ConfigServer Community Forum

Posted: **15 Jan 2014, 22:37**

I have this already for a longer time but nobody responded to my other thread (november last year).

It seems csf.pignore is not ignoring certain shoutcast processes. I get this email:

Time: Wed Jan 15 20:32:31 2014 +0100
Account: admin
Resource: Process Time
Exceeded: 10888 > 1800 (seconds)
Executable: /home/admin/domains/mydomain.com/public_html/mediacp/files/shoutcast198/linux/sc_serv
Command Line: /home/admin/domains/mydomain.com/public_html/mediacp/files/shoutcast198/linux/sc_serv /home/admin/domains/mydomain.com/public_html/mediacp/content/user_2/shoutcast198/8060_1/etc/service.conf
PID: 3005 (Parent PID:3005)
Killed: No

And I used this line in my csf.pignore, which should be correct because that is the executable mentioned in this mail:

Code: Select all

exe:/home/admin/domains/mydomain.com/public_html/mediacp/files/shoutcast198/linux/sc_serv

I already restarted everything, but still these emails arrive.
Same problem I had with the old castcontrol server. Why does csf.pignore does not ignore this executable?

Linux server15.mydomain.com 2.6.32-431.3.1.el6.x86_64 (Centos 6 x64.)
PHP 5.3.28 (cli) (built: Dec 14 2013 01:26:41)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend Technologies
with the ionCube PHP Loader v4.4.0, Copyright (c) 2002-2013, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies
Newest version of csf/lfd.

Posted: **16 Jan 2014, 09:12**

If the other entries in /etc/csf/csf.pignore are being ignored, then I've no idea why it's not working for you. You should:

Check that you are definitely editing /etc/csf/csf.pignore
Restart lfd after making any changes
Ensure that the file /etc/csf/csf.pignore only contains linux linefeeds and not MS or MAC linefeeds
Try using other methods to ignore the process, i.e. a regex using pexe: and pcmd:

Posted: **16 Jan 2014, 14:11**

Thank you for your reply.

I don't understand either. It's only happening when there are long lines like these shoutcast/castcontrol lines.
There can not be any other linefeeds then linux, because I'm editting csf.pignore (yes ofcourse I'm sure I'm editting that one) with either nano or vim in SSH console as root.
I always start csf and lfd after making such changes.

Could you give me an example with the lines I put in using regex, pexe or pcmd? I'm not quite good at regex things.

There are always 2 emails I get. One of the I already posted, this is the second one:

Executable:

/home/admin/domains/mydomain/public_html/mediacp/files/shoutcast198/linux/sc_serv

Command Line (often faked in exploits):

/home/admin/domains/mydomain.com/public_html/mediacp/files/shoutcast198/linux/sc_serv /home/admin/domains/mydomain.com/public_html/mediacp/content/user_2/shoutcast198/8060_1/etc/service.conf

Posted: **16 Jan 2014, 15:24**

You could try:

Code: Select all

pexe:.*/sc_serv

Posted: **16 Jan 2014, 15:56**

Thank you very much, going to try that!

Posted: **19 Nov 2020, 15:30**

Got the same problem with my csf.pignore file. After a lot of research I found out that there are many possible reasons behind the problem. I tried to collect a lot of them in this blog article:
https://return2.net/csf-lfd-firewall-cs ... t-working/

Hope that helps someone else.

ConfigServer Community Forum

CSF.Pignore not ignoring process

CSF.Pignore not ignoring process

Re: CSF.Pignore not ignoring process

Re: CSF.Pignore not ignoring process

Re: CSF.Pignore not ignoring process

Re: CSF.Pignore not ignoring process

Re: CSF.Pignore not ignoring process