Spamassassin/ClamAV on remote server

I configured Virtualmin to use Spamassassin and ClamAV on a remote server (called Spamserver) which works very well.

Two minor problems are left though:

  1. The Spam and Virus hits are now logged on Spamserver so I can’t see them using the “System Statistics” page on my Virtualmin hosting server (called Hostingserver). Even though I can set up Virtualmin on its own on Spamserver and collect statistics there, I would rather keep that server clean by not installing all the usual hosting software like Postfix, Apache, MySQL etc.

What is the best way to configure Hostingserver to get the log files from Spamserver and feed the statistics system with them?

The first thing that comes to mind is configuring Hostingserver as a syslog server. Spamserver has to be configured to use Hostingserver for logging, at least for Spam and Virus. I don’t know syslog very well: Can I make syslog log remote data to the same /var/log/mail.log that the local system logs to? If not, how do I configure the statistics system to use different log files for Spam and Virus information?

A second way may be to use NFS to mount Spamserver’s /var/log on Hostingserver and get the information this way.

  2. Since the user database on Hostingserver is not known on Spamserver and the $HOME directories do not exist there, Spamassassin may not save user-related data like the auto white list or does not have access to user-customized data in $HOME/.spamassassin. To solve this I can simply NFS mount the /home partition from Hostingserver on Spamserver. Also the user database must be populated from Hostingserver to Spamserver using some simple rsync mechanism. NIS probably is overhead here.

Do you have any ideas about these problems?

The first thing that comes to mind is configuring Hostingserver as a syslog server. Spamserver has to be configured to use Hostingserver for logging, at least for Spam and Virus. I don't know syslog very well: Can I make syslog log remote data to the same /var/log/mail.log that the local system logs to?

Heh, for someone who doesn’t know Syslog well, that’s actually a really good idea :-)

What I’d do is look in /etc/syslog.conf and “man syslog.conf” for some examples, but essentially, what you’d want is to add something like this to your syslog.conf on Spamserver:

mail.* @Hostingserver_address

And then on Hostingserver, you’ll need to make sure that:

  1. Syslog is being started with the -r parameter (to enable remote logging), and

  2. Make sure port 514 UDP is open if you’re running firewall software on your machine; 514 UDP is what syslog listens on, and

  3. Consider using firewall software to only allow Spamserver to submit messages to Hostingserver

To solve this I can simply NFS mount the /home partition from Hostingserver on Spamserver.

ATM, I’m not sure what your best option is here – I’d love to hear from other folks who have set this up.

But, I’ll offer that NIS seems more complex than I think you’d need :-)
-Eric

Heh, for someone who doesn't know Syslog well, that's actually a really good idea :-)

Well, I just asked myself: how would you program that? Good to see others have done it already :-)

I did enable syslogd -r on Hostingserver and I’m able to log something there from Spamserver using nc -w1 -u Hostingserver 514 <<< "logging from Spamserver". It gets logged to Hostingserver:/var/log/daemon.log

So far so good. I now added mail.* @Hostingserver to the mail section in Spamserver:/etc/syslogd.conf, restarted syslogd and spamassassin but nothing comes in at Hostingserver:/var/log/mail.log (or any other log file there).

Am I missing something?

Hm, looking again at Hostingserver:/var/log/mail.log it now works. Only thing I changed was to change the Hostingserver:/etc/hosts entry for Hostingserver from

xx.xx.xx.xx hostingserver

to

xx.xx.xx.xx hostingserver.domain.tld hostingserver

I also fiddled around with running syslogd with the -d flag to see what it does.

Don’t like this kind of mystery :-)

Configuring ClamAV to log remotely was also no big deal:

Added to Hostingserver:/etc/syslog.conf
local6.* /var/log/clamav/clamav.log

Note: The local ClamAV is not able to write to /var/log/clamav/clamav.log anymore because syslogd is changing the permissions to that file. So if you start ClamAV on Hostingserver again it may complain about that.

Added to Spamserver:/etc/syslog.conf
local6.* @hosting
local6.* /var/log/clamav/clamav.log

Changed Spamserver:/etc/clamav/clamd.conf
#LogFile /var/log/clamav/clamav.log
LogSyslog true
LogFacility LOG_LOCAL6

Restarted syslogd on Hostingserver and Spamserver, restarted clamav-daemon on Spamserver.

Regarding the question about how to access the remote user HOMEs: I solved it by NFS mounting the remote Hostingserver:/home on Spamserver and copying user entries only from the Hostingserver:/etc/passwd to Spamserver:/etc/passwd. If you want to set it up like I did, follow these steps (on Ubuntu 8.04):

At Hostingserver:

  • aptitude install nfs-kernel-server nfs-common portmap
  • Add to /etc/exports:
    /home Spamserver(rw,async,no_root_squash,no_subtree_check)
  • /etc/init.d/nfs-kernel-server reload

At Spamserver:

  • aptitude install portmap nfs-common
  • Add to /etc/fstab:
    Hostingserver:/home /home nfs rsize=8192,wsize=8192,timeo=14,intr,soft,bg
  • mount /home

Script for regularly copying user entries from Hostingserver to Spamserver. You may call it regularly using cron. I welcome your comments on this script!

[code:1]
#!/bin/sh
#
# This script rebuilds your /etc/passwd by merging local system users
# and standard users from a remote system. It will not copy entries
# from the /etc/shadow or /etc/master.passwd file.
#
# The remote system must be accessible by SSH using public key
# authentication.
#
# Modifying the /etc/passwd file sounds dangerous and it is dangerous.
# This script will take care of different error conditions and will
# stop immediately in such a case.
#
# The author takes no responsibility for any damage caused by this
# script.
#
# © 2009, Bernhard Fuerst <bernhard.fuerst@fuerstnet.de>

# Define the remote user and host, divided by @ sign
REMOTE_USER_AND_HOST='root@Hostingserver'

# Define the first and last UID which your system uses for standard users
# Hard code the values here if your system does not know /etc/adduser.conf
#FIRST_UID=1000
#LAST_UID=29999

# On Linux we load /etc/adduser.conf to get the first and last UID
[ -f /etc/adduser.conf ] && . /etc/adduser.conf

# Stop if the UID limits are still unset; the filters below depend on them
[ -n "${FIRST_UID}" ] && [ -n "${LAST_UID}" ] || exit 1

# If your remote system is running a different UNIX/Linux flavour
# you may edit the limits here
REMOTE_FIRST_UID=${FIRST_UID}
REMOTE_LAST_UID=${LAST_UID}

# Save the local system users
awk -v FIRST_UID="${FIRST_UID}" -v LAST_UID="${LAST_UID}" -F: '($3<FIRST_UID) || ($3>LAST_UID)' /etc/passwd > /etc/passwd_new
[ $? -ne 0 ] && exit 1

# Get the remote standard users (\$3 is escaped so that it reaches the remote awk unexpanded)
ssh ${REMOTE_USER_AND_HOST} "awk -v FIRST_UID=${REMOTE_FIRST_UID} -v LAST_UID=${REMOTE_LAST_UID} -F: '(\$3>=FIRST_UID) && (\$3<=LAST_UID)' /etc/passwd" >> /etc/passwd_new
[ $? -ne 0 ] && exit 1

# Check if there is at least the root account set
# (the pattern is anchored to the UID field, so a GID of 0 alone does not match)
[ "$(grep -c '^root:[^:]*:0:' /etc/passwd_new)" -ne 1 ] && exit 1

# Move the created file
mv /etc/passwd_new /etc/passwd
[/code:1]
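
The UID filter in the script above runs on the remote host, so the local machine accepts whatever lines come back over SSH. The following added example (not part of the original post) re-checks the fetched lines locally before they are merged; the function names `check_remote_entries` and `sample_check`, the allowed user-name characters and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the poster's code): vet passwd lines fetched from the
# remote host locally, rather than trusting the UID filter that ran remotely.

# check_remote_entries REMOTE_FILE FIRST_UID LAST_UID LOCAL_PASSWD
# Prints every rejected line with a reason; returns 0 only if all lines pass.
check_remote_entries() {
    awk -F: -v first="$2" -v last="$3" '
        function bad(why) { printf "rejected (%s): %s\n", why, $0; errors++ }
        # First file (local passwd): remember the system account names.
        FILENAME == ARGV[1] {
            if ($3 + 0 < first || $3 + 0 > last) name[$1] = 1
            next
        }
        NF != 7                              { bad("field count"); next }
        # Allowed name characters are an assumption; adjust to your naming.
        $1 == "" || $1 ~ /[^A-Za-z0-9_.@-]/  { bad("user name"); next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad("non-numeric id"); next }
        $3 + 0 < first || $3 + 0 > last      { bad("uid out of range"); next }
        ($1 in name) || ($1 in seen)         { bad("duplicate name"); next }
        { seen[$1] = 1 }
        END { exit (errors > 0) }
    ' "$4" "$1"
}

# Constructed sample data: two ordinary users, then a UID-0 line and a name
# that shadows a local system account. Echoes the two return codes.
sample_check() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'daemon:x:1:1:daemon:/usr/sbin:/bin/false' > "$dir/local"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'bob.example:x:1001:1001::/home/bob:/bin/false' > "$dir/good"
    printf '%s\n' 'toor:x:0:0::/root:/bin/sh' \
                  'daemon:x:1002:1002::/home/d:/bin/sh' > "$dir/bad"
    good=0; bad=0
    check_remote_entries "$dir/good" 1000 29999 "$dir/local" >/dev/null || good=$?
    check_remote_entries "$dir/bad" 1000 29999 "$dir/local" >/dev/null || bad=$?
    rm -rf "$dir"
    echo "$good $bad"
}
```

In the merge script this check would sit between the SSH fetch and the final `mv`, with the remote lines written to their own temporary file first so they can be inspected before being appended.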