lfd reporting excessive resource usage / suspicious process "spamd child"

Discussion in 'Security' started by dcusimano, May 16, 2018.

  1. dcusimano

    dcusimano Member

    Joined:
    Feb 24, 2008
    Messages:
    16
    Likes Received:
    5
    Trophy Points:
    53
    Location:
    Toronto, Ontario, Canada
    It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as a suspicious and excessive process because it's running too long.

    I see a pair of notification emails every now and then:

    lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
    lfd on SERVERNAME: Suspicious process running under user USERNAME


    Excerpt from the "Excessive resource usage" email:

    Time: Wed May 16 07:01:43 2018 -0700
    Account: USERNAME
    Resource: Process Time
    Exceeded: 22283 > 1800 (seconds)
    Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
    Command Line: spamd child
    PID: 15690 (Parent PID:14162)
    Killed: No


    The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.

    Is this an issue with spamd or lfd?
    How do I fix it?

    Thanks.
     
    Gino Viroli likes this.
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    441
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Try adding the following process regex matches to the /etc/csf/csf.pignore file:
    Code:
    pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
    If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
    Code:
    pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
     
    Gino Viroli and dcusimano like this.
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,766
    Likes Received:
    439
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this.


    Thanks!
     
    dcusimano likes this.
  4. Sanjay Narayan

    Sanjay Narayan Member

    Joined:
    Jul 30, 2018
    Messages:
    18
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi @cPanelLauren
    By adding the line in the above file, CSF will ignore the spamd process. But RPC also keeps running for a longer time, and sometimes spamd in my case. What could be the reason for excessive resource usage by RPC and spamd?
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,766
    Likes Received:
    439
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Sanjay Narayan


    I believe the confusion is with the alert itself. This isn't an excessive resource usage alert; it's a process time alert indicating that the process has run longer than the threshold LFD has set. For these processes it is normal for them to be running like this.
     
  6. Gino Viroli

    Gino Viroli Well-Known Member

    Joined:
    Oct 2, 2007
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    FYI: we added only:

    Code:
    exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd
    to /etc/csf/csf.pignore file

    It seems to work fine.
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    441
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    That will work fine until the perl version changes - which is why I gave you a regex to cover all the perl versions for that process!

    For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd which would NOT match your rule.
     
    #7 rpvw, Jan 15, 2019
    Last edited: Jan 15, 2019
    Gino Viroli likes this.
  8. Gino Viroli

    Gino Viroli Well-Known Member

    Joined:
    Oct 2, 2007
    Messages:
    61
    Likes Received:
    3
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Sorry, didn't mean to pick on your answer. :(

    I'm still learning. :-p

    Thanks ;)

    P.S. for improved security maybe this one could be even better:
    Code:
    pexe:^/usr/local/cpanel/3rdparty/perl/.*/bin/spamd$
     
    #8 Gino Viroli, Jan 15, 2019
    Last edited: Jan 15, 2019
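
To compare the four csf.pignore rules posted in this thread, the following added example (not code from the thread or from csf) evaluates each rule against sample executable paths. The thread does not state whether lfd applies a `pexe:` pattern as a substring search or as a whole-path match, so both are shown as assumptions; Python's `re` stands in for Perl's regex engine, which treats these particular patterns the same way.

```python
import re

# Rules exactly as posted in the thread ("exe:" = literal path,
# "pexe:" = regular expression on the executable path).
RULES = [
    "exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd",
    "pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd",
    "pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl",
    "pexe:^/usr/local/cpanel/3rdparty/perl/.*/bin/spamd$",
]

# Sample executable paths. The first three appear in the thread; the last two
# are constructed to test how tightly each rule is scoped.
SAMPLES = [
    "/usr/local/cpanel/3rdparty/perl/524/bin/spamd",
    "/usr/local/cpanel/3rdparty/perl/526/bin/spamd",
    "/usr/local/cpanel/3rdparty/perl/526/bin/perl",
    "/home/USERNAME/usr/local/cpanel/3rdparty/perl/526/bin/spamd",  # constructed
    "/usr/local/cpanel/3rdparty/perl/526/bin/spamd-helper",         # constructed
]


def rule_matches(rule, exe, full_match=False):
    """Return True if one csf.pignore-style rule would cover this path.

    full_match=False models a substring search (assumption);
    full_match=True models a whole-path match (assumption).
    """
    kind, _, pattern = rule.partition(":")
    if kind == "exe":
        return exe == pattern  # literal comparison, version number included
    if kind == "pexe":
        rx = re.compile(pattern)
        hit = rx.fullmatch(exe) if full_match else rx.search(exe)
        return hit is not None
    raise ValueError(f"rule type not covered by this example: {kind}")


def ignored(rule, full_match=False):
    """List the sample paths a rule would exempt from process tracking."""
    return [exe for exe in SAMPLES if rule_matches(rule, exe, full_match)]


if __name__ == "__main__":
    for rule in RULES:
        for mode in (False, True):
            label = "full match" if mode else "search"
            print(f"{rule}  [{label}]")
            for exe in ignored(rule, mode):
                print(f"    ignores {exe}")
```

Under search semantics only the anchored rule limits the exemption to the two real spamd paths; the literal `exe:` rule covers a single perl version, and the perl-wide rule exempts the perl interpreter itself, which is the executable named in the original alert.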