How To Integrate ClamAV Into PureFTPd For Virus Scanning On Fedora 14

This tutorial explains how you can integrate ClamAV into PureFTPd for virus scanning on a Fedora 14 system. In the end, whenever a file gets uploaded through PureFTPd, ClamAV will check the file and delete it if it is malware.

I do not issue any guarantee that this will work for you!

You should have a working PureFTPd setup on your Fedora 14 server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Fedora 14.

ClamAV can be installed as follows:

yum install amavisd-new clamav clamav-data clamav-server clamav-update clamav-scanner

Clamdscan expects the configuration file /etc/clamd.conf which doesn't exist - therefore we create a symlink from /etc/clamd.conf to /etc/clamd.d/amavisd.conf:

ln -s /etc/clamd.d/amavisd.conf /etc/clamd.conf

Next we create the system startup links for clamd and start it:

chkconfig --levels 235 clamd.amavisd on
/etc/init.d/clamd.amavisd start

First we open /etc/pure-ftpd/pure-ftpd.conf and set CallUploadScript to yes :

vi /etc/pure-ftpd/pure-ftpd.conf

[...]# If your pure-ftpd has been compiled with pure-uploadscript support,# this will make pure-ftpd write info about new uploads to# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and# spawn a script to handle the upload.CallUploadScript yes[...]

Next we create the file /etc/pure-ftpd/clamav_check.sh (which will call /usr/bin/clamdscan whenever a file is uploaded through PureFTPd)...

vi /etc/pure-ftpd/clamav_check.sh

#!/bin/sh/usr/bin/clamdscan --remove --quiet --no-summary "$1"

... and make it executable:

chmod 755 /etc/pure-ftpd/clamav_check.sh

Now we start the pure-uploadscript program as a daemon - it will call our /etc/pure-ftpd/clamav_check.sh script whenever a file is uploaded through PureFTPd:

pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh

Of course, you don't want to start the daemon manually each time you boot the system - therefore we open /etc/rc.local...

vi /etc/rc.local

... and add the line /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh to it - e.g. as follows:

#!/bin/sh## This script will be executed *after* all the other init scripts.# You can put your own initialization stuff in here if you don't# want to do the full Sys V style init stuff./usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.shtouch /var/lock/subsys/local

Finally we restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it! Now whenever someone tries to upload malware to your server through PureFTPd, the "bad" file(s) will be silently deleted.

How To Install A (Canon) Printer On Debian And Debian-Like Systems

This tutorial will cover how to install the well-known CUPS printing system, and optionally tell you how to have your Canon printer work. There are extra details about where to find Canon drivers and how to install the "Print to PDF" feature.

If you didn't check any option at the Debian network installation, you will need to download and install a few packages.

Run the following command as root:

# apt-get install cups cups-client "foomatic-db*"

This will install CUPS and download a database of printer drivers.

As the Debian distribution installs a secure Linux system on your computer, most of the permissions involved by installing packages are "opt-in". This means you have to explicitly grant permission to users so that they can print.

This is done by adding them to the lpadmin group:

# adduser YOUR_NORMAL_ACCOUNT lpadmin

Power on and plug your printer, and then browse to http://localhost:631/

Go to the Administration tab and click Add printer. At that point you will be required to type your normal user and password (not root).

CUPS will look for printers available on the network or attached to your computer.

Choose your printer in the Local printers section.

Fill the form if you want to, then see if your printer driver is in the list.
NB: Your exact model number is probably not in the list, however if you've got a 3030 printer, the 3000 driver is the one you need.

If you don't find your printer in the list, either the driver just doesn't exist for non-Windows OS / Mac OS, or it is proprietary (non-free).

If you bought a Brother or HP printer, you're lucky because all of their current printers are provided with an opensource driver. Install the hplip package for Hewlett Packard printers.

You can't find Canon drivers on non-free repositories. You have to go to the Canon website and download them.

Go to www.canon.com, select your country and language, then go to the Support page, find your printer (in category "Printer" or "Multifunction").
Choose "Linux" as your operating system. Let the language setting as it is. (Because maybe the drivers could be hidden if the included manual doesn't exist in your language).

Download that UFR II driver file.

You'll end up with a zip file / archive.

Open your Terminal again, change to your Downloads directory, and unzip that file:

$ unzip *ufr2*.zip

The unzipped directory is the language you choose, e.g. "english" or "italiano". cd to that directory, then open the "driver" directory corresponding to your architecture (32 or 64 bits), and finally open the RPM folder.

As you may know, RPM is the "Red Hat Package Manager", but Debian uses APT. RPM files have the ".rpm" extension and Debian packages get a ".deb" extension.

So, we will have to convert them.

For that purpose, install a program called alien. And I'd advice to install fakeroot as well. (Fakeroot allows you to work on Debian packaging without root privileges, which are not needed until the installation part.)

# apt-get install alien fakeroot

Then convert the packages:

 $ fakeroot alien --to-deb *.rpm

Finally you can now install them as usual:

# dpkg -i *.deb

Reload the "Add printer" page on the CUPS web interface, and this time you should be able to find your printer model in the list. (You can also press "Choose another ...." and go back to "Canon" again.)

You should not need to restart cups, but if you want to, just to be sure, do the following as root:

# service cups restart

Voilà ! You've successfully installed your printer!

Here is a trick that could be helpful. If you're using an application that doesn't provide an "Export to PDF" function, you can simply print as normally and select a special "PDF printer."

In order to do that, you have to install the "cups-pdf" package:

# apt-get install cups-pdf

Your "PDF printed" documents will be put in a folder called "PDF" in your home directory, i.e. ~/PDF/

You may have to create this directory yourself if you have issues with the cups PDF printer.

The CUPS web user interface is the place to go whether you need to manage your printers and printing jobs, and find the reasons of printing issues. You can pause or cancel a job and even re-print a document.

Note you have to modify your /etc/cups/cupsd.conf configuration file if you want the interface to be accessible from other computers in your network.

How To Set Up Centralized Security Policy Management Across Multiple Remote Proxy Servers With SafeSquid

Enterprises with multiple geographically distributed locations, face challenges in enforcing a universal Internet Access Policy across the enterprise. Usually, each location deploy their own preferred  content filtering solution, and hence can not synchronize the Corporate Internet Access Policy (CIAP) globally. SafeSquid's Multi-Proxy or Master-Slave feature allows you to enforce your CIAP universally across the enterprise, irrespective of the geographical location of a remote office. Master-Slave configuration ensures that policies are enforced globally, and that any changes made to the policies on the Master SafeSquid server, get synchronized to all the Slave servers across the Enterprise, in real-time, thereby greatly reducing an Administrators management overheads. SafeSquid's Master-Slave feature is so granular, that you can define unique user authentication mechanism for each location, unique access policies for a specific location, exclude or include locations a policy should apply to, create granular access policies based on the group a user belongs to, and much more. Master-Slave can be implemented, irrespective of whether the Enterprise has a common Internet Gateway or a distributed one.

Master-Slave in a central gateway scenario

Master-Slave in a distributed gateway scenario

A Master server can be set up in the normal way you would set up a stand alone server, and you do not have to do anything extra during the installation, except ensure that the Slave servers are able to access SafeSquid interface, either on a private internal connection, or via the Internet. For allowing access to SafeSquid Interface via Internet, you will have to make the Master server listen on a static (live) internet IP. Next, you need to make the Master server listen on an additional port on which to allow access only to the SafeSquid interface, other than the port on which it will server the users. Then create entries in the Access Restrictions section, to allow the slave servers to access the interface. If the remote locations have static internet IPs too, it would help in securing access to the Interface based on the IP of the locations, and not from anywhere else.

Suppose the Master SafeSquid is listening on port 8080 (default). Now, you need to make it to listen on port 8081 too, and allow access only to the web interface on this port. To make SafeSquid listen on port 8081, go to Config > Network settings and create the following entry -

Next, click on 'Save settings' in the Top Menu of the interface, save the settings, and restart SafeSquid service. When SafeSquid starts this time, it will listen on both, port 8080 and 8081. Next, you need to create an entry under Access Restrictions, to allow access only to the SafeSquid interface, on port 8081.

The above entry means that the proxy will accept requests on the specified interface (IP=152.23.163.10 which is supposed to be the static IP, and PORT=8081) from the specified source 'IP Address' (from any source IP if left blank) and allow them access to the web interface (Access=config). It will additionally apply a profile 'SLAVES' to such requests.

Note: The entries in Access Restrictions are applied from top-to-bottom hierarchy. The first entry that matches is applied, and the rest are ignored. Hence, all IP based entries should precede non-IP based rules, else the entry will never be applied.

At each of the remote locations, while installing SafeSquid, you will need to define the IP:PORT of the Master server, from where the Slave can fetch the configuration file, for synchronization. based on the above example, this would be 152.23.163.10:8081, the IP and port that is configured on the Master server to allow access to Slave servers.

Master Proxy Configuration Section in SafeSquid for Windows Installation

Synchronization Time Setting in SafeSquid for Windows

Master Proxy Configuration Section in SafeSquid for Linux Installation

Synchronization Time Setting in SafeSquid for Linux

By default, these values are a blank in both SafeSquid for Windows and Linux. You need to change this to 152.23.163.10:8081. The polling interval in seconds, at which the Slave should request configuration updates from the Master server, is by default set to 60 seconds. You can change it to any acceptable value.

Another point to note during the installation, is to define a unique HOSTNAME for each SafeSquid Slave. You can either specify the HOSTNAME during the installation, or leave it blank, and later specify it from the SafeSquid Interface > General Section. Specifying a unique HOSTNAME will help you later, for defining granular policies based on these hostnames.

Once done, when the SafeSquid Slave server starts, it will fetch the configuration file from the Master Server, and then update itself again every 60 seconds. You can verify if the Slave is properly synchronizing with the Master, from the 'View log entries' in the Slave web interface. You should find entries similar to the below screen shot -

You can use the unique HOSTNAME of a Slave server, to create granular polices, that should apply to specific Slave servers. For example, if you would like a Slave server, with hostname PROXY3, to authenticate users from an LDAP / Active Directory Server within its network, all you need to do is specify the hostname of slave server in the entry that you create in the LDAP Configuration section, with its local authenticating server details. This way, you can configure a unique authenticating server for each slave server. 

Similarly, you can create unique profiles too, that should apply to specific slave servers, by defining their hostname, in the 'Proxy host' field. This field supports regular expressions, so you can create a profile to cover multiple slave servers, e.g. (PROXY3|PROXY5|PROXY8)

You can then use the profiles so created, in any of the filtering sections; like URL Filtering, Mime Filter, Keyword Filter, etc. for defining granular access policies.

Download: You can download SafeSquid free editions from here.

Also see: Other SafeSquid howtos 

VBoxHeadless - Running Virtual Machines With VirtualBox 4.0 On A Headless Ubuntu 11.04 Server

Version 1.0
Author: Falko Timme
Follow me on Twitter
Last edited 05/09/2011

This guide explains how you can run virtual machines with VirtualBox 4.0 on a headless Ubuntu 11.04 server. Normally you use the VirtualBox GUI to manage your virtual machines, but a server does not have a desktop environment. Fortunately, VirtualBox comes with a tool called VBoxHeadless that allows you to connect to the virtual machines over a remote desktop connection, so there's no need for the VirtualBox GUI.

I do not issue any guarantee that this will work for you!

I have tested this on an Ubuntu 11.04 server (host system) with the IP address 192.168.0.100 where I'm logged in as a normal user (user name administrator in this example) instead of as root.

To install VirtualBox 4.0 on our Ubuntu 11.04 server, we open /etc/apt/sources.list...

sudo vi /etc/apt/sources.list

... and add the following line to it:

[...]deb http://download.virtualbox.org/virtualbox/debian natty contrib

Then we download the VirtualBox public key...

wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

... and update our package database:

sudo apt-get update

Afterwards, we install VirtualBox 4.0 as follows:

sudo apt-get install linux-headers-$(uname -r) build-essential virtualbox-4.0 dkms

(The dkms package ensures that the VirtualBox host kernel modules are properly updated if the Linux kernel version changes.)

Starting with version 4.0, VirtualBox has introduced so called "extension packs" and has outsourced some functionality like remote desktop connection support (VRDP) that was part of VirtualBox packages before version 4.0 into these extension packs. Because we need remote desktop connections to control our virtual machines, we need to install the appropriate extension pack now. Go to http://www.virtualbox.org/wiki/Downloads, and you will find a link to the following extension pack:

VirtualBox 4.0.6 Oracle VM VirtualBox Extension Pack
Support for USB 2.0 devices, VirtualBox RDP and PXE boot for Intel cards.

Download and install the extension pack as follows:

cd /tmp
wget http://download.virtualbox.org/virtualbox/4.0.6/Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack
sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack

(Make sure you grab the latest version from the VirtualBox web site.)

(Make sure you run the last command with sudo - sudo VBoxManage extpack install ... - because otherwise you will get an error like this:

administrator@server1:/tmp$ VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack
0%...
Progress state: NS_ERROR_FAILURE
VBoxManage: error: Failed to install "/tmp/Oracle_VM_VirtualBox_Extension_Pack-4.0.6-71344.vbox-extpack": The installer failed with exit code 127: Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address
administrator@server1:/tmp$

)

Now we must add the user that will run VirtualBox (administrator in this example) to the vboxusers group:

sudo adduser administrator vboxusers

VirtualBox is now installed and ready to be used.

To create a VM on the command line, we can use the VBoxManage command. See

VBoxManage --help

for a list of available switches and (highly recommended!) take a look at http://www.virtualbox.org/manual/ch08.html.

I will now create an Ubuntu 11.04 Server VM with 512MB memory and a 10GB hard drive from the Ubuntu 11.04 Server iso image (which I have stored in /home/ubuntu-11.04-server-amd64.iso):

VBoxManage createvm --name "Ubuntu 11.04 Server" --register
VBoxManage modifyvm "Ubuntu 11.04 Server" --memory 512 --acpi on --boot1 dvd --nic1 bridged --bridgeadapter1 eth0
VBoxManage createhd --filename Ubuntu_11_04_Server.vdi --size 10000
VBoxManage storagectl "Ubuntu 11.04 Server" --name "IDE Controller" --add ide
VBoxManage storageattach "Ubuntu 11.04 Server" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium Ubuntu_11_04_Server.vdi
VBoxManage storageattach "Ubuntu 11.04 Server" --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/ubuntu-11.04-server-amd64.iso

Let's assume you have a VM called examplevm that you want to reuse on this host. On the old host, you should have a directory Machines/examplevm in the VirtualBox directory; Machines/examplevm should contain the examplevm.xml file. Copy the examplevm directory (including the examplevm.xml file) to your new Machines directory (if your user name is administrator, this is /home/administrator/.VirtualBox/Machines - the result should be /home/administrator/.VirtualBox/Machines/examplevm/examplevm.xml).

In addition to that copy the examplevm.vdi file from the old VDI directory to the new one (e.g. /home/administrator/.VirtualBox/VDI/examplevm.vdi).

Afterwards, you must register the imported VM:

VBoxManage registervm Machines/examplevm/examplevm.xml

Regardless of if you create a new VM or import an old one, you can start it with the command:

VBoxHeadless --startvm "Ubuntu 11.04 Server"

(Replace Ubuntu 11.04 Server with the name of your VM.)

VBoxHeadless will start the VM and a VRDP (VirtualBox Remote Desktop Protocol) server which allows you to see the VM's output remotely on another machine.

To stop a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" poweroff

To pause a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" pause

To reset a VM, run

VBoxManage controlvm "Ubuntu 11.04 Server" reset

To learn more about VBoxHeadless, take a look at

VBoxHeadless --help

and at http://www.virtualbox.org/manual/ch07.html#vboxheadless.

VBoxHeadless - Running Virtual Machines With VirtualBox 4.0 On A Headless Ubuntu 11.04 Server - Page 2

The Perfect Desktop - Ubuntu Studio 11.04

This tutorial shows how you can set up an Ubuntu Studio 11.04 desktop that is a full-fledged replacement for a Windows desktop, i.e. that has all the software that people need to do the things they do on their Windows desktops. The advantages are clear: you get a secure system without DRM restrictions that works even on old hardware, and the best thing is: all software comes free of charge.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

To fully replace a Windows desktop, I want the Ubuntu Studio desktop to have the following software installed:

The GIMP - free software replacement for Adobe Photoshop Shotwell Photo Manager - full-featured personal photo management application for the GNOME desktopGoogle Picasa - application for organizing and editing digital photosFirefoxOperaChromium - Google's open-source browser Flash Player 10 FileZilla - multithreaded FTP client Thunderbird - email and news clientEvolution - combines e-mail, calendar, address book, and task list management functionsaMule - P2P file sharing applicationTransmission BitTorrent Client - Bittorrent client Vuze - Java Bittorrent client Empathy IM Client - multi-platform instant messaging clientSkypeGoogle EarthXchat IRC - IRC client Gwibber Social Client - open-source microblogging client (Twitter, Facebook, etc.)LibreOffice Writer - replacement for Microsoft Word LibreOffice Calc - replacement for Microsoft Excel Adobe ReaderGnuCash - double-entry book-keeping personal finance system, similar to Quicken Scribus - open source desktop publishing (DTP) applicationAmarok - audio player Audacity - free, open source, cross platform digital audio editorBanshee - audio player, can encode/decode various formats and synchronize music with Apple iPods MPlayer - media player (video/audio), supports WMA Rhythmbox Music Player - audio player, similar to Apple's iTunes, with support for iPods gtkPod - software similar to Apple's iTunes, supports iPod, iPod nano, iPod shuffle, iPod photo, and iPod miniXMMS - audio player similar to Winampdvd::rip - full featured DVD copy programKino - free digital video editorSound Juicer CD Extractor - CD ripping tool, supports various audio codecsVLC Media Player - media player (video/audio)RealPlayer - media player (available for i386 systems only)Totem - media player (video/audio)Xine - media player, supports various formats; can play DVDs Brasero - CD/DVD burning program K3B - CD/DVD burning programMultimedia CodecsKompoZer - WYSIWYG HTML editor, similar to Macromedia Dreamweaver, but not as feature-rich (yet)Bluefish - text editor, suitable for many programming and markup languagesQuanta Plus - web development environment, including a WYSIWYG editorVirtualBox OSE- lets you run your old Windows desktop as a virtual machine under your Linux desktop, so you don't have to entirely abandon Windows TrueType fontsJavaRead-/Write support for NTFS partitions

Lots of our desired applications are available in the Ubuntu repositories, and some of these applications have been contributed by the Ubuntu community.

As you might have noticed, a few applications are redundant, for example there are two CD/DVD burning applications in my list (Brasero, K3B). If you know which one you like best, you obviously don't need to install the other applications, however if you like choice, then of course you can install both. The same goes for music players like Amarok, Banshee, Rhythmbox, XMMS or browsers (Firefox, Opera, Chromium).

I will use the username falko in this tutorial. Please replace it with your own username.

The installation of the base system is easy as 1-2-3 because the Ubuntu Studio installer doesn't offer a lot of options to choose from, so you cannot go wrong.

Download the Ubuntu Studio iso image from http://ubuntustudio.org/downloads, burn it onto a DVD, and boot your computer from it. Select your language:

Then select Install Ubuntu Studio:

Choose your language again (?):

Then select your location:

If you've selected an uncommon combination of language and location (like English as the language and Germany as the location, as in my case), the installer might tell you that there is no locale defined for this combination; in this case you have to select the locale manually. I select en_US.UTF-8 here:

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):

The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:

You can accept the default hostname or specify your own one:

Please check if the installer detected your time zone correctly. If so, select Yes, otherwise No:

Now you have to partition your hard disk. For simplicity's sake I will create one big partition (with the mount point /) and a little swap partition so I select Guided - use entire disk (of course, the partitioning is totally up to you - if you like, you can create more than just one big partition, and you can also use LVM):

Select the disk that you want to partition:

When you're finished, hit Yes when you're asked Write the changes to disks?:

Afterwards, your new partitions are being created and formatted.

The Perfect Desktop - Ubuntu Studio 11.04 - Page 2

Installing Apache2 With PHP5 And MySQL Support On Ubuntu 11.04 (LAMP)

LAMP is short for Linux, Apache, MySQL, PHP. This tutorial shows how you can install an Apache2 webserver on an Ubuntu 11.04 server with PHP5 support (mod_php) and MySQL support.

I do not issue any guarantee that this will work for you!

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:

sudo su

First we install MySQL 5 like this:

apt-get install mysql-server mysql-client

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Apache2 is available as an Ubuntu package, therefore we can install it like this:

apt-get install apache2

Now direct your browser to http://192.168.0.100, and you should see the Apache2 placeholder page (It works!):

Apache's default document root is /var/www on Ubuntu, and the configuration file is /etc/apache2/apache2.conf. Additional configurations are stored in subdirectories of the /etc/apache2 directory such as /etc/apache2/mods-enabled (for Apache modules), /etc/apache2/sites-enabled (for virtual hosts), and /etc/apache2/conf.d.

We can install PHP5 and the Apache PHP5 module as follows:

apt-get install php5 libapache2-mod-php5

We must restart Apache afterwards:

/etc/init.d/apache2 restart

The document root of the default web site is /var/www. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.

vi /var/www/info.php

Now we call that file in a browser (e.g. http://192.168.0.100/info.php):

As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.

To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications. You can search for available PHP5 modules like this:

apt-cache search php5

Pick the ones you need and install them like this:

apt-get install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Now restart Apache2:

/etc/init.d/apache2 restart

Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:

phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good idea to install it:

apt-get install phpmyadmin

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Afterwards, you can access phpMyAdmin under http://192.168.0.100/phpmyadmin/: