How to fine tune or turn off excessive notifications in WHM when using CSF Firewall

Background

CSF firewall is a very powerful tool, but unfortunately the default notifications on a busy or mature system are way too heavy.

In order to focus on actual problems at hand you probably want to fine tune or turn off some of these excessive notifications, starting with the ones that you see most and that you never intend to check anyway.

Turning off Excessive Processes Warnings

In our case of a mature server, the one we got the most is:

lfd on server.example.com: Excessive processes running under user XYZ

To modify the process limit or disable the notifications, go to:

WHM -> ConfigServer Security & Firewall

Proceed to CSF >> Firewall Configuration.

There, you can search for the PT_USERPROC parameter. Set it to 0 if you want to stop receiving these notifications altogether.

The default value for this setting is 10. The actual description for this feature is:

User Process Tracking. This option enables the tracking of the number of
process any given account is running at one time. If the number of processes
exceeds the value of the following setting an email alert is sent with
details of those processes. If you specify a user in csf.pignore it will be
ignored

We don’t recommend turning it off completely, but rather fine tuning it. Fine tuning implies small incremental changes. For example, if you really want to understand these processes and what’s going on, rather make the limit something like 12 or 15. Then keep on monitoring the situation.
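As an added example (not part of the original article and not CSF's own code), this shell sketch previews which accounts would trigger the alert at a candidate PT_USERPROC value before you change it. The function names and sample accounts are hypothetical, and the count only approximates what lfd sees, since lfd ignores users listed in csf.pignore.

```shell
#!/bin/sh
# Added example: preview the effect of a PT_USERPROC value before changing it.

# csf_setting FILE NAME
# Print the value of NAME from a csf.conf-style file, where settings are
# written as NAME = "value". If the name appears twice, the last one is used.
csf_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# users_over_limit LIMIT
# Reads one username per line on stdin (one line per running process) and
# prints "count user" for each account with MORE than LIMIT processes,
# the condition the PT_USERPROC description gives for sending an alert.
users_over_limit() {
    sort | uniq -c | awk -v limit="$1" '$1 > limit { print $1, $2 }' | sort -rn
}

# Constructed sample: hypothetical accounts with 14, 11 and 3 processes,
# in the one-name-per-process form that `ps -e -o user=` prints.
sample_ps_users() {
    for spec in alice:14 bob:11 carol:3; do
        n=${spec#*:}
        while [ "$n" -gt 0 ]; do
            echo "${spec%%:*}"
            n=$((n - 1))
        done
    done
}

# Compare the default of 10 with the small increments suggested above.
for limit in 10 12 15; do
    echo "PT_USERPROC=$limit would alert on:"
    sample_ps_users | users_over_limit "$limit"
done

# On a live server (csf.conf is assumed to sit in the /etc/csf directory):
#   csf_setting /etc/csf/csf.conf PT_USERPROC
#   ps -e -o user= | users_over_limit 15
```

Accounts that still appear at the higher limit are the ones worth investigating rather than silencing.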

If you decide to go the route of csf.pignore then look in `/etc/csf` for the file or create it. The syntax is:

exe:/full/path/to/file
user:username
cmd:command line

E.g.:

exe:/home/${cPuser}/path/to/cron.php
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php

Turning off Suspicious Processes

The next annoying one is suspicious processes. For example, you tell me how this is suspicious:

Executable:
/usr/local/cpanel/3rdparty/perl/536/bin/perl

Command Line (often faked in exploits):
spamd child

Clearly CSF, which is a third-party program separate from WHM, doesn’t properly understand WHM’s own processes running on a WHM server.

To turn off suspicious processes, go here:

WHM -> ConfigServer Security & Firewall -> Firewall Configuration

Search for PT_LIMIT. When you read the text, it seems PT_SKIP_HTTP is also relevant, but it’s not. This is just part of the confusion of using WHM with CSF: it is complicated by the hundreds of settings, many of which are not actually used every day.

Change PT_LIMIT to zero.

Scroll to the bottom and click “Change”.

Also click “Restart csf+lfd”.
