Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
Hello,

How can i disable this email notification `lfd on xxxxxxxxxxxxxxxxxxxxx: WHM/cPanel root access alert from IP xxxxxx` whenever i switch tabs?

I want to receive this email only when I/someone logging in to the WHM interface. If i switch browser tab, and if i click some other menu item again I'm getting this alert? why is that? im already logged in so i shouldnt be getting this alert right?
 

Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
Hey there! I'm not sure as to the specific setting's name, but I believe there is a setting that determines whether access notifications are enabled.

Could you run this to see what options are available?

Code:
grep -i alert /etc/csf/csf.conf
Hi @cPJustinD

Here you go -

Code:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
# 2 = Disable only alerts about this feature and do nothing else
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
LOGFLOOD_ALERT = "0"
# By default, lfd will send alert emails using the relevant alert template to
# option will override the configured To: field in all lfd alert emails
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""
# By default, lfd will send alert emails using the relevant alert template from
# option will override the configured From: field in all lfd alert emails
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""
# By default, lfd will send all alerts using the SENDMAIL binary. To send using
LF_ALERT_SMTP = ""
# In addition to the standard lfd email alerts, you can additionally enable the
# block alert messages will be sent. The reports use our schema at:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
LF_PERMBLOCK_ALERT = "1"
LF_NETBLOCK_ALERT = "1"
# SECTION:Login Failure Blocking and Alerts
# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"
# Send an email alert if an IP address is only temporarily blocked by one of
# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
LF_TEMP_EMAIL_ALERT = "1"
# [*]Enable detection of repeated suhosin ALERTs
# Send an email alert if anyone logs in successfully using SSH
LF_SSH_EMAIL_ALERT = "1"
# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
LF_SU_EMAIL_ALERT = "1"
# Send an email alert if anyone uses sudo to access another account. This will
# send an email alert whether the attempt to use sudo was successful or not
LF_SUDO_EMAIL_ALERT = "0"
# Send an email alert if anyone accesses webmin
LF_WEBMIN_EMAIL_ALERT = "1"
# Send an email alert if anyone logs in successfully to root on the console
LF_CONSOLE_EMAIL_ALERT = "1"
# Send an email alert if anyone accesses WHM/cPanel via an account listed in
# LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
LF_CPANEL_ALERT = "1"
# If a LF_CPANEL_ALERT event is triggered, then if the following contains the
LF_CPANEL_ALERT_ACTION = ""
# This is a comma separated list of accounts to send alerts for. To send an
# alert for all accounts set this to "all"
LF_CPANEL_ALERT_USERS = "root"
# This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
LF_SCRIPT_ALERT = "0"
# The limit afterwhich the email alert for email scripts is sent. Care should
# If an LF_SCRIPT_ALERT event is triggered, then if the following can contain
# following information as parameters which also appears in the email alert:
# If this option is enabled, the directory identified by LF_SCRIPT_ALERT will
# Checks the length of the exim queue and sends an alert email if the value of
# Note: If there are problems sending out email, this alert may not be received
LF_QUEUE_ALERT = "2000"
# This option will send an alert if the ModSecurity IP persistent storage grows
# used is modsecipdbalert.txt
LF_MODSECIPDB_ALERT = "5"
# to send an alert in case a possible server compromise is detected
# file is found an email alert is sent. One alert per file per LF_FLUSH
# changes and should they change and email alert using watchalert.txt is sent
# md5sum of a monitored file changes an alert is sent. This option is intended
# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"
# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"
# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
LT_EMAIL_ALERT = "1"
# server. There are also options to send alerts and block external IP addresses
# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent
RT_RELAY_ALERT = "1"
RT_AUTHRELAY_ALERT = "1"
RT_POPRELAY_ALERT = "1"
RT_LOCALRELAY_ALERT = "1"
RT_LOCALHOSTRELAY_ALERT = "1"
# information as parameters which also appears in the email alert:
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"
# suspicious process is found an alert email is sent with relevant information.
# exceeds the value of the following setting an email alert is sent with
# This User Process Tracking option sends an alert if any user process exceeds
# This User Process Tracking option sends an alert if any user process exceeds
# This User Process Tracking option sends an alert if any cPanel user process
# If you want to disable email alerts if PT_USERKILL is triggered, then set
PT_USERKILL_ALERT = "1"
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# This is the Apache Server Status URL used in the email alert. Requires the
# terminated and an alert sent
# Set the following to "1" to enable Port Scan Tracking email alerts, set to
PS_EMAIL_ALERT = "1"
# times within UID_INTERVAL seconds, an alert will be sent
# a modifications to an account, an alert email is sent. Only the modification
# You can set AT_ALERT to the following:
AT_ALERT = "2"
# Send alert if a new account is created
# Send alert if an existing account is deleted
# Send alert if an account password has changed
# Send alert if an account uid has changed
# Send alert if an account gid has changed
# Send alert if an account login directory has changed
# Send alert if an account login shell has changed
# This controls what email alerts are sent with regards to logins to the UI. It
# uses the uialert.txt template
UI_ALERT = "4"
RECAPTCHA_ALERT = "1"
# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
PORTKNOCKING_ALERT = "0"
# This is the interval each report will be sent based on the logalert.txt
 

Ksmith08

Member
May 7, 2019
12
0
1
Root
cPanel Access Level
Root Administrator
You want to change
Code:
LF_CONSOLE_EMAIL_ALERT
to off, which I believe would be a "0" for that config file.
im not talking about the console login. im talking abt WHM logins... i'd like to know why im getting lfd notifications when i switch tabs and when im already logged in?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
@Ksmith08 - I suppose that could happen if each tab had a different authentication token. If you check the URL, do you see the same number in the cpsess########## portion of the URL?

It's important to note that cPanel doesn't create the CSF/LFD software, so if you're seeing odd behavior with that it would be best to reach out to them directly here to let them know: ConfigServer Technical Support