Linux Malware Detect (https://github.com/rfxn/linux-malware-detect) is a great tool allowing to scan and clean Linux servers from malware. Whether you run Drupal, WordPress or Joomla, it runs in the background and monitors all traffic by system users, blocking malicious patterns. It is incredibly useful if your website is spamming.
In a more recent post, Drupal ClamAV module vs maldet to eliminate malware in uploaded files, I outlined using Drupal ClamAV module with ClamAV to scan uploaded files for malware and virus.
In addition to the normal user monitoring, it could be plugged into mod_security and provide great WAF (Web Application Firewall) protection. Whenever a file is getting uploaded to your server, maldet scans it for known malware and blocks all attempts to upload files that contain malware. Whether an infected file is uploaded via a known vulnerability in your application, maldet ensures such file is not stored in the filesystem.
If your server has ClamAV installed, maldet automatically detects it’s availability and uses ClamAV engine to scan files and monitor user traffic in addition to its own.
In my experience working with clean or compromised servers, adding maldet helps to stop the compromise immediately and buys you some time to clean the compromised files.
How to install maldet
Whether you have CentOS, Ubuntu or Debian, maldet is very easy to install. I will be covering installation of maldet in CentOS 7.x system
SSH into your server as root and execute:
Installing required repositories and packages first
yum -y install epel-release
Ensure maldet can send email notifications:
yum -y install mailx
Now we could download and install maldet
cd /tmp wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar -xzvf maldetect-current.tar.gz
Based on the current version (1.5 at the time of writing this article), the command may require navigating to a different folder
cd maldetect-1.5 ./install.sh
At this point, ou should have maldet installed. It creates a daily cronjob to update itself and malware signatures, however, to ensure it starts on server reboot, add this to your crontab:
crontab -e
Add this line to the end of the file:
@reboot /usr/local/sbin/maldet --monitor users
To configure maldet to send email notifications:
cd /usr/local/maldetect/ vim conf.maldet
Enable email alerting:
email_alert="1"
Enable ClamAV: scan_clamscan="1"
Run your first malware scan with maldet
maldet -a /var/www/html
or
maldet -a /home/
When the scan is complete, maldet will provide you with the report ID which you could review by executing
maldet --report [report-id]
Monitoring directories with maldet
To monitor a directory with maldet, execute
maldet -m /var/www/html/
Monitoring all users with maldet
If you prefer to monitor all user activity on your server, rather than folder monitoring, execute
maldet -m users
Enable all file uploads scan with maldet
Enable user access to the maldet scanner.
vim /usr/local/maldetect/conf.maldet # Set scan_user_access to 1 to enable ModSecurity upload scanner to work. scan_user_access="0"
To ensure any file loaded to your server is scanned for malware, let’s create a ModSecurity rule and add it to the Apache web server. This will create basic high-performance WAF to protect your entire server (and all websites running) from malware uploads.
Install ModSecurity
yum --enablerepo=epel install mod_security -y
If you manage a cPanel server, you have to install mod_security via EasyApache.
Next, let’s create a ModSecurity rule that uses maldet to scan all files uploaded to your server. Based on your setup the path below may differ.
vim /etc/httpd/modsecurity.d/00_maldet.conf
Copy and paste the following content into the 00_maldet.conf file:
SecRequestBodyAccess On SecTmpSaveUploadedFiles On SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99,msg:'Malware found'"
Test your Apache configuration
apachectl -t
If Apache configuration has no errors, restart Apache webserver
systemctl restart httpd
To monitor maldet activity blocking malware, tail the log file
tail -f /var/log/httpd/modsec_audit.log
At this point you have your entire server protected by maldet Malware Detection engine.
Enjoy!!!
Pingback: Drupal ClamAV module vs maldet to eliminate malware in uploaded files | Ivan Grynenko