Coders Tent

Server Admin's Diary

How to Install and Configure Linux Malware Detect (LMD) on CentOS 7

Linux Malware Detect (LMD), or simply Maldet, is a free malware scanner for Linux released under the GNU GPLv2. It is designed around the threats seen in shared hosting environments. LMD uses threat data from network edge intrusion detection systems to extract the malware actually being used in attacks and generates signatures for detecting it.

Threat data is also derived from user submissions made with LMD's checkout feature and from malware community resources. Detection relies on signatures such as HEX patterns and MD5 file hashes, and signatures can also be extracted from other detection tools, including ClamAV.

Before we start the installation process, this tutorial assumes that you have some basic knowledge of SSH. These instructions apply to users who deal with VPS (Virtual Private Servers) or Dedicated servers.

Let’s get started.

Step 1: Updating the Packages

First, make sure the packages are up-to-date. To do so, run the command below:


$ yum -y update

Step 2: Installing Linux Malware Detect

Go to the official Linux Malware Detect page and download the software to your server:


$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Open the already downloaded Linux Malware file:


$ tar xfz maldetect-current.tar.gz

You can change the current directory with the command below:


$ cd maldetect-*

Now run the installer script (as root):


sh install.sh

Once the installation process is complete, you should see output similar to the following:


Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6
(C) 2002-2017, R-fx Networks (C) 2017, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1344): {sigup} performing signature update check...
maldet(1344): {sigup} local signature set is version 2017070716978
maldet(1344): {sigup} new signature set (2017080720059) available
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(1344): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(1344): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(1344): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(1344): {sigup} verified md5sum of maldet-clean.tgz
maldet(1344): {sigup} unpacked and installed maldet-clean.tgz
maldet(1344): {sigup} signature set update completed
maldet(1344): {sigup} 15215 signatures (12485 MD5 | 1951 HEX | 779 YARA | 0 USER)

Step 3: Configuring LMD

The Linux Malware Detect configuration file is /usr/local/maldetect/conf.maldet. Open it and adjust the settings described below:


$ vi /usr/local/maldetect/conf.maldet

The relevant settings in the default file look like this:


# Enable Email Alerting
email_alert="1"
# Email Address in which you want to receive scan reports
email_addr="igeek.web@gmail.com"
# Use with ClamAV
scan_clamscan="1"
# Scan root-owned files (0); set to 1 to skip them
scan_ignore_root="0"
# Move threats to quarantine
quarantine_hits="1"
# Clean string based malware injections
quarantine_clean="1"
# Suspend user if malware found.
quarantine_suspend_user="1"
# Minimum user id that can be suspended
quarantine_suspend_user_minuid="500"

Now set the following options:

email_alert=1 enables email alerts.

email_addr="user@yourdomain.tld" sets the address that receives the malware alerts.

quar_hits=1 (quarantine_hits in the configuration file shown above) moves detected malware to quarantine instead of only reporting it.

quar_clean=1 (quarantine_clean above) cleans string-based malware injections from the detected files.

Step 4: Set CronJob for Auto Scanning

During installation, a cron job file is installed as /etc/cron.daily/maldet.

This cron job prunes LMD's session, temporary and quarantine data once it is older than 14 days (336 hours), checks daily for a new LMD release and for a new signature set, and then either sends the daily hit summary (when inotify real-time monitoring is running) or scans the files changed in the last two days.

The scan paths are chosen according to the control panel detected on the server (Ensim, Plesk, DirectAdmin, or the standard /home/user/public_html layout used by cPanel and InterWorx). Check that they match your server's directory structure and adjust the cron file if they do not.


#!/bin/bash
# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1
# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1
# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1
# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
    /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
    # scan the last 2 days of file changes
    if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
        # ensim
        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
    elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
        # psa (Plesk)
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
    elif [ -d "/usr/local/directadmin" ]; then
        # DirectAdmin
        /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
        /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
    else
        # cpanel, interworx and other standard home/user/public_html setups
        /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
    fi
fi

To activate email alerts when malware is detected, open the Maldet configuration file /usr/local/maldetect/conf.maldet and set the following:

email_alert=1
email_subj="Maldet alert from $(hostname)"
email_addr="email@domain.com"
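As an added check (example code, not part of LMD or this post), the following POSIX shell audit reads conf.maldet and reports whether alerting and quarantine are actually switched on, using the keys shown above. The configuration excerpt it writes is constructed for the demo, and the "last assignment wins" reading mirrors how LMD sources the file.

```shell
#!/bin/sh
# Audit alerting/quarantine settings in an LMD conf.maldet.
# Added example, not LMD code. Values are read as KEY="VALUE" or KEY=VALUE;
# when a key appears more than once the last assignment wins.

lmd_conf_get() {  # $1 = conf file, $2 = key; prints the value, quotes stripped
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print one line per finding; the return code is the number of problems found.
lmd_conf_audit() {
    conf="$1"; problems=0
    if [ "$(lmd_conf_get "$conf" email_alert)" != "1" ]; then
        echo "WARN: email_alert is not 1, detections will go unnoticed"
        problems=$((problems + 1))
    else
        addr=$(lmd_conf_get "$conf" email_addr)
        case "$addr" in
            ""|*@yourdomain.tld|*@domain.com)   # empty or a tutorial placeholder
                echo "WARN: email_addr '$addr' is empty or a placeholder"
                problems=$((problems + 1)) ;;
        esac
    fi
    for key in quarantine_hits quarantine_clean; do
        [ "$(lmd_conf_get "$conf" $key)" = "1" ] || {
            echo "WARN: $key is not 1, hits are only reported"; problems=$((problems + 1)); }
    done
    minuid=$(lmd_conf_get "$conf" quarantine_suspend_user_minuid)
    if [ "$(lmd_conf_get "$conf" quarantine_suspend_user)" = "1" ] &&
       [ "$minuid" -lt 1000 ] 2>/dev/null; then
        # CentOS 7 creates regular users from uid 1000; a lower floor can hit system accounts
        echo "NOTE: user suspension applies from uid $minuid; check no service accounts fall in range"
    fi
    return $problems
}

write_demo_conf() {  # constructed conf.maldet excerpt for the demo, written to $1
    cat > "$1" <<'EOF'
email_alert="1"
email_addr="user@yourdomain.tld"
quarantine_hits="1"
quarantine_clean="0"
quarantine_suspend_user="1"
quarantine_suspend_user_minuid="500"
EOF
}
```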

Step 5: Manual Scanning

To scan a specific directory, run the command below:


$ maldet -a /path/to/directory

To ensure Maldet is up-to-date, run the command below:


$ maldet -u

You can see the details of the options available by running the following command:


$ maldet -h

Now Linux Malware Detect (LMD) is successfully installed.

Installing and configuring ConfigServer Security & Firewall (CSF)

Config Server Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

It is a security tool that protects your server against attacks such as brute-force logins and improves overall server security.

It is free and runs as a WHM plugin on cPanel servers. Follow these instructions to complete a basic CSF installation:

1. Install CSF: Log into your server as root, using SSH.


cd /usr/local/src/
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

You will see “Installation Completed”.


cd ..
rm -Rfv csf/ csf.tgz

2. Configure CSF: Log in to WHM as root and, in the Plugins section of the left-hand menu, open ConfigServer Security & Firewall.

Then, in the “csf – ConfigServer Firewall” section (on the right panel), click on “Firewall Configuration”.

# Port filtering configuration – IPv4 Port Settings #

The following ports are opened by default:

TCP_IN =
20,21,22,25,53,80,110,143,443,465,587,993,995,
2077,2078,2082,2083,2086,2087,2095,2096,26

TCP_OUT =
20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703

UDP_IN =
20,21,53

UDP_OUT =
20,21,53,113,123,873,6277

If you have changed your SSH port number, you need to add this new port on the “IPv4 Port Settings” and/or “IPv6 Port Settings”.

You can also use this section to add a specific port for a new application installed on the server.

If you are using R1soft/Idera external backup solution, you need to allow inbound traffic for TCP port 1167 in the port TCP_IN section.
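As an added example (not CSF's own code), this POSIX shell helper parses a csf.conf port list and checks whether a given port, including the sshd port read from sshd_config, is present. It also handles LOW:HIGH range entries, which csf.conf accepts although the default lists above contain none. The csf.conf and sshd_config excerpts are constructed.

```shell
#!/bin/sh
# Check whether a port is covered by a CSF port list in csf.conf.
# Added example, not part of CSF. Assumes the csf.conf syntax KEY = "a,b,c",
# where each entry is a single port or a LOW:HIGH range (e.g. passive FTP).

csf_port_list() {  # $1 = csf.conf, $2 = setting name; prints the list, quotes stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n 1 | tr -d ' '
}

csf_port_allowed() {  # $1 = csf.conf, $2 = setting name, $3 = port; returns 0 if listed
    list=$(csf_port_list "$1" "$2")
    [ -n "$list" ] || return 1
    echo "$list" | tr ',' '\n' | awk -F: -v p="$3" '
        NF == 1 && $1 == p              { found = 1 }
        NF == 2 && p >= $1 && p <= $2   { found = 1 }
        END { exit found ? 0 : 1 }'
}

csf_ssh_port_ok() {  # $1 = sshd_config, $2 = csf.conf; returns 0 if the sshd port is in TCP_IN
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    port=${port:-22}                    # sshd default when no Port line is present
    csf_port_allowed "$2" TCP_IN "$port"
}

write_demo_confs() {  # constructed csf.conf and sshd_config excerpts, written under $1
    cat > "$1/csf.conf" <<'EOF'
# constructed excerpt: the default lists from the post plus a passive FTP range
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,26,30000:35000"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703"
UDP_IN = "20,21,53"
EOF
    printf 'Port 2222\nPermitRootLogin no\n' > "$1/sshd_config"
}
```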

# Enable syslog monitoring #

Set “SYSLOG_CHECK” to “1800”

# Detect suspicious process #

Set “PT_DELETED” to “1”

Set “PT_ALL_USERS” to “1”

# Spam Protection and massive email activity detection (optional) – SMTP Settings#

CSF can help close the spam abuse vector and detect suspicious email activity.

Set “SMTP_BLOCK” to “1” in “SMTP Settings” section.

Set “LF_SCRIPT_LIMIT” to “250” to identify scripts sending out 250 email messages in an hour.

Set “LF_SCRIPT_ALERT” to “1” to send an email alert to the system administrator when the limit configured above is reached.

# Save the configuration and confirm the firewall status #

You can save the configuration by clicking the “Change” button at the end of the page. Then restart csf/lfd service.

Thereafter, go back to the ConfigServer Security Firewall main page.

On the top of this page, you should see “Firewall Status: Enabled but in Test Mode”

If you see “Firewall Status: Disabled and Stopped” please click on “Enable”.

3. Confirm the configuration and remove the “Testing mode”.

Once you are satisfied with the configuration and confirmed that it is working fine, you need to remove the “Testing mode”.

Go back to “Firewall Configuration” (in the “csf – ConfigServer Firewall” section).

Set “TESTING” to 0

Save this modification by clicking the “Change” button at the end of the page and restart csf/lfd service.

4. Monitor the firewall activity

You can monitor the firewall activity by clicking the “Watch system Logs” button on the ConfigServer Security Firewall main page.

Or read the log file /var/log/lfd.log which is accessible via SSH.


Reference: http://www.configserver.com/cp/csf.html

Install GoDaddy SSL Certificate on Ubuntu 16.04

Elements

To install an SSL certificate you need the following:

  • CSR file
  • Private key
  • Signed certificate
  • Certificate chain

Prepare Your Server

The first step to installing your certificate is to prepare your server directories to hold the final keys later on.

So ssh into your server and do the following:


sudo mkdir /etc/apache2/ssl
sudo chmod 700 /etc/apache2/ssl
sudo chown www-data:www-data /etc/apache2/ssl

Then make sure openssl is installed (the command does nothing if it already is):

sudo apt-get install openssl

Then install the required ssl mods for your apache instance and activate them:

sudo a2enmod ssl

Generate the CSR

For GoDaddy to issue the SSL certificate, we need to generate a private key and a CSR (Certificate Signing Request). In your home directory, run the following. You don’t need sudo at this point.

openssl req -newkey rsa:2048 -nodes -keyout website_ssl.key -out website_ssl.csr -sha256

After running the above command you will be prompted for identity details (country, organisation and, most importantly, the Common Name, which must be your site’s domain name). Answer them as accurately as possible.

You don’t really need to use the challenge password with GoDaddy at the time of this writing.

Now that you have completed generating the private key and the CSR, it’s time to send it through to GoDaddy.

Generate the Secure Certificate

Open the website_ssl.csr that we generated before. You can use vim or you can simply cat it to the terminal. The CSR should look like this:


-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Copy the entire content of your CSR file, including the BEGIN and END lines.

Then login to GoDaddy, locate your secure certificate product and click launch. After that, click on setup and choose provide CSR. Then paste the content of the CSR file that you just copied previously.

When done, wait until GoDaddy verifies your website’s identity and grants you access to download the certificate; in my case this happened quickly, within 10 minutes at most.

Installing the Certificate in Your Server

Once GoDaddy emails you that your certificate has been generated, follow the link and download the certificate to your computer for now. It is a zip file containing two files: the one that looks like a randomly generated hash is your certificate (let’s call it 6eba0aa5c1b8.crt for this article), while the one whose name starts with gd_bundle_ is your certificate chain file.

Upload both files to your home directory on the Ubuntu server. You should now have website_ssl.key, 6eba0aa5c1b8.crt and gd_bundle-g2-g1.crt there. Then move those three files to the ssl directory you created previously:

sudo mv ~/6eba0aa5c1b8.crt /etc/apache2/ssl/6eba0aa5c1b8.crt
sudo mv ~/website_ssl.key /etc/apache2/ssl/website_ssl.key
sudo mv ~/gd_bundle-g2-g1.crt /etc/apache2/ssl/gd_bundle-g2-g1.crt

Then make sure you set the correct permissions on those files:


sudo chmod 600 /etc/apache2/ssl/*
sudo chown www-data:www-data /etc/apache2/ssl/*
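Before pointing Apache at the files, it is worth confirming that the key, certificate and chain belong together; the following shell functions do that with openssl (added example, not from the original post). make_demo_material generates a throwaway CA and a certificate for example.com so the check can be exercised without real GoDaddy files.

```shell
#!/bin/sh
# Check that a private key, certificate and CA bundle belong together before
# configuring Apache. Added example, not part of the original post; RSA keys assumed.

modulus_digest() {  # $1 = key|cert, $2 = path; prints a SHA-256 of the RSA modulus
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when key $1 is the private key the certificate $2 was issued for.
ssl_key_matches_cert() {
    [ "$(modulus_digest key "$1")" = "$(modulus_digest cert "$2")" ]
}

# Returns 0 when certificate $1 chains to a CA contained in bundle $2.
ssl_cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

check_ssl_files() {  # $1 = key, $2 = cert, $3 = bundle; prints findings, 0 if all OK
    rc=0
    if ssl_key_matches_cert "$1" "$2"; then echo "OK: key matches certificate"
    else echo "FAIL: key does not match certificate"; rc=1; fi
    if ssl_cert_chains_to "$2" "$3"; then echo "OK: certificate chains to bundle"
    else echo "FAIL: certificate does not chain to bundle"; rc=1; fi
    return $rc
}

# Constructed demo material under directory $1: a throwaway root CA (standing in for
# gd_bundle-g2-g1.crt), a key + CSR for example.com, and a leaf signed by that CA.
make_demo_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/gd_bundle.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
        -keyout "$dir/website_ssl.key" -out "$dir/website_ssl.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$dir/website_ssl.csr" -CA "$dir/gd_bundle.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/website.crt" >/dev/null 2>&1
}
```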

Configure Apache

Open the default SSL virtual host file for editing:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Change ServerAdmin to your valid email address:

ServerAdmin webmaster@localhost

Below this line, add the ServerName with either the domain name or IP address:


ServerAdmin webmaster@localhost
ServerName example.com

Find the lines which read:


SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Change these to the location and name of your certificate, key and chain file, using the paths the files were moved to earlier in this article:


SSLCertificateFile /etc/apache2/ssl/6eba0aa5c1b8.crt
SSLCertificateKeyFile /etc/apache2/ssl/website_ssl.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

Save and exit the file.

Enable SSL on the server:

sudo a2enmod ssl

Enable the SSL virtual host:

sudo a2ensite default-ssl

Restart Apache for the changes to take effect:

sudo systemctl restart apache2


Helpful articles:

1. https://www.codingepiphany.com/2014/11/26/installing-godaddy-ssl-certificate-in-an-ubuntu-server/
2. https://www.ionos.com/community/markdown-migration/install-a-ionos-ssl-certificate-on-ubuntu-1604/

Exim Remove All messages From the Mail Queue

To print a list of the messages in the queue, enter:

# exim -bp

To remove a message from the queue, enter:

# exim -Mrm {message-id}

To remove all messages from the queue, enter:

# exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash
