Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. Ahmad

    Ahmad Active Member

    Code:
    [ QUARANTINE OPTIONS ]
    ##
    # The default quarantine action for malware hits
    # [0 = alert only, 1 = move to quarantine & alert]
    quarantine_hits="0"
    
Update: the complete config file is on Pastebin (link title: "[root@server maldetect]# cat conf.maldet ## # Linux Malware Detect v1.5 # - Pastebin.com"); the quar options are adjusted by me, they were set to 0 as well.

     
  2. eva2000

    eva2000 Administrator Staff Member

  3. Ahmad

    Ahmad Active Member

    Shouldn't it be quarantine_hits and not quar_hits though?
    Code:
    [root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quar_hits
    [root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quarantine_hits
    quarantine_hits="1"
    # [NOTE: quarantine_hits=1 required]
    # [NOTE: quarantine_hits=1 required]
    
     
  4. eva2000

    eva2000 Administrator Staff Member

Can you post a sanitized copy of your /usr/local/maldetect/conf.maldet to gist or pastebin? Seems the config file settings might have changed from what I posted in the 1st post of this thread. Is this on CentOS 6 or 7?
     
  5. Ahmad

    Ahmad Active Member

Yup, it has indeed changed. Running CentOS 7.2, but I checked on my CentOS 6 server and the config is the same. Seems to have changed in some version of maldetect.
Pastebin link (title: "# [ EMAIL ALERTS ] ## # The default email alert toggle # [0 = disabled, 1 = e - Pastebin.com")
     
  6. eva2000

    eva2000 Administrator Staff Member

    Last edited: Dec 19, 2015
  7. Ahmad

    Ahmad Active Member

Using clamdscan returns a permission error for me; the capital X also doesn't seem to adjust the permissions.
    Code:
#!/bin/bash

# Enable pure-ftpd's upload hook so every completed upload is handed to a script
sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf

# The hook script: scan the uploaded file with clamscan and delete it if infected.
# "\$1" is escaped so the heredoc writes a literal $1 into the generated script.
cat >/etc/pure-ftpd/clamscan.sh<< EOF
#!/bin/bash
/usr/bin/clamscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
EOF

chmod +x /etc/pure-ftpd/clamscan.sh

# Start the upload-script daemon now, and make it start again on boot
pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh

echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local

service pure-ftpd restart
    
Then chmod +x and run the script:
    Code:
    chmod +x setup-callupload.sh
    ./setup-callupload.sh
    In short, if this doesn't work for anyone, try to change clamdscan to clamscan and the capital X to x.
     
  8. eva2000

    eva2000 Administrator Staff Member

Nice find, a typo! x not X!
     
  9. negative

    negative Active Member

I've started using maldet today and when I look at the "/usr/local/maldetect/conf.maldet" configuration file, I can't see or find these values, like:

    Code:
    email_subj="maldet alert from $(hostname)"
    and

    Code:
    # [ QUARANTINE OPTIONS ]
    quar_hits=1
    
    # Try to clean string based malware injections
    # [NOTE: quar_hits=1 required]
    # [0 = disabled, 1 = clean]
    quar_clean=1
    
# The default suspend action for users with hits
    # Cpanel suspend or set shell /bin/false on non-Cpanel
    # [NOTE: quar_hits=1 required]
    # [0 = disabled, 1 = suspend account]
    quar_susp=0
    # minimum userid that can be suspended
    quar_susp_minuid=500

Why? Are they default and not important on the latest version?
     
  10. eva2000

    eva2000 Administrator Staff Member

What OS, CentOS 6 or 7? As posted earlier in the thread, https://community.centminmod.com/posts/22618/ and https://community.centminmod.com/posts/22623/, it seems some changes occurred.

Post to pastebin.com or gist.github.com the contents of your /usr/local/maldetect/conf.maldet as it stands now.
     
  11. negative

    negative Active Member

CentOS 7.2 and Centmin Mod 123.09beta01.

I installed maldet on another server of mine, which is running on CentOS 6.5 and cPanel, and I do see these options there. But I can't see these options from the Centmin Mod maldet installer.
     
  12. eva2000

    eva2000 Administrator Staff Member

Added a note to the first post too, https://community.centminmod.com/posts/3761/, for the changes in variables.

The Centmin Mod maldet addon just installs official maldet, so the config options are whatever maldet's recent version supplies, and this is accounted for already in the maldet.sh addon from updates done 20 days ago. History for the maldet.sh addon commits is at "History for addons/maldet.sh - centminmod/centminmod · GitHub".
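As an added example (not code from this thread, from Centmin Mod or from the maldet project): a small audit script that reads a conf.maldet under either naming scheme, the older quar_* names quoted above or the 1.5 quarantine_* names, and flags the case the config comments warn about, where clean or suspend is enabled while hits is not 1. The 1.5 names quarantine_clean and quarantine_suspend_user are assumed; only quarantine_hits appears in the thread, and the sample configs are constructed.

```shell
#!/bin/bash
# Added example, not from the thread or the maldet project.
# Reads a conf.maldet that may use the old quar_* names (maldet 1.4.x) or the
# new quarantine_* names (maldet 1.5). quarantine_clean and
# quarantine_suspend_user are ASSUMED to be the 1.5 names for quar_clean/quar_susp.

# Print the value of the first key found (new name, then old name), or "unset".
# The match is anchored at line start, so comment lines such as
# "# [NOTE: quarantine_hits=1 required]" (which a bare grep also returns) are
# skipped; bare (quar_hits=1) and quoted (quarantine_hits="1") values both work.
maldet_get() {  # usage: maldet_get <conf file> <new name> <old name>
    local conf="$1" key val
    for key in "$2" "$3"; do
        val=$(sed -n "s/^[[:space:]]*${key}=[\"']\{0,1\}\([0-9]*\)[\"']\{0,1\}.*/\1/p" "$conf" | tail -n 1)
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    printf 'unset\n'
}

# Report the effective quarantine settings; returns 1 when clean/suspend are
# enabled but hits is not 1, the combination the config comments say is ignored.
maldet_audit() {  # usage: maldet_audit <conf file>
    local conf="$1" hits clean susp
    hits=$(maldet_get "$conf" quarantine_hits quar_hits)
    clean=$(maldet_get "$conf" quarantine_clean quar_clean)
    susp=$(maldet_get "$conf" quarantine_suspend_user quar_susp)
    printf 'hits=%s clean=%s suspend=%s\n' "$hits" "$clean" "$susp"
    if [ "$hits" != "1" ] && { [ "$clean" = "1" ] || [ "$susp" = "1" ]; }; then
        printf 'WARN: clean/suspend enabled but quarantine_hits is not 1\n'
        return 1
    fi
    printf 'OK\n'
}

# Constructed sample configs so the script runs stand-alone (not real files).
OLD_CONF=$(mktemp)
printf '# [NOTE: quar_hits=1 required]\nquar_hits=0\nquar_clean=1\nquar_susp=0\n' > "$OLD_CONF"
NEW_CONF=$(mktemp)
printf '# [NOTE: quarantine_hits=1 required]\nquarantine_hits="1"\nquarantine_clean="1"\n' > "$NEW_CONF"

maldet_audit "$OLD_CONF" || true   # prints hits=0 clean=1 suspend=0, then WARN
maldet_audit "$NEW_CONF"           # prints hits=1 clean=1 suspend=unset, then OK
```

Run it against the real file with `maldet_audit /usr/local/maldetect/conf.maldet` to see which naming scheme your installed maldet actually uses.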
     
  13. arlon

    arlon Member

How to update my clamav? yum update doesn't work.
    Code:
     freshclam
    ClamAV update process started at Mon Dec 12 12:10:33 2016
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.98.4 Recommended version: 0.99.2
     
  14. eva2000

    eva2000 Administrator Staff Member

You only update the clamav definitions, not the version, as you can't update the version: it's using the clamav rpmforge package, which does not have a newer version than 0.98.4. 0.99.2 is not available in the rpmforge yum repo. Other yum repos' clamav packages may be newer, but their file and directory structure differs and can break a few things for Centmin Mod.
     
  15. Sunka

    Sunka Well-Known Member

clamav uses about 500MB RAM all the time.
Is it wise to stop clamav and (somehow) start it only when needed (when maldet needs it)?
So, how to stop clamav from automatically starting on boot?
How to stop it right now?
How to start it right now?
     
  16. Colin

    Colin Premium Member Premium Member

    Code:
    systemctl status clamd
    Should get you a status, then swap status for stop or start.

Is 500MB a lot of RAM? What's your total?
     
  17. eva2000

    eva2000 Administrator Staff Member

Yes, clamav and maldet will use quite a bit of memory. Price you pay for security and keeping clean :)
     
  18. Sunka

    Sunka Well-Known Member

    Code:
    ------------------------------------------------------------------
     Centmin Mod Quick Info:
    ------------------------------------------------------------------
    Server Location Info
    
      ip: 94.237.29.18
      city: Paderborn
      region: North Rhine-Westphalia
      country: DE
    
    Processors physical = 4, cores = 4, virtual = 4, hyperthreading = no
    
          4  2999.998
          4  Intel(R) Xeon(R) CPU E5-2687W v4 @ 3.00GHz
          4  30720 KB
    
     System Up Since:       2016-12-31 03:40:19
     System Uptime:         up 2 weeks, 3 days, 12 hours, 58 minutes
     MySQL Server Started   2017-01-10 04:01:45
     MySQL Uptime:          7 days 12 hours 36 min 43 sec
     MySQL Uptime (secs):   650203
     Server Type:           kvm
     CentOS Version:        7.3
     Centmin Mod:           1.2.3-eva2000.09.001
     Nginx PageSpeed:       OFF
     Nginx Version:         1.11.8
     PHP-FPM Version:       7.1.0
     MariaDB Version:       10.1.20
     CSF Firewall:          v9.28
     Memcached Server:      1.4.33
     NSD Version:           66:
     Siege Version:         4.0.2
     Maldet Version:        v1.5
     ClamAV Version:        0.98.4
     ElasticSearch:         5.1.2
    ------------------------------------------------------------------
    Code:
    [root@upcloud ~]# free -m
                  total        used        free      shared  buff/cache   available
    Mem:           3790        2748         175         139         866         532
    Swap:          1023        1022           1
4GB is total.

2GB for mysql, 0.5GB for elasticsearch.

    Code:
    [root@upcloud ~]# systemctl status clamd -l
● clamd.service - SYSV: Clam AntiVirus Daemon is a TCP/IP or socket protocol server.
       Loaded: loaded (/etc/rc.d/init.d/clamd; bad; vendor preset: disabled)
       Active: active (running) since Mon 2017-01-09 12:15:30 CET; 1 weeks 1 days ago
         Docs: man:systemd-sysv-generator(8)
     Main PID: 11994 (clamd)
       CGroup: /system.slice/clamd.service
               └─11994 clamd
    
    Jan 17 14:52:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:02:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:32:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:42:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 15:52:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 16:02:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 16:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    Jan 17 16:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
It seems that it runs every 10 minutes, but 500MB RAM is consumed all the time.


    Any chance to setup in that way so it uses 500MB but not all the time?


     
  19. eva2000

    eva2000 Administrator Staff Member

AFAIK, that's normal for clamav, which is used by maldet as a speedier scanner as outlined at https://community.centminmod.com/posts/3761/, but you can also read that link to disable clamav and let maldet natively scan instead. It's a lot slower though, as the ClamAV scanner is 4x faster than the maldet native scanner.

In /usr/local/maldetect/conf.maldet, disable clamav:
    Code (Text):
    # Attempt to detect the presence of ClamAV clamscan binary
    # and use as default scanner engine; up to four times faster
    # scan performance and superior hex analysis. This option
    # only uses ClamAV as the scanner engine, LMD signatures
    # are still the basis for detecting threats.
    # [ 0 = disabled, 1 = enabled; enabled by default ]
    clamav_scan=0

Then disable the clamd service:
    Code (Text):
    service clamd stop
    chkconfig clamd off
    
     
  20. Sunka

    Sunka Well-Known Member

Maldet is not in real time? I mean, it is not scanning 24h a day in real time.
If not, is it possible to automatically enable the clamd service when maldet needs it?