{"id":6381,"date":"2021-05-22T01:42:32","date_gmt":"2021-05-22T01:42:32","guid":{"rendered":"https:\/\/oxhosting.com\/blog\/2021\/05\/22\/csf-lfd-security-notifications-hosting\/"},"modified":"2021-05-22T01:42:32","modified_gmt":"2021-05-22T01:42:32","slug":"csf-lfd-security-notifications-hosting","status":"publish","type":"post","link":"https:\/\/oxhosting.com\/blog\/2021\/05\/22\/csf-lfd-security-notifications-hosting\/","title":{"rendered":"CSF\/LFD security notifications &#8211; Hosting"},"content":{"rendered":"<div id=\"article\">\n<p><b>ConfigServer Security &amp; Firewall (CSF)<\/b> is a Stateful Packet Inspection (SPI) firewall, login\/intrusion detection, and security application for Linux servers provided by ConfigServer.<\/p>\n<p><b>Login Failure Daemon (LFD)<\/b> is a daemon process that runs on our servers and uses CSF for server security.<\/p>\n<p><b>CSF<\/b> and <b>LFD<\/b> come pre-installed on our servers with cPanel and offer many helpful features to ensure server security.<\/p>\n<div>In case it\u2019s not already installed, you can find information on how to install CSF\/LFD as well as how to work with the <b>CSF<\/b> plugin.<\/div>\n<p>One of the many benefits of CSF and LFD is that they provide you with various notifications to help keep track of important events taking place on your server. Please note that these notifications only appear if you have a VPS or Dedicated Server.<\/p>\n<div>\n<p><b>1. Excessive resource usage alert<\/b><\/p>\n<p>Let\u2019s start with a type of notification you\u2019ll most likely face often. LFD has a feature in place to watch running processes to see if they are <b>using too many resources<\/b>. For some of these resources, you can even configure how much counts as too much. 
In some cases, if a process is using more resources than expected, this can indicate a security issue. Even if it does not, it should be investigated to check whether or not something is misconfigured, which can cause loading issues on the server.<\/p>\n<p>By default, these notifications look like this:<\/p>\n<\/div>\n<div>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: Excessive resource usage: [user] ([pid])<br\/><br\/>Time:         [time]<br\/>Account:      [user]<br\/>Resource:     [resource]<br\/>Exceeded:     [level]<br\/>Executable:   [exe]<br\/>Command Line: [cmd]<br\/>PID:          [pid]<br\/>Killed:       [kill]<\/pre>\n<\/div>\n<div>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[user]<\/i> is replaced by the user the process in question is running under<\/li>\n<\/ul>\n<p>With this particular feature, you will most likely encounter false positives. The purpose of the feature is to bring to your attention processes that have been running for a long time under a user account, that are consuming a lot of memory, or that have network ports open to the outside of your server. 
<\/p>\n<p>Here is an example LFD email alert when <b>memory is exceeded<\/b>:<\/p>\n<\/div>\n<div>\n<pre class=\"prettyprint\">Time: Mon Nov 14 09:41:10 2016 +0530<br\/>Account: xxxxxx<br\/>Resource: Virtual Memory Size<br\/>Exceeded: 205 &gt; 200 (MB)<br\/>Executable: \/usr\/bin\/php<br\/>Command Line: \/usr\/bin\/php \/home\/xxxxxx\/public_html\/index.php<br\/>PID: 26953 (Parent PID:24974)<br\/>Killed: No<\/pre>\n<\/div>\n<div>\n<p>This alert is sent by LFD when a process uses more memory than the limit defined in the CSF configuration file.<\/p>\n<p>Here is an example LFD email alert when <b>time is exceeded<\/b>:<\/p>\n<\/div>\n<div>\n<pre class=\"prettyprint\">Time: Mon Nov 14 09:41:10 2016 +0530<br\/>Account: xxxxxx<br\/>Resource: Virtual Memory Size<br\/>Exceeded: 125389 &gt; 1800 (seconds)<br\/>Executable: \/usr\/bin\/php<br\/>Command Line: \/usr\/bin\/php \/home\/xxxxxx\/public_html\/index.php<br\/>PID: 28429 (Parent PID:26561)<br\/>Killed: No<\/pre>\n<\/div>\n<div>\n<p>This alert is sent by LFD when a process runs for longer than the time limit defined in the CSF configuration file.<\/p>\n<p>Sometimes you may find yourself receiving a lot of resource usage alert emails and might want to get them disabled. 
Make sure to <b>double check<\/b> that they are indeed false positives before ignoring or disabling them.<\/p>\n<p>To <b>disable<\/b> such notifications, go to <b>WHM &gt;&gt; Plugins<\/b> section <b>&gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>Now proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>There, find the <i><b>PT_USERMEM<\/b><\/i> and <i><b>PT_USERTIME<\/b><\/i> parameters and change their values to <b>0<\/b>.<\/p>\n<p>This will disable the notifications <b>completely<\/b>, as these parameters define the threshold above which the notifications are sent. However, we strongly recommend keeping them enabled so that you are able to check whether that particular process is expected to use that many resources.<br \/>You might feel that the default values are too low and you are getting flooded with notifications about valid processes, so you might want to change <i><b>PT_USERMEM<\/b><\/i> and <i><b>PT_USERTIME<\/b><\/i> to the values you feel are the most appropriate.<\/p>\n<p>Once you have done this, scroll down and click on the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<p>There is also an <b>ignore list<\/b> at <i>\/etc\/csf\/csf.pignore<\/i> that can be used to whitelist usernames, full paths to binaries, or command lines. 
The following format should be used in the file:<\/p>\n<pre class=\"prettyprint\">exe:\/full\/path\/to\/file<br\/>user:username<br\/>cmd:command line<\/pre>\n<p>The file can be edited via SSH using your editor of choice.<\/p>\n<p>After the changes are done, you need to reload CSF and restart LFD using the following SSH command:<\/p>\n<pre class=\"prettyprint\">csf -r or service lfd restart<\/pre>\n<\/div>\n<div>\n<p><b>2. System integrity alert<\/b><\/p>\n<p>LFD has a feature in place to check for changes in certain system files. This helps to detect compromised files, but it also sends you an alert any time these files are changed by legitimate system updates. If you aren\u2019t sure why these files are being changed, it\u2019s important to check the server logs to determine whether the changes are the expected result of updates or other intentional changes, or whether there is a compromised file that needs to be addressed.<br \/>These notifications are only sent once and, in most cases, are triggered by a system update. In this case, no further action from your side is needed.<br \/>By default, these notifications look like this:<\/p>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: System Integrity checking detected a modified system file<br\/><br\/>Time:     [time]<br\/><br\/>The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. 
If the change is unexpected it should be investigated.<br\/><br\/>[text]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[time]<\/i> is replaced by the time at which the changes were detected<\/li>\n<li><i>[text]<\/i> is replaced by information concerning the detected changes<\/li>\n<\/ul>\n<p>As for checking the server logs, you can check recent system updates for CentOS using this command:<\/p>\n<pre class=\"prettyprint\">yum history<\/pre>\n<p>For more detailed information about each update, you can use <i>yum history info<\/i> with the update <b>ID<\/b> (the <i>ID<\/i> is found in the output of <i>yum history<\/i>).<\/p>\n<p>The cPanel system update log files are stored in <i>\/var\/cpanel\/updatelogs<\/i>.<\/p>\n<p>We recommend keeping these types of notifications enabled so that you can investigate all unexpected changes as soon as possible. 
Still, if you wish to disable these notifications, you can do it in the following way:<\/p>\n<p>Go to <b>WHM &gt;&gt; Plugins &gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>Then, proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>There, find the <i><b>LF_INTEGRITY<\/b><\/i> parameter and set its value to <b>0<\/b>.<\/p>\n<p>Once you have done this, scroll down and click the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<div>\n<p><b>3. Suspicious process alert<\/b><\/p>\n<p>The <b>Process Tracking<\/b> option enables tracking of user and nobody processes and examines them for suspicious executable files or open network ports (e.g., if a process is running from a deleted executable file or has network connections open). 
Its purpose is to identify potentially exploitative processes that are running on the server, even if they are obfuscated to appear as system services.<\/p>\n<p>By default, these notifications look like this:<\/p>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: Suspicious process running under user [user]<br\/><br\/>Time:    [time]<br\/>PID:     [pid]<br\/>Account: [user]<br\/>Uptime:  [uptime] seconds<br\/><br\/>Executable:<br\/>[exe]<br\/><br\/>Command Line (often faked in exploits):<br\/>[cmdline]<br\/><br\/>Network connections by the process (if any):<br\/>[sockets]<br\/><br\/>Files open by the process (if any):<br\/>[files]<br\/><br\/>Memory maps from the process (if any):<br\/>[maps]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[user]<\/i> is replaced by the user the process is running under<\/li>\n<li><i>[time]<\/i> is replaced by the time at which the process was detected as suspicious<\/li>\n<li><i>[pid]<\/i> is replaced by the Process ID of the process<\/li>\n<li><i>[uptime]<\/i> is replaced by the time the process has been running for<\/li>\n<li><i>[exe]<\/i> is replaced by the executable file the process is running from<\/li>\n<li><i>[cmdline]<\/i> is replaced by the command line associated with the process<\/li>\n<li><i>[sockets]<\/i> is replaced by information about any network connections the process has open<\/li>\n<li><i>[files]<\/i> is replaced by a list of files the process has open<\/li>\n<li><i>[maps]<\/i> is replaced by a list of memory maps the process has open<\/li>\n<\/ul>\n<p>We recommend that you keep these types of notifications enabled so that you can check whether or not the process is actually suspicious. 
<\/p>\n<p>If you still wish to disable these notifications, you can do it in the following way:<\/p>\n<p>Go to <b>WHM &gt;&gt; Plugins<\/b> section <b>&gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>Then, proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>There, you will find the <i><b>PT_LIMIT<\/b><\/i> parameter. Please set its value to <b>0<\/b>.<\/p>\n<p>Once you have done this, scroll down and click the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<p>You can also add an executable file or command line path to the <i>\/etc\/csf\/csf.pignore<\/i> file.<br \/>The file can be edited via SSH using your editor of choice.<\/p>\n<p>After the changes to the file are done, you need to reload CSF and restart LFD using the following command:<\/p>\n<pre class=\"prettyprint\">csf -r or service lfd restart<\/pre>\n<\/div>\n<div>\n<p><b>4. IP address block alert<\/b><\/p>\n<p>CSF\/LFD automatically blocks IP addresses for certain configurable reasons. 
By default, any time the system blocks an IP address, it will send you an email to let you know which IP was blocked and why it was blocked.<\/p>\n<p>Let\u2019s look at how some of these notifications look by default:<\/p>\n<pre class=\"prettyprint\">Login Failures:<br\/>From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: blocked [ip]<br\/><br\/>Time:     [time]<br\/>IP:       [ip]<br\/>Failures: [ipcount]<br\/>Interval: [iptick] seconds<br\/>Blocked:  [block]<br\/><br\/>Log entries:<br\/>[text]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[ip]<\/i> is replaced by the blocked IP<\/li>\n<\/ul>\n<p>The message itself includes the time the notification was sent, the IP address that was blocked, how many times that IP address failed the respective trigger rule, how long the IP address will be blocked for, and whether the IP address was temporarily or permanently blocked.<\/p>\n<p>For example, if the IP address was permanently blocked, the following notification will be sent:<\/p>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: [ip] blocked permanently<br\/><br\/>Time:             [time]<br\/>IP:               [ip]<br\/>Temporary Blocks: [count]<br\/><br\/>Temporary blocks that triggered the permanent block:<br\/>[blocks]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[ip]<\/i> is replaced by the blocked IP<\/li>\n<\/ul>\n<p>The message also contains information about the time the permanent block was created and the number of 
temporary blocks that triggered it.<\/p>\n<p>We recommend that you first keep such notifications enabled to make sure that the firewall is configured correctly, blocking only the IP addresses you want blocked. Once you\u2019ve confirmed that everything is OK, you might want to disable these types of notifications so that your mailbox doesn\u2019t get flooded with too many emails or distract you from the more helpful ones.<\/p>\n<p>To enable or disable such notifications, please do the following:<\/p>\n<p>Go to <b>WHM &gt;&gt; Plugins<\/b> section <b>&gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>Now proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>Here you will see the following parameters:<\/p>\n<ul>\n<li><i><b>LF_EMAIL_ALERT<\/b><\/i> &#8211; sends an email alert if an IP address is blocked by one of the triggers.<\/li>\n<li><i><b>LF_PERMBLOCK_ALERT<\/b><\/i> &#8211; sends an email alert if an IP address is permanently blocked. This happens if the IP address has been temporarily blocked more than a few times (to configure this, use <i>LF_PERMBLOCK_COUNT<\/i>).<\/li>\n<li><i><b>LF_NETBLOCK_ALERT<\/b><\/i> &#8211; sends an email alert if an IP network class was blocked (the conditions for such blocks can be configured by editing the adjacent parameters).<\/li>\n<li><i><b>LF_DISTFTP_ALERT<\/b><\/i> &#8211; sends an email alert if <i>LF_DISTFTP<\/i> is triggered. The <i>LF_DISTFTP<\/i> option keeps track of all successful FTP logins and blocks all the IPs that are suspected of being involved in a distributed FTP attack. You can configure it by editing the parameters in the <b>Distributed Attacks<\/b> section.<\/li>\n<li><i><b>LF_DISTSMTP_ALERT<\/b><\/i> &#8211; sends an email alert if <i>LF_DISTSMTP<\/i> is triggered. The same scenario applies as above, but for SMTP.<\/li>\n<li><i><b>LT_EMAIL_ALERT<\/b><\/i> &#8211; sends an email alert if an account exceeds a certain number of hourly logins per IP address.<\/li>\n<li><i><b>CT_EMAIL_ALERT<\/b><\/i> &#8211; sends an email alert if an IP address is blocked due to connection tracking.<\/li>\n<\/ul>\n<p>If you do not want to be notified about certain IP address blocks, please set the corresponding parameter from the list above to <i><b>OFF<\/b><\/i>.<\/p>\n<p>Once you have done this, scroll down and click the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<div>\n<p><b>5. Email queue size alert<\/b><\/p>\n<p>LFD has a feature in place for watching the length of email queues. When many emails are sent from a server, the SMTP server automatically places them into an email queue where messages await processing. Delivery starts with the first ones and then carries on with the others. If many messages accumulate in the email queue, this may lead to emails being delivered with delays.<\/p>\n<p>If you receive such a notification, it\u2019s important to check what\u2019s causing this situation. Many emails getting stuck in the email queue may indicate a security issue. 
<\/p>\n<p>By default, these notifications look like this:<\/p>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: Email queue size alert<br\/><br\/>Time:     [time]<br\/>[text]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[time]<\/i> is replaced with the time when the long queue was first detected<\/li>\n<\/ul>\n<p>We recommend that you leave these notifications enabled in order to immediately address any potential issues. If you wish to disable them, please follow these steps:<\/p>\n<p>Go to <b>WHM &gt;&gt; Plugins<\/b> section <b>&gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>Now proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>There, locate the <i><b>LF_QUEUE_ALERT<\/b><\/i> parameter and set it to <b>0<\/b>. Alternatively, you can set a queue length threshold from 0 to 5000 at which these notifications are sent.<\/p>\n<p>Once you have done this, please scroll down and click the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<div>\n<p><b>6. Script alert<\/b><\/p>\n<p>Scripts that send email usually do so through the sendmail or exim binary. 
When this happens, certain lines appear in the mail log; LFD watches for them and notifies you if it happens repeatedly.<\/p>\n<p>By default, these notifications look like this:<\/p>\n<pre class=\"prettyprint\">From: root<br\/>To: root<br\/>Subject: lfd on [hostname]: Script Alert for [path]<br\/><br\/>Time:  [time]<br\/>Path:  [path]<br\/>Count: [count] emails sent<br\/><br\/>Sample of the first 10 emails:<br\/>[emails]<br\/><br\/>Possible Scripts:<br\/>[scripts]<\/pre>\n<ul>\n<li><i>root<\/i> in the <b>From:<\/b> and <b>To:<\/b> lines is usually replaced by <i>root@&lt;hostname&gt;<\/i><\/li>\n<li><i>[hostname]<\/i> is replaced by the server&#8217;s hostname<\/li>\n<li><i>[path]<\/i> is replaced by the folder path found in the mail log<\/li>\n<li><i>[time]<\/i> is replaced by the time the behavior was detected<\/li>\n<li><i>[count]<\/i> is replaced by the number of emails detected<\/li>\n<li><i>[emails]<\/i> is replaced by some relevant log lines<\/li>\n<li><i>[scripts]<\/i> is replaced by LFD&#8217;s estimate of which scripts might be involved. Unfortunately, such guesses are often inaccurate, so it\u2019s important to check which script is actually involved.<\/li>\n<\/ul>\n<p>We recommend keeping these types of notifications enabled so that you can address any potential issues in a timely manner. You can also disable them by following these steps:<\/p>\n<p>Go to <b>WHM &gt;&gt; Plugins<\/b> section <b>&gt;&gt; ConfigServer Security &amp; Firewall<\/b>.<\/p>\n<p><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/CSFLFD-security-notifications-Hosting.png\"\/><\/p>\n<p>Now proceed to <b>CSF &gt;&gt; Firewall Configuration<\/b>.<\/p>\n<p><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_403_CSFLFD-security-notifications-Hosting.png\"\/><\/p>\n<p>There, you will find the <i><b>LF_SCRIPT_ALERT<\/b><\/i> parameter. 
Set it to <i><b>OFF<\/b><\/i>.<\/p>\n<p>Once you have done this, please scroll down and click the <b>Change<\/b> button.<\/p>\n<p><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_629_CSFLFD-security-notifications-Hosting.png\"\/><\/p>\n<p>On the next page, you will see the <i><b>Changes saved. You should restart both csf and lfd.<\/b><\/i> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/p>\n<\/div>\n<div>\n<p><b>7. Excessive processes alert<\/b><\/p>\n<p>LFD also tracks the <b>number of processes<\/b> running under cPanel accounts, for example, PHP, CGI, SSH or cron jobs.<\/p>\n<p>Each visitor who accesses a PHP page will generate an entry process, but these processes usually end quickly. It\u2019s unlikely that 10 processes will be generated concurrently at a single moment.<\/p>\n<p>A large number of concurrent processes indicates high levels of traffic or an improperly coded website that takes too long to finish one process. Additionally, this kind of situation happens when there are DDoS attacks on the website.<\/p>\n<p>By default, these notifications look like this:<\/p>\n<\/div>\n<div>\n<pre class=\"prettyprint\">From: root\nTo: root\nSubject: lfd on [hostname]: Excessive processes running under user [user]\n\nTime:          [time]\nAccount:       [user]\nProcess Count: [number]\n\nProcess Information:\n\nUser: [user]\nPID: [pid]\nPPID: [ppid]\nRun Time: [secs]\nMemory: [kb]\nRSS: [kb]\nExecutable: [exe]\nCommand Line: [cmd]\n<\/pre>\n<p>If the traffic you have on the websites is legitimate, the notifications may be false positives.<\/p>\n
<\/div>\n<p>To modify the process limit or disable the notifications, go to <b>WHM<\/b> &gt;&gt; <b>Plugins<\/b> section &gt;&gt; <b>ConfigServer Security &amp; Firewall<\/b>:<\/p>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_410_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>Now proceed to <b>CSF<\/b> &gt;&gt; <b>Firewall Configuration<\/b>.<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_668_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>\n<p>There, you will find the <i><b>PT_USERPROC<\/b><\/i> parameter.<\/p>\n<p>Set it to <b>0<\/b> if you want to stop receiving these notifications altogether. However, we recommend keeping them enabled in order to be notified if the process count exceeds the allowed limit.<\/p>\n<p>You might feel that the default value is too low and you are getting flooded with notifications about valid processes, so you might want to change <i><b>PT_USERPROC<\/b><\/i> to the value you feel is the most appropriate.<\/p>\n<p>Once you have done this, scroll down and click on the <b>Change<\/b> button.<\/p>\n<\/div>\n<div><img class=\"kb-image\" src=\"https:\/\/oxhosting.com\/blog\/wp-content\/uploads\/2021\/05\/1621647751_268_CSFLFD-security-notifications-Hosting.png\"\/><\/div>\n<div>On the next page, you will see the <b>Changes saved. You should restart both csf and lfd.<\/b> message. Click <b>Restart csf+lfd<\/b> and the changes will be saved.<\/div>\n<p>That&#8217;s it!<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ConfigServer Security &amp; Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, login\/intrusion detection, and security application for Linux servers provided by ConfigServer. 
Login&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/posts\/6381"}],"collection":[{"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/comments?post=6381"}],"version-history":[{"count":0,"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/posts\/6381\/revisions"}],"wp:attachment":[{"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/media?parent=6381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/categories?post=6381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oxhosting.com\/blog\/wp-json\/wp\/v2\/tags?post=6381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}