Install Linux Malware Detect (LMD) in RHEL CentOS

1 December 2013 4:28 AM Centos 6, Linux, Security , , ,

Install Linux Malware Detect (LMD) in RHEL CentOS

What is Malware?

Malware is called malicious software, script or code which is created and used by hackers to retrieve information of private data or gain access to any private computer systems. Malware can be trojans, viruses, spyware, adware, rootkits or any other malicious programs which can be very harmful to any computer user.

What is Linux Malware Detect (LMD)?

Linux Malware Detect (LMD) is an open source and free malware scanner and detector for Unix/Linux based operating systems, released under GNU GPLv2. It is designed to figure out threats faced by shared hosting environments. For more information and features visit at http://www.rfxn.com/projects/linux-malware-detect/.

Features:

– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|–update
– integrated version update feature with -d|–update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64 injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions

Step 1: Downloading Linux Malware Detect (LMD)

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Step 2: Installing LMD

Installation and Configuration of LMD is a bit easy task, just follow below steps as root user.

# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh

Sample Output

Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)

Step 3: Configuring LMD

By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.

  1. email_alert : If you would like to receive email alerts, then it should be set to 1.
  2. email_subj : Set your email subject here.
  3. email_addr : Add your email address to receive malware alerts.
  4. quar_hits : The default quarantine action for malware hits, it should be set 1.
  5. quar_clean : Cleaing detected malware injections, must set to 1.
  6. quar_susp : The default suspend action for users wih hits, set it as per your requirements.
  7. quar_susp_minuid : Minimum userid that can be suspended.

Open file /usr/local/maldetect/conf.maldet and make changes according to your needs.

# vi /usr/local/maldetect/conf.maldet

Sample Configuration

Here is the my sample configuration file.

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="tecmint.com@gmail.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

Step 4: Manual Scans and Usage

If you would like to scan user’s Home directory, then simply issue following command.

# maldet --scan-all /home

You performed a scan but failed to turn on the quarantine option, don’t worry just use the following command to turn on and quarantine all previous malware scan results.

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

Step 5: Daily Scans

By default installation keeps LMD script under /etc/cron.daily/maldet and it is used to perform a daily scans, update of signatures, quarantine etc, and sends a daily report of malware scan to your specified emails. If you need to add additional paths to be scanned, then you should edit this file accordingly to your requirements.

# vi /etc/cron.daily/maldet

If you like this article, please share with your friends and do leave comments.

 

More information: 

http://www.rfxn.com/projects/linux-malware-detect
http://www.tecmint.com/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora/