Set Up LMD Maldet and ClamAV on ServerPilot and VULTR

Set up a malware scanner with LMD Maldet and ClamAV on ServerPilot and an instance like Vultr or Digital Ocean.

Linux Malware Detect (LMD) is one of the key server malware scanners. It runs on any Linux distribution and keeps a signature database of known malware, refreshed from an upstream registry.

LMD can also use the ClamAV scanner as its engine, which speeds up file scanning.

SSH into your server and cd to /root.

Get Linux Malware Detect

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract It

tar -xvf maldetect-current.tar.gz

Remove the Archive

rm maldetect-current.tar.gz

Move in and Run the Installer

cd maldetect-1.6.2/
./install.sh

The installer downloads the latest hash and signature databases. Now configure it.
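As an added example (not from the original post), here is the same install sequence as a script. It discovers the extracted directory name from the archive listing instead of hard-coding maldetect-1.6.2, which changes whenever rfxn publishes a new maldetect-current.tar.gz, and it refuses to pass a non-tarball (for example an HTML error page from a failed download) to tar. The URL is the one from the post; WORKDIR defaulting to /root and the "install" argument guard are my own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: install LMD without hard-coding
# the release directory name.
set -eu

MALDET_URL="http://www.rfxn.com/downloads/maldetect-current.tar.gz"   # from the post
WORKDIR="${WORKDIR:-/root}"   # assumption: same working directory as the post

# True when the file is a readable gzip tarball; used before extracting so a
# captive-portal page or 404 body is never handed to tar.
is_tarball() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Print the top-level directory inside the archive, e.g. "maldetect-1.6.2",
# taken from the listing so the version is never hard-coded.
maldet_top_dir() {
    tar -tzf "$1" | head -n 1 | cut -d/ -f1
}

# Download the archive to $1 and validate it.
fetch_maldet() {
    wget -q -O "$1" "$MALDET_URL"
    is_tarball "$1" || { echo "not a valid tarball: $1" >&2; return 1; }
}

install_maldet() {
    archive="$WORKDIR/maldetect-current.tar.gz"
    fetch_maldet "$archive"
    top="$(maldet_top_dir "$archive")"
    tar -xzf "$archive" -C "$WORKDIR"
    rm -f "$archive"
    (cd "$WORKDIR/$top" && ./install.sh)
    # install.sh copies everything to /usr/local/maldetect, so the
    # extracted tree is no longer needed afterwards.
    rm -rf "$WORKDIR/$top"
}

# Only act when invoked as: sh install-maldet.sh install
if [ "${1:-}" = "install" ]; then
    install_maldet
fi
```

Running it with no argument only defines the functions, which makes the pure helpers easy to check in isolation before touching a server.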

Configure Linux Malware Detect

Using nano…

nano /usr/local/maldetect/conf.maldet

Set up Email Alerts

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=0

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

Swap the alert toggle to 1, adjust the subject line if desired, and add your email address.

Daily Malware Scans

When installed, LMD (Linux Malware Detect) adds a cron job to the daily folder:

/etc/cron.daily/maldet

This cron job updates the malware registry that was downloaded at install time, picking up any newly added threats, and then scans all home directories on the server. If anything is found you will get an email telling you the path to the offending file.

Dealing With Malware Files

Once you get a malware hit on a file you can open the file and clean the malicious code out. Then work out how it got in in the first place: software patching, updating passwords, etc.

You can also have LMD quarantine any file it finds. This is set back in the config file, just after the Email Alerts section:

# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

The default is alert only, but you can opt to move the file out of the file system into quarantine and have LMD also try to strip the injected malware code out of it; then you just need to inspect and restore the file.
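The two config edits above (the email alert toggle and address, and the quarantine options) are usually made by hand in nano. As an added example that is not from the original post, the script below makes the same edits from a shell function so they are repeatable on every new server, and it checks the constraint stated in conf.maldet itself: quar_clean=1 does nothing unless quar_hits=1. The config path is the one from the post; the function names and the admin@example.com address are my own.

```shell
#!/bin/sh
# Added example, not from the post: script the conf.maldet changes the post
# describes and verify them afterwards.
set -eu

CONF="${CONF:-/usr/local/maldetect/conf.maldet}"   # path from the post

# Read a key's value with surrounding quotes removed; conf.maldet uses both
# key=value and key="value" styles across releases.
maldet_get() {   # maldet_get KEY [CONF]
    sed -n "s/^$1=//p" "${2:-$CONF}" | sed 's/^"\(.*\)"$/\1/'
}

# Set KEY=VALUE, replacing an existing assignment or appending one, so running
# it twice never produces duplicate lines. A temp file is used instead of
# sed -i so the same code works with GNU and BSD sed.
maldet_set() {   # maldet_set KEY VALUE [CONF]
    conf="${3:-$CONF}"
    if grep -q "^$1=" "$conf"; then
        sed "s|^$1=.*|$1=$2|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s=%s\n' "$1" "$2" >> "$conf"
    fi
}

# conf.maldet notes that quar_clean=1 requires quar_hits=1. Return 1 and say
# why when the pair is inconsistent, so a misconfiguration is caught early.
maldet_check_quarantine() {   # maldet_check_quarantine [CONF]
    conf="${1:-$CONF}"
    if [ "$(maldet_get quar_clean "$conf")" = 1 ] && \
       [ "$(maldet_get quar_hits "$conf")" != 1 ]; then
        echo "quar_clean=1 has no effect while quar_hits is not 1 ($conf)" >&2
        return 1
    fi
    return 0
}

# Enable email alerts to ADDR and move hits to quarantine with cleaning,
# i.e. the choices the post walks through, then verify the result.
maldet_enable_alerts_and_quarantine() {   # ... ADDR [CONF]
    conf="${2:-$CONF}"
    maldet_set email_alert 1 "$conf"
    maldet_set email_addr "\"$1\"" "$conf"
    maldet_set quar_hits 1 "$conf"
    maldet_set quar_clean 1 "$conf"
    maldet_check_quarantine "$conf"
}

# Usage on a server (assumed address): maldet_enable_alerts_and_quarantine admin@example.com
```

Because maldet_set matches only lines that start with the key, the commented explanations in conf.maldet are left untouched and the file stays readable for the next person who opens it in nano.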

Manual Malware Scans

Of course you can also run manual scans at will on all files or selectively:

maldet -a /srv/users/<appname>/apps/<appname>/public/

Or all public directories using maldet's own ? wildcard, which maldet expands itself to match any user and app name:

maldet -a /srv/users/?/apps/?/public/

Further Options

Check further usage with:

maldet --help

or see the official documentation.

Adding ClamAV

You can use ClamAV as the scanner engine, which speeds up the scanning process.

Setting up Clam AV

sudo apt-get install clamav clamav-daemon

This will install ClamAV and put the clamscan binary here…

/usr/bin/clamscan

This is the path where LMD looks for the clamscan binary, and it will use it when scanning the file system.
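Installing the package is not quite the whole story: clamscan refuses to run until freshclam has fetched the signature databases, and LMD only switches engines when its scan_clamscan option is enabled. As an added example (not from the original post), the checks below confirm all three conditions after the apt-get step. The clamscan path and conf.maldet path are the ones from the post; the /var/lib/clamav signature directory and the scan_clamscan option name are assumptions based on current Debian/Ubuntu packages and recent conf.maldet releases.

```shell
#!/bin/sh
# Added example, not from the post: verify that LMD can actually use ClamAV.
set -eu

CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"          # path from the post
CLAMDB="${CLAMDB:-/var/lib/clamav}"                # assumption: Debian/Ubuntu signature dir
CONF="${CONF:-/usr/local/maldetect/conf.maldet}"   # path from the post

# Value of KEY in conf.maldet with surrounding quotes removed.
conf_value() {
    sed -n "s/^$1=//p" "$CONF" | sed 's/^"\(.*\)"$/\1/'
}

# freshclam writes NAME.cvd on a full download and NAME.cld after an
# incremental update; either one means the database is present.
has_db() {
    [ -f "$CLAMDB/$1.cvd" ] || [ -f "$CLAMDB/$1.cld" ]
}

check_clamscan_binary() {
    if [ -x "$CLAMSCAN" ]; then
        echo "ok: $CLAMSCAN is executable"
    else
        echo "FAIL: $CLAMSCAN missing; LMD will fall back to its own engine"
        return 1
    fi
}

check_signatures() {
    if has_db main && has_db daily; then
        echo "ok: main and daily signatures present in $CLAMDB"
    else
        echo "FAIL: no main/daily signature database in $CLAMDB (run freshclam)"
        return 1
    fi
}

check_scan_clamscan() {
    # assumption: scan_clamscan is the conf.maldet toggle for the ClamAV engine
    if [ -f "$CONF" ] && [ "$(conf_value scan_clamscan)" = 1 ]; then
        echo "ok: scan_clamscan=1 in $CONF"
    else
        echo "FAIL: scan_clamscan is not 1 in $CONF"
        return 1
    fi
}

# Run every check; the exit status is the number of failed checks (0 = ready).
clamav_check_all() {
    fails=0
    check_clamscan_binary || fails=$((fails + 1))
    check_signatures      || fails=$((fails + 1))
    check_scan_clamscan   || fails=$((fails + 1))
    return "$fails"
}
```

Run clamav_check_all once after the ClamAV install and again after the first daily cron run; a scan that silently fell back to LMD's built-in engine is much slower but otherwise gives no obvious sign.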

Remove LMD and Clam AV

If you want to remove these apps…

To remove ClamAV

sudo apt-get remove clamav

To remove Maldet LMD, run the uninstall script…

/usr/local/maldetect/uninstall.sh
