Installing Linux Malware Detect on a CentOS 6 VPS

What is Malware?

OK – let’s start at the beginning.  I’m assuming that most of you will have at least heard of the term malware but what is it?

Malware is short for “malicious software”: software (programs) written for the purpose of doing something malicious on a computer.

That could be as annoying as defacing your homepage or as nefarious as syphoning off credit card and billing information.

Malware can be written by anyone from a teenager in their bedroom to state-sponsored terrorism (NSA reading your emails for example). “Hi there NSA! – thanks for reading along.” :-P

There are various methods of deployment to get the malware on your machines, but I’m not going to go into those.  This post is going to show you how you can scan for and detect malware.

What is Linux Malware Detect?

Linux Malware Detect (LMD) is an open-source malware scanner that runs under various flavours of Linux, distributed under the GPL2 license.

It scans the computer for known malware threats and can quarantine suspicious files and/or simply alert you to their presence.

LMD is specifically designed to seek out threats that target shared hosting systems, so if you have cPanel installed and are using your VPS to host several accounts, LMD will help keep your environment clean.

Installing LMD

The following install and setup method was performed on a CentOS 6 VPS but should work fine on RHEL 6.x and Fedora 12+.

You will need to have SSH root access to your VPS.

Step 1 – Download LMD

From your SSH session, download the latest LMD package into the temp folder of your VPS using the wget command.

cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Step 2 – Installing LMD

Install and configure LMD using the following commands.

tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh

The first command unpacks the archive, the second changes into the unpacked folder and the third runs the install script.

You may come across a "permission denied" message when running the install script. If this happens, do the following:

chmod +x ./install.sh
su root ./install.sh

This adds execute permission to the install script and runs it explicitly as the root user.

The install script will only take a few seconds to run.  Here’s a sample of what you will see in your bash shell.

Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks
            (C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

Step 3 – Configuring LMD

From the installation output you can see that LMD has been installed into the folder /usr/local/maldetect, which is also where the conf.maldet configuration file lives, so go there and edit the file using the vi editor.

cd /usr/local/maldetect
vi conf.maldet

The settings are pretty straightforward and well commented.

The first setting you’ll want to change is the email alert address, email_addr, to your own address (email_alert=1 is the toggle that turns the alerts on).

There are also options to automatically quarantine suspicious files and to suspend cPanel accounts which contain detected malicious code.

Here’s a sample of settings from the configuration file:


# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="webmaster@mydomain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0

# minimum userid that can be suspended
quar_susp_minuid=500


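If you look after more than one VPS, opening vi on each box gets old quickly. The following POSIX shell helper is an added example (it is not part of the original post and not part of LMD) that makes the Step 3 edits from a script: it replaces an uncommented `KEY=value` line in a conf.maldet-style file, appends the key if it is missing, and then runs `sh -n` on the result, because maldet sources conf.maldet as shell and a broken edit would break every scan. The config excerpt it writes is constructed for the demo; on a real VPS the file is /usr/local/maldetect/conf.maldet.

```shell
#!/bin/sh
# Added example: set conf.maldet values from a script instead of editing with vi.
# Not part of LMD; the sample config written below is constructed for the demo.

# set_conf KEY VALUE FILE
# Replace the uncommented "KEY=..." assignment in FILE, or append one if it is
# missing. Numeric values are written bare and everything else double-quoted,
# matching the style of conf.maldet, which maldet sources as a shell script.
set_conf() {
    key=$1; value=$2; file=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { q = (v ~ /^[0-9]+$/) ? "" : "\""; done = 0 }
        index($0, k "=") == 1 { print k "=" q v q; done = 1; next }
        { print }
        END { if (!done) print k "=" q v q }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    # Refuse to leave behind a file the scanner cannot source.
    sh -n "$file"
}

# get_conf KEY FILE : print the current value of KEY, surrounding quotes removed
get_conf() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# write_sample_conf FILE : constructed excerpt in the shape of conf.maldet
write_sample_conf() {
    cat > "$1" <<'EOF'
# The default email alert toggle
email_alert=0
# The destination addresses for email alerts
email_addr="webmaster@mydomain.com"
# The default quarantine action for malware hits
quar_hits=0
EOF
}

# Demo: configure a scratch copy the way Step 3 describes (alerts on, your own
# address, quarantine on). The quar_susp_minuid key is absent from the excerpt,
# so it gets appended rather than replaced.
demo=$(mktemp)
write_sample_conf "$demo"
set_conf email_alert 1 "$demo"
set_conf email_addr "you@example.org" "$demo"
set_conf quar_hits 1 "$demo"
set_conf quar_susp_minuid 500 "$demo"
cat "$demo"
rm -f "$demo"
```

Matching on `index($0, k "=") == 1` rather than a regular expression means a key is only ever matched at the start of an uncommented line, so `email_alert` never touches a hypothetical `email_alert_foo` and comment lines that mention the key are left alone.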

Step 4 – Run a manual scan

Now that LMD is installed on your VPS it’s probably a good idea to run a manual scan to see if there are any issues.

maldet --scan-all /home

Execution time for the scan will of course depend on how many files you have on your VPS, and at the end you will receive a report telling you how many files were scanned, how many issues were detected and how many files were quarantined.

This is also a good time to check that you received the email alert.

Here’s a sample output from the script.

SCAN ID: 092213-0752.4491
TIME: Sep 22 09:03:12 +0100
PATH: /home
TOTAL FILES: 41244
TOTAL HITS: 3
TOTAL CLEANED: 0

If you had not turned on quarantining and the scan detected issues, you can still quarantine those files afterwards using the SCAN ID associated with the report:

maldet --quarantine SCANID

or

maldet --clean SCANID
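A report like the one above is easy to read by eye but is also worth checking by script, so that a wrapper or a monitoring job fails loudly when hits are detected that were not cleaned. The following POSIX shell snippet is an added example (not from the original post, not from LMD): it parses the summary fields, computes the number of outstanding hits and names the scan ID to use with the quarantine or clean commands above. The report text is a constructed sample in the same shape as the output above; maldet itself is not invoked.

```shell
#!/bin/sh
# Added example: turn a maldet scan summary into a pass/fail result.
# SAMPLE_REPORT is constructed in the shape of the report shown in the post.
SAMPLE_REPORT='SCAN ID: 092213-0752.4491
TIME: Sep 22 09:03:12 +0100
PATH: /home
TOTAL FILES: 41244
TOTAL HITS: 3
TOTAL CLEANED: 0'

# report_field NAME REPORT : print the value of the first "NAME: value" line
report_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# as_number VALUE : echo VALUE if it is a non-negative integer, else 0, so a
# missing or mangled summary line cannot break the arithmetic below
as_number() {
    case $1 in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$1" ;;
    esac
}

# unhandled_hits REPORT : hits that were detected but not cleaned
unhandled_hits() {
    hits=$(as_number "$(report_field 'TOTAL HITS' "$1")")
    cleaned=$(as_number "$(report_field 'TOTAL CLEANED' "$1")")
    echo $((hits - cleaned))
}

# check_report REPORT : return 0 when nothing is outstanding, 1 otherwise, and
# print the scan ID so the follow-up commands from the post can be run on it
check_report() {
    n=$(unhandled_hits "$1")
    if [ "$n" -gt 0 ]; then
        id=$(report_field 'SCAN ID' "$1")
        echo "scan $id: $n hit(s) detected and not cleaned" >&2
        echo "follow up with: maldet --quarantine $id  (or maldet --clean $id)" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. In real use pass the saved scan summary,
# e.g. check_report "$(maldet --scan-all /home 2>&1)" (assumption: the summary
# lines are emitted in the form shown in the post).
if check_report "$SAMPLE_REPORT"; then
    echo "scan clean"
else
    echo "action required"
fi
```

The exit status is the useful part: a cron wrapper or a monitoring agent can act on it without having to parse the email alert, and a scan whose summary is missing or truncated is treated as having zero hits only for the fields it cannot read, never as a false "clean".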

Step 5 – Daily Scans

The installation script creates a daily cron job file maldet in the /etc/cron.daily folder.

This daily cron job scans the computer, installs updates and malware signatures, quarantines suspicious files and sends out the email alert.

If you need any additional folders to be scanned, add them to this cron job script:

vi /etc/cron.daily/maldet

Success!  Your VPS is now a lot more secure than it was before you installed LMD.

Source : http://www.limecanvas.com/