One of the biggest challenges of maintaining a web server is keeping it safe from all the hackers out there. Although we can implement many security features on our VPS, hackers sometimes find their way through them due to poorly coded or outdated web applications. But you can still protect your VPS in such situations by enabling real-time malware scanning for Virtualmin and your VPS.
Linux Malware Detect (LMD) is a malware scanner for Linux-based systems. We can use it to protect our Ubuntu 16.04 VPS against commonly known malware. In this tutorial, we'll configure Linux Malware Detect with the ClamAV antivirus engine and inotify to enable real-time protection against malware.
Before you start, make sure you have Virtualmin up and running. You can use my tutorial to install Virtualmin on an Ubuntu 16.04 VPS with nginx.
Install Linux Malware Detect (LMD) on Ubuntu 16.04 VPS
As the subtitle hints, this section has nothing to do with Virtualmin. This is how anyone would go about installing Linux Malware Detect on an Ubuntu 16.04 VPS. You need to be logged in as the root user for this whole tutorial. Let's install the latest version of maldet on the Ubuntu 16.04 VPS.
Navigate to the opt directory,
Download the latest version of Linux Malware Detect,
Extract the downloaded file,
tar -xzvf maldetect-current.tar.gz
Navigate to the extracted directory,
This installs maldet on your Ubuntu 16.04 VPS and updates the signature database. Next, there are a few settings we need to adjust in maldet.
Configure Linux Malware Detect (LMD) on Ubuntu 16.04 VPS
Open the maldet main configuration file with the nano text editor,
The configuration file is well commented. You can go ahead and read about each and every option. In most cases, I only make the following changes.
# Enable Email Alerting
email_alert="1"
# Email address at which you want to receive scan reports
email_addr="email@example.com"
# Disable daily cron
cron_daily_scan="0"
# Move threats to quarantine
quarantine_hits="1"
# Clean string based malware injections
quarantine_clean="1"
# Suspend user if malware found.
quarantine_suspend_user="1"
# Minimum userid value that can be suspended
quarantine_suspend_user_minuid="500"
The above configuration requires you to have ClamAV installed. It should already be installed if you built your Ubuntu 16.04 VPS with Virtualmin. But if you don't have it for whatever reason, you can install ClamAV with the following command.
apt install clamav clamav-daemon
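The configuration changes above applied from a script, as an added example that is neither the tutorial's nor the LMD project's own code: it rewrites each option in place (so it is safe to re-run and leaves the file's comments intact) and then verifies every value, which is useful for spotting a config that drifted or was restored from an old backup. The default path /usr/local/maldetect/conf.maldet and the sample config excerpt are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the conf.maldet
# changes listed above idempotently and verify that they took effect.
# Assumption: options are stored as KEY="value" lines, one per line.
MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"
SETTINGS="email_alert=1 cron_daily_scan=0 quarantine_hits=1 quarantine_clean=1 \
quarantine_suspend_user=1 quarantine_suspend_user_minuid=500"
# get_opt FILE KEY: print the current value of KEY with the quotes stripped.
get_opt() { grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'; }
# set_opt FILE KEY VALUE: rewrite the existing KEY line in place (comments
# around it survive) or append the option if the file lacks it entirely.
set_opt() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}
# apply_settings FILE EMAIL: the tutorial's changes, safe to run repeatedly.
apply_settings() {
    for pair in $SETTINGS; do set_opt "$1" "${pair%%=*}" "${pair#*=}"; done
    set_opt "$1" email_addr "$2"
}
# verify_settings FILE: return 0 only when every value is in place; print
# each mismatch so a config that drifted (e.g. restored from a backup) shows.
verify_settings() {
    rc=0
    for pair in $SETTINGS; do
        have=$(get_opt "$1" "${pair%%=*}")
        [ "$have" = "${pair#*=}" ] || { echo "mismatch: ${pair%%=*}=$have"; rc=1; }
    done
    return "$rc"
}
# make_sample_conf FILE: a constructed excerpt with stock-looking defaults so
# the functions can be exercised without touching a live server. The minuid
# option is deliberately missing to exercise the append path.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Enable Email Alerting
email_alert="0"
cron_daily_scan="1"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
EOF
}
# Run with --apply EMAIL to update the live configuration file in place.
if [ "${1:-}" = "--apply" ]; then apply_settings "$MALDET_CONF" "${2:?email address}"; fi
```

Run `verify_settings /usr/local/maldetect/conf.maldet` from a cron job or your config-management checks to be alerted when the values no longer match what you set.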
Enable Linux Malware Detect (LMD) Monitoring Mode
At this point, maldet does nothing, because we've disabled daily scans with the above configuration. That's okay: we'll now enable real-time malware scanning for Virtualmin with Linux Malware Detect. To do that, we need inotify-tools, so let's install it.
apt install inotify-tools
Now we can use maldet in monitoring mode. What we need to monitor are the public_html directories. Virtualmin creates a public_html directory inside each user's home directory, and the public_html directories of sub-servers sit inside the Domains directory, which is also a subdirectory of the user's home directory. So monitoring the user home directories makes sense for us, because virtual server owners don't have access outside their respective home directories. There is a simple way to do this with maldet.
maldet --monitor /home
The above command starts maldet in monitoring mode. It scans files as they are modified or uploaded in the home directories. But since maldet isn't a service, it won't automatically start on system reboot; you'd have to execute the above command after each reboot, which is annoying if you have to do it yourself. So we'll automate this with a cron job. Open the crontab with the following command,
Paste the following line at the bottom,
@reboot /usr/local/sbin/maldet --monitor /home
Save and close the file. You've successfully enabled real-time malware scanning for Virtualmin with maldet and ClamAV. You can monitor maldet detections and actions by viewing the maldet events_log. The following command will open events_log with the nano text editor.
That concludes the instructions to enable real-time malware scanning for Virtualmin with Linux Malware Detect. Create a topic on the sysadmin forum if you have issues with the installation.