Step 1:
Go to the firewall configuration (/etc/csf/csf.conf) and add these custom logs (the CUSTOM*_LOG settings are at the end of the file):
CUSTOM2_LOG = "/var/log/maillog"
CUSTOM3_LOG = "/var/log/dovecot-info.log"
(Run grep -rnw 'auth failed' /var/log/ to check where failed logins are logged on your server.)
Step 2:
Add this regex to /usr/local/csf/bin/regex.custom.pm or /etc/csf/regex.custom.pm :
# Do not edit before this point
# Postfix SMTP AUTH failures from CUSTOM2_LOG (/var/log/maillog): block port 25 after 3 hits
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","1");
}
# Dovecot POP3/IMAP failures from CUSTOM3_LOG (/var/log/dovecot-info.log); the ports field is a single comma-separated string
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ pop3\-login.*auth failed.*rip\=(\S+[0-9])/)) {
    return ("Pop3 failed login",$1,"pop3failed","3","110,995","1");
}
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ imap\-login.*no auth attempts.*rip\=(\S+[0-9])/)) {
    return ("imap-login: Info: Disconnected (no auth attempts)",$1,"imapnoauth","3","143,993","1");
}
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ imap\-login.*auth failed.*rip\=(\S+[0-9])/)) {
    return ("imap-login: Info: Disconnected: Inactivity (auth failed)",$1,"imapfailedlogins","3","143,993","1");
}
# Do not edit beyond this point
Restart CSF & LFD (csf -r & lfd -r)
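Before restarting lfd it is worth checking that each rule actually fires on the log format your server writes and captures the right IP, since a pattern that never matches silently leaves the port open and a capture that grabs the wrong token would block the wrong address. The harness below is an added example, not part of the original tutorial or of CSF: it runs the same four patterns from regex.custom.pm (Python's re engine handles these constructs the same way Perl does) over constructed Postfix and Dovecot lines, including a successful login and a line fed from the wrong log file, and returns the lfd-style tuple for each hit. The log paths are the ones assumed from Step 1.

```python
import re

# Added example: a stand-alone harness for the custom lfd rules above.
# Each hit mirrors lfd's custom rule return format:
# (description, ip, block name, trigger count, ports, block time; 1 = permanent).
CUSTOM2_LOG = "/var/log/maillog"           # value assumed from Step 1
CUSTOM3_LOG = "/var/log/dovecot-info.log"  # value assumed from Step 1

# (log file the rule applies to, compiled pattern, (description, name, trigger, ports, block time))
RULES = [
    (CUSTOM2_LOG,
     re.compile(r"^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed"),
     ("Failed SASL login from", "mysaslmatch", "3", "25", "1")),
    (CUSTOM3_LOG,
     re.compile(r"^\S+\s+\S+\s+\S+ pop3-login.*auth failed.*rip=(\S+[0-9])"),
     ("Pop3 failed login", "pop3failed", "3", "110,995", "1")),
    (CUSTOM3_LOG,
     re.compile(r"^\S+\s+\S+\s+\S+ imap-login.*no auth attempts.*rip=(\S+[0-9])"),
     ("imap-login: Info: Disconnected (no auth attempts)", "imapnoauth", "3", "143,993", "1")),
    (CUSTOM3_LOG,
     re.compile(r"^\S+\s+\S+\s+\S+ imap-login.*auth failed.*rip=(\S+[0-9])"),
     ("imap-login: Info: Disconnected: Inactivity (auth failed)", "imapfailedlogins", "3", "143,993", "1")),
]


def match_line(logfile, line):
    """Return the lfd-style tuple for the first rule that matches, or None.

    Like lfd, a rule is only tried against the log file it was written for.
    """
    for lgfile, pattern, (desc, name, trigger, ports, perm) in RULES:
        if logfile != lgfile:
            continue
        m = pattern.search(line)
        if m:
            return (desc, m.group(1), name, trigger, ports, perm)
    return None


# Constructed sample lines (not real logs) in the Postfix and Dovecot formats the rules expect.
SAMPLE_LINES = [
    (CUSTOM2_LOG, "Mar  3 10:15:22 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: "
                  "SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    (CUSTOM3_LOG, "Mar 03 10:16:01 pop3-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): "
                  "user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, session=<abc>"),
    (CUSTOM3_LOG, "Mar 03 10:16:30 imap-login: Info: Disconnected (no auth attempts in 0 secs): "
                  "user=<>, rip=203.0.113.9, lip=198.51.100.2, TLS"),
    (CUSTOM3_LOG, "Mar 03 10:19:44 imap-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): "
                  "user=<alice>, method=PLAIN, rip=203.0.113.11, lip=198.51.100.2"),
    # A successful login must not trigger any rule.
    (CUSTOM3_LOG, "Mar 03 10:20:00 imap-login: Info: Login: user=<alice>, method=PLAIN, "
                  "rip=198.51.100.20, lip=198.51.100.2"),
    # Right pattern, wrong file: the Dovecot rules are bound to CUSTOM3_LOG, so this is ignored.
    (CUSTOM2_LOG, "Mar 03 10:21:00 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): "
                  "user=<x>, rip=203.0.113.13, lip=198.51.100.2"),
]


def run_samples(samples=SAMPLE_LINES):
    """Return {ip: (description, block name, ports)} for every sample line that fires a rule."""
    hits = {}
    for logfile, line in samples:
        result = match_line(logfile, line)
        if result:
            desc, ip, name, _trigger, ports, _perm = result
            hits[ip] = (desc, name, ports)
    return hits


if __name__ == "__main__":
    for ip, (desc, name, ports) in run_samples().items():
        print(f"{name:18} {ip:15} ports {ports:8} {desc}")
```

The two negative samples matter as much as the positive ones: the capture `(\S+[0-9])` deliberately backtracks past the trailing comma Dovecot writes after rip=, so the test confirms the IP comes out clean, and the wrong-file line shows why the rule is gated on $lgfile.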
If you run the CSF/LFD firewall on your server then you’ve no doubt seen the emails complaining about high resource usage for various accounts. This small tutorial will show you how to minimize them.
What does it mean?
Simply, it means that the process is using more resources than allowed.
Is it safe to change the default settings for it?
This is up to you – more than likely, if you’re searching for the term “Excessive resource usage”, then you are getting hammered with emails – which is actually worse because you’ll be numb to the alerts and won’t react if something really is going wrong (or won’t notice it because of all of the other email/alerts coming in all the time).
There are three things you can do:
1. Disable the check
2. Modify the check
3. Ignore certain users/commands that frequently send resource emails
1. Disable:
If you want to disable the check (we recommend you modify it instead, since you actually DO want these emails... if they're real), simply edit /etc/csf/csf.conf and change:
PT_USERMEM = "200"
2. Modify:
If you would like to modify the check (we recommend this), simply edit /etc/csf/csf.conf and change:
PT_USERMEM = "300"
This will raise the limit from 200 MB to 300 MB. You can put whatever you want there... but you want to set it a little higher than what you're seeing come through as your false positives.
3. Ignore certain users/commands:
If you want to ignore certain users or commands, then you would edit /etc/csf/csf.pignore and add a line for each user or command.
If you get an ‘excessive resource usage
cmd:/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
exe:/usr/sbin/pmtad
exe:/usr/sbin/hald
exe:/usr/libexec/hald-addon-acpi
How to disable these alerts
Disabling these alerts is not a good method to use. These email alerts are very useful for monitoring the use of server resources by user accounts. If you find that a particular process/service is necessary, you can allow it to continue using the server resources and disable the LFD notifications for it. You can disable LFD excessive memory usage notifications by using three methods. Each method is explained below. You can access the CSF configuration via either WHM or the terminal. I have already explained how to access CSF configuration via WHM.
Method 1
This method will permanently disable the LFD excessive resource usage alert. Performing this method poses a security issue.
1) Login to your WHM
2) Open the CSF Firewall configuration
3) Modify the value of directives PT_USERMEM and PT_USERTIME to 0.
PT_USERMEM = 0
PT_USERTIME = 0
4) Save the settings.
Method 2
In this method, we will increase the values of both memory and time to disable the LFD alerts. This method is a temporary one. If any process/service uses more resources than defined, you will continue to receive the LFD alerts.
1) Login to your WHM
2) Open the CSF Firewall configuration
3) Modify the values of the directives PT_USERMEM and PT_USERTIME to the desired limits.
PT_USERMEM = 500
PT_USERTIME = 150000
4) Save the settings
Method 3
This method is the standard technique for disabling the LFD alerts. In this method, we will include the particular process/service in the CSF pignore file. CSF will ignore any process/service listed in pignore and hence will no longer send LFD alerts for it.
1) Login to your server as root user.
2) Using your favorite editor open pignore of CSF. The common location of pignore is /etc/csf/csf.pignore.
3) Add the command line path specified in the alert to the pignore of CSF.
4) Save changes.
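The entry types csf.pignore accepts are worth knowing before you paste the path from an alert, because the prefix decides what is compared: exe: is matched against the executable path only, cmd: against the full command line, and user: against the process owner, while the p-prefixed forms take a Perl regex. The fragment below is an added example of such entries and is not from the original tutorial; the account name and paths are hypothetical.

```text
# /etc/csf/csf.pignore (added example entries, not from the original tutorial)
# exe:  exact executable path, as shown in the "Executable:" line of the alert
exe:/usr/sbin/nrpe
# cmd:  exact command line, as shown in the "Command Line:" line of the alert
cmd:/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
# user: ignore every process owned by this (hypothetical) service account
user:backupsvc
# pexe: Perl regex against the executable path; keep it narrow, a pattern like .* would silence every alert
pexe:/usr/libexec/hald-addon-.*
```

Prefer exe: or cmd: over the regex forms wherever the alert gives you an exact path, and restart lfd after editing the file so the change is picked up.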