csf.pignore being... ignored, in csf: v3.39 (generic)

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Locked
shannon
Junior Member
Posts: 3
Joined: 11 Jul 2008, 13:06

csf.pignore being... ignored, in csf: v3.39 (generic)

Post by shannon »

Couple of non-cPanel boxes that have upgraded themselves to 3.39 (generic), and we're now seeing a constant influx of warning emails such as:

Time: Fri Jul 11 07:22:19 2008
Account: haldaemon
Resource: Process Time
Exceeded: 76977 > 1800 (seconds)
Executable: /usr/sbin/hald
Command Line: hald
PID: 1818
Killed: No


What's weird is, in the csf.pignore we already had:

exec:/usr/sbin/hald

and when this first started yesterday, we added a:

user:haldaemon

and we're still getting the messages. :( These are centos boxes, and we're seeing emails for haldaemon, dbus, and mysql at this time. When we first installed csf we saw the same thing, but added the relevant "exec:" lines to csf.pignore and the emails stopped... but now they're back.

Now that I'm thinking about it, we did do a yum upgrade from centos 5.1 to 5.2 this week on these boxes, so it could be something that changed as a result of that... might not be a bug in 3.39?
Top
shannon
Junior Member
Posts: 3
Joined: 11 Jul 2008, 13:06

Post by shannon »

Looks as though we're not the only ones seeing this. According to this post.

I've restarted lfd a few times while trying to resolve this, also added "user:" lines to csf.pignore in addition to the exec: lines, in an attempt to try and make the emails stop. :) No luck.

It's almost as if something happened and .pignore is just not being watched/followed at all.. I guess I could try removing it entirely to see if we get any *new* emails ontop of the ones we're already getting.... that would atleast tell me if the file is being taken into account at all.
Top
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

That is odd. On my CentOS v5.2 server hald is running under root, not haldaemon.

Edit: just read that you tried excluding the haldaemon user.

I'll check the code.
Top
shannon
Junior Member
Posts: 3
Joined: 11 Jul 2008, 13:06

Post by shannon »

In case it helps, here's a couple of the weird emails we just started getting in the last week or so.. all are from CentOS 5.2 servers or CentOS 5.2 xen DomUs, none of them used to do this until shortly after the 5.2 upgrade. :(

Code: Select all

Time:         Tue Jul 22 19:47:25 2008
Account:      haldaemon
Resource:     Process Time
Exceeded:     1072216 > 1800 (seconds)
Executable:   /usr/sbin/hald
Command Line: hald
PID:          1818
Killed:       No
And here is our csf.pignore from one of said boxes:

Code: Select all

exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/sbin/portmap
user:root
user:named
user:apache
user:ntp
user:dbus
user:smmsp
user:postfix
user:www-data
Also seeing an occasional one for dbus as well... Don't seem to have any of those in my inbox just now however. :)
Top
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I've tried, but have been unable to replicate this problem (csf.pignore always works for me). If you have a server with this issue that I can access, please log a ticket.
Top
dinot
Junior Member
Posts: 4
Joined: 12 Sep 2007, 09:18

Post by dinot »

I set PT_ALL_USERS to 1, and started receiving these mails:

Code: Select all

Time:         Sun Sep 14 10:07:50 2008 +0000
Account:      dbus
Resource:     Process Time
Exceeded:     4039170 > 1800 (seconds)
Executable:   /usr/bin/dbus-daemon-1 uZ/eYdz4P0G7GqCa (deleted)
Command Line: dbus-daemon-1 --system
PID:          5282
Killed:       No
I have these 3 lines (regarding dbus) in csf.pignore:

Code: Select all

exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
user:dbus
I added user:dbus myself to see if that would make a difference, and restarted csf. The mails are still coming in. OS is Centos 4.7

Any ideas?
Top
Snowman
Junior Member
Posts: 61
Joined: 11 Dec 2006, 02:09

Post by Snowman »

we have this occuring on all of our cPanel servers, all are running centos 4.7 or centos 5.2

I find that its all deleted processes that this occurs on and mostly postgres, hald and mysqld processes if that makes any difference
Top
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

For deleted binary processes:
http://www.configserver.com/techfaq/index.php?faqid=72
Top
Snowman
Junior Member
Posts: 61
Joined: 11 Dec 2006, 02:09

Post by Snowman »

Thanks for the tips on that...damn i have a lot of processes to restart across one hell of a lot of servers then... going to be a busy night :(
Top
linuxer
Junior Member
Posts: 1
Joined: 30 Jun 2007, 14:02

Re:

Post by linuxer »

I get something like this
the following is already in the ignore file

exe:/usr/bin/dbus-daemon-1


Time: Fri Sep 19 15:58:59 2008 +0400
Account: dbus
Resource: Process Time
Exceeded: 6626985 > 1800 (seconds)
Executable: /usr/bin/dbus-daemon-1 (deleted)
Command Line: dbus-daemon-1 --system
PID: 4650
Killed: No

I did read the post to restart binaries and under /etc/init.d i dont see dbus

can you please guid me on how to prevent this message from coming

also i get the following very often

Time: Fri Sep 19 15:41:18 2008 +0400
File: /tmp/.wapi
Reason: Suspicious directory
Owner: nobody:nobody
Action: No action taken

But there is no file to delete when you go and check, can you help me out.
\
Thanks
Top
Locked

Return to “Report Bugs (csf)”