
Maldetect scanning on upload



I don't think it's possible to do that in real time, since maldet isn't hooked into cPanel (it's hooked into ClamAV).

With ClamAV you might be able to do real-time scanning, but it will consume a lot of resources if 100 users upload files at the same time.


Actually, it is possible to enable this.

The monitoring settings are at the end of the Maldet configuration file ( /usr/local/maldetect/conf.maldet )

Additional information:

Real-Time Monitoring:
The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with:
There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.
       e.g: maldet --monitor users
       e.g: maldet --monitor /root/monitor_paths
       e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:

USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then the users webdir, if it exists, will only be monitored.
PATHS: A comma spaced list of paths to monitor
FILE: A line spaced file list of paths to monitor
 
Once you start maldet in monitor mode, it will preprocess the paths based on the option specified followed by starting the inotify process. The starting of the inotify process can be a time consuming task as it needs to setup a monitor hook for every file under the monitored paths. Although the startup process can impact the load temporarily, once the process has started it maintains all of its resources inside kernel memory and has a very small userspace footprint in memory or cpu usage.
See http://www.rfxn.com/appdocs/README.maldetect for more details on inotify monitoring.

It worked perfectly following the README that sits in the same directory as maldet; when I try to upload a piece of malware to the server I get a "Forbidden" message :)

Did you put the rules in the file /usr/local/apache/conf/modsec2.user.conf? If so, where within the file?


Since I use the Comodo rules, the modsec2.user.conf file isn't loaded, so I did the following:

1) Created the file modsec2.maldet.conf with the contents from the README

2) In modsec2.conf I added an: Include "/usr/local/apache/conf/modsec2.maldet.conf"


According to the readme, the following rule is to be put in the file I mentioned above:

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
                "log,auditlog,deny,severity:2,phase:2,t:none"

I put it at the end of the file, but when I restart Apache I get the following error:

Syntax error on line 162 of /usr/local/apache/conf/modsec2.user.conf:
ModSecurity: No action id present within the rule

Could anyone help?
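The error quoted above is ModSecurity refusing a rule that has no `id` action: from ModSecurity 2.7 onward every `SecRule` must carry a unique numeric id. The configuration below is an added example, not text from the thread or from the maldet README; it combines the upload-scanning rule from the README with the separate-file plus `Include` layout described earlier in the thread. The id value and the file path are assumptions chosen for illustration.

```apache
# Example file: /usr/local/apache/conf/modsec2.maldet.conf
# (path follows the Include approach used in the thread; constructed example)

# Body access is required so ModSecurity can see multipart uploads and
# populate FILES_TMPNAMES with the temporary file names.
SecRequestBodyAccess On

# Hand every uploaded temp file to maldet's ModSecurity hook script.
# The "id" action is mandatory in ModSecurity 2.7+; omitting it produces
# "ModSecurity: No action id present within the rule".
# 1000001 is a constructed example id: choose a number that does not
# collide with any other rule set loaded on the server (e.g. Comodo rules).
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
    "id:1000001,log,auditlog,deny,severity:2,phase:2,t:none"

# In modsec2.conf (the file that is actually loaded when the Comodo rule set
# is active), pull the file in with a single Include line:
#
#   Include "/usr/local/apache/conf/modsec2.maldet.conf"
```

After saving, check the configuration with `apachectl configtest` before restarting so a rule error cannot leave the web server stopped; a rejected upload then appears as a denied request in the ModSecurity audit log, which is where to look when confirming the hook is working.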
