
LFD Alerts

Comments

5 comments

  • cPJustinD
    Hey there! I'm not sure as to the specific setting's name, but I believe there is a setting that determines whether access notifications are enabled. Could you run this to see what options are available? grep -i alert /etc/csf/csf.conf
    0
  • Ksmith08
    Hey there! I'm not sure as to the specific setting's name, but I believe there is a setting that determines whether access notifications are enabled. Could you run this to see what options are available? grep -i alert /etc/csf/csf.conf

    Hi @cPJustinD Here you go -

    # LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
    # LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
    # LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
    # PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT
    # LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
    # 2 = Disable only alerts about this feature and do nothing else
    # message. If it fails to do so within SYSLOG_CHECK seconds an alert using
    # syslogalert.txt is sent
    # Send an alert if log file flooding is detected which causes lfd to skip log
    # lines to prevent lfd from looping. If this alert is sent you should check the
    LOGFLOOD_ALERT = "0"
    # By default, lfd will send alert emails using the relevant alert template to
    # option will override the configured To: field in all lfd alert emails
    # Leave this option empty to use the To: field setting in each alert template
    LF_ALERT_TO = ""
    # By default, lfd will send alert emails using the relevant alert template from
    # option will override the configured From: field in all lfd alert emails
    # Leave this option empty to use the From: field setting in each alert template
    LF_ALERT_FROM = ""
    # By default, lfd will send all alerts using the SENDMAIL binary. To send using
    LF_ALERT_SMTP = ""
    # In addition to the standard lfd email alerts, you can additionally enable the
    # block alert messages will be sent. The reports use our schema at:
    # LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
    LF_PERMBLOCK_ALERT = "1"
    LF_NETBLOCK_ALERT = "1"
    # SECTION:Login Failure Blocking and Alerts
    # Send an email alert if an IP address is blocked by one of the triggers
    LF_EMAIL_ALERT = "1"
    # Send an email alert if an IP address is only temporarily blocked by one of
    # Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
    LF_TEMP_EMAIL_ALERT = "1"
    # Enable detection of repeated suhosin ALERTs
    # Send an email alert if anyone logs in successfully using SSH
    LF_SSH_EMAIL_ALERT = "1"
    # Send an email alert if anyone uses su to access another account. This will
    # send an email alert whether the attempt to use su was successful or not
    LF_SU_EMAIL_ALERT = "1"
    # Send an email alert if anyone uses sudo to access another account. This will
    # send an email alert whether the attempt to use sudo was successful or not
    LF_SUDO_EMAIL_ALERT = "0"
    # Send an email alert if anyone accesses webmin
    LF_WEBMIN_EMAIL_ALERT = "1"
    # Send an email alert if anyone logs in successfully to root on the console
    LF_CONSOLE_EMAIL_ALERT = "1"
    # Send an email alert if anyone accesses WHM/cPanel via an account listed in
    # LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
    LF_CPANEL_ALERT = "1"
    # If a LF_CPANEL_ALERT event is triggered, then if the following contains the
    LF_CPANEL_ALERT_ACTION = ""
    # This is a comma separated list of accounts to send alerts for. To send an
    # alert for all accounts set this to "all"
    LF_CPANEL_ALERT_USERS = "root"
    # This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
    LF_SCRIPT_ALERT = "0"
    # The limit afterwhich the email alert for email scripts is sent. Care should
    # If an LF_SCRIPT_ALERT event is triggered, then if the following can contain
    # following information as parameters which also appears in the email alert:
    # If this option is enabled, the directory identified by LF_SCRIPT_ALERT will
    # Checks the length of the exim queue and sends an alert email if the value of
    # Note: If there are problems sending out email, this alert may not be received
    LF_QUEUE_ALERT = "2000"
    # This option will send an alert if the ModSecurity IP persistent storage grows
    # used is modsecipdbalert.txt
    LF_MODSECIPDB_ALERT = "5"
    # to send an alert in case a possible server compromise is detected
    # file is found an email alert is sent. One alert per file per LF_FLUSH
    # changes and should they change and email alert using watchalert.txt is sent
    # md5sum of a monitored file changes an alert is sent. This option is intended
    # Send an email alert if LF_DISTFTP is triggered
    LF_DISTFTP_ALERT = "1"
    # Send an email alert if LF_DISTSMTP is triggered
    LF_DISTSMTP_ALERT = "1"
    # Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
    LT_EMAIL_ALERT = "1"
    # server. There are also options to send alerts and block external IP addresses
    # RT_[relay type]_ALERT: 0 = disable, 1 = enable
    # RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent
    RT_RELAY_ALERT = "1"
    RT_AUTHRELAY_ALERT = "1"
    RT_POPRELAY_ALERT = "1"
    RT_LOCALRELAY_ALERT = "1"
    RT_LOCALHOSTRELAY_ALERT = "1"
    # information as parameters which also appears in the email alert:
    # Send an email alert if an IP address is blocked due to connection tracking
    CT_EMAIL_ALERT = "1"
    # suspicious process is found an alert email is sent with relevant information.
    # exceeds the value of the following setting an email alert is sent with
    # This User Process Tracking option sends an alert if any user process exceeds
    # This User Process Tracking option sends an alert if any user process exceeds
    # This User Process Tracking option sends an alert if any cPanel user process
    # If you want to disable email alerts if PT_USERKILL is triggered, then set
    PT_USERKILL_ALERT = "1"
    # load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
    # This is the Apache Server Status URL used in the email alert. Requires the
    # terminated and an alert sent
    # Set the following to "1" to enable Port Scan Tracking email alerts, set to
    PS_EMAIL_ALERT = "1"
    # times within UID_INTERVAL seconds, an alert will be sent
    # a modifications to an account, an alert email is sent. Only the modification
    # You can set AT_ALERT to the following:
    AT_ALERT = "2"
    # Send alert if a new account is created
    # Send alert if an existing account is deleted
    # Send alert if an account password has changed
    # Send alert if an account uid has changed
    # Send alert if an account gid has changed
    # Send alert if an account login directory has changed
    # Send alert if an account login shell has changed
    # This controls what email alerts are sent with regards to logins to the UI. It
    # uses the uialert.txt template
    UI_ALERT = "4"
    RECAPTCHA_ALERT = "1"
    # Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
    PORTKNOCKING_ALERT = "0"
    # This is the interval each report will be sent based on the logalert.txt

  • 0
  • Volox
    You want to change LF_CONSOLE_EMAIL_ALERT
    to off, which I believe would be a "0" for that config file.
    0
  • Ksmith08
    You want to change LF_CONSOLE_EMAIL_ALERT
    to off, which I believe would be a "0" for that config file.

    I'm not talking about the console login. I'm talking about WHM logins... I'd like to know why I'm getting lfd notifications when I switch tabs and when I'm already logged in?
    0
  • cPRex Jurassic Moderator
    @Ksmith08 - I suppose that could happen if each tab had a different authentication token. If you check the URL, do you see the same number in the cpsess########## portion of the URL? It's important to note that cPanel doesn't create the CSF/LFD software, so if you're seeing odd behavior with that it would be best to reach out to them directly here to let them know: ConfigServer Technical Support
    0
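
A narrower check than the `grep -i alert` run in this thread, as an added example that is not part of any post or of CSF itself: it lists only the active alert settings from a csf.conf-style file and summarises `LF_CPANEL_ALERT` and `LF_CPANEL_ALERT_USERS`, which the posted comments tie to WHM/cPanel access alerts. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample file is constructed; ALERT values are the ones posted
# in the thread, the PS_INTERVAL value is made up.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Send an email alert if anyone logs in successfully to root on the console
LF_CONSOLE_EMAIL_ALERT = "1"
# Send an email alert if anyone accesses WHM/cPanel via an account listed in
# LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
LF_CPANEL_ALERT = "1"
LF_CPANEL_ALERT_ACTION = ""
LF_CPANEL_ALERT_USERS = "root"
LF_SUDO_EMAIL_ALERT = "0"
LF_QUEUE_ALERT = "2000"
PS_INTERVAL = "0"
EOF

# Print NAME=value for every active (uncommented) NAME = "value" line.
csf_settings() {
    awk '
        /^[ \t]*#/ { next }                       # comment text is not a setting
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=[ \t]*"/ {
            split($0, q, "\"")                    # q[2] = text inside the quotes
            name = $1; sub(/=.*/, "", name)       # also handles NAME="value"
            print name "=" q[2]
        }' "$1"
}

# Only the settings whose name contains ALERT.
csf_alerts() { csf_settings "$1" | awk -F= '$1 ~ /ALERT/'; }

# Value of one setting (first occurrence); prints an empty line if it is "".
csf_get() {
    csf_settings "$1" | awk -F= -v n="$2" \
        '!seen && $1 == n { print substr($0, length(n) + 2); seen = 1 }'
}

# Summarise the two settings that govern WHM/cPanel access alerts.
# Assumption: "1" means enabled, as for the other 0/1 toggles in the output.
whm_alert_scope() {
    if [ "$(csf_get "$1" LF_CPANEL_ALERT)" = "1" ]; then
        echo "WHM/cPanel access alerts: on for $(csf_get "$1" LF_CPANEL_ALERT_USERS)"
    else
        echo "WHM/cPanel access alerts: off"
    fi
}

CONF=${1:-$SAMPLE}      # pass /etc/csf/csf.conf to check a real server
csf_alerts "$CONF"
whm_alert_scope "$CONF"
```

Because comment lines are dropped, the output shows one line per setting instead of the partial comment sentences that `grep -i alert` returns.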
