
Getting excessive LFD "Excessive resource usage" / "Suspicious process" messages?

posted 9 Mar 2016, 13:16 by Andrew at Lycom   [ updated 9 Mar 2016, 13:17 ]
I've been doing a project setting up a cPanel dedicated Linux CentOS server.

Part of the process involved getting the environment ready for hosting, and fine-tuning the various security / alerting options prior to it going live. One thing that I came across was a couple of excessive LFD alert emails every 30 mins or so:

e.g.
lfd on xxx.xxx.co.uk: Excessive resource usage: xxxxx (2305 (Parent PID:2305))
lfd on xxx.xxx.co.uk: Suspicious process running under user xxxxx

Pretty annoying, and when I checked out the source I found it wasn't anything to worry about; it had just tripped the default thresholds set up in the LFD daemon. What's that?

Short for Login Failure Daemon, LFD is a process that is part of ConfigServer Security & Firewall (CSF) and periodically checks a server for potential threats. It looks for attacks such as brute-force login attempts and, if it finds them, blocks the IP address attacking the server. Login failures are not all it watches, though: it also does process tracking, and the "Excessive resource usage" and "Suspicious process" alerts above come from that feature, which is governed by the PT_* settings in csf.conf (PT_LIMIT, PT_USERPROC, PT_USERMEM, PT_USERTIME and so on) rather than by the login-monitoring settings.

It's part of ConfigServer, a "Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers" bundled with my server build / cPanel. Useful, but like the boy who cried wolf, too many emails crying "wolf" get ignored and you end up missing a real incident.

So, I logged in with SSH as root, found the CSF configuration file (/etc/csf/csf.conf) and edited a couple of options to fit my setup.

Then I found the /etc/csf/csf.pignore file and edited it to exclude the executable that was generating the spurious results:

exe:/usr/sbin/the_executable

Then I restarted csf and lfd when done:

csf -r
service lfd restart
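The steps above (look at the PT_* thresholds that trigger these alerts, add an exe: line to csf.pignore, then restart csf and lfd) wrapped into a small POSIX shell helper. This is an added example, not the post author's script and not part of CSF; the function names are my own, and it assumes the stock CSF file locations (/etc/csf/csf.conf and /etc/csf/csf.pignore) and the stock csf.pignore entry types (exe:, cmd:, user:, pexe:, pcmd:, puser:). Point PIGNORE and CSF_CONF at scratch files to try it without touching a live server.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently add a csf.pignore
# entry for the binary that keeps triggering LFD process-tracking alerts,
# show the PT_* thresholds behind those alerts, then restart csf and lfd.
# Defaults point at the real CSF files; set PIGNORE / CSF_CONF to other
# paths to try it offline. Function names are my own, not CSF's.

PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# pignore_add KIND VALUE
# Appends "KIND:VALUE" (e.g. exe:/usr/sbin/the_executable) to csf.pignore
# unless that exact line is already there, so re-running it is harmless.
# Returns 0 = added, 1 = already present, 2 = rejected input.
pignore_add() {
    kind="$1"; value="$2"
    case "$kind" in
        exe|cmd|user|pexe|pcmd|puser) ;;
        *) echo "pignore_add: unknown entry type '$kind'" >&2; return 2 ;;
    esac
    # exe:/pexe: entries are matched against the absolute path of the
    # running binary; a relative path would silently never match.
    case "$kind" in
        exe|pexe)
            case "$value" in
                /*) ;;
                *) echo "pignore_add: '$value' is not an absolute path" >&2; return 2 ;;
            esac ;;
    esac
    entry="$kind:$value"
    if grep -qxF -- "$entry" "$PIGNORE" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$PIGNORE"
}

# csf_get KEY: print the value of a KEY = "value" line from csf.conf
csf_get() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$CSF_CONF" | tail -n 1
}

# pt_thresholds: print the process-tracking limits that produce the
# "Excessive resource usage" / "Suspicious process" alerts.
pt_thresholds() {
    for key in PT_LIMIT PT_USERPROC PT_USERMEM PT_USERTIME PT_USERKILL; do
        printf '%-12s = %s\n' "$key" "$(csf_get "$key")"
    done
}

# csf_restart: "csf -ra" restarts both csf and lfd, which is needed before a
# new csf.pignore line takes effect (lfd reads the file at startup).
csf_restart() {
    if command -v csf >/dev/null 2>&1; then
        csf -ra
    else
        echo "csf not installed on this host; skipping restart" >&2
        return 1
    fi
}

# Usage on the live server (as root):
#   pt_thresholds
#   pignore_add exe /usr/sbin/the_executable && csf_restart
```

Two things worth doing before committing an exe: line. First, confirm the binary really is what it claims to be, for example with rpm -Vf /usr/sbin/the_executable on CentOS, because an exe: entry tells lfd never to report that path again, so a trojaned copy dropped at the same path would also go unreported. Second, if the process is merely large or long-running rather than suspicious in itself, raising PT_USERMEM or PT_USERTIME in csf.conf is the narrower fix; whitelisting the binary switches off process-tracking for it entirely.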

Checked my emails for a few hours, and they had settled down - I still got various alerts (e.g. telling me I had logged on via SSH) but not so many that I didn't look at them any more.