The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

LFD file and folder watching is confusing

Discussion in 'Security' started by BlueSteam, Oct 14, 2015.

  1. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    Hi All,

    I have set the CSF filrewall to monitor two folders for any changes. Names my WHMCS directory. Inside this folder there are hundreds if not thousands of files.

    No when a single file is changed for any reason, an email is sent to me telling me that there were files changed. but it doesn't indicate WHICH file. It's a bit useless to me at this stage but I would really like to know WHICH files have actually changed.

    Is this possible to simply filter out the changed files??

    Thanks in advance
    BlueSteam
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You will likely receive more feedback to this question on the CSF forums, as this is a feature of CSF instead of cPanel/WHM.

    Thank you.
     
  3. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    I have received absolutely NO feedback on the CSF forums. I even proceeded to open a support ticket to which they batted me away saying I must pay to have my concern answered. :eek:
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Please post one of these emails intact, only obfuscate your personal details first please, thanks.
     
  5. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    The email just contains a full list of the folder it is monitoring. This email is meant to indicate to me that something has changed. but to know WHICH file has changed is a nightmare if the folder has thousands of files in it. see attached
     

    Attached Files:

  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you please explain exactly how you set this up? What I mean is, what you added to the csf.dirwatch file, exactly.
     
  7. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    I simply added this location to the csf.dirwatch
    /home/cpanelaccount/public_html/admin
     
  8. simon templar

    simon templar Member

    Joined:
    Mar 28, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    The best way to see if something changed would be to export the result of /home/cpanelaccount/public_html/admin via ls -lsAr into a file , and once you receive an email , do the same (into another file) then compare the md5sum . If they are different, then something changed.

    This is what csf.dirwatch does basically .
     
  9. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    Thank you for looking. I do realize that this is how it works but I'm saying that it is silly to watch a directory to alert you that something changed and then not actually SHOW you what changed. This tool can be improved on so many levels. Really sad that no one has corrected it.
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Can you give me an example of a file change you might make in your WHMCS admin directory?

    What are your other settings under the Directory Watching & Integrity section?
     
  11. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    There are no other setting to set. If csf.dirwatch has content in it then it will monitor those files and locations. then simply send you an email with a full output of all the files and directories. It has not intuitive way of telling you what changed and no additional settings to set. it's a very STUPID system.
     
    #11 BlueSteam, Oct 27, 2015
    Last edited: Oct 27, 2015
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Sure there is: CSF > Directory Watching & Integrity

    Can you provide me an example that triggers the email you got?
     
  13. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    anything that changes. like if a file is uploaded or renamed or replaced etc.
    directory_watching.PNG
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I do not have LF_DIRWATCH_DISABLE set to 1. As it states, that would grab and tarball the files.

    I am unable to trip this and get an email like you are. I'm using the same directory as you (different name though see: Further Security Steps > WHMCS Docs) and the same (I assume) WHMCS files.

    Editing a file, replacing a file, deleting a file, uploading a new completely unrelated file to that directory, does not trip this for me.

    I do note that you first posted this thread on Oct 14, and by the dates in the output you posted, it seems you just updated WHMCS on Oct 14 as well. I updated my own on Oct 13. I got no email about that, like your email, either.

    I wonder what the difference is between yours and mine then?
     
  15. BlueSteam

    BlueSteam Well-Known Member

    Joined:
    Feb 21, 2013
    Messages:
    53
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    That setting doesn't tarball the files. It doesn't state that it does. it states
    So, the LF_DIRWATCH simply watches the directories that you want watched for any changes. If there are changes, it kicks off a mail. Mine works. I don't know why you'rs isn't working.
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Me either.

    LF_DIRWATCH_FILE is the one emailing you, not LF_DIRWATCH. Descriptions are above, not below each setting.
     
Loading...

Share This Page