Linux Malware Detect on Debian 6 with ISPConfig 3

Discussion in 'Tips/Tricks/Mods' started by felan, Aug 30, 2012.

  1. Ovidiu

    Ovidiu Active Member

    Just wanted to add that the problem disappeared once I did a clean re-install, so it was most probably my mistake, although I can't say what exactly it was. Nothing wrong with the script Croydon posted, it works flawlessly.
     
  2. Ovidiu

    Ovidiu Active Member

    Here comes another question:

    I just got a report from the daily maldet run that informed me about 2 infected and quarantined files. Now I am wondering why the files have not been picked up by the monitor. maldet IS running as a monitor...

    Shouldn't maldet running as monitor with inotify send me emails when an infection was found?
     
  3. Ovidiu

    Ovidiu Active Member

    Ok, I'll try my luck again even though it seems nobody is reading this thread anymore :)

    I got it all working just fine with one exception:

    Every 1-2 days I find that maldet is no longer running in monitor mode. The inotify process is still there but maldet died. I then have to kill the inotify process and restart maldet in monitor mode.
    No idea why, nothing in my logs, anyone else seen this behavior?
     
  4. Tozz

    Tozz New Member

    Despite the great efforts in this thread (it solved my initial inotify troubles), using inotify to monitor malware isn't very useful on bigger installations.

    We have about 500 websites per server, and I found it to be impossible to use inotify to watch that many files. It seems /proc/sys/fs/inotify/max_user_watches has an upper limit, so when you set that to an insane limit it is ignored.

    From what I found on Google max_user_watches is a regular int, so max_user_watches is limited to MAX_INT. There are plans to change this to a long, but from what I found that is not yet implemented in recent kernels.
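    A quick capacity check for the situation Tozz describes, as an added example (this is not maldet's code and not something posted in the thread). It assumes a recursive monitor needs one inotify watch per directory, reads the current fs.inotify.max_user_watches from /proc, and reports whether the directory count under a web root fits with some headroom. It does not address the kernel-side cap on the value that Tozz mentions; it only tells you whether the limit currently in effect is enough.

```shell
#!/bin/sh
# Added example: estimate whether inotify can cover a web root before relying
# on maldet --monitor. Not maldet's own code. Assumption: a recursive monitor
# needs one inotify watch per directory (watches are per inode).

# Count the directories below $1 (each needs its own watch).
count_watch_targets() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Current per-user watch limit; prints 0 if /proc is not available.
inotify_max_watches() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 0
    fi
}

# Return 0 if $1 directories fit under limit $2, keeping 10% of the limit
# free for other inotify users running under the same UID; else return 1.
fits_in_limit() {
    needed=$1
    limit=$2
    budget=$(( limit - limit / 10 ))
    [ "$needed" -le "$budget" ]
}

# Report for a path. The limit ($2) can be overridden for what-if checks
# (e.g. "would 8388608 be enough?") or for testing without /proc.
check_inotify_capacity() {
    path=$1
    limit=${2:-$(inotify_max_watches)}
    needed=$(count_watch_targets "$path")
    if fits_in_limit "$needed" "$limit"; then
        printf 'OK: %s directories under %s, limit %s\n' "$needed" "$path" "$limit"
        return 0
    fi
    printf 'TOO MANY: %s directories under %s, limit %s; raise fs.inotify.max_user_watches or fall back to scheduled scans\n' "$needed" "$path" "$limit"
    return 1
}

# Run as a script: ./inotify-check.sh /var/www/clients [limit]
if [ -n "$1" ]; then
    check_inotify_capacity "$1" "$2"
fi
```

    Run it against the same path you hand to maldet --monitor; if it reports TOO MANY even after raising the sysctl, the limit is being capped and a cron-driven scan is the realistic option on that box.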
     
  5. Tozz

    Tozz New Member

    No, maldet monitor doesn't e-mail you immediately. Instead the detection is logged, which is then e-mailed when /etc/cron.daily/maldet is run. The cron script checks if a monitor is running and then runs maldet --report-daily.
     
  6. Ovidiu

    Ovidiu Active Member

    not happening for me :-(
     
  7. Tozz

    Tozz New Member

    Do you have email_alert set to 1 in conf.maldet?
     
  8. Ovidiu

    Ovidiu Active Member

    Yes I have.

     
  9. felan

    felan Member HowtoForge Supporter

    Hmm... Yes I've noticed the same issue on one of my servers too, but I have not found a solution yet... If anyone else can be of assistance, do not hesitate to post :)
     
  10. Ovidiu

    Ovidiu Active Member

    Any progress? I still haven't received a single email from maldet :-(
     
  11. felan

    felan Member HowtoForge Supporter

    Hiya.

    No sorry haven't found a solution yet...
     
  12. Ovidiu

    Ovidiu Active Member

    This maldet is really weird, check this:

    Then I start it manually:

     
  13. MaddinXx

    MaddinXx Member

    Another helpful one. If you prefer LMD over ClamAV for the pure-ftpd upload scan, you can use the following within the upload script:

    Code:
    /usr/local/sbin/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$1" > /dev/null 2>&1
    which will put the file into quarantine. Code is from modsec.sh from LMD.
     
  14. SupuS

    SupuS Member HowtoForge Supporter

    Hi MaddinXx,

    I set up file upload scanning following http://www.howtoforge.com/how-to-integrate-clamav-into-pureftpd-for-virus-scanning-on-debian-squeeze and used the script you suggested. It works well, but I am facing a problem with the "part" extension during upload of files. I tried uploading test.txt. Here are the messages from event_log:

    Code:
    maldet(23688): {scan} invalid path /var/www/clients/client55/web175/private/test.txt.part
    
    The txt file was small, so the upload finished and the file was renamed to test.txt, but the scan was executed on test.txt.part. Bigger files are scanned, but before the upload is finished, I am afraid:

    Code:
    maldet(22107): {scan.modsec} results returned OK on /var/www/clients/clientXX/webXX/private/test.txt.part (id: 120113-0000.22107)

    Do you have same sort of problems or not? I use Debian 6.

    Thanks for any suggestion.

    EDIT: I found the problem is in FTP client. This client is the culprit which creates files with .part extension :)

    EDIT 2: I did some testing and my FTP client is able to successfully upload an infected file to the server when the scan is executed on the ".part" file .. so the script has to be improved somehow
     
    Last edited: Dec 1, 2013
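    One way to make the upload script cope with the ".part" behaviour SupuS ran into, as an added example (not LMD's modsec.sh and not the script MaddinXx or SupuS posted). It assumes pure-ftpd's upload-script hook hands the uploaded file's path to the script as $1, and that the FTP client writes to NAME.part and renames to NAME afterwards. If the ".part" path is already gone by the time the script runs, the renamed file is scanned instead; the maldet options are the ones quoted earlier in the thread, and the /usr/local/sbin/maldet path is the one from that post.

```shell
#!/bin/sh
# Added example: pure-ftpd upload-scan wrapper around maldet that handles
# FTP clients which upload to NAME.part and rename when done. Not LMD's own
# modsec.sh. Assumption: pure-ftpd passes the uploaded path as $1.

MALDET="${MALDET:-/usr/local/sbin/maldet}"
SCAN_LOG="${SCAN_LOG:-/var/log/ftp-upload-scan.log}"   # assumed log location

# Map the path we were given to the file that is actually on disk:
#  - the file still exists under that name        -> scan it
#  - it ends in .part, is gone, NAME exists        -> the client renamed it; scan NAME
#  - otherwise print nothing and return 1 (nothing left to scan)
resolve_upload_path() {
    p="$1"
    if [ -f "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    case "$p" in
        *.part)
            base="${p%.part}"
            if [ -f "$base" ]; then
                printf '%s\n' "$base"
                return 0
            fi
            ;;
    esac
    return 1
}

# Scan one upload with the same options as the snippet earlier in the thread:
# quarantine hits, don't clean, skip ClamAV, modsec-style single-file mode.
# maldet's own exit status is passed through and recorded in the log.
scan_upload() {
    target=$(resolve_upload_path "$1") || {
        printf '%s skipped: %s not found\n' "$(date '+%F %T')" "$1" >> "$SCAN_LOG"
        return 1
    }
    "$MALDET" --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$target" >/dev/null 2>&1
    rc=$?
    printf '%s scanned: %s rc=%s\n' "$(date '+%F %T')" "$target" "$rc" >> "$SCAN_LOG"
    return "$rc"
}

# Only act when invoked with a path (pure-ftpd does); stay quiet when sourced.
if [ -n "$1" ]; then
    scan_upload "$1"
fi
```

    This closes the small-file case (scan lands on the renamed file). A rename that happens while maldet is still scanning the ".part" copy is a different matter; checking the scan log entry against what ends up in the web directory is the way to see whether that is happening on your server.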
  15. shadowcast

    shadowcast New Member

    Hello,
    Since today, when I want to edit conf.maldet I get an error that the file is read-only.
    File properties should be 644 and owned by root.
    I'm logged in as root.

    Some other files I can edit normally???

    Greetz
     
  16. Ovidiu

    Ovidiu Active Member

    Isn't there anyone willing to "adopt" this Debian-Mod?
    I really think maldet is an awesome script but the author is very unresponsive and in its current state there are way too many errors and unanswered questions in this thread...

    I'd be willing to donate maybe 1-2 hour's worth of work?
     
  17. felan

    felan Member HowtoForge Supporter

    Ovidiu: I wish I could be of more help, but work keeps me busy, sadly. If anyone else would take this up, personally I'd be really grateful.
     
  18. concept21

    concept21 Active Member

    I have just installed the newest version, 1.4.2 of 2014, on my Ubuntu 10.04.

    The installation and running are straightforward and no more modification is required. :)


    This is not needed anymore:
    apt-get install inotify-tools
     
    Last edited: Sep 30, 2014
  19. concept21

    concept21 Active Member

    Does anybody know how to use /etc/cron.d/maldet_pub for ISPConfig3?

    It scans the Linux user's public directory every 10 minutes. :rolleyes:
     
  20. dayjahone

    dayjahone Member

    I get the following when I try to run it:

    Code:
    maldet(25457): {mon} set inotify max_user_instances to 128
    maldet(25457): {mon} set inotify max_user_watches to 599040
    /usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.25457: No such file or directory
    maldet(25457): {mon} added /var/www/clients to inotify monitoring array
    maldet(25457): {mon} starting inotify process on 1 paths, this might take awhile...
    maldet(25457): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
     
    Last edited: Nov 21, 2014