Suspicious process running, External connections, and the csf.ignore list

RickKukiela
Junior Member
Posts: 2
Joined: 06 May 2025, 23:15

Suspicious process running, External connections, and the csf.ignore list

Post by RickKukiela »

Hello all,

I have been grappling with understanding why some of my sites on my server are always sending me these suspicious process emails (via CSF) related to php-cgi and php-fpm. It appears to me that the issue most of the time is related to an outbound network connection the script has opened. In this specific instance, the remote connection is to 172.64.145.91:443, which is a Cloudflare service IP. I also got one recently from another site on my server to 172.253.62.106:443, which resolves to Google (this site uses curl to validate forum submissions with the Google reCAPTCHA service, so by logical deduction I can conclude this is what the "suspicious process" email was referring to).

Regarding the Google IP, I have like 20 sites on this server that all use Google reCAPTCHA for their forum submissions. It appears that CSF does not usually have an issue with this and I do not receive reports related to that function 99% of the time. This makes it seem like Google IPs are mostly "whitelisted" or "ignored" in the context of the suspicious processes, but this particular IP might be new or just not in our approved connections list for whatever reason. Does that seem accurate/plausible? If so, where/how do I manage this so that I can ensure the missing IPs are added?

Regarding the Cloudflare IP, I found in my csf.ignore file a whole section dedicated to Cloudflare IPs, in which the following entry/line is present:

Code:

172.64.0.0/13

This network CIDR does encompass the IP address linked to the reported "suspicious process", so I'm confused as to why this would be reported to me if the IP falls within an ignored network range?

Furthermore, doing "csf -g" followed by the offending IP and the /13 network both yield a negative / not found output (which might be expected, so no biggie, just stating facts). If it should be registered and this seems off, we have a fairly long deny list, so is it possible that the ignore list is being skipped / pushed out because of that?

Is there a command to confirm if an IP is specifically registered in the ignore list otherwise?

Now, I'm not sure if adding the ranges to csf.allow would "fix" the issue, but I'm not so sure adding all CF ip ranges to the hard-allow list is ideal either.

I also do not see any mention of google network ranges anywhere.

What is the intended / correct way of "ignoring" suspicious activity involving IP addresses I know are generally "not suspicious"?

Thanks in advance for any help / guidance!
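As an added example (not part of the original post, and not CSF's own code): a small Python check for the containment question raised above, i.e. whether an address such as 172.64.145.91 falls inside any entry of a csf.ignore-style list of IPs and CIDRs. The list below is a constructed excerpt; the script only answers the containment question and says nothing about which list lfd consults for a given alert.

```python
import ipaddress

# Constructed sample in the csf.ignore style: one IP or CIDR per line,
# optional "# comment" after it; blank and comment-only lines are skipped.
SAMPLE_IGNORE = """\
# Cloudflare ranges (constructed excerpt for this example)
172.64.0.0/13   # Cloudflare
104.16.0.0/13

203.0.113.7     # single host entry
"""


def parse_ignore(text):
    """Return ip_network objects for every IP/CIDR entry in the text."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            # strict=False: tolerate host bits set inside a CIDR entry
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # non-IP entries (e.g. hostnames) are not resolved here
            continue
    return nets


def matching_entries(ip, nets):
    """Return the entries that contain ip (empty list if none match)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if n.version == addr.version and addr in n]


def is_ignored(ip, text):
    """True if ip falls inside at least one entry of the list text."""
    return bool(matching_entries(ip, parse_ignore(text)))


if __name__ == "__main__":
    nets = parse_ignore(SAMPLE_IGNORE)
    for ip in ("172.64.145.91", "172.253.62.106"):
        hits = [str(n) for n in matching_entries(ip, nets)]
        print(ip, "->", hits or "no matching entry")
```

To run it against a real file, pass the file contents instead of SAMPLE_IGNORE, e.g. `parse_ignore(open("/etc/csf/csf.ignore").read())`.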
RickKukiela
Junior Member
Posts: 2
Joined: 06 May 2025, 23:15

Re: Suspicious process running, External connections, and the csf.ignore list

Post by RickKukiela »

Also, if anyone can confirm that the network connection is the actual thing that is suspicious in these reports, that would be great. My hosting provider tried telling me that the process runtime is the thing it's finding suspicious, but I am finding that hard to believe. I find that hard to believe because Apache purposefully keeps these php-cgi/php-fpm child processes open for extended periods of time and uses them to handle many requests over their lifetime. Considering any of these processes as suspicious based only on their runtime seems like an exercise in futility, and I cannot understand why that would have been programmed in this manner given that they are inherently long-running processes.