As a prelude to my upcoming WordPress Sydney meetup on WordPress Security, I’m going to show you how you can beef up security on your Virtual Private Server (VPS) by installing a piece of software called Linux Malware Detect or LMD.
What is Malware?
OK – let’s start at the beginning. I’m assuming that most of you will have at least heard of the term malware but what is it?
Malware is short for “malicious software”. Software (programs) that have been written for the purpose of doing some malicious on a computer.
That could be as annoying as defacing your homepage or a nefarious as syphoning off a credit card and billing information.
Malware can be written by anyone from a teenager in their bedroom to state-sponsored terrorism (NSA reading your emails for example). “Hi there NSA! – thanks for reading along.” 😛
There are various methods of deployment to get the malware on your machines, but I’m not going to go into those. This post is going to show you how you can scan for and detect malware.
What is Linux Malware Detect?
Linux Malware Detect (LMD) is an open-source malware scanner that runs under various flavours of Linux, distributed under the GPL2 license.
It scans the computer for known malware threats and can quarantine suspicious files and/or simply alert you to their presence.
LMS is specifically designed to seek out threats that would target shared hosting systems so if you have cPanel installed and are using your VPS to host several accounts, LMD will help keep your environment clean.
Installing LMD
The following install and setup method was performed on a CentOS 6 VPS but should work fine on RHEL 6.x and Fedora 12+.
You will need to have SSH root access to your VPS.
Step 1 – Download LMD
From your SSH download the latest LMD package using the wget command in the temp folder of your VPS.
cd /tmp wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Step 2 – Installing LMD
Install and configure LMD using the following commands.
tar xfz maldetect-current.tar.gz cd maldetect-* ./install.sh The first command unpacks the archive. The second changes the folder to the unpacked archive and the third command runs the install script. You may come across a "permission denied" message when running the install script. If this happens do the following chmod +x ./install.sh su root ./install.sh
This adds execution privileges to the install script and runs it explicitly under the root user.
The install script will only take a few seconds to run. Here’s a sample of what you will see in your bash shell.
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
Step 3 – Configuring LMD
From the installation output, you can see that LMD has been installed into the folder /usr/local/maldetect and that’s where the conf.maldet configuration file exists, so go there and edit the file using the VI editor.
cd /usr/local/maldetect vi conf.maldet
The settings are pretty straight forward and well commented.
The first setting you’ll want to change is the email alert address email_alert to your own address.
There are also options to automatically quarantine suspicious files and suspect cPanel account which contains detected malicious code.
Here’s a sample of settings from the configuration file:
[gist id=8142489]
Step 4 – Run a manual scan
Now that LMD is installed on your VPS it’s probably a good idea to run a manual scan to see if there are any issues.
maldet --scan-all /home
Execution time for the scan will, of course, depend on how many files you have on your VPS and at the end, you will receive a report telling you how many files were scanned, issues detected and files quarantined.
This is also a good time to check that you received the email alert.
Here’s sample output from the script.
SCAN ID: 092213-0752.4491 TIME: Sep 22 09:03:12 +0100 PATH: /home TOTAL FILES: 41244 TOTAL HITS: 3 TOTAL CLEANED: 0
If you hadn’t turned on quarantining and your script detected issues, you can still quarantine those files using the SCAN ID associated with the report.
maldet --quarantine SCANID OR maldet --clean SCANID
Step 5 – Daily Scans
The installation script creates a daily cron job file maldet in the /etc/cron.daily folder.
This daily cron job scans the computer, installs updates and malware signatures, quarantines suspicious files and sends out the email alert.
If you need any additional folders to be scanned, add them into this cron job script
vi /etc/cron.daily/maldet
Success! You’re VPS is not a lot more secure than it was before you installed LMD.
Thanks for the very well-thought-out instructions. These instructions worked perfectly for me. Do you have any “recommended settings” you would suggest we change?
Success! You’re VPS is not a lot more secure than it was before you installed LMD. ??
Is this ok for Plesk vps too?