processes of it currently running, and then re-run the start up script:
/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-check.sh
Really Good Articles/posts that you have on this site. Thanks
Here’s a comment. Great advice =) Thanks
Great article! I bet a lot of work went into this post.
Being a complete newbie, all I can say is thanks for sharing this.
Thanks for sharing this helpful info!
I love it!