1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

LFD ignore process dosn't work

Discussion in 'Security' started by shuman202, Jul 25, 2012.

0
  1. #1
    hello guys
    i opened the following
    WHM >> "ConfigServer Security&Firewall" >> "lfd - Login Failure Daemon"
    i have tried to configur the LFD to ignore a user and i wrote the following
    user:username
    and restarted the script
    but the firewall still sending me email about that user
    how can i congigure the LFD to completely ignore a user from the watching
    the csf.pignore contains the following

    
###############################################################################
# Copyright 2006-2010, Way to the Web Limited
#
#
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex
[*]
# puser:username as a perl regex
[*]
# pcmd:command line as a perl regex
[*]
#
#
[*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/cpanel/cpsrvd
exe:/usr/local/cpanel/3rdparty/bin/imapd
exe:/usr/local/cpanel/bin/cppop
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/local/cpanel/3rdparty/bin/php
exe:/usr/local/cpanel/3rdparty/bin/analog
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/local/cpanel/cpsrvd-ssl
exe:/usr/bin/spamc
exe:/usr/local/cpanel/bin/cppop-ssl
exe:/usr/local/cpanel/bin/logrunner
exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/bin/cpwrap
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
user:mailnull
user:mailman
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/nsd
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/var/cpanel/3rdparty/bin/php
user:myangel
    Code (markup):

     
    shuman202, Jul 25, 2012 IP
  2. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    35
    Best Answers:
    7
    Trophy Points:
    173
    #2
    Yes, that's the correct format. Is it possible for you to paste the email content you receive ?
     
    MilesWeb, Jul 27, 2012 IP
  3. shuman202

    shuman202 Well-Known Member

    Messages:
    638
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    145
    Digital Goods:
    1
    #3
    thank you for reply
    i get the following email

    
Time:    Thu Jul 26 18:08:29 2012 +0200
PID:     7496
Account: myangel
Uptime:  155 seconds


Executable:

/usr/local/bin/php


Command Line (often faked in exploits):

/usr/local/bin/php -c /imports/php5/php.ini mirrors/easyshare.php 01INC5W5 0


Network connections by the process (if any):

tcp: 204.197.246.137:55259 -> 95.211.187.202:80


Files open by the process (if any):

/dev/null
/dev/null


Memory maps by the process (if any):

08048000-08611000 r-xp 00000000 00:5b 423654555                          /usr/local/bin/php
08611000-0863d000 rw-p 005c9000 00:5b 423654555                          /usr/local/bin/php
0863d000-08647000 rw-p 0863d000 00:00 0
08ebb000-09009000 rw-p 08ebb000 00:00 0                                  [heap]
b7316000-b7320000 r-xp 00000000 00:5b 364944440                          /lib/libnss_files-2.5.so
b7320000-b7321000 r--p 00009000 00:5b 364944440                          /lib/libnss_files-2.5.so
b7321000-b7322000 rw-p 0000a000 00:5b 364944440                          /lib/libnss_files-2.5.so
b7363000-b7366000 rw-p b7363000 00:00 0
b7366000-b73a1000 r-xp 00000000 00:5b 365016407                          /lib/libsepol.so.1
b73a1000-b73a2000 rw-p 0003b000 00:5b 365016407                          /lib/libsepol.so.1
b73a2000-b73ac000 rw-p b73a2000 00:00 0
b73ac000-b73c2000 r-xp 00000000 00:5b 365016405                          /lib/libselinux.so.1
b73c2000-b73c4000 rw-p 00015000 00:5b 365016405                          /lib/libselinux.so.1
b73c4000-b73c5000 rw-p b73c4000 00:00 0
b73c5000-b73dd000 r-xp 00000000 00:5b 423642121                          /usr/lib/libsasl2.so.2.0.22
b73dd000-b73de000 rw-p 00017000 00:5b 423642121                          /usr/lib/libsasl2.so.2.0.22
b73de000-b73eb000 r-xp 00000000 00:5b 423626293                          /usr/lib/liblber-2.3.so.0.2.31
b73eb000-b73ec000 rw-p 0000c000 00:5b 423626293                          /usr/lib/liblber-2.3.so.0.2.31
b73ec000-b73ee000 r-xp 00000000 00:5b 365016386                          /lib/libkeyutils-1.2.so
b73ee000-b73ef000 rw-p 00001000 00:5b 365016386                          /lib/libkeyutils-1.2.so
b73ef000-b73f7000 r-xp 00000000 00:5b 423641973                          /usr/lib/libkrb5support.so.0.1
b73f7000-b73f8000 rw-p 00007000 00:5b 423641973                          /usr/lib/libkrb5support.so.0.1
b73f8000-b740d000 r-xp 00000000 00:5b 364944524                          /lib/libpthread-2.5.so
b740d000-b740e000 ---p 00015000 00:5b 364944524                          /lib/libpthread-2.5.so
b740e000-b740f000 r--p 00015000 00:5b 364944524                          /lib/libpthread-2.5.so
b740f000-b7410000 rw-p 00016000 00:5b 364944524                          /lib/libpthread-2.5.so
b7410000-b7413000 rw-p b7410000 00:00 0
b7413000-b7418000 r-xp 00000000 00:5b 423641785                          /usr/lib/libXdmcp.so.6.0.0
b7418000-b7419000 rw-p 00004000 00:5b 423641785                          /usr/lib/libXdmcp.so.6.0.0
b7419000-b741b000 r-xp 00000000 00:5b 423641783                          /usr/lib/libXau.so.6.0.0
b741b000-b741c000 rw-p 00001000 00:5b 423641783                          /usr/lib/libXau.so.6.0.0
b741c000-b7433000 r-xp 00000000 00:5b 365016349                          /lib/libaudit.so.0.0.0
b7433000-b7435000 rw-p 00016000 00:5b 365016349                          /lib/libaudit.so.0.0.0
b7435000-b7447000 r-xp 00000000 00:5b 365016415                          /lib/libz.so.1.2.3
b7447000-b7448000 rw-p 00011000 00:5b 365016415                          /lib/libz.so.1.2.3
b7448000-b7453000 r-xp 00000000 00:5b 365023715                          /lib/libgcc_s-4.1.2-20080825.so.1
b7453000-b7454000 rw-p 0000a000 00:5b 365023715                          /lib/libgcc_s-4.1.2-20080825.so.1
b7454000-b75a6000 r-xp 00000000 00:5b 364943790                          /lib/libc-2.5.so
b75a6000-b75a7000 ---p 00152000 00:5b 364943790                          /lib/libc-2.5.so
b75a7000-b75a9000 r--p 00152000 00:5b 364943790                          /lib/libc-2.5.so
b75a9000-b75aa000 rw-p 00154000 00:5b 364943790                          /lib/libc-2.5.so
b75aa000-b75ae000 rw-p b75aa000 00:00 0
b75ae000-b7713000 r-xp 00000000 00:5b 383377246                          /opt/xml2/lib/libxml2.so.2.7.6
b7713000-b7718000 rw-p 00165000 00:5b 383377246                          /opt/xml2/lib/libxml2.so.2.7.6
b7718000-b7719000 rw-p b7718000 00:00 0
b7719000-b7845000 r-xp 00000000 00:5b 423644902                          /usr/lib/mysql/libmysqlclient.so.15.0.0
b7845000-b7874000 rw-p 0012c000 00:5b 423644902                          /usr/lib/mysql/libmysqlclient.so.15.0.0
b7874000-b7875000 rw-p b7874000 00:00 0
b7875000-b78ae000 r-xp 00000000 00:5b 423626295                          /usr/lib/libldap-2.3.so.0.2.31
b78ae000-b78af000 rw-p 00039000 00:5b 423626295                          /usr/lib/libldap-2.3.so.0.2.31
b78af000-b78df000 r-xp 00000000 00:5b 423641948                          /usr/lib/libidn.so.11.5.19
b78df000-b78e0000 rw-p 0002f000 00:5b 423641948                          /usr/lib/libidn.so.11.5.19
b78e0000-b792b000 r-xp 00000000 00:5b 371230374                          /opt/curlssl/lib/libcurl.so.4.2.0
b792b000-b792d000 rw-p 0004a000 00:5b 371230374                          /opt/curlssl/lib/libcurl.so.4.2.0
b792d000-b792e000 rw-p b792d000 00:00 0
b792e000-b7930000 r-xp 00000000 00:5b 364943437                          /lib/libcom_err.so.2.1
b7930000-b7931000 rw-p 00001000 00:5b 364943437                          /lib/libcom_err.so.2.1
b7931000-b7957000 r-xp 00000000 00:5b 423641960                          /usr/lib/libk5crypto.so.3.1
b7957000-b7958000 rw-p 00025000 00:5b 423641960                          /usr/lib/libk5crypto.so.3.1
b7958000-b79ec000 r-xp 00000000 00:5b 423641971                          /usr/lib/libkrb5.so.3.3
b79ec000-b79ef000 rw-p 00093000 00:5b 423641971                          /usr/lib/libkrb5.so.3.3
b79ef000-b7a1b000 r-xp 00000000 00:5b 423641936                          /usr/lib/libgssapi_krb5.so.2.2
b7a1b000-b7a1c000 rw-p 0002c000 00:5b 423641936                          /usr/lib/libgssapi_krb5.so.2.2
b7a1c000-b7a31000 r-xp 00000000 00:5b 364944259                          /lib/libnsl-2.5.so
b7a31000-b7a32000 r--p 00014000 00:5b 364944259                          /lib/libnsl-2.5.so
b7a32000-b7a33000 rw-p 00015000 00:5b 364944259                          /lib/libnsl-2.5.so
b7a33000-b7a35000 rw-p b7a33000 00:00 0
b7a35000-b7a5c000 r-xp 00000000 00:5b 364944092                          /lib/libm-2.5.so
b7a5c000-b7a5d000 r--p 00026000 00:5b 364944092                          /lib/libm-2.5.so
b7a5d000-b7a5e000 rw-p 00027000 00:5b 364944092                          /lib/libm-2.5.so
b7a5e000-b7a5f000 rw-p b7a5e000 00:00 0
b7a5f000-b7a70000 r-xp 00000000 00:5b 364944544                          /lib/libresolv-2.5.so
b7a70000-b7a71000 r--p 00010000 00:5b 364944544                          /lib/libresolv-2.5.so
b7a71000-b7a72000 rw-p 00011000 00:5b 364944544                          /lib/libresolv-2.5.so
b7a72000-b7a74000 rw-p b7a72000 00:00 0
b7a74000-b7a7b000 r-xp 00000000 00:5b 364944552                          /lib/librt-2.5.so
b7a7b000-b7a7c000 r--p 00007000 00:5b 364944552                          /lib/librt-2.5.so
b7a7c000-b7a7d000 rw-p 00008000 00:5b 364944552                          /lib/librt-2.5.so
b7a7d000-b7aaf000 r-xp 00000000 00:5b 374888333                          /opt/pcre/lib/libpcre.so.0.0.1
b7aaf000-b7ab0000 rw-p 00031000 00:5b 374888333                          /opt/pcre/lib/libpcre.so.0.0.1
b7ab0000-b7ad1000 r-xp 00000000 00:5b 423641958                          /usr/lib/libjpeg.so.62.0.0
b7ad1000-b7ad2000 rw-p 00020000 00:5b 423641958                          /usr/lib/libjpeg.so.62.0.0
b7ad2000-b7af7000 r-xp 00000000 00:5b 423642095                          /usr/lib/libpng12.so.0.10.0
b7af7000-b7af8000 rw-p 00024000 00:5b 423642095                          /usr/lib/libpng12.so.0.10.0
b7af8000-b7b08000 r-xp 00000000 00:5b 423641792                          /usr/lib/libXpm.so.4.11.0
b7b08000-b7b09000 rw-p 00010000 00:5b 423641792                          /usr/lib/libXpm.so.4.11.0
b7b09000-b7b0a000 rw-p b7b09000 00:00 0
b7b0a000-b7c09000 r-xp 00000000 00:5b 423641782                          /usr/lib/libX11.so.6.2.0
b7c09000-b7c0d000 rw-p 000ff000 00:5b 423641782                          /usr/lib/libX11.so.6.2.0
b7c0d000-b7c8a000 r-xp 00000000 00:5b 423641893                          /usr/lib/libfreetype.so.6.3.10
b7c8a000-b7c8d000 rw-p 0007d000 00:5b 423641893                          /usr/lib/libfreetype.so.6.3.10
b7c8d000-b7c97000 r-xp 00000000 00:5b 365016397                          /lib/libpam.so.0.81.5
b7c97000-b7c98000 rw-p 0000a000 00:5b 365016397                          /lib/libpam.so.0.81.5
b7c98000-b7dc2000 r-xp 00000000 00:5b 365016177                          /lib/libcrypto.so.0.9.8e
b7dc2000-b7dd6000 rw-p 00129000 00:5b 365016177                          /lib/libcrypto.so.0.9.8e
b7dd6000-b7dd9000 rw-p b7dd6000 00:00 0
b7dd9000-b7e1d000 r-xp 00000000 00:5b 365016213                          /lib/libssl.so.0.9.8e
b7e1d000-b7e21000 rw-p 00043000 00:5b 365016213                          /lib/libssl.so.0.9.8e
b7e21000-b7e24000 r-xp 00000000 00:5b 364943965                          /lib/libdl-2.5.so
b7e24000-b7e25000 r--p 00002000 00:5b 364943965                          /lib/libdl-2.5.so
b7e25000-b7e26000 rw-p 00003000 00:5b 364943965                          /lib/libdl-2.5.so
b7e26000-b7e27000 rw-p b7e26000 00:00 0
b7e27000-b7e2d000 r-xp 00000000 00:5b 423641984                          /usr/lib/libltdl.so.3.1.4
b7e2d000-b7e2e000 rw-p 00005000 00:5b 423641984                          /usr/lib/libltdl.so.3.1.4
b7e2e000-b7e55000 r-xp 00000000 00:5b 372789623                          /opt/libmcrypt/lib/libmcrypt.so.4.4.8
b7e55000-b7e58000 rw-p 00027000 00:5b 372789623                          /opt/libmcrypt/lib/libmcrypt.so.4.4.8
b7e58000-b7e5d000 rw-p b7e58000 00:00 0
b7e5d000-b7ea2000 r-xp 00000000 00:5b 374348608                          /opt/mhash/lib/libmhash.so.2.0.1
b7ea2000-b7ea3000 rw-p 00044000 00:5b 374348608                          /opt/mhash/lib/libmhash.so.2.0.1
b7ea3000-b7eac000 r-xp 00000000 00:5b 364943894                          /lib/libcrypt-2.5.so
b7eac000-b7ead000 r--p 00008000 00:5b 364943894                          /lib/libcrypt-2.5.so
b7ead000-b7eae000 rw-p 00009000 00:5b 364943894                          /lib/libcrypt-2.5.so
b7eae000-b7ed5000 rw-p b7eae000 00:00 0
b7ed5000-b7ed9000 r-xp 00000000 00:5b 364944404                          /lib/libnss_dns-2.5.so
b7ed9000-b7eda000 r--p 00003000 00:5b 364944404                          /lib/libnss_dns-2.5.so
b7eda000-b7edb000 rw-p 00004000 00:5b 364944404                          /lib/libnss_dns-2.5.so
b7edb000-b7edd000 rw-p b7edb000 00:00 0
b7ede000-b7fbc000 r-xp 00000000 00:5b 423626438                          /usr/lib/libstdc++.so.6.0.8
b7fbc000-b7fbf000 r--p 000dd000 00:5b 423626438                          /usr/lib/libstdc++.so.6.0.8
b7fbf000-b7fc1000 rw-p 000e0000 00:5b 423626438                          /usr/lib/libstdc++.so.6.0.8
b7fc1000-b7fc8000 rw-p b7fc1000 00:00 0
b7fc8000-b7fe3000 r-xp 00000000 00:5b 364943576                          /lib/ld-2.5.so
b7fe3000-b7fe4000 r--p 0001a000 00:5b 364943576                          /lib/ld-2.5.so
b7fe4000-b7fe5000 rw-p 0001b000 00:5b 364943576                          /lib/ld-2.5.so
bffa5000-bffba000 rw-p 7ffffffe9000 00:00 0                              [stack]
    Code (markup):
     
    shuman202, Jul 27, 2012 IP
  4. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    35
    Best Answers:
    7
    Trophy Points:
    173
    #4
    Why don't you try excluding the executable file "/usr/local/bin/php" ? See if it works.
     
    MilesWeb, Jul 27, 2012 IP
  5. shuman202

    shuman202 Well-Known Member

    Messages:
    638
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    145
    Digital Goods:
    1
    #5
    i tried so too but didn't work i'm wondering why it didn't work
    the script works fine when i disable the firewall when i enable it and exclude the user or the file it stops sending me emails but the script doesn't work properly
     
    shuman202, Jul 27, 2012 IP
  6. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    35
    Best Answers:
    7
    Trophy Points:
    173
    #6
    An other alternative is to increase the execution time threshold set.
     
    MilesWeb, Jul 27, 2012 IP
  7. shuman202

    shuman202 Well-Known Member

    Messages:
    638
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    145
    Digital Goods:
    1
    #7
    and how to do that..
     
    shuman202, Jul 28, 2012 IP
  8. shuman202

    shuman202 Well-Known Member

    Messages:
    638
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    145
    Digital Goods:
    1
    #8
    i think it's PT_USERTIME am i right? for increasing the execution time threshold set.............
     
    shuman202, Jul 28, 2012 IP
  9. MilesWeb

    MilesWeb Well-Known Member

    Messages:
    869
    Likes Received:
    35
    Best Answers:
    7
    Trophy Points:
    173
    #9
    Yes, that's right.
     
    MilesWeb, Jul 30, 2012 IP
  10. samirj09

    samirj09 Well-Known Member

    Messages:
    335
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    125
    #10
    Also, the user line in the ignore file should work fine as well. Did you remember to restart csf and lfd after updating the file?
     
    samirj09, Jul 31, 2012 IP
  11. shuman202

    shuman202 Well-Known Member

    Messages:
    638
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    145
    Digital Goods:
    1
    #11
    actually the user line doesn't work the firewall seems not evaluating the inputs in the csf.pignore
     
    shuman202, Jul 31, 2012 IP