Bobcares

cPanel LFD

by | Apr 18, 2022

Willing to know about cPanel LFD? We can help you.

As part of our Server Management Services, we assist our customers with similar queries.

Today, let us see how our Support techs assist with this query.

cPanel LFD

Basically, LFD is a process that’s part of the CSF (ConfigServer Security & Firewall) that periodically checks for potential threats to a server.

LFD looks for such attacks as brute-force login attempts and if found blocks the IP address attempting to attack that server.

CSF and LFD  provide you with various notifications to help keep track of important events taking place in your server.

1.Excessive resource usage alert

LFD has a feature in place to watch running processes to see if they are using too many resources.

For some of these resources, you can even configure how much counts as too much.

In some cases, if a process is using more resources than expected, this can indicate a security issue.

Even if it does not, it should be investigated to check whether or not something is misconfigured, which can cause loading issues on the server.

Sometimes you may find yourself receiving a lot of resource usage alert emails and might want to get them disable.

Make sure to double check that they are indeed false-positives before ignoring or disabling them.

To disable such notifications, go to WHM >> Plugins section >> ConfigServer Security & Firewall.

Then, pproceed to CSF >> Firewall Configuration.

There, find the PT_USERMEM and PT_USERTIME parameters and change their values to 0.

This will disable the notifications completely as these parameters define the threshold after which the notifications will be sent.

Once you have done this, scroll down and click on the Change button.

On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.

There is also an ignore list at /etc/csf/csf.pignore that can be used to either whitelist usernames or full paths to binaries.

The following format should be used in the file:

exe:/full/path/to/file
user:username
cmd:command line

The file can be edited via SSH using your editor of choice.

After the changes are done, you need to reload CSF and restart LFD using the following SSH  command:

csf -r or service lfd restart

2. System integrity alert

LFD has a feature in place to check for changes in certain system files.

This helps to detect compromised files but also sends you an alert any time these files are changed by legitimate system updates.

We recommend to keep these types of notifications enabled so that you can investigate all unexpected changes as soon as possible.

Still, if you wish to disable these notifications, you can do it in the following way:

Go to WHM >> Plugins >> ConfigServer Security & Firewall.

Then, proceed to CSF >> Firewall Configuration.

There, find the LF_INTEGRITY parameter and set its value to 0.

Once you have done this, scroll down and click the Change button.

On the next page, you will see the Changes saved. You should restart both csf and lfd. message.

Click Restart csf+lfd and the changes will be saved.

3. Suspicious process alert

The Process Tracking option enables tracking of user’s and nobody’s processes and examines them for suspicious executable files or opened network ports.

Its purpose is to identify potentially exploitative processes that are running on the server, even if they are obfuscated to appear as system services.

We recommend that you keep these types of notifications enabled so that you can check whether or not the process is actually suspicious.

If you still wish to disable these notifications, you can do it in the following way:

Go to WHM >> Plugins section >> ConfigServer Security & Firewall.

Then, proceed to CSF >> Firewall Configuration.

There, you will find the PT_LIMIT parameter. Please set its value to 0.

Once you have done this, scroll down and click the Change button.

On the next page, you will see the Changes saved.

You should restart both csf and lfd. message.

Click Restart csf+lfd and the changes will be saved.

After the changes to the file are done, you need to reload CSF and restart LFD using the following command:

csf -r or service lfd restart

4. Alert about IP block

CSF/LFD automatically blocks IP addresses for certain configurable reasons.

By default, any time the system blocks an IP address, it will send you an email to let you know which IP was blocked and why it was blocked.

The message also contains information about the time the permanent block was created and the amount of temporary blocks triggered.

We recommend that you first keep such notifications enabled to make sure that the firewall is configured correctly, blocking only the IP addresses you want blocked.

Once you’ve confirmed that everything is OK, you might want to disable these types of notifications so that your mailbox doesn’t get flooded with too many emails or distract you from the more helpful ones.

To enable such notifications, please do the following:

Go to WHM >> Plugins section >> ConfigServer Security & Firewall.

Then, pproceed to CSF >> Firewall Configuration.

There you will see list of parameters.

If you do not want to be notified about certain IP address blocks, please set the corresponding parameter from the list above to OFF.

Once you have done this, scroll down and click the Change button.

On the next page, you will see the Changes saved.

You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.

5. Email queue size alert

LFD has a feature in place for watching the length of email queues.

When many emails are sent from a server, the SMTP server automatically places them into an email queue where email messages await to be processed.

The delivery starts from the first ones and then carries on with the others.

If many messages accumulate in the email queue, this may lead to issues where emails are delivered with delays.

If you receive such a notification, it’s important to check what’s causing this situation.

Many emails that get stuck in this email queue may indicate a security issue.

If you wish to disable them, please follow these steps:

Go to WHM >> Plugins section >> ConfigServer Security & Firewall.

Now proceed to CSF >> Firewall Configuration.

There, locate the LF_QUEUE_ALERT parameter and set it to 0.

Alternatively, you can set a threshold value from 0 to 5000 for these notifications to be sent.

Once you have done this, please scroll down and click the Change button.

On the next page, you will see the Changes saved. You should restart both csf and lfd. message.

Click Restart csf+lfd and the changes will be saved.

6. Email script alert

Scripts usually involve the sendmail or exim binary.

When this happens, certain lines will appear in the LFD mail log which detects and notifies you if it happens repeatedly.

You can disable them following these steps:

Go to WHM >> Plugins section >> ConfigServer Security & Firewall.

Now proceed to CSF >> Firewall Configuration.

There, you will find the LF_SCRIPT_ALERT parameter. Set it to OFF.

Once you have done this, please scroll down and click the Change button.

On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.

7. Excessive processes alert

LFD also tracks the number of processes running under cPanel accounts.

Each visitor who accesses a PHP page will generate an entry process, but these processes usually end quickly.

It’s unlikely that 10 processes will be generated concurrently and at a single moment.

A large number of concurrent processes indicates high levels of traffic or an improperly-coded website that takes too long to finish one process.

Additionally, this kind of situation happens when there are DDoS attacks on the website.

If the traffic you have on the websites is legitimate, the notifications may be false-positive.

To modify the process limit or disable the notifications, go to WHM >> Plugins section >> ConfigServer Security & Firewall:

Now proceed to CSF >> Firewall Configuration.

There, you will find the PT_USERPROC parameter.

Set it to 0 if you want to stop receiving these notifications altogether.

Once you have done this, scroll down and click on the Change button.

On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.

[Stuck in between? We are glad to assist you]

Conclusion

In short, today we saw how our Support Techs assist with cPanel LFD.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF