Excessive resource usage from cPanel 3rdparty processes

[tui]

First, i want to clarify that i know from where the alerts are comming and that CSF/LFD is not part of cPanel, i know how to "disable" or prevent the CSF/LFD alerts, and thats not what i want to do...

The issue is not with CSF/LFD exactly, is from cPanel php-fpm directly let me explain:

Here is one of the alerts im receiving everyday since a past cPanel update WHERE cpanel started using php-fpm as the default php handler for cPanel processes:

Subject: lfd on host.server.com: Excessive resource usage: useraccount (30966 (Parent PID:30443))
Time: Thu Oct 20 10:29:40 2022 -0500
Account: useraccount
Resource: Process Time
Exceeded: 2165 > 2100 (seconds)
Executable: /usr/local/cpanel/3rdparty/php/74/sbin/php-fpm
Command Line: php-fpm: pool user_useraccount
PID: 30966 (Parent PID:30443)
Killed: No

I know what this mean and that if i change the time on CSF/LFD or ignore the user account or ignore the executable the alerts are going to go away, but thats not the purpose of CSF/LFD in that case if i will start to ignore users and processes is better to remove CSF/LFD.

What i see here is that this alerts are comming after cPanel change the handler to php-fpm;

After investigating, the alerts im receiving are from users that are using roundcube, however, with php-fpm is not possible to ignore the roundcube executable, and, if you raise the time to receive an alert (that is not what i want for my server) the alerts keeps triggering because the user keeps the roundcube opened in their browser, there are users that leave their browser with roundcube opened all the 24hours of the day.

If you ignore the executable you will not receive alerts when a accounts get compromised or a user uses a php file to do nasty things, if you ignore the user pool is the same.

So, the problem i see is that they way that php-fpm works there is no way to se the exact filename, process or executable that is triggering the alerts...

My question is no how can i get rid of the alerts but many questions:

1) How can i properly handle the executable or files when using php-fpm?
2) How can i properly add roundcube to ignore if php-fpm only shows the user pool so i can still watching the users processes?
3) Is there a way to completely disable php-fpm for cpanel processes?
3.1) Turning PHP-FPM service for cPanel Daemons off on "WHM>>Service Configuration>> Service Manager" is not a way because it turn on automatically after few hours/days (SOLVED - CPANEL-37047 - How to disable PHP-FPM for cpanel) and the option to disable it will be removed in future.
4) Is there a way that the php-fpm service for cPanel Daemons are handled by different handler like suphp instead of cgi/fcgi so we can keep track of the real executable and ignore them properly?

 

[cPRex]

Hey there! I think the main issue is the root cause of the notification. PHP-FPM process are longer-running than their more traditional PHP counterparts, so I think disabling the process time check for that specific process globally is a fine option.

1 - I'm not sure I understand this question - can you get me more details?
2 - Adding the specific Roundcube executable will stop that notification for all users.
3 - We determined this is happening by design during the nightly updates as WordPress Toolkit required PHP-FPM, so there's not a way to disable that. Is there a specific reason you need this disabled? We ship this is a default and few users run into issues with that configuration.
4 - Not that I know of at this time.

 

[tui]

Hey there! I think the main issue is the root cause of the notification. PHP-FPM process are longer-running than their more traditional PHP counterparts, so I think disabling the process time check for that specific process globally is a fine option.

1 - I'm not sure I understand this question - can you get me more details?
2 - Adding the specific Roundcube executable will stop that notification for all users.
3 - We determined this is happening by design during the nightly updates as WordPress Toolkit required PHP-FPM, so there's not a way to disable that. Is there a specific reason you need this disabled? We ship this is a default and few users run into issues with that configuration.
4 - Not that I know of at this time.

For 1 and 2

The problem is that there is no way to disable the process time check for specific process as php-fpm just show itself as the process but not the exact process

In this specific case (but there are more cases that apply) CSF/LFD sees the process as "Executable: /usr/local/cpanel/3rdparty/php/74/sbin/php-fpm" and the command line as "Command Line: php-fpm: pool user_useraccount", but the real process is "webmaild" (as you can see on the attached image) that is roundcube

There is no way to add webmaild or roundcube to the pignore list because php-fpm is what CSF/LFD sees, no mater if you add webmaild or roundcube to ignore, alerts about php-fpm will still triggering

If you turn off php-fpm for cpanel, the process changes and CSF/LFD sees the process exactly as the command that is triggering it and then you can ignore the process but not with php-fpm

So, if i add php-fpm to ignore and a user execute a php script to do nasty things i will never get the alert, did you get what is happening here?

The same ocurrs if you use cgi/fcgi as a php handler for domains because cgi/fcgi never shows you the exact process, but this is not problem because we can change the php handler to suphp but not for php-fpm for cpanel

In this case, if a user keeps the webmail opened in the browser all the time i receive php-fpm alerts every xx time and there is no way to ignore the webmaild service

 

[cPRex]

@tui - I'm sure there is a good workaround, but I'm not finding much on my end. Could you create a ticket for this issue so our team can look into this and get you a more official response?

 

[foxmedo]

did you find solution for this matter ?

 

[cPRex]

@foxmedo - can you post additional details on the specific problem you're experiencing?

 

[tui]

did you find solution for this matter ?

No, and I don't think there exists or will exist a solution in the future. Currently, the only thing you can do is to turn off php-fpm for cpanel from the "service manager," but this is only a temporary solution since php-fpm for cpanel automatically activates again after a few days. Additionally, cpanel plans to remove the function of deactivating it in the future (SOLVED - CPANEL-37047 - How to disable PHP-FPM for cpanel). So, when that happens, your only option will be to ignore php-fpm completly on csf, but if you ignore it, you won't know if a user is consuming excessive resources due to some bad PHP script, or if a user has been hacked and there is a PHP script with malicious intent. The other option is that you review the lfd/csf alerts everytime they arrive one by one to see if they are related to webmail or some malicious script and delete them if they are not from wemail, but you will have to live with that for the rest of your life...

What I am doing for now, while cpanel still allows deactivation of php-fpm for cpanel, is completely disabling WordPress Toolkit. As mentioned in the post I shared above, WordPress Toolkit is one of the culprits that automatically activates php-fpm for cpanel. Additionally, I am deactivating php-fpm for cpanel every time it is reactivated. Even doing that, php-fpm for cpanel automatically reactivates after a few days, but it is less frequent now that WordPress Toolkit is disabled on the server.

However, the "problem" (if we can call it like that because is not exactly a problem) is that lfd/csf only sees php-fpm for cpanel as php-fpm instead the actual proccess (/usr/local/cpanel/base/3rdparty/roundcube/index.php) as php-fpm runs every php script for cpanel but there is no way to "know" (at naked eyes) that the process is the php file of roundcube, we know that but lfd/csf does not knows as php-fpm runs everything on the server, so, if you ignore it you will never knows if an account or some malicious php script runs on your server