Run ConfigServer eXploit Scanner CXS inside CloudLinux LVE

[actihost]

Hello, I notice that with the default installation of ConfigServer eXploit Scanner CXS my server starts to running slow during the cron scans, I tried to add a lve_suwrapper in /etc/cron.d/cxs-cron but it seems that the scans are not working anymore:

@daily lve_suwrapper 101 root /usr/sbin/cxs --report /var/log/cxsreports/scandaily.log --quiet --nosummary --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmMCh$
@weekly lve_suwrapper 101 root /usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --quiet --nosummary --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM$

Maybe im doing something wrong? Thanks

 

[fuzzylogic]

Manual is here...
WHM » Home » Plugins » ConfigServer eXploit Scanner » Documentation

--options OLfmMCh$
The dollar sign ($) is not a valid option, delete it.
That is not making it slow.

Always make sure your commands run from the terminal as root before moving them to a cron job.
To see what's going on loose the --quiet and the --nosummary
To test in a reasonable amount of time limit the scan to one user; add --user username
so...

root@server [/]#/usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM --user username

If you see dollar signs ($) in the output, ..............f........$.........#..............$.........
It means that clamscan is not running or not found at the default locations.
If your quarantine directory is not found that will also be in the report.
In my tests this scan took 143 seconds to scan an account with a WordPress install with about 8000 files.

If the last command is working now try...

root@server [/]#/usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM --user username --ctime 25

Note the --ctime 25
In my tests this took 10 seconds
With the resources just gained you might want to try losing the --www so that the whole user account directory is scanned.
In my tests this took 20 seconds

In WHM » Home » Plugins » ConfigServer eXploit Scanner » Documentation
From the RECOMMENDATIONS section...
4. Create a daily and weekly cron job to scan all user accounts e.g. create /etc/cron.d/cxs-cron and add:

@daily root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRrP --ctime 25 --all

@weekly root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRrP --all

To speed up the @weekly you could add --ctime=169 so that only new files are scanned.

Using the --ctime option the matched file will only be reported the first time it is found.
It won't be scanned again unless it changes.

 

[actihost]

Hello! @fuzzylogic , thanks for your reply!

I see that adding "$" is wrong but the weird thing is that ConfigServer support team itself installed and configured all the thing as part as their ConfigServer Server Services.

The problem is that every week or two, at the same hour my server starts to run at high load and all the php process in the cpanel accounts like Wordpress installations starts to run at the same time, the only thing that I believe that maybe can trigger this is the weekly CXS scan misconfiguration. Also if that scans runs daily, would it be safe to avoid the weekly?

Thats why I want to put that processes in a CloudLinux LVE wrapper so I can get more control over it.

 

[cPanelLauren]

Thank you @fuzzylogic for the information on this.

@actihost I'd suggest contacting ConfigServer for further information on their plugin this isn't something that is provided or supported by cPanel.