We are now performing real time monitoring in some of the servers using maldet. The steps to be performed for that are as follows:
1. Perform a full server scan using maldet.
maldet -a /home/?/public_html
2. Once the scanning is completed, remove the cmdshells and bots and also remove the eval codes from the files. Make sure that no files contain vulnerable contents.
3. While installing maldet, a cron will be added in the folder /etc/cron.daily. Remove that file and create a file /root/maldet.sh with the following content:
Turkey (Türkçe)
Worldwide (English)
#!/bin/bash
# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1
# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1
# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
/usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
# if were on ensim, scan the last 2 days of file changes in fst roots
if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
/usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
/usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
else
# scan the last 2 days of file changes on home*/public_html
/usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
fi
fi
4. Set 755 permission for the file /root/maldet.sh
chmod 755 /root/maldet.sh
5. Set a cron using the following command:
crontab -e 30 01 * * * sh /root/maldet.sh /etc/init.d/crond restart
6. Now start the real time monitoring by running the command:
maldet --monitor /home
The details of the files like the file name, whether it was newly created or modified and the date will be added to the file /usr/local/maldet/inotify/inotify_log. Then daily at 01.30AM, it will check the files which were modified or newly created for the vulnerabilities and it will mail to “anyone@anyone.com”
IT Security and Ethical Hacking Trivandrum, Kerala. Check out http://www.aspirantz.in
Copyright © 2024 All Rights Reserved
