Install Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

In my earlier article I’ve explained you all about how to protect Apache server fromMalicious and DOS attacks
using mod_security
and mod_evasive. Now again I have come up with another great topic on Malware detector called LMD (Linux Malware Detect). In this
article I will show you how to install and configure LMD in RHEL
6.3/6.2/6.1/6/5.8,CentOS 6.3/6.2/6.1/6/5.8 and Fedora
17,16,15,14,13,12 systems using source code.







Linux Malware Detect

Read Also : Install
Suricata – A Intrusion Detection and Prevention Engine

What is Malware?

Malware is called malicious software, script or code which is created and used by hackers to retrieve information
of private data or gain access to any private computer systems. Malware can be trojans, viruses, spyware, adware, rootkits or any other malicious programs which can be very harmful to any computer user.

What is Linux Malware Detect (LMD)?

Linux Malware Detect (LMD) is an open source and free malware scanner and detector for Unix/Linux based
operating systems, released under GNU GPLv2. It is designed to figure out threats faced by shared hosting environments. For more information and features visit athttp://www.rfxn.com/projects/linux-malware-detect/.

Install
Linux Malware Detect (LMD) in RHEL 6.3/6.2/6.1/6/5.8,CentOS
6.3/6.2/6.1/6/5.8 and Fedora 12,13,14,15,16,17

Installing Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

Step 1: Downloading Linux Malware Detect (LMD)

Downloading latest LMD package using following wget command.

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz[/code] 

Step 2: Installing LMD
Installation and Configuration of LMD is a bit easy task, just follow below steps as root user.
# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh


Sample Output
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)


Step 3: Configuring LMD
By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.

email_alert : If you would like to receive email alerts, then it should be set to 1.

email_subj : Set your email subject here.

email_addr : Add your email address to receive malware alerts.

quar_hits : The default quarantine action for malware hits, it should be set 1.

quar_clean : Cleaing detected malware injections, must set to 1.

quar_susp : The default suspend action for users wih hits, set it as per your requirements.

quar_susp_minuid : Minimum userid that can be suspended.

Open file /usr/local/maldetect/conf.maldet and make changes according to your needs.
# vi /usr/local/maldetect/conf.maldet


Sample Configuration
Here is the my sample configuration file.
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="tecmint.com@gmail.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500


Step 4: Manual Scans and Usage
If you would like to scan user’s Home directory, then simply issue following command.
# maldet --scan-all /home


You performed a scan but failed to turn on the quarantine option, don’t worry just use the following command to turn on and quarantine all previous malware scan results.
# maldet --quarantine SCANID
OR
# maldet --clean SCANID


Step 5: Daily Scans
By default installation keeps LMD script under /etc/cron.daily/maldet and it is used to perform a daily
scans, update of signatures, quarantine etc, and sends a daily report of malware scan to your specified emails. If you need to add additional paths to be scanned, then you should edit this file accordingly to your requirements.
# vi /etc/cron.daily/maldet


If you like this article, please share with your friends and do leave comments.