Automating Maldet scan question

DennisMidjord
Well-Known Member
cPanel Access Level: Root Administrator
We have some servers with around 250 accounts on them. Most accounts have multiple domains, so we've specified that maldet should background scan /home/.*/ each day. This takes a very long time, as you can probably imagine.

I'm not very skilled with maldet so I'm looking for some tips to do this scan better. Would it be better to scan only the new files? I've heard of maldet monitoring (or inotify), but how does this work?

Any tips about maldet are greatly appreciated!

cPanelLauren
Product Owner II
Staff member
Hi @DennisMidjord

I think what might be the easiest (and quickest) thing to do after your initial LMD (Maldet) scan would be to set it to scan recent paths rather than scan all paths:

Code:
- scan-recent option to scan only files that have been added/changed in X days
Inotify would provide real time scanning and could also be beneficial for your purposes. Their readme has a lot of good information: https://www.rfxn.com/appdocs/README.maldetect

DennisMidjord
Well-Known Member
Hi @cPanelLauren!
Thanks for your answer. I've set up a cron job every three days that runs the command 'maldet -b --scan-recent /home/?/?/ 3'.

One thing I'm curious about: Is maldet running a daily scan unless run in monitor mode? How would I go about disabling this daily scan?

Also, do you know if maldet is compatible with CloudLinux's file changing API instead of inotify? I've read that inotify can be pretty resource intensive, but I've never really messed with it.
As I understand, monitor mode would provide the best security but I don't want it to have a huge impact on resource usage.

cPanelLauren
Product Owner II
Staff member
Hi @DennisMidjord

DennisMidjord said:
Thanks for your answer. I've set up a cron job every three days that runs the command 'maldet -b --scan-recent /home/?/?/ 3'.
Let me know how the cron works out for you.

DennisMidjord said:
One thing I'm curious about: Is maldet running a daily scan unless run in monitor mode? How would I go about disabling this daily scan?
Based on the information in their readme:
Code:
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
Code:
.: 10 [ CRON DAILY ]

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used
to perform a daily update of signatures, keep the session, temp and quarantine
data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports a variety of control panel systems or standard Linux
/home*/user paths.

If you are running monitor mode, the daily scans will be skipped and instead a
daily report will be issued for all monitoring events.

If you need to scan additional paths, you should review the cronjob and use one
of the customization hook files, such as '/usr/local/maldetect/cron/custom.cron',
to write in custom scanning execution. For configuration based cron changes, you
can redefine any conf.maldet variables at '/etc/sysconfig/maldet' or
'/usr/local/maldetect/cron/conf.maldet.cron'.
I would assume that you could make a modification to this.

DennisMidjord said:
Also, do you know if maldet is compatible with CloudLinux's file changing API instead of inotify? I've read that inotify can be pretty resource intensive, but I've never really messed with it.
As I understand, monitor mode would provide the best security but I don't want it to have a huge impact on resource usage.
I am not aware of the compatibility unfortunately. You might check with CloudLinux on that one since LMD doesn't actually have a forum or channel for support.
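The two answers above suggest scanning recent changes instead of all of /home and putting custom scans into one of the LMD cron hook files. The script below is an added example written for this thread; it is not code from the LMD project, the README, or either poster. It assumes a cPanel-style layout of BASE/<user>/public_html, an LMD binary at /usr/local/maldetect/maldet, and that 'maldet -r PATH DAYS' (--scan-recent) scans files changed in the last DAYS days, as the README excerpt describes. It is meant to be invoked from a hook such as /usr/local/maldetect/cron/custom.cron, so it runs in the foreground and scans changed accounts one at a time rather than forking a background scan per account. The fixture built by demo_tree is constructed data for trying it out, not real customer files.

```shell
#!/bin/sh
# Added example for this thread, not code from LMD/rfxn or from the posters.
# Scans only the docroots under a base directory that actually changed in
# the last N days, sequentially and under nice(1), so a 250-account server
# neither scans every account nor scans them all at once.
#
# Assumptions (verify against your own install and README):
#   - the LMD binary is /usr/local/maldetect/maldet (override with MALDET=)
#   - 'maldet -r PATH DAYS' (--scan-recent) scans files changed in DAYS days
#   - per-account docroots live at BASE/<user>/public_html (cPanel layout)
#   - this is run from a cron hook such as
#     /usr/local/maldetect/cron/custom.cron, so no '-b' is needed

MALDET="${MALDET:-/usr/local/maldetect/maldet}"

# count_recent_files BASE DAYS
# Number of regular files under BASE modified within the last DAYS days.
# Run this first to see how small the recent-changes set is compared with a
# full /home scan; it is the same mtime selection a recent scan relies on.
count_recent_files() {
    base="$1"; days="$2"
    find "$base" -xdev -type f -mtime "-$days" 2>/dev/null | wc -l | tr -d ' '
}

# recent_docroots BASE DAYS
# Print BASE/<user>/public_html for every account with at least one file
# changed within DAYS days, one path per line. Untouched accounts are skipped.
recent_docroots() {
    base="$1"; days="$2"
    for d in "$base"/*/public_html; do
        [ -d "$d" ] || continue
        hit=$(find "$d" -xdev -type f -mtime "-$days" -print 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# run_recent_scan BASE DAYS
# Scan each changed docroot in turn under nice(1). Sequential on purpose:
# one background (-b) scan per account would fork hundreds of scanners at
# once. With DRY_RUN=1, or when maldet is absent, it only prints the command.
run_recent_scan() {
    base="$1"; days="$2"
    recent_docroots "$base" "$days" | while IFS= read -r d; do
        if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$MALDET" ]; then
            printf 'would run: nice -n 19 %s -r %s %s\n' "$MALDET" "$d" "$days"
        else
            nice -n 19 "$MALDET" -r "$d" "$days"
        fi
    done
}

# demo_tree
# Constructed fixture (not real customer data): two accounts, one with a
# freshly written PHP file and one whose only file dates from 2020.
# Prints the temporary base directory it created.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/alice/public_html/wp-content" "$base/bob/public_html"
    printf '<?php echo 1;' > "$base/alice/public_html/wp-content/new.php"
    printf 'old' > "$base/bob/public_html/index.html"
    touch -t 202001010000 "$base/bob/public_html/index.html"
    printf '%s\n' "$base"
}

# Entry points:
#   DEMO=1 sh recent-scan.sh            dry run against the constructed fixture
#   RUN_SCAN=1 sh recent-scan.sh /home 3   real scan, e.g. from custom.cron
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(demo_tree)
    DRY_RUN=1
    run_recent_scan "$tmp" 3
    rm -rf "$tmp"
elif [ "${RUN_SCAN:-0}" = 1 ]; then
    run_recent_scan "${1:-/home}" "${2:-3}"
fi
```

Two things to check in your own conf.maldet before wiring this into a hook, since otherwise the stock daily job and this script will both scan recent changes: recent 1.6 releases carry a toggle for the daily cron scan (cron_daily_scan, as I recall it; confirm the name in your copy) that can be redefined in /usr/local/maldetect/cron/conf.maldet.cron exactly as the README excerpt says, and the scan CPU/IO nice settings in the same file address the resource concern raised in the thread without needing monitor mode.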