As a prelude to my upcoming WordPress Sydney meetup talk on WordPress Security I’m going to show you how you can beef up security on your Virtual Private Server (VPS) by installing a piece of software called Linux Malware Detect or LMD.
What is Malware?
OK – let’s start at the beginning. I’m assuming that most of you will have at least heard of the term malware but what is it?
Malware is short for “malicious software”: software (programs) written for the purpose of doing something malicious on a computer.
That could be as annoying as defacing your homepage or as nefarious as
Malware can be written by anyone from a teenager in their bedroom to state-sponsored terrorism (NSA reading your emails for example). “Hi there NSA! – thanks for reading along.”
There are various methods of deployment to get the malware on your machines, but I’m not going to go into those. This post is going to show you how you can scan for and detect malware.
What is Linux Malware Detect?
Linux Malware Detect (LMD) is an open-source malware scanner that runs under various
It scans the computer for known malware threats and can quarantine suspicious files and/or simply alert you to their presence.
LMD is specifically designed to seek out threats that target shared hosting systems, so if you have cPanel installed and are using your VPS to host several accounts, LMD will help keep your environment clean.
The following install and setup method was performed on a CentOS 6 VPS but should work fine on RHEL 6.x and Fedora 12+.
You will need to have SSH root access to your VPS.
Step 1 – Download LMD
From your SSH download the latest LMD package using the
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
Step 2 – Installing LMD
Install and configure LMD using the following commands.
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh
The first command unpacks the archive. The second changes the folder to the unpacked archive and the third command runs the install script. You may come across a "permission denied" message when running the install script. If this happens, do the following:
chmod +x ./install.sh
su root ./install.sh
This adds execution
The install script will only take a few seconds to run. Here’s a sample of what you will see in your bash shell.
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <proj@r-fx.org>
            (C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
Step 3 – Configuring LMD
From the installation
cd /usr/local/maldetect
vi conf.maldet
The settings are pretty straightforward and well commented.
The first setting you’ll want to change is the email alert address email_alert to your own address.
There are also options to automatically quarantine suspicious files and suspect cPanel account which contain detected
Here’s a sample of settings from the configuration file:
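If you manage more than one VPS, editing conf.maldet by hand in vi on each box gets old quickly. The following shell functions are an added example (not from the original post or the LMD project) that set the alerting and quarantine options from a script. They assume the LMD 1.4.x conf.maldet layout of one KEY=VALUE per line with the option names email_alert, email_addr, quar_hits, quar_clean and quar_susp; the sample file written by write_sample_conf is constructed for the example and is not the real shipped configuration.

```shell
#!/bin/sh
# Added example: script the conf.maldet edits from step 3 instead of editing in vi.
# Assumption: LMD 1.4.x option names (email_alert, email_addr, quar_hits,
# quar_clean, quar_susp) on KEY=VALUE lines. Check your own conf.maldet first.

# Write a constructed conf.maldet fragment (sample data, not the real file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Enable email alerting (1 = on, 0 = off)
email_alert=0
# Email address alerts are sent to
email_addr="you@domain.com"
# Quarantine malware hits automatically
quar_hits=0
# Attempt cleaning of string-based injections
quar_clean=0
# Suspend the cPanel user account that owns a hit
quar_susp=0
EOF
}

# get_maldet_option FILE KEY: print KEY's value with surrounding quotes stripped.
get_maldet_option() {
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# set_maldet_option FILE KEY VALUE: replace KEY's value in place.
# Refuses unknown keys so a typo never silently adds an option LMD ignores.
set_maldet_option() {
    grep -q "^$2=" "$1" || { echo "unknown option: $2" >&2; return 1; }
    tmp="$1.tmp"
    sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# harden_conf FILE ADDRESS: turn on alerts to ADDRESS and auto-quarantine.
# quar_susp is deliberately left alone: suspending accounts is a business
# decision, so make it an explicit, separate choice.
harden_conf() {
    set_maldet_option "$1" email_alert 1
    set_maldet_option "$1" email_addr "\"$2\""
    set_maldet_option "$1" quar_hits 1
    set_maldet_option "$1" quar_clean 1
}

# Usage against the real file would be:
#   harden_conf /usr/local/maldetect/conf.maldet admin@example.com
```

Run harden_conf against a copy of conf.maldet first and diff it against the original; the only lines that should change are the four options the function touches.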
Step 4 – Run a manual scan
Now that LMD is installed on your VPS it’s probably a good idea to run a manual scan to see if there are any issues.
maldet --scan-all /home
Execution time for the scan will of course depend on how many files you have on your VPS and at the end you will receive a report telling you how many files were scanned, issues detected and files quarantined.
This is also a good time to check that you received the email alert.
Here’s a sample output from the script.
SCAN ID: 092213-0752.4491
TIME: Sep 22 09:03:12 +0100
PATH: /home
TOTAL FILES: 41244
TOTAL HITS: 3
TOTAL CLEANED: 0
If you hadn’t turned on quarantining and your script detected issues, you can still quarantine those files using the SCAN ID associated with the report.
maldet --quarantine SCANID
OR
maldet --clean SCANID
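Reading the SCAN ID out of the report and typing it back into maldet is easy to get wrong on a busy server. The functions below are an added example (not part of the original post or of LMD) that parse the report summary shown in step 4, work out whether any hits were left uncleaned, and only then run the quarantine command with the right SCAN ID. The report text is constructed from the summary lines above; the MALDET variable is an assumption of this example so the command can be swapped for echo when testing.

```shell
#!/bin/sh
# Added example: act on an LMD scan report summary instead of retyping the SCAN ID.
# Assumption: the report uses the "FIELD: value" lines shown in step 4
# (SCAN ID, TOTAL HITS, TOTAL CLEANED). MALDET is this example's own variable.

# Constructed sample report, copied from the summary in step 4.
SAMPLE_REPORT='SCAN ID: 092213-0752.4491
TIME: Sep 22 09:03:12 +0100
PATH: /home
TOTAL FILES: 41244
TOTAL HITS: 3
TOTAL CLEANED: 0'

# Constructed clean report, for the no-hits path.
CLEAN_REPORT='SCAN ID: 092313-0800.1234
TIME: Sep 23 08:00:00 +0100
PATH: /home
TOTAL FILES: 41250
TOTAL HITS: 0
TOTAL CLEANED: 0'

# report_field REPORT FIELD: print the value after "FIELD: ".
report_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# needs_quarantine REPORT: succeed when hits exceed what was already cleaned.
# Defaults to 0 so a truncated report never triggers a quarantine.
needs_quarantine() {
    hits=$(report_field "$1" "TOTAL HITS")
    cleaned=$(report_field "$1" "TOTAL CLEANED")
    [ "${hits:-0}" -gt "${cleaned:-0}" ]
}

# quarantine_from_report REPORT: run "maldet --quarantine SCANID" only when
# there is something left to quarantine; otherwise say so and do nothing.
quarantine_from_report() {
    id=$(report_field "$1" "SCAN ID")
    [ -n "$id" ] || { echo "no SCAN ID found in report" >&2; return 1; }
    if needs_quarantine "$1"; then
        ${MALDET:-maldet} --quarantine "$id"
    else
        echo "nothing to quarantine for scan $id"
    fi
}

# Real usage: feed the report LMD produced for a given scan id.
#   quarantine_from_report "$(maldet --report 092213-0752.4491)"
```

Set MALDET=echo before calling quarantine_from_report to see which command would run without touching any files; with the sample report that prints "--quarantine 092213-0752.4491", and with the clean report it reports nothing to do.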
Step 5 – Daily Scans
The installation script creates a daily
If you need any additional folders to be scanned, add them into this
Success! Your VPS is now a lot more secure than it was before you installed LMD.