Install Linux Malware Detect
(LMD) in RHEL,CentOS and Fedora
Step 1: Downloading Linux
Malware Detect (LMD)
Downloading latest LMD package using following wget command.
# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Step 2: Installing LMD
Installation and Configuration of LMD is a bit easy task, just follow below
steps as root user.
# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh
Sample Output
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)
Step 3: Configuring LMD
By default all options are fully commented in
the configuration file, so configure it according to your needs. But before
making any changes let’s have a detailed review of each option below.
o
email_alert : If you would like to receive email alerts, then it should be
set to 1.
o
email_subj : Set your email subject here.
o
email_addr : Add your email address to receive malware alerts.
o
quar_hits : The default quarantine action for malware hits, it should be
set 1.
o
quar_clean : Cleaing detected malware injections, must set to 1.
o
quar_susp : The default suspend action for users wih hits, set it as per
your requirements.
o
quar_susp_minuid : Minimum userid that can be suspended.
Open file /usr/local/maldetect/conf.maldet and make changes according to your
needs.
# vi /usr/local/maldetect/conf.maldet
Sample Configuration
Here is the my sample configuration
file.
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1
# The subject line for email alerts
email_subj="maldet alert from $(hostname)"
# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="tecmint.com@gmail.com"
# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1
# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1
# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
Step 4: Manual Scans and
Usage
If you would like to scan user’s Home directory, then simply issue following
command.
# maldet --scan-all /home
You performed a scan but failed to turn
on the quarantine option, don’t worry just use the following command to turn on
and quarantine all previous malware scan results.
# maldet --quarantine SCANID
OR
# maldet --clean SCANID
Step 5: Daily Scans
By default installation keeps LMD script
under /etc/cron.daily/maldet and it is used to perform a daily
scans, update of signatures, quarantine etc, and sends a daily report of
malware scan to your specified emails. If you need to add additional paths to
be scanned, then you should edit this file accordingly to your requirements.
# vi /etc/cron.daily/maldet
Thank You
No comments:
Post a Comment