The release of LMD 1.4.1 is now live and with it comes a few new features. In this small update, I have tried to deliver on on a couple of common feature requests from users which were in-line with my development goals. That said, right to it…
The biggest change has come in the form of what has been dubbed public mode scanning. This is where non-root users can execute malware scans. For this to work, a new quarantine, session and temporary path directory tree needed to be created that users had write access under. This presented some challenges and in the early incarnation of this feature, the pub/ directory tree created for this feature was set world writable. The more I worked with the ideas around this feature the more I hated it, I simply could not impose upon users a world writable path. Then I flirted with the idea of simply creating the directory tree and if users wanted the feature they had to set it mode 777 themselves, though this was a fair trade it still felt like a lazy solution.
In the end, the solution I came up with was to populate the new pub directory tree with user paths based on passwd users and explicitly set ownership to each user for their pub/username path (–mkpubpaths). This meant that something was needed to regularly update the pub directory tree for new users and as such a cronjob was added that runs every 10 minutes to create said paths (cron.d/maldet_pub). This feature is controlled by conf.maldet variable public_scan which is disabled by default and when in a disabled state the cronjob simply does nothing along with user initiated scans exiting with an error that the feature is not currently enabled.
Supplementing the public mode scanning feature is the support for mod_security2 upload scanning which next to user initiated scans was one of the most requested features recently. Although the inotify real-time monitoring still works very well, it is not an option in some environments which makes mod_security2 upload scanning highly desirable. Conveniently, the only obstacle for upload scanning was simply that LMD did not support user initiated scans and with the introduction of public mode scanning there was only a few changes required to fully integrate it. That being the creation of a validation script for mod_security2’s inspectFile hook which returns an approved or denied status for uploaded files based on malware hits. This script was created as modsec.sh and is located in the LMD installation path. Full details on public mode and mod_security2 upload scanning are included in the README file.
Another highly requested feature is the ability to redefine configuration variables on the CLI on a per execution basis. This has been added through the -co|–config-option CLI flags. This was primarily requested by those creating integration interfaces for LMD along with those who create custom scan cronjobs. Likewise, this proved useful in the creation of the mod_security2 validation script. The usage of this feature is straight forward, simply append a comma spaced list of variables you would like to redefine in the format of VAR=VALUE.
For example, to change the email address for a specific scan and enable quarantining of hits:
maldet –config-option [email protected],quar_hits=1
Effectively, any LMD variable located in conf.maldet or internal.conf can be redefined in this way.
Smaller changes include added support for Plesk in the cron.daily scans, email_ignore_clean conf.maldet variable that allows for reports where all hits are cleaned to be ignored and improved accuracy of (gz)base64 injection signatures to reduce false positives.
That covers the notable changes in this release. Although this isn’t as big or feature packed of an update as the last couple of releases, I am confident it will add to the maturity and utility of the project for all users. Please check the CHANGELOG and README files for further details. This update will push out automatically to LMD installations with the default daily cronjob enabled or you can manually update using the ‘maldet -d’ command.
LMD By The Numbers:
16,036 Downloads month-to-date (includes version updates)
15,261 Malware source URL’s tracked
14,443 Active installations (by unique IP daily signature queries)
11,017 Active 1.4.x installations (by unique IP daily signature queries)
10,192 File submissions pending malware review
9,644 Updates to 1.4.1 (by unique IP signature queries)
8,579 Total malware signatures
7,300 Google references to “linux malware detect”
6,715 MD5 malware signatures
6,374 Unique malware files in the LMD malware repository
3,221 Zombie server nodes seen in the last 30d on IRC C&C networks
1,864 HEX malware signatures
1,338 New signatures since 1.4.0
261 Command & Control IRC networks tracked
226 Signature updates in the last 12 months
196 Unique malware signature classifications
112 Files on average submitted daily through checkout feature
101 GB of bandwidth used per month on average to serve LMD updates
18 Signature updates per month on average
6.3 New signatures per day on average
1.6 Days between signature updates on average