Step 4: Host Based Intrusion Detection

Overview

This tutorial describes how to install and configure host-based intrusion detection tools on a Linux server. Following the steps in this tutorial, you will configure your server to perform automated virus and rootkit scans.

This tutorial is intended for people with minimal knowledge of computer networks and Linux. You should know how to start the Linux terminal on your server machines. The instructions in this tutorial cover all of the commands you must use and the files you must edit for a basic configuration.

In this tutorial you will learn:

  • How to configure the clamav antivirus scanning software and the rkhunter rootkit scanning software.
  • How to manually run a scan of your system.
  • How to set up a script to run virus and rootkit scans daily.

The most common virus detection program for Linux is clamav. Together with the rootkit detection software rkhunter, you can configure scanning of your machine to detect virus and malware infections.

There are various tutorials on the internet that describe how to install and configure these programs. In my opinion, the easiest setup is to use the scripts and instructions from this GitHub project:

To install and automate the scan script files:

  1. Install the required packages.
$ sudo apt-get install clamav clamav-freshclam rkhunter git
  2. Create or go to the root user's scripts folder.
$ sudo su
$ mkdir ~/scripts
$ cd ~/scripts
  3. Get the script source code.
$ git clone https://github.com/crylium/clamav-daily.git
  4. Modify the script files for your specific server. This step will depend on your setup and how much you want to customize the script. You must at least modify some of the variables at the top of the file to specify the email "to" and "from" addresses for notifications.
$ nano ./clamav-daily/clamav-rkhunter-scan.sh
  5. Make the script runnable.
$ chmod u+x ./clamav-daily/*.sh
  6. Test the script and run a scan manually.
$ ./clamav-daily/clamav-rkhunter-scan.sh

Wait for the script to finish (it can take quite a while depending on how many files you have on your system). Inspect the output to make sure there are no errors or warnings.

  7. To add the script to the daily task scheduler, create a link. Keep the link name free of dots: run-parts, which cron uses to execute /etc/cron.daily, silently skips file names containing characters other than letters, digits, underscore and hyphen.
$ ln ./clamav-daily/clamav-rkhunter-scan.sh /etc/cron.daily/clamscan_daily

The script is set up to only send you email when there is a problem, so make sure you double-check the log files over the next week or so to ensure that the scan is happening every day.
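To show what a "mail only on problems" daily scan wrapper looks like, here is an added example written for this tutorial; it is not the clamav-daily project's own script. The mail addresses, scan directories, log directory and the use of a sendmail-compatible MTA are assumptions; `needs_alert` is the decision logic, separated out so it can be checked against sample logs without running a scan.

```shell
#!/bin/sh
# Daily ClamAV + rkhunter scan wrapper: logs every run, mails only on findings.
# Signature updates are left to the clamav-freshclam package installed in step 1.
MAIL_TO="admin@example.com"         # assumed recipient
MAIL_FROM="clamscan@example.com"    # assumed sender
SCAN_DIRS="/home /var/www /tmp"     # assumed directories to scan
LOG_DIR="${LOG_DIR:-/var/log/clamav-daily}"   # assumed log location
TODAY=$(date +%Y-%m-%d)

# Return 0 (true) when the clamscan log reports one or more infected files
# or the rkhunter log contains any "Warning:" line; return 1 when both are clean.
# Usage: needs_alert <clamscan_log> <rkhunter_log>
needs_alert() {
    clam_log="$1"; rk_log="$2"
    # clamscan prints a summary line of the form "Infected files: N"
    infected=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$clam_log" | tail -n 1)
    if [ -n "$infected" ] && [ "$infected" -gt 0 ]; then
        return 0
    fi
    # rkhunter --rwo (report warnings only) emits findings as "Warning: ..." lines
    if grep -q '^Warning:' "$rk_log"; then
        return 0
    fi
    return 1
}

run_scans() {
    mkdir -p "$LOG_DIR"
    clam_log="$LOG_DIR/clamscan-$TODAY.log"
    rk_log="$LOG_DIR/rkhunter-$TODAY.log"
    # -r: recurse, -i: list only infected files so the log stays short
    clamscan -r -i $SCAN_DIRS > "$clam_log" 2>&1
    # --sk: skip keypress prompts, --rwo: report warnings only
    rkhunter --check --sk --nocolors --rwo > "$rk_log" 2>&1
    if needs_alert "$clam_log" "$rk_log"; then
        {
            echo "From: $MAIL_FROM"
            echo "To: $MAIL_TO"
            echo "Subject: [$(hostname)] scan findings $TODAY"
            echo
            cat "$clam_log" "$rk_log"
        } | sendmail -t    # assumes a sendmail-compatible MTA is installed
    fi
}

# Run the scans only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_scans
fi
```

Link this file into /etc/cron.daily the same way as step 7 and check `$LOG_DIR` daily for a fresh pair of log files, since a silently failing cron job produces no mail either.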