Pls help me see why lfd drops rules during the day
Posted: 21 Sep 2016, 20:32
I'm running csf on my debian 8 server to try to mitigate against login attacks. To give Apache and php5-fpm more memory we moved mysql to another server and I wrote additional iptables scripts to allow mysql traffic on the apache server and put them into
/etc/csf/csfpre.sh
/etc/csf/csfpost.sh
so that they would be included on startup. They are set with chmod u+x and have the required #!bash in the first line. I tested them yesterday by going through a server reboot and the rules are working so they are being used.
So today, Wednesday (Monday as well), apache server is talking to the mysql server when all of a sudden at 2:12 p.m. local time I get notice that my apache server is down. The error indicates that apache cannot talk to mysql so I check the lfd log. It shows the csf daemon going through its midnight reset. But what I cannot understand is why is it going through a reset at 2:12 p.m. local time?
My debian server is set to CDT.
I appear to be running v9.20 (generic)
I have run apt-get install libwww-perl to get rid of the XXXXXX but it still shows up in the log.
So why did it restart itself at this time? And why are my additional firewall rules not being picked up?
thx, sam
my tail of the lfd log is below:
sudo tail -500 /var/log/lfd.log
Sep 21 00:00:02 myserver lfd[5073]: daemon started on myserver - csf v9.20 (generic)
Sep 21 00:00:02 myserver lfd[5073]: *WARNING* Unable to send email reports - [/usr/sbin/sendmail] not found
Sep 21 00:00:02 myserver lfd[5073]: CSF Tracking...
Sep 21 00:00:02 myserver lfd[5073]: IPv6 Enabled...
Sep 21 00:00:02 myserver lfd[5073]: LOAD Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Country Code Lookups...
Sep 21 00:00:02 myserver lfd[5073]: System Integrity Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Exploit Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Directory Watching...
Sep 21 00:00:02 myserver lfd[5073]: Temp to Perm Block Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Process Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Account Tracking...
Sep 21 00:00:02 myserver lfd[5073]: SSH Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Webmin Tracking...
Sep 21 00:00:02 myserver lfd[5073]: SU Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Console Tracking...
Sep 21 00:00:02 myserver lfd[5073]: Watching /var/log/customlog...
Sep 21 00:00:02 myserver lfd[5073]: Watching /var/log/secure...
Sep 21 00:00:02 myserver lfd[5073]: Watching /var/log/messages...
Sep 21 00:00:02 myserver lfd[5073]: Watching /var/log/apache2/error.log...
Sep 21 00:00:02 myserver lfd[5073]: Watching /var/log/auth.log...
Sep 21 00:00:02 myserver lfd[5083]: *Suspicious Process* PID:1108 PPID:985 User:www-data Uptime:67468 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
Sep 21 00:00:02 myserver lfd[5083]: Unable to send SENDMAIL alert via [/usr/sbin/sendmail]: No such file or directory at /usr/sbin/lfd line 3739.
Sep 21 00:00:02 myserver lfd[5083]: daemon stopped
Sep 21 00:00:04 myserver lfd[5080]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Sep 21 00:00:04 myserver lfd[5080]: Unable to send SENDMAIL alert via [/usr/sbin/sendmail]: No such file or directory at /usr/sbin/lfd line 6392.
Sep 21 00:00:04 myserver lfd[5080]: daemon stopped
Sep 21 00:00:07 myserver lfd[5073]: *Error* pid mismatch or missing, at line 907
Sep 21 00:00:07 myserver lfd[5073]: daemon stopped
Sep 21 14:12:07 myserver lfd[23855]: daemon started on myserver - csf v9.22 (generic)
Sep 21 14:12:07 myserver lfd[23855]: *WARNING* Unable to send email reports - [/usr/sbin/sendmail] not found
Sep 21 14:12:07 myserver lfd[23855]: CSF Tracking...
Sep 21 14:12:07 myserver lfd[23855]: IPv6 Enabled...
Sep 21 14:12:07 myserver lfd[23855]: LOAD Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Country Code Lookups...
Sep 21 14:12:07 myserver lfd[23855]: System Integrity Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Exploit Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Directory Watching...
Sep 21 14:12:07 myserver lfd[23855]: Temp to Perm Block Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Process Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Account Tracking...
Sep 21 14:12:07 myserver lfd[23855]: SSH Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Webmin Tracking...
Sep 21 14:12:07 myserver lfd[23855]: SU Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Console Tracking...
Sep 21 14:12:07 myserver lfd[23855]: Watching /var/log/secure...
Sep 21 14:12:07 myserver lfd[23855]: Watching /var/log/customlog...
Sep 21 14:12:07 myserver lfd[23855]: Watching /var/log/messages...
Sep 21 14:12:07 myserver lfd[23855]: Watching /var/log/auth.log...
Sep 21 14:12:07 myserver lfd[23855]: Watching /var/log/apache2/error.log...
Sep 21 14:12:07 myserver lfd[23864]: *Suspicious Process* PID:1108 PPID:985 User:www-data Uptime:118593 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
Sep 21 14:12:07 myserver lfd[23864]: Unable to send SENDMAIL alert via [/usr/sbin/sendmail]: No such file or directory at /usr/sbin/lfd line 3739.
Sep 21 14:12:07 myserver lfd[23864]: daemon stopped
Sep 21 14:12:10 myserver lfd[23862]: *System Integrity* has detected modified file(s): /usr/sbin/csf /usr/sbin/lfd
Sep 21 14:12:10 myserver lfd[23862]: Unable to send SENDMAIL alert via [/usr/sbin/sendmail]: No such file or directory at /usr/sbin/lfd line 6392.
Sep 21 14:12:10 myserver lfd[23862]: daemon stopped
Sep 21 14:12:12 myserver lfd[23855]: *Error* pid mismatch or missing, at line 907
Sep 21 14:12:12 myserver lfd[23855]: daemon stopped
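One way to pin down when lfd was restarted and whether the binary changed underneath it: the posted log shows the version going from v9.20 at 00:00 to v9.22 at 14:12, so listing every "daemon started" line with its version and flagging starts outside the midnight window or with a version change makes an unexpected update visible at a glance. This is an added example, not code from the original post or from csf; it assumes the lfd.log line format shown above and works on a constructed sample modelled on those lines.

```shell
#!/bin/sh
# Added example (not from the post or the csf project): report every lfd
# "daemon started" event with the csf version it announced, flagging starts
# that fall outside the midnight restart window and starts whose version
# differs from the previous one (a sign the csf/lfd binaries were updated).
# Assumes the lfd.log format shown in the post.

# Constructed sample, modelled on the lines in the posted log.
SAMPLE_LOG='Sep 21 00:00:02 myserver lfd[5073]: daemon started on myserver - csf v9.20 (generic)
Sep 21 00:00:07 myserver lfd[5073]: daemon stopped
Sep 21 14:12:07 myserver lfd[23855]: daemon started on myserver - csf v9.22 (generic)
Sep 21 14:12:12 myserver lfd[23855]: daemon stopped'

# Print one line per start: "<Mon> <day> <time> <version> <flags>".
# flags: "ok" for a start at 00:00 with an unchanged version, "offhours"
# for a start outside the midnight window, plus "upgraded" when the
# version differs from the previous start.
report_starts() {
    printf '%s\n' "$1" | awk '
        /daemon started/ {
            ts = $1 " " $2 " " $3
            ver = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^v[0-9]/) ver = $i
            flag = "ok"
            if (substr($3, 1, 5) != "00:00") flag = "offhours"
            if (prev != "" && ver != prev) flag = flag " upgraded"
            print ts, ver, flag
            prev = ver
        }'
}

# On a live box: report_starts "$(sudo tail -500 /var/log/lfd.log)"
report_starts "$SAMPLE_LOG"
```

A start flagged "offhours upgraded", as at 14:12 here, points at an update of /usr/sbin/csf and /usr/sbin/lfd rather than the scheduled midnight restart; that is the event to line up against the csfpre.sh/csfpost.sh rules being reloaded.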