HugeServer Knowledgebase

3 Tools to scan an Ubuntu server for Malware and Rootkits

Introduction

Servers see a constant stream of attacks and port scans. A firewall and regular system updates are a good first layer of defense, but you should also check regularly whether anyone got in. The tools described in this tutorial are made for these security checks: they detect malware, viruses, rootkits and malicious behaviour. You can run them regularly, e.g. every night, and have the reports sent to you by Email.


Chkrootkit – A Linux Rootkit Scanner

Chkrootkit is a classic rootkit scanner. It checks your server for suspicious rootkit processes and for a list of known rootkit files.
You can install Chkrootkit either from source or from the official Ubuntu repository. In this tutorial we install it from the repository package because that is easier:

apt-get install chkrootkit

To check your server with Chkrootkit execute the command below:

chkrootkit

It will start checking your system for malware and rootkits; when the process finishes you can read the report.
If you want Chkrootkit to scan your system regularly, you can create a Cron job for it with the following instructions.
In this section we create a Cron job that makes Chkrootkit scan your system once a week and Email you the report. First, open your Cron configuration with the following command:

crontab -e

Now paste the following line into the file, then save and exit (make sure to replace you@yourmail.com with your own Email address):

0 0 * * 6 /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit Reports of my server" you@yourmail.com

Now your server will be scanned every week at midnight at the end of Friday (00:00 on Saturday, day 6 in the cron day-of-week field) and the results will be Emailed to you.

Lynis – Universal security auditing tool and Rootkit scanner

Lynis (formerly rkhunter) is a security auditing tool for Linux and BSD based systems. It performs a thorough audit of many security aspects and configuration settings of your system.
We are going to install Lynis from source. At the time of writing this tutorial the latest stable version is "2.5.7", but you can always get the latest download link from its official website: https://cisofy.com/downloads/lynis/

Switch to the “opt” directory to download the “tar” file:

cd /opt/

Execute the following commands to download, extract, and move the files to a proper location:

wget https://cisofy.com/files/lynis-2.5.7.tar.gz

tar xvzf lynis-2.5.7.tar.gz

mv lynis /usr/local/

Create a symlink from the binary file to an executable path for easy access:

ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

Now you can start scanning your system with the command below:

lynis audit system

Lynis will perform a complete scan and will show you a summary of it at the end.

You can add a Cron job for Lynis as well. Open your Cron configuration with the following command:

crontab -e

Now paste the following line into the file, then save and exit (make sure to replace you@yourmail.com with your own Email address). Note that lynis without arguments only prints its help text, so the cron line has to run the audit explicitly; --cronjob makes Lynis run non-interactively and without colour codes in the mail:

0 0 * * 6 /usr/local/bin/lynis audit system --cronjob 2>&1 | mail -s "Lynis Reports of my server" you@yourmail.com

Now your server will be scanned every week at midnight at the end of Friday (00:00 on Saturday) and the results will be Emailed to you.
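Both cron lines above mail the complete scanner output every week, which means the same benign warnings arrive every Saturday and quickly get ignored. The following wrapper is an added example, not part of the tutorial or of either tool: it runs a scanner, keeps the previous report, and only sends mail when the report has changed (or the scanner failed). The paths STATE_DIR and /usr/local/sbin/scan-report.sh, and the variables MAIL_TO and MAIL_CMD, are assumptions; the scanner commands are the ones installed above.

```shell
#!/bin/sh
# Added example (not part of the tutorial): run a scanner from cron and only
# e-mail when the report differs from the previous run, so that recurring
# benign warnings do not train you to ignore the weekly mail.
# STATE_DIR, MAIL_TO, MAIL_CMD and this script's path are assumptions.

STATE_DIR="${STATE_DIR:-/var/lib/scan-reports}"
MAIL_TO="${MAIL_TO:-you@yourmail.com}"
MAIL_CMD="${MAIL_CMD:-mail}"

# run_and_diff NAME COMMAND...: run COMMAND, keep its output (stdout and
# stderr, as in the tutorial's cron line) in $STATE_DIR/NAME.latest, and
# return 0 if it is identical to the previous run, 1 if it changed or is new.
run_and_diff() {
    name="$1"; shift
    mkdir -p "$STATE_DIR"
    latest="$STATE_DIR/$name.latest"
    previous="$STATE_DIR/$name.previous"
    if [ -f "$latest" ]; then mv "$latest" "$previous"; fi
    # A crashing scanner must not look like a clean, empty report.
    "$@" > "$latest" 2>&1 || echo "scanner exited with status $?" >> "$latest"
    if [ -f "$previous" ] && cmp -s "$previous" "$latest"; then
        return 0
    fi
    return 1
}

# report NAME COMMAND...: mail the diff and the full new report only when
# run_and_diff says something changed.
report() {
    name="$1"; shift
    if run_and_diff "$name" "$@"; then
        return 0
    fi
    {
        echo "$name report on $(uname -n) changed since the last run."
        if [ -f "$STATE_DIR/$name.previous" ]; then
            diff "$STATE_DIR/$name.previous" "$STATE_DIR/$name.latest" || true
        fi
        echo
        cat "$STATE_DIR/$name.latest"
    } | $MAIL_CMD -s "$name report changed on $(uname -n)" "$MAIL_TO"
}
# Replace the two raw cron lines with one entry, e.g.
#   0 0 * * 6 /usr/local/sbin/scan-report.sh run
if [ "${1:-}" = "run" ]; then
    report chkrootkit /usr/sbin/chkrootkit
    report lynis /usr/local/bin/lynis audit system --cronjob
fi
```

The first run always produces a mail (there is nothing to compare against); after that, a mail means a new finding, a finding that disappeared, or a scanner that stopped working, all three of which are worth a look.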

ISPProtect – Website malware scanner

ISPProtect is a malware scanner for web servers. It scans for malware in website files and in CMS systems like WordPress, Joomla and Drupal. If you run a web hosting server, the hosted websites are the most attacked part of your server and it is recommended to do sanity checks on them regularly. ISPProtect contains 5 scanning engines:

  • Signature-based malware scanner.
  • Heuristic malware scanner.
  • A scanner to show the installation directories of outdated CMS systems.
  • A scanner that shows you all outdated WordPress plugins on the whole server.
  • A database content scanner which checks MySQL databases for potentially malicious content.

ISPProtect is not free software, but there is a free trial that you can use without registration to test it or to clean an infected system. ISPProtect also requires PHP to be installed on the server, so if you don't have it already you can install it with the following command:

apt-get install php php-cli

After PHP is installed you can go ahead and install ISPProtect by executing the following commands one by one:

mkdir -p /usr/local/ispprotect

cd /usr/local/ispprotect

wget http://www.ispprotect.com/download/ispp_scan.tar.gz

tar xzf ispp_scan.tar.gz

chown -R root:root /usr/local/ispprotect

chmod -R 750 /usr/local/ispprotect

Now you can create a symlink to your executable path for easy access:

ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

Run the following command to start ISPProtect:

ispp_scan

The scanner automatically checks for updates and then asks for a key; enter the word "TRIAL". You will then be asked for the path of your websites, e.g. "/var/www/".
After that the scanner starts scanning and shows you the infected items; at the end of the scan the results are stored in the ISPProtect installation directory.

To run ISPProtect as a weekly Cron job you can follow these instructions:

crontab -e

Add the following line to the file, then save and exit (make sure to replace the website path, the Email address and the scan key with your own values):

0 0 * * 6 /usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=you@yourmail.com --non-interactive --scan-key=AAA-BBB-CCC-DDD


2 thoughts on “3 Tools to scan an Ubuntu server for Malware and Rootkits”

  1. Actually, it is really high time to make a valid concern regarding such malware software in any Ubuntu based platform. This article is recommending the required malware software as these are truly effective to provide satisfactory services for maintaining the devices from every aspect.
