Excessive resource usage and csf default install

[jeffschips]

Hello. I hope everyone is safe and healthy.

I've read the post about exessive resource usage here:

lfd reporting excessive resource usage / suspicious process "spamd child"

It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as suspicious and excessive processs because it's running too long. I see a pair of notification emails every now and then: lfd on SERVERNAME...

forums.cpanel.net

In my case yes, I'm receiving a lot of exessive resource usage notifications such as:

/usr/local/cpanel/3rdparty/perl/536/bin/perl
/opt/cpanel/ea-php80/root/usr/sbin/php-fpm

When I look in my csf.pignore file I see a lot of processes ignored and wonder if this is the standard listing? I also see entries for programs no longer in use.

Any insight would be helpful. Thank you.

cat csf.pignore:

exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
exe:/usr/local/openvpn_as/sbin/openvpn-openssl
exe:/usr/bin/redis-server
exe:/usr/local/openvpn_as/bin/python
exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/lsmd
exe:/usr/bin/postgres
exe:/usr/bin/spamc
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/polkit-1/polkitd
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/dict
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/lmtp
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/quota-status
exe:/usr/libexec/dovecot/stats
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/mysqld
exe:/usr/local/apache/bin/httpd
exe:/usr/local/cpanel/3rdparty/bin/analog
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/local/cpanel/3rdparty/bin/imapd
exe:/usr/local/cpanel/3rdparty/bin/php
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
exe:/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
exe:/usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
exe:/usr/local/cpanel/3rdparty/php/54/sbin/php-fpm
exe:/usr/local/cpanel/3rdparty/sbin/mydns
exe:/usr/local/cpanel/3rdparty/sbin/p0f
exe:/usr/local/cpanel/bin/cppop
exe:/usr/local/cpanel/bin/cppop-ssl
exe:/usr/local/cpanel/bin/cpuwatch
exe:/usr/local/cpanel/bin/cpwrap
exe:/usr/local/cpanel/bin/logrunner
exe:/usr/local/cpanel/bin/pkgacct
exe:/usr/local/cpanel/cpanel
exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/cpsrvd
exe:/usr/local/cpanel/cpsrvd-ssl
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/sbin/chronyd
exe:/usr/sbin/exim
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nscd
exe:/usr/sbin/nsd
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/sshd
exe:/var/cpanel/3rdparty/bin/php
exe:/usr/sbin/pdns_server
exe:/usr/local/cpanel/bin/autossl_check
exe:/usr/local/cpanel/bin/whm_xfer_download-ssl
pexe:^/usr/lib/jvm/java-.*/jre/bin/java$
exe:/usr/libexec/dovecot/indexer-worker
exe:/usr/libexec/dovecot/indexer
pexe:/usr/local/cpanel/3rdparty/bin/git.*
pexe:/usr/local/cpanel/3rdparty/libexec/git-core/git.*
pexe:/usr/bin/python2.7
exe:/usr/libexec/dovecot/imap-hibernate
exe:/opt/alt/python35/bin/python3.5
exe:/usr/sbin/imunify-notifier
exe:/usr/sbin/sw-cp-serverd
exe:/usr/bin/sw-engine
exe:/usr/sbin/sw-engine-fpm

 

[dexus]

Yes, that looks like a standard listing.

They tried to cover everything, but it's not possibile, so there will always be some more executables or command lines that you have to add to that list.

 

[cPRex]

It's also important to note that cPanel doesn't provide or distribute CSF, so that list isn't up to us at all.

 

[jeffschips]

Thanks all for the information.

I'm guessing I can disable the references to php 5x as I don't have that on my system? As well, my current install shows the following python versions, so I'm guessing I can also disable Python 2.7.5 as well?

active?: Python 2.7.5

current: Python 3.6.8

pexe:/usr/bin/python2.7
exe:/opt/alt/python35/bin/python3.5