At first blush, you might be wondering why anyone would need to scan a Linux server for malware. Even though the Linux platform isn’t nearly as vulnerable to malware as other systems, that doesn’t mean your email or file server can’t host malicious files that could take down a connected (and vulnerable) machine. Say, for instance, your Linux server uses Samba to allow users to store files. Or maybe it’s a cloud server that allows users to sync and share their files to various devices. How do you know a user hasn’t inadvertently uploaded a malicious file to the server? You don’t, unless you take action.
I want to show you how to install the Maldet malware detector on a Linux server and how to use that scanner to check for malicious files. I’ll be demonstrating on Ubuntu Server 16.04; however, the installation works the same on nearly any Linux distribution.
Maldet is 100% command line goodness, so get ready to type a bit. The installation is actually quite simple; just follow these steps:
- Log into your Linux server
- Download the necessary file with the command wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
- Extract the downloaded file with the command tar -xvf maldetect-current.tar.gz
- Change into the newly created directory with the command cd maldetect-XXX (where XXX is the release number)
- Install the software with the command sudo ./install.sh
That’s it for the installation.
Open the configuration file with the command sudo nano /usr/local/maldetect/conf.maldet. The first thing you will want to configure is an email address for Maldet to send alerts to. Search for email_alert="0" and change it to email_alert="1" (Figure A).
You will also want to set your email address in the email_addr= option. The last email option is to set email_ignore_clean= to "1", which tells Maldet not to send you alerts when malware has already been cleaned automatically.
Take a look through the [ SCAN OPTIONS ] section. Most of the default options should work fine for you, but you might have a special need. For example, the maximum directory depth the scanner will search is set to 15. Maldet recommends between 10 and 15, but you may have cause to configure less or more.
There is another option here you’ll want to take care of. Out of the box, Maldet is set to ignore any file owned by root. This can cause issues if you’re hoping to scan folders like /var/www. If you know you’re going to need to scan root-owned files, look for the option scan_ignore_root and set it to "0".
Next, scroll down to the [ QUARANTINE OPTIONS ] section and configure as needed. Each of these options is explained within the configuration file, and each can only be enabled or disabled.
After you’ve combed through the configuration file, and made any changes to suit your needs, save and close the file.
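The configuration edits above, scripted so they can be re-applied and checked (an added example, not code from the article or the Maldet project). It edits a constructed stand-in for conf.maldet unless the assumed variable MALDET_CONF points at the real file; admin@example.com is a placeholder address, and sed -i is the GNU form that Ubuntu ships.

```shell
#!/bin/sh
# Added example, not from the article or the Maldet project: apply the
# conf.maldet changes described in the text and verify them. Runs on a
# constructed copy unless MALDET_CONF (assumed name) points at the real
# file. sed -i is the GNU form that Ubuntu ships.
set -eu

# set_opt FILE KEY VALUE: rewrite an existing KEY="..." line in place, or
# append the key if the file lacks it; re-running never duplicates lines.
set_opt() {
    file=$1; key=$2; val=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${val}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$val" >> "$file"
    fi
}

# get_opt FILE KEY: print KEY's value with the quotes stripped (empty if
# the key is missing), so the result can be checked after editing.
get_opt() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | head -n 1
}

# harden_maldet_conf FILE EMAIL: the settings the article walks through.
harden_maldet_conf() {
    set_opt "$1" email_alert 1          # mail alerts on
    set_opt "$1" email_addr "$2"        # where the reports go
    set_opt "$1" email_ignore_clean 1   # no mail for auto-cleaned hits
    set_opt "$1" scan_ignore_root 0     # also scan root-owned files
    set_opt "$1" quarantine_hits 1      # move hits to quarantine
}

# Constructed stand-in for /usr/local/maldetect/conf.maldet with the
# stock values the article starts from (not a copy of the real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
email_alert="0"
email_addr="you@domain.com"
email_ignore_clean="0"
scan_ignore_root="1"
quarantine_hits="0"
EOF
}

CONF=${MALDET_CONF:-$(mktemp)}
[ -s "$CONF" ] || make_sample_conf "$CONF"
harden_maldet_conf "$CONF" "admin@example.com"   # placeholder address
grep -E '^(email|scan_ignore_root|quarantine_hits)' "$CONF"
[ -n "${MALDET_CONF:-}" ] || rm -f "$CONF"
```

Run it as-is to see the before/after on the sample file, or as MALDET_CONF=/usr/local/maldetect/conf.maldet sudo sh script.sh to apply the same settings to a live install.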
Manually running a scan
Let’s say you have one particular directory that houses all Samba shares. For example sake, we’ll call that directory /data/shares. To scan the directory, the command would be:
sudo maldet --scan-all /data/shares
Maldet will dive into the directory (and subdirectories) to scan all files. Should it come up with a malicious file, it will act on it according to your configuration. If you have quarantine_hits enabled (set to "1"), Maldet will automatically move any malicious files to quarantine. If this option is disabled (set to "0"), Maldet will simply report where the file is located, so you can decide what to do with said malicious file.
You don’t have to worry about setting up a cron job for Maldet: the installer creates one that scans all home folders, as well as files and folders that were recently changed. Any reports from these automatic scans will be sent to your configured email address.
Simple and effective
Maldet is very adept at scanning and cleaning your system for malicious files. If you have a Linux server that users of other platforms connect to, you should immediately install and configure this scanner. Your Linux server may not be affected by malicious files, but your user machines could.