{"id":620,"date":"2021-07-27T17:08:20","date_gmt":"2021-07-27T17:08:20","guid":{"rendered":"http:\/\/www.webhostingchennai.co.in\/blog\/?p=620"},"modified":"2021-07-27T13:43:31","modified_gmt":"2021-07-27T13:43:31","slug":"installation-linux-malware-detect-maldet-centos","status":"publish","type":"post","link":"https:\/\/bestunixhosting.in\/blog\/installation-linux-malware-detect-maldet-centos\/","title":{"rendered":"Installation Linux Malware Detect (Maldet) On CentOS"},"content":{"rendered":"<p><span style=\"text-decoration: underline;\"><strong>Linux Malware Detect (LMD) :<\/strong><\/span> is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.<\/p>\n<p>Additionally, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. 
The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Installation\"><\/span><span style=\"text-decoration: underline;\">Installation:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Now, we can proceed with downloading and installing the LMD.<\/p>\n<pre># cd 
\/usr\/local\/src\r\n# wget http:\/\/www.rfxn.com\/downloads\/maldetect-current.tar.gz\r\n# tar -zxvf maldetect-current.tar.gz\r\n# cd maldetect-1.4.2\r\n# .\/install.sh<\/pre>\n<p>After the installation has been completed successfully, you will be presented with the following output.<\/p>\n<pre>Linux Malware Detect v1.4.2\r\n(C) 2002-2011, R-fx Networks\r\n(C) 2011, Ryan MacDonald\r\ninotifywait (C) 2007, Rohan McGovern\r\nThis program may be freely redistributed under the terms of the GNU GPL\r\n\r\ninstallation completed to \/usr\/local\/maldetect\r\nconfig file: \/usr\/local\/maldetect\/conf.maldet\r\nexec file: \/usr\/local\/maldetect\/maldet\r\nexec link: \/usr\/local\/sbin\/maldet\r\nexec link: \/usr\/local\/sbin\/lmd\r\ncron.daily: \/etc\/cron.daily\/maldet\r\n\r\nmaldet(6073): {sigup} performing signature update check...\r\nmaldet(6073): {sigup} local signature set is version 2013102428301\r\nmaldet(6073): {sigup} new signature set (2013102428301) available\r\nmaldet(6073): {sigup} downloaded http:\/\/www.rfxn.com\/downloads\/md5.dat\r\nmaldet(6073): {sigup} downloaded http:\/\/www.rfxn.com\/downloads\/hex.dat\r\nmaldet(6073): {sigup} downloaded http:\/\/www.rfxn.com\/downloads\/rfxn.ndb\r\nmaldet(6073): {sigup} downloaded http:\/\/www.rfxn.com\/downloads\/rfxn.hdb\r\nmaldet(6073): {sigup} downloaded http:\/\/www.rfxn.com\/downloads\/maldet-clean.tgz\r\nmaldet(6073): {sigup} signature set update completed\r\nmaldet(6073): {sigup} 10849 signatures (8981 MD5 \/ 1868 HEX)<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Configuring_LMD\"><\/span><span style=\"text-decoration: underline;\">Configuring LMD:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Maldet can be configured by editing the file below:<\/p>\n<pre># nano \/usr\/local\/maldetect\/conf.maldet<\/pre>\n<p>The default file looks as follows:<\/p>\n<pre># [ EMAIL ALERTS ]\r\n##\r\n# The default email alert toggle\r\n# [0 = disabled, 1 = enabled]\r\nemail_alert=1\r\n\r\n# The subject line 
for email alerts\r\nemail_subj=\"maldet alert from $(hostname)\"\r\n\r\n# The destination addresses for email alerts\r\n# [ values are comma (,) spaced ]\r\nemail_addr=\"youremail@yourdomain.com\"\r\n\r\n# Ignore e-mail alerts for reports in which all hits have been cleaned.\r\n# This is ideal on very busy servers where cleaned hits can drown out\r\n# other more actionable reports.\r\nemail_ignore_clean=0\r\n\r\n##\r\n# [ QUARANTINE OPTIONS ]\r\n##\r\n# The default quarantine action for malware hits\r\n# [0 = alert only, 1 = move to quarantine &amp; alert]\r\nquar_hits=1\r\n\r\n# Try to clean string based malware injections\r\n# [NOTE: quar_hits=1 required]\r\n# [0 = disabled, 1 = clean]\r\nquar_clean=1\r\n\r\n# The default suspend action for users wih hits\r\n# Cpanel suspend or set shell \/bin\/false on non-Cpanel\r\n# [NOTE: quar_hits=1 required]\r\n# [0 = disabled, 1 = suspend account]\r\nquar_susp=0\r\n# minimum userid that can be suspended\r\nquar_susp_minuid=500\r\n<\/pre>\n<p>You may edit the following values to configure Maldet to your needs:<\/p>\n<ul>\n<li>email_alert : If you would like to receive email alerts, then it should be set to 1.<\/li>\n<li>email_subj : Set your email subject here.<\/li>\n<li>email_addr : Add your email address to receive malware alerts.<\/li>\n<li>quar_hits : The default quarantine action for malware hits; it should be set to 1.<\/li>\n<li>quar_clean : Cleaning detected malware injections; must be set to 1.<\/li>\n<li>quar_susp : The default suspend action for users with hits; set it as per your requirements.<\/li>\n<li>quar_susp_minuid : Minimum userid that can be suspended.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"Configuring_Cronjob_for_automated_scan\"><\/span><span style=\"text-decoration: underline;\">Configuring Cronjob for automated scan:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>During installation, a daily cron job script is installed in <code>\/etc\/cron.daily\/maldet<\/code>.<\/p>\n<p>The 
cron job installed by LMD performs a daily update of signature files, keeps the session, temp and quarantine data to no more than 14 days old, and runs a daily scan of recent file system changes. If inotify-based real time monitoring is enabled, the daily cron job also scans the recently updated\/created files for malware. The folder structures for the most popular control panel configurations (Ensim, Plesk, DirectAdmin, Cpanel, Interworx) have been included.<\/p>\n<p>You should ensure that your server&#8217;s structure of home dirs corresponds with this cron file. Take special note of the control panel specific sections in this cron file.<\/p>\n<pre>#!\/bin\/bash\r\n\r\n# clear quarantine\/session\/tmp data every 14 days\r\n\/usr\/sbin\/tmpwatch 336 \/usr\/local\/maldetect\/tmp &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/sbin\/tmpwatch 336 \/usr\/local\/maldetect\/sess &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/sbin\/tmpwatch 336 \/usr\/local\/maldetect\/quarantine &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/sbin\/tmpwatch 336 \/usr\/local\/maldetect\/pub\/*\/ &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\r\n# check for new release version\r\n\/usr\/local\/maldetect\/maldet -d &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\r\n# check for new definition set\r\n\/usr\/local\/maldetect\/maldet -u &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\r\n# if were running inotify monitoring, send daily hit summary\r\nif [ \"$(ps -A --user root -o \"comm\" | grep inotifywait)\" ]; then\r\n\/usr\/local\/maldetect\/maldet --alert-daily &gt;&gt; \/dev\/null 2&gt;&amp;1\r\nelse\r\n# scan the last 2 days of file changes\r\nif [ -d \"\/home\/virtual\" ] &amp;&amp; [ -d \"\/usr\/lib\/opcenter\" ]; then\r\n# ensim\r\n\/usr\/local\/maldetect\/maldet -b -r \/home\/virtual\/?\/fst\/var\/www\/html 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/local\/maldetect\/maldet -b -r \/home\/virtual\/?\/fst\/home\/?\/public_html 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\nelif [ -d \"\/etc\/psa\" ] &amp;&amp; [ -d \"\/var\/lib\/psa\" ]; then\r\n# psa\r\n\/usr\/local\/maldetect\/maldet -b -r \/var\/www\/vhosts\/?\/httpdocs 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/local\/maldetect\/maldet -b -r \/var\/www\/vhosts\/?\/subdomains\/?\/httpdocs 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\nelif [ -d \"\/usr\/local\/directadmin\" ]; then\r\n# DirectAdmin\r\n\/usr\/local\/maldetect\/maldet -b -r \/var\/www\/html\/?\/ 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\n\/usr\/local\/maldetect\/maldet -b -r \/home?\/?\/domains\/?\/public_html 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\nelse\r\n# cpanel, interworx and other standard home\/user\/public_html setups\r\n\/usr\/local\/maldetect\/maldet -b -r \/home?\/?\/public_html 2 &gt;&gt; \/dev\/null 2&gt;&amp;1\r\nfi\r\nfi\r\n<\/pre>\n<p>In order to activate email alerts when malware is detected, you need to open the Maldet configuration file, which is located at:<\/p>\n<pre># \/usr\/local\/maldetect\/conf.maldet<\/pre>\n<pre>email_alert=1\r\nemail_subj=\"Maldet alert from $(hostname)\"\r\nemail_addr=\"email@domain.com\"<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"iNotify_Monitoring\"><\/span><span style=\"text-decoration: underline;\">iNotify Monitoring:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The inotify monitoring feature is designed to monitor users in real-time for file creation\/modify\/move operations. 
This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS\/RHEL 6 by default.<\/p>\n<p>The monitor can be executed in three modes, which determine what will be monitored: USERS|PATHS|FILES.<\/p>\n<ul>\n<li>e.g: maldet --monitor users<\/li>\n<li>e.g: maldet --monitor \/root\/monitor_paths<\/li>\n<li>e.g: maldet --monitor \/home\/webhost,\/home\/chennai<\/li>\n<\/ul>\n<p>The options break down as follows:<\/p>\n<ul>\n<li><strong>USERS<\/strong> &#8211; The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set, then only the user's webdir, if it exists, will be monitored.<\/li>\n<li><strong>PATHS<\/strong> &#8211; A comma spaced list of paths to monitor<\/li>\n<li><strong>FILE<\/strong> &#8211; A line spaced file list of paths to monitor<\/li>\n<\/ul>\n<p>You can run maldet as a daemon as follows. The example below displays the syntax for a comma spaced list of paths to monitor.<\/p>\n<pre># maldet -m \/var,\/home<\/pre>\n<pre>maldet(5330): {mon} set inotify max_user_instances to 128\r\nmaldet(5330): {mon} set inotify max_user_watches to 61440\r\nmaldet(5330): {mon} added \/var to inotify monitoring array\r\nmaldet(5330): {mon} added \/home\/xmodulo to inotify monitoring array\r\nmaldet(5330): {mon} starting inotify process on 1 paths, this might take awhile...\r\nmaldet(5330): {mon} inotify startup successful (pid: 4154)\r\nmaldet(5330): {mon} inotify monitoring log: \/usr\/local\/maldetect\/inotify\/inotify_log<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Usage\"><\/span><span style=\"text-decoration: underline;\">Usage:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>To scan a folder, for example \/home, enter:<\/p>\n<pre># maldet -a \/home<\/pre>\n<p>You can examine the malware scan report by running the following command and appending the scan report 
ID.<\/p>\n<pre># maldet --report number-xxxx.xxxxx<\/pre>\n<p>To quarantine the infected files, run the following command with the scan report ID. The infected files will then be quarantined for cleaning.<\/p>\n<pre># maldet -q SCANID\r\n# maldet --quarantine SCANID<\/pre>\n<p>Clean all malware results from a previous scan:<\/p>\n<pre># maldet -n SCANID\r\n# maldet --clean SCANID<\/pre>\n<p>Restore a file that you have already quarantined:<\/p>\n<pre># maldet -s FILENAME\r\n# maldet --restore FILENAME<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Ignore_Files\"><\/span><span style=\"text-decoration: underline;\">Ignore Files:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>There are three ignore files available in Linux Malware Detect. These can be used to exclude files from daily malware scans.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"ignore_paths\"><\/span><span style=\"text-decoration: underline;\">ignore_paths:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>This is a line spaced file for paths that are to be excluded from search results.<\/p>\n<pre># \/usr\/local\/maldetect\/ignore_paths<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"ignore_sigs\"><\/span><span style=\"text-decoration: underline;\">ignore_sigs:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>This is a line spaced file for signatures that should be removed from file scanning.<\/p>\n<pre># \/usr\/local\/maldetect\/ignore_sigs<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Linux Malware Detect (LMD) : is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. 
Additionally, threat [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":956,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[27,56,23],"tags":[53,54,55],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/posts\/620"}],"collection":[{"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/comments?post=620"}],"version-history":[{"count":1,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/posts\/620\/revisions"}],"predecessor-version":[{"id":1222,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/posts\/620\/revisions\/1222"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/media?parent=620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/categories?post=620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bestunixhosting.in\/blog\/wp-json\/wp\/v2\/tags?post=620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}