How to Install and Use Linux Malware Detect (LMD) with ClamAV as the Antivirus Engine


Malware, or malicious software, is the designation given to any program whose purpose is to disrupt the normal operation of a computer system. Although the best known forms of malware are viruses, spyware and adware, the harm they intend to cause can range from stealing private information to deleting personal data, and everything in between. Another classic use of malware is to take control of a system so that it can be used as part of a botnet in a (D)DoS attack.

In other words, do not fall into the trap of thinking "I don't need to protect my system(s) from malware since I don't store any sensitive or important data", because that kind of data is not the only target of malware.

For that reason, in this article we will explain how to install and configure Linux Malware Detect (aka MalDet, or LMD for short) together with ClamAV (an antivirus engine) on RHEL 8/7/6, CentOS 8/7/6 and Fedora 30-32 (the same instructions also work on Ubuntu and Debian systems).

LMD is a malware scanner released under the GPL v2 license, designed especially around the threats faced in shared hosting environments. However, you will quickly realize that you benefit from MalDet no matter what kind of environment you work in.

Installing LMD on RHEL/CentOS and Fedora

LMD is not available from the distributions' online repositories but is distributed as a tarball from the project's website. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with wget. Note that the link is plain HTTP, so compare the tarball's checksum against one you trust before running anything from it:

# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then we need to unpack the tarball and change into the directory where its contents were extracted. Since the current version is 1.6.4, the directory is maldetect-1.6.4. There we will find the installation script, install.sh.

# tar -xvf maldetect-current.tar.gz
# ls -l | grep maldetect
# cd maldetect-1.6.4/
# ls

If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool but also performs a pre-check to see whether the default installation directory (/usr/local/maldetect) exists. If it does not, the script creates the installation directory before proceeding.

Finally, after the installation is complete, a daily run through cron is scheduled by placing the cron.daily script (see the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default data directories of Apache and of the common web control panels (CPanel and DirectAdmin, to name a few).

That said, run the installation script as usual:

# ./install.sh
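The steps above as one script, added here as an example and not part of the original article or the LMD project. It keeps the article's download URL but, because that URL is plain HTTP, refuses to run install.sh unless the tarball's SHA-256 matches a digest you pass in (a value you obtained out of band, for instance from a copy you already trust; where it comes from is outside this example). It also reads the top-level directory name from the archive instead of hardcoding maldetect-1.6.4, so the script keeps working when a new version is released.

```shell
#!/bin/sh
# Added example, not from the article or the LMD project: download, verify and
# install LMD. Uses only POSIX sh plus tar, gzip, wget and sha256sum/shasum.

LMD_URL="http://www.rfxn.com/downloads/maldetect-current.tar.gz"   # URL from the article

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# tarball_topdir TARBALL: print the single top-level directory inside TARBALL
# (e.g. maldetect-1.6.4). Fails if there is none or more than one, so we never
# cd into a directory the archive did not actually create.
tarball_topdir() {
    local tops
    tops=$(tar -tzf "$1" | sed 's#^\./##' | cut -d/ -f1 | grep -v '^$' | sort -u)
    [ -n "$tops" ] || return 1
    [ "$(printf '%s\n' "$tops" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$tops"
}

# install_lmd EXPECTED_SHA256 [WORKDIR]: fetch the current tarball, compare its
# digest with EXPECTED_SHA256 (a value you obtained out of band; the download
# itself is plain HTTP), unpack it and run the bundled install.sh as root.
install_lmd() {
    local expected="$1" workdir="${2:-/tmp/lmd-install}" tarball topdir actual
    mkdir -p "$workdir"
    tarball="$workdir/maldetect-current.tar.gz"
    wget -q -O "$tarball" "$LMD_URL" || return 1
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install: sha256 $actual does not match expected $expected" >&2
        rm -f "$tarball"
        return 1
    fi
    topdir=$(tarball_topdir "$tarball") || { echo "unexpected archive layout" >&2; return 1; }
    tar -xzf "$tarball" -C "$workdir"
    (cd "$workdir/$topdir" && ./install.sh)
}

# Usage (as root, after obtaining the digest out of band):
#   install_lmd <sha256 of the tarball>
```

The install.sh call is left exactly as in the article; the only additions are the digest gate and the refusal to guess the directory name. If the archive ever ships more than one top-level entry, the function stops rather than descending into the wrong one.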

Configuring Linux Malware Detect

LMD's configuration is handled through /usr/local/maldetect/conf.maldet, and all options are well commented to make configuration a rather easy task. If you get stuck, you can also refer to /maldetect-1.6.4/README for further instructions. Keep in mind that maldet reads conf.maldet as a shell script, so a misspelled variable name produces neither an error nor an effect: always copy option names from the shipped file rather than from memory.

Inside the configuration file you will find the following sections, enclosed in square brackets:

  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS

Each of these sections contains several variables that determine how LMD behaves and which features are enabled.

  1. Set email_alert=1 if you want to receive email notifications of malware scan results. For brevity we will only deliver mail to local system users, but you can explore other options such as sending the alerts outside the machine as well.
  2. Set email_subj="Your subject here" and email_addr (the recipient address) if you have already set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine and alert), you tell LMD what to do when malware is detected.
  4. quar_clean lets you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, "a contiguous byte sequence that potentially can match many variants of a malware family".
  5. quar_susp, the default suspend action for users with hits, allows you to disable an account whose files have been identified as hits.
  6. clamav_scan=1 tells LMD to try to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. The option only uses ClamAV as the scanner engine; LMD's own signatures remain the basis for detecting threats. In LMD 1.5 and later this option appears in conf.maldet as scan_clamscan, so use whichever name the shipped file of your version actually contains.

In summary, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet (the local root user is used here as the example recipient):

email_alert=1
# email_addr: the local root user here; any address your MTA can deliver to works
email_addr=root
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
# named scan_clamscan in LMD 1.5 and later; copy the name from your conf.maldet
clamav_scan=1
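An added example, not code from the article or from LMD, that applies the settings above to conf.maldet without hand-editing. Because maldet sources conf.maldet as shell, an assignment to a name the script never reads (such as clam_av=1) produces neither an error nor an effect, so set_conf_var refuses keys that do not already appear in the file. write_sample_conf builds a constructed stand-in for the shipped file (the real one is much longer; its option names and quoting are what matter here) so the helpers can be exercised without an LMD install. The recipient address root and the fallback order for the ClamAV toggle (scan_clamscan first, clamav_scan second) are this example's choices.

```shell
#!/bin/sh
# Added example, not from the article or LMD: edit conf.maldet safely.
# maldet sources conf.maldet as shell code, so "clam_av=1" (a typo for the
# real option) is accepted silently and changes nothing. These helpers only set
# names that already exist in the file, active or commented out.

# conf_has_key FILE KEY: true if FILE defines KEY, whether active or commented.
conf_has_key() {
    grep -Eq "^[#[:blank:]]*$2=" "$1"
}

# set_conf_var FILE KEY VALUE: replace the first definition of KEY (active or
# commented) with KEY=VALUE, drop duplicates, refuse unknown keys.
# VALUE is passed to awk -v, so it must not contain backslashes.
set_conf_var() {
    local file="$1" key="$2" val="$3"
    if ! conf_has_key "$file" "$key"; then
        echo "refusing to set '$key': not an option in $file" >&2
        return 1
    fi
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[# \t]*/, "", line)          # strip comment marker and blanks
            if (index(line, key "=") == 1) {   # a definition of this key
                if (!done) { print key "=" val; done = 1 }
                next
            }
            print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# conf_active_value FILE KEY: value of the last active (uncommented) definition,
# with surrounding double quotes removed.
conf_active_value() {
    grep -E "^$2=" "$1" | tail -n 1 | sed -e "s/^$2=//" -e 's/^"\(.*\)"$/\1/'
}

# configure_maldet FILE: apply the settings from the article. Mail goes to the
# local root user (assumption; change to suit). The ClamAV toggle is tried under
# its LMD 1.5+ name first and falls back to the older clamav_scan.
configure_maldet() {
    local f="$1"
    set_conf_var "$f" email_alert 1 &&
    set_conf_var "$f" email_addr root &&
    set_conf_var "$f" email_subj '"Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"' &&
    set_conf_var "$f" quar_hits 1 &&
    set_conf_var "$f" quar_clean 1 &&
    set_conf_var "$f" quar_susp 1 &&
    { set_conf_var "$f" scan_clamscan 1 2>/dev/null || set_conf_var "$f" clamav_scan 1; }
}

# write_sample_conf FILE: a constructed stand-in for the shipped conf.maldet,
# mimicking its layout (comment, then quoted default) so the helpers can be
# tried without an LMD install. The real file is much longer.
write_sample_conf() {
    cat > "$1" <<'EOF'
##
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert="0"
email_subj="maldet alert from $(hostname)"
email_addr="you@domain.com"
##
# [ QUARANTINE OPTIONS ]
##
quar_hits="0"
quar_clean="0"
quar_susp="0"
##
# [ SCAN OPTIONS ]
##
scan_clamscan="1"
EOF
}

# Usage on a real system (as root):
#   configure_maldet /usr/local/maldetect/conf.maldet
```

Running configure_maldet twice leaves exactly one active line per option, and a typo such as clam_av is rejected up front instead of being discovered weeks later when ClamAV was never actually used.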

Installing ClamAV on RHEL/CentOS and Fedora

To install ClamAV so that you can take advantage of the clamav_scan setting, follow these steps:

Enable the EPEL repository.

# yum install epel-release

Then run:

# yum update && yum install clamd
# apt update && apt-get install clamav clamav-daemon  [Ubuntu/Debian]

Note: These are only the basic instructions for installing ClamAV so that it can be integrated with LMD. We will not go into detail on ClamAV's own settings since, as we said earlier, LMD's signatures remain the basis for detecting and cleaning threats. One thing you should still do is run freshclam before the first scan, so that the ClamAV engine has a current signature database to work with.

Testing Linux Malware Detect

Now it's time to test our fresh LMD/ClamAV installation. Instead of using real malware, we will use the EICAR test files, which are available for download from the EICAR website.

# cd /var/www/html
# wget http://www.eicar.org/download/eicar.com 
# wget http://www.eicar.org/download/eicar.com.txt 
# wget http://www.eicar.org/download/eicar_com.zip 
# wget http://www.eicar.org/download/eicarcom2.zip 

At this point you can either wait for the next cron job to run or execute maldet manually. We will go with the second option:

# maldet --scan-all /var/www/

LMD also accepts wildcards, so if you want to scan only a certain type of file (zip files, for example), you can do so with:

# maldet --scan-all /var/www/*.zip

When the scan is complete, you can either check the email sent by LMD or view the report with:

# maldet --report 021015-1051.3559

Where 021015-1051.3559 is the SCANID (the SCANID will be different in your case).

Important: Note that LMD found 5 hits because the eicar.com file was downloaded twice (wget does not overwrite an existing file but appends a numeric suffix, resulting in eicar.com and eicar.com.1).
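The test stage as an added example (not the article's code, nor EICAR's or LMD's): it generates the EICAR file locally rather than fetching it over plain HTTP, verifies it against the published SHA-256, stages the same variants the article downloads (the two zip variants only if the zip tool is installed), and compares maldet's reported hit count with the number of staged files. hits_from_summary assumes the scan summary contains the words "malware hits N", and test_lmd assumes maldet is installed; everything else runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the article, EICAR or LMD: build the EICAR test files
# locally, verify them against the published digest, and check maldet's hit
# count against the number of staged files.

EICAR_SHA256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# sha256_of FILE: SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# eicar_string: the 68-byte EICAR test string, assembled from two halves so this
# script itself does not carry the contiguous signature and is not quarantined
# by the scanner it exercises. No trailing newline, matching eicar.com.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# write_eicar DIR: stage eicar.com and eicar.com.txt (and, if zip is installed,
# eicar_com.zip and the nested eicarcom2.zip) in DIR. Aborts on a digest mismatch.
write_eicar() {
    local dir="$1" actual
    mkdir -p "$dir"
    eicar_string > "$dir/eicar.com"
    actual=$(sha256_of "$dir/eicar.com")
    if [ "$actual" != "$EICAR_SHA256" ]; then
        echo "generated file has digest $actual, expected $EICAR_SHA256" >&2
        rm -f "$dir/eicar.com"
        return 1
    fi
    cp "$dir/eicar.com" "$dir/eicar.com.txt"
    if command -v zip >/dev/null 2>&1; then
        (cd "$dir" && zip -q eicar_com.zip eicar.com && zip -q eicarcom2.zip eicar_com.zip)
    fi
}

# expected_hits DIR: number of staged test files; every variant carries the
# signature, so a correct scan of DIR should report exactly this many hits.
expected_hits() {
    ls "$1" | grep -c '^eicar'
}

# hits_from_summary: read maldet's scan output on stdin, print the hit count.
# Assumes the summary line contains "malware hits N"; check against your version.
hits_from_summary() {
    sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# test_lmd DIR: stage the files, scan DIR with maldet (must be installed) and
# compare the reported hit count with the number of staged files.
test_lmd() {
    local dir="$1" want got
    write_eicar "$dir" || return 1
    want=$(expected_hits "$dir")
    got=$(maldet --scan-all "$dir" 2>&1 | hits_from_summary)
    if [ "$got" != "$want" ]; then
        echo "staged $want test files but maldet reported '${got:-no summary}' hits" >&2
        return 1
    fi
    echo "ok: $got/$want EICAR files detected"
}

# Usage (as root): test_lmd /var/www/html/eicar-test
# then inspect with maldet --report <SCANID> and remove the test directory.
```

Staging the files in a directory of their own avoids the duplicate-download surprise described above, and checking the digest first means a scan that reports zero hits points at LMD or ClamAV rather than at a mangled test file.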

If you check the quarantine folder (I kept one of the files and deleted the rest), you will see the following:

# ls -l /usr/local/maldetect/quarantine

You can remove all quarantined files with:

# rm -rf /usr/local/maldetect/quarantine/*

in case

# maldet --clean SCANID

does not do the job for some reason. You can also refer to the accompanying screencast for a step-by-step walk-through of the above process.

Since maldet needs to be integrated with cron, you should set the following variables in root's crontab (run crontab -e as root) if you notice that LMD is not running properly on a daily basis:

PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
SHELL=/bin/bash

PATH makes sure cron can find the maldet binaries, and MAILTO=root makes cron mail any error output to root, which provides the debugging information you need.

Conclusion

In this article we have discussed how to install and configure Linux Malware Detect together with ClamAV, a powerful ally. With the help of these two tools, detecting malware should be a rather easy task.

However, do yourself a favor and become familiar with the README file as explained earlier, and you will be able to rest assured that your systems are well accounted for and well managed.

Feel free to leave your comments or questions, if any, in the comment form below.

Reference Links

LMD Home Page