Tag Archives: Linux How to

Unix Similar multi-user operating systems based on the Linux kernel and essentially on GNU software. Like CentOS, Debian, Ubuntu Fedora.

ClamAV ERROR downloadFile Unexpected response

ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily-26440.cdiff
ERROR: getpatch: Can’t download daily-26440.cdiff from https://database.clamav.net/daily-26440.cdiff
ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd
ERROR: getcvd: Can’t download daily.cvd from https://database.clamav.net/daily.cvd
ERROR: Update failed for database: daily
ERROR: Database update process failed: HTTP GET failed (11)
ERROR: Update failed.

If you receive these error messages from ClamAV, you may need to update ClamAV.

Running ClamAV Update on Debian Linux

$ apt update
$ apt upgrade clamav

ClamAV Versions Check.

$ clamd --version
ClamAV 0.103.5/26441/Wed Feb 2 10:22:13 2022

Run ClamAV Update on CentOS Linux

$ yum update clamav

ClamAV updates are downloaded and installed.

Updated:
  clamav.x86_64 0:0.103.5-1.el7

Dependency Updated:
  clamav-filesystem.noarch 0:0.103.5-1.el7 clamav-lib.x86_64 0:0.103.5-1.el7 clamav-update.x86_64 0:0.103.5-1.el7 clamd.x86_64 0:0.103.5-1.el7

Complete!

After updating ClamAV, update the database.

$ freshclam
ClamAV update process started at Wed Feb 2 10:24:33 2022
daily database available for update (local version: 26439, remote version: 26440)
Current database is 1 version behind.
Downloading database patch # 26440...
Time: 0.2s, ETA: 0.0s [=============================>] 14.13KiB/14.13KiB
Testing database: '/var/lib/clamav/tmp.b7d0e4b52b/clamav-3a8a649f76dca0722c7acef0385a1cc2.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26440, sigs: 1973273, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 2m 04s, ETA: 0.0s [=============================>] 162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.b7d0e4b52b/clamav-a0387032c1bad0a864db82c1039625eb.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Check ClamAV version.

$ clamd --version
ClamAV 0.103.5/26440/Tue Feb 1 10:22:16 2022
$ freshclam --version
ClamAV 0.103.5/26440/Tue Feb 1 10:22:32 2022

GeoIP Firewall Configuration on Debian and Ubuntu

More security with GeoIP lockout for Debian and Ubuntu server

In this Turorial, the deployment and application of GeoIP with the kernel firewall of Debian 10 (buster) and Debian 11 (bullseye) or Ubuntu 20.04 LTS is applied. In addition to TLS connections and 2FA authentication, another instance is a firewall that can regulate the data traffic. Based on the public IP address, it is quite easy to determine from which city or from which region the access is currently taking place.

In addition, further considerations should be made whether the accessibility of websites and services from countries far away from local languages is at all appropriate, and relations may not be maintained with distant regions, such as to South Pacific. When tracking the sources of brute force and DDoS attacks, the sources are often found in the Far East and Russia.

A geolocation system is used to determine the location of systems. On the Internet, an IP address can be assigned to a country, a city or an organization in order to then determine the location.

Installation

The installation of the required services and libraries for GeoIP on Debian and Ubuntu is done as root with “su -” or “sudo su -“.

$ apt update && apt upgrade
$ apt -y install curl unzip perl iptables-dev xtables-addons-common libtext-csv-xs-perl libmoosex-types-netaddr-ip-perl pkg-config

The GeoIP database must be downloaded from the MaxMind website, with the following URL: https://www.maxmind.com. MaxMind is a Massachusetts-based digital mapping company that provides location data for IP addresses.

MaxMind requires you to register for the Free Account with a valid email. After logging in, go to My Account and Download Databases.

The GeoIP database must be downloaded from the Maxmind website

Under GeoIP2 and GeoIP Legacy Databases – GeoLite2-Country-CSV Format with Download ZIP download the file.

GeoIP2 and GeoIP Legacy Databases

  If you want to perform the download using Permalink, you need a license key, which you can generate under “My Account – Manage License Keys”, the download did not work here at this time (401 Unauthorized).

The contents of the GeoLite2-Country-CSV_20220125.zip ZIP file

GeoLite2 country CSV_20220125.zip

Create a new directory on the host and switch to it.

$ mkdir -p /usr/share/xt_geoip/
$ cd /usr/share/xt_geoip

Upload the downloaded country-CSV_20220125.zip file to the Debian or Ubuntu server using ftp or scp, xt_geoip to the directory path /usr/share/and and unzip it.

$ unzip GeoLite2-Country-CSV_20220125.zip
$ cd GeoLite2 country CSV_20220125
$ /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv

The CSV data is converted using the MaxMind CSV database converter to binary for xt_geoip. The output appears similar to the following, here in abbreviated form.

729578 entries total
    0 IPv6 ranges for
   16 IPv4 ranges for
362309 IPv6 ranges for 0 0
365215 IPv4 ranges for 0 0
    0 IPv6 ranges for 1 0
   28 IPv4 ranges for 1 0
    0 IPv6 ranges for AD Andorra
    8 IPv4 ranges for AD Andorra
...

The module xt_geoip load into memory with subsequent testing.

$ modprobe xt_geoip
$ lsmod | grep ^xt_geoip

The output should be similar to this.

xt_geoip 16384 34

The GeoIP integration for iptable is now complete, commands can now be executed with the following syntax.


iptables -m geoip –src-cc country[,country] -dst-cc country[,country]

For example, traffic from Russia and China should be blocked.

$ iptables -A INPUT -m geoip --src-cc RU,CN -j DROP

Example block accesses that do NOT come from Germany.

$ iptables -A INPUT -m geoip ! --src-cc EN -j DROP

It can also block the outgoing traffic, here to India.

$ iptables -A OUTPUT -m geoip -dst-cc IN -j DROP

  Helpful iptables commands.

$ iptables -vnL
$ iptables -L INPUT --line-numbers -vn

The output might look something like the following.

Chain INPUT (policy DROP 259 packets, 13704 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    68011   14M f2b-apache-auth  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
2     155K   41M f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
3     272K   12M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country RU,CN
5       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country BY,CY

This example swipe row 5.

$ iptables -D INPUT 5

Query ISO Country Code of an IP address.

$ apt install geoip-bin

Example query with geoiplookup.

$ geoiplookup 61.219.11.151
GeoIP Country Edition: TW, Taiwan

Example with iptables and GeoIP

An example with ISO codes for countries that are classified as obscure or as known suspicious havens and are explicitly blocked, the ISO codes of the DACH countries should be approved.

$ iptables -P INPUT DROP
$ iptables -A INPUT -m geoip --src-cc AT,CH,DE -j ACCEPT
$ iptables -N DROP_GEOIP
$ iptables -A DROP_GEOIP -m geoip --src-cc ID -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc KP -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TJ -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TM -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TR -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc UA -j DROP
$ iptables -A DROP_GEOIP -m geoip ! --src-cc AT,CH,DE -j DROP
$ iptables -A INPUT -j DROP_GEOIP

  The (!) argument inverts the passed values, which excludes ISO (AT,CH,DE) from jump to DROP.

Check the iptables INPUT chain with line-numbers, the output as follows for this example.

$ iptables -L INPUT --line-numbers -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     273K   12M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2     273K   12M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3     273K   12M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country RU,CN
5       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country BY,CY
6       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country HK,KP
7       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country KG,KZ
8       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country UA,VN
9       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country MD,GE
10      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country TW,TM
11    102  5329 DROP_GEOIP all  --  *      *       0.0.0.0/0            0.0.0.0/0
12     90  4827 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip ! --source-country AT,CH,DE

iptables-persistent

Reactivate the iptables chains after a restart, to do this iptables-persistent is installed.

$ apt install iptables-persistent

Confirm with yes to back up the iptables during installation.

Install iptables-persistent

The iptables chains can be backed up with iptables-save to restore them at a later time.

$ iptables-save > /etc/iptables/rules.v4
$ ip6tables-save > /etc/iptables/rules.v6

Recovery with iptables-restore.

$ iptables-restore < /etc/iptables/rules.v4
$ ip6tables-restore < /etc/iptables/rules.v6