Linux Malware

Objective

Install Linux Malware Detector (LMD) on CentOS 6, schedule scans and send the reports by e-mail.

Scenario

Linux distro: CentOS 6.5 (x86_64)
LMD version: 1.4.2
SELinux: yes

Installing Linux Malware Detector

Download the latest available version of LMD from the official site:

[root@lmd_test tmp]# cd /tmp
[root@lmd_test tmp]#
[root@lmd_test tmp]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
....
....
....
2014-04-07 19:53:30 (491 KB/s) - "maldetect-current.tar.gz" salvato [811467/811467]

Unpack the archive and install the Linux Malware Detector software:

[root@lmd_test tmp]# tar xvfz maldetect-current.tar.gz
maldetect-1.4.2/
maldetect-1.4.2/CHANGELOG
maldetect-1.4.2/cron.daily
maldetect-1.4.2/README
....
....
...
maldetect-1.4.2/.ca.def
maldetect-1.4.2/install.sh

[root@lmd_test tmp]# cd maldetect-1.4.2/

[root@lmd_test maldetect-1.4.2]# ./install.sh
Linux Malware Detect v1.4.2
 (C) 2002-2013, R-fx Networks <[email protected]>
 (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1574): {sigup} performing signature update check...
maldet(1574): {sigup} local signature set is version 201205035915
maldet(1574): {sigup} new signature set (201404059860) available
maldet(1574): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
maldet(1574): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
maldet(1574): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
maldet(1574): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
maldet(1574): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
maldet(1574): {sigup} signature set update completed
maldet(1574): {sigup} 11669 signatures (9783 MD5 / 1886 HEX)

Manual scan with Linux Malware Detector

Assuming you want to scan the “/web” directory, type:

[root@lmd_test maldetect-1.4.2]# maldet --scan-all /web
Linux Malware Detect v1.4.2
 (C) 2002-2013, R-fx Networks <[email protected]>
 (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(1683): {scan} signatures loaded: 11669 (9783 MD5 / 1886 HEX)
maldet(1683): {scan} building file list for /web, this might take awhile...
maldet(1683): {scan} file list completed, found 9815 files...
maldet(1683): {scan} 9815/9815 files scanned: 0 hits 0 cleaned
maldet(1683): {scan} scan completed on /web: files 9815, malware hits 0, cleaned hits 0
maldet(1683): {scan} scan report saved, to view run: maldet --report 040714-1155.1683

To read the report in detail, refer to the last line of the scan output:

maldet(1683): {scan} scan report saved, to view run: maldet --report 040714-1155.1683

Scheduling scans and sending reports

The LMD installation automatically creates a daily cron job; the relevant file is “/etc/cron.daily/maldet”.

With your preferred editor, replace the path of the directory to check by changing the file from this:

# scan default apache docroot paths
if [ -d "/var/www/html" ]; then
        /usr/local/maldetect/maldet -b -r /var/www/html 2 >> /dev/null 2>&1
fi

to this:

# scan default apache docroot paths
# -b runs the scan in the background; -r PATH DAYS scans only files
# changed in the last DAYS days (here: /web, last 2 days)
if [ -d "/web" ]; then
        /usr/local/maldetect/maldet -b -r /web 2 >> /dev/null 2>&1
fi

If you want to receive the scan report by e-mail, you need to change a few options in the configuration file “/usr/local/maldetect/conf.maldet”, in particular the following (enable email_alert and set email_addr to the recipient address):

##
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0
# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=1
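As an added example (not part of this page or of the LMD project), the POSIX sh functions below parse the summary lines maldet prints at the end of a scan (the "scan completed" and "scan report saved" lines shown above) and apply the same rule as email_ignore_clean: with it set to 1, a report whose hits were all cleaned does not trigger an alert. The scan output is constructed for the example; a cron wrapper could use these functions to decide whether to mail the report.

```shell
#!/bin/sh
# Constructed sample output, modelled on the scan shown above (not a real scan).
SAMPLE_OUTPUT='maldet(1683): {scan} signatures loaded: 11669 (9783 MD5 / 1886 HEX)
maldet(1683): {scan} building file list for /web, this might take awhile...
maldet(1683): {scan} 9815/9815 files scanned: 2 hits 1 cleaned
maldet(1683): {scan} scan completed on /web: files 9815, malware hits 2, cleaned hits 1
maldet(1683): {scan} scan report saved, to view run: maldet --report 040714-1155.1683'

# Number of malware hits from the "scan completed" line (empty if absent).
maldet_hits() {
    printf '%s\n' "$1" | sed -n 's/.*malware hits \([0-9]*\),.*/\1/p' | tail -n 1
}

# Number of cleaned hits from the same line.
maldet_cleaned() {
    printf '%s\n' "$1" | sed -n 's/.*cleaned hits \([0-9]*\).*/\1/p' | tail -n 1
}

# Report ID from the "scan report saved" line, usable with "maldet --report".
maldet_report_id() {
    printf '%s\n' "$1" | sed -n 's/.*maldet --report \([0-9A-Za-z.-]*\).*/\1/p' | tail -n 1
}

# Returns 0 (true) when the scan should be reported by e-mail.
# $1 = scan output, $2 = email_ignore_clean value (0 or 1).
maldet_needs_alert() {
    hits=$(maldet_hits "$1"); cleaned=$(maldet_cleaned "$1")
    hits=${hits:-0}; cleaned=${cleaned:-0}
    if [ "$2" = "1" ]; then
        [ "$hits" -gt "$cleaned" ]   # alert only if some hit is still uncleaned
    else
        [ "$hits" -gt 0 ]            # alert on any hit at all
    fi
}

# Stand-alone demonstration on the constructed output.
if maldet_needs_alert "$SAMPLE_OUTPUT" 1; then
    printf 'alert: %s hits, %s cleaned, report %s\n' \
        "$(maldet_hits "$SAMPLE_OUTPUT")" "$(maldet_cleaned "$SAMPLE_OUTPUT")" \
        "$(maldet_report_id "$SAMPLE_OUTPUT")"
fi
```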

Real-time monitoring

Among its features, LMD also offers real-time scanning; to enable it, just run the command:

maldet --monitor /web

Quarantine

By default LMD's quarantine is not active; to enable it, just change one parameter in the configuration file:

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1