Real-time Malware Scanning with Linux Malware Detect for Virtualmin

    Install and configure Linux Malware Detect (LMD or maldet) to protect your Virtualmin powered VPS against malware infections.

    One of the biggest challenges of maintaining a web server is keeping it safe from all the hackers out there. Although we can implement many security features on our VPS, hackers sometimes find their way through them due to poorly coded or outdated web applications. But you can still protect your VPS in such situations by enabling real-time malware scanning for Virtualmin and your VPS.

    Linux Malware Detect (LMD) is a malware scanner for Linux based systems. We can use it to protect our Ubuntu 16.04 VPS against commonly known malware. In this tutorial, we’ll configure Linux Malware Detect with ClamAV antivirus and inotify to enable real-time protection against malware.


    Before you start, make sure you have Virtualmin up and running.

    Install Linux Malware Detect (LMD) on Ubuntu 16.04 VPS

    As the subtitle hints, this section has nothing to do with Virtualmin. This is how anyone would go about installing Linux Malware Detect on an Ubuntu 16.04 VPS. You need to be logged in as the root user for this whole tutorial. Let’s install the latest version of maldet on Ubuntu 16.04 VPS.

    Navigate to the /opt directory,
    Code:
    cd /opt

    Download the latest version of Linux Malware Detect,
    Code:
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

    Extract the downloaded file,
    Code:
    tar -xzvf maldetect-current.tar.gz

    Navigate to the extracted directory,
    Code:
    cd maldetect-*

    Install maldet,
    Code:
    ./install.sh

    This installs maldet on your Ubuntu 16.04 VPS and updates the signature database. Next, there are a few settings we need to adjust in maldet.

    Configure Linux Malware Detect (LMD) on Ubuntu 16.04 VPS

    Open maldet main configuration file with nano text editor,
    Code:
    nano /usr/local/maldetect/conf.maldet

    The configuration file is well commented. You can go ahead and read about each and every option. In most cases, I only make the following changes.
    Code:
    # Enable Email Alerting
    email_alert="1"
    
    # Email Address in which you want to receive scan reports
    email_addr="name@domain.com"
    
    # Disable daily cron
    cron_daily_scan="0"
    
    # Move threats to quarantine
    quarantine_hits="1"
    
    # Clean string based malware injections
    quarantine_clean="1"
    
    # Suspend user if malware found
    quarantine_suspend_user="1"
    
    # Minimum userid value that can be suspended
    quarantine_suspend_user_minuid="500"

    The configuration above requires you to have ClamAV installed. It should already be installed if you’ve built your Ubuntu 16.04 VPS with Virtualmin. But if you don’t have it for whatever reason, you can install ClamAV with the following command.
    Code:
    apt install clamav clamav-daemon
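The settings above are plain key="value" lines, so they can be applied from a script instead of by editing the file by hand each time you build a server. The helper below is an added example, not code from the original post or from the LMD project. It assumes conf.maldet uses the key="value" form shown above and that every key you set already exists in the file: set_maldet_option refuses unknown keys, so a typo cannot silently create a line that maldet never reads. The e-mail address is the placeholder from the post; values containing `|` or `&` are not handled by the sed expression.

```shell
#!/bin/sh
# Added example (not part of the original post or of LMD itself).
# Applies the key="value" settings from the post to conf.maldet,
# keeping a backup and refusing to touch keys that do not exist.

# Print the current value of a key, e.g.
#   get_maldet_option /usr/local/maldetect/conf.maldet email_alert
get_maldet_option() {
    conf="$1"; key="$2"
    sed -n "s/^${key}=\"\(.*\)\"$/\1/p" "$conf" | tail -n 1
}

# Rewrite key="..." in place. Returns 1 if the key is not present, so a
# mistyped key name cannot add a line maldet would simply ignore.
set_maldet_option() {
    conf="$1"; key="$2"; value="$3"
    if ! grep -q "^${key}=\"" "$conf"; then
        echo "set_maldet_option: key '$key' not found in $conf" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak"          # keep the previous version beside it
    sed -i "s|^${key}=\".*\"|${key}=\"${value}\"|" "$conf"
}

# Apply exactly the settings listed in the post; stops at the first failure.
apply_post_settings() {
    conf="$1"; mail="$2"
    set_maldet_option "$conf" email_alert 1 &&
    set_maldet_option "$conf" email_addr "$mail" &&
    set_maldet_option "$conf" cron_daily_scan 0 &&
    set_maldet_option "$conf" quarantine_hits 1 &&
    set_maldet_option "$conf" quarantine_clean 1 &&
    set_maldet_option "$conf" quarantine_suspend_user 1 &&
    set_maldet_option "$conf" quarantine_suspend_user_minuid 500
}

# Usage: sh apply-maldet.sh /usr/local/maldetect/conf.maldet you@example.com
if [ -n "$1" ]; then
    apply_post_settings "$1" "${2:-name@domain.com}" &&
        grep -E '^(email_alert|email_addr|cron_daily_scan|quarantine_)' "$1"
fi
```

After running it, compare conf.maldet with the conf.maldet.bak it leaves behind (for example with `diff`) before starting the monitor, so you can see that only the intended keys changed.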

    Enable Linux Malware Detect (LMD) Monitoring Mode

    At this point, maldet does nothing, because we’ve disabled daily scans in the configuration above. That’s fine: we’ll now enable real-time malware scanning for Virtualmin with Linux Malware Detect. To do that, we need inotify-tools. Let’s install it.
    Code:
    apt install inotify-tools

    Now we can use maldet in monitoring mode. What we need to monitor are the public_html directories. Virtualmin creates a public_html directory inside each user’s home directory, and the public_html directories of sub-servers are inside the Domains directory, which is also a subdirectory of the user’s home directory. So monitoring the user home directories makes sense for us, because virtual server owners don’t have access outside their respective home directories. maldet has a simple way to do this.
    Code:
    maldet --monitor /home

    The command above starts maldet in monitoring mode. It scans files as they are modified or uploaded in the home directories. But since maldet isn’t a service, it won’t start automatically on system reboots; you’d have to run the command above after each reboot, which is annoying if you have to do it yourself. So we’ll automate this with a cron job. Open the crontab with the following command,
    Code:
    crontab -e

    Paste the following line at the bottom,
    Code:
    @reboot /usr/local/sbin/maldet --monitor /home

    Save and close the file. You’ve successfully enabled real-time malware scanning for Virtualmin with maldet and ClamAV. You can monitor maldet detections and actions by viewing maldet’s event_log. The following command opens event_log with the nano text editor.
    Code:
    nano /usr/local/maldetect/logs/event_log
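The monitor has a few parts that can fail quietly after a reboot: inotify-tools may be missing, the @reboot line may be mistyped, and inotify allocates one watch per directory, so a /home with more directories than the kernel’s fs.inotify.max_user_watches limit is only partly watched. The script below is an added example, not part of the original post or of LMD. It assumes the @reboot line exactly as written above, that `maldet --monitor` keeps an inotifywait process running as its watcher, and that the watch limit is readable from /proc/sys/fs/inotify/max_user_watches; each check is a function with a zero or non-zero exit status so it can be run from cron as well as by hand.

```shell
#!/bin/sh
# Added example (not from the original post or from LMD): a health check
# for the maldet --monitor /home setup, intended to run after a reboot.

CRON_LINE='@reboot /usr/local/sbin/maldet --monitor /home'

# inotifywait -r places one watch per directory, so the directory count
# under the monitored path must stay below fs.inotify.max_user_watches.
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

current_watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 0
}

# Success when the directory count is below 90% of the limit.
check_watch_headroom() {
    dirs=$(count_watch_dirs "$1"); limit="$2"
    [ "$dirs" -lt $((limit * 9 / 10)) ]
}

# Reads a crontab listing on stdin; success if the post's line is present verbatim.
has_reboot_entry() {
    grep -qxF "$CRON_LINE"
}

# Assumption: maldet's monitor mode keeps an inotifywait process alive.
monitor_running() {
    pgrep -x inotifywait >/dev/null 2>&1
}

report() {
    path="$1"
    if command -v inotifywait >/dev/null 2>&1; then
        echo "ok: inotify-tools installed"
    else
        echo "FAIL: inotify-tools missing (apt install inotify-tools)"
    fi
    if monitor_running; then
        echo "ok: inotifywait running"
    else
        echo "FAIL: monitor not running (maldet --monitor $path)"
    fi
    if crontab -l 2>/dev/null | has_reboot_entry; then
        echo "ok: @reboot cron entry present"
    else
        echo "FAIL: @reboot cron entry missing or mistyped"
    fi
    dirs=$(count_watch_dirs "$path"); limit=$(current_watch_limit)
    if check_watch_headroom "$path" "$limit"; then
        echo "ok: $dirs directories under $path, watch limit $limit"
    else
        echo "FAIL: $dirs directories under $path but watch limit is $limit; raise fs.inotify.max_user_watches"
    fi
}

# Usage: sh maldet-monitor-check.sh /home
if [ -n "$1" ]; then
    report "$1"
fi
```

Run it as root right after the first reboot following the crontab change; a FAIL line on the cron check usually means the @reboot line was edited or the maldet path differs from /usr/local/sbin/maldet on your system.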

    That concludes the instructions to enable real-time malware scanning for Virtualmin with Linux Malware Detect.