Install Linux Malware Detect (LMD) On CentOS
Version 1.0
Author: Eladio Martinez <eladio@mafecs.com>
http://twitter.com/mafecsllc
In this tutorial I will show you how to install and configure the malware scanner LMD (Linux Malware Detect) on your CentOS server.
What is Linux Malware Detect (LMD)?
Linux Malware Detect (LMD) is a free, open source malware scanner and detector for Unix/Linux based operating systems, released under the GNU GPLv2. It is designed around the threats faced by shared hosting environments.
Preliminary Notes
I run all the commands below as root on CentOS 6.3, but this tutorial will also work on compatible systems such as RHEL and Fedora.
1 Downloading and Installing Linux Malware Detect (LMD)
Download the latest LMD package to the /tmp directory.
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Extract and install LMD with:
tar zxvf maldetect-current.tar.gz
cd maldetect-*
./install.sh
This is sample output of what you will get:
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)
2 Configuring LMD files
Every option in the configuration file is documented with a comment; just change the parameters according to your needs. But before making any changes, let's have a look at the most important options:
1. email_alert - If you would like to receive email alerts, set it to 1.
2. email_subj - Set your email subject here.
3. email_addr - Add the email address that should receive malware alerts.
4. quar_hits - The default quarantine action for malware hits; it should be set to 1.
5. quar_clean - Cleaning of detected malware injections; must be set to 1.
6. quar_susp - The default suspend action for users with hits; set it as per your requirements.
7. quar_susp_minuid - Minimum user ID that can be suspended.
Edit the file /usr/local/maldetect/conf.maldet and make changes according to your needs.
vi /usr/local/maldetect/conf.maldet
This is my sample configuration file:
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1
# The subject line for email alerts
email_subj="maldet alert from $(hostname)"
# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="eladio@mafecs.com"
# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1
# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1
# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
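The settings above can also be applied from a script rather than by hand, which is handy when you set up several servers. The following is an added example, not part of LMD: a small POSIX sh script that rewrites key=value options in a conf.maldet-style file idempotently, so re-running it is safe. The sample file contents, the temporary path and the admin@example.com address are constructed placeholders; point it at /usr/local/maldetect/conf.maldet (after taking a backup) on a real system.

```shell
#!/bin/sh
# Added example, not part of LMD: apply the tutorial's settings to a
# conf.maldet-style file idempotently (re-running it is safe).
# The sample file contents and the address below are constructed for the demo.
set -eu

# set_conf_value FILE KEY VALUE
# Rewrites an existing "KEY=..." line (even one commented out with '#') or
# appends one if the key is absent. The result is written back with cat so the
# target file keeps its owner and permissions. VALUE must not contain '|' or '&'.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
        cat "$file.tmp" > "$file"
        rm -f "$file.tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY -> prints the active (uncommented) value of KEY
get_conf_value() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# apply_tutorial_settings FILE -> the settings used in this tutorial's sample
# (admin@example.com is a placeholder; replace it with your own address)
apply_tutorial_settings() {
    conf=$1
    set_conf_value "$conf" email_alert 1
    set_conf_value "$conf" email_subj '"maldet alert from $(hostname)"'
    set_conf_value "$conf" email_addr '"admin@example.com"'
    set_conf_value "$conf" email_ignore_clean 0
    set_conf_value "$conf" quar_hits 1
    set_conf_value "$conf" quar_clean 1
    set_conf_value "$conf" quar_susp 0
    set_conf_value "$conf" quar_susp_minuid 500
}

# Demo on a constructed config file (the real one is /usr/local/maldetect/conf.maldet)
CONF=$(mktemp)
trap 'rm -f "$CONF" "$CONF.tmp"' EXIT
cat > "$CONF" <<'EOF'
# [ EMAIL ALERTS ]
# The default email alert toggle
email_alert=0
email_subj="maldet alert from $(hostname)"
email_addr="you@domain.com"
# [ QUARANTINE OPTIONS ]
quar_hits=0
quar_clean=0
quar_susp=0
quar_susp_minuid=500
EOF
apply_tutorial_settings "$CONF"
grep -v '^#' "$CONF"     # show the resulting active settings
```

Note that email_ignore_clean is not present in the constructed sample, so the script appends it; the other keys are rewritten in place, and a key whose line is commented out gets uncommented rather than duplicated.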
3 Manual Scans
If you would like to scan the users' home directories, simply issue the following command:
maldet --scan-all /home
If you performed a scan without the quarantine option turned on, don't worry: use the following command to quarantine all hits from a previous scan, identified by its SCANID:
maldet --quarantine SCANID
OR
maldet --clean SCANID
4 Daily Scans
By default the installation places an LMD script at /etc/cron.daily/maldet, which performs the daily scan, signature update and quarantining, and sends a daily malware scan report to the email addresses you specified. If you need additional paths to be scanned, edit this file according to your requirements.
vi /etc/cron.daily/maldet
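When you scan additional paths from your own job, it is worth quarantining explicitly whenever a scan reports hits, which automates the manual "maldet --quarantine SCANID" step from section 3 for the case where quar_hits is not enabled. The wrapper below is an added example, not part of LMD or of /etc/cron.daily/maldet: it runs maldet over a list of paths, extracts the SCANID and hit count from maldet's output, and quarantines the scans that had hits. The output lines it parses are constructed for the demo, and the assumed format (a "malware hits N" count and a "maldet --report SCANID" hint) should be checked against what your maldet version prints; /var/www and the MALDET and SCAN_PATHS variables are hypothetical.

```shell
#!/bin/sh
# Added example, not part of LMD: scan several paths and quarantine any scan
# that reported hits. The maldet output format parsed here is an ASSUMPTION
# (constructed for the demo); adjust the sed patterns if your version differs.
set -eu

MALDET=${MALDET:-/usr/local/sbin/maldet}
SCAN_PATHS=${SCAN_PATHS:-"/home /var/www"}   # hypothetical extra paths

# extract_scanid TEXT -> prints the SCANID that follows "--report " in TEXT
extract_scanid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*--report \([0-9][0-9]*-[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# hits_in_output TEXT -> prints the "malware hits N" count from TEXT, or 0
hits_in_output() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# scan_and_quarantine PATH... -> runs maldet over each path and, when the scan
# reported hits, quarantines that scan's results by SCANID (section 3)
scan_and_quarantine() {
    for p in "$@"; do
        out=$("$MALDET" --scan-all "$p" 2>&1) || true
        id=$(extract_scanid "$out")
        hits=$(hits_in_output "$out")
        if [ -n "$id" ] && [ "$hits" -gt 0 ]; then
            echo "scan $id of $p had $hits hit(s); quarantining"
            "$MALDET" --quarantine "$id"
        fi
    done
}

# Constructed sample of a scan's final output lines (not from a real run)
SAMPLE='maldet(4242): {scan} scan completed on /home: files 1780, malware hits 2, cleaned hits 0
maldet(4242): {scan} scan report saved, to view run: maldet --report 050213-1234.4242'

if [ "${1:-}" = "run" ]; then
    # shellcheck disable=SC2086  # unquoted on purpose: split SCAN_PATHS on spaces
    scan_and_quarantine $SCAN_PATHS
else
    echo "SCANID: $(extract_scanid "$SAMPLE")  hits: $(hits_in_output "$SAMPLE")"
fi
```

Run it as "sh scan-wrapper.sh run" from cron (or call it from /etc/cron.daily/maldet) to scan for real; without the argument it only parses the constructed sample so you can confirm the patterns match your maldet version before scheduling it.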
5 Links
http://www.rfxn.com/projects/linux-malware-detect/ — For more information and features on Linux Malware Detect.