ConfigServer Security & Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall, login/intrusion detection, and security application for Linux servers provided by ConfigServer.
Login Failure Daemon (LFD) is a daemon process that runs on our servers, which uses CSF for server security.
CSF and LFD come pre-installed on our servers with cPanel and offer many helpful features to ensure server security.
One of the many benefits of CSF and LFD is that they provide you with various notifications to help keep track of important events taking place in your server. Please note that these notifications only appear if you have a VPS or Dedicated Server.
1. Excessive resource usage alert
2. System integrity alert
3. Suspicious process alert
4. Alert about IP block
5. Email queue size alert
6. Email script alert
7. Excessive processes alert
1. Excessive resource usage alert
LFD has a feature to watch running processes, to check if they are using too many resources. If a process is using more resources than expected, this can indicate a security issue and in result can cause loading issues on the server.
To disable such notifications, go to WHM >> Plugins section >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, find the PT_USERMEM and PT_USERTIME parameters and change their values to 0.
Once you have done this, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
2. System integrity alert
LFD has a feature see for changes with some system files. This helps to detect compromised files and immediately sends an alert.
In case if you aren’t sure why these files are being changed, it’s important to check the server logs to determine the root cause of change.
These notifications are only sent once and, in most cases, are triggered by a system update. In this case, no further action from your side is needed.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, point the LF_INTEGRITY parameter and set its value to 0. Once you have done this, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
3. Suspicious process alert
The Process Tracking option enables tracking of user’s processes and examines them for suspicious executable files. Its purpose is to identify potentially exploitative processes that are running on the server.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, locate PT_LIMIT parameter. Please set its value to 0. Once you have done this, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
4. Alert about IP block
CSF/LFD automatically blocks IP addresses for certain configurable reasons. By default, it will send you an email to let you know which IP was blocked and why it was blocked.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
Here you will see the following parameters:
LF_EMAIL_ALERT - sends an email alert if an IP address is blocked by one of the triggers.
LF_PERMBLOCK_ALERT - sends an email alert if an IP address is permanently blocked. This happens if the IP address has been temporarily blocked more than a few times (to configure, use LF_PERMBLOCK_COUNT).
LF_NETBLOCK_ALERT - sends an email alert if an IP network class was blocked (conditions of such blocks can be configured by editing the adjacent parameters).
LF_DISTFTP_ALERT - sends an email alert if LF_DISTFTP is triggered. The LF_DISTFTP option will keep track of all successful FTP logins.
It blocks all the IPs that are suspected in being involved in an FTP distributed attack. You can configure it by editing the parameters in the Distributed Attacks section.
LF_DISTSMTP_ALERT - sends an email alert if LF_DISTSMTP is triggered. The same scenario applies as above, but for SMTP.
LT_EMAIL_ALERT - sends an email alert if the account exceeds a certain number of hourly logins per IP address.
CT_EMAIL_ALERT - sends an email alert if an IP address is blocked due to connectivity tracking.
Once you have done this, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
5. Email queue size alert
When many emails are sent from a server, the SMTP server automatically places them into an email queue where email messages await to be processed. The delivery starts with the first ones and then carries on with the others. If many messages accumulate in the email queue, this may lead to issues where emails are delivered with delays. LFD has a feature for watching the length of email queues.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, locate the LF_QUEUE_ALERT parameter and set it to 0. On complete, you can scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
6. Email script alert
Scripts usually involve the Sendmail or exim binary. When this happens, certain lines will appear in the LFD mail log which detects and notifies you if it happens repeatedly.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, you will find the LF_SCRIPT_ALERT parameter. Set it to OFF.
Once you have finished, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
7. Excessive processes alert
LFD also tracks the number of processes running.
Each visitor who accesses a PHP page will generate an entry process, but these processes usually end quickly. It’s unlikely that 10 processes will be generated concurrently and at a single moment.
A large number of concurrent processes indicates high levels of traffic or an improperly-coded website that takes too long to finish one process. Additionally, this kind of situation happens when there are DDoS attacks on the website.
Go to WHM >> Plugins >> ConfigServer Security & Firewall.
Now proceed to CSF >> Firewall Configuration.
There, you will find the PT_USERPROC parameter. Upon complete, scroll down and click on the Change button.
On the next page, you will see the Changes saved. You should restart both csf and lfd. message. Click Restart csf+lfd and the changes will be saved.
Done!!