We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
[HowTo] Install and use (LMD) Linux Malware Detect, ClamAV with VestaCP on CentOS 7 / RHEL 7

Many people get upset about getting hacked and think it is a problem with VestaCP only. No, this is not VestaCP's fault; it is your fault, because you are the one who has not secured your server. Enough blaming, you guys, lol. Let's get this fixed.

Install LMD

LMD is not available in the official CentOS repositories as a pre-built package, but it is available as a tarball from the LMD project web site.

Download the latest version of LMD using the following commands:

    cd /tmp/
    curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tarball and change into the extracted directory:

    tar -zxvf maldetect-current.tar.gz
    cd maldetect*

Run the installation script install.sh present in the extracted directory:

    bash install.sh

Installation output:

    Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
    Linux Malware Detect v1.6
    (C) 2002-2017, R-fx Networks <[email protected]>
    (C) 2017, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL
    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    exec link: /usr/local/sbin/lmd
    cron.daily: /etc/cron.daily/maldet
    maldet(1344): {sigup} performing signature update check...
    maldet(1344): {sigup} local signature set is version 2017070716978
    maldet(1344): {sigup} new signature set (2017080720059) available
    maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
    maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
    maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
    maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
    maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
    maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
    maldet(1344): {sigup} signature set update completed
    maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)

The main configuration file of LMD is /usr/local/maldetect/conf.maldet and you can modify it according to your requirements:

    nano /usr/local/maldetect/conf.maldet

Below are some of the important settings you should have on your system for successful detection and deletion of threats:

    # Enable email alerting
    email_alert="1"
    # Email address at which you want to receive scan reports
    email_addr="[email protected]"
    # Use ClamAV as the scanner engine
    scan_clamscan="1"
    # Enable scanning of root-owned files. Set to 1 to disable.
    scan_ignore_root="0"
    # Move threats to quarantine
    quarantine_hits="1"
    # Clean string-based malware injections
    quarantine_clean="1"
    # Suspend the user if malware is found
    quarantine_suspend_user="1"
    # Minimum user id value that can be suspended
    quarantine_suspend_user_minuid="500"

Skip ahead to Test LMD if you do not want to use LMD with ClamAV. ClamAV comes pre-installed with VestaCP, so if you are using VestaCP you can ignore the steps below; if you have removed ClamAV from your VestaCP VPS, or are not using VestaCP, follow the steps below to install ClamAV.

LMD with ClamAV

LMD performs better when scanning large file sets with ClamAV. ClamAV (Clam Antivirus) is an open source antivirus solution that detects viruses, malware, trojans and other malicious programs.

ClamAV is available in the EPEL repository, so configure it on your CentOS / RHEL machine:

    rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install ClamAV using the yum command:

    yum -y install clamav clamav-devel clamav-update inotify-tools

Now update the ClamAV virus databases using the following command:

    freshclam

No additional configuration is required in LMD, as the use of ClamAV with LMD is enabled by default.

Test LMD

Let us test the functionality of LMD using the EICAR test file. Download the test files from the EICAR website:

    cd /tmp
    wget http://www.eicar.org/download/eicar_com.zip
    wget http://www.eicar.org/download/eicarcom2.zip

Now scan the directory for malware:

    maldet -a /tmp

Output:

    Linux Malware Detect v1.6.2
    (C) 2002-2017, R-fx Networks <[email protected]>
    (C) 2017, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2
    maldet(2004): {scan} signatures loaded: 15215 (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)
    maldet(2004): {scan} building file list for /tmp, this might take awhile...
    maldet(2004): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(2004): {scan} file list completed in 0s, found 74 files...
    maldet(2004): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    maldet(2004): {scan} scan of /tmp (74 files) in progress...
    maldet(2004): {scan} processing scan results for hits: 2 hits 0 cleaned
    maldet(2004): {scan} scan completed on /tmp: files 74, malware hits 2, cleaned hits 0, time 11s
    maldet(2004): {scan} scan report saved, to view run: maldet --report 180814-1254.2018
    maldet(2004): {alert} sent scan report to [email protected]

From the output you can see that LMD is using the ClamAV scanner engine to perform the scan, and that it found two malware hits.

LMD Scan Report

LMD stores scan reports under /usr/local/maldetect/sess/. Use the maldet command with the SCAN ID to see the detailed scan report:

    maldet --report 180814-1254.2018

Output:

    SUBJECT: maldet alert from server.root.local
    HOST: lmddd
    SCAN ID: 180814-1254.2018
    STARTED: Aug 14 2018 10:58:20 +0000
    COMPLETED: Aug 14 2018 13:02:31 +0000
    ELAPSED: 11s [find: 0s]
    PATH: /tmp
    TOTAL FILES: 74
    TOTAL HITS: 2
    TOTAL CLEANED: 0
    FILE HIT LIST:
    {HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.215484128
    {HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.534568742
    ===============================================
    Linux Malware Detect v1.6.2 < [email protected] >

You can see that both files have been quarantined.

Extra Commands & Details

Once you have reviewed the quarantine, you can remove all quarantined files with:

    rm -rf /usr/local/maldetect/quarantine/*

Or use the command below to clean the hits of a scan with maldet (replace SCANID with the scan ID from the report):

    maldet --clean SCANID

Since maldet needs to be integrated with cron, set the following variables in root's crontab (run crontab -e as root) if you notice that LMD is not running correctly on a daily basis:

    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/
    SHELL=/bin/bash

You can also add the cron job via VestaCP.

To check the email report from LMD, use this command:

    tail -f /var/mail/root

Perform a scan for a specific file extension only:

    maldet -a /var/www/html/*.php

Get a list of all reports:

    maldet -e list

Scan files that have been created or modified in the last X days; here 5 means the last 5 days:

    maldet -r /var/www/html/ 5

Restore files from the quarantine directory (replace SCANID with the scan ID from the report):

    maldet -s SCANID

Enable inotify monitoring of a directory:

    maldet -m /var/www/html/

Check the monitor log file:

    tail -f /usr/local/maldetect/logs/inotify_log

Use the following command to update LMD itself:

    maldet -d

To update the LMD signatures, run:

    maldet -u
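As an added example (not part of the original post or of the LMD project), here is a small shell audit that checks a conf.maldet file against the settings recommended in this post, so a missing or commented-out setting is noticed before a scan silently runs without quarantine or alerting. It assumes the key="value" syntax shown above; the sample configuration it writes is constructed for the demonstration.

```bash
# Audit a conf.maldet file against the settings recommended in this post.
# Prints one line per setting; returns non-zero if any recommended value is
# missing or different. Assumes the key="value" syntax shown in the post.

# Recommended settings from the post, as key=value pairs.
RECOMMENDED="email_alert=1 scan_clamscan=1 scan_ignore_root=0 quarantine_hits=1 quarantine_clean=1 quarantine_suspend_user=1 quarantine_suspend_user_minuid=500"

# Effective value of a key: last uncommented assignment wins, quotes stripped.
# Prints nothing if the key is never set (commented-out lines do not count).
conf_get() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$file" | tail -n 1
}

# Compare a file with the recommended values; print ok/MISMATCH/MISSING lines
# and return 1 if anything needs attention.
audit_maldet_conf() {
    local file="$1" rc=0 pair key want got
    for pair in $RECOMMENDED; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_get "$file" "$key")"
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (want $want)"; rc=1
        else
            echo "ok       $key=$got"
        fi
    done
    return $rc
}

# Constructed sample conf.maldet fragment (not from any real host): email
# alerts left off and one key commented out, to show both failure modes.
make_sample_conf() {
    cat > "$1" <<'EOF'
email_alert="0"
email_addr="admin@example.com"
scan_clamscan="1"
scan_ignore_root="0"
quarantine_hits="1"
#quarantine_clean="1"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
EOF
}

# Usage: audit_maldet_conf /usr/local/maldetect/conf.maldet
if [ -n "${1:-}" ]; then audit_maldet_conf "$1"; fi
```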
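A second added example (again not from the original post or from LMD): shell functions that pull the summary fields and the FILE HIT LIST out of a saved maldet report in the format shown above, so you can see which original path maps to which quarantined copy and check that the hit count matches before cleaning or restoring. The sample report it writes is constructed; feed it the output of maldet --report SCANID on a real host.

```bash
# Extract the summary fields and the hit list from a saved maldet report
# (the format maldet --report prints, as shown above), so the quarantined
# copies can be reviewed or restored without reading the whole file.

# Print one header field, e.g. report_field report.txt "TOTAL HITS" -> 2
report_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print each hit as: signature<TAB>original path<TAB>quarantine path
report_hits() {
    awk '
        /^FILE HIT LIST:/ { in_list = 1; next }
        /^=+$/            { in_list = 0 }
        in_list && / : / && / => / {
            sig = $1                          # e.g. {HEX}EICAR.TEST.10
            sub(/^[^:]*: /, "")               # drop "signature : "
            split($0, p, / => /)              # p[1]=original, p[2]=quarantine
            printf "%s\t%s\t%s\n", sig, p[1], p[2]
        }' "$1"
}

# Return 0 when TOTAL HITS matches the number of hit lines, else 1.
report_consistent() {
    [ "$(report_field "$1" "TOTAL HITS")" -eq "$(report_hits "$1" | grep -c .)" ]
}

# Constructed sample report (EICAR test hits, made-up scan id and paths).
make_sample_report() {
    cat > "$1" <<'EOF'
HOST: example-host
SCAN ID: 000000-0000.0
PATH: /tmp
TOTAL FILES: 74
TOTAL HITS: 2
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}EICAR.TEST.10 : /tmp/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.1
{HEX}EICAR.TEST.10 : /tmp/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2
===============================================
Linux Malware Detect v1.6.2
EOF
}

# Usage: maldet --report SCANID > report.txt; report_hits report.txt
if [ -n "${1:-}" ]; then report_hits "$1"; fi
```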