Securing your server with maldet

Securing your server with maldet

Linux Malware Detect (https://github.com/rfxn/linux-malware-detect) is a great tool allowing to scan and clean Linux servers from malware. Whether you run Drupal, WordPress or Joomla, it runs in the background and monitors all traffic by system users, blocking malicious patterns. It is incredibly useful if your website is spamming.

In a more recent post, Drupal ClamAV module vs maldet to eliminate malware in uploaded files, I outlined using Drupal ClamAV module with ClamAV to scan uploaded files for malware and virus.

In addition to the normal user monitoring, it could be plugged into mod_security and provide great WAF (Web Application Firewall) protection. Whenever a file is getting uploaded to your server, maldet scans it for known malware and blocks all attempts to upload files that contain malware. Whether an infected file is uploaded via a known vulnerability in your application, maldet ensures such file is not stored in the filesystem.

If your server has ClamAV installed, maldet automatically detects it’s availability and uses ClamAV engine to scan files and monitor user traffic in addition to its own.

In my experience working with clean or compromised servers, adding maldet helps to stop the compromise immediately and buys you some time to clean the compromised files.

How to install maldet

Whether you have CentOS, Ubuntu or Debian, maldet is very easy to install. I will be covering installation of maldet in CentOS 7.x system

SSH into your server as root and execute:

Installing required repositories and packages first

yum -y install epel-release

Ensure maldet can send email notifications:

yum -y install mailx

Now we could download and install maldet

cd /tmp 
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz 
tar -xzvf maldetect-current.tar.gz

Based on the current version (1.5 at the time of writing this article), the command may require navigating to a different folder

cd maldetect-1.5 
./install.sh

At this point, ou should have maldet installed. It creates a daily cronjob to update itself and malware signatures, however, to ensure it starts on server reboot, add this to your crontab:

crontab -e

Add this line to the end of the file:

@reboot /usr/local/sbin/maldet --monitor users

To configure maldet to send email notifications:

cd /usr/local/maldetect/ 
vim conf.maldet

Enable email alerting:

email_alert="1"

Enable ClamAV: scan_clamscan="1"

Run your first malware scan with maldet

maldet -a /var/www/html

or

maldet -a /home/

When the scan is complete, maldet will provide you with the report ID which you could review by executing

maldet --report [report-id]

Monitoring directories with maldet

To monitor a directory with maldet, execute

maldet -m /var/www/html/

Monitoring all users with maldet

If you prefer to monitor all user activity on your server, rather than folder monitoring, execute

maldet -m users

Enable all file uploads scan with maldet

Enable user access to the maldet scanner.

vim /usr/local/maldetect/conf.maldet
# Set scan_user_access to 1 to enable ModSecurity upload scanner to work.
scan_user_access="0"

To ensure any file loaded to your server is scanned for malware, let’s create a ModSecurity rule and add it to the Apache web server. This will create basic high-performance WAF to protect your entire server (and all websites running) from malware uploads.

Install ModSecurity

yum --enablerepo=epel install mod_security -y

If you manage a cPanel server, you have to install mod_security via EasyApache.

Next, let’s create a ModSecurity rule that uses maldet to scan all files uploaded to your server. Based on your setup the path below may differ.

vim /etc/httpd/modsecurity.d/00_maldet.conf

Copy and paste the following content into the 00_maldet.conf file:

SecRequestBodyAccess On SecTmpSaveUploadedFiles On SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99,msg:'Malware found'"

Test your Apache configuration

apachectl -t

If Apache configuration has no errors, restart Apache webserver

systemctl restart httpd

To monitor maldet activity blocking malware, tail the log file

tail -f /var/log/httpd/modsec_audit.log

At this point you have your entire server protected by maldet Malware Detection engine.

Enjoy!!!

Posted in Server Security and tagged , .

One Comment

  1. Pingback: Drupal ClamAV module vs maldet to eliminate malware in uploaded files | Ivan Grynenko

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.