lfd Suspicious File Alert after Acronis installation
Hello,
I recently installed the Acronis agent on my VPS to back up the entire server.
Everything is OK but, after midnight, lfd sent me many notifications like this:
lfd on server.vpstest.it: Suspicious File Alert
Time: Thu Nov 21 00:05:06 2019 +0100
File: /tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snumbd26.ko
Reason: Linux Binary
Owner: : (197619:197121)
Action: No action taken
Time: Thu Nov 21 00:05:06 2019 +0100
File: /tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snapapi26.ko
Reason: Linux Binary
Owner: : (197619:197121)
Action: No action taken
Time: Thu Nov 21 00:05:07 2019 +0100
File:
Reason:
Owner:
Action: Too many hits for LF_DIRWATCH - Directory Watching disabled
(and so on with the other alerts)
I am sure these are related to the Acronis agent. How can I disable alerts about the Acronis agent in the csf.pignore file? The process related to the agent is this:
/usr/lib/Acronis/BackupAndRecovery/mms
Thanks
I believe you could just delete that directory /tmp/dkms.9npzAf/, but if you think it might cause problems you can stop the alerts by adding this line to /etc/csf/csf.fignore (csf.fignore, not csf.pignore):
/tmp/dkms.9npzAf/.*
and then restart lfd.
@quietFinn is correct: you wouldn't use csf.pignore, you would use csf.fignore. DIRWATCH automatically (without any configuration) adds /tmp as a directory to watch. The following helps explain its use as well:

Directory Watching
##################

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits. If a suspicious file is found an email alert is sent using the template filealert.txt.

NOTE: Only one alert per file is sent until lfd is restarted, so if you remove a suspicious file, remember to restart lfd.

To remove any suspicious files found during directory watching, enable the corresponding setting; the suspicious files will be appended to a tarball in /var/lib/csf/suspicious.tar and deleted from their original location. Symlinks are simply removed.

If you want to extract the tarball to your current location, use:
tar -xpf /var/lib/csf/suspicious.tar
This will preserve the path and permissions of the original file.

Any false-positives can be added to /etc/csf/csf.fignore and lfd will then ignore those listed files and directories.

Within csf.fignore is a list of files that lfd directory watching will ignore. You must specify the full path to the file.

You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk

Remember that you will need to escape special characters (precede them with a backslash) such as \. \?

Pattern matching will only occur with strings containing an asterisk (*), otherwise full file path matching will be applied.

You can also add entries to ignore files owned by a particular user by preceding it with user:, for example:
user:bob

Note: files owned by root are ignored.

For information on perl regular expressions: http://www.perl.com/doc/manual/html/pod/perlre.html
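The csf.fignore rules quoted above (literal full-path match unless the entry contains an asterisk, Perl-style regex when it does, user: entries, and root-owned files always skipped) are easy to get wrong, so here is an added example that emulates them against the two paths from the alert e-mail. This is a model written for this thread, not lfd's own Perl code or anything shipped with csf; the file list and the csf.fignore content are constructed, and anchoring a regex entry to the whole path is an assumption, since the readme does not say how lfd anchors its match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Emulation of the documented csf.fignore matching rules (assumption: a model
# of the behaviour described in the readme, not lfd's own implementation).
# Anchoring regex entries to the whole path is also an assumption.


@dataclass(frozen=True)
class WatchedFile:
    """A file that lfd's directory watching would report."""
    path: str
    owner: str  # user name; "" when the uid resolves to no name, as in the alert


# Constructed csf.fignore content: quietFinn's entry from the thread, one
# literal path, one of the readme's regex examples and one user: entry.
FIGNORE_TEXT = r"""
# csf.fignore (constructed example)
/tmp/dkms.9npzAf/.*
/tmp/exact-literal-file
/tmp/.*\.wrk
user:bob
"""

# Constructed sample of watched files: the two paths from the alert e-mail
# (owner name empty, because uid 197619 did not resolve to a user) plus
# files that exercise the remaining rules.
SAMPLE_FILES = [
    WatchedFile("/tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snumbd26.ko", ""),
    WatchedFile("/tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snapapi26.ko", ""),
    WatchedFile("/tmp/exact-literal-file", "apache"),
    WatchedFile("/tmp/exact-literal-file.bak", "apache"),  # literal entry is not a prefix match
    WatchedFile("/tmp/build/job1.wrk", "carol"),
    WatchedFile("/tmp/bob-upload.sh", "bob"),
    WatchedFile("/tmp/cron-helper.sh", "root"),            # root-owned files are always ignored
    WatchedFile("/tmp/unknown.sh", ""),
]


def parse_fignore(text: str) -> List[str]:
    """Return the non-empty, non-comment lines of a csf.fignore file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def entry_matches(entry: str, f: WatchedFile) -> bool:
    """Apply one csf.fignore entry using the three documented forms."""
    if entry.startswith("user:"):
        # Owner match: can only succeed when the uid resolved to a user name.
        return f.owner != "" and f.owner == entry[len("user:"):]
    if "*" in entry:
        # An asterisk switches the entry to Perl-style regex matching; Python's
        # re module handles this subset identically. Whole-path anchoring is
        # an assumption of this model.
        return re.fullmatch(entry, f.path) is not None
    # No asterisk: the entry must equal the full file path.
    return f.path == entry


def ignore_reason(f: WatchedFile, entries: List[str]) -> Optional[str]:
    """Return why lfd would skip this file, or None if it would alert."""
    if f.owner == "root":
        return "owned by root"
    for entry in entries:
        if entry_matches(entry, f):
            return f"matched {entry}"
    return None


def files_to_alert(files: List[WatchedFile], entries: List[str]) -> List[str]:
    """Paths that would still produce a Suspicious File Alert."""
    return [f.path for f in files if ignore_reason(f, entries) is None]


if __name__ == "__main__":
    rules = parse_fignore(FIGNORE_TEXT)
    for f in SAMPLE_FILES:
        print(f"{f.path}: {ignore_reason(f, rules) or 'ALERT'}")
```

Two points the run makes visible. A user: entry would not have helped here, because the alert's Owner line shows no user name for uid 197619, so only a path entry can silence these files. And because the entry contains an asterisk it is a regex, so the unescaped dot in dkms.9npzAf matches any character; per the readme's escaping advice, /tmp/dkms\.9npzAf/.* is the stricter form of the same line.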
Thanks, that solved the issue :)