TABLE OF CONTENT
Introduction
In this tutorial, we'll provide a detailed walkthrough, empowering you to enhance the security of your Linux OS. Strengthen your defense against malware with our step-by-step instructions, ensuring a resilient and protected Linux system.
In this guide, we will be using Debian Linux, and you can install ClamAV and Maldetect on both desktop or server environments. Let's dive into the process and safeguard your Debian operating system effectively.
Prerequisites
Home/Small Office – Debian Server
Home/Small Office – Debian Server Initial Customization
Install GNOME Desktop Environment on Debian: Easy Guide
GNOME Customization on Debian: Complete Guide
Antivirus Engine - ClamAV
ClamAV is an open-source antivirus engine designed to detect various types of malware, including viruses, trojans, and other malicious software. It is known for its effectiveness in scanning files on Linux-based systems and is widely used in email gateways, web servers, and file servers to protect against malware threats.
In the table below, you can see some key features and aspects of ClamAV, along with some general info about the project itself:
-
- Open Source
- Cross-Platform Compatibility
- Scalability
- On-Demand and On-Access Scanning
- Signature-Based Detection
- Heuristic Analysis
- Command Line Interface (CLI) and Graphical User Interface (GUI)
- Integration with Mail Servers
- Regular Updates
ClamAV Installation
apt install -y --no-install-recommends clamav clamav-base clamav-freshclam clamav-daemon clamdscan
Accepting the defaults for the rest of the questions the installer will ask is fine, so press Enter on your keyboard to do so.
Installation will set configuration files in the /etc/clamav directory, and database and signature updates will be downloaded in the /var/lib/clamav directory.
ClamAV Configuration
Configurations for ClamAV daemon (clamav-daemon) and updater (freshclam) come with reasonable default options, so they can be left as-is. What I will show you in this section is how to define a custom scan job for a specific location(s) on your file system.
I will show you how to configure a scan job for the path(s) on your system that ClamAV should scan during its run and how to set a cron job (scheduled task) with a definition of when to start the scan.
Usually, it's best only to scan the locations where most "user-created" files are located. That can be the home directory on your desktop or a folder where website(s) data is located on a public web server.
A list of locations (directories on the filesystem that need to be scanned) can be supplied to ClamAV by simply listing them in a simple text file. For example, if I want ClamAV to scan my home directory, I will open a new file /etc/clamav/clamav-paths.txt and paste in the following content:
/home
#!/usr/bin/env bash
set -euo pipefail
## Flush log
echo -n > /etc/clamav//clamav_scan_results.txt
## Scan files
/usr/bin/clamscan -r -z -i --file-list=/etc/clamav/clamav_paths.txt --log=/etc/clamav/clamav_scan_results.txt
chmod 750 /usr/local/sbin/clamav-scan.sh
# Execute virus scan on home folder
MAILTO=root
0 3 * * * root /usr/local/sbin/clamav-scan.sh
Malware Scanner - Maldetect
Linux Malware Detect (LMD) is an open-source malware scanner for Linux-based systems. It is developed by R-fx Networks and is primarily used to detect and remove malicious software on Linux servers. LMD is particularly popular in web hosting environments and server setups where security is a critical concern.
You can see some key features LMD offers, along with some info about the project in general in the table below:
-
- Signature-Based Detection
- Heuristic Detection
- Inotify Monitoring
- Quarantine and Removal
- Integration with ClamAV
- Email Notifications
- Command Line Interface (CLI)
- Configurability
Maldetect Installation
cd
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xzf maldetect-current.tar.gz
rm -rf maldetect-current.tar.gz
MALDET_VERSION=$(ls | grep maldetect)
cd $MALDET_VERSION
./install.sh
Maldetect Configuration
email_alert="1"
email_addr="root"
scan_clamscan="1"
scan_find_timeout="14400"
scan_export_filelist="1"
quarantine_hits="1"
quarantine_clean="1"
#default_monitor_mode="users"
default_monitor_mode="/usr/local/maldetect/monitor_paths"
/home
/usr/local/maldetect/logs/event_log {
missingok
weekly
compress
notifempty
size 1M
rotate 4
su root root
create 0644 root root
}
/usr/local/maldetect/logs/inotify_log {
missingok
weekly
compress
create 0644 root root
notifempty
size 1M
rotate 4
su root root
postrotate
/bin/systemctl condrestart maldet.service > /dev/null 2>/dev/null || true
endscript
}
systemctl restart maldet.service
It's important to note that while LMD and ClamAV are valuable tools for enhancing the security of Linux servers, no single security solution can provide complete protection. Regular system updates, proper configuration, and a combination of security tools are typically recommended for a robust defense against malware and other security threats. Additionally, LMD and ClamAV are just single components of a comprehensive security strategy, and they should be used in conjunction with other security measures such as firewalls, intrusion detection systems, and regular security audits.
With that said, I will conclude this guide. Please share it if you like, and thank you very much for reading.