X
X
X
X

Knowledge Base

HomepageKnowledge BaseLinuxMaldet – Realtime Monitoring

Maldet – Realtime Monitoring

We are now performing real time monitoring in some of the servers using maldet. The steps to be performed for that are as follows:

1. Perform a full server scan using maldet.

maldet -a /home/?/public_html

2. Once the scanning is completed, remove the cmdshells and bots and also remove the eval codes from the files. Make sure that no files contain vulnerable contents.
3. While installing maldet, a cron will be added in the folder /etc/cron.daily. Remove that file and create a file /root/maldet.sh with the following content:

#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
	# if were on ensim, scan the last 2 days of file changes in fst roots
	if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
	        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
	        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
	else
		# scan the last 2 days of file changes on home*/public_html
	        /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
	fi
fi

4. Set 755 permission for the file /root/maldet.sh

chmod 755 /root/maldet.sh

5. Set a cron using the following command:

crontab -e
30 01 * * * sh /root/maldet.sh
/etc/init.d/crond restart

6. Now start the real time monitoring by running the command:

maldet --monitor /home

The details of the files like the file name, whether it was newly created or modified and the date will be added to the file /usr/local/maldet/inotify/inotify_log. Then daily at 01.30AM, it will check the files which were modified or newly created for the vulnerabilities and it will mail to “anyone@anyone.com”

 

IT Security and Ethical Hacking Trivandrum, Kerala.  Check out http://www.aspirantz.in

Can't find the information you are looking for?

Create a Support Ticket
Did you find it useful?
(50495 times viewed / 0 people found it helpful)

Powered by WISECP
Top