What is LMD & Why You Should Use It To Help Secure Your Linux Server
If you are a server administrator you need a way to protect the integrity of your server, in particular from sending out spam. This usually occurs when an account has been compromised. Often users will not have updated their applications to the latest version (e.g. WordPress, Joomla), or they are simply running insecure applications (e.g. remember that neat program you wrote years ago). Failure to address this can mean that malware like php backdoors and bulk mailing/spamming tools can be uploaded.
One really good tool that can help server admins to identify compromised accounts and take action quickly is LMD. LMD is short for Linux Malware Detect. It is also referred to as Maldet. LMD is a Linux based malware scanner. In this tutorial we show you how to setup and configure LMD.
Download maldetect package using wget
Go to the below path
Download the tar file using the below link:
Extract the file using the below command
tar -xzf maldetect-current.tar.gz
go to the maldet folder
Now, run the below command to install maldet.
By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.
email_alert : If you would like to receive email alerts, then it should be set to 1.
email_subj : Set your email subject here.
email_addr : Add your email address to receive malware alerts.
quar_hits : The default quarantine action for malware hits, it should be set 1.
quar_clean : Cleaning detected malware injections, must set to 1.
quar_susp : The default suspend action for users wih hits, set it as per your requirements.
quar_susp_minuid : Minimum userid that can be suspended.
Open file /usr/local/maldetect/conf.maldet and make changes according to your needs
To update the maldet use the below commands.
To scan the files. perticular user
maldet -a /home/username/
It will scan all the files and provide you the output.
To scan all user under public_html paths under /home*/ this can be done with:
maldet --scan-all /home?/?/public_html
maldet --scan-all /home
To scan the same path but the content that has been created/modified in the last 5 days:
maldet --scan-recent /home?/?/public_html 5
To scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:
maldet --quarantine SCANID
If you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do with.
maldet --clean SCANID
If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:
maldet --restore config.php.2384 maldet --restore /usr/local/maldetect/quarantine/config.php.2384