Managing Linux VPS Firewall Alerts

From Wiki
Jump to: navigation, search

Managing Linux VPS Firewall Alerts

lfd on VPS server: Excessive resource usage alerts

On a Linux VPS with cPanel you may receive alerts along the lines of the following:
Time: <some specific time>
Account: <Your cPanel user account>
Resource: Virtual Memory Size
Exceeded: 218 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/your_site/public_html/index.php
PID: <some_number>
Killed: No

This alert is an informational message. How you deal with these are a matter of personal preference and needs of your organization.

There is a daemon on your VPS, the lfd daemon, that will monitor processes and if a process' memory usage exceeds a defined threshold (in this case of the example above, 200MB), it sends an alert. That is all that is happening here. The server has no way of knowing if this is expected behavior or not, so it just sends an alert so the owner can decide whether to investigate.

So, if the threshold is set to 200 MB and a script or process uses more than 200 MB memory, you will get an alert containing the name of the script, the time it occurred, and the amount of memory that it is consuming.
Here are some options you may want to consider for how to deal with these. This is not an exhaustive list but should give a good starting point:

The first option is to do nothing. When you get the alerts, glance at them and see what script or process is triggering the alert. If your VPS is running particularly sluggish and you are getting alerts about a PHP script consuming large amounts of RAM, you can consider killing the script to return the server to normal responsiveness. Likewise, if you write some script and start getting alerts about the amount of RAM it is consuming, that might be a heads up to you that your script has problems.

The second option is to increase the memory threshold for the alerts from 200 MB to say 300 MB. That will allow scripts and processes to consume more RAM before they trigger the alert. If you want to increase it much higher than 300MB, then you might be better off just turning this feature off altogether (see the next option). Turn off this feature entirely. If you are not interested in knowing when a process exceeds a defined threshold, then there is no need to get the alert and it can be turned off.

To change the threshold that LFD alerts on:

  1. Log into WHM of your VPS at https://<your VPS IP address>:2087 with the root account.
  2. Go to ConfigServer Security & Firewall --> Firewall Configuration
  3. Change the value for PT_USERMEM to the threshold you want to report on.

To turn off this feature, set the PT_USERMEM paramter to 0.

There are other options but are only recommended for advanced users. For more details, read the ConfigServer Security & Firewall (CSF) readme

lfd on Linus VPS: Script Alert

On a Linux VPS with cPanel you may receive alerts notifying you of scripts sending a large amount of emails. The alert will be similar to the following:
Time:  Wed Nov 01 04:08:52 2012 -0600
Path:  /home/cpaneluser/public_html/subdirectory
Count: 101 emails sent

Sample of the first 10 emails:

2012-11-28 09:07:05 1TdjE9-0003tL-4a <= U=adp P=local S=10381 T="Email subject" for
2012-11-28 09:07:06 1TdjEA-0003ta-5H <= U=adp P=local S=10381 T="Email subject" for
2012-11-28 09:07:07 1TdjEB-0003ti-60 <= U=adp P=local S=10381 T="Email subject" for
2012-11-28 09:07:08 1TdjEC-0003uE-6k <= U=adp P=local S=10381 T="Email subject" for
2012-11-28 09:07:09 1TdjED-0003uP-7L <= U=adp P=local S=10381 T="Email subject" for
2012-11-28 09:07:10 1TdjEE-0003uX-86 <= U=adp P=local S=10381 T="Email subject" for

Possible Scripts:


This alert is informing you that a script on one of your server's sites is sending a lot of mail. You can ignore the alert if you recognize the script at the bottom of the alert, and you know it is used to send mail to an Opt-In mailing list.

In some cases though, the script will be a spam script that was uploaded to a site via a compromised upload form. You'll want to take immediate action if you do not recognize the script, and the subject line of the message looks suspicious. In this case, do the following:

  1. Navigate to the directory on your server and remove the script and any other scripts that were uploaded by the spammer.
  2. If you are running WordPress, Joomla, or any other 3rd-party software you will need to update it (and any templates/themes) ASAP.
  3. If you are not running 3rd-party software, make sure any upload forms are password protected, and make sure any forms on the site properly sanitize input.
  4. For good measure, you'll want to reset the cPanel user's password and any of its FTP accounts' passwords to very strong passwords. You can use our Password Generator to create a strong password.