csf.pignore being... ignored, in csf: v3.39 (generic)
Couple of non-cPanel boxes that have upgraded themselves to 3.39 (generic), and we're now seeing a constant influx of warning emails such as:
Time: Fri Jul 11 07:22:19 2008
Account: haldaemon
Resource: Process Time
Exceeded: 76977 > 1800 (seconds)
Executable: /usr/sbin/hald
Command Line: hald
PID: 1818
Killed: No
What's weird is, in the csf.pignore we already had:
exec:/usr/sbin/hald
and when this first started yesterday, we added a:
user:haldaemon
and we're still getting the messages. These are centos boxes, and we're seeing emails for haldaemon, dbus, and mysql at this time. When we first installed csf we saw the same thing, but added the relevant "exec:" lines to csf.pignore and the emails stopped... but now they're back.
Now that I'm thinking about it, we did do a yum upgrade from centos 5.1 to 5.2 this week on these boxes, so it could be something that changed as a result of that... might not be a bug in 3.39?
Looks as though we're not the only ones seeing this. According to this post.
I've restarted lfd a few times while trying to resolve this, also added "user:" lines to csf.pignore in addition to the exec: lines, in an attempt to try and make the emails stop. No luck.
It's almost as if something happened and .pignore is just not being watched/followed at all.. I guess I could try removing it entirely to see if we get any *new* emails on top of the ones we're already getting.... that would at least tell me if the file is being taken into account at all.
In case it helps, here's a couple of the weird emails we just started getting in the last week or so.. all are from CentOS 5.2 servers or CentOS 5.2 xen DomUs, none of them used to do this until shortly after the 5.2 upgrade.
Time: Tue Jul 22 19:47:25 2008
Account: haldaemon
Resource: Process Time
Exceeded: 1072216 > 1800 (seconds)
Executable: /usr/sbin/hald
Command Line: hald
PID: 1818
Killed: No
And here is our csf.pignore from one of said boxes:
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/sbin/portmap
user:root
user:named
user:apache
user:ntp
user:dbus
user:smmsp
user:postfix
user:www-data
Also seeing an occasional one for dbus as well... Don't seem to have any of those in my inbox just now however.
I set PT_ALL_USERS to 1, and started receiving these mails:
Time: Sun Sep 14 10:07:50 2008 +0000
Account: dbus
Resource: Process Time
Exceeded: 4039170 > 1800 (seconds)
Executable: /usr/bin/dbus-daemon-1 uZ/eYdz4P0G7GqCa (deleted)
Command Line: dbus-daemon-1 --system
PID: 5282
Killed: No
I have these 3 lines (regarding dbus) in csf.pignore:
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
user:dbus
I added user:dbus myself to see if that would make a difference, and restarted csf. The mails are still coming in. OS is Centos 4.7
Any ideas?
For deleted binary processes:
http://www.configserver.com/techfaq/index.php?faqid=72
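
The dbus reports in this thread show an Executable ending in "(deleted)" while csf.pignore lists the bare path. The script below is an added example, not part of the thread and not csf's own code; it separates those cases under the assumption that an exe: entry is compared literally with the path reported for the process. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Assumption: an exe: entry matches only when it equals the
# executable path reported for the process, so "<path> (deleted)" never matches.

# Print the path of every exe: entry in a csf.pignore-style file.
pignore_exes() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^exe:[[:space:]]*//p' "$1"
}

# classify_exe <reported-path> <pignore-file>  ->  ignored | stale-binary | not-listed
classify_exe() {
    local reported="$1" file="$2" base
    if pignore_exes "$file" | grep -Fxq -- "$reported"; then
        echo ignored; return
    fi
    case $reported in
        *" (deleted)")
            # Drop the suffix and anything after the first space, as in the
            # "dbus-daemon-1 uZ/... (deleted)" report (paths with spaces not handled).
            base=${reported%" (deleted)"}
            base=${base%% *}
            if pignore_exes "$file" | grep -Fxq -- "$base"; then
                echo stale-binary; return
            fi ;;
    esac
    echo not-listed
}

# List every live process with its classification: PID, class, reported path.
scan_proc() {
    local file="$1" link pid target
    for link in /proc/[0-9]*/exe; do
        target=$(readlink "$link" 2>/dev/null) || continue
        pid=${link#/proc/}; pid=${pid%/exe}
        printf '%s\t%s\t%s\n' "$pid" "$(classify_exe "$target" "$file")" "$target"
    done
}

# Constructed sample built from entries quoted in this thread.
sample=$(mktemp)
printf '%s\n' 'exe:/usr/sbin/hald' 'exe:/usr/bin/dbus-daemon-1' 'user:dbus' > "$sample"
for p in '/usr/sbin/hald' '/usr/bin/dbus-daemon-1 (deleted)' '/usr/sbin/crond'; do
    printf '%-13s %s\n' "$(classify_exe "$p" "$sample")" "$p"
done
rm -f "$sample"
```

On a live host, `scan_proc /etc/csf/csf.pignore` lists each PID with its class. A stale-binary line means the process is still running a binary that has since been replaced on disk, which is the situation the FAQ link above addresses.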
Re:
I get something like this
the following is already in the ignore file
exe:/usr/bin/dbus-daemon-1
Time: Fri Sep 19 15:58:59 2008 +0400
Account: dbus
Resource: Process Time
Exceeded: 6626985 > 1800 (seconds)
Executable: /usr/bin/dbus-daemon-1 (deleted)
Command Line: dbus-daemon-1 --system
PID: 4650
Killed: No
I did read the post to restart binaries, and under /etc/init.d I don't see dbus.
Can you please guide me on how to prevent this message from coming?
Also I get the following very often:
Time: Fri Sep 19 15:41:18 2008 +0400
File: /tmp/.wapi
Reason: Suspicious directory
Owner: nobody:nobody
Action: No action taken
But there is no file to delete when you go and check, can you help me out.
Thanks