csf.pignore just not working!
Posted: 28 Apr 2016, 06:26
These are our settings on a number of mixed centos installations (Centos 6, and 7) running latest Cloudlinux kernels. We have dozens of servers for which csf.pignore is just not working
csf:v8.22
PT_LIMIT = "600"
PT_INTERVAL = "60"
PT_SKIP_HTTP = "0"
PT_ALL_USERS = "1"
PT_DELETED = "0"
PT_DELETED_ACTION = ""
PT_USERPROC = "50"
PT_USERMEM = "0"
PT_USERTIME = "3600"
PT_USERKILL = "0"
PT_USERKILL_ALERT = "0"
PT_USER_ACTION = ""
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "15"
PT_LOAD_SKIP = "3600"
PT_APACHESTATUS = "http://127.0.0.1/whm-server-status"
PT_LOAD_ACTION = ""
PT_FORKBOMB = "0"
PT_SSHDHUNG = "0"
Here are a couple of examples of the kinds of alerts we are receiving, but shouldn't
e.g.
Time: Thu Apr 28 06:03:04 2016 +0100
Account: mailman
Resource: Process Time
Exceeded: 175985 > 3600 (seconds)
Executable: /usr/bin/python
Command Line: /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
PID: 719206 (Parent PID:719206)
Killed: No
Files: [files]
# cat /proc/719206/cmdline
/usr/local/cpanel/3rdparty/bin/python/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl-sstart
in csf.pignore
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman
Another e.g. just to see if we could block an alert we actually wanted to see - but again, the pignore file is... well... ignored!
Time: Thu Apr 28 06:03:18 2016 +0100
Account: redacted
Resource: Process Time
Exceeded: 11562 > 600 (seconds)
Executable: /opt/alt/php53/usr/bin/lsphp
Command Line: lsphp
PID: 563358 (Parent PID:563358)
Killed: No
Files: [files]
# cat /proc/563358/cmdline
lsphp
# ls -la /proc/563358/exe
lrwxrwxrwx 1 redacted redacted 0 Apr 28 02:51 /proc/563358/exe -> /opt/alt/php53/usr/bin/lsphp*
in csf.pignore
pexe:/opt/alt/php[0-9][0-9]/usr/bin/lsphp.*
exe:/opt/alt/php52/usr/bin/lsphp
exe:/opt/alt/php53/usr/bin/lsphp
exe:/opt/alt/php54/usr/bin/lsphp
exe:/opt/alt/php55/usr/bin/lsphp
exe:/opt/alt/php70/usr/bin/lsphp
cmd:lsphp
None of the above will stop the alerts!
We have carefully checked the regexes in csf.pignore and they are all valid pcre regex - Happy to send along if you want to have a look.
As a host we would prefer this was working properly, and would be happy to pay for the product.
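As an added diagnostic (not csf's own code and not from the original post), this Python script takes the three process fields csf's alerts show (owner, target of /proc/<pid>/exe, NUL-separated /proc/<pid>/cmdline) and reports which csf.pignore rules match them, trying each regex both anchored and as a substring search because the post does not say which csf uses. Assumed: exe:/cmd:/user: compare whole strings and pexe:/pcmd:/puser: are Perl-style regexes; the sample processes and pignore lines are constructed from the two alerts above, keeping only the php53 exe: entry.

```python
import os
import pwd
import re
from collections import namedtuple

# pid, owning user, target of /proc/<pid>/exe, raw bytes of /proc/<pid>/cmdline
Proc = namedtuple("Proc", "pid user exe cmdline_raw")

def cmdline_text(raw: bytes) -> str:
    # /proc/<pid>/cmdline separates argv entries with NUL bytes; `cat` prints NUL as nothing,
    # which is why the post's output shows ".../python/usr/local/...mailmanctl-sstart" run together.
    return " ".join(a.decode("utf-8", "replace") for a in raw.split(b"\0") if a)

def read_proc(pid: int) -> Proc:
    # Collect the same three fields from a live /proc entry (Linux only).
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as fh:
        raw = fh.read()
    return Proc(pid, pwd.getpwuid(os.stat(base).st_uid).pw_name, os.readlink(f"{base}/exe"), raw)

def parse_pignore(text: str):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, _, value = line.partition(":")
            rules.append((kind.strip(), value.strip()))
    return rules

def rule_matches(kind: str, value: str, proc: Proc, anchored: bool) -> bool:
    # Assumed semantics: exe/cmd/user compare the whole string, pexe/pcmd/puser are regexes.
    # `anchored` selects fullmatch (regex must cover the subject) versus search (any substring).
    exe = proc.exe[:-10] if proc.exe.endswith(" (deleted)") else proc.exe  # binary replaced on disk
    cmd = cmdline_text(proc.cmdline_raw)
    subject = {"exe": exe, "cmd": cmd, "user": proc.user}[kind.lstrip("p")]
    if not kind.startswith("p"):
        return subject == value
    return (re.fullmatch if anchored else re.search)(value, subject) is not None

def matching_rules(pignore_text: str, proc: Proc, anchored: bool = True):
    return [f"{k}:{v}" for k, v in parse_pignore(pignore_text) if rule_matches(k, v, proc, anchored)]

PIGNORE = """pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman
pexe:/opt/alt/php[0-9][0-9]/usr/bin/lsphp.*
exe:/opt/alt/php53/usr/bin/lsphp
cmd:lsphp"""  # constructed from the post's csf.pignore entries, not a real file
MAILMAN = Proc(719206, "mailman", "/usr/bin/python",  # constructed from the first alert
               b"/usr/local/cpanel/3rdparty/bin/python\0/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl\0-s\0start\0")
LSPHP = Proc(563358, "redacted", "/opt/alt/php53/usr/bin/lsphp", b"lsphp\0")  # second alert
```

On the affected server, `matching_rules(PIGNORE, read_proc(pid), anchored)` checks a live process against the real file contents. For the mailmanctl process the pcmd rule is only a prefix of the full command line, so it matches only as an unanchored search, while all three lsphp rules match either way.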