Linux Malware Detect (LMD) or simply Maldet is a free malware scanner designed for Linux machines released under the GNU GPLv2. It is specially designed around the threats in the shared hosted environment. LMD uses threat data from network edge intrusion detection systems to get the actual malware that is used in attacks and generates a variety of signatures for detection.
In addition to these features, LMD threat data can also be extracted from user submissions with the checkout feature in LMD from malware resources. It uses signatures such as HEX pattern and MD5 file hashes. They can also be extracted from a variety of detection tools including ClamAV.
Before we start the installation process, this tutorial assumes that you have some basic knowledge of SSH. These instructions apply to users who deal with VPS (Virtual Private Servers) or Dedicated servers.
Let’s get started.
Special note: some of the top Linux hosting providers will offer VPS and dedicated hosting plans that will include Malware detection software and great Linux support.
Step 1: Updating the Packages
First, make sure the packages are up-to-date. To do so, run the command below:
$ yum -y update
Step 2: Installing Linux Malware Detect
Go to the official Linux Malware Detect page and download the software to your server:
$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Open the already downloaded Linux Malware file:
#tar xfz maldetect-current.tar.gz
You can change the current directory with the command below:
$ cd maldetect-*
Now run the file to install the script:
./install.sh
Once the installation process is complete, you should have the output below:
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service. Linux Malware Detect v1.6 (C) 2002-2017, R-fx Networks <proj@r-fx.org> (C) 2017, Ryan MacDonald <ryan@r-fx.org> This program may be freely redistributed under the terms of the GNU GPL installation completed to /usr/local/maldetect config file: /usr/local/maldetect/conf.maldet exec file: /usr/local/maldetect/maldet exec link: /usr/local/sbin/maldet exec link: /usr/local/sbin/lmd cron.daily: /etc/cron.daily/maldet maldet(1344): {sigup} performing signature update check... maldet(1344): {sigup} local signature set is version 2017070716978 maldet(1344): {sigup} new signature set (2017080720059) available maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz maldet(1344): {sigup} verified md5sum of maldet-clean.tgz maldet(1344): {sigup} unpacked and installed maldet-clean.tgz maldet(1344): {sigup} signature set update completed maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
Step 3: Configuring LMD
Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet and it can be modified as per the requirements below:
$ vi /usr/local/maldetect/conf.maldet
The default file in your system should look like this:
# Enable Email Alerting email_alert="1" # Email Address in which you want to receive scan reports email_addr="igeek.web@gmail.com" # Use with ClamAV scan_clamscan="1" # Enable scanning for root owned files. Set 1 to disable. scan_ignore_root="0" # Move threats to quarantine quarantine_hits="1" # Clean string based malware injections quarantine_clean="1" # Suspend user if malware found. quarantine_suspend_user="1" # Minimum userid value that be suspended quarantine_suspend_user_minuid="500"
Now change the settings below:
email_alert=1 – If you want to receive email alerts
email_addr=”user@yourdomain.tld” – Type the address where you want to receive the malware email alerts
quar_hits=1 t for malware hits
quar_clean=1 – Clears the detected malware injections
Step 4: Set CronJob for Auto Scanning
In the installation process, a cron job file is installed in /etc/cron.daily/maldet.
These files installed by LMD are useful in keeping the current session, performing daily updates of the signature files, temp, as well as store quarantine data for not more than two weeks or 14 days. It runs a daily scan of all recent files on the system.
To ensure these files are compatible with the structure of your server and those in the Cron file, check the control panel and make the necessary changes.
#!/bin/bash # clear quarantine/session/tmp data every 14 days /usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1 /usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1 /usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1 /usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1 # check for new release version /usr/local/maldetect/maldet -d >> /dev/null 2>&1 # check for new definition set /usr/local/maldetect/maldet -u >> /dev/null 2>&1 # if were running inotify monitoring, send daily hit summary if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1 else # scan the last 2 days of file changes if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then # ensim /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1 /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1 elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then # psa /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1 /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1 elif [ -d "/usr/local/directadmin" ]; then # DirectAdmin /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1 /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1 else # cpanel, interworx and other standard home/user/public_html setups /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1 fi fi
To active the email alerts once a malware is detected, open the Maldet configuration file that is found in /usr/local/maldetect/conf.maldet and type the following:
email_alert=1 email_subj="Maldet alert from $(hostname)" email_addr="email@domain.com
Step 5: Manual Scanning
To scan a directory you want to use, run the command below:
$ maldet -a /path/to/directory
To ensure Maldet is up-to-date, run the command below:
$ maldet -u
You can see the details of the options available by running the following command:
$ maldet - h
Now Linux Malware Detect (LMD) is successfully installed.
Conclusion
Congratulations, LMD is now installed in CentOS 7 system and ready for use. Follow these steps and make the necessary edits to configure LMD to your needs.
Check out these top 3 Linux hosting services
- Check the recommendations for the best VPS and get a suitable one.