/ Register

Learn about Centmin Mod LEMP Stack today
Become a Member

Featured Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

Tags:
Previous Thread Next Thread
Loading...
Page 4 of 7
  1. Dec 19, 2015 #61
    Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    12:38 PM
    1.9.9
    10.1.10
    Neither
    Code:
    [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quarantine_hits="0"
    Update: [root@server maldetect]# cat conf.maldet ## # Linux Malware Detect v1.5 # - Pastebin.com the complete config file (quar options are adjusted by me, they were set to 0 as well)
     
  2. Dec 19, 2015 #62
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
  3. Dec 19, 2015 #63
    Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    12:38 PM
    1.9.9
    10.1.10
    Shouldn't it be quarantine_hits and not quar_hits though?
    Code:
    [root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quar_hits
[root@server ~]# cat /usr/local/maldetect/conf.maldet | grep quarantine_hits
quarantine_hits="1"
# [NOTE: quarantine_hits=1 required]
# [NOTE: quarantine_hits=1 required]
     
  4. Dec 19, 2015 #64
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    can you post a sanitized copy of your /usr/local/maldetect/conf.maldet to gist or pastebin seems the config file settings might have changed from what i posted in 1st post of this thread. Is this on centos 6 or 7 ?
     
  5. Dec 19, 2015 #65
    Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    12:38 PM
    1.9.9
    10.1.10
    Yup it has indeed changed. Running CentOS 7.2 but checked on my CentOS 6 server and the config is the same. Seems to have changed in some version of maldetect.
    # [ EMAIL ALERTS ] ## # The default email alert toggle # [0 = disabled, 1 = e - Pastebin.com
     
  6. Dec 19, 2015 #66
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    Last edited: Dec 19, 2015
  7. Dec 21, 2015 #67
    Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    12:38 PM
    1.9.9
    10.1.10
    Using clamdscan returns a permission error for me, the capital X also doesn't seem to adjust the permissions.
    Code:
    #!/bin/bash

sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf

cat >/etc/pure-ftpd/clamscan.sh<< EOF
#!/bin/bash
/usr/bin/clamscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
EOF

chmod +x /etc/pure-ftpd/clamscan.sh

pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh

echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local

service pure-ftpd restart
    then chmod +x and run script
    Code:
    chmod +x setup-callupload.sh
./setup-callupload.sh
    In short, if this doesn't work for anyone, try to change clamdscan to clamscan and the capital X to x.
     
  8. Dec 21, 2015 #68
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    nice find a typo ! x not X !
     
  9. Jan 8, 2016 #69
    negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    1:38 PM
    1.9.10
    10.1.11
    I've started to using maldet today and when i look the "/usr/local/maldetect/conf.maldet" configuration file, i can't see or find these values like;

    Code:
    email_subj="maldet alert from $(hostname)"
    and

    Code:
    # [ QUARANTINE OPTIONS ]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

    why? They are default and not important on latest version?
     
  10. Jan 8, 2016 #70
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    what OS centos 6 or 7 ? as posted earlier in thread https://community.centminmod.com/posts/22618/ and https://community.centminmod.com/posts/22623/ seems some changes occured

    post to pastebin.com or gist.github.com the contents of your /usr/local/maldetect/conf.maldet as it stands now
     
  11. Jan 8, 2016 #71
    negative

    negative Active Member

    415
    50
    28
    Apr 11, 2015
    Ratings:
    +98
    Local Time:
    1:38 PM
    1.9.10
    10.1.11
    Centos 7.2 and centmin mod 123.09beta01.

    I installed the maldet to my another server which running on centos 6.5 and cpanel, i see these options even so. But i can't see these options from centmin mod maldet installer.
     
  12. Jan 8, 2016 #72
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    added a note to first post too https://community.centminmod.com/posts/3761/ for changes in variables

    centmin mod maldet addon just installs official maldet so config options are whatever maldet's recent version supplies and is accounted for already in maldet.sh addon from updates done 20 days ago - history for maldet.sh addon commits at History for addons/maldet.sh - centminmod/centminmod · GitHub
     
  13. Dec 12, 2016 #73
    arlon

    arlon Member

    92
    6
    8
    Feb 20, 2016
    Ratings:
    +12
    Local Time:
    5:38 PM
    1.13.6
    10.1
    how to update my clamav? yum update doesn't work
    Code:
     freshclam
ClamAV update process started at Mon Dec 12 12:10:33 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.4 Recommended version: 0.99.2
     
  14. Dec 12, 2016 #74
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    You only update clamav definitions not the version as you can't update the version as it's using clamav rpmforge package which does not have a newer version that 0.98.4. 0.99.2 is not available in rpmforge yum repo. Other yum repo's clamav packages maybe newer but their file and directory structure differs and can break a few things for centmin mod.
     
  15. Jan 17, 2017 #75
    Sunka

    Sunka Well-Known Member

    1,150
    323
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +521
    Local Time:
    12:38 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    clamav use about 500MB ram all the time.
    Is it wise to stop clamav and (somehow) start only when need it (when maldet need it)?
    So, how to stop clamav from automatic start on boot
    How to stop it right now
    How to start it right now
     
  16. Jan 17, 2017 #76
    Colin

    Colin Premium Member Premium Member

    185
    56
    28
    Oct 7, 2015
    Sheffield UK
    Ratings:
    +147
    Local Time:
    11:38 AM
    1.19.#
    MariaDB 10.1.#
    Code:
    systemctl status clamd
    Should get you a status, then swap status for stop or start.

    Is 500MB alot of ram, whats your total?
     
  17. Jan 18, 2017 #77
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    yes clamav and maldet will use quite a bit of memory. Price you pay for security and keeping clean :)
     
  18. Jan 18, 2017 #78
    Sunka

    Sunka Well-Known Member

    1,150
    323
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +521
    Local Time:
    12:38 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Code:
    ------------------------------------------------------------------
 Centmin Mod Quick Info:
------------------------------------------------------------------
Server Location Info

  ip: 94.237.29.18
  city: Paderborn
  region: North Rhine-Westphalia
  country: DE

Processors physical = 4, cores = 4, virtual = 4, hyperthreading = no

      4  2999.998
      4  Intel(R) Xeon(R) CPU E5-2687W v4 @ 3.00GHz
      4  30720 KB

 System Up Since:       2016-12-31 03:40:19
 System Uptime:         up 2 weeks, 3 days, 12 hours, 58 minutes
 MySQL Server Started   2017-01-10 04:01:45
 MySQL Uptime:          7 days 12 hours 36 min 43 sec
 MySQL Uptime (secs):   650203
 Server Type:           kvm
 CentOS Version:        7.3
 Centmin Mod:           1.2.3-eva2000.09.001
 Nginx PageSpeed:       OFF
 Nginx Version:         1.11.8
 PHP-FPM Version:       7.1.0
 MariaDB Version:       10.1.20
 CSF Firewall:          v9.28
 Memcached Server:      1.4.33
 NSD Version:           66:
 Siege Version:         4.0.2
 Maldet Version:        v1.5
 ClamAV Version:        0.98.4
 ElasticSearch:         5.1.2
------------------------------------------------------------------
    Code:
    [root@upcloud ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           3790        2748         175         139         866         532
Swap:          1023        1022           1
    4GB is total

    2Gb for mysql
    0,5GB for elasticsearch

    Code:
    [root@upcloud ~]# systemctl status clamd -l
â— clamd.service - SYSV: Clam AntiVirus Daemon is a TCP/IP or socket protocol server.
   Loaded: loaded (/etc/rc.d/init.d/clamd; bad; vendor preset: disabled)
   Active: active (running) since Mon 2017-01-09 12:15:30 CET; 1 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
 Main PID: 11994 (clamd)
   CGroup: /system.slice/clamd.service
           └─11994 clamd

Jan 17 14:52:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:02:36 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:32:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:42:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 15:52:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:02:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:12:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
Jan 17 16:22:37 upcloud.pijanitvor.com clamd[11994]: SelfCheck: Database status OK.
    It seems that run every 10 minutes, but 500MB ram is consumed all the time


    Any chance to setup in that way so it uses 500MB but not all the time?


    Capture.PNG
     
  19. Jan 18, 2017 #79
    eva2000

    eva2000 Administrator Staff Member

    49,875
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    8:38 PM
    Nginx 1.21.x
    MariaDB 10.x
    AFAIK, that's normal for clamav which is used by maldet as a speedier scanner as outlined at https://community.centminmod.com/posts/3761/ but you can also read that link to disable clamav and let maldet natively scan instead - it's alot slower though as Clamav scanner is 4x times faster than maldet native scanner.

    in /usr/local/maldetect/conf.maldet disable clamav
    Code (Text):
    # Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=0

    then disable clamd service
    Code (Text):
    service clamd stop
chkconfig clamd off
     
  20. Jan 18, 2017 #80
    Sunka

    Sunka Well-Known Member

    1,150
    323
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +521
    Local Time:
    12:38 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Maldet is not in real time? I mean, it is not scanning 0/24h in real time.
    If not, is it possible to enable automatically clamd service when maldet need it?
     
Previous Thread Next Thread
Loading...
Page 4 of 7

.