You might think your Linux server is immune to malicious code. You’re wrong. Even when a piece of malware cannot execute on Linux, a server that dishes out files to users (via Samba, SSHFS, NFS, etc.) will happily store and hand out infected files all day, and the Windows and macOS users connected to it are the ones who pay for it. (Linux-native malware exists too, so “the platform isn’t affected” is not a safe assumption either.) That is a nightmare in waiting. How do you avoid it on a Linux server? You install a real-time antivirus/antimalware scanner such as Sophos Antivirus for Linux.
Sophos Antivirus for Linux is a free, command line-only scanner for servers and desktops. It offers both on-access (real-time) scanning that runs in the background and on-demand scans you start manually. I want to walk you through installing it, so you can rest a little easier knowing your server is less likely to be hosting malicious code.
Remember, no server (regardless of platform) is 100% safe. Connected to the internet or not, a server or desktop can be compromised. So don’t treat antivirus as the end-all security measure for your Linux server; you must still be diligent with your other administration duties (patching, least privilege on shares, backups).
With that said, let’s install.
Getting the software
To get the software, you must register your email address with Sophos; the download link is then sent to you. This can be a bit tricky if your server is GUI-less, because the link contains a unique key tied to your registration and arrives in your mailbox rather than on the server. The simplest approach is to download the tarball to a desktop machine on your network and then use scp to copy it to the server, like so:
scp sav-linux-free-9.tgz USER@IP:/path/to/save/file
Where USER is a user on the remote server, IP is the IP address of the server, and /path/to/save/file is the actual path where you will save the file (such as the USER’s home directory).
Once that file has been uploaded to the server, you can extract it with the command:
tar xvzf sav-linux-free-9.tgz
Extracting the .tgz file creates a new directory called sophos-av. Change into it with the command cd sophos-av. Inside you will find the installer script; run it with the command sudo sh install.sh. You will be presented with the welcome screen, asking you to hit Enter to view the EULA (Figure A).
While viewing the license, hit the spacebar to scroll through and then type Y to accept. You will then be asked where you would like to install Sophos. The default installation directory is /opt/sophos-av. Unless you have a reason to install it in another location, I would recommend accepting that default.
Next you will be asked if you want to enable on-access scanning. This is the real-time option: files are checked as they are opened, written or executed, so a user who drops an infected file on a share is stopped at that moment rather than at the next scheduled scan. I recommend enabling it. Yes, it will consume CPU cycles, and it relies on kernel support (fanotify on recent kernels, otherwise Sophos’s own Talpa kernel module), so check that your kernel is one Sophos supports. But unless you want to write your own bash scripts and cron jobs for regular on-demand scans, this is your best bet. When prompted, either type Y and hit Enter, or just hit Enter (as Yes is the default).
Once you’ve enabled on-access scanning, the installer will prompt you for an update location. You have three choices:
- Sophos — download definition updates from the official Sophos servers.
- Your own server — download definition updates from an on-premise server.
- None — do not download definition updates.
Unless you’re willing to set up an update server, I would recommend going with the default (Sophos). Either type s and hit Enter, or just hit Enter.
The next question wants to know if the installation will be the Free or Supported version of Sophos. The default is Supported, which we’re not installing. Type f and hit Enter to install the Free version.
Finally, you can configure a proxy (if necessary). If no proxy is required, type N and hit Enter (or just hit Enter). The installation then runs and finishes with the message Installation completed. The installer enables and starts everything necessary, so at that point Sophos is good to go.
Adding alert email address
You might have noticed that during the installation you weren’t able to add an email address for alerts. That’s because it is done post-install. You can add multiple email addresses to receive alerts, as well as an email server (if needed). By default Sophos submits alerts over SMTP to localhost on port 25, which only works if the server runs a local MTA. If it does not, point Sophos at your mail relay with the command:
/opt/sophos-av/bin/savconfig set EmailServer SERVER_ADDRESS
Where SERVER_ADDRESS is the actual IP address or Domain of your email server.
Next you can add email addresses, as alert recipients, with the command:
/opt/sophos-av/bin/savconfig add Email EMAIL@ADDRESS
Where EMAIL@ADDRESS is the actual email address to add.
If you need to add multiple addresses, add them all to the above command (separating them by a space).
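Here is a small post-install helper script that ties together the email alerting just described, the cron-driven on-demand scanning mentioned in the on-access step, and a detection check. It is an added example, not part of the original article or of Sophos’s own tooling: it calls the real savconfig and savscan binaries under the default /opt/sophos-av/bin prefix (set SOPHOS_BIN if you installed elsewhere), maps savscan’s documented exit codes (0 clean, 1 interrupted, 2 error, 3 threat found) to a verdict, and can drop the standard EICAR test string on a share so you can confirm the scanner actually reacts and the alert mail arrives. The helper names, the SOPHOS_BIN variable, and the paths in the comments are this example’s own assumptions.

```sh
#!/bin/sh
# Post-install helpers for Sophos Antivirus for Linux (added example, not Sophos's own script).
# Assumes the default install prefix; set SOPHOS_BIN to point elsewhere (or at stubs when testing).
SOPHOS_BIN="${SOPHOS_BIN:-/opt/sophos-av/bin}"

# Point alert mail at a relay, register one or more recipients, then print what savconfig stored.
# Usage: configure_alerts mail.example.com admin@example.com ops@example.com
configure_alerts() {
    server="$1"; shift
    "$SOPHOS_BIN/savconfig" set EmailServer "$server" || return 1
    "$SOPHOS_BIN/savconfig" add Email "$@" || return 1
    "$SOPHOS_BIN/savconfig" query Email
}

# Map savscan's documented exit status to a one-word verdict.
savscan_verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "interrupted" ;;
        2) echo "error" ;;
        3) echo "threat" ;;
        *) echo "unknown" ;;
    esac
}

# On-demand scan of one directory, suitable for a cron job:
#   -nc      never prompt (cron has no terminal)
#   -ss      stay silent unless there is an error or a detection
#   -archive look inside archives, where files on a share often hide
# Scanner output goes to stderr (cron mails it to you); the verdict goes to stdout, and the
# exit status is non-zero for anything other than "clean" so a wrapper can react to it.
scan_path() {
    rc=0
    "$SOPHOS_BIN/savscan" "$1" -nc -ss -archive >&2 || rc=$?
    verdict=$(savscan_verdict "$rc")
    echo "$verdict"
    [ "$verdict" = "clean" ]
}

# Drop the EICAR test string (a harmless file every AV engine is required to detect) at the
# given path on a share, so you can confirm on-access scanning blocks it and the alert arrives.
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Example cron entry (assumed paths): a wrapper that sources this file and runs scan_path "$1"
#   0 2 * * * /usr/local/sbin/sav-scan.sh /srv/samba/share
```

Run configure_alerts once after the install, then put scan_path in a nightly cron job for the directories you export; because it exits non-zero on anything but a clean result, the same wrapper can page you or quarantine the share when a scheduled scan turns something up. Use write_eicar in a throwaway directory only, and delete the file afterwards so it does not keep tripping every scan.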
Your Linux server, safer
Congratulations, your Linux server is now a bit safer. Sophos AV is running in the background, scanning files on your server as they are accessed. Should it find a questionable file, it will block access to it, log the event, and alert the addresses you configured via email.
Again, I must stress that this shouldn’t give you a false sense of security. If your machine is turned on, it’s vulnerable. If you have users sharing files on that machine, it is even better placed to spread malicious code. Do everything you can to keep your users and your data safe.
An admin’s job is never done.