Malware on a server makes for a very bad day. The good news is that with Linux Malware Detect (LMD) and ClamAV you can avoid such headaches with not that much work!
It only takes a single malware incident on your linux server to have you vow against such an outage in the future. The good news is that you can install Linux Malware Detect (LMD) on your Debian or Ubuntu server for free.
What is Linux Malware Detect?
Linux Malware Detect is a malware scanner released under the GNU GPLv2 license. LMD is updated by community resources and other methods. LMD ups the malware detection game by not just discovering threats at the OS level (trojans, rootkits, etc) but also at the user account level which is a growing issue in shared hosting environments.
Main Site: https://www.rfxn.com/projects/linux-malware-detect/
From the rfxn.com site: “The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating.”
1. Install Inotify Tools on Debian
Inotify is used to monitor and act on filesystem events. You’ll need this for Linux Malware Detect. Inotify is available from Debian’s official repositories.
apt-get install inotify-tools2. Download Linux Malware Detect (LMD)
To download maldet or LMD simply go to your server command line and type the following. The first will download LMD and the second will extract the files.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz3. Install Maldet
You’ll need to change to the downloaded directory and run the installation script. Change the directory path name to match the version of maldet you extracted. For example, at the time of writing the current version is 1.6.4. So that would be cd maldetect-1.6.4.
cd maldetect-1.6.4
./install.sh4. Edit Linux Malware Detect Config
The configuration file is stored in /usr/local/maldetect/conf.maldet. Open this file in a text editor and set the following values:
email_alert="1"
email_ignore_clean="0"
email_addr="yo**@em***.com"
cron_daily_scan="1"
scan_clamscan="1"
quarantine_hits="1"
quarantine_clean="1"5. Install ClamAV®
Clam AntiVirus is an open source antivirus engine designed to detect trojans, viruses, malware and other nasties on your linux server. When you install this scanning engine, LMD will work with ClamAV for improved scan performance and also increased detection capabilities.
apt-get install clamav6. Perform a Scan
To do a manual scan, use maldet –help to see the options. For example, to scan everything in the /var/www/ folder you would type:
maldet -a /var/www7. Update Linux Malware Detect
To update LMD use the following commands:
maldet -u
maldet -dThe first command updates the signatures from rfxn.com and the second updates the version.
8. Automatic Scans
When you install Linux Malware Detect it will add a file to the /etc/cron.daily folder called maldet. This file downloads definitions and performs daily basic scans. However, I personally add cron jobs to do the updates along with some specific scans on my servers.
crontab -eThis will open up an editor (you might have to select your preferred editor of choice. I always us Nano). I then add commands to update definitions, LMD version and run two different scans:
5 1 * * * maldet -u
15 1 * * * maldet -d
30 1 * * * maldet -a /var/www
30 2 * * * maldet -a /var/libCrontab works beginning with the minute, hour, day of month, the month, day of week and then the actual command to run. The wild cards will not limit. So using a wild card for day of month will make the command run every day.
Once you save this file, you should see it show up under the user you used to create it in /var/spool/cron/crontabs.
9. That’s A Wrap.
Your debian server is going to run a little safer now! A huge thank you to the people behind LMD and ClamAV. You can make a donation to LMD on their main page: https://www.rfxn.com/projects/linux-malware-detect/
