how to view p0f usage only
Hello, how can I view p0f usage? I keep getting emails from LFD / CSF about p0f 1744 WARNING: too many tracked connections deleting 101. use -m to adjust
So how do we know how many is too many?
Is this based on website visitors visiting the site, or emails sent from different notifications?
I see I get an email from LFD when I log in, and it gives me more info about my IP, computer OS, browser, etc.
But the logs get pretty much pounded with this, over 300 plus lines, all the same message. Could there be some way an attacker can create so many of these p0f warnings by just clicking on a certain part of the cPanel site, or the SSH backend, trying to log in? And does it need to delete 10% of the data for room to log more?
Is there a separate log for p0f?
Is there a way to watch this somehow live in real time and see if it's sending that warning too much in the last couple of hours?
I have never seen that before, so I am wondering why it shows up in the last 2 hourly emails I get from the CSF / LFD Log Scanner Report.
- Last question: is it worth having this ON? I am the only one logging into WHM and cPanel.
No other users use this server or log in, so I get an email from CSF when I log in. So I am not sure if I need the extra info on who logged in from where and on what computer.
If there is any other related security advantage, can you give me your thoughts and why?
Thanks so much
Spiro
-
I am not 100% sure if this is exactly what you are searching for, but a live view of the LFD and CSF logs can be done from "Watch System Logs" under Home » Plugins » ConfigServer Security & Firewall. For example, /usr/local/cpanel/logs/acces_logs shows these types of alerts:

123.123.123.123 - root [05/05/2022:12:46:38 -0000] "GET /cpsess1788942004/cgi/configserver/csf.cgi?action=logtailcmd&lines=100&lognum=3&nocache=1651754804569 HTTP/1.1" 200 0 "https://servername.tld:2087/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36" "s" "-" 2087
The "Search System Logs" on the other hand can be used to narrow down on possible undesired behavior based on the information observed during the watch. But personally, if it is indeed those types of logs getting pruned, I would not worry unless it states bruteforce attempts. Though I do recommend waiting for a second opinion on this matter.
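
As an added example (not from either poster and not cPanel or CSF code), this shell function counts the p0f "too many tracked connections" warnings per hour and totals the connections dropped, which shows whether they cluster in the last couple of hours. The syslog-style line layout, the function names and the sample lines are constructed assumptions; point it at whichever log file actually carries the warning on your server.

```shell
#!/bin/sh
# Added example: hourly summary of p0f "too many tracked connections" warnings.
# Assumption: syslog-style lines ("Mon DD HH:MM:SS host p0f[pid]: ...").

# Constructed sample input so the script runs offline.
sample_log() {
cat <<'EOF'
May  5 10:58:01 server p0f[1744]: WARNING: too many tracked connections deleting 101. use -m to adjust
May  5 11:02:10 server p0f[1744]: WARNING: too many tracked connections deleting 101. use -m to adjust
May  5 11:15:42 server p0f[1744]: WARNING: too many tracked connections deleting 101. use -m to adjust
May  5 11:40:03 server p0f[1744]: WARNING: too many tracked connections deleting 101. use -m to adjust
May  5 11:41:00 server sshd[2200]: Accepted publickey for root from 203.0.113.7 port 50514 ssh2
EOF
}

# Usage: p0f_warnings_per_hour MIN [logfile...]
# Prints one line per hour that has at least MIN warnings.
# With no logfile, reads standard input.
p0f_warnings_per_hour() {
    min="${1:-1}"
    if [ "$#" -gt 0 ]; then shift; fi
    awk -v min="$min" '
        /p0f/ && tolower($0) ~ /too many tracked connections/ {
            split($3, t, ":")                  # HH:MM:SS -> hour bucket
            key = $1 " " $2 " " t[1] ":00"
            if (!(key in count)) order[++n] = key
            count[key]++
            for (i = 1; i < NF; i++)           # number that follows "deleting"
                if (tolower($i) == "deleting") {
                    d = $(i + 1); sub(/[^0-9].*$/, "", d)
                    deleted[key] += d
                }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] >= min)
                    printf "%s warnings=%d deleted=%d\n",
                           order[i], count[order[i]], deleted[order[i]]
        }
    ' "$@"
}

# Demo on the constructed sample: every hour with at least one warning.
sample_log | p0f_warnings_per_hour 1
```

For a live view from a shell, the same text can be followed with `tail -F <logfile> | grep -i 'too many tracked connections'`.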