Just wanted to ad that the problem disappeared once I did a clean re-install so it was most probably my mistake although I can't say what exactly it was. Nothing wrong with the script Croydon posted, it works flawless.
Here comes another question: I just got a report by the daily maldet run that informed me about 2 infected and quarantined files. Now I am wondering why the files have not been picked up by the monitor? maldet IS running as a monitor... Shouldn't maldet running as monitor with inotify send me emails when an infection was found?
Ok, I'll try my luck again even though it seems nobody is reading this thread anymore I got it all working just fine with one exception: Every 1-2 days I find that maldet is no longer running in monitor mode. The inotify process is still there but maldet died. I then have to kill the inotify proces, restart maldet in monitor mode. No idea why, nothing in my logs, anyone else seen this behavior?
Despite the great effors in this thread (it solved my initial inotify troubles), using inotify to monitor malware isn't very usefull on bigger installations. We have about 500 websites per server, and I found it to be impossible to use inotify to watch that many files. If seems /proc/sys/fs/inotify/max_user_watches has an upper limit, so when you set that to an insane limit it is ignored. From what I found on Google max_user_watches is a regular int, so max_user_watches is limited to MAX_INT. There are plans to change this to a long, but from what I found that is not yet implemented in recent kernels.
No, maldet monitor doesn't e-mail you immediatly. Instead the detection is logged, which is then e-mailed when /etc/cron.daily/maldet is ran. The cron script checks if a monitor is running and then runs maldet --report-daily.
Hmm... Yes I've noticed the same issue on one of my servers too, but I have not found a solution yet... If anyone ells can be of assistance, do not hesitate to post
Another helpful one. If you prefer LMD over ClamAV for pure-ftpd upload scan, you can use the following within the upload scipt: Code: /usr/local/sbin/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$1" > /dev/null 2>&1 which will put the file to quarantine. Code is from modsec.sh from LMD.
Hi MaddinXx, I set file upload scan by http://www.howtoforge.com/how-to-integrate-clamav-into-pureftpd-for-virus-scanning-on-debian-squeeze and used the script you suggested. It works well but I am facing problem with "part" extension during upload of files. I tried upload of test.txt. Here are messages from event_log: Code: maldet(23688): {scan} invalid path /var/www/clients/client55/web175/private/test.txt.part The txt file was small, so upload finished and file was rename to test.txt but the scan was executed on test.txt.part. Bigger files are scanned but before upload is finished I am afraid: maldet(22107): {scan.modsec} results returned OK on /var/www/clients/clientXX/webXX/private/test.txt.part (id: 120113-0000.22107) Do you have same sort of problems or not? I use Debian 6. Thanks for any suggestion. EDIT: I found the problem is in FTP client. This client is the culprit which creates files with .part extension EDIT 2: I did some testing and my FTP client is able sucessfully upload infected file to server when scan is executed on ".part" file .. so the script has to be improved somehow
Hello, since today, when i want to edit conf.maldet i got a error, that the file is readonly. File Properties should be 644 and owned by root. I´m loged in as root. Some other files i can edit normally??? Greetz
Isn't there anyone willing to "adopt" this Debian-Mod? I really think maldet is an awesome script but the author is very unresponsive and in its current state there are way too many errors and unanswered questions in this thread... I'd be willing to donate maybe 1-2 hour's worth of work?
Ovidiu: I wish I could be of more help, but work keeps me busy, sadly. If anyone ells would take this up, personally I'd be really grateful.
I have just installed the newest version 1.4.2 of year 2014 on my Ubuntu 10.04. The installation and running are straight forward and no more modification is required. This is not needed anymore: apt-get install inotify-tools
Anybody knows how to use /etc/cron.d/maldet_pub for ISPConfig3? It scans the Linux user's public directory every 10 minutes.
I get the following when I try to run it: Code: maldet(25457): {mon} set inotify max_user_instances to 128 maldet(25457): {mon} set inotify max_user_watches to 599040 /usr/bin/wc: /usr/local/maldetect/sess/inotify.paths.25457: No such file or directory maldet(25457): {mon} added /var/www/clients to inotify monitoring array maldet(25457): {mon} starting inotify process on 1 paths, this might take awhile... maldet(25457): {mon} no inotify process found, check /usr/local/maldetect/inotify/inotify_log for errors.
