Arquivo mensal 31 de outubro de 2022

porplague70

How to Install Linux Malware Detect on Debian

Malware on a server makes for a very bad day. The good news is that with Linux Malware Detect (LMD) and ClamAV you can avoid such headaches with not that much work!

FacebookTwitterLinkedInEmail

It only takes a single malware incident on your linux server to have you vow against such an outage in the future. The good news is that you can install Linux Malware Detect (LMD) on your Debian or Ubuntu server for free.

What is Linux Malware Detect?

Linux Malware Detect is a malware scanner released under the GNU GPLv2 license. LMD is updated by community resources and other methods. LMD ups the malware detection game by not just discovering threats at the OS level (trojans, rootkits, etc) but also at the user account level which is a growing issue in shared hosting environments.

Main Site: https://www.rfxn.com/projects/linux-malware-detect/

From the rfxn.com site: “The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating.”

1. Install Inotify Tools on Debian

Inotify is used to monitor and act on filesystem events. You’ll need this for Linux Malware Detect. Inotify is available from Debian’s official repositories.

apt-get install inotify-tools

2. Download Linux Malware Detect (LMD)

To download maldet or LMD simply go to your server command line and type the following. The first will download LMD and the second will extract the files.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz

3. Install Maldet

You’ll need to change to the downloaded directory and run the installation script. Change the directory path name to match the version of maldet you extracted. For example, at the time of writing the current version is 1.6.4. So that would be cd maldetect-1.6.4.

cd maldetect-1.6.4
./install.sh

4. Edit Linux Malware Detect Config

The configuration file is stored in /usr/local/maldetect/conf.maldet. Open this file in a text editor and set the following values:

email_alert="1"
email_ignore_clean="0"
email_addr="[email protected]"
cron_daily_scan="1"
scan_clamscan="1"
quarantine_hits="1"
quarantine_clean="1"

5. Install ClamAV®

Clam AntiVirus is an open source antivirus engine designed to detect trojans, viruses, malware and other nasties on your linux server. When you install this scanning engine, LMD will work with ClamAV for improved scan performance and also increased detection capabilities.

apt-get install clamav

6. Perform a Scan

To do a manual scan, use maldet –help to see the options. For example, to scan everything in the /var/www/ folder you would type:

maldet -a /var/www

7. Update Linux Malware Detect

To update LMD use the following commands:

maldet -u
maldet -d

The first command updates the signatures from rfxn.com and the second updates the version.

8. Automatic Scans

When you install Linux Malware Detect it will add a file to the /etc/cron.daily folder called maldet. This file downloads definitions and performs daily basic scans. However, I personally add cron jobs to do the updates along with some specific scans on my servers.

crontab -e

This will open up an editor (you might have to select your preferred editor of choice. I always us Nano). I then add commands to update definitions, LMD version and run two different scans:

5 1 * * * maldet -u
15 1 * * * maldet -d
30 1 * * * maldet -a /var/www
30 2 * * * maldet -a /var/lib

Crontab works beginning with the minute, hour, day of month, the month, day of week and then the actual command to run. The wild cards will not limit. So using a wild card for day of month will make the command run every day.

Once you save this file, you should see it show up under the user you used to create it in /var/spool/cron/crontabs.

9. That’s A Wrap.

Your debian server is going to run a little safer now! A huge thank you to the people behind LMD and ClamAV. You can make a donation to LMD on their main page: https://www.rfxn.com/projects/linux-malware-detect/

porplague70

PfSense – Re0 Watchdog Timeout Error

A few weeks ago my Internet started to have problems. The connection was dropping every 2-3 days and it couldn’t recover itself . The simpler solution found was to reset the pfSense Firewall.

At the beginning I thought that is only an isolated case but the problem seemed to become something permanent. So I decided to spend some time to check and try to fix this issue.

Step One – Check Error

So in order to check the issue, we have to ssh to the pfSense and then start shell with option 8. My network interface is called re0. You will get this information once connected to ssh.

After that, run the command bellow to check the issue:

dmesg | grep re0 | more

As you can see, we found the error is – re0: watchdog timeout and we also noticed that the interface is going up and down. If you ping the IP address of the interface 192.168.1.1, you will get a response, but if you ping another host on this network, you will get a request timed out.

As I mentioned, the simpler, but temporary solution is to reboot pfSense. After reboot, everything is back to normal. I found that I can reproduce the error if I’m running a speed test. Download test is working fine, but at the upload test you will get this error and the pfsense stops working again.

For the permanent solution we need some more patience.

Step Two – Check NIC (Network Interface Card) And Find A Driver

The next step would be to check the NIC and see what chipset it has. If we issue this command, we’ll get what we need:

pciconf -lv

So it seems we are having a RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller.
On the Netgate forum I found a post with info about the Realtek driver. You can download the new driver from here using this command:

curl https://forum.netgate.com/assets/uploads/files/1537813753467-if_re.zip -o if_re.zip

Step Three – Install Driver

After downloading the driver, unzip the archive, change the permissions and copy it to /boot/kernel.

Step Four – Update /Boot/Loader.Conf

In this step, we have to add the line if_re_load=”YES” in /boot/loader.conf file.

Step Five – Reboot PfSense

We’ve finished doing all the configurations, now we can reboot the firewall.

Step Six – Check If Fix Applied Works

After reboot, I’m checking if Realtek driver was properly loading. This looks good.

Now run a new speed test on the web interface and check if the issue is gone. The test went successfully, the interface re0 is still up. Good job!

Conclusion

I started to have this issue only after my Internet provider changed the cable modem. My Internet speed should have a speed up to 200 Mbps, but before changing the modem I was only reaching 70-80Mbps.
Now, after changing the modem I finally could reach 210-220Mbps. This was the point when pfSense started to have problems.

So if your Internet is running with speeds over 200Mbps, it’s possible to notice that problem. The solution applied seems to work very good for me, I didn’t have any more issues in the last 5 days.