Automating Maldet scan question

DennisMidjord

Well-Known Member
Sep 27, 2016
261
33
28
Denmark
cPanel Access Level
Root Administrator
We have some servers with around 250 accounts on them. Most accounts have multiple domains, so we've specified that maldet should background scan /home/.*/ each day. This takes a very long time, as you can probably imagine.

I'm not very skilled with maldet so I'm looking for some tips to do this scan better. Would it be better to scan only the new files? I've heard of maldet monitoring (or inotify), but how does this work?

Any tips about maldet is greatly appreciated!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Hi @DennisMidjord

I think what might be the easiest (and quickest) thing to do after your initial LMD (Maldet) scan would be to set it to scan recent paths rather than scan all paths:

Code:
- scan-recent option to scan only files that have been added/changed in X days
Inotify would provide real time scanning and could also be beneficial for your purposes. Their readme has a lot of good information: https://www.rfxn.com/appdocs/README.maldetect
 

DennisMidjord

Well-Known Member
Sep 27, 2016
261
33
28
Denmark
cPanel Access Level
Root Administrator
Hi @cPanelLauren!
Thanks for your answer. I've setup a cron job every three days that runs the command 'maldet -b --scan-recent /home/?/?/ 3'.

One thing I'm curious about: Is maldet running a daily scan unless run in monitor mode? How would I go about disabling this daily scan?

Also, do you know if maldet is compatible with CloudLinux' file changing API instead of inotify? I've read that inotify can be prette resource intensive, but I've never really messed with it.
As I understand, monitor mode would provide the best security but I don't want it to have a huge impact on resource usage.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Hi @DennisMidjord

Thanks for your answer. I've setup a cron job every three days that runs the command 'maldet -b --scan-recent /home/?/?/ 3'.
Let me know how the cron works out for you.

One thing I'm curious about: Is maldet running a daily scan unless run in monitor mode? How would I go about disabling this daily scan?
Based on the information in their readme:
Code:
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
Code:
.: 10 [ CRON DAILY ]

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used
to perform a daily update of signatures, keep the session, temp and quarantine
data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports a variety of control panel systems or standard Linux
/home*/user paths.

If you are running monitor mode, the daily scans will be skipped and instead a
daily report will be issued for all monitoring events.

If you need to scan additional paths, you should review the cronjob and use one
of the customization hook files, such as '/usr/local/maldetect/cron/custom.cron',
to write in custom scanning execution. For configuration based cron changes, you
can redefine any conf.maldet variables at '/etc/sysconfig/maldet' or
'/usr/local/maldetect/cron/conf.maldet.cron'.
I would assume that you could make a modification to this.

Also, do you know if maldet is compatible with CloudLinux' file changing API instead of inotify? I've read that inotify can be prette resource intensive, but I've never really messed with it.
As I understand, monitor mode would provide the best security but I don't want it to have a huge impact on resource usage.
I am not aware of the compatibility unfortunately. You might check with CloudLinux (CloudLinux - Main | New template) on that one since LMD doesn't actually have a forum or channel for support.