Install havp (HTTP Antivirus Proxy) in FreeBSD 7.1

Many of us are still using Internet Explorer as our main browser for a number of reasons, but mostly because of how our worksheet displays. Work is in progress to make it more compliant with other browsers such as Firefox and Opera.

Another problem came up when spyware and viruses started spreading more easily through IE. To stop them from spreading to other hosts, I decided to install havp alongside the already installed squid.

Squid already runs on port 3128, and I want to install havp on the recent FreeBSD 7.1 RC1.

Here are my steps:

1. Update the ports tree to the latest version using csup and install havp

cd /usr/ports/www/havp && make install

2. Install clamav

cd /usr/ports/security/clamav && make install

3. Edit rc.conf and add these lines:

clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
havp_enable="YES"

4. Edit havp.config. My config:

USER havp
GROUP havp
DAEMON true

PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 30
MAXSERVERS 100

ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log

LOG_OKS false

FORWARDED_IP true

X_FORWARDED_FOR true

PORT 8080

TEMPLATEPATH /usr/local/etc/havp/en

WHITELISTFIRST true

WHITELIST /usr/local/etc/havp/whitelist

BLACKLIST /usr/local/etc/havp/blacklist

SCANIMAGES false

ENABLECLAMLIB true
CLAMDBDIR /var/db/clamav
CLAMBLOCKMAX false
CLAMMAXFILES 1000
CLAMMAXFILESIZE 10
CLAMMAXRECURSION 8
CLAMMAXRATIO 250

ENABLECLAMD false

5. Copy the havp English templates

mv /usr/ports/www/havp/work/havp-0.88/etc/havp/templates/en /usr/local/etc/havp

6. Update clamav, as in this post.

7. Start havp

proxy# /usr/local/etc/rc.d/havp start
Starting havp.
Starting HAVP Version: 0.88
Mandatory locking disabled! KEEPBACK settings not used!
proxy#

8. Check havp.log

proxy# tail -f /var/log/havp/havp.log
11/12/2008 16:07:50 Process ID: 16837
11/12/2008 16:28:10 === Starting HAVP Version: 0.88
11/12/2008 16:28:10 === Mandatory locking disabled! KEEPBACK settings not used!
11/12/2008 16:28:10 Running as user: havp, group: havp
11/12/2008 16:28:10 — Initializing ClamAV Library Scanner
11/12/2008 16:28:10 ClamAV: Using database directory: /var/db/clamav
11/12/2008 16:28:13 ClamAV: Loaded 469940 signatures (engine 0.94.2)
11/12/2008 16:28:13 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
11/12/2008 16:28:13 — All scanners initialized
11/12/2008 16:28:13 Process ID: 19707

9. Check access.log

proxy# tail -f /var/log/havp/access.log
11/12/2008 16:07:39 172.88.1.89 GET 304 http://kompas.com/data/images/kradio_top.gif 199+0 OK
11/12/2008 16:07:39 172.88.1.89 GET 304 http://kompas.com/data/images/rss_icon.gif 253+0 OK
11/12/2008 16:07:39 172.88.1.89 GET 304 http://kompas.com/data/images/kradio_mid.gif 252+0 OK
11/12/2008 16:07:39 172.88.1.89 GET 304 http://kompas.com/data/images/kradio_bot.gif 199+0 OK
11/12/2008 16:07:39 172.88.1.89 GET 304 http://kompas.com/data/images/logo_kg.gif 253+0 OK
11/12/2008 16:07:44 172.88.1.89 GET 200 http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_30561-30720;30563,30565,30567-30573,30575-30576,30578-30579,30581,30583-30592,30595,30600,30605-30606,30609-30611,30615-30621,30623-30625,30627,30629-30631,30634,30636-30638,30641,30643,30646-30647,30649-30650,30652,30654,30659,30661,30663,30665-30668,30670-30672,30676-30679,30682-30684,30686,30690,30692-30701,30703-30706,30708-30709,30713,30716-30717,30719-30720;30561-30562,30564,30566,30574,30577,30580,30582,30593-30594,30596… 262+15212 OK
11/12/2008 16:07:47 172.88.1.89 GET 200 http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_30721-30880;30725,30727,30732,30736-30739,30747,30750,30752-30754,30757,30759-30760,30763,30765,30767,30769-30770,30776,30778,30780,30782-30789,30791-30792,30794-30796,30798,30800,30803-30804,30808-30810,30812,30814-30815,30817-30819,30821-30823,30827-30828,30831-30834,30837-30839,30843-30848,30850-30853,30855-30856,30859,30861-30862,30865-30867,30871,30873,30875-30879;30721-30724,30726,30728-30731,30733-30735,30740-30746,30748… 262+14985 OK
11/12/2008 16:08:01 172.88.1.72 GET 200 http://www.eicar.org/download/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature
11/12/2008 16:08:33 172.88.1.72 GET 200 http://www.eicar.org/download/eicar.com.txt 358+68 VIRUS ClamAV: Eicar-Test-Signature
11/12/2008 16:17:21 172.88.1.72 GET 200 http://www.eicar.org/download/eicar.com.txt 358+68 VIRUS ClamAV: Eicar-Test-Signature
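The access.log above is the place to look when something gets blocked. As an added example that is not part of the original post, the shell functions below parse that exact log format with awk and summarise which clients triggered which ClamAV signatures; the sample log lines are constructed for the demo (the hosts and URLs are made up).

```shell
#!/bin/sh
# Added example: summarise virus detections from a havp access.log.
# havp access.log format, as seen on this page:
#   DATE TIME CLIENT METHOD STATUS URL REQBYTES+RESPBYTES RESULT [SCANNER: SIGNATURE]
# Constructed sample log (made-up hosts, URLs and one made-up signature name).
SAMPLE_LOG='11/12/2008 16:07:39 172.88.1.89 GET 304 http://example.com/a.gif 199+0 OK
11/12/2008 16:08:01 172.88.1.72 GET 200 http://example.com/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature
11/12/2008 16:08:33 172.88.1.72 GET 200 http://example.com/eicar.com.txt 358+68 VIRUS ClamAV: Eicar-Test-Signature
11/12/2008 16:09:10 172.88.1.90 GET 200 http://example.com/sample.exe 400+1024 VIRUS ClamAV: Test.Sig.A'

# Total number of responses havp blocked (log fed on stdin).
havp_virus_count() {
    awk '$8 == "VIRUS" { n++ } END { print n + 0 }'
}

# One line per client/signature pair: "CLIENT SIGNATURE HITS", most hits first.
# Field 8 is havp's verdict; the signature is always the last field.
havp_virus_report() {
    awk '$8 == "VIRUS" { hits[$3 " " $NF]++ }
         END { for (k in hits) print k, hits[k] }' | sort -k3,3nr -k1,1
}

# Clients with at least N blocked downloads (default 2): worth a closer look,
# since repeated hits usually mean an infected host or a user retrying.
havp_noisy_clients() {
    awk -v t="${1:-2}" '$8 == "VIRUS" { c[$3]++ }
         END { for (ip in c) if (c[ip] >= t) print ip }' | sort
}

# Run against the sample; on a real box: tail -n 1000 /var/log/havp/access.log | havp_virus_report
echo "$SAMPLE_LOG" | havp_virus_report
```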

10. Integrate havp with the existing squid by adding this line to squid.conf:

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default

11. Restart squid and test by opening the sample virus from Eicar.

[image: virus]

Great, it seems to work well from my Linux Mint desktop.
