Installation Linux Malware Detect (Maldet)

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

Installation

Installation is very straightforward. Ensure to change the version number below to the one you have actually downloaded:

After the installation has been completed succesfully, you will be presented with the following output.

 

Configuration

Maldet can be configured by editing the file below:

The default file looks as follows:

You may edit the following values to configure Maldet to your needs

  • email_alert : If you would like to receive email alerts, then it should be set to 1.
  • email_subj : Set your email subject here.
  • email_addr : Add your email address to receive malware alerts.
  • quar_hits : The default quarantine action for malware hits, it should be set 1.
  • quar_clean : Cleaing detected malware injections, must set to 1.
  • quar_susp : The default suspend action for users wih hits, set it as per your requirements.
  • quar_susp_minuid : Minimum userid that can be suspended.

 

Cronjob for automated scan

During installation, a daily cron job script is installed in /etc/cron.daily/maldet.

The cronjob installed by LMD is used to perform daily update of signature files, keep the session, temp and quarantine data to no more than 14 days old and it runs a daily scan of recent file system changes. If inotify-based real time monitoring is enabled, the daily cron job also scans the recently updated/created files for malware. The folder structures for the most popular control panel configurations: Ensim, Plesk, DirectAdmin, Cpanel, Interworx, have been imcluded.

You should ensure compatibility with your servers’ structure of homedirs and make sure it corresponds with this cron file. Take special note of the control panel specific sections in this cron file.

In order to activate email alerts when malware is detected, you need to open the Maldet configuration file, which is located at:
/usr/local/maldetect/conf.maldet .

 

iNotify Monitoring

The inotify monitoring feature is designed to monitor users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with: http://www.rfxn.com/upgrade-centos-4-8-to-5-3/

There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.

  • e.g: maldet –monitor users
  • e.g: maldet –monitor /root/monitor_paths
  • e.g: maldet –monitor /home/mike,/home/ashton

The options break down as follows:

  • USERS – The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then the users webdir, if it exists, will only be monitored.
  • PATHS – A comma spaced list of paths to monitor
  • FILE – A line spaced file list of paths to monitor

you can run maldet as a daemon as follows. The example below displays the syntax for a comma spaced list of paths to monitor

 

Usage

To scan a folder, for example /home you should enter:

you can examine the malware scan report by running the following command and appending the scan report ID.

To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning.

Clean all malware results from a previous scan

Restore a file that you have already quarantined

 

Ignore Files

There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.

ignore_paths

This is a line spaced file for paths that are to be execluded from search results

ignore_sigs

This is a line spaced file for signatures that should be removed from file scanning

ignore_inotify

This is a line spaced file for paths that are to be excluded from inotify monitoring

 

Sevebilirsin...

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir