How to install CXS on a cPanel server

ConfigServer eXploit Scanner (CXS) is a fantastic tool for malware detection and removal on a cPanel server. Its live scanning capability and large exploit database make it a must-have tool in the battle against malware. In this tutorial, I will show you how to install and configure CXS on cPanel servers.

Step 1

CXS is commercial software and worth it. The first step is to purchase a license on their website.

http://configserver.com/cp/cxs.html

Step 2

Once you have your license, log into your server as root and download the software.

wget https://download.configserver.com/cxsinstaller.tgz

Step 3

Extract the CXS installer archive.

tar -xzf cxsinstaller.tgz

Step 4

Run the CXS installer.

perl cxsinstaller.pl

Step 5

Create your quarantine directory.

cxs --qcreate --quarantine /etc/cxs/quarantine

Step 6

Edit the cxswatch.sh, cxsftp.sh and cxsdaily.sh files. Below are samples for each file. Adjust these to suit your own requirements. A full list of commands can be found here.

cxswatch.sh

#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
###############################################################################
# The option --Wstart MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --Wstart --allusers --mail root
#/usr/sbin/cxs --Wstart --allusers --www --mail root --quarantine /home/safe/ --qoptions Mv --Wadd /etc/cxs/cxs.wadd
#
# We would recommend using --qoptions Mv initially if you use --quarantine
# otherwise you might find cxs quarantining files that you do not want to.
# For example, you probably do NOT want to quarantine all script files (T)!
#

/usr/sbin/cxs --options -wW --Wstart --allusers --www --smtp --ignore /etc/cxs/cxs.ignore --qoptions Mv --quarantine /etc/cxs/quarantine --log /var/log/cxs.log --Wmaxchild 3 --Wloglevel 0 --Wsleep 3 --filemax 0 --Wrateignore 300

cxsftp.sh

#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
###############################################################################
# The option --ftp MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --ftp --mail root "$1"
#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ "$1"
#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ --block "$1"
#/usr/sbin/cxs --quiet --ftp --logfile /var/log/cxs.log "$1"
#
# If you use --logfile, remember to chmod 666 [file] to allow write access

/usr/sbin/cxs --quiet --ftp --quarantine /etc/cxs/quarantine --logfile /var/log/cxs.log --mail yourname@youremail.com "$1"

cxsdaily.sh

#!/bin/sh
###############################################################################
# Copyright 2009-2015, Way to the Web Limited
###############################################################################
# Run this script via cron daily

# Daily update of cxs and/or fingerprint definitions
/usr/sbin/cxs --upgrade --quiet

# Daily cleanup of quarantine if used. Modify to specify your quarantine
# directory and duplicate if you use more than one.
#
# Set --qclean to the number of days to retain, e.g. 7 = one week
/usr/sbin/cxs --qclean 7 --quarantine /etc/cxs/quarantine --quiet

Step 7

Ensure that ClamAV is installed.

/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav

Step 8

Create a log file.

touch /var/log/cxs.log
chmod 630 /var/log/cxs.log

Step 9

Enable the CallUploadScript option in pure-ftpd so that files uploaded via FTP are scanned in real time.

vi /etc/pure-ftpd.conf
In that file, find the line beginning #CallUploadScript and remove the leading # so that it reads CallUploadScript (uncomment it).
service pure-ftpd restart
service pure-uploadscript restart

Step 10

Enable the CXS ModSecurity rules.

/scripts/modsec_vendor add https://download.configserver.com/waf/meta_configserver.yaml
/scripts/modsec_vendor enable configserver
service httpd restart

Step 11

Create a symlink so that the daily update script runs from cron, ensuring that CXS is updated to the latest database on a daily basis.

ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/

Step 12

Create a new cron job for a daily scan. This will scan all files changed in the last configured number of days for viruses and fingerprint matches.

vi /etc/cron.d/daily-cxs

Example entry for the file to run a scan at 4am daily covering files changed in the past 48 hours, quarantine any viruses or fingerprint matches found, and mail you a report. The whole entry must be on a single line, as cron does not allow a command to wrap onto a second line.

0   4   *   *   *   root  /usr/sbin/cxs --logfile /var/log/cxs.log --mail yourname@youremail.com --exploitscan --virusscan --sversionscan --bayes -I /etc/cxs/cxs.ignore -Q /etc/cxs/quarantine --options mMOLfSGchexdnwZRD --voptions mfuhexT --qoptions Mv -Z --www --summary --html --ssl -C /var/clamd --nofallback -T 5 --ctime 48 --allusers --quiet
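Two of the manual steps above are easy to get wrong: uncommenting CallUploadScript in step 9 and keeping the cron entry in step 12 on one line. The following is an added example, not part of this article or of ConfigServer's own scripts: it performs the pure-ftpd.conf edit and checks both results, taking the file paths as parameters so the demo runs against constructed sample files in a temporary directory rather than touching /etc.

```shell
#!/bin/sh
# Added example, not ConfigServer code: helpers for steps 9 and 12 above.
# They take file paths as parameters, so the demo below runs on constructed
# samples in a temp directory rather than on the real server files.

# Uncomment "#CallUploadScript yes" in a pure-ftpd.conf (no-op if already enabled).
enable_upload_script() {
    sed -i 's/^#[[:space:]]*\(CallUploadScript[[:space:]][[:space:]]*yes\)/\1/' "$1"
}

# Return 0 when an uncommented "CallUploadScript yes" line is present.
upload_script_enabled() {
    grep -Eq '^CallUploadScript[[:space:]]+yes' "$1"
}

# Return 0 when every job line in a cron.d file has the five schedule fields,
# the user, and a command that starts with /usr/sbin/cxs. cron does not allow
# a command to wrap onto a second line, so a wrapped entry fails this check.
cron_entry_ok() {
    awk 'BEGIN { ok = 1 }
         /^[[:space:]]*(#|$|[A-Za-z_]+=)/ { next }   # comments, blanks, VAR= lines
         NF < 7 || $7 != "/usr/sbin/cxs" { ok = 0 }
         END { exit !ok }' "$1"
}

# Demo on constructed sample files (not real server configuration).
tmp=$(mktemp -d)
printf '# FTP upload hook\n#CallUploadScript yes\n' > "$tmp/pure-ftpd.conf"
enable_upload_script "$tmp/pure-ftpd.conf"
upload_script_enabled "$tmp/pure-ftpd.conf" && echo "CallUploadScript enabled"

printf '0 4 * * * root /usr/sbin/cxs --allusers --ctime 48 --quiet\n' > "$tmp/good"
printf '0 4 * * * root /usr/sbin/cxs --logfile /var/log/cxs.log\n --allusers --quiet\n' > "$tmp/bad"
cron_entry_ok "$tmp/good" && echo "good: single-line cron entry"
cron_entry_ok "$tmp/bad" || echo "bad: command wrapped onto a second line"
rm -rf "$tmp"
```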

Step 13

Start the cxswatch daemon and enable it so that it starts again when the server is rebooted.

service cxswatch start
chkconfig cxswatch on

The initial startup can be a little resource hungry, depending on the number of cPanel accounts on the server. Once all the accounts have been scanned, it uses almost no resources and works seamlessly in the background.

The cxswatch log file can be found under /var/log/cxswatch.log and the quarantine/activity log under /var/log/cxs.log.
