how to view “p0f” usage only

Spirogg

Well-Known Member
Feb 21, 2018
chicago
cPanel Access Level
Root Administrator
Hello, how can I view p0f usage? I keep getting emails from LFD / CSF about: p0f 1744 WARNING: too many tracked connections deleting 101. use -m to adjust

So how do we know how many is too many?
Is this based on website visitors visiting the site, or on emails sent from different notifications?
I see I get an LFD email when I log in, and it gives me more info on my IP and computer OS, browser, etc.

But the logs get pretty much pounded with this, over 300 plus lines,
all the same message. Is there some way an attacker can create so many of these p0f warnings just by clicking on a certain part of the cPanel site or trying to log in to the SSH backend, so that it needs to delete 10% of the data to make room to log more?
Is there a separate log for p0f?

Is there a way to watch this live in real time somehow and see if it's sending that warning too much in the last couple of hours?
I have never seen that before, so I am wondering why it shows up in the last 2 hourly emails I get from the CSF / LFD Log Scanner Report.

- Last question: is it worth having this ON? I am the only one logging in to WHM and cPanel.
No other users use this server or log in, so I get an email from CSF when I log in. So I'm not sure if I need the extra "who logged in from where and from what computer".

If there is any other related security advantage, can you give me your thoughts and why?

Thanks so much
Spiro

ITHKBO

Active Member
Jun 23, 2020
Netherlands
cPanel Access Level
Root Administrator
I am not 100% sure if this is exactly what you are searching for, but a live view of the LFD and CSF logs can be done from "Watch System Logs" under Home » Plugins » ConfigServer Security & Firewall.

For example, /usr/local/cpanel/logs/acces_logs shows these types of alerts.
Code:
123.123.123.123 - root [05/05/2022:12:46:38 -0000] "GET /cpsess1788942004/cgi/configserver/csf.cgi?action=logtailcmd&lines=100&lognum=3&nocache=1651754804569 HTTP/1.1" 200 0 "https://servername.tld:2087/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36" "s" "-" 2087
The "Search System Logs" option, on the other hand, can be used to narrow down possible undesired behavior based on the information observed during the watch.
But personally, if it is indeed those types of logs getting pruned, I would not worry unless it states brute-force attempts.

Though I do recommend waiting for a second opinion on this matter.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
From the Service Manager documentation:

This daemon reports the visitor’s operating system and other information for email notifications that the system administrator requests in WHM’s Contact Manager interface (WHM >> Home >> Server Contacts >> Contact Manager). This information helps a system administrator quickly identify visitors that trigger events that cause alerts. The spam prevention and cPHulk systems use this information to identify potential spammers and brute force attacks. For example, if a user logs in to a server from multiple locations and uses multiple operating systems, this may indicate that someone has compromised the user’s account. For more information about this daemon, read the Passive OS Fingerprinting documentation at GitHub.

If you don't find that information useful, you can disable the service completely in WHM >> Service Manager.

How much this runs really depends on the amount of traffic the server is receiving. There were a few cases in the past (CPANEL-2092, CPANEL-699, for example) where we tweaked the service for improved performance. However, it sounds like you're just seeing it running a lot, not necessarily causing performance issues.

The best way to see things in real time for this might be to just check "top" or "ps aux" to see how many p0f processes are running.
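A small script, added here as an example and not part of the thread or of cPanel/CSF, that answers the "how often in the last couple of hours" question: it buckets the p0f "too many tracked connections" warning by hour from a log file, and counts running p0f processes the way cPRex suggests. The log path and the exact syslog line format are assumptions; the sample lines below are constructed, not real server output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the p0f warning is written in
# syslog format ("Mon  D HH:MM:SS host p0f[pid]: ...") to a file such as
# /var/log/messages; adjust the path and pattern to what your server logs.

# Constructed sample log lines in that assumed format.
SAMPLE_LOG='May  5 12:01:02 host p0f[1744]: WARNING: too many tracked connections, deleting 101. use -m to adjust
May  5 12:01:07 host p0f[1744]: WARNING: too many tracked connections, deleting 101. use -m to adjust
May  5 13:15:40 host p0f[1744]: WARNING: too many tracked connections, deleting 101. use -m to adjust
May  5 13:16:01 host sshd[2211]: Accepted publickey for root from 203.0.113.5 port 50412 ssh2'

# count_p0f_warnings <logfile>
# Prints one "<Mon> <D> <HH>:00 <count>" line per hour that contains the
# warning, oldest first. A cluster in one hour points at a traffic burst
# rather than a constant background rate.
count_p0f_warnings() {
    grep 'p0f.*too many tracked connections' "$1" \
      | awk '{ split($3, t, ":"); key = $1 " " $2 " " t[1] ":00"; n[key]++ }
             END { for (k in n) print k, n[k] }' \
      | sort
}

# running_p0f_count
# Number of p0f processes right now (what "ps aux" shows); the [p] bracket
# keeps the grep itself out of the count.
running_p0f_count() {
    ps aux | grep -c '[p]0f'
}

# Demo against the constructed sample: run with "--demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    count_p0f_warnings "$tmp"
    rm -f "$tmp"
    echo "p0f processes running now: $(running_p0f_count)"
fi
```

Point count_p0f_warnings at the real log file (for example the file LFD reads its report from) to see whether the warnings line up with the hours of the two report emails.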