How to disable LFD excessive resource usage alert?

In this tutorial, we can check different methods to disable LFD excessive resource usage alert.

Login Failure Daemon(LFD) is a daemon process which runs on VPS or Dedicated servers that uses Config Server Firewall(CSF) for server security. LFD scans the server logs and sends notifications every time when the process uses more memory or takes more time than the value assigned in your CSF configuration file. LFD considers recent failed login attempts as ‘Brute Force Attacks’ and blocks those IPs using CSF. CSF is a firewall configuration script commonly used in cPanel. It is used to provide better security and care for your server. Its advanced and easy to use interface enables server firewall management simple. You can configure your server’s firewall to block the public access to the services and only allow certain connections.

A Brute Force Attacks is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). Brute Force Attack is a common method used by hackers to crack the encrypted data. The software used by the hacker generates consecutive guesses on the desired data. CSF is capable of spotting this type of hacking attempts with the help of LFD and blocks the IPs temporarily from accessing the server. If the temporarily blocked IPs are found guilty, then you can permanently block them using CSF. All these actions are managed in CSF configuration. You can access the CSF configuration in WHM by using the following steps.

1)Login to your WHM

2) Go to Home >> select Plugins

3) Click ‘ConfigServer Security & Firewall’

4) Choose ‘Firewall Configuration’

 

LFD excessive resource usage alert

LFD service sends excessive resource usage alerts to the email address which is assigned to it, normally to root user account. This notification points out a particular process or service using excessive server resources. This helps in identifying the resource eating process/service. We can either kill/stop the process/service to free the resource or allocate more resource to it, if necessary.

 

Example email alert from LFD when memory is exceeded

—Time: Mon Nov 14 09:41:10 2016 +0530

—Account: xxxxxx

—Resource: Virtual Memory Size

—Exceeded: 205 > 200 (MB)

—Executable: /usr/bin/php

—Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php

—PID: 26953 (Parent PID:24974)

—Killed: No

This alert is sent by LFD when a process uses more memory resources than defined in the CSF configuration file.

 

Example email alert from LFD when the time is exceeded

—Time: Mon Nov 14 09:41:10 2016 +0530

—Account: xxxxxx

—Resource: Virtual Memory Size

—Exceeded: 125389 > 1800 (seconds)

—Executable: /usr/bin/php

—Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php

—PID: 28429 (Parent PID:26561)

—Killed: No

This alert is sent by LFD when a process takes more time to execute than defined in the CSF configuration file.

 

How to disable these alerts

Disabling these alerts is not a good method to be performed. These email alerts are very useful in monitoring the usage of server resources by the user accounts. If you find this particular process/service is necessary, you can enable them to continue using the server resources and disable the LFD notifications. You can disable LFD excessive memory usage notifications by using three methods. Each method is explained below. You can either access the CSF configuration via WHM/terminal. I have already explained how to access CSF configuration via WHM.

 

Method 1

This method will permanently disable the LFD excessive resource usage alert. Performing this method will pose a security issue.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Modify the value of directives PT_USERMEM and PT_USERTIME to 0.

 PT_USERMEM = 0

PT_USERTIME = 0

4) Save the settings.

 

Method 2

In this method, we will increase the values of both memory and time to disable the LFD alerts. This method is a temporary one. If any process/service uses more resources than defined, you will continue to receive the LFD alerts.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Modify the value of directives PT_USERMEM and PT_USERTIME to desired.

PT_USERMEM = 500

PT_USERTIME = 150000

4) Save the settings

 

Method 3

This method is a standard technique to disable the LFD alerts. In this method, we will include the particular process/service in pignore of CSF. The pignore of CSF will ignore the particular process/service included in it and hence disables the LFD alerts.

1) Login to your server as root user.

2) Using your favorite editor open pignore of CSF. The common location of pignore is /etc/csf/csf.pignore.

3) Add the command line path specified in the alert to the pignore of CSF.

4) Save changes.