help with perl syntax in csf.fignore

WorkinOnIt

Well-Known Member
Aug 3, 2016
212
30
28
UK
cPanel Access Level
Root Administrator
Hi all

I keep getting the "Suspicious process running under user" email from CSF.

I know that I can modify the pignore (ignore process) file in CSF, but for this particular issue, it is relevant only to a specific file - a log file that is taking too long to upload to external backup repository (Dropbox). The reason it's taking too long is a separate issue (that I am working to solve) and that will ultimately stop the emails.....

However, meanwhile, I would like some help on writing the correct Perl syntax, that I can add to the file ignore (csf.fignore) in CSF so that I no longer get the Suspicious process emails, where the log file is referenced.

The full path of the log file is as follows;

/home/userxyz/public_html/wp-content/infinitewp/backups/log.1234567abcdef.txt

The prefix and suffix changes due to user and log file name change - so I need some wildcards to ignore the first and last part of the string will be ignored e.g.

*/infinitewp/backups/log.*.txt

Here is what I have tried in the fignore file, but it is not working (I am still getting the emails)

*\/wp-content\/infinitewp\/backups\/log.*\.txt

I created this using the Regex Tester and Debugger Online - Javascript, PCRE, PHP reg ex debugger - where it seemed to be valid, but not working with CSF.

Thanks for any help!
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
460
113
UK
cPanel Access Level
Root Administrator
I think the reason your regex is not working is because you are trying to block a data file and not a process.

Try blocking the specific process that CSF reports (this will probably be a PHP file somewhere in your wp fileset) that is responsible for uploading the file to your Dropbox
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
212
30
28
UK
cPanel Access Level
Root Administrator
Thanks for your help, however as mentioned, I don't want to block the process as that has wide reaching ramifications.

For example, the process concerned is listed as either;

exe: /opt/cpanel/ea-php56/root/usr/bin/php-cgi or
exe: /opt/cpanel/ea-php71/root/usr/bin/php-cgi

My understanding is the fignore would allow me to target a specific data file, rather than a wider process.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
460
113
UK
cPanel Access Level
Root Administrator
csf.fignore is a list of files that lfd directory watching will ignore. (eg directories and/or files being watched for changes)

If your alert is due to a process
"Suspicious process running under user"
the presence of the filename in the fignore will not have any impact on the process alert

If you have a specific PHP file that is eg being called by a cron, try adding that to the
csf.pignore file (full path to file) or add the username the PHP is running under.
 
Last edited:
  • Like
Reactions: cPanelLauren