/etc/apparmor.d/usr.bin.freshclam
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@ubuntu.com>
# Last Modified: Sun Aug 3 09:39:03 2008
#include <tunables/global>
/usr/bin/freshclam {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # freshclam starts as root and switches to the database owner account,
  # so these two capabilities are all it needs.
  capability setgid,
  capability setuid,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  # Configuration and event hook directories: read/map only, never write.
  /etc/clamav/clamd.conf r,
  /etc/clamav/freshclam.conf r,
  /etc/clamav/onerrorexecute.d/* mr,
  /etc/clamav/onupdateexecute.d/* mr,
  /etc/clamav/virusevent.d/* mr,

  # Per-user database directories of the ClamTk and KlamAV front-ends;
  # "owner" limits access to files owned by the invoking user.
  owner @{HOME}/.clamtk/db/ rw,
  owner @{HOME}/.clamtk/db/** rwk,
  owner @{HOME}/.klamav/database/ rw,
  owner @{HOME}/.klamav/database/** rwk,

  /usr/bin/freshclam mr,

  # Signature database and logs are the only writable system paths
  # (k = file locking).
  /var/lib/clamav/ r,
  /var/lib/clamav/** krw,
  /var/log/clamav/* krw,
  /{,var/}run/clamav/freshclam.pid w,
  # clamd control socket, used to ask clamd to reload the database.
  /{,var/}run/clamav/clamd.ctl rw,

  # Explicit deny rules are not logged; this silences Samba cache access
  # attempted through the name-service libraries.
  deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwkl,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.freshclam>
}
---------- Forwarded message ---------
From: Birger Birger <birger.solna@gmail.com>
Date: Tue 3 Sep 2019 at 15:12
Subject: Re: [clamav-users] Fwd: Fwd: freshclam incremental update
To: ClamAV users ML <clamav-users@lists.clamav.net>
SSH port 22 has been opened by me for the purpose of troubleshooting the ClamAV
issues. Will ask for a specific IP from Zentyal support. Closing it
now.
On Tue 3 Sep 2019 14:48, Gene Heskett via clamav-users <
clamav-users@lists.clamav.net> wrote:
> On Tuesday 03 September 2019 06:20:58 G.W. Haywood via clamav-users
> wrote:
>
> > Hi there,
> >
> > On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:
> > > Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall
> > > drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00
> > > PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057
> > > RES=0x00 ACK FIN URGP=0 MARK=0x1
> >
> > That's a Cloudflare destination IP. You see it in your freshclam log.
> > Cloudflare delivers the ClamAV data and you're dropping packets sent
> > to it from 192.168.1.30. I guess that's your immediate problem.
> >
> > Another question about "Ubuntu Syslog".
> >
> > > Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall
> > > drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
> > > SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
> > > ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH
> > > UR$
> >
> > The IP address 112.85.42.229 appears to be in Shanghai, and it appears
> > that it's trying to make SSH connections to 192.168.1.30. If that
> > were my router, I would not let these attempts through it.
> >
> That router is passing stuff that should never get past it UNLESS you
> have set a Port Forward NAT. If you have NOT set that up, it will get
> you hacked, so apply a hammer to "take it out of the gene pool" and
> deposit the remains in the outgoing trash forthwith and replace it with
> something you can reflash to dd-wrt. Nothing comes in through dd-wrt that
> you don't specifically allow, and it has stood guard here for nearly 20
> years now. Unlike guard dogs, it never sleeps.
>
> > I repeat that I suggest you upgrade ClamAV to the latest version.
>
>
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> If we desire respect for the law, we must first make the law respectable.
> - Louis D. Brandeis
> Genes Web page <http://geneslinuxbox.net:6309/gene>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
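The two kernel firewall lines quoted in the thread above are netfilter LOG output. What follows is an added example, not code from the ClamAV project or from anyone on the list: it parses such lines and sorts each drop into the two cases the thread discusses, the host's own outbound web traffic being blocked (which is what stops freshclam fetching its database from the CDN) and inbound SSH attempts from non-private addresses. The first two sample lines are copied from the thread (the second truncated exactly as it appeared on the list); the third is constructed. The bucket names, the private-address test and the 80/443 port set are this example's own choices.

```python
"""Triage netfilter LOG "drop" lines like the ones quoted in this thread.

Added example for this page; not code from the ClamAV project or from
the list posters. It reads the KEY=VALUE fields the kernel writes
(IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) and sorts each drop into:

  outbound-web-drop : the host itself was stopped from reaching a remote
                      web port (80/443). freshclam fetches its database
                      over HTTP(S), so this is a likely cause of failed
                      updates.
  inbound-ssh-probe : a non-private address was stopped from reaching
                      port 22 on the host.
  other             : anything else.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

WEB_PORTS = {80, 443}   # ports freshclam's HTTP(S) fetch would use
SSH_PORT = 22

# Two kernel lines from the thread (the second truncated as posted, "UR$")
# plus one constructed line (a dropped mDNS packet from another LAN host).
SAMPLE_LOG = [
    "Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 "
    "SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF "
    "PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1",
    "Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= "
    "MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 "
    "LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 "
    "RES=0x00 ACK PSH UR$",
    # constructed sample, not from the thread
    "Sep 3 10:45:00 zentyal kernel: [266300.000000] zentyal-firewall drop IN=eth0 OUT= "
    "SRC=192.168.1.77 DST=192.168.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=40",
]

_KV = re.compile(r"^([A-Z]+)=(.*)$")   # KEY=VALUE tokens (value may be empty)
_FLAG = re.compile(r"^[A-Z]{2,4}$")    # bare flags: DF, SYN, ACK, FIN, PSH, ...


def parse_netfilter_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    Bare flags are joined under "flags". Anything else (timestamp, host,
    log prefix, a truncated tail such as "UR$") is ignored.
    """
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in line.split():
        m = _KV.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif _FLAG.match(tok):
            flags.append(tok)
    fields["flags"] = " ".join(flags)
    return fields


def _is_private(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def is_new_connection(line: str) -> bool:
    """True only for a bare SYN, i.e. a dropped connection attempt.

    A dropped ACK/FIN or ACK/PSH belongs to a stream that already existed,
    so on its own it does not prove the firewall blocks the service.
    """
    flags = parse_netfilter_line(line)["flags"].split()
    return "SYN" in flags and "ACK" not in flags


def classify_drop(line: str) -> str:
    f = parse_netfilter_line(line)
    if f.get("PROTO") != "TCP":
        return "other"
    try:
        dpt = int(f.get("DPT", ""))
    except ValueError:
        return "other"
    src, dst = f.get("SRC", ""), f.get("DST", "")
    outbound = f.get("OUT", "") != "" and f.get("IN", "") == ""
    inbound = f.get("IN", "") != "" and f.get("OUT", "") == ""
    if outbound and _is_private(src) and not _is_private(dst) and dpt in WEB_PORTS:
        return "outbound-web-drop"
    if inbound and not _is_private(src) and dpt == SSH_PORT:
        return "inbound-ssh-probe"
    return "other"


def triage(lines: List[str]) -> Dict[str, int]:
    """Count drops per bucket; only lines carrying the " drop " prefix count."""
    return dict(Counter(classify_drop(l) for l in lines if " drop " in l))


if __name__ == "__main__":
    for l in SAMPLE_LOG:
        kind = "new-conn" if is_new_connection(l) else "mid-stream"
        print(f"{classify_drop(l):18} {kind:10} {l[-70:]}")
    print(triage(SAMPLE_LOG))
```

One check worth doing before acting on the first bucket: look at the TCP flags. The quoted outbound line is an ACK FIN, the tail of a connection that had already exchanged data, so confirm the firewall is really blocking the updater by looking for dropped SYNs to the same destination (is_new_connection() makes that distinction) rather than relying on a single mid-stream drop.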