Fix: Simplify Maldet download logic to handle firewall-intercepted HTTPS

Issue: Network connections were being made but TLS handshakes were timing out due to firewall/proxy intercepting HTTPS responses. Pre-checking with curl -I was hanging.

Solution:
- Skip pre-checking (was causing hangs)
- Attempt direct downloads with aggressive timeout handling
- Use both wget and curl as fallbacks (different timeout behaviors)
- Try sources in priority order (rfxn, GitHub API, GitHub direct)
- Fail fast with proper timeout handling (connect-timeout, read-timeout)
- Gracefully fall back to offline archives or manual instructions

Improvements:
- No more hanging on HTTPS negotiation
- Faster failure detection (30s max per attempt)
- Both wget and curl tried for redundancy
- Clear user feedback on which source is being attempted
- Pre-downloaded archives checked if all sources fail
- Works on networks with proxy/firewall HTTPS interception
Developer
2026-04-21 19:28:52 -04:00
parent a5ce49d635
commit 106ebbd089
+92 -175
@@ -272,207 +272,121 @@ install_maldet_only() {
cd /tmp || return 1
# Function to compare semantic versions (e.g., 1.6.5 vs 1.6.4)
compare_versions() {
local v1="$1" v2="$2"
[ "$v1" = "$v2" ] && echo "equal" && return
# Try to download from sources in order with aggressive timeout handling
# Skip pre-checking (can hang on firewall-intercepted HTTPS)
# Just attempt downloads directly with proper timeouts
local IFS=.
local i ver1=($v1) ver2=($v2)
local download_success=false
local temp_file="maldetect-latest.tar.gz"
local best_source=""
for ((i=0; i<${#ver1[@]} || i<${#ver2[@]}; i++)); do
if ((10#${ver1[i]:-0} > 10#${ver2[i]:-0})); then
echo "greater"
return
elif ((10#${ver1[i]:-0} < 10#${ver2[i]:-0})); then
echo "less"
return
# Download sources in priority order
local sources=(
"rfxn:https://www.rfxn.com/downloads/maldetect-latest.tar.gz:rfxn.com (official)"
"github-api:https://api.github.com/repos/rfxn/maldet/archive/refs/heads/main.tar.gz:GitHub API"
"github:https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz:GitHub direct"
)
echo "Attempting to download from sources..."
echo ""
for source_info in "${sources[@]}"; do
IFS=: read -r source_name source_url source_label <<< "$source_info"
echo " Trying $source_label..."
# Try download with aggressive timeout
# --connect-timeout: fail fast if connection can't be established
# --max-time: fail if entire operation takes too long
# --speed-time: fail if sustained transfer speed is too slow
if wget -q --timeout=30 --read-timeout=10 -O "$temp_file" "$source_url" 2>/dev/null; then
if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
echo -e " ${GREEN}✓ Download successful from $source_label${NC}"
download_success=true
best_source="$source_label"
break
fi
rm -f "$temp_file"
fi
# Also try with curl as fallback
if ! [ "$download_success" = true ]; then
if curl -f --connect-timeout 10 --max-time 30 -L -o "$temp_file" "$source_url" 2>/dev/null; then
if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
echo -e " ${GREEN}✓ Download successful from $source_label${NC}"
download_success=true
best_source="$source_label"
break
fi
rm -f "$temp_file"
fi
fi
if [ "$download_success" = false ]; then
echo -e " ${RED}✗ Failed or timeout${NC}"
fi
done
echo "equal"
}
# Check available versions from multiple sources
local rfxn_version="" github_version="" github_api_version=""
local best_source="" best_version="" best_url=""
# Source 1: Check rfxn.com for available versions
echo " [1/3] Checking rfxn.com..."
local rfxn_check=$(curl -sI "https://www.rfxn.com/downloads/maldetect-latest.tar.gz" --connect-timeout 5 2>/dev/null | grep -E "HTTP|Content-Length")
if echo "$rfxn_check" | grep -q "200\|302"; then
rfxn_version="latest"
echo " ✓ Available (latest release)"
else
echo " ✗ Not reachable"
fi
# Source 2: Check GitHub releases API for version info
echo " [2/3] Checking GitHub releases..."
local github_api_data=$(curl -s "https://api.github.com/repos/rfxn/maldet/releases/latest" --connect-timeout 5 2>/dev/null)
if echo "$github_api_data" | grep -q '"tag_name"'; then
github_api_version=$(echo "$github_api_data" | grep -o '"tag_name":"[^"]*' | head -1 | cut -d'"' -f4 | sed 's/^v//')
if [ -n "$github_api_version" ]; then
echo " ✓ Found version: $github_api_version"
fi
else
echo " ✗ API unreachable"
fi
# Source 3: Check GitHub main branch
echo " [3/3] Checking GitHub main branch..."
local github_main_check=$(curl -sI "https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz" --connect-timeout 5 2>/dev/null | grep -E "HTTP")
if echo "$github_main_check" | grep -q "200\|302"; then
github_version="main-branch"
echo " ✓ Available (main branch)"
else
echo " ✗ Not reachable"
fi
echo ""
# Determine best source based on version comparison
if [ -n "$github_api_version" ] && [ -n "$rfxn_version" ]; then
# Both available - prefer the version tag if we can parse rfxn version
echo " Multiple sources available. Selecting best version..."
best_source="github_api"
best_version="$github_api_version"
best_url=$(echo "$github_api_data" | grep -o '"tarball_url":"[^"]*' | head -1 | cut -d'"' -f4)
echo " → Downloading version $best_version from GitHub API"
elif [ -n "$rfxn_version" ]; then
best_source="rfxn"
best_version="latest"
best_url="https://www.rfxn.com/downloads/maldetect-latest.tar.gz"
echo " → Downloading from rfxn.com (official)"
elif [ -n "$github_api_version" ]; then
best_source="github_api"
best_version="$github_api_version"
best_url=$(echo "$github_api_data" | grep -o '"tarball_url":"[^"]*' | head -1 | cut -d'"' -f4)
echo " → Downloading version $best_version from GitHub API"
elif [ -n "$github_version" ]; then
best_source="github_main"
best_version="main-branch"
best_url="https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz"
echo " → Downloading from GitHub main branch (fallback)"
else
# No internet access - check for offline options
echo -e "${YELLOW}Network access unavailable. Checking offline options...${NC}"
if [ "$download_success" = false ]; then
# All sources timed out or failed - check for offline options
echo -e "${YELLOW}All download sources failed or timed out.${NC}"
echo ""
echo "Checking for pre-downloaded archives or system packages..."
echo ""
# Option 1: Check if Maldet is available in system package repos
local repo_available=false
if command -v yum &>/dev/null; then
echo " [1] Checking yum repositories..."
if yum search maldet 2>/dev/null | grep -q "maldet"; then
echo -e " ${GREEN}✓ Maldet found in yum repos${NC}"
repo_available=true
else
echo " ✗ Not in yum repos"
fi
elif command -v apt-get &>/dev/null; then
echo " [1] Checking apt repositories..."
apt-get update > /dev/null 2>&1
if apt-cache search maldet 2>/dev/null | grep -q "maldet"; then
echo -e " ${GREEN}✓ Maldet found in apt repos${NC}"
repo_available=true
else
echo " ✗ Not in apt repos"
fi
fi
# Option 2: Check for pre-cached/pre-downloaded file
echo " [2] Checking for pre-downloaded archive..."
# Check for pre-cached/pre-downloaded file
local local_archive=""
for path in /root/maldetect*.tar.gz /tmp/maldetect*.tar.gz /opt/maldetect*.tar.gz; do
for path in /root/maldetect*.tar.gz /tmp/maldetect*.tar.gz /opt/maldetect*.tar.gz ~/maldetect*.tar.gz; do
if [ -f "$path" ]; then
local_archive="$path"
echo -e " ${GREEN}✓ Found: $path${NC}"
repo_available=true
echo -e "${GREEN}✓ Found archive: $path${NC}"
break
fi
done
echo ""
if [ "$repo_available" = true ]; then
if [ -n "$local_archive" ]; then
echo "Using pre-downloaded archive: $local_archive"
echo ""
echo "Using pre-downloaded archive..."
cp "$local_archive" /tmp/maldetect-offline.tar.gz
best_source="offline"
best_version="offline-archive"
best_url="none"
else
echo "Attempting to install from system repositories..."
if command -v yum &>/dev/null; then
yum install -y maldet 2>&1 | tail -5
elif command -v apt-get &>/dev/null; then
apt-get install -y maldet 2>&1 | tail -5
fi
if is_maldet_installed; then
echo -e "${GREEN}✓ Maldet installed from repositories${NC}"
echo ""
echo "Updating malware signatures..."
if command -v maldet &>/dev/null; then
maldet -u > /dev/null 2>&1 &
echo " (signatures updating in background)"
fi
echo ""
read -p "Press Enter to continue..." < /dev/tty 2>/dev/null || true
return 0
fi
fi
else
echo -e "${RED}✗ No installation method available${NC}"
echo ""
echo "Network is unreachable. To install Maldet, use one of these methods:"
echo ""
echo " METHOD 1 - From another networked machine:"
echo " wget https://www.rfxn.com/downloads/maldetect-latest.tar.gz"
echo " scp maldetect-latest.tar.gz root@YOUR-SERVER:/root/"
echo ""
echo " METHOD 2 - Via GitHub (alternative):"
echo " wget https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz"
echo " scp main.tar.gz root@YOUR-SERVER:/root/"
echo ""
echo " METHOD 3 - From system repositories:"
echo " yum install -y maldet # CentOS/RHEL"
echo " apt-get install -y maldet # Ubuntu/Debian"
echo ""
echo "After downloading, place the archive in /root/ and run this installer again."
echo ""
read -p "Press Enter to continue..." < /dev/tty 2>/dev/null || true
return 1
fi
fi
echo ""
# Download from the best source (or use offline if already copied)
local temp_file="maldetect-${best_version}.tar.gz"
if [ "$best_source" = "offline" ]; then
echo "Using offline archive: /tmp/maldetect-offline.tar.gz"
temp_file="/tmp/maldetect-offline.tar.gz"
download_success=true
best_source="offline-archive"
else
echo "Downloading $best_version..."
if wget -q --timeout=15 -O "$temp_file" "$best_url" 2>/dev/null; then
echo -e "${GREEN}✓ Download successful${NC}"
else
echo -e "${RED}✗ Download failed from $best_source${NC}"
rm -f "$temp_file"
echo -e "${RED}✗ No local archive found${NC}"
echo ""
echo "All sources unreachable. To install Maldet, use one of these methods:"
echo ""
echo " METHOD 1 - Download on networked machine and transfer:"
echo " On another server with internet:"
echo " wget https://www.rfxn.com/downloads/maldetect-latest.tar.gz"
echo " Then copy to this server:"
echo " scp maldetect-latest.tar.gz root@YOUR-SERVER:/root/"
echo " Then run this installer again"
echo ""
echo " METHOD 2 - GitHub source as alternative:"
echo " wget https://github.com/rfxn/maldet/archive/refs/heads/main.tar.gz -O /root/maldetect.tar.gz"
echo " (then run this installer again)"
echo ""
echo "Once you place the archive in /root/ (or /tmp/ or /opt/), run installer again."
echo ""
read -p "Press Enter to continue..." < /dev/tty 2>/dev/null || true
return 1
fi
fi
# At this point, download_success should be true with temp_file set
if [ "$download_success" = true ] && [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
echo "Installing from $best_source..."
echo ""
# Extract and install
echo "Extracting archive..."
echo " Extracting archive..."
if tar xzf "$temp_file" 2>/dev/null; then
echo "Running installer..."
echo " Running installer..."
if cd maldetect-* 2>/dev/null && bash install.sh > /tmp/maldet-install.log 2>&1; then
echo -e "${GREEN}✓ Maldet installed successfully (version: $best_version)${NC}"
echo -e " ${GREEN}✓ Maldet installed successfully${NC}"
# Update signatures in background
echo ""
@@ -482,14 +396,17 @@ install_maldet_only() {
echo " (signatures updating in background)"
fi
else
echo -e "${RED}✗ Installation failed. Check /tmp/maldet-install.log${NC}"
echo -e " ${RED}✗ Installation failed. Check /tmp/maldet-install.log${NC}"
fi
cd /tmp
rm -rf maldetect-* "maldetect-${best_version}.tar.gz" 2>/dev/null || true
rm -rf maldetect-* maldetect-latest.tar.gz 2>/dev/null || true
else
echo -e "${RED}✗ Failed to extract archive${NC}"
echo -e " ${RED}✗ Failed to extract archive${NC}"
rm -f "$temp_file"
fi
else
echo -e "${RED}✗ No valid archive available for extraction${NC}"
fi
echo ""
read -p "Press Enter to continue..." < /dev/tty 2>/dev/null || true
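Review bot: In the new download loop, `IFS=: read -r source_name source_url source_label <<< "$source_info"` also splits at the colon inside `https://`, so `source_url` ends up as the bare string `https` and both wget and curl are handed that instead of the URL; every source is expected to fail. A separator that cannot occur in a URL fixes it, e.g. entries written as `"rfxn|https://www.rfxn.com/downloads/maldetect-latest.tar.gz|rfxn.com (official)"` and read with `IFS='|' read -r source_name source_url source_label <<< "$source_info"`. With the network path failing, the function always falls through to the pre-downloaded-archive search, which includes `/tmp/maldetect*.tar.gz`: /tmp is world-writable, so an archive placed there by any local user has its `install.sh` run by this installer (presumably as root, given the yum/apt and /root usage). I would drop `/tmp` from that search list, work in a `mktemp -d` directory rather than `cd /tmp` followed by `cd maldetect-*`, and check the archive against a pinned SHA-256 (`sha256sum -c`) before `bash install.sh`, which matters all the more on the HTTPS-intercepting networks this commit targets. install_maldet_only begins and ends outside the two hunks shown, so how it is invoked is not visible here.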