Ignore rpc

Post Reply
thinkshovels
Junior Member
Posts: 1
Joined: 11 Aug 2016, 14:28

Ignore rpc

Post by thinkshovels »

Hi,

I am trying to have CSF/LFD not alert about rpc. I've tried adding the following exe's to the csf.pignore file to no avail:

exe:/sbin/rpcbind
exe:/usr/sbin/rpc.statd

For some reason I am still being bombarded with this alert:
Executable:

/usr/sbin/rpcbind


Command Line (often faked in exploits):

/sbin/rpcbind -w
I also tried adding them as cmd: as well with no difference.... am I missing something? Should it not just be add the exe lines and restart csf/lfd ?

Thanks.
Top
bitbanger
Junior Member
Posts: 1
Joined: 04 Apr 2018, 22:32

Re: Ignore rpc

Post by bitbanger »

Did you ever find a resolution to this? I have the same exact problem. I put "exe:/sbin/rpcbind" in the pignore file and restarted cfs (which also restarts lfd), and I still get the email warnings.

Thanks
Top
cautery
Junior Member
Posts: 13
Joined: 22 May 2015, 07:06

Re: Ignore rpc

Post by cautery »

Mmmm... this is STILL an issue in CentOS 7.0 with csf csf v12.12

I am trying to selectively stop BOTH...

rpcbind

AND

perl

warnings using "exe:" lines in csf.pignore, which seems to be the correct way to make this happen. As the docs say, I am trying to avoid using "cmd:" lines.

PLEASE could someone who has dealt with this issue successfully post their solution!!!

My INBOX fills up EVERY day with these warnings...

And I need both rpcbind (for NFS) and perl (for spamd) to be running all the time.

Thanks!

Here are the warning email texts:

Code: Select all

Time:         Fri Jun 21 06:09:35 2019 -0500
Account:      rpc
Resource:     Process Time
Exceeded:     12628 > 1800 (seconds)
Executable:   /usr/sbin/rpcbind
Command Line: /sbin/rpcbind -w
PID:          2322 (Parent PID:2322)
Killed:       No
AND

Code: Select all

Time:    Fri Jun 21 06:26:36 2019 -0500
PID:     3557 (Parent PID:3020)
Account: (account name removed for security)
Uptime:  13587 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/528/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

udp: (IP address removed):40118 -> (removed for security):24441
tcp: 127.0.0.1:783 -> 127.0.0.1:53468
Here are the lines I put in csf.pignore:

Code: Select all

exe:/usr/local/cpanel/3rdparty/perl/528/bin/perl

Code: Select all

exe:/usr/sbin/rpcbind
Top
cautery
Junior Member
Posts: 13
Joined: 22 May 2015, 07:06

SOLUTION!!!

Post by cautery »

I was adding a comment to the rpcbind exe: line on the same line, like this:

Code: Select all

exe:/usr/sbin/rpcbind  # Added by cautery 22 June 2019; 0543 hrs UTC to stop rpcbind warning emails
The comment appears to be interpreted as an argument or something and BREAKS the line.

Using this:

Code: Select all

exe:/usr/sbin/rpcbind
# Preceding line added by cautery 22 June 2019; 0543 hrs UTC to stop rpcbind warning emails
With the documentation comment on the NEW line, it works. No more rpcbind email warnings (which if the line is not working you get every time lfd restarts.

Now.... on the perl warnings, I read the readme.txt and realize that I should not do an exe: to the perl path or it will kill warnings on ALL perl scripts.... but the reason it was broken was also because of the same line comment.

I can figure out some other way to stop the spamd generated warnings via perl.... hopefully without having to resort to:

Code: Select all

cmd:spamd child
Top
Post Reply

Return to “General Discussion (csf)”