Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Critical Checks

Critical checks run every 10 minutes. Typical wall-clock cost on a busy shared host is a few seconds; the runner enforces the 10-minute cadence even when a tick takes longer.

Process & System

CheckDescription
fake_kernel_threadsNon-root processes masquerading as kernel threads (rootkit indicator)
suspicious_processesReverse shells, interactive shells, GSocket, suspicious executables
php_processesPHP process execution, working dirs, environment variables
shadow_changes/etc/shadow modification outside maintenance windows
uid0_accountsUnauthorized root (UID 0) accounts
kernel_modulesKernel module loading (post-baseline)
af_alg_socket_useAF_ALG socket use that may indicate Copy Fail exploit activity
af_alg_enforcementAF_ALG hardening policy drift and correction status

SSH & Access

CheckDescription
ssh_keysUnauthorized entries in /root/.ssh/authorized_keys
sshd_configSSH hardening (PermitRootLogin, PasswordAuthentication, etc.)
ssh_loginsSSH access anomalies with geolocation
api_tokenscPanel/WHM API token usage
whm_accessWHM/root login patterns, multi-IP access
cpanel_loginscPanel login anomalies, multi-IP correlation
cpanel_filemanagerFile Manager usage for unauthorized access

Network

CheckDescription
outbound_connectionsRoot-level outbound to non-infra IPs (C2, backdoor ports)
user_outboundPer-user outbound connections (non-standard ports)
bad_asn_outboundOutbound connection whose destination resolves (via GeoLite2-ASN) to a bad or unexpected autonomous system. Config detection.bad_asn_outbound: blocked_asns (always bad) and/or allowed_asns (allowlist mode – anything outside is bad). Classified for every process including root (the periodic connection scan); non-root connections are also flagged in real time by the live BPF tracker. Off by default; the third leg of the host_takeover incident chain
dns_connectionsDNS exfiltration and suspicious queries
firewallFirewall status and rule integrity

Brute Force & Auth

CheckDescription
wp_bruteforceWordPress login brute force (wp-login.php, xmlrpc.php)
http_ua_spoofIP claiming a search-engine bot UA (Googlebot, Bingbot, Applebot) that fails reverse-DNS verification, or exceeding the per-IP spoof threshold for scripting/headless/empty UAs when those opt-in flags are enabled
http_distributed_floodMany already-abusive HTTP source IPs hitting the same vhost in one scheduled scan window
ftp_loginsFTP access patterns and failed auth
webmail_loginsRoundcube/Horde access anomalies
api_auth_failuresAPI authentication failure patterns

Email

CheckDescription
mail_queueMail queue buildup (spam outbreak indicator)
mail_per_accountPer-account email volume spikes

Data & Integrity

CheckDescription
crontabsSuspicious cron jobs and scheduled commands
mysql_usersMySQL user accounts and privileges
database_dumpsDatabase exfiltration attempts
exfiltration_pasteConnections to pastebin/code-sharing sites

Threat Intelligence

CheckDescription
ip_reputationIPs against external threat databases and optional rspamd history
local_threat_scoreAggregated score from internal attack database
modsec_auditModSecurity audit log parsing

Performance

CheckDescription
perf_loadCPU load average thresholds
perf_php_processesPHP process count and memory
perf_memorySwap usage and OOM killer activity

Health

CheckDescription
healthDaemon health, binary integrity, required services

Platform Support

Runs on every supported platform unless noted below. The daemon auto-detects OS and panel at startup and silently skips cPanel-specific checks on plain Linux hosts (no “not found” spam).

cPanel-only (skipped on plain Ubuntu/AlmaLinux):

  • api_tokens, whm_access, cpanel_logins, cpanel_filemanager – read WHM API and cPanel session logs
  • wp_bruteforce – iterates /home/*/public_html/*/wp-login.php and per-domain access logs. The domlog pass ranks recent logs first and honors thresholds.domlog_max_files, thresholds.domlog_tail_lines, and thresholds.domlog_max_age_min.
  • webmail_logins – parses cPanel Roundcube/Horde logs
  • mail_queue, mail_per_account – read Exim queue and /var/log/exim_mainlog

Plain Linux equivalents that still provide coverage:

  • Access log brute-force detection (wp_login_bruteforce, xmlrpc_abuse) runs against the detected web server’s access log (/var/log/nginx/access.log or /var/log/httpd/access_log), so WordPress brute-force alerts still fire on non-cPanel hosts – they just rely on the live log watcher rather than per-domain domlog scanning.
  • modsec_audit runs on any host with ModSecurity installed.
  • ssh_logins, SSH brute force, PAM listener, firewall, kernel modules, RPM/DEB integrity, and threat intelligence all run on every supported platform.