If you’re running CentOS as a file server, you owe it to yourself and your business to ensure the files housed on that Linux machine are free from malicious code.
You will probably have Windows users connecting to that server, and the platform they use is susceptible to malware and viruses. Because of that, you must ensure those files are clean. Your best bet for managing that on CentOS is to install Linux Malware Detect (LMD) and ClamAV. I’ll walk you through the steps of installing and configuring these tools so you can rest easier knowing that your CentOS server isn’t distributing malicious files.
Note: During the installation and usage of these tools, I employ sudo. You can skip that by first switching to the root user with su and then issuing all of the commands without sudo.
Before we install LMD, three dependencies must be installed. The first is the Extra Packages for Enterprise Linux (EPEL) repository; to enable it, open a terminal window and issue the command:
sudo yum -y install epel-release
Once that installation completes, we must install mailx, which LMD uses to mail its reports to your email address. To install mailx, go back to your terminal window and issue the command:
sudo yum -y install mailx
Finally, inotify-tools must be installed so that LMD has access to the inotifywait command. From the terminal, issue the command:
sudo yum install inotify-tools
Now we’re ready to install LMD. Back at the terminal, issue the following commands:
sudo su
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
cd maldetect-XXX
(where XXX is the release number)
./install.sh
We must create a symbolic link to the LMD executable with the following two commands:
ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r
With LMD installed, it’s time to change a few configuration options. Issue the command nano /usr/local/maldetect/conf.maldet. In that file, make the following changes.
Enable the email alert by changing the value 0 to 1 in this line:
Add your email address (for notifications) here:
Enable the ClamAV clamscan binary as the default scan engine by changing the 0 to 1 on this line:
Note: You will probably already find ClamAV enabled.
Enable quarantining so that malware is automatically quarantined during the scan process. Change the 0 to 1 in this line:
Finally, enable the cleaning of string-based malware injections by changing the 0 to 1 in this line:
Save and close conf.maldet.
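Editing conf.maldet by hand works for one server, but the same five changes are easy to script and, more importantly, to verify afterwards. The following shell script is an added example, not code from the article or from the LMD project. It assumes conf.maldet keeps one key="value" assignment per line and uses the LMD key names email_alert, email_addr, scan_clamscan, quarantine_hits and quarantine_clean for the settings described above; the sample file it edits is constructed so the script runs without LMD installed.

```shell
#!/bin/sh
# Added example, not code from the article or from the LMD project: apply the
# conf.maldet settings described above idempotently and verify them afterwards.
# Assumptions: conf.maldet keeps one key="value" assignment per line and uses
# the key names email_alert, email_addr, scan_clamscan, quarantine_hits and
# quarantine_clean for the settings discussed in the text.

# get_conf FILE KEY : print the value assigned to KEY (without quotes)
get_conf() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# set_conf FILE KEY VALUE : rewrite the KEY=... line, or append it if absent.
# A temp file plus mv avoids the non-portable `sed -i` and keeps the edit atomic.
set_conf() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apply_article_settings FILE EMAIL : the five changes the walkthrough makes
apply_article_settings() {
    set_conf "$1" email_alert 1
    set_conf "$1" email_addr "$2"
    set_conf "$1" scan_clamscan 1
    set_conf "$1" quarantine_hits 1
    set_conf "$1" quarantine_clean 1
}

# verify_settings FILE EMAIL : exit 0 only if every setting has the expected value
verify_settings() {
    file=$1; email=$2; status=0
    for want in email_alert=1 scan_clamscan=1 quarantine_hits=1 quarantine_clean=1 "email_addr=$email"; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(get_conf "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key: expected '$expected', found '$actual'" >&2
            status=1
        fi
    done
    return $status
}

# make_sample_conf FILE : a constructed fragment in the style of conf.maldet
# (not the real shipped file) so the example runs without LMD installed
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample in the style of conf.maldet
email_alert="0"
email_addr="you@domain.com"
scan_clamscan="0"
quarantine_hits="0"
quarantine_clean="0"
EOF
}

# Demo run against the constructed sample; on a real server the file would be
# /usr/local/maldetect/conf.maldet.
sample=$(mktemp)
make_sample_conf "$sample"
echo "before: quarantine_hits=$(get_conf "$sample" quarantine_hits)"
apply_article_settings "$sample" admin@example.com
if verify_settings "$sample" admin@example.com; then
    echo "after: all settings verified"
fi
rm -f "$sample"
```

On a real server you would run apply_article_settings /usr/local/maldetect/conf.maldet you@example.com as root, then verify_settings with the same arguments; a non-zero exit from verify_settings names the key that did not take, which is a handy check to keep in a configuration-management run.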
Now we move onto the installation of ClamAV. From the terminal window, issue the following command:
yum -y install clamav clamav-devel
The above command will also install a number of dependencies—allow this installation process to complete.
In order to ensure this is working, we need to download a few EICAR test files to our server (harmless files built specifically so that anti-malware engines detect them). To do this, go to the terminal window and issue the following commands:
cd /var/www/html
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
wget http://www.eicar.org/download/eicarcom2.zip
Back at the terminal, issue the command maldet -a /var/www/html. When this command runs, it will find the malware, quarantine it, and report it. At the end of the scan, maldet will tell you the command to run to view the report (in the form maldet --report REPORT_NUMBER); that report lists how many hits were found as well as how many files were cleaned (Figure A).
Enabling folder monitoring
Now that we know the system is working, we need to set up folder monitoring, so you can depend upon LMD to continuously monitor the folder(s) that house your server’s files. Say you want to monitor both /var/www/html and a specific folder that houses shared company data (we’ll call it /data). To have LMD monitor these two folders (multiple directories are separated by a comma), issue the following command:
sudo maldet -m /var/www/html/,/data/
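The monitor mode relies on inotify, and inotify consumes one watch per directory, so a recursive monitor of a large tree needs at least as many watches as the tree has directories; the kernel caps that per user at fs.inotify.max_user_watches. The following shell script is an added example, not code from the article or from LMD: it validates the directories you intend to pass to maldet -m, builds the comma-separated argument, and compares the number of directories against the current watch limit so you learn about an undersized limit before the monitor silently stops covering part of the tree. The directory tree it runs on in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from LMD: sanity-check the
# directories handed to `maldet -m` and estimate the inotify watches they need.
# Assumption: inotify consumes one watch per directory, so a recursive monitor
# needs at least one watch per directory in the tree, and the kernel caps
# watches per user at fs.inotify.max_user_watches.

# count_dirs DIR : number of directories in the tree rooted at DIR, DIR included
count_dirs() {
    find "$1" -type d | wc -l | tr -d ' '
}

# monitor_list DIR... : print the comma-separated argument `maldet -m` expects,
# failing with exit 1 if any argument is not an existing directory
monitor_list() {
    list=""
    for d in "$@"; do
        [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
        list="${list:+$list,}$d"
    done
    printf '%s\n' "$list"
}

# watches_needed DIR... : directories across all the trees, i.e. the watch budget
watches_needed() {
    total=0
    for d in "$@"; do
        total=$(( total + $(count_dirs "$d") ))
    done
    echo "$total"
}

# watch_limit : per-user inotify watch cap, or empty when /proc is unavailable
watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null
}

# check_watch_budget DIR... : 0 if the limit is unknown or sufficient,
# 2 if the trees need more watches than the kernel currently allows
check_watch_budget() {
    need=$(watches_needed "$@")
    limit=$(watch_limit)
    if [ -n "$limit" ] && [ "$need" -gt "$limit" ]; then
        echo "need $need watches but fs.inotify.max_user_watches is $limit" >&2
        return 2
    fi
    echo "need $need watches, limit ${limit:-unknown}"
}

# Demo on a constructed directory tree; on a server you would pass the real
# paths, e.g. /var/www/html and /data.
demo=$(mktemp -d)
mkdir -p "$demo/html/img" "$demo/data/reports/2019"
echo "maldet -m $(monitor_list "$demo/html" "$demo/data")"
check_watch_budget "$demo/html" "$demo/data"
rm -rf "$demo"
```

If check_watch_budget reports a shortfall, raise the limit with sysctl (fs.inotify.max_user_watches) before starting the monitor; the directory count is a floor, since LMD may need a few extra watches of its own.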
Out of the box, maldet is set to generate only one report a day; you can change this by creating a new hourly cronjob. Issue the following command:
sudo nano /etc/cron.hourly/hourly_maldet_report
In this new file, add the following contents:
#!/bin/sh
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
    /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
fi
Save and close the file, then make it executable with sudo chmod +x /etc/cron.hourly/hourly_maldet_report, since cron’s run-parts skips files that are not executable. Now maldet will generate an hourly report, as long as the inotify monitor is running.
That’s it—your specified folders are being monitored by LMD and ClamAV.
A solution for every need
One of the amazing things about Linux is that, if you have a need, there is a solution; in fact, with almost every need there are multiple solutions. This combination of LMD and ClamAV is one of the best solutions for keeping your folders free of malicious files and folders.