Installation guide

Installing the Astrari agent

The agent installs in under 60 seconds with a single command. The first full scan then takes 15–30 minutes while Trivy syncs its CVE database — every scan after is fast. Here's exactly what happens and how to verify it's running.

Requirements

OS: Linux x86_64 or arm64
Init system: systemd (required)
Tools: curl (for the install command)
Access: Root or sudo access for install only
Network: Outbound HTTPS to astrari.io
Disk: ~50 MB (agent + scan tool databases)
Distros: Debian, Ubuntu, RHEL, CentOS, Rocky, AlmaLinux, Fedora
Panels: Plesk, cPanel, and WHM are fully supported

1. Register the server in your dashboard

Sign in to your dashboard and go to Servers. Click + Add server, give it a label (e.g. "web-server-01"), and click Add server.

An agent token and a ready-to-run install command will appear immediately. Copy the token — it is shown only once. The install command includes it automatically.

2. Run the install command on your server

SSH into your server as root (or a user with sudo). Paste the complete command from the dashboard (it includes your agent token):

Run as root on your server

curl -fsSL https://astrari.io/install.sh | bash -s -- https://api.astrari.io YOUR_AGENT_TOKEN

The installer detects your architecture (x86_64 or arm64), downloads the correct agent binary, writes the config to /etc/astrari/agent.conf, creates systemd units, and installs the security scanning tools. The first Trivy CVE database download may take 10–30 minutes depending on your connection speed.

Before any packages are installed, the script shows you the plan and asks for confirmation.

Installing ClamAV and rkhunter via your system package manager (dnf / apt) can transitively upgrade existing packages — most commonly the rest of the ClamAV stack and OpenSSL on RHEL-family servers. The installer prints exactly what would be installed and upgraded and prompts you to choose:

  • y — install everything shown (recommended)
  • s — skip OS scanners (install agent only, no package upgrades)
  • n — abort, install nothing

For unattended installs, append --yes to confirm automatically, or --no-tools to install the agent without OS scanners.

Unattended install (skips the prompt)

curl -fsSL https://astrari.io/install.sh | bash -s -- https://api.astrari.io YOUR_AGENT_TOKEN --yes

Agent only — no OS scanner installation

curl -fsSL https://astrari.io/install.sh | bash -s -- https://api.astrari.io YOUR_AGENT_TOKEN --no-tools --yes

3. What gets installed

The installer sets up the following on your server:

astrari-agent: The main agent binary (~5 MB, statically compiled Go — no runtime dependencies).
agent.conf: Config file containing your API URL and agent token. Mode 600 (readable by root only).
astrari-agent.service: systemd oneshot service. Runs the agent, then exits. Restarted by the timer.
astrari-agent.timer: systemd timer. Fires every 30 seconds with up to 20 s randomised jitter.
Trivy: CVE vulnerability scanner. Scans all installed OS packages against NVD/OSV.
ClamAV: Malware and virus scanner. Installed by the system package manager if not already present (you'll see and approve any package changes during install).
rkhunter: Rootkit hunter. Checks for hidden processes, suspicious binaries, and backdoors.
MalDet: Web malware detector. Scans /var/www and public_html directories for PHP shells and skimmers.

4. Verify the agent is running

Check that the timer is active and the agent has checked in:

Check timer status

systemctl status astrari-agent.timer

View live agent logs

journalctl -u astrari-agent -f

Check agent version

astrari-agent --version

The agent fires every 30 seconds for fast heartbeats and queued action delivery. The first full scan starts automatically and may take up to 30 minutes on a fresh install while Trivy downloads its CVE database — your server will appear as active in the dashboard with a security score once it completes.
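
A post-install audit to run alongside the commands above, added here as an example and not part of the Astrari installer or its documentation. It checks that agent.conf (and vault.env, if Vault is enabled later) is a root-owned regular file with no group/other access, and that the unit files and agent binary root executes every 30 seconds are writable only by root. The function names are this example's own; treating vault.env as a secret and finding the binary through PATH are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Astrari code. Paths and unit names are the guide's.
CONF=/etc/astrari/agent.conf          # agent token; the guide says mode 600
VAULT_ENV=/var/lib/astrari/vault.env  # only with Vault; assumed to hold secrets

# secret_file_ok FILE [UID]: FILE must be a regular file (not a symlink), owned
# by UID (default 0) and carry no permission bits for group or other.
secret_file_ok() {
  local f=$1 want=${2:-0} mode
  { [ ! -L "$f" ] && [ -f "$f" ]; } || { echo "FAIL $f: missing or not a regular file"; return 1; }
  [ "$(stat -c %u "$f")" = "$want" ] || { echo "FAIL $f: not owned by uid $want"; return 1; }
  mode=$(stat -c %a "$f")
  case $mode in
    *00|0) echo "ok   $f (mode $mode)" ;;
    *)     echo "FAIL $f: mode $mode grants access beyond the owner"; return 1 ;;
  esac
}

# root_only_writable FILE [UID]: FILE (symlinks followed) must be owned by UID
# and not writable by group or other. Applies to anything root executes.
root_only_writable() {
  local f=$1 want=${2:-0} mode
  [ -e "$f" ] || { echo "FAIL ${f:-<empty path>}: not found"; return 1; }
  [ "$(stat -L -c %u "$f")" = "$want" ] || { echo "FAIL $f: not owned by uid $want"; return 1; }
  mode=00$(stat -L -c %a "$f")   # pad so the last two digits are group, other
  case $mode in
    *[2367]?|*[2367]) echo "FAIL $f: writable by group or other"; return 1 ;;
    *) echo "ok   $f" ;;
  esac
}

# unit_prop UNIT PROP: print one systemd property value.
unit_prop() { systemctl show -p "$2" "$1" 2>/dev/null | cut -d= -f2-; }

audit_host() {
  local rc=0 u
  secret_file_ok "$CONF" || rc=1
  if [ -e "$VAULT_ENV" ]; then secret_file_ok "$VAULT_ENV" || rc=1; fi
  systemctl is-active --quiet astrari-agent.timer || { echo "FAIL timer is not active"; rc=1; }
  [ "$(unit_prop astrari-agent.service Type)" = oneshot ] || { echo "FAIL service is not oneshot"; rc=1; }
  for u in astrari-agent.service astrari-agent.timer; do
    root_only_writable "$(unit_prop "$u" FragmentPath)" || rc=1
  done
  root_only_writable "$(command -v astrari-agent)" || rc=1
  return $rc
}

# Runs only on request: sudo bash audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Save it as audit.sh (a name chosen for this example) and run it as root with --audit; a non-zero exit status means at least one check failed.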

5. Link a site to this server (optional)

If you host WordPress sites on this server, link them to enable agent-assisted features: WordPress plugin updates via wp-cli, WordPress database scans for injected malware, and .htaccess auto-fixes.

Go to the site's detail page in the dashboard and open the Hosting server card. Select this server from the dropdown. Once linked, the agent will discover all WordPress installations on the server at the next check-in. Non-WordPress sites also benefit from linking — the agent can apply server-side fixes like nginx header directives when supported.

6. Optional: enable Astrari Vault (backups)

Vault is the optional backup add-on. The agent runs restic on this server, encrypts each snapshot client-side, and pushes it to a Backblaze B2 bucket Astrari provisions for you. Append-only by design — even if the server is compromised, the agent's key cannot delete prior snapshots.

Vault is opt-in per server and adds no overhead to servers that don't use it. Pricing is usage-based: £0.05 per GB stored per month, no per-server fee, with 10 GB/month of restore egress included.

  1. On the server's detail page, scroll to the Vault panel and click Install restic. The agent installs the restic binary on its next 30-second check-in (no other system packages are touched).
  2. Once restic is installed, click Enable backups. Choose paths, retention preset, region, and daily backup time. Astrari creates the bucket, provisions an append-only B2 key, and writes /var/lib/astrari/vault.env on the host.
  3. Save the recovery passphrase shown once at setup. Astrari keeps an encrypted escrow copy for assisted recovery, but only restic with your passphrase can decrypt the snapshots.
  4. To back up databases too, open Edit configuration on the configured target and tick the databases you want under Databases. The agent auto-discovers MySQL/MariaDB and PostgreSQL on each fire — including per-account databases on cPanel/Plesk hosts — but selection is opt-in (no databases are backed up unless you tick them).

See the Vault FAQ for retention details, database backup behaviour, restore flow, and the security model.

Uninstalling

To remove the agent completely, run the uninstall script as root. This stops the timer, removes the binary, config file, and state data.

Run as root

curl -fsSL https://astrari.io/uninstall.sh | bash

Security tools (Trivy, rkhunter, MalDet, and ClamAV if present) are not removed automatically — they may be used by other software on the server. To remove them manually:

Optional: remove scan tools

# Debian / Ubuntu
apt-get remove rkhunter clamav
dpkg -r trivy
maldet --uninstall

# RHEL / Fedora / Rocky
dnf remove rkhunter
rpm -e trivy
maldet --uninstall

Control panel compatibility

Astrari works on servers managed by Plesk, cPanel, and WHM. These panels use Apache as the web server, which means .htaccess-based WordPress auto-fixes work correctly on those servers.

MalDet automatically scans cPanel account directories (/home/*/public_html) and Plesk vhost directories for PHP shells and web malware.

Server performance impact

All scan tools run under nice -n 19 ionice -c 3. This gives them the absolute lowest scheduling priority — they only get CPU and disk access when the server is otherwise idle. In practice, scans are invisible to live workloads.

The agent binary itself consumes no resources between timer fires — it exits after each run. The systemd timer wakes it every 30 seconds, it reports a heartbeat, processes any queued actions, runs scans only when due (every 6h for full, weekly for ClamAV/MalDet/rkhunter), then exits again.