How to disable LFD excessive resource usage alert?

This tutorial goes through different methods to disable the LFD excessive resource usage alert.

Login Failure Daemon (LFD) is a daemon process that runs on VPS or dedicated servers which use Config Server Firewall (CSF) for server security. LFD scans the server logs and sends a notification every time a process uses more memory or takes more time than the value assigned in your CSF configuration file. LFD considers recent failed login attempts to be ‘Brute Force Attacks’ and blocks those IPs using CSF. CSF is a firewall configuration script commonly used with cPanel. It is used to provide better security for your server. Its advanced, easy-to-use interface makes server firewall management simple. You can configure your server’s firewall to block public access to services and allow only certain connections.

A Brute Force Attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). It is a common method used by hackers to crack encrypted data. The software used by the hacker generates consecutive guesses at the desired data. With the help of LFD, CSF is capable of spotting this type of hacking attempt and temporarily blocks the IPs from accessing the server. If the temporarily blocked IPs are found guilty, you can permanently block them using CSF. All these actions are managed in the CSF configuration. You can access the CSF configuration in WHM by using the following steps.

1) Login to your WHM

2) Go to Home >> select Plugins

3) Click ‘ConfigServer Security & Firewall’

4) Choose ‘Firewall Configuration’

 

LFD excessive resource usage alert

The LFD service sends excessive resource usage alerts to the email address assigned to it, normally that of the root user account. The notification points out a particular process or service that is using excessive server resources, which helps in identifying the resource-eating process/service. We can then either kill/stop the process/service to free the resources or allocate more resources to it, if necessary.

 

Example email alert from LFD when memory is exceeded

Time: Mon Nov 14 09:41:10 2016 +0530
Account: xxxxxx
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php
PID: 26953 (Parent PID:24974)
Killed: No

This alert is sent by LFD when a process uses more memory resources than defined in the CSF configuration file.

 

Example email alert from LFD when the time is exceeded

Time: Mon Nov 14 09:41:10 2016 +0530
Account: xxxxxx
Resource: Virtual Memory Size
Exceeded: 125389 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php
PID: 28429 (Parent PID:26561)
Killed: No

This alert is sent by LFD when a process takes more time to execute than defined in the CSF configuration file.

 

How to disable these alerts

Disabling these alerts is not recommended. These email alerts are very useful for monitoring the usage of server resources by the user accounts. If you find that a particular process/service is necessary, you can allow it to continue using the server resources and disable the LFD notifications. You can disable the LFD excessive memory usage notifications using three methods, each explained below. You can access the CSF configuration via either WHM or the terminal. I have already explained how to access the CSF configuration via WHM.

 

Method 1

This method permanently disables the LFD excessive resource usage alert. Doing so poses a security issue.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Set the directives PT_USERMEM and PT_USERTIME to 0.

PT_USERMEM = 0

PT_USERTIME = 0

4) Save the settings.

 

Method 2

In this method, we increase the values of both memory and time so that the LFD alerts stop. This method is a temporary one: if any process/service uses more resources than the new values allow, you will continue to receive the LFD alerts.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Set the directives PT_USERMEM and PT_USERTIME to the desired values.

PT_USERMEM = 500

PT_USERTIME = 150000

4) Save the settings

 

Method 3

This method is the standard technique for disabling the LFD alerts. In this method, we add the particular process/service to the pignore file of CSF. LFD ignores any process/service listed in pignore and therefore stops sending alerts for it.

1) Login to your server as root user.

2) Using your favorite editor, open the pignore file of CSF. Its usual location is /etc/csf/csf.pignore.

3) Add the command line path specified in the alert to the pignore of CSF.

4) Save changes.
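
Steps 2 to 4 as an added example (not part of the original tutorial, and not code from CSF): it reads the fields of an alert and writes a csf.pignore rule using CSF's cmd: and exe: rule prefixes. The function names are hypothetical, the sample alert is constructed from the one quoted above, and the demo writes to a scratch file instead of /etc/csf/csf.pignore.

```shell
#!/usr/bin/env bash
# Added example: turn an LFD alert into a narrowly scoped csf.pignore rule.

# Constructed sample, modelled on the memory alert quoted in the tutorial.
SAMPLE_ALERT='Time: Mon Nov 14 09:41:10 2016 +0530
Account: xxxxxx
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php
PID: 26953 (Parent PID:24974)
Killed: No'

# Print the value of one "Field: value" line of an alert read from stdin.
alert_field() {
    sed -n "s/^[^[:alnum:]]*$1:[[:space:]]*//p" | head -n 1
}

# Prefer cmd: (one exact command line) over exe:, because exe:/usr/bin/php
# would exempt every PHP process on the server from process tracking.
pignore_entry() {
    local alert cmd exe
    alert=$(cat)
    cmd=$(printf '%s\n' "$alert" | alert_field 'Command Line')
    exe=$(printf '%s\n' "$alert" | alert_field 'Executable')
    if [ -n "$cmd" ]; then
        printf 'cmd:%s\n' "$cmd"
    elif [ -n "$exe" ]; then
        printf 'exe:%s\n' "$exe"
    else
        return 1
    fi
}

# Append the rule unless the file already has it (0 = added, 2 = present).
add_pignore() {
    local file="$1" entry="$2"
    if grep -qxF -- "$entry" "$file" 2>/dev/null; then
        return 2
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Demo against a scratch file; on a server the target is /etc/csf/csf.pignore.
scratch=$(mktemp)
add_pignore "$scratch" "$(printf '%s\n' "$SAMPLE_ALERT" | pignore_entry)"
cat "$scratch"
rm -f "$scratch"
```

After the real csf.pignore changes, lfd has to be restarted before it picks up the new rule.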

How to disable cPanel redirection to SSL?

There are times when you want to disable the automatic redirection to SSL when accessing WHM, cPanel or Webmail, so that you can access cPanel/WHM via the standard ports 2082 and 2086. This is useful if you have an SSL issue that is preventing you from logging in to your server or cPanel account because it may be unable to decrypt your stored password.

 

Login to WHM >> Tweak Settings >> uncheck the following option under Redirection:

Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.

You also have to uncheck the following option under Security in Tweak Settings:

Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.

If you are unable to login to the WHM backend, you can disable those options from the shell.

SSH to your server as root, open /var/cpanel/cpanel.config and set the following options to 0 (zero):

# nano /var/cpanel/cpanel.config

alwaysredirecttossl=0

requiressl=0

 

Save the file and exit.

Fix Unlimited Quota in WHM

Issue: Quota in WHM under Account Information > List Accounts shows “unlimited” for all users in a SolusVM OpenVZ container environment. The following steps will demonstrate how to fix the issue. It will require access to the Node and to the VPS.

1. SSH into the VPS and run this command:

# /scripts/fixquotas
Installing Default Quota Databases......Done
Quota Mode: Linux
journaled quota support: not available with vzaquota (disabled)
checking out /backup
checking out /backup
Quotas have been enabled, however they may not be up to date as quotacheck has been skipped.
Resetting quota for user1 to 1024 M
No filesystems with quota detected.
Resetting quota for user2 to 2048 M
No filesystems with quota detected.
Resetting quota for user2 to 1024 M
No filesystems with quota detected.
Resetting quota for user2 to 1024 M
No filesystems with quota detected.

2. Run another check in the VPS.

# quotacheck -vagum

Failed output results:

# quotacheck -vagum
quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.

3. Exit the VPS.

4. SSH into the Node and stop the server with the following command (Assuming VPS has a CT_ID of 106).

# vzctl stop 106

5. Now edit the OpenVZ configuration file to make sure DISK_QUOTA is set correctly.

# vi /etc/vz/vz.conf

Check to make sure disk quota is set to “yes”. Save and exit.

File Example:

## Disk quota parameters
DISK_QUOTA=yes
VZFASTBOOT=no

6. Next we edit the container configuration file. (Assuming VPS has a CT_ID of 106)

# vi /etc/vz/conf/106.conf

Insert this line at the very bottom of the config file:

QUOTAUGIDLIMIT="1000"

Save and exit.

Alternate command to insert QUOTAUGIDLIMIT into the config file.
For example, here CT_ID is 106 and Disk Space for VPS is 1000GB.

# vzctl set 106 --quotaugidlimit 1000 --save

7. Start the VPS.

# vzctl restart 106

8. Run the command to fix quotas in the VPS.

# /scripts/fixquotas

9. Check Quota in WHM. It should be set correctly now.

OPTIONAL Steps but may be required

FROM OPENVZ:

WHM/Cpanel, a popular commercial web-based control panel for Linux, has a tendency to overwrite the special quota files in the VE context. I am referring to:

lrwxr-xr-x     1 root root    39 Jun  8 17:27 aquota.group -> /proc/vz/vzaquota/00000073/aquota.group
lrwxr-xr-x     1 root root    38 Jun  8 17:27 aquota.user -> /proc/vz/vzaquota/00000073/aquota.user

The result of these being overwritten will be WHM showing “unlimited” quota reports for all users in the system. A quick solution to this is to run these commands from within the VE as root:


rm -f /aquota.user 2>/dev/null
rm -f /aquota.group 2>/dev/null
for x in `find /proc/vz/vzaquota/ | tail -2 `; do ln -s $x / ; done