Welcome to Vastspace, provides Reliable Web Hosting since 2014

Configure maldet to detect malware infected files

In the last article, we installed maldet. Today we learn how to configure it. Again, I want to mention that maldet is free and only for Linux servers. Let us begin the configuration, assuming you have installed maldet successfully.

To set up maldet, the configuration file at /usr/local/maldetect/conf.maldet has to be modified.

The following are some of the general options you may want to set.

If you want to be notified of malware by email, set the following options.

email_alert : If you want email alerts whenever a suspect file is detected, set this to 1.
email_addr : The email address to which notifications are sent. This is used in combination with the email_alert option.
email_ignore_clean : When malware hits have been cleaned automatically (see the quarantine options below), skip the email notification. This is disabled by default. Set it to 1 if you have set up an automated daily scan that picks up and cleans the hits and you do not want to be notified of those by email.

What action should be taken on the infected files? The following options quarantine the files, that is, move the affected files to a secure area where they cannot do any damage.

quarantine_hits : The default value is 0. Set this to 1 so that infected files are moved to quarantine.
quarantine_clean : The default value is 0. This is used only when quarantine_hits is set to 1. Do you want the program to go further and clean the files? Set this to 1 if you want it to try to clean the malware injections. Keep it at 0 if you want to inspect the files before cleaning.

In a multi-user environment, the following options may be useful.

quarantine_suspend_user : By default this is disabled and set to 0. If you set it to 1, the accounts of users who have hits are suspended. For this to work, quarantine_hits must be 1.
quarantine_suspend_user_minuid : The lowest user id that can be suspended. This is set to 500 by default.
inotify_minuid : The lowest user id above which users are watched. The default value is 500.
inotify_docroot : The web directory relative to the users' home directories. By default it is set to public_html. If this is set, only this web directory is monitored.

Save and close the configuration file.
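As an added example (not code from the original post or from the maldet project), the following POSIX shell script applies the options above to conf.maldet with sed and reads them back, so the change can be scripted rather than edited by hand. It works on a constructed copy of the relevant lines in a temporary file; the sample values and the address admin@example.com are assumptions. On a real server, set CONF=/usr/local/maldetect/conf.maldet before running it.

```shell
#!/bin/sh
# Added example, not part of the original post. Sets the maldet options
# discussed above in conf.maldet with sed and reads them back.
# CONF defaults to a temporary file holding a constructed copy of the
# relevant lines; use CONF=/usr/local/maldetect/conf.maldet on a server.

CONF="${CONF:-$(mktemp)}"

# Constructed sample of the relevant conf.maldet lines with their defaults
# (only written when CONF is empty, so a real file is left untouched).
if [ ! -s "$CONF" ]; then
cat > "$CONF" <<'EOF'
email_alert="0"
email_addr="you@domain.com"
email_ignore_clean="0"
quarantine_hits="0"
quarantine_clean="0"
quarantine_suspend_user="0"
quarantine_suspend_user_minuid="500"
inotify_minuid="500"
inotify_docroot="public_html"
scan_ignore_root="1"
EOF
fi

# set_conf KEY VALUE: rewrite the KEY="..." line in place.
set_conf() {
    sed -i "s|^$1=\".*\"|$1=\"$2\"|" "$CONF"
}

# get_conf KEY: print the value between the quotes (empty if unset).
get_conf() {
    sed -n "s|^$1=\"\(.*\)\"|\1|p" "$CONF"
}

# check_conf: succeed only when the combination makes sense:
# quarantine_clean needs quarantine_hits, and email alerts need an address.
check_conf() {
    if [ "$(get_conf quarantine_clean)" = "1" ] && [ "$(get_conf quarantine_hits)" != "1" ]; then
        echo "quarantine_clean=1 has no effect while quarantine_hits=0" >&2
        return 1
    fi
    if [ "$(get_conf email_alert)" = "1" ] && [ -z "$(get_conf email_addr)" ]; then
        echo "email_alert=1 but email_addr is empty" >&2
        return 1
    fi
    return 0
}

# Alert by email and quarantine hits, but leave automatic cleaning off so
# the quarantined files are reviewed before anything is modified.
set_conf email_alert 1
set_conf email_addr admin@example.com   # placeholder address
set_conf quarantine_hits 1
set_conf quarantine_clean 0
check_conf && echo "conf.maldet settings applied to $CONF"
```

Keeping quarantine_clean at 0 while quarantine_hits is 1 is the conservative choice: hits are isolated immediately, but the files are only altered after you have looked at the report.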

A simple scan
For a simple scan, run maldet with the --scan-all option and a path as the argument. It first builds a list of files in all the directories and sub-directories under that path, then scans those files and reports the number of hits. It also writes a report which you can view to examine the suspicious files. Make sure you provide the full path and not a relative path.

sudo maldet --scan-all /home/username/public_html/

A word of warning, though. The setting scan_ignore_root in the configuration file is set to 1 by default. This causes files owned by root to be left out of the file list that maldet builds. The default is faster, but it assumes that your root password has not been compromised and that malware has not been injected into root-owned files. Change this setting to 0 if you want root-owned files to be scanned as well. This may slow down the scan, so use it judiciously.

You can view the files that are affected by opening the report file mentioned.

Quarantine affected files
When quarantine_hits is set to 1, maldet not only scans for malware but also moves the hits to quarantine so that your users no longer have access to those files. Your malware scan then reports the quarantine location of each hit as well. In this case, quarantine_clean is set to 0.

If you view the report, you can see the affected files and their quarantine location. You can inspect the files and then decide on whether you want to clean them.

If you scanned with quarantine_hits set to 0, you need not set it to 1 and redo the scan. Instead, you can quarantine all the malware results from the previous scan with

sudo maldet --quarantine SCANID

Quarantine and clean affected files
When quarantine_clean is set to 1, maldet moves the affected files to quarantine and then tries to clean them.

If you did a scan with quarantine_hits or quarantine_clean set to 0, you can clean the results afterwards with the following option.

sudo maldet --clean SCANID

Restore a file
If you want to restore a file that was a false positive and was quarantined, or if you have cleaned a file and want it back in its original location, run

sudo maldet --restore FILENAME

Alternately, give the complete path of the quarantined file.

sudo maldet --restore /usr/local/maldetect/quarantine/FILENAME

Wildcard scan
You can also use wildcards in your scan path. ? is the wildcard character.

sudo maldet --scan-all /home/?/public_html/

This checks all directories inside /home, and any of them that has a public_html sub-directory gets that sub-directory scanned completely.

Recent scan
If you want to check the same path as a previous scan, but only the files created or modified recently, run maldet with the --scan-recent option, the path and the number of days n.

sudo maldet --scan-recent /home/username/public_html/ 7

Running such a recent scan with n set to 7 days gives you a weekly incremental check.

Automate periodic scan
You can automate daily scans with cron. During installation, LMD installs a cron job at /etc/cron.daily/maldet.

This cron job updates the signatures, adds new malware threats to its registry and performs a daily check of all home directories and of recent changes on the server. Whenever it detects malware, it notifies the address you specified in the configuration.

Monitor mode
The inotify monitor can be used to watch users in real time for file creation, modification or movement. Monitoring can be done in one of the three modes below.

Monitor users
The users mode takes the home directories of all users on the system whose UID is greater than inotify_minuid and monitors them. If inotify_docroot is set, only the users' web directory, where it exists, is monitored.

sudo maldet --monitor users

Monitor paths
Alternately, you can monitor paths. Give a comma-separated list of paths with the --monitor option.

sudo maldet --monitor PATH1,PATH2,...

For example,

sudo maldet --monitor /tmp,/home,/var

Monitor files
If you are concerned about specific files, you can monitor just those by giving a comma-separated list of files.

sudo maldet --monitor FILE1,FILE2,...

Exclude files or paths
Certain paths or files can be excluded from the scan by using the ignore files.

Add files or paths to be excluded from the daily scan to /usr/local/maldetect/ignore_paths.

Add signatures to be excluded from the daily scan to /usr/local/maldetect/ignore_sigs.

Add files or paths to be excluded from inotify monitoring to /usr/local/maldetect/ignore_inotify.

Add the extensions of file types you want to exclude from daily scans (one per line) to /usr/local/maldetect/ignore_file_ext. Sample entries in that file could be

.png
.jpg
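An added example (not from the original post or the maldet project) for maintaining the ignore files described above from a script: entries are added only once, paths for ignore_paths and ignore_inotify must be absolute (a relative entry is a common mistake, as with scan paths), and extensions for ignore_file_ext must start with a dot. The sample entries, the directory /home/username/backups and the MALDET_DIR default are assumptions; on a server run it with MALDET_DIR=/usr/local/maldetect.

```shell
#!/bin/sh
# Added example, not part of the original post. Maintains the maldet ignore
# files: entries are added once (no duplicates) and paths must be absolute.
# MALDET_DIR defaults to a temporary directory so the example runs anywhere;
# on a server use MALDET_DIR=/usr/local/maldetect.

MALDET_DIR="${MALDET_DIR:-$(mktemp -d)}"

# add_ignore LISTFILE ENTRY: append ENTRY to $MALDET_DIR/LISTFILE unless it
# is already there. ignore_paths and ignore_inotify entries must start with
# a slash; ignore_file_ext entries must start with a dot; ignore_sigs is
# taken as given.
add_ignore() {
    list="$MALDET_DIR/$1"
    entry="$2"
    case "$1" in
        ignore_paths|ignore_inotify)
            case "$entry" in
                /*) ;;
                *) echo "refusing relative path: $entry" >&2; return 1 ;;
            esac ;;
        ignore_file_ext)
            case "$entry" in
                .*) ;;
                *) echo "extension must start with a dot: $entry" >&2; return 1 ;;
            esac ;;
    esac
    touch "$list"
    grep -qxF -- "$entry" "$list" || echo "$entry" >> "$list"
}

# is_ignored LISTFILE ENTRY: succeed if ENTRY is listed.
is_ignored() {
    grep -qxF -- "$2" "$MALDET_DIR/$1" 2>/dev/null
}

# count_entries LISTFILE: number of entries in the list (0 if absent).
count_entries() {
    if [ -f "$MALDET_DIR/$1" ]; then
        wc -l < "$MALDET_DIR/$1" | tr -d ' '
    else
        echo 0
    fi
}

# Constructed sample entries: a backup directory the daily scan should skip,
# the two image extensions from the text, and the same directory excluded
# from inotify monitoring.
add_ignore ignore_paths /home/username/backups
add_ignore ignore_paths /home/username/backups   # second add is a no-op
add_ignore ignore_file_ext .png
add_ignore ignore_file_ext .jpg
add_ignore ignore_inotify /home/username/backups
```

Excluding a directory from both the scan and the monitor, as done for the backup directory here, is deliberate: a path that is ignored by the daily scan but still watched by inotify would keep generating alerts for files you have decided not to scan.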
Check out more options, like running maldet in the background and other finer settings, with the help option.

sudo maldet --help

If you run a self-hosted website, at some point it is possible for malicious hackers to inject malware into your system. Before that happens, secure your system and install maldet to stay ahead of such attacks.

Detect and remove malware on your Linux server


Today we learn how to remove malware from a Linux server. It is not 100%, but it is the cheapest way to detect, clean or quarantine malware. I recommend installing it on all Linux servers, especially if you are using an open-source CMS like WordPress for your website.

What is malware?

Malware is usually defined as any kind of harmful software or code that damages devices.

Dangerous, invasive and deliberately nasty, malware seeks to get into, harm or disable computers, computer devices, networks, tablets and mobile phones, often by taking over control of a device's functions. Just like the flu, it interferes with normal operation.

Malware is mostly about making money off you illicitly. Even though malware cannot damage the physical hardware of devices or network equipment, it can steal, encrypt or erase your data, modify or hijack core system functions, and spy on device activity without your knowledge or authorization.

Linux Malware Detect, commonly referred to as maldet, is an open-source malware scanner for Linux released under the GNU GPLv2 license. It is designed around the threats faced in shared hosting environments. Install, configure and run this free software to detect and remove malware on your server.

Installation
Log in to the server as root or as a user with root permissions.

The source code of the current stable version of LMD (maldet) is available as a tarball at the link below. Download it.

sudo wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Unpack the tarball.

sudo tar -xvf maldetect-current.tar.gz

After that, list the files to find the directory in which it was unpacked. The directory is usually named maldetect-x.y.z, where x.y.z is the version number. Switch to this directory.

cd maldetect-1.5

Check that the install.sh script is there and run it.

sudo ./install.sh
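The installation steps above as one script, added here as an example; it is not the project's installer and not code from the original post. It locates the maldetect-x.y.z directory by pattern instead of hard-coding a version. The download URL is the one given above, but download_lmd is not called: for an offline run the script builds a constructed stand-in tarball (version 9.9.9, a dummy install.sh that only prints a line), so it downloads and installs nothing. On a server, call download_lmd instead of make_fake_tarball and run install.sh from the directory it prints.

```shell
#!/bin/sh
# Added example, not part of the original post or the maldet project.
# Unpacks the LMD tarball and finds the maldetect-x.y.z directory without
# assuming a version number. WORK defaults to a temporary directory.

WORK="${WORK:-$(mktemp -d)}"
TARBALL="$WORK/maldetect-current.tar.gz"

# download_lmd: fetch the current tarball (URL from the original post).
# Not called here; on the server run it instead of make_fake_tarball.
download_lmd() {
    wget -O "$TARBALL" http://www.rfxn.com/downloads/maldetect-current.tar.gz
}

# make_fake_tarball: constructed stand-in so the example runs offline.
# Version 9.9.9 and the one-line install.sh are placeholders.
make_fake_tarball() {
    mkdir -p "$WORK/src/maldetect-9.9.9"
    printf '#!/bin/sh\necho "placeholder install.sh ran"\n' > "$WORK/src/maldetect-9.9.9/install.sh"
    chmod +x "$WORK/src/maldetect-9.9.9/install.sh"
    tar -C "$WORK/src" -czf "$TARBALL" maldetect-9.9.9
}

# unpacked_dir: extract the tarball and print the name of the
# maldetect-x.y.z directory it created; fail if there is none.
unpacked_dir() {
    tar -C "$WORK" -xzf "$TARBALL"
    for d in "$WORK"/maldetect-[0-9]*; do
        if [ -d "$d" ]; then
            basename "$d"
            return 0
        fi
    done
    return 1
}

# has_installer DIR: succeed only if DIR/install.sh exists and is executable.
has_installer() {
    [ -x "$WORK/$1/install.sh" ]
}

make_fake_tarball
DIR="$(unpacked_dir)" || { echo "no maldetect-x.y.z directory found" >&2; exit 1; }
if has_installer "$DIR"; then
    echo "ready: cd $WORK/$DIR && sudo ./install.sh"
fi
```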

The next article will teach you how to configure maldet.

Why do you need to change the domain name?

This is one of the common questions asked by customers. It is not very common, but there are a few instances where website owners change their domain name.

There are 2 common mistakes, or rather I should say misperceptions, about a domain name. A domain name requires registration to own it, if it is available, and your website can change to the new name without breaking. Some websites, like a WordPress website, require the domain name to be updated in their settings if the domain name was hard-coded into URLs.

If you have fulfilled the above, you can change the existing domain name. However, when you are changing an existing domain, you must ask yourself why, and whether the reasons are valid. There are a few reasons why you might need to change a domain name.

  • The business name has changed, due to an acquisition, merger or business decision.
  • The existing domain name is too long and hard to remember.
  • The domain TLD does not represent a local business.
  • The domain name was a brand name that you no longer represent.
  • You just bought a domain name that suits your business better.

These are usually the reasons why an existing domain is changed. To change a domain name, you need to do the following,

  • The new domain name must be registered and you must be its owner.
  • Speak to your website developer and tell them you want to use the new domain name.
  • Make the old domain an alias of the new domain name, so emails are delivered to the new domain name.
  • Set up a 301 wildcard redirection to redirect web traffic from the old to the new domain name.
  • Announce the change to your customers and business associates.

When you have all of the above, you are ready to change the domain name. Note that the 301 redirection is important from an SEO perspective. The new domain can affect your ranking in search engines because of domain age and the backlinks to your website. Thus, 301 redirection is very important.

 

Some are using shared hosting?

Actually, this question has bothered me: why are people using shared hosting while VPS are dirt cheap? You can probably get a VPS for just $5 a month, which multiplied by 12 months is $60. What is $60? It is cheaper than a shared hosting plan.

But wait, we are missing a few things. There are a few reasons why people are still using and looking for shared hosting. If you look at it from a different angle, or in their shoes, a VPS may not be a good choice.

I have spoken to some; they have no idea what a VPS is, and at the end of the day it is about price. In the past, a VPS had a higher price than shared hosting; however, because of its popularity and because servers are cheaper nowadays, VPS prices have fallen tremendously.

Price is probably the main factor. Second is the web panel like cPanel or Plesk, which is optional on a VPS. With shared hosting you basically do not have to think about it. Shared hosting is web hosting ready to go. So it is simple, and good for laypeople or people with little IT background.

Again, consumers must give themselves choices and not be limited to shared hosting. Hosting providers like us must be able to educate consumers on the differences between VPS and shared hosting. Consumers will then understand the pros and cons, and which type of web hosting is better.

Here are a few advantages of buying a VPS compared to shared hosting;

  • If you host more than one website, a VPS might save you money.
  • A dedicated IP address comes by default with a VPS. You never have to worry about your neighbour's IP address being blacklisted in an RBL.
  • You can update the kernel on your own schedule if it is a true VM.
  • Web service, mail service and others are not shared with others. You have total control over these services.
  • You get a root shell on your VPS.
  • You can modify the configuration of a VPS for the behaviour you want.
  • You can resell spare resources, and more.

However, there are cons, like paying more for a control panel, and it is likely you need to manage your web hosting yourself if you face any difficulty on a VPS. Only if you have the time or the knowledge is it worth considering a VPS for your website.

 

 

How to reduce spam emails?

Actually, it is frustrating if you are receiving a lot of spam email. Even if you have the so-called best anti-spam on your email service, you can still receive spam email, maybe less of it, and at the same time some legitimate emails may be treated as spam, known as false positives.

As far as I'm concerned, there isn't a 100% solution. With anti-spam you definitely receive less, but your definition of spam is never the same as the server's. Some anti-spam products require you to set rules or train them in order to be effective.

Thus, you cannot eliminate the spam emails as you define them. However, you can still minimise the spam you receive without spending a lot or buying a good anti-spam product. Here are a few tips to help you;

a. Never use your 'work' email to register online for personal use. Your email address can be sold to someone for bulk sending. Always think twice about whether a registration is necessary.

b. Avoid common account names like help, sales, enquiry or similar. If your name is John, avoid using john@, and add your last name.

c. Do not advertise your email address. Spammers like to use harvesting techniques to collect email addresses from common areas like auction portals, buy & sell portals etc.

e. Make sure you use SPF in your domain's DNS; it allows only permitted email servers to send email on your behalf. I recommend '-all' at the end of the SPF record if you want to enforce it against emails impersonating your organization.

f. Use effective RBLs on your email server. Reputable RBLs filter emails sent from bad IP addresses.
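An added example (not from the original post) for tip e: a small POSIX shell script that classifies the "all" mechanism terminating an SPF record, so you can tell a record that merely marks impersonated mail from one that asks receivers to reject it. The three records for example.com and the address 192.0.2.10 are constructed samples; on a real domain you would feed it the TXT record returned by a DNS lookup such as dig +short txt example.com.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies the "all"
# mechanism that ends an SPF record: "-all" (fail) asks receivers to reject
# mail from hosts the record does not authorise, "~all" (softfail) and
# "?all" (neutral) only mark it, "+all" authorises everyone, and a record
# without "all" ends with an implicit neutral result.

# spf_all_qualifier RECORD: print "-", "~", "?", "+" or "none".
spf_all_qualifier() {
    q="none"
    set -f                      # no filename globbing while splitting terms
    for term in $1; do
        case "$term" in
            "-all") q="-" ;;
            "~all") q="~" ;;
            "?all") q="?" ;;
            "+all"|"all") q="+" ;;
        esac
    done
    set +f
    echo "$q"
}

# spf_enforces RECORD: succeed only for an SPF record ending in -all.
spf_enforces() {
    case "$1" in
        "v=spf1 "*|"v=spf1") ;;
        *) echo "not an SPF record: $1" >&2; return 1 ;;
    esac
    [ "$(spf_all_qualifier "$1")" = "-" ]
}

# Constructed records for example.com, from weakest to strictest.
WEAK_SPF='v=spf1 ip4:192.0.2.10 mx'          # no all: neutral by default
SOFT_SPF='v=spf1 ip4:192.0.2.10 mx ~all'     # impersonation only softfails
STRICT_SPF='v=spf1 ip4:192.0.2.10 mx -all'   # impersonation is rejected

for r in "$WEAK_SPF" "$SOFT_SPF" "$STRICT_SPF"; do
    if spf_enforces "$r"; then
        echo "enforcing: $r"
    else
        echo "lenient:   $r"
    fi
done
```

Before switching a domain from ~all to -all, make sure every host that legitimately sends as that domain (web forms, ticketing systems, newsletter providers) is listed in the record, or their mail will be the first to be rejected.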

 

 

 

WordPress version 5.1 is here

WordPress version 5.1 is here; you can find the details at https://wordpress.org/support/wordpress-version/version-5-1/ . If you are using an older version of WordPress, I suggest you upgrade as soon as possible.

Before you upgrade, always verify that the plugins you have installed are compatible. Outdated plugins may need an upgrade too. Do a backup of your WordPress website before the upgrade.

A common mistake is that users back up the WordPress files only. A WordPress website is a database-driven CMS. Content updates are changes in the database tables, so making a database dump / backup is important.

Without the latest database backup, you have a high chance of ending up with a broken website during restoration.

A common mistake of choosing a dedicated server?

What is the common mistake when choosing a dedicated server? Does size matter? Or is price the matter? Basically, we put them into 2 categories: value and performance.

From my past experience, customers look at the disk size and the RAM. Yes, the more the merrier, but most of the time this does not help performance, only capacity. For me, I will go with performance over value.

A 2.6GHz CPU A is different from a 2.6GHz CPU B. CPU B has the same speed but is a later generation that consumes 30 watts, while CPU A uses 60 watts. It means B performs better and consumes less power.

Next, we come to storage: we have hard drives, SSDs and now NVMe. Even the hard drives are different. The slower ones spin at 5400rpm, followed by 7200rpm, 10,000rpm and 15,000rpm. Higher spin speeds give you better read and write performance. An SSD reads at about 500MB per second and NVMe at 2000MB per second. For hard drives, the most common, 7200rpm, gives you 150MB.


So today you have a big hard drive, which means you can store more, but the server can only host 2 websites compared to 3 times as many with SSD for the same website loading speed.

For a dedicated server, the priority should be the power, the performance, unless you use it for file archiving and do not need the pace. A website with images is probably less than 10GB; if you have a 6TB server, I will guess you use it for archiving.

On the other hand, big hard drives like 4TB are common now; who sells you 1 or 2 TB drives? Most probably they are old stock if they do. The spin speed is still important if you stick with hard drives; otherwise, SSD at least.

All Support for version 11.30 Ends April 2, 2019


Today cPanel told us: as of April 2, 2019, cPanel L.L.C. is dropping all support for cPanel & WHM version 11.30.

According to cPanel, there are still some servers running cPanel & WHM version 11.30 in use today! Version 11.30 reached End of Life status back in January 2013 and has not received updates since that time.

cPanel wants you to know that, with this action of ending support for 11.30, they will also end support for BSD and anything that is not CentOS or RHEL. Please review these documents for more information:
cPanel & WHM End of Life Policy
cPanel & WHM Upgrade Blockers

Please also note that support for cPanel & WHM version 11.32, which reached End of Life status back in August 2013, will be dropped next. Our data tells us that there are servers still running on that tier as well.

So, if you are still using 11.30, you need to act fast. Vastspace is a cPanel NOC Partner.

How to prevent your website against hackers?


We do not see many cases, but there is always a website that was hacked, and the owners ask the same questions: how was my website hacked, and how do I protect it?

There are a few reasons why your website was hacked. Often, we can only share the possibilities until further investigation, like checking the log files.

It is difficult to eliminate the risk totally, but we suggest you protect your website. This will make hacking difficult or impossible.

Hackers are looking for backdoors to penetrate your website, and only you can shut them. Here are some inexpensive ways to protect your website.

  • Updated scripts and plugins: if you are using WordPress, Joomla or similar, always keep the CMS, the plugins and PHP up to date.
  • Limit your SQL connections, or allow local connections only.
  • Restrict your administration login page.
  • Use a malware scanner to scan your website daily during off-peak hours.
  • Use a WAF like Sucuri Firewall; you then need to update less often, which is useful to some.
  • Computers that access the website backend and control panel must have a good anti-virus/anti-malware installed, with up-to-date definitions, and be scanned by it.
  • Use strong passwords for all users.
  • Run a penetration test. You can find free solutions online.
  • Use mod_security, cPHulk brute-force protection or Fail2ban; these can be found in popular panels like cPanel or Plesk Onyx.
  • Use a firewall like CSF or APF. However, I don't really recommend a software firewall. It can paralyse the website if you are under attack, as it takes resources from your server.

Lastly, always have a backup copy from which you can restore an up-to-date website.