LFD flagging processes by spamd child

blaszlo

Hello all,

This is more of an annoyance than a problem. I get about 24 alerts from LFD accompanied by an email about suspicious processes and excessive resource usage for certain users. I want to modify LFD so that I am not alerted by these, or if these are actually taking up excessive resources, modify it so that I am not alerted. I am using less than 4% processor time and the server is running smooth as ever with the exception of this. Any help is appreciated. Thanks
 
I'm sorry, I should be more specific... This is for CSF+LFD (ConfigServer Firewall+Login Failure Daemon), where the alert is coming from LFD... I think I may have found the problem, I will post back
 
OK - Still getting alerts... It seems that Perl is being executed and apparently LFD's process watcher doesn't like it (because /usr/bin/perl is being executed, and can be exploited). Here is an example of an email I'm getting...

Code:
Time:         Tue Jan 12 09:45:37 2010 -0500
Account:      someuser
Resource:     Process Time
Exceeded:     44942 > 1800 (seconds)
Executable:   /usr/bin/perl
Command Line: spamd child
PID:          14602
Killed:       No
 
Set csf config to

# This User Process Tracking option sends an alert if any linux user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set to 0 to disable this feature
PT_USERTIME = Default: 1800 [0-86400]
 
Please watch posting dates! You are replying to a 3 year old post!

I wouldn't do that because that way you disable all process tracking.

A better way is to ignore those things which you don't need to monitor. This can be done by adding them to csf.pignore:
Code:
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
Don't forget to restart csf and lfd and probably it's a good choice to restart spamassassin too afterwards.
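An added example, not part of the thread or of CSF itself: it parses the alert quoted above and reports which of the suggested csf.pignore entries would cover it. It assumes `exe:`, `cmd:` and `user:` entries are compared by exact equality against the alert's Executable, Command Line and Account fields, and it does not model the regex forms; the function names and sample strings are constructed for illustration.

```python
# Constructed sample: the LFD alert body quoted in the thread.
ALERT = """\
Time:         Tue Jan 12 09:45:37 2010 -0500
Account:      someuser
Resource:     Process Time
Exceeded:     44942 > 1800 (seconds)
Executable:   /usr/bin/perl
Command Line: spamd child
PID:          14602
Killed:       No
"""

# The three csf.pignore entries suggested in the thread.
PIGNORE = """\
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
"""

def parse_alert(text):
    """Split 'Field: value' lines on the first colon only (the Time value has colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_pignore(text):
    """Return (kind, value) pairs, skipping blank lines, comments and other rule kinds."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        kind, sep, value = line.partition(":")
        if line and not line.startswith("#") and sep and kind in ("exe", "cmd", "user"):
            rules.append((kind, value))
    return rules

def matching_rules(alert, rules):
    """Assumed semantics: a rule covers the alert when its value equals the field exactly."""
    seen = {"exe": alert.get("Executable"), "cmd": alert.get("Command Line"),
            "user": alert.get("Account")}
    return [f"{kind}:{value}" for kind, value in rules if seen[kind] == value]

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(matching_rules(alert, parse_pignore(PIGNORE)))
    # A blanket exe:/usr/bin/perl rule would also hide unrelated Perl processes.
    other = dict(alert, **{"Command Line": "perl /home/someuser/job.pl"})  # constructed
    print(matching_rules(other, [("exe", "/usr/bin/perl")]))
```

For this alert only `cmd:spamd child` applies, because the reported executable is `/usr/bin/perl` rather than `/usr/bin/spamd`; ignoring `/usr/bin/perl` itself would silence tracking for every Perl process on the server.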
 
thanks Richard G worked fine
 