Malware on a server makes for a very bad day. The good news is that with Linux Malware Detect (LMD) and ClamAV you can avoid such headaches with not that much work!
It only takes a single malware incident on your linux server to have you vow against such an outage in the future. The good news is that you can install Linux Malware Detect (LMD) on your Debian or Ubuntu server for free.
Linux Malware Detect is a malware scanner released under the GNU GPLv2 license. LMD is updated by community resources and other methods. LMD ups the malware detection game by not just discovering threats at the OS level (trojans, rootkits, etc) but also at the user account level which is a growing issue in shared hosting environments.
Inotify is used to monitor and act on filesystem events. You’ll need this for Linux Malware Detect. Inotify is available from Debian’s official repositories.
apt-get install inotify-tools
To download maldet or LMD simply go to your server command line and type the following. The first will download LMD and the second will extract the files.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar -zxvf maldetect-current.tar.gz
You’ll need to change to the downloaded directory and run the installation script. Change the directory path name to match the version of maldet you extracted. For example, at the time of writing the current version is 1.6.4. So that would be cd maldetect-1.6.4.
cd maldetect-1.6.4 ./install.sh
The configuration file is stored in /usr/local/maldetect/conf.maldet. Open this file in a text editor and set the following values:
email_alert="1" email_ignore_clean="0" email_addr="email@example.com" cron_daily_scan="1" scan_clamscan="1" quarantine_hits="1" quarantine_clean="1" scan_max_filesize="2048k"
Clam AntiVirus is an open source antivirus engine designed to detect trojans, viruses, malware and other nasties on your linux server. When you install this scanning engine, LMD will work with ClamAV for improved scan performance and also increased detection capabilities.
apt-get install clamav
To do a manual scan, use maldet –help to see the options. For example, to scan everything in the /var/www/ folder you would type:
maldet -a /var/www
To update LMD use the following commands:
maldet -u maldet -d
The first command updates the signatures from rfxn.com and the second updates the version.
When you install Linux Malware Detect it will add a file to the /etc/cron.daily folder called maldet. This file downloads definitions and performs daily basic scans. However, I personally add cron jobs to do the updates along with some specific scans on my servers.
This will open up an editor (you might have to select your preferred editor of choice. I always us Nano). I then add commands to update definitions, LMD version and run two different scans:
5 1 * * * maldet -u 15 1 * * * maldet -d 30 1 * * * maldet -a /var/www 30 2 * * * maldet -a /var/lib
Crontab works beginning with the minute, hour, day of month, the month, day of week and then the actual command to run. The wild cards will not limit. So using a wild card for day of month will make the command run every day.
Once you save this file, you should see it show up under the user you used to create it in /var/spool/cron/crontabs.
Your debian server is going to run a little safer now! A huge thank you to the people behind LMD and ClamAV. You can make a donation to LMD on their main page: https://www.rfxn.com/projects/linux-malware-detect/