csf.pignore for php running under cagefs

Post Reply
Mockdot
Junior Member
Posts: 1
Joined: 24 Jan 2014, 02:23

csf.pignore for php running under cagefs

Post by Mockdot »

Hi there,

I have tried using different paths and regular expressions pointing to the executable that is causing me constant excessive resource emails but I can't seem to find the right one. I am currently getting that the executable is the following:

Code: Select all

Executable:   /opt/cpanel/ea-php56/root/usr/bin/lsphp.cagefs
I tried doing

pexe:/opt/cpanel/ea-*/root/usr/bin/lsphp
pexe:/opt/cpanel/ea-*/root/usr/bin/lsphp.cagefs
exe:/opt/cpanel/ea-php56/root/usr/bin/lsphp
exe:/opt/cpanel/ea-php56/root/usr/bin/lsphp.cagefs

And a few others and yet I keep getting that those files are doing excessive usage.

Any ideas? Thanks!

Havri
Junior Member
Posts: 5
Joined: 05 Jan 2016, 10:10

Re: csf.pignore for php running under cagefs

Post by Havri »

Hello,

I've just had to deal with a somewhat similar situation.. I managed to whitelist my lshttpd process with the following in my csf.pignore file:

pexe:^/usr/local/lsws/bin/lshttpd\..*

I don't want to whitelist every different version

Please notice:
1. the caret sign at the beginning of the command
2. the escaped dot after the "lshttpd" + another . (dot) to match any following characters
3. the asterisk.

This is the only way that I managed to make CSF ignore this process that was giving me this line in the lfd.log:

Apr 5 08:08:41 myserver lfd[290098]: *Suspicious Process* PID:256627 PPID:256621 User:nobody Uptime:4001 secs EXE:/usr/local/lsws/bin/lshttpd.5.1.14 CMD:litespeed (lshttpd).

I don't want to whitelist all of the lshttpd versions that are to come from now on, so this did the trick for me.

I think you can adapt this to everything you need.

Post Reply