Featured Maldet - Linux Malware Detect Addon (discussion)

Ahmad · Dec 19, 2015

eva2000 said: ↑
can you check if your config file has
Code:
quar_hits=1
or
Code:
quar_hits="1"
Click to expand...
Neither
Code:
[ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="0"
Update: [root@server maldetect]# cat conf.maldet ## # Linux Malware Detect v1.5 # - Pastebin.com the complete config file (quar options are adjusted by me, they were set to 0 as well)

eva2000 · Dec 19, 2015

yeah looks like they changed to double quotes there too so updated stable and beta branches to account for it update addons/maldet.sh addon · centminmod/centminmod@3e2d8be · GitHub

Ahmad · Dec 19, 2015

eva2000 said: ↑

yeah looks like they changed to double quotes there too so updated stable and beta branches to account for it update addons/maldet.sh addon · centminmod/centminmod@3e2d8be · GitHub
Click to expand...

Shouldn't it be quarantine_hits and not quar_hits though?
Code:
[root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quar_hits
[root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quarantine_hits
quarantine_hits="1"
# [NOTE: quarantine_hits=1 required]
# [NOTE: quarantine_hits=1 required]

eva2000 · Dec 19, 2015

can you post a sanitized copy of your /usr/local/maldetect/conf.maldet to gist or pastebin seems the config file settings might have changed from what i posted in 1st post of this thread. Is this on centos 6 or 7 ?

Ahmad · Dec 19, 2015

eva2000 said: ↑

can you post a sanitized copy of your /usr/local/maldetect/conf.maldet to gist or pastebin seems the config file settings might have changed from what i posted in 1st post of this thread. Is this on centos 6 or 7 ?
Click to expand...

Yup it has indeed changed. Running CentOS 7.2 but checked on my CentOS 6 server and the config is the same. Seems to have changed in some version of maldetect.
# [ EMAIL ALERTS ] ## # The default email alert toggle # [0 = disabled, 1 = e - Pastebin.com

eva2000 · Dec 19, 2015

more updates to come i guess

updated Beta Branch - update addons/maldet.sh | Centmin Mod Community

Ahmad · Dec 21, 2015

Using clamdscan returns a permission error for me, the capital X also doesn't seem to adjust the permissions.

Code:

#!/bin/bash

sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf

cat >/etc/pure-ftpd/clamscan.sh<< EOF
#!/bin/bash
/usr/bin/clamscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
EOF

chmod +x /etc/pure-ftpd/clamscan.sh

pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh

echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local

service pure-ftpd restart

then chmod +x and run script

Code:

chmod +x setup-callupload.sh
./setup-callupload.sh

In short, if this doesn't work for anyone, try to change clamdscan to clamscan and the capital X to x.

eva2000 · Dec 21, 2015

nice find a typo ! x not X !

negative · Jan 8, 2016

I've started to using maldet today and when i look the "/usr/local/maldetect/conf.maldet" configuration file, i can't see or find these values like;
Code:
email_subj="maldet alert from $(hostname)"
and
Code:
# [ QUARANTINE OPTIONS ]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
why? They are default and not important on latest version?

eva2000 · Jan 8, 2016

negative said: ↑
I've started to using maldet today and when i look the "/usr/local/maldetect/conf.maldet" configuration file, i can't see or find these values like;
Code:
email_subj="maldet alert from $(hostname)"
and
Code:
# [ QUARANTINE OPTIONS ]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
why? They are default and not important on latest version?
Click to expand...
what OS centos 6 or 7 ? as posted earlier in thread https://community.centminmod.com/posts/22618/ and https://community.centminmod.com/posts/22623/ seems some changes occured

post to pastebin.com or gist.github.com the contents of your /usr/local/maldetect/conf.maldet as it stands now

negative · Jan 8, 2016

Centos 7.2 and centmin mod 123.09beta01.

I installed the maldet to my another server which running on centos 6.5 and cpanel, i see these options even so. But i can't see these options from centmin mod maldet installer.

eva2000 · Jan 8, 2016

negative said: ↑

Centos 7.2 and centmin mod 123.09beta01.

I installed the maldet to my another server which running on centos 6.5 and cpanel, i see these options even so. But i can't see these options from centmin mod maldet installer.
Click to expand...

added a note to first post too https://community.centminmod.com/posts/3761/ for changes in variables

centmin mod maldet addon just installs official maldet so config options are whatever maldet's recent version supplies and is accounted for already in maldet.sh addon from updates done 20 days ago - history for maldet.sh addon commits at History for addons/maldet.sh - centminmod/centminmod · GitHub

arlon · Dec 12, 2016

how to update my clamav? yum update doesn't work

Code:

 freshclam
ClamAV update process started at Mon Dec 12 12:10:33 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.4 Recommended version: 0.99.2

eva2000 · Dec 12, 2016

You only update clamav definitions not the version as you can't update the version as it's using clamav rpmforge package which does not have a newer version that 0.98.4. 0.99.2 is not available in rpmforge yum repo. Other yum repo's clamav packages maybe newer but their file and directory structure differs and can break a few things for centmin mod.

Sunka · Jan 17, 2017

clamav use about 500MB ram all the time.
Is it wise to stop clamav and (somehow) start only when need it (when maldet need it)?
So, how to stop clamav from automatic start on boot
How to stop it right now
How to start it right now

Colin · Jan 17, 2017

Code:
systemctl status clamd
Should get you a status, then swap status for stop or start.

Is 500MB alot of ram, whats your total?

eva2000 · Jan 18, 2017

Sunka said: ↑

clamav use about 500MB ram all the time.
Is it wise to stop clamav and (somehow) start only when need it (when maldet need it)?
So, how to stop clamav from automatic start on boot
How to stop it right now
How to start it right now
Click to expand...

yes clamav and maldet will use quite a bit of memory. Price you pay for security and keeping clean

Sunka · Jan 18, 2017

Code:

------------------------------------------------------------------
 Centmin Mod Quick Info:
------------------------------------------------------------------
Server Location Info

  ip: 94.237.29.18
  city: Paderborn
  region: North Rhine-Westphalia
  country: DE

Processors physical = 4, cores = 4, virtual = 4, hyperthreading = no

      4  2999.998
      4  Intel(R) Xeon(R) CPU E5-2687W v4 @ 3.00GHz
      4  30720 KB

 System Up Since:       2016-12-31 03:40:19
 System Uptime:         up 2 weeks, 3 days, 12 hours, 58 minutes
 MySQL Server Started   2017-01-10 04:01:45
 MySQL Uptime:          7 days 12 hours 36 min 43 sec
 MySQL Uptime (secs):   650203
 Server Type:           kvm
 CentOS Version:        7.3
 Centmin Mod:           1.2.3-eva2000.09.001
 Nginx PageSpeed:       OFF
 Nginx Version:         1.11.8
 PHP-FPM Version:       7.1.0
 MariaDB Version:       10.1.20
 CSF Firewall:          v9.28
 Memcached Server:      1.4.33
 NSD Version:           66:
 Siege Version:         4.0.2
 Maldet Version:        v1.5
 ClamAV Version:        0.98.4
 ElasticSearch:         5.1.2
------------------------------------------------------------------

Code:

[root@upcloud ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           3790        2748         175         139         866         532
Swap:          1023        1022           1

4GB is total

2Gb for mysql
0,5GB for elasticsearch

Code:

[root@upcloud ~]# systemctl status clamd -l
â— clamd.service - SYSV: Clam AntiVirus Daemon is a TCP/IP or socket protocol server.
   Loaded: loaded (/etc/rc.d/init.d/clamd; bad; vendor preset: disabled)
   Active: active (running) since Mon 2017-01-09 12:15:30 CET; 1 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
 Main PID: 11994 (clamd)
   CGroup: /system.slice/clamd.service
           â””â”€11994 clamd

Jan 17 14:52:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:02:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:32:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:42:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:52:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:02:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.

It seems that run every 10 minutes, but 500MB ram is consumed all the time

Any chance to setup in that way so it uses 500MB but not all the time?

eva2000 · Jan 18, 2017

AFAIK, that's normal for clamav which is used by maldet as a speedier scanner as outlined at https://community.centminmod.com/posts/3761/ but you can also read that link to disable clamav and let maldet natively scan instead - it's alot slower though as Clamav scanner is 4x times faster than maldet native scanner.

in /usr/local/maldetect/conf.maldet disable clamav
Code (Text):
# Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=0
then disable clamd service
Code (Text):
service clamd stop
chkconfig clamd off

Sunka · Jan 18, 2017

Maldet is not in real time? I mean, it is not scanning 0/24h in real time.
If not, is it possible to enable automatically clamd service when maldet need it?

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Featured Maldet - Linux Malware Detect Addon (discussion)

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

negative Active Member

eva2000 Administrator Staff Member

negative Active Member

eva2000 Administrator Staff Member

arlon Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Colin Premium Member Premium Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Featured Maldet - Linux Malware Detect Addon (discussion)

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

Ahmad Active Member

eva2000 Administrator Staff Member

negative Active Member

eva2000 Administrator Staff Member

negative Active Member

eva2000 Administrator Staff Member

arlon Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Colin Premium Member Premium Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.