How To Increase server security using Linux Malware Detect ( LMD )

Introduction

LMD or the Linux Malware detect is yet another useful software application form RfxNetworks , it has been prepared keeping the specific share hosting requirements and malware scenario in mind.

RfxNetworks Defines is at follows :

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

The author of LMD declares the limited availability of existing open source free tools for Linux system that focus on malware detection as the driving force behind making this software.

The shared hosting environment has its own dynamics and LMD targets this specific environment considering the specific features of shared hosting.

There are so many new malware coming every day and these reside mostly in user level files which are not checked by most of the common antivirus software that mainly focus on server level vulnerabilities.

Installation and Configuration

In this article we will look into its installation and some basic configurations and usage details. Lets start with the installation.


wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh

After running the install script , the installation will complete with in seconds and you will be provided with successful installation output, in this information some of the main configuration and usage related information provided is   below :


...
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
...

As you can see from above output the main configuration file for malware detect is located at below path :

/usr/local/maldetect/conf.maldet

The main cron is located at /etc/cron.daily/maldet

Before we move on to look into usage of this binary, LMD provide some ignore options that provide you a better control on what you want to do accordingly to your specific environment.

There are three ignore files available in LMD , below are their paths and usage details :


/usr/local/maldetect/ignore_paths
This is a line spaced file for paths that are to be execluded from search results

 

/usr/local/maldetect/ignore_sigs
This is a line spaced file for signatures that should be removed from file scanning

 

/usr/local/maldetect/ignore_inotify
This is a line spaced file for paths that are to be excluded from inotify monitoring

The main configuration file is fully commented so you can easily make setup most options by looking at the comments, below are some main options that you should set  :

email_alert
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.

email_addr
This is a comma spaced list of e-mail addresses that should receive alerts.

quar_hits
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.

quar_clean
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.

quar_susp
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.

quar_susp_minuid
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.

The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.

Manual Scan and real-time monitoring

For complete details of commands you can check the command help using below :

maldet –help

If you are looking to scan all the public_html directories for all the users on the server then you can achieve this using below command  :

maldet –scan-all /home?/?/public_html

Note : Please note that LMD use ‘?’ as wild card instead of ‘*’ , thus the use of  ’?’ in above command.

There are more options like –scan-recent which you can use to scan only recent files/changes and you have the option to mention number of days at the end of command which helps you scan for a recent time period.

Also there are other option parameters related to quarantine and cleanup, however please note that the quarantine option is disabled with default installation of LMD , if you want you can enable it from the main config.

There is also a real-time monitoring supported by LMD , however it will not work with CentOS4/RHEL4 as it requires inotify kernel parameter which is available in CentOS5/RHEL5 only.

Below is the help section related to real-time monitoring :

-m, –monitor USERS|PATHS|FILE

Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID's > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

You can initiate to monitoring for any user account as follows :

maldet –monitor /home/mike

And the monitoring will continue to run in background and the resultant logs will be reported in below log file :

/usr/local/maldetect/inotify/inotify_log

The daily scans through cron

The cronjob which is installed by LMD is located at path /etc/cron.daily/maldet as I mentioned earlier in the post and this cron is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.

The above information should be enough to get your started !

You can find more details on the official site for this RfxNetwork project at below link :

http://www.rfxn.com/projects/linux-malware-detect/

Have a Happy Malware Hunting !

This entry was posted in Technical Tips. Bookmark the permalink.