CSF csf.pignore syntax for suspicious process
I know a lot of cPanel users are running CSF/LFD. I've searched and read many posts on this topic before, but I still don't find it clear what specific syntax to use in the csf.pignore file. This is the type of warning I'm trying to ignore.
lfd[5333]: *Suspicious Process* PID:3792 PPID:3788 User:username Uptime:121 secs EXE:/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php CMD:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
Right now I have:
pcmd:cron\.php$
cmd:cron\.php$
There are so many different options for what to specify in the file and for the syntax that it leaves most users like myself on sort of a trial and error quest, and so far I'm unsuccessful.
Greetings! The syntax for the 'csf.pignore' file is:
exe:/full/path/to/file
user:username
cmd:command line
So if you would like to whitelist the 'cron.php' file itself, you would need to use the full path, e.g.:
exe:/home/${cPuser}/path/to/cron.php
Or alternatively, you may also try the entire command, e.g.:
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
Please give that a try and let us know if it works for you. Thanks!
Prior to your reply, I added all 4 of these:
cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
pcmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php
pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php
One of them worked as I stopped getting the warning. When I get some time I'll use trial and error to find out. I'm guessing/hoping it's this one:
cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.p
As the first two will no longer work if I upgrade to a PHP version newer than 7.3 and will have to remember to go update the file.
You can't use wildcards in the cmd option. That's what pcmd is for. pcmd uses Perl regular expressions. If you look in /etc/csf/csf.pignore it gives examples near the top.
Then it is probably the pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php that is working. Thanks for the clarification. I for some reason misunderstood 'p' as referring to process instead of PERL.
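Added example (not part of the thread and not ConfigServer's code): a small Python model for checking csf.pignore rules against the alert quoted in the question before editing the live file. It assumes cmd: is compared literally against the whole command line and pcmd: must match the whole command line as a regex; the TIGHT rule and the OTHER process are constructed for illustration.

```python
import re

# The alert quoted in the question, embedded so the script runs offline.
ALERT = ("lfd[5333]: *Suspicious Process* PID:3792 PPID:3788 User:username "
         "Uptime:121 secs EXE:/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php "
         "CMD:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php")
FIELDS = re.compile(r"User:(?P<user>\S+) .*? EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$")
TYPES = {"exe", "user", "cmd", "pexe", "puser", "pcmd"}

def parse_alert(line):
    """Return the user, exe and cmd values reported in an lfd alert line."""
    m = FIELDS.search(line)
    if m is None:
        raise ValueError("not a Suspicious Process alert")
    return m.groupdict()

def rule_matches(rule, proc):
    """True if a single csf.pignore rule would ignore this process.

    Assumption: exe/user/cmd are compared literally against the whole value,
    and pexe/puser/pcmd must match the whole value as a regex.
    """
    kind, _, pattern = rule.partition(":")
    if kind not in TYPES:
        raise ValueError(f"unknown rule type: {kind!r}")
    if kind.startswith("p"):
        return re.fullmatch(pattern, proc[kind[1:]]) is not None
    return pattern == proc[kind]

def ignoring_rules(rules, proc):
    """Rules from the list that would suppress the alert for proc."""
    return [r for r in rules if rule_matches(r, proc)]

# The six rules tried in the thread, in the order they were posted.
THREAD_RULES = [
    r"pcmd:cron\.php$",
    r"cmd:cron\.php$",
    r"cmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php",
    r"pcmd:/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php",
    r"cmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php",
    r"pcmd:/opt/cpanel/.*/root/usr/bin/php -f cron.php",
]
# Constructed: escaped dot, version segment limited to ea-php<digits>.
TIGHT = r"pcmd:/opt/cpanel/ea-php\d+/root/usr/bin/php -f cron\.php"
# Constructed process that an ignore rule for cron.php should still report.
OTHER = {"user": "username", "exe": "/usr/bin/php",
         "cmd": "/opt/cpanel/ea-php73/tmp/root/usr/bin/php -f cronXphp"}

if __name__ == "__main__":
    proc = parse_alert(ALERT)
    for rule in THREAD_RULES + [TIGHT]:
        print(rule_matches(rule, proc), rule_matches(rule, OTHER), rule)
```

The first column shows whether a rule silences the quoted alert, the second whether it would also silence the constructed OTHER process, which is the over-matching to look for in a broad pcmd pattern.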