check_cpanel_rpms - p0f Missing

[izghitu]

Hi,

I started getting lots of emails from the service manager that the p0f process is down.

I logged in to the server and when running /scripts/restartsrv_p0f I get:
Service Error
(XID xn5vu9) The system could not find the ?p0f? binary.

p0f has failed. Contact your system administrator if the service does not automagically recover.

If I run which p0f I get:
/sbin/p0f

[email protected] [~]# rpm -q p0f
p0f-3.09b-1.el7.x86_64

/script/upcp did not help.

How do I fix this?
Please help

 

[ex300]

Hi,
we had this problem too after cPanel upgrade.

Just do this command:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

It will fix RPMs problems, you should see and output like this:

[2016-09-16 09:11:26 +0200]   Problems were detected with cPanel-provided files which are RPM controlled.
[2016-09-16 09:11:26 +0200]   If you did not make these changes intentionally, you can correct them by running:
[2016-09-16 09:11:26 +0200]
[2016-09-16 09:11:26 +0200]   > /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[2016-09-16 09:11:26 +0200]   The following RPMs are missing from your system:
[2016-09-16 09:11:26 +0200]   p0f-3.09b-1.cp1150

[2016-09-16 09:12:53 +0200]   Removing 0 broken rpms:
[2016-09-16 09:12:55 +0200]   Downloading [URL]http://httpupdate.cpanel.net/RPM/11.50/centos/7/x86_64/rpm.sha512[/URL]
[2016-09-16 09:12:55 +0200]   Successfully verified signature for cpanel (key types: release).
[2016-09-16 09:12:55 +0200]   Downloading [URL]http://httpupdate.cpanel.net/RPM/11.50/centos/7/x86_64/p0f-3.09b-1.cp1150.x86_64.rpm[/URL]
[2016-09-16 09:12:56 +0200]   Disabling service monitoring.
[2016-09-16 09:12:56 +0200]   Hooks system enabled.
[2016-09-16 09:12:56 +0200]   Checking for and running RPM::Versions 'pre' hooks for any RPMs about to be installed
[2016-09-16 09:12:56 +0200]   All required 'pre' hooks have been run
[2016-09-16 09:13:01 +0200]   No RPMS need to be uninstalled
[2016-09-16 09:13:01 +0200]   Installing new rpms: p0f-3.09b-1.cp1150.x86_64.rpm
[2016-09-16 09:13:01 +0200]   p0f-3.09b-1.cp1150.x86_64
[2016-09-16 09:13:02 +0200]   p0f-3.09b-1.el7.x86_64
[2016-09-16 09:13:02 +0200]   Hooks system enabled.
[2016-09-16 09:13:02 +0200]   Checking for and running RPM::Versions 'post' hooks for any RPMs about to be installed
[2016-09-16 09:13:02 +0200]   All required 'post' hooks have been run
[2016-09-16 09:13:02 +0200]   Restoring service monitoring.

Don't worry, it might take a while.

 

[Xtranetsa]

Hi there - Did you manage to find a fix for this? I am having the same issue which started earlier today!

 

[orudge]

I've experienced the same problem. You likely have EPEL enabled on your server. Running:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

should reinstall the cPanel version of p0f. If you were to then run "yum upgrade", you'd see something like the following:

[email protected] [~]# yum upgrade
Loaded plugins: fastestmirror, rhnplugin, tsflags, universal-hooks
This system is receiving updates from CLN.
Loading mirror speeds from cached hostfile
* EA4: 185.69.232.245
* cloudlinux-x86_64-server-7: de-proxy.cl-mirror.net
* epel: mirror.example.net
Resolving Dependencies
--> Running transaction check
---> Package p0f.x86_64 0:3.09b-1.cp1150 will be updated
---> Package p0f.x86_64 0:3.09b-1.el7 will be an update
--> Finished Dependency Resolution

Basically, the EPEL version of p0f is being installed on top of the cPanel version. To fix it, I disabled EPEL:

yum-config-manager --disable epel

However, as there are packages from EPEL that we use on the server, it would be good if cPanel could coexist with it. I don't know if it's possible to exclude particular packages (i.e., p0f) from particular yum repositories - that would perhaps be a better fix.

 

[caroseuk]

Hi all,

this morning we came into email notifications stating the following:

The system detected problems with the following cPanel-provided files that the RPM controls:

p0f-3.08b-8.cp1150 - Missing

If you did not make these changes intentionally, execute the following command as the root user to correct them:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

Should we run this command? We are assuming that the server during its daily updates has done something to the cPanel RPM and this is why it is erroring?

Please could someone advise?

 

[izghitu]

This helped, thanks for you help!

 

[SysSachin]

Hi,
Yes, you can run the command on your server.
If any RPM missing then the script will install missing RPM

 

[izghitu]

Ok, regardless that the process is running I still get the alerts saying it is down. It happens even if I disable the monitor from the service manager for p0f:
The service “p0f” appears to be down.

And in processes I can see it running:
32012 6585 0.3 0.0 11188 4844 ? Ss 10:49 0:09 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket less 400 and not dst port 80 and not dst port 443 and tcp[13] & 8==0

Please help

 

[caroseuk]

Thanks, I know I can run the file, but when upcp process next runs, surely this will update the package from EPEL again causing a repeat of this error message?

Should I add p0f* to the yum.conf exclude section and then re-run the /usr/local/cpanel/scripts/check_cpanel_rpms --fix script?

I would ideally like the EPEL repo and cPanel repos to work in unity so that errors like this don't keep re-occuring?

 

[Satalink]

Hello,

i noticed WHM has new features and got upgraded, in Service status page in WHM i see p0f service has "Down" red icon.

Is this ok? What to do?

In Home »Service Configuration »Service Manager , this p0f service is ticked as Enabled..

Thank you

I started getting flooded with this notice this morning. I created a symbolic link between the old and the new and the service recovered fine. So there seems to be a hard coded path to the old in cpanel somewhere.

# cd /usr/local/cpanel/3rdparty/sbin
# ln -sn /usr/sbin/p0f p0f

In my case, .../3rdparty/sbin was empty, so I may go back and create a symbolic link for .../3rdparty/sbin to /usr/sbin . That way everything the system has in sbin will be available to cPanel's .../3rdparty/sbin path.

yeah, I went back and made that change.

# ps -ef | grep p0f
cpanelc+ 5810 1 0 08:39 ? 00:00:15 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket less 400 and not dst port 80 and not dst port 443 and tcp[13] & 8==0

 

[Travis]

Hello Satalink,

This issue seems to be caused when EPEL is installed on the server. The version of p0f in EPEL ends up replacing the cPanel supplied version of p0f. To fix this please run /scripts/check_cpanel_rpms --fix

This should stop the emails from coming in.

 

[Faizal Kh]

Me too has the same issue. The p0f service has been down for the last 5-6hours. Reboot didn't fix it and running the scripts update just gives the same error

[[email protected] centos]# /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[2016-09-17 05:19:43 +0000]
[2016-09-17 05:19:43 +0000]   Problems were detected with cPanel-provided files which are RPM controlled.
[2016-09-17 05:19:43 +0000]   If you did not make these changes intentionally, you can correct them by running:
[2016-09-17 05:19:43 +0000]
[2016-09-17 05:19:43 +0000]   > /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[2016-09-17 05:19:43 +0000]   The following RPMs are missing from your system:
[2016-09-17 05:19:43 +0000]   p0f-3.09b-1.cp1150
^C
[[email protected] centos]# /scripts/check_cpanel_rpms --fix
[2016-09-17 05:20:00 +0000]
[2016-09-17 05:20:00 +0000]   Problems were detected with cPanel-provided files which are RPM controlled.
[2016-09-17 05:20:00 +0000]   If you did not make these changes intentionally, you can correct them by running:
[2016-09-17 05:20:00 +0000]
[2016-09-17 05:20:00 +0000]   > /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[2016-09-17 05:20:00 +0000]   The following RPMs are missing from your system:
[2016-09-17 05:20:00 +0000]   p0f-3.09b-1.cp1150
^C

I also tried a yum update and there seems to be some error with the epel repo

# yum update
Loaded plugins: fastestmirror, tsflags, universal-hooks
EA4                                                                                                                                              | 2.9 kB  00:00:00
base                                                                                                                                             | 3.6 kB  00:00:00
epel/x86_64/metalink                                                                                                                             | 5.9 kB  00:00:00
epel                                                                                                                                             | 4.3 kB  00:00:00
extras                                                                                                                                           | 3.4 kB  00:00:00
s3tools                                                                                                                                          | 1.3 kB  00:00:00
updates                                                                                                                                          | 3.4 kB  00:00:00
epel/x86_64/primary_db         FAILED                                                                                                 ]  0.0 B/s |    0 B  --:--:-- ETA
http://ftp.riken.jp/Linux/fedora/epel/7/x86_64/repodata/597b1f1a3c6695106bbd64e74500ee452ea92bf02a2c4a2978936faf2faf40d6-primary.sqlite.xz: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please create a bug on https://bugs.centos.org/

epel/x86_64/primary_db         FAILED                                                                                                 ]  0.0 B/s |  44 kB  --:--:-- ETA
https://epel.mirror.angkasa.id/pub/epel/7/x86_64/repodata/597b1f1a3c6695106bbd64e74500ee452ea92bf02a2c4a2978936faf2faf40d6-primary.sqlite.xz: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
epel/x86_64/primary_db         FAILED                                                                                                 ] 172 kB/s | 167 kB  00:00:27 ETA
http://mirror.wanxp.id/epel/7/x86_64/repodata/597b1f1a3c6695106bbd64e74500ee452ea92bf02a2c4a2978936faf2faf40d6-primary.sqlite.xz: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
(1/2): epel/x86_64/updateinfo                                                                                                                    | 627 kB  00:00:01
epel/x86_64/primary_db         FAILED
http://mirror01.idc.hinet.net/EPEL/7/x86_64/repodata/597b1f1a3c6695106bbd64e74500ee452ea92bf02a2c4a2978936faf2faf40d6-primary.sqlite.xz: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
(2/2): epel/x86_64/primary_db                                                                                                                    | 4.2 MB  00:00:00
Loading mirror speeds from cached hostfile
* EA4: 103.53.192.34
* base: centos.webwerks.com
* epel: epel.mirror.net.in
* extras: centos.webwerks.com
* updates: centos.webwerks.com
No packages marked for update

Please help. Doesn't this mean firewall is down? Without it, I cannot image the number of attacks that have taken place.

 

[BigIron]

I'm having the same exact issue. Any idea what we need to do to fix it?

 

[Infopro]

I'm having the same exact issue. Any idea what we need to do to fix it?

This post should be helpful:
p0f service shows "down" icon

 

[Dradden45]

I have the same issue. epel is installed.

/scripts/check_cpanel_rpms --fix

I ran yesterday and still have the same issue today (update generated same warning)

 

[caroseuk]

I just ran the --fix command and it appeared to fix it.

I'm waiting for the next scheduled 'upcp' to run tonight to see if it succeeds or if it removes the p0f rpm again..

Fingers crossed!

 

[fidividi]

Hi,
we had this problem too after cPanel upgrade.

Just do this command:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

That did it, hope cPanel will fix this conflict between their package and EPEL soon.

 

[OgreMHDW]

I am having the same issue. I was able to run the --fix command to fix it yesterday but today the system did the upgrade check and broke it again. Is there a way to prevent cPanel from trying to "upgrade" p0f?

 

[caroseuk]

Can cPanel advise on this issue then? As no one should have to keep running the --fix command every day??

I understand that we could just disable the EPEL repo, but we need it for other software on the server.

There must be something we can do surely?

Any cPanel/WHM folks able to help?

 

[rpvw]

Have you tried adding to your /etc/yum.repos.d/epel.repo file

includepkgs=xyz 123 abc*

where xyz, 123 are the package names you want this repo to update, and abc* is all packages starting with abc (packages should be separated with a space)

This is a bit of a pain if you are using EPEL for a lot of packages, but if it is only a few, it is relatively easy

Please Note : This applies to yum for CentOS 6x - for version 7 you may have to do some research into whether the syntax has changed or not.