CSF/LFD Alerts

CSF / LFD Alert Notifications

 


Many Linux/cPanel server owners now use ConfigServer Firewall (CSF). It is widely used because of the utility and simplicity it offers, and because it provides an interface for control panels such as cPanel and DirectAdmin.

One drawback is the alerts it generates. Most of the time these may be false positives, or customers may not know why an alert was raised or what needs to be done about it. So I will be writing about these alerts in a series of blog posts.

If you ever need help with any of these alerts, you can always contact us about our server management services, such as the ones below:

cPanel Server Management
Plesk Server Management
Per Hour Support 

  1. Excessive resource usage alert

One of the most common alerts is the excessive resource usage alert. LFD has a feature that keeps an eye on the processes running on the server, and if it finds a process that is using more resources than the configured limit, it sends an alert similar to the one below:

From: root
To: root
Subject: lfd on [hostname]: Excessive resource usage: [user] ([pid])

Time:         [time]
Account:      [user]
Resource:     [resource]
Exceeded:     [level]
Executable:   [exe]
Command Line: [cmd]
PID:          [pid]
Killed:       [kill]

The main purpose of this is to alert the server owner to processes that are using the most resources or that have been running for a long time.

One such alert is raised when the memory limit is exceeded:

Time: Mon Feb 14 09:41:10 2023 +0530
Account: username
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/username/public_html/index.php
PID: 25953 (Parent PID:26974)
Killed: No

Here, 200 MB is the limit set in csf.conf, and the process exceeded that limit, reaching 205 MB.

The next example is the alert raised when a process has been running for longer than the limit set in csf.conf:

Time: Mon Feb 15 06:41:10 2023 +0560
Account: username
Resource: Virtual Memory Size
Exceeded: 335389 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/username/public_html/index.php
PID: 285429 (Parent PID:264561)
Killed: No

Important: since alerts of this kind may arrive in large numbers, there is a natural tendency to ignore or disable them, and I never suggest doing so. In most cases, after some initial tweaking and adding the definitely genuine processes to the process ignore file (csf.pignore), future alerts will be worth checking. So never ignore such alerts. Instead, check each one and then decide what to do, such as adding it to the ignore file or increasing the limits.

Understanding and Tweaking Such alerts

PT_USERMEM and PT_USERTIME are the values in csf.conf that control the above alerts.

Entries related to process tracking in csf.conf:

# User Process Tracking. This option enables the tracking of the number of
# process any given account is running at one time. If the number of processes
# exceeds the value of the following setting an email alert is sent with
# details of those processes. If you specify a user in csf.pignore it will be
# ignored
#
# Set to 0 to disable this feature
PT_USERPROC = "10"
# This User Process Tracking option sends an alert if any user process exceeds
# the virtual memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "0"
# This User Process Tracking option sends an alert if any user process exceeds
# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
# processes or users use csf.pignore
#
# Set to 0 to disable this feature
PT_USERRSS = "0"
# This User Process Tracking option sends an alert if any cPanel user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set to 0 to disable this feature
PT_USERTIME = "0"

A value of zero disables that feature. The best approach is to enable the feature and then add only the processes that need to be ignored to csf.pignore.

Entries can be added to the csf.pignore file in three forms:

1. Ignore a user completely using the user:username option
2. Ignore an executable, for example exe:/usr/sbin/php-fpm
3. Ignore a command by adding cmd:/usr/bin/php /home/username/public_html/index.php

After adding the entries, restart the services:

# service csf restart && service lfd restart
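
To review a batch of these alerts before deciding what belongs in csf.pignore, the following added example (not part of CSF or of the original post) parses alert bodies in the format shown above and groups them by account, executable and unit. The function names and the sample alerts are constructed for illustration, and the narrowest-first ordering of candidate entries is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample: three alert bodies, trimmed to the fields used below.
BODY = ("Account: username\nExceeded: {}\nExecutable: /usr/bin/php\n"
        "Command Line: /usr/bin/php /home/username/public_html/index.php\n")
SAMPLE = "\n".join(BODY.format(e) for e in
                   ("205 > 200 (MB)", "231 > 200 (MB)", "335389 > 1800 (seconds)"))
REQUIRED = {"Account", "Executable", "Command Line"}

def parse_alerts(text):
    """Return one dict per alert body; bodies are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        # "Exceeded: 205 > 200 (MB)" -> value 205, limit 200, unit "MB"
        parts = fields.get("Exceeded", "").replace("(", "").replace(")", "").split()
        if (len(parts) == 4 and parts[0].isdigit() and parts[2].isdigit()
                and REQUIRED <= fields.keys()):
            fields.update(value=int(parts[0]), limit=int(parts[2]), unit=parts[3])
            alerts.append(fields)
    return alerts

def summarise(alerts):
    """Group by (account, executable, unit): alert count and worst value seen."""
    groups = defaultdict(lambda: {"count": 0, "worst": 0, "limit": 0})
    for a in alerts:
        g = groups[(a["Account"], a["Executable"], a["unit"])]
        g["count"] += 1
        g["worst"] = max(g["worst"], a["value"])
        g["limit"] = a["limit"]
    return dict(groups)

def pignore_candidates(alert):
    """The three csf.pignore forms, narrowest first (ordering is this example's choice)."""
    return ["cmd:" + alert["Command Line"], "exe:" + alert["Executable"],
            "user:" + alert["Account"]]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    for key, stats in summarise(alerts).items():
        print(key, stats)
    print("\n".join(pignore_candidates(alerts[0])))
```

Grouping on the unit taken from the Exceeded line keeps memory and run-time alerts for the same executable apart, so each can be compared against its own limit.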
