30th August 2012, 09:19
felan
Linux Malware Detect on Debian 6 with ISPConfig 3

I just added this system to two production servers and felt like sharing this with the rest of you. The system is pretty good at detecting malware in websites. Hope you will all enjoy it.
-----
To install maldet

1. Install

First we need to install inotify-tools

apt-get install inotify-tools

Now we are ready to install maldetect. Run the following commands.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh


2. Configuring your system.

First we need to modify the main script to work with Debian.

Edit
vi /usr/local/maldetect/maldet

Replace the line that starts with $nice in the main maldet script with the following:
$nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &

Close and save.

Edit
vi /usr/local/maldetect/internals.conf

Find inotify= and change the value to /usr/bin/inotifywait

Next delete inotifywait and libinotifytools.so.0

rm -rf /usr/local/maldetect/inotify/inotifywait
rm -rf /usr/local/maldetect/inotify/libinotifytools.so.0

Next step is to make sure that the cronjob works as it should.

vi /etc/cron.daily/maldet

Comment out
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

This prevents it from upgrading itself. If it does, all the changes we've just made will disappear. It is better to upgrade manually until we get proper Debian support in the package.

Next comment out
/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1

Add this beneath instead.
# Instead use ISPConfig 3 path var/www
/usr/local/maldetect/maldet -b -r /var/www

Comment out these lines as well, as they are not needed.
if [ -d "/var/www/html" ]; then
/usr/local/maldetect/maldet -b -r /var/www/html 2
fi
if [ -d "/usr/local/apache/htdocs" ]; then
/usr/local/maldetect/maldet -b -r /usr/local/apache/htdocs 2
fi

Save and quit.

If you want to run maldetect as a monitor, type
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist

If you want to run the monitor at boot, we need to add some paths.
Now to add some paths to scan and monitor.

vi /usr/local/maldetect/maldetfilelist

Insert
/var/www/clients

Edit /etc/rc.local
vi /etc/rc.local

Insert
/usr/local/maldetect/maldet -m /usr/local/maldetect/maldetfilelist
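As an added example that is not part of the original post, the POSIX shell script below checks that the Debian adjustments described above are still in place on a maldet tree (for instance after someone re-enabled the self-update). It assumes the file layout used in the post (internals.conf and the maldet script in one directory, plus the cron.daily file) and builds a constructed sample tree to run against.

```shell
#!/bin/sh
# Added example, not the post's or the maldet project's own code: verify that
# the manual Debian adjustments survived. Every path is a parameter, so it can
# be pointed at /usr/local/maldetect and /etc/cron.daily/maldet on a real host.

# internals.conf must point inotify= at the system inotifywait.
check_inotify_path() {
    grep -q '^inotify=/usr/bin/inotifywait' "$1"
}

# The bundled inotifywait must be gone, or maldet keeps using the broken copy.
check_bundled_removed() {
    [ ! -e "$1/inotify/inotifywait" ] && [ ! -e "$1/inotify/libinotifytools.so.0" ]
}

# The self-update line (maldet -d) must be commented out in the daily cron,
# otherwise the next run overwrites the edited script.
check_no_selfupdate() {
    ! grep -q '^[[:space:]]*/usr/local/maldetect/maldet -d' "$1"
}

# The daily scan must target the ISPConfig web root.
check_scan_path() {
    grep -q '^[[:space:]]*/usr/local/maldetect/maldet -b -r /var/www' "$1"
}

# The inotify line must carry a real --format flag; copying from a web page
# often turns the double dash into an en-dash, which inotifywait does not
# recognise as an option.
check_format_flag() {
    grep -q -- '--format "%w%f %e %T"' "$1"
}

# run_all_checks MALDET_DIR CRON_FILE: succeeds only if every check passes.
run_all_checks() {
    check_inotify_path "$1/internals.conf" && check_bundled_removed "$1" &&
    check_no_selfupdate "$2" && check_scan_path "$2" && check_format_flag "$1/maldet"
}

# Constructed sample mirroring the post's end state (not a real install).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/maldetect/inotify"
    echo 'inotify=/usr/bin/inotifywait' > "$d/maldetect/internals.conf"
    cat > "$d/maldetect/maldet" <<'EOF'
$nice -n $inotify_nice $inotify -r --fromfile $inotify_fpaths $exclude --timefmt "%d %b %H:%M:%S" --format "%w%f %e %T" -m -e create,move,modify >> $inotify_log 2>&1 &
EOF
    printf '#%s\n%s\n' '/usr/local/maldetect/maldet -d >> /dev/null 2>&1' \
        '/usr/local/maldetect/maldet -b -r /var/www' > "$d/cron"
    echo "$d"
}
```

Run it against a real host with `run_all_checks /usr/local/maldetect /etc/cron.daily/maldet` and act on a non-zero exit from your monitoring.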