Background
CSF firewall is a very powerful tool, but unfortunately the default notifications on a busy or mature system are way too heavy.
In order to focus on the actual problems at hand you probably want to fine tune or turn off some of these excessive notifications, starting with the ones you see most often and never intend to check anyway.
Turning off Excessive Processes Warnings
In our case of a mature server, the one we received most often is:
lfd on server.example.com: Excessive processes running under user XYZ
To modify the process limit or disable the notifications, go to:
WHM -> ConfigServer Security & Firewall
Proceed to CSF >> Firewall Configuration.
There, you can search for the PT_USERPROC parameter. Set it to 0 if you want to stop receiving these notifications altogether.
The default value for this setting is 10. The actual description for this feature is:
User Process Tracking. This option enables the tracking of the number of
process any given account is running at one time. If the number of processes
exceeds the value of the following setting an email alert is sent with
details of those processes. If you specify a user in csf.pignore it will be
ignored
We don’t recommend turning it off completely, but rather fine tuning it. Fine tuning implies small incremental changes. For example, if you really want to understand these processes and what’s going on, rather make the limit something like 12 or 15. Then keep on monitoring the situation.
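Before raising PT_USERPROC to 12 or 15, it helps to know how many processes each account actually runs at a quiet moment and at peak. The following is an added example, not code from the post or from the csf project: it counts processes per user from the output of `ps -eo user=` and lists the accounts above a chosen limit, so the new threshold sits just above normal load instead of the alert being switched off. The `ps` sample embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the csf project): count
# processes per user from `ps` output and report the users above a
# PT_USERPROC-style threshold. Run it a few times on a real server
# (quiet period and peak) to choose a limit from data.

# Constructed sample of `ps -eo user=` output, one user name per process.
SAMPLE_PS_OUTPUT='root
root
root
mailnull
mailnull
alice
alice
alice
alice
alice
alice
alice
alice
alice
alice
alice
alice
bob
bob
nobody'

# users_over_limit THRESHOLD < ps-output
# Prints "count user" for every user whose process count exceeds THRESHOLD,
# highest count first; prints nothing when everyone is within the limit.
users_over_limit() {
    limit="$1"
    sort | uniq -c | awk -v limit="$limit" '$1 > limit { print $1, $2 }' | sort -rn
}

# Wrapper over the constructed sample so the check can be exercised offline.
# On a live system use:  ps -eo user= | users_over_limit 10
sample_report() {
    printf '%s\n' "$SAMPLE_PS_OUTPUT" | users_over_limit "$1"
}

# With the default limit of 10 only "alice" (12 processes) would trigger the
# lfd alert; at 12 nobody would.
sample_report 10
```

Pipe the real `ps -eo user=` output into `users_over_limit` with the current PT_USERPROC value; if the same account keeps appearing with a count only slightly above the limit, that is the case for a small increase, whereas a count far above it deserves a look at the processes themselves.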
If you decide to go the route of csf.pignore, then look in `/etc/csf` for the file or create it. The syntax is:
exe:/full/path/to/file
user:username
cmd:command line
E.g.:
exe:/home/${cPuser}/path/to/cron.php
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
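A csf.pignore entry that does not match exactly is silently ignored, so a typo just means the alerts keep coming. The following is an added example, not code from the post or from the csf project: a small checker for the three entry forms the post describes (`exe:`, `user:`, `cmd:`). It flags relative `exe:` paths and an unexpanded `$` such as the `${cPuser}` placeholder in the post's example, which has to be replaced by the real account name because csf reads the file literally (my understanding of csf, stated here as an assumption). Entry types the checker does not know are reported rather than accepted. The sample file content is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the csf project): sanity check
# a csf.pignore-style file before relying on it. Comments and blank lines are
# skipped; only exe:, user: and cmd: entries are understood here.

# Constructed sample: three good entries followed by two mistakes
# (a relative exe path and an unexpanded ${cPuser} placeholder).
SAMPLE_PIGNORE='# sample csf.pignore
exe:/usr/local/cpanel/3rdparty/bin/perl
user:mailnull
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
exe:home/alice/cron.php
exe:/home/${cPuser}/path/to/cron.php'

# check_pignore < file
# Prints "line N: message" per problem; exit status 1 if any problem was found.
check_pignore() {
    awk '
        function bad(n, msg) { print "line " n ": " msg; found = 1 }
        /^[[:space:]]*(#|$)/ { next }                      # comment or blank
        /^exe:/ {
            path = substr($0, 5)
            if (path !~ /^\//)
                bad(NR, "exe: path must be absolute")
            else if (path ~ /\$/)
                bad(NR, "exe: contains $; csf does not expand shell variables, use the real path")
            next
        }
        /^user:/ { if (length($0) == 5) bad(NR, "user: has no user name"); next }
        /^cmd:/  { if (length($0) == 4) bad(NR, "cmd: has no command line"); next }
        { bad(NR, "entry type not understood by this checker (expected exe:, user: or cmd:)") }
        END { exit found ? 1 : 0 }
    '
}

# Usage on the constructed sample; on a server:  check_pignore < /etc/csf/csf.pignore
if printf '%s\n' "$SAMPLE_PIGNORE" | check_pignore; then
    echo "csf.pignore sample: no problems found"
fi
```

Run it against `/etc/csf/csf.pignore` after every edit; a clean run says the entries are well formed, not that they match the process lfd complained about, so compare the `exe:` path with the "Executable:" line of the alert as well.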
Turning off Suspicious Processes
The next annoying one is suspicious processes. For example, you tell me how this is suspicious:
Executable:
/usr/local/cpanel/3rdparty/per
Command Line (often faked in exploits):
spamd child
Clearly CSF, which is a third-party program separate from WHM, doesn’t properly recognise WHM’s own processes running on a WHM server?
To turn off suspicious processes, go here:
WHM -> ConfigServer Security & Firewall -> Firewall Configuration
Search for PT_LIMIT. When you read the text, it seems PT_SKIP_HTTP is also relevant, but it’s not. This is just part of the confusion of using WHM with CSF: it’s so complicated because of the hundreds of settings, many of which are never touched in day-to-day use.
Change PT_LIMIT to zero.
Scroll to the bottom and click “Change”.
Also click Restart csf+lfd.
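The WHM form simply rewrites `/etc/csf/csf.conf`, where every setting is a `KEY = "value"` line. The following is an added example, not code from the post or from the csf project: two shell helpers that read and change such a key, used here on a constructed miniature csf.conf. The idea is to apply the change to a copy, review the diff, and only then copy it over the real file and restart csf and lfd.

```shell
#!/bin/sh
# Added example (not from the original post or the csf project): read and
# change a KEY = "value" line in a csf.conf-style file, the CLI equivalent of
# the WHM steps above. Work on a copy of /etc/csf/csf.conf, not the live file.

# Constructed miniature csf.conf holding the keys the post discusses.
SAMPLE_CSF_CONF='# Process Tracking
PT_LIMIT = "60"
PT_USERPROC = "10"
PT_SKIP_HTTP = "0"'

# csf_get FILE KEY  -> prints the value of KEY without its quotes
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"$/\1/p" "$1"
}

# csf_set FILE KEY VALUE -> rewrites KEY in place; fails if KEY is not present,
# so a misspelt key is noticed instead of silently appending nothing.
csf_set() {
    grep -q "^$2 = " "$1" || { echo "key $2 not found in $1" >&2; return 1; }
    sed -i.bak "s/^$2 = \".*\"$/$2 = \"$3\"/" "$1" && rm -f "$1.bak"
}

# Demonstration on a temporary copy: disable suspicious-process alerts and
# raise the per-user process limit, as the post suggests.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CSF_CONF" > "$demo_conf"
csf_set "$demo_conf" PT_LIMIT 0
csf_set "$demo_conf" PT_USERPROC 15
printf 'PT_LIMIT=%s PT_USERPROC=%s\n' \
    "$(csf_get "$demo_conf" PT_LIMIT)" "$(csf_get "$demo_conf" PT_USERPROC)"
rm -f "$demo_conf"
```

On a real server: `cp /etc/csf/csf.conf /root/csf.conf.new`, run `csf_set /root/csf.conf.new PT_LIMIT 0`, check `diff /etc/csf/csf.conf /root/csf.conf.new` shows only the intended line, copy the file back, then run `csf -r` and restart lfd (`systemctl restart lfd` on systemd hosts), which is what the Restart csf+lfd button does.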
References
- https://www.namecheap.com/support/knowledgebase/article.aspx/10093/30/csflfd-security-notifications/#suspicious_process
- https://forums.cpanel.net/threads/csf-csf-pignore-syntax-for-suspicious-process.679115/
- https://www.namecheap.com/support/knowledgebase/article.aspx/10093/30/csflfd-security-notifications/