Real-time Malware Scanning for Virtualmin with Linux Malware Detect

Install and configure Linux Malware Detect (LMD or maldet) to protect your Virtualmin powered VPS against malware infections.

One of the biggest challenges of maintaining a web server is keeping it safe from all the hackers out there. Although we can implement many security features on our VPS, hackers sometimes find their way through them due to poorly coded or outdated web applications. But you can still protect your VPS in such situations by enabling real-time malware scanning for Virtualmin and your VPS.

Linux Malware Detect (LMD) is a malware scanner for Linux-based systems. We can use it to protect our Ubuntu 16.04 VPS against commonly known malware. In this tutorial, we’ll configure Linux Malware Detect with the ClamAV antivirus engine and inotify to enable real-time protection against malware.

Before you start, make sure you have Virtualmin up and running. You can use my tutorial to install Virtualmin on an Ubuntu 16.04 VPS with nginx.

Install Linux Malware Detect (LMD) on Ubuntu 16.04 VPS

As the subtitle hints, this section has nothing to do with Virtualmin specifically: this is how anyone would install Linux Malware Detect on an Ubuntu 16.04 VPS. You need to be logged in as the root user for this whole tutorial. Let’s install the latest version of maldet on our Ubuntu 16.04 VPS.

Navigate to the /opt directory,

cd /opt

Download the latest version of Linux Malware Detect,

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the downloaded file,

tar -xzvf maldetect-current.tar.gz

Navigate to the extracted directory,

cd maldetect-*

Install maldet,

./install.sh

This installs maldet on your Ubuntu 16.04 VPS and updates the signature database. Next, there are a few settings we need to adjust in maldet.

Configure Linux Malware Detect (LMD) on Ubuntu 16.04 VPS

Open the maldet main configuration file with the nano text editor,

nano /usr/local/maldetect/conf.maldet

The configuration file is well commented, so you can go ahead and read about each and every option. In most cases, I only make the following changes.

# Enable Email Alerting
email_alert="1"

# Email Address in which you want to receive scan reports
email_addr="name@domain.com"

# Disable daily cron
cron_daily_scan="0"

# Move threats to quarantine
quarantine_hits="1"

# Clean string based malware injections
quarantine_clean="1"

# Suspend user if malware found
quarantine_suspend_user="1"

# Minimum userid value that can be suspended
quarantine_suspend_user_minuid="500"

The above configuration requires you to have ClamAV installed. It should already be installed if you’ve built your Ubuntu 16.04 VPS with Virtualmin. But if you don’t have it for whatever reason, you can install ClamAV with the following command.

apt install clamav clamav-daemon
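A quick way to confirm that a conf.maldet really carries the values above, and that the alert address was changed from the placeholder, is to audit the file from a script. The following is an added shell example written for this page, not part of the tutorial or of LMD; the key names are those shown above and the sample configuration file is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial or from LMD): audit a conf.maldet-style file
# against the settings the tutorial recommends. The sample file below is constructed.

# Print the value assigned to KEY in FILE (key="value" lines; comments ignored;
# the last assignment wins; surrounding double quotes are stripped).
lmd_conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Compare FILE with the tutorial's values, print every deviation and return the
# number of deviations, so 0 means the file matches the tutorial.
lmd_conf_check() {
    _file=$1; _bad=0
    for _pair in email_alert=1 cron_daily_scan=0 quarantine_hits=1 \
                 quarantine_clean=1 quarantine_suspend_user=1 \
                 quarantine_suspend_user_minuid=500; do
        _key=${_pair%%=*}; _want=${_pair#*=}
        _have=$(lmd_conf_get "$_file" "$_key")
        if [ "$_have" != "$_want" ]; then
            printf '%s: %s=%s (expected %s)\n' "$_file" "$_key" "${_have:-<unset>}" "$_want"
            _bad=$((_bad + 1))
        fi
    done
    # email_alert=1 is useless while email_addr is empty or still the tutorial's placeholder
    _addr=$(lmd_conf_get "$_file" email_addr)
    if [ -z "$_addr" ] || [ "$_addr" = "name@domain.com" ]; then
        printf '%s: email_addr is unset or still the placeholder address\n' "$_file"
        _bad=$((_bad + 1))
    fi
    return "$_bad"
}

# Constructed sample: a conf.maldet in which two settings were not changed as
# recommended and the alert address was left as the placeholder.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# Enable Email Alerting
email_alert="1"
email_addr="name@domain.com"
cron_daily_scan="1"
quarantine_hits="0"
quarantine_clean="1"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
EOF

lmd_conf_check "$SAMPLE_CONF" || echo "deviations from the tutorial: $?"
```

Run it against the real file with `lmd_conf_check /usr/local/maldetect/conf.maldet` after editing; a non-zero exit status means at least one setting still differs from what this tutorial sets.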

Enable Linux Malware Detect (LMD) Monitoring Mode

At this point, maldet does nothing, because we’ve disabled the daily scan with the above configuration. That’s okay: we’ll now enable real-time malware scanning for Virtualmin with Linux Malware Detect. To do that, we need inotify-tools, so let’s install it.

apt install inotify-tools

Now we can use maldet in monitoring mode. What we need to monitor are the public_html directories. Virtualmin creates a public_html directory inside each user’s home directory, and the public_html directories for sub-servers are inside the Domains directory, which is also a subdirectory of the user’s home directory. So monitoring the user home directories makes sense for us, because virtual server owners don’t have access outside of their respective home directories. There is a simple way to do this with maldet.

maldet --monitor /home

The above command starts maldet in monitoring mode. It scans files as they are modified or uploaded in the home directories. But since maldet isn’t a service, it won’t automatically start on system reboots; you’d have to execute the above command after each reboot, which is annoying if you have to do it yourself. So we’ll automate this with a cron job. Open the crontab with the following command,

crontab -e

Paste the following line at the bottom,

@reboot /usr/local/sbin/maldet --monitor /home

Save and close the file. You’ve successfully enabled real-time malware scanning for Virtualmin with maldet and ClamAV. You can monitor maldet detections and actions by viewing maldet’s event_log. The following command opens event_log with the nano text editor.

nano /usr/local/maldetect/logs/event_log

That concludes the instructions to enable real-time malware scanning for Virtualmin with Linux Malware Detect. Create a topic on the sysadmin forum if you have issues with the installation.

Tharindu

Hey!! I'm Tharindu. I'm from Sri Lanka. I'm a part time freelancer and this is my blog where I write about everything I think might be useful to readers. If you read a tutorial here and want to hire me, contact me here.