clamav
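# 0.102.0 is pinned here; check clamav.net for the currently supported release before installing.
# Fetch the source tarball over TLS so the download cannot be altered in transit.
wget https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz || exit 1
# Verify integrity before building. Fill in the SHA-256 published alongside the release;
# the placeholder below makes the check fail until a real value is supplied.
CLAMAV_TARBALL_SHA256='PLACEHOLDER_PUBLISHED_SHA256'
printf '%s  clamav-0.102.0.tar.gz\n' "$CLAMAV_TARBALL_SHA256" | sha256sum -c - || exit 1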
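### Install
# Build dependencies (RHEL/CentOS package names). Each step aborts on failure: without
# `set -e`, a failed extraction or configure would otherwise run `make install` anyway.
yum -y install gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel llvm-devel libxml2 libxml2-devel libcurl-devel || exit 1
tar zxf clamav-0.102.0.tar.gz || exit 1
# Never build in the wrong directory if the extraction did not produce the expected tree.
cd clamav-0.102.0 || exit 1
./configure --prefix=/opt/clamav || exit 1
make || exit 1
make install || exit 1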
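### Setting
# Dedicated unprivileged account for the daemon; skip creation when it already exists so
# the script can be re-run.
getent group clamav >/dev/null || groupadd clamav
getent passwd clamav >/dev/null || useradd clamav -g clamav -s /sbin/nologin
mkdir -p /opt/clamav/logs
# Signature database directory: where the virus_data archive below is unpacked and where
# freshclam writes with the default DatabaseDirectory of a --prefix=/opt/clamav build.
mkdir -p /opt/clamav/share/clamav
# Directory for the pid file referenced from clamd.conf; it must exist before clamd starts.
mkdir -p /opt/clamav/updata
touch /opt/clamav/logs/freshclam.log
touch /opt/clamav/logs/clamd.log
# user:group form; the "user.group" spelling is a deprecated GNU extension.
chown -R clamav:clamav /opt/clamav/logs
chown clamav:clamav /opt/clamav/share/clamav
chown clamav:clamav /opt/clamav/updata
cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf
# The sample configs ship with a bare "Example" line that must be commented out before the
# programs accept the file.
sed -i 's/^Example/#Example/' /opt/clamav/etc/freshclam.conf
sed -i 's/^Example/#Example/' /opt/clamav/etc/clamd.conf
# '|' as the sed delimiter so the paths need no escaping.
sed -i 's|^#LogFile /tmp/clamd.log|LogFile /opt/clamav/logs/clamd.log|' /opt/clamav/etc/clamd.conf
sed -i 's|^#PidFile /var/run/clamd.pid|PidFile /opt/clamav/updata/clamd.pid|' /opt/clamav/etc/clamd.conf
# Point clamd at the database directory created above. Pointing it at /opt/clamav/updata
# (as before) leaves clamd with no signatures, since nothing in this script puts them there.
sed -i 's|^#DatabaseDirectory /var/lib/clamav|DatabaseDirectory /opt/clamav/share/clamav|' /opt/clamav/etc/clamd.conf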
# cd ..
## 病毒库的压缩包clamav.virus_data.tar.gz,解压这个压缩包后,得到一个calmav目录,目录里面是官网上下载的病毒库
# tar zxf clamav.virus_data.tar.gz
# cp clamav/* /opt/clamav/share/clamav/
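## Update the signature database.
# Every scan below depends on a populated database, so a failed update is fatal here
# rather than surfacing later as a scan that silently finds nothing.
/opt/clamav/bin/freshclam || exit 1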
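### Add the scheduled scan job
# Quarantine directory, root-only: moved files are potentially malicious and must not be
# readable by other users. No -p on purpose — a directory that already exists under the
# world-writable /tmp may belong to someone else, so refuse to reuse it.
# NOTE(review): /tmp is commonly purged by tmpwatch/systemd-tmpfiles; a path outside /tmp
# keeps quarantined samples available for investigation.
mkdir -m 0700 /tmp/virus_collection || exit 1
# /etc/crontab entries need a user field before the command (per-user crontabs do not);
# without "root" here cron would read the clamscan path as the user name.
# /proc, /sys, /dev and the quarantine directory itself are skipped, and the report goes
# to a log beside the other ClamAV logs instead of being discarded.
cron_job='30 4 5 * * root /opt/clamav/bin/clamscan -r --exclude-dir="^/proc" --exclude-dir="^/sys" --exclude-dir="^/dev" --exclude-dir="^/tmp/virus_collection" --move=/tmp/virus_collection --log=/opt/clamav/logs/clamscan.log / >/dev/null 2>&1'
# Append only once so re-running this script does not duplicate the job.
if ! grep -qF -- "$cron_job" /etc/crontab; then
  printf '%s\n' '#scan virus' "$cron_job" >>/etc/crontab
fi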
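# Run a one-off scan of /data; infected files are only reported.
/opt/clamav/bin/clamscan -r /data
# Move infected files to /tmp/virus: -i prints only infected files, --move relocates them.
# The target must exist first; keep it root-only and refuse a pre-existing /tmp directory
# that may belong to another user (hence no -p).
mkdir -m 0700 /tmp/virus || exit 1
/opt/clamav/bin/clamscan --no-summary -ri --move=/tmp/virus /data
# Check a user's home directory and delete infected files. --remove is irreversible; prefer
# --move when the files may be needed for investigation. Replace USER with the account name.
# Full path for consistency with the calls above — /opt/clamav/bin is not on PATH.
/opt/clamav/bin/clamscan -r --remove /home/USER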
基本安全排查
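# Login activity. Logs are viewed with less rather than an editor: opening evidence in vim
# risks modifying it and updates its timestamps.
less /var/log/auth.log    # login log: usernames and source IPs of login attempts
last -f /var/log/btmp     # all failed logins (same data as lastb)
last -u USERNAME          # NOTE(review): confirm your last(1) accepts -u; lastlog -u USERNAME is the usual per-user form
last -f /var/log/wtmp     # login source IP and session length
# Who is logged in right now
w
users
# All local accounts
less /etc/passwd
history                   # only the current shell's history; non-interactive shells record none
# Running processes
pstree -a
ps aux
# Network listeners and connections (ss -ntulp is the equivalent where net-tools is absent)
netstat -ntulp
# CPU and memory
free -m
uptime
top
htop
# Scheduled jobs of every account. Reads /etc/passwd directly (no cat|cut) and keeps each
# account name as a single quoted word.
while IFS=: read -r user _; do
  crontab -l -u "$user"
done </etc/passwd
# System log and kernel messages
dmesg
less /var/log/messages
less /var/log/secure
less /var/log/auth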