csf.pignore just not working!

eldergeek
Junior Member
Posts: 27
Joined: 18 Mar 2010, 07:25


Post by eldergeek »

These are our settings on a number of mixed CentOS installations (CentOS 6 and 7) running the latest CloudLinux kernels. We have dozens of servers for which csf.pignore is just not working.

csf:v8.22

PT_LIMIT = "600"
PT_INTERVAL = "60"
PT_SKIP_HTTP = "0"
PT_ALL_USERS = "1"
PT_DELETED = "0"
PT_DELETED_ACTION = ""
PT_USERPROC = "50"
PT_USERMEM = "0"
PT_USERTIME = "3600"
PT_USERKILL = "0"
PT_USERKILL_ALERT = "0"
PT_USER_ACTION = ""
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "15"
PT_LOAD_SKIP = "3600"
PT_APACHESTATUS = "http://127.0.0.1/whm-server-status"
PT_LOAD_ACTION = ""
PT_FORKBOMB = "0"
PT_SSHDHUNG = "0"

Here are a couple of examples of the kinds of alerts we are receiving, but shouldn't:

e.g.

Time: Thu Apr 28 06:03:04 2016 +0100
Account: mailman
Resource: Process Time
Exceeded: 175985 > 3600 (seconds)
Executable: /usr/bin/python
Command Line: /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
PID: 719206 (Parent PID:719206)
Killed: No

Files: [files]

# cat /proc/719206/cmdline
/usr/local/cpanel/3rdparty/bin/python/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl-sstart

in csf.pignore
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman

Another e.g., just to see if we could block an alert we actually wanted to see - but again, the pignore file is... well... ignored!

Time: Thu Apr 28 06:03:18 2016 +0100
Account: redacted
Resource: Process Time
Exceeded: 11562 > 600 (seconds)
Executable: /opt/alt/php53/usr/bin/lsphp
Command Line: lsphp
PID: 563358 (Parent PID:563358)
Killed: No

Files: [files]

# cat /proc/563358/cmdline
lsphp

# ls -la /proc/563358/exe
lrwxrwxrwx 1 redacted redacted 0 Apr 28 02:51 /proc/563358/exe -> /opt/alt/php53/usr/bin/lsphp*

in csf.pignore

pexe:/opt/alt/php[0-9][0-9]/usr/bin/lsphp.*
exe:/opt/alt/php52/usr/bin/lsphp
exe:/opt/alt/php53/usr/bin/lsphp
exe:/opt/alt/php54/usr/bin/lsphp
exe:/opt/alt/php55/usr/bin/lsphp
exe:/opt/alt/php70/usr/bin/lsphp
cmd:lsphp

None of the above will stop the alerts!

We have carefully checked the regexes in csf.pignore and they are all valid PCRE regexes - happy to send them along if you want to have a look.

As a host we would prefer this was working properly, and would be happy to pay for the product.
eldergeek

Re: csf.pignore just not working!

Post by eldergeek »

Ahem... <cough> Restarting the LFD service fixed things ;-)
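
Added example, not part of the original posts: a check for the situation this thread ended on, an ignore file edited after the daemon that reads it was started. It assumes, as the fix above suggests, that lfd only loads csf.pignore when it starts; the function names and the paths in the usage comment are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: detect an ignore file that was edited after the daemon started.
# Linux only: relies on /proc and GNU stat.

# Print the epoch second at which process $1 started.
proc_start_epoch() {
    line=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    rest=${line##*") "}    # drop "pid (comm) "; comm itself may contain spaces
    set -- $rest           # $1 is now field 3 (state), so field 22 (starttime) is ${20}
    ticks=${20}
    btime=$(awk '$1 == "btime" { print $2 }' /proc/stat)   # boot time, epoch seconds
    hz=$(getconf CLK_TCK)                                  # clock ticks per second
    [ -n "$ticks" ] && [ -n "$btime" ] && [ -n "$hz" ] || return 1
    echo $(( btime + ticks / hz ))
}

# Exit status: 0 = file changed after the process started (restart needed),
#              1 = process started after the last edit, 2 = could not tell.
ignore_file_is_stale() {
    mtime=$(stat -c %Y "$1" 2>/dev/null) || return 2
    started=$(proc_start_epoch "$2") || return 2
    [ "$mtime" -gt "$started" ]
}

# Usage (paths are assumed defaults, not taken from the thread):
#   ignore_file_is_stale /etc/csf/csf.pignore "$(cat /var/run/lfd.pid)" \
#       && echo "csf.pignore changed since lfd started: restart lfd"
```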