Malware refers to any software intended to interfere with or disrupt the normal operation of a computing system. The most notorious kinds of malware are viruses, spyware and adware, but the harm they try to cause differs: some steal private information, some delete personal data, and others fall somewhere in between. Another common use of malware is to take control of a system and then use it to join a zombie network (botnet) that launches so-called denial of service (DoS) or distributed denial of service (DDoS) attacks.
In other words, we must not think "because I do not store any sensitive or critical data, I do not need to protect my systems from malicious software", because such data is not the only target of malicious software.
For this reason, this article explains how to install and configure Linux Malware Detect (also known as MalDet or simply LMD) and ClamAV (an antivirus engine) on RHEL 7.0/6.x (x is the version number), CentOS 7.0/6.x and Fedora 21-12.
LMD is a malware scanner released under the GPL v2 license and designed specifically for hosting environments. However, you will soon realize that you can benefit from MalDet no matter what kind of environment you work in.
Installing LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12
LMD is not available from online repositories; it is distributed as a tarball from the project website. The tarball containing the latest version of the source code is always available at the following link and can be downloaded with this command:
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Then we need to unpack the tarball and enter the directory where its contents were extracted. Since the current version is 1.4.2, the directory is maldetect-1.4.2. There we will find the installation script, install.sh.
# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
Download Linux malware detection tool
If we examine the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool but also performs a pre-check to see whether the default installation directory (/usr/local/maldetect) exists. If it does not, the script creates the installation directory before proceeding.
Finally, after the installation is complete, the cron.daily script (see figure) is placed in /etc/cron.daily so that it is run daily via cron. This helper script does several things, including clearing out old temporary data, checking for new versions of LMD, and scanning the default data directories of Apache and of web control panels (such as cPanel and DirectAdmin).
Having said that, run the installation script install.sh from the maldetect-1.4.2 directory as usual.
Installing Linux malware detection tools in Linux
Configuring LMD
LMD is configured through /usr/local/maldetect/conf.maldet, and all of its options are well commented, so configuration is fairly easy. If you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.
In the configuration file you will find the following sections, enclosed in square brackets:
EMAIL ALERTS
QUARANTINE OPTIONS
SCAN OPTIONS
STATISTICAL ANALYSIS
MONITORING OPTIONS
Each of these sections contains several variables that determine how LMD runs and which features are available.
If you want to receive the results of malware detection by email, set email_alert=1. For brevity, we will only forward mail to local system users, but you can also explore other options, such as sending email alerts to external users.
If you have set email_alert=1, also set email_subj="Your subject here" and email_addr=username@localhost.
quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine and alert), tells LMD what to do after detecting malware.
quar_clean lets you decide whether to clean string-based malware injections. Keep in mind that a string signature is, by definition, "a contiguous sequence of bytes that can potentially match many variants of a malware family."
quar_susp, the default suspend action for users with hits, lets you disable an account whose files have been identified as hits.
clamav_scan=1 tells LMD to try to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scanning performance and superior hexadecimal analysis. The option only uses ClamAV as the scanner engine; LMD signatures remain the basis for detecting threats.
Note: quar_clean and quar_susp require quar_hits to be enabled (=1).
In short, the lines with these variables in /usr/local/maldetect/conf.maldet should look as follows:
email_alert=1
email_addr=gacanepa@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
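The dependencies between these options can be checked mechanically before the first scan. The script below is an added example, not part of LMD or of the original article; check_maldet_conf, conf_get and sample_conf are hypothetical helper names, and it assumes conf.maldet consists of shell-style key=value lines, which do not tolerate spaces around the equals sign.

```shell
#!/bin/sh
# Added example (not LMD code): consistency check for the conf.maldet options
# covered above. Assumes the file holds shell-style key=value lines.
KEYS="email_alert email_addr quar_hits quar_clean quar_susp clamav_scan"
# conf_get FILE KEY: value of the last "KEY=value" line, double quotes removed.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_maldet_conf FILE: print one finding per line; the return status is
# the number of findings (0 means the options are consistent).
check_maldet_conf() {
    conf=$1
    n=0
    for key in $KEYS; do
        if grep -Eq "^[[:space:]]*$key([[:space:]]+=|=[[:space:]])" "$conf"; then
            # With spaces, the shell runs "key" as a command instead of assigning.
            echo "$key: remove the spaces around '='"; n=$((n + 1))
        elif ! grep -q "^$key=" "$conf"; then
            echo "$key: not set"; n=$((n + 1))
        fi
    done
    if [ "$(conf_get "$conf" email_alert)" = 1 ] &&
       [ -z "$(conf_get "$conf" email_addr)" ]; then
        echo "email_alert=1 but email_addr is empty"; n=$((n + 1))
    fi
    if [ "$(conf_get "$conf" quar_hits)" != 1 ]; then
        for key in quar_clean quar_susp; do
            if [ "$(conf_get "$conf" "$key")" = 1 ]; then
                echo "$key=1 has no effect unless quar_hits=1"; n=$((n + 1))
            fi
        done
    fi
    return "$n"
}

# Constructed sample with three problems: a spaced assignment, a misspelled
# ClamAV key, and quar_clean enabled while quar_hits is off.
sample_conf() {
    cat <<'EOF'
email_alert = 1
email_addr=root@localhost
quar_hits=0
quar_clean=1
quar_susp=0
clam_av=1
EOF
}
if [ $# -gt 0 ]; then check_maldet_conf "$1"; fi
```

Run it as root with /usr/local/maldetect/conf.maldet as the only argument; an exit status of 0 means none of the checks fired.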
Installing ClamAV on RHEL/CentOS 7.0/6.x and Fedora 21-12
To install ClamAV and take full advantage of the clamav_scan setting, follow these steps:
Create the repository file /etc/yum.repos.d/dag.repo:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/RedHat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1
Then run the command:
# yum update && yum install clamd
Note: These are just the basic instructions for installing ClamAV so that it integrates with LMD. We will not go into detail about configuring ClamAV because, as mentioned earlier, LMD signatures remain the basis for detecting and cleaning threats.
Testing LMD
We can now test our newly installed LMD/ClamAV setup. Instead of using real malware, we will use the EICAR test files (http://www.eicar.org/86-0-Intended-use.html), which are available for download from the EICAR website.
# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com
# wget http://www.eicar.org/download/eicar.com.txt
# wget http://www.eicar.org/download/eicar_com.zip
# wget http://www.eicar.org/download/eicarcom2.zip
At this point, you can either wait for the next cron job to run or run maldet manually yourself. We will use the second method:
# maldet --scan-all /var/www/
LMD also accepts wildcards, so if you want to scan only certain types of files (for example, zip files), you can do this:
# maldet --scan-all /var/www/*.zip
Linux malware scanning
After the scan is complete, you can either check the email sent by LMD or view the report with the following command:
# maldet --report 021015-1051.3559
Linux malware scanning report
Here 021015-1051.3559 is the SCANID (your actual SCANID will be slightly different).
IMPORTANT: Note that LMD found five hits because the eicar.com file was downloaded twice (resulting in eicar.com and eicar.com.1).
If you check the quarantine folder (I left just one of the files and deleted the rest), you will see the following:
# ls -l
Linux malware detection tool quarantined files
You can then delete all quarantined files with the following command:
# rm -rf /usr/local/maldetect/quarantine/*
In case that,
# maldet --clean SCANID
Since maldet needs to be integrated with cron, you need to set the following variables in root's crontab (as root, type crontab -e and press Enter) in case you notice that LMD is not running properly every day:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash
This will help to provide the necessary debugging information.
In this article we have discussed how to install and configure Linux Malware Detect together with ClamAV, a powerful partner. With these two tools, detecting malicious software should be a fairly easy task.
However, do yourself a favor and get familiar with the README file, as explained earlier, so you can be sure your system is well accounted for and properly managed.
If you have any comments or questions, please feel free to leave a message.