Ignore rpc
Posted: 12 Aug 2016, 13:37
by thinkshovels
Hi,
I am trying to have CSF/LFD not alert about rpc. I've tried adding the following exe's to the csf.pignore file to no avail:
exe:/sbin/rpcbind
exe:/usr/sbin/rpc.statd
For some reason I am still being bombarded with this alert:
Executable:
/usr/sbin/rpcbind
Command Line (often faked in exploits):
/sbin/rpcbind -w
I also tried adding them as cmd: as well, with no difference... Am I missing something? Should it not just be: add the exe lines and restart csf/lfd?
Thanks.
Re: Ignore rpc
Posted: 04 Apr 2018, 22:37
by bitbanger
Did you ever find a resolution to this? I have the same exact problem. I put "exe:/sbin/rpcbind" in the pignore file and restarted csf (which also restarts lfd), and I still get the email warnings.
Thanks
Re: Ignore rpc
Posted: 21 Jun 2019, 16:56
by cautery
Mmmm... this is STILL an issue in CentOS 7.0 with csf v12.12
I am trying to selectively stop BOTH...
rpcbind
AND
perl
warnings using "exe:" lines in csf.pignore, which seems to be the correct way to make this happen. As the docs say, I am trying to avoid using "cmd:" lines.
PLEASE could someone who has dealt with this issue successfully post their solution!!!
My INBOX fills up EVERY day with these warnings...
And I need both rpcbind (for NFS) and perl (for spamd) to be running all the time.
Thanks!
Here are the warning email texts:
Code:
Time: Fri Jun 21 06:09:35 2019 -0500
Account: rpc
Resource: Process Time
Exceeded: 12628 > 1800 (seconds)
Executable: /usr/sbin/rpcbind
Command Line: /sbin/rpcbind -w
PID: 2322 (Parent PID:2322)
Killed: No
AND
Code:
Time: Fri Jun 21 06:26:36 2019 -0500
PID: 3557 (Parent PID:3020)
Account: (account name removed for security)
Uptime: 13587 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/528/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
udp: (IP address removed):40118 -> (removed for security):24441
tcp: 127.0.0.1:783 -> 127.0.0.1:53468
Here are the lines I put in csf.pignore:
Code:
exe:/usr/local/cpanel/3rdparty/perl/528/bin/perl
SOLUTION!!!
Posted: 22 Jun 2019, 07:05
by cautery
I was adding a comment to the rpcbind exe: line on the same line, like this:
Code:
exe:/usr/sbin/rpcbind # Added by cautery 22 June 2019; 0543 hrs UTC to stop rpcbind warning emails
The comment appears to be interpreted as an argument or something and BREAKS the line.
Using this:
Code:
exe:/usr/sbin/rpcbind
# Preceding line added by cautery 22 June 2019; 0543 hrs UTC to stop rpcbind warning emails
With the documentation comment on the NEW line, it works. No more rpcbind email warnings (which, if the line is not working, you get every time lfd restarts).
Now... on the perl warnings, I read the readme.txt and realized that I should not do an exe: to the perl path or it will kill warnings on ALL perl scripts... but the reason it was broken was also because of the same line comment.
I can figure out some other way to stop the spamd generated warnings via perl.... hopefully without having to resort to:
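
Added example (not part of any post in this thread and not csf's own code): a small checker for the exe: lines of csf.pignore that flags the inline-comment problem found above, an exe: line pointing at a script interpreter, and a mismatch between the exe: path and the path on the alert's "Executable:" line. It assumes, from the behaviour reported in the thread rather than from csf's source, that an entry only matches when everything after exe: equals the reported path; the function names and the interpreter list are hypothetical.

```python
import re

# Constructed sample input, assembled from lines quoted in the thread.
SAMPLE_PIGNORE = """\
exe:/sbin/rpcbind
exe:/usr/sbin/rpcbind # Added by cautery to stop rpcbind warning emails
exe:/usr/local/cpanel/3rdparty/perl/528/bin/perl
# a comment on its own line is fine
exe:/usr/sbin/rpc.statd
"""
SAMPLE_ALERT = "Executable: /usr/sbin/rpcbind\nCommand Line: /sbin/rpcbind -w\n"

# Assumption: basenames treated as script interpreters (illustrative list).
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}


def alert_executables(alert_text):
    """Paths from 'Executable:' lines; the path may be on the following line."""
    return re.findall(r"^Executable:\s*(\S+)", alert_text, re.M)


def lint_pignore(pignore_text, alert_text=""):
    """Return (line_no, message) findings for exe: lines; line 0 = whole file."""
    findings, literal_values = [], set()
    for no, line in enumerate(pignore_text.splitlines(), 1):
        if not line.startswith("exe:"):
            continue  # whole-line comments, blanks and cmd: lines are not checked
        value = line[len("exe:"):]
        path = value.split()[0] if value.split() else ""
        if value != path:
            findings.append((no, "text after the path; put comments on their own line"))
        if path.rsplit("/", 1)[-1] in INTERPRETERS:
            findings.append((no, "interpreter path: ignores every script it runs"))
        # Assumption: the entry only matches when the whole value equals the path.
        literal_values.add(value)
    for exe in alert_executables(alert_text):
        if exe not in literal_values:
            findings.append((0, f"no exe: line exactly equals reported {exe}"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_pignore(SAMPLE_PIGNORE, SAMPLE_ALERT):
        print(f"line {no}: {msg}")
```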