Detecting malware on a server with LMD (CentOS 6.4)

LMD (Linux Malware Detect) is software developed specifically to find malware on Linux machines. Its feature set is fairly comprehensive: it detects malware from signatures covering MD5 hashes, HEX patterns, Base64, PHP shells and more (the malware database is regularly updated from the developer's server). In our testing it proved quite accurate and well suited to web servers, so we recommend giving it a try. Importantly, it is open source.

Features:

– MD5 file hash detection for quick threat identification
– HEX based pattern matching for identifying threat variants
– statistical analysis component for detection of obfuscated threats (e.g: base64)
– integrated detection of ClamAV to use as scanner engine for improved performance
– integrated signature update feature with -u|--update
– integrated version update feature with -d|--update-ver
– scan-recent option to scan only files that have been added/changed in X days
– scan-all option for full path based scanning
– checkout option to upload suspected malware to rfxn.com for review / hashing
– full reporting system to view current and previous scan results
– quarantine queue that stores threats in a safe fashion with no permissions
– quarantine batching option to quarantine the results of a current or past scans
– quarantine restore option to restore files to original path, owner and perms
– quarantine suspend account option to Cpanel suspend or shell revoke users
– cleaner rules to attempt removal of malware injected strings
– cleaner batching option to attempt cleaning of previous scan reports
– cleaner rules to remove base64 and gzinflate(base64) injected malware
– daily cron based scanning of all changes in last 24h in user homedirs
– daily cron script compatible with stock RH style systems, Cpanel & Ensim
– kernel based inotify real time file scanning of created/modified/moved files
– kernel inotify monitor that can take path data from STDIN or FILE
– kernel inotify monitor convenience feature to monitor system users
– kernel inotify monitor can be restricted to a configurable user html root
– kernel inotify monitor with dynamic sysctl limits for optimal performance
– kernel inotify alerting through daily and/or optional weekly reports
– e-mail alert reporting after every scan execution (manual & daily)
– path, extension and signature based ignore options
– background scanner option for unattended scan operations
– verbose logging & output of all actions

Installation steps (CentOS 6.4)

1 > Download Linux Malware Detect (LMD)

# cd /root
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

2 > Install LMD

# tar xfz maldetect-current.tar.gz
# cd maldetect-1.4.2
# chmod 775 install.sh
# sh install.sh

3 > Configuration

vi /usr/local/maldetect/conf.maldet

email_alert : set to 1 to have alerts sent by email
email_subj : the subject line of the alert email
email_addr : the email address the alerts are sent to
quar_hits : what to do when malware is found; 0 means alert only, 1 means quarantine the file so it cannot be executed
quar_clean : set to 1 to have detected malware cleaned straight away
quar_susp : suspend the account in which malware is found; 0 is recommended because suspension may affect some services
quar_susp_minuid : the account suspension period

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1
# The subject line for email alerts
email_subj="maldet alert from $(hostname)"
# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"
# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0
##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1
# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1
# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500
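The settings above interact: the file's own comments say that quar_clean=1 and quar_susp=1 only take effect when quar_hits=1, and quar_susp_minuid is described there as the lowest UID that may be suspended. The script below is an added example (not code from this post or from the LMD project) that writes the values shown above into conf.maldet, keeps a backup, and checks those dependencies before you run a scan. CONF defaults to the path used in this post; ALERT_ADDR is a knob of this example whose default root@localhost is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LMD project:
# apply the settings shown above to conf.maldet in place, keep a backup,
# and verify the dependency stated in the file's own comments
# (quar_clean=1 and quar_susp=1 both require quar_hits=1).
# CONF defaults to the path used in the post; ALERT_ADDR is this example's
# own knob and its default root@localhost is a constructed placeholder.
CONF="${CONF:-/usr/local/maldetect/conf.maldet}"
ALERT_ADDR="${ALERT_ADDR:-root@localhost}"

# maldet_get KEY [FILE]: print the value of KEY with surrounding quotes removed.
maldet_get() {
    grep "^$1=" "${2:-$CONF}" | tail -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//'
}

# maldet_set KEY VALUE [FILE]: replace an existing KEY=... line or append one.
# VALUE must not contain '|' or '&' (special to the sed replacement used here).
maldet_set() {
    _key="$1"; _val="$2"; _file="${3:-$CONF}"
    if grep -q "^${_key}=" "$_file"; then
        sed "s|^${_key}=.*|${_key}=${_val}|" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    else
        printf '%s=%s\n' "$_key" "$_val" >> "$_file"
    fi
}

# maldet_check_conf [FILE]: returns 0 if consistent, 1 if quar_clean or
# quar_susp is enabled without quar_hits, 2 if quar_susp_minuid is not numeric.
maldet_check_conf() {
    _file="${1:-$CONF}"
    _hits=$(maldet_get quar_hits "$_file")
    _clean=$(maldet_get quar_clean "$_file")
    _susp=$(maldet_get quar_susp "$_file")
    _minuid=$(maldet_get quar_susp_minuid "$_file")
    if [ "$_hits" != "1" ] && { [ "$_clean" = "1" ] || [ "$_susp" = "1" ]; }; then
        echo "$_file: quar_clean=1 / quar_susp=1 require quar_hits=1" >&2
        return 1
    fi
    case "$_minuid" in
        ''|*[!0-9]*) echo "$_file: quar_susp_minuid must be numeric" >&2; return 2 ;;
    esac
    return 0
}

# maldet_apply_post_settings [FILE]: back the file up once (FILE.bak), then
# write the values from the post: email alerts on, quarantine and clean on,
# account suspension off, minimum UID 500.
maldet_apply_post_settings() {
    _file="${1:-$CONF}"
    cp "$_file" "$_file.bak"
    maldet_set email_alert 1 "$_file"
    maldet_set email_subj '"maldet alert from $(hostname)"' "$_file"
    maldet_set email_addr "\"$ALERT_ADDR\"" "$_file"
    maldet_set quar_hits 1 "$_file"
    maldet_set quar_clean 1 "$_file"
    maldet_set quar_susp 0 "$_file"
    maldet_set quar_susp_minuid 500 "$_file"
    maldet_check_conf "$_file"
}

# Run with "apply" as the first argument to change the real file, e.g.
#   sh apply-maldet-conf.sh apply
case "${1:-}" in
    apply) maldet_apply_post_settings ;;
esac
```

Because maldet_check_conf runs last, a mistake such as leaving quar_hits=0 while quar_clean=1 is reported before the first scan silently does less than expected.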

4 > How to use maldet

# maldet --scan-all /home

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

You can have maldet run on whatever schedule you want by editing the configuration in the file /etc/cron.daily/maldet

Further information
http://www.rfxn.com/projects/linux-malware-detect
http://www.tecmint.com/install-linux-malware-detect-lmd-in-rhel-centos-and-fedora/