README
¶
CSM (Continuous Security Monitor)
Real-time security daemon for cPanel and Linux web hosts. Detects, blocks, and cleans up shared-hosting attacks from one binary, in seconds. First class on cPanel/WHM. Runs cleanly on AlmaLinux, Rocky, RHEL, Ubuntu, and Debian with Apache or Nginx.
Documentation | Install | CLI | Web UI | CVE Mitigations
Quick start
# Debian / Ubuntu
curl -fsSL https://mirrors.pidginhost.com/csm/csm-signing.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/csm.gpg
echo "deb [signed-by=/etc/apt/keyrings/csm.gpg] https://mirrors.pidginhost.com/csm/deb stable main" | sudo tee /etc/apt/sources.list.d/csm.list
sudo apt update && sudo apt install csm
# AlmaLinux / Rocky / RHEL / CloudLinux / cPanel
sudo rpm --import https://mirrors.pidginhost.com/csm/csm-signing.gpg
sudo tee /etc/yum.repos.d/csm.repo >/dev/null <<'EOF'
[csm]
name=CSM
baseurl=https://mirrors.pidginhost.com/csm/rpm/el$releasever/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.pidginhost.com/csm/csm-signing.gpg
EOF
sudo dnf install csm
Then:
sudo vi /etc/csm/csm.yaml # set hostname, alert email, infra IPs
sudo csm validate
sudo systemctl enable --now csm.service
sudo csm baseline
csm baseline talks to the running daemon and records the current server state as known-good. Add --confirm if the command warns that existing history would be cleared.
Web UI at https://<server>:9443. Drop-in fragments under /etc/csm/conf.d/*.yaml are merged after the main config in lexicographic order. Scalars override; lists append. Use drop-ins for automation that should not touch the operator's config.
No repository setup: curl -sSL https://raw.githubusercontent.com/pidginhost/csm/main/scripts/install.sh | bash. Full install reference: Installation.
Why CSM
Shared-hosting incidents rarely stay small. One weak mailbox can become an Exim spam run, one stolen WordPress admin can become a siteurl hijack, and one brute-force campaign can spray a whole /24 before a periodic scanner gets another turn.
CSM is built for that operator reality. It watches mail logs, access logs, PAM, fanotify events, cPanel/WHM state, WordPress files and database content, ModSecurity, and nftables state. When it has a high-confidence signal, it can block, freeze mail, quarantine a file, clean common WordPress damage, or leave the decision visible in the Web UI and audit log.
The goal is to replace brittle glue: fail2ban snippets, LFD rules, hand-written Exim checks, one-off cleanup scripts, and dashboard scraping. CSM runs as one Go daemon with local state, signed package installs, Prometheus/syslog/webhook outputs, and no required SaaS dependency.
Auto-response starts in dry-run by default, so you can see exactly what CSM would block or clean before allowing it to touch nftables or files.
Good fit / not a good fit
| Good fit | Not a good fit |
|---|---|
| cPanel/WHM shared-hosting fleets | Desktop antivirus |
| WordPress-heavy web servers | Kubernetes runtime security |
| Exim/Dovecot mail stacks with abuse pressure | Full EDR or workstation management |
| Operators replacing LFD/fail2ban plus custom scripts | A substitute for patching vendor packages |
| Teams that want local state, package installs, and standard exports | A hosted SIEM or log-retention service |
What it solves
| You're dealing with... | CSM does... | Where |
|---|---|---|
| Mailbox takeover via SASL brute -> outbound spam | Tails maillog, blocks on the failure-then-success pattern, auto-freezes the Exim spool | Real-time |
| WordPress wp-login / xmlrpc flood | Real-time access-log monitor, blocks within seconds | Real-time |
| Compromised WP admin / siteurl injection | csm db-clean --revoke-user, --option, --delete-spam |
CLI |
| Webshells, obfuscated/eval-chain PHP, tail-appended payloads | fanotify watcher + 7 cleaning strategies; quarantine preserves owner/perms/mtime | Real-time, Auto-response |
PHP-relay form abuse (PHPMailer with spoofed From) |
Inotify watcher on /var/spool/exim/input, 4 detection paths, optional exim -Mf auto-freeze |
Real-time |
| Outbound abuse to GCP/AWS/Azure cloud relays | Realtime fanotify block + retro-scan on startup | Real-time |
| ModSecurity rule sprawl and triage | Web UI on/off + edit, WAF blocks feed attacker scoring | ModSecurity |
| Subnet-spread brute force | Per-/24 scoring + auto-block of the whole CIDR | Auto-response |
| Kernel-level CVEs you can't immediately patch | csm harden, continuous enforcement, live exploit-signature detection |
CVE Mitigations |
| A fleet of servers to monitor as one | Prometheus, JSONL audit log, RFC 5424 syslog, SIEM backfill, panel-side webhooks | Audit log, Metrics |
Headline features
- Broad host coverage: critical and deep checks plus real-time fanotify, inotify, PAM, and access-log watchers.
- Sub-1-second response on syscall events. ~45 MB resident idle. Single static Go binary.
- One web UI at
:9443with admin and read-scope tokens, SSE event stream, Prometheus metrics, and REST API. - nftables firewall with TTLs, subnet escalation, country blocking (MaxMind), commit-confirmed safety.
- Pluggable threat intel: local attack DB + AbuseIPDB + Rspamd + optional shared upstream cache.
- Hot-reload safe config +
/etc/csm/conf.d/*.yamldrop-ins for automation. - bbolt-backed state with TTL retention,
csm backup/csm restore, and SIEM backfill viacsm export --since. - Signed
.deband.rpmpackages, reproducible builds, OpenSSF Scorecard.
Safety defaults
- Auto-response IP blocks start in dry-run unless
auto_response.dry_run: falseis explicit. - Infrastructure IPs are protected from auto-block.
- Root processes and system daemons are not killed by auto-response.
- Quarantine keeps ownership, permissions, and mtime so restores are clean.
Platforms
| Platform | Support |
|---|---|
| cPanel/WHM on AlmaLinux, CloudLinux, Rocky | First class. Full cPanel account, WordPress, Exim, WHM plugin, and firewall coverage. |
| AlmaLinux, Rocky, RHEL 8+ on Apache or Nginx | Supported. Generic checks run, cPanel-specific ones skip cleanly. |
| Ubuntu 20.04+, Debian 11+ on Apache or Nginx | Supported. Same coverage with debsums-based integrity. |
x86_64 and ARM64. cPanel itself is x86_64 only. Per-check coverage is in detection-critical.md and detection-deep.md.
Performance
| Workload | Speed | Memory |
|---|---|---|
| Real-time fanotify event | under 1 s | ~5 MB |
| 36 critical checks | under 1 s | ~35 MB peak |
| 33 deep checks | ~40 s | ~100 MB peak |
| Daemon idle | n/a | 45 MB resident |
Optional add-ons: YARA-X (-tags yara), email AV tooling, MaxMind GeoIP data.
CLI
csm daemon run the daemon
csm check one-shot scan, no auto-response
csm status [--json] current state and findings
csm doctor [--json] config + daemon + watchers + store sanity check
csm baseline mark current state as known-good via the daemon
csm scan <user> scan a single cPanel account
csm firewall ... IP/subnet bans, port allows, GeoIP
csm clean <path> clean an infected PHP file
csm db-clean ... remove WordPress DB injections
csm harden ... operator-driven hardening (see csm harden --help)
csm phprelay status PHP-relay detector state (cPanel only)
csm backup <path> tar.gz of csm.yaml + conf.d + state
csm restore <archive> extract a backup archive
csm store compact reclaim bbolt free pages
csm store export <path> backup daemon state to tar.zst
csm export --since <when> SIEM backfill in JSONL
csm config schema --json JSON Schema reflected from the Config struct
csm validate dry-run config
Full reference: CLI docs.
Hardening / CVE mitigations
Operator-driven via csm harden, then continuously enforced by the daemon. Live audit/BPF listeners flag exploit signatures even on hosts that can't be kernel-patched. Current list and operator commands: CVE Mitigations.
Development
go build ./... # standard build, YARA stubs
go build -tags yara ./cmd/csm/ # with YARA-X
go test ./... -count=1 -race # tests
go test -run=Fuzz ./... # fuzz seed corpus
make lint # lint entrypoint
make ci # full local CI entrypoint
govulncheck ./...
Public releases land on GitHub. Internal builds and packaging go through the GitLab pipeline.
Documentation
- Installation, Configuration, Upgrading, CLI, Web UI
- Real-time detection, Critical checks, Deep checks
- Auto-response, CVE Mitigations, Challenge pages
- ModSecurity, Firewall, Email AV, Threat intel
- API, Metrics, Audit log
License
CSM is licensed under AGPL-3.0-or-later. Running unmodified CSM to protect your own hosting servers -- including commercially -- has no source-disclosure obligation. Distributing CSM (binaries or source) or running a modified version that users interact with over a network triggers the AGPL's source-availability requirements.
Releases up to and including v2.x remain under the MIT License; v3.0.0 onward is AGPL-3.0-or-later.
See LICENSE, CONTRIBUTING, SECURITY, CHANGELOG.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
csm
command
|
|
|
internal
|
|
|
bpf
Package bpf provides the shared scaffolding that BPF-backed live monitors across the daemon use: a common Backend interface, backend-kind constants for operator config, sentinel errors that distinguish "not built" from "kernel unsupported", and a per-feature backend metric.
|
Package bpf provides the shared scaffolding that BPF-backed live monitors across the daemon use: a common Backend interface, backend-kind constants for operator config, sentinel errors that distinguish "not built" from "kernel unsupported", and a per-feature backend metric. |
|
broadcast
Package broadcast provides a one-to-many publish bus for alert.Finding events.
|
Package broadcast provides a one-to-many publish bus for alert.Finding events. |
|
control
Package control defines the wire protocol between the CSM daemon and its local command-line client.
|
Package control defines the wire protocol between the CSM daemon and its local command-line client. |
|
daemon/af_alg_bpfprog
Package af_alg_bpfprog hosts the BPF C source for the AF_ALG (CVE-2026-31431 "Copy Fail") kernel-side deny program and the generated Go bindings produced by bpf2go.
|
Package af_alg_bpfprog hosts the BPF C source for the AF_ALG (CVE-2026-31431 "Copy Fail") kernel-side deny program and the generated Go bindings produced by bpf2go. |
|
daemon/connection_bpfprog
Package connection_bpfprog hosts the BPF C source for the cgroup/connect outbound-connection tracker and the generated Go bindings produced by bpf2go.
|
Package connection_bpfprog hosts the BPF C source for the cgroup/connect outbound-connection tracker and the generated Go bindings produced by bpf2go. |
|
daemon/exec_bpfprog
Package exec_bpfprog hosts the BPF C source for the sched/sched_process_exec tracepoint live monitor and the generated Go bindings produced by bpf2go.
|
Package exec_bpfprog hosts the BPF C source for the sched/sched_process_exec tracepoint live monitor and the generated Go bindings produced by bpf2go. |
|
daemon/sensitive_file_bpfprog
Package sensitive_file_bpfprog hosts the BPF C source for the lsm/file_permission live monitor and the generated Go bindings produced by bpf2go.
|
Package sensitive_file_bpfprog hosts the BPF C source for the lsm/file_permission live monitor and the generated Go bindings produced by bpf2go. |
|
firewall/rollback
Package rollback implements the firewall settings tentative-apply workflow: a save with a deadline that auto-reverts unless the operator confirms before the timer expires.
|
Package rollback implements the firewall settings tentative-apply workflow: a save with a deadline that auto-reverts unless the operator confirms before the timer expires. |
|
geoip
Package geoip provides IP geolocation via MaxMind GeoLite2 databases and on-demand RDAP lookups for detailed ISP/org information.
|
Package geoip provides IP geolocation via MaxMind GeoLite2 databases and on-demand RDAP lookups for detailed ISP/org information. |
|
incident
Package incident groups related security findings into a single "story" with a timeline.
|
Package incident groups related security findings into a single "story" with a timeline. |
|
log
Package log provides a structured-logging wrapper around log/slog.
|
Package log provides a structured-logging wrapper around log/slog. |
|
maillog
Package maillog reads postfix/dovecot log lines from either a tailed file or systemd-journald, normalizing them into a single Line type so the daemon's mail-brute and PHP-relay parsers don't have to care which source supplied the line.
|
Package maillog reads postfix/dovecot log lines from either a tailed file or systemd-journald, normalizing them into a single Line type so the daemon's mail-brute and PHP-relay parsers don't have to care which source supplied the line. |
|
metrics
Package metrics is CSM's local OpenMetrics implementation.
|
Package metrics is CSM's local OpenMetrics implementation. |
|
obs
Package obs centralises crash reporting and selective error capture via Sentry.
|
Package obs centralises crash reporting and selective error capture via Sentry. |
|
platform
Package platform detects the host OS, control panel, and web server so CSM checks can pick the right config/log paths instead of hardcoding cPanel+Apache layouts.
|
Package platform detects the host OS, control panel, and web server so CSM checks can pick the right config/log paths instead of hardcoding cPanel+Apache layouts. |
|
processctx
Package processctx maintains process context (PID/PPID/UID/account/exe/cmdline) for use enriching real-time security findings.
|
Package processctx maintains process context (PID/PPID/UID/account/exe/cmdline) for use enriching real-time security findings. |
|
sdnotify
Package sdnotify is a thin wrapper around go-systemd's daemon notification helpers.
|
Package sdnotify is a thin wrapper around go-systemd's daemon notification helpers. |
|
threatintel
Package threatintel defines a pluggable interface for IP reputation providers and an Aggregator that combines their scores.
|
Package threatintel defines a pluggable interface for IP reputation providers and an Aggregator that combines their scores. |
|
updatecheck
Package updatecheck polls upstream release channels and tells the daemon whether a newer CSM version is available so the Web UI can surface a banner.
|
Package updatecheck polls upstream release channels and tells the daemon whether a newer CSM version is available so the Web UI can surface a banner. |
|
verdict
Package verdict implements an HMAC-signed HTTP client for the auto_response.verdict_callback hook.
|
Package verdict implements an HMAC-signed HTTP client for the auto_response.verdict_callback hook. |
|
yaraipc
Package yaraipc defines the wire protocol spoken between the CSM daemon and the supervised `csm yara-worker` child process.
|
Package yaraipc defines the wire protocol spoken between the CSM daemon and the supervised `csm yara-worker` child process. |
|
yaraworker
Package yaraworker implements the `csm yara-worker` subcommand: a child process that exists only to host the YARA-X cgo surface and reply to scan requests over a Unix socket.
|
Package yaraworker implements the `csm yara-worker` subcommand: a child process that exists only to host the YARA-X cgo surface and reply to scan requests over a Unix socket. |
Click to show internal directories.
Click to hide internal directories.