lfd reporting excessive resource usage / suspicious process "spamd child"

Discussion in 'Security' started by dcusimano, May 16, 2018.

  1. dcusimano

    dcusimano Member

    Joined:
    Feb 24, 2008
    Messages:
    16
    Likes Received:
    5
    Trophy Points:
    53
    Location:
    Toronto, Ontario, Canada
    It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as suspicious and excessive process because it's running too long.

    I see a pair of notification emails every now and then:

    lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
    lfd on SERVERNAME: Suspicious process running under user USERNAME


    Excerpt from the "Excessive resource usage" email:

    Time: Wed May 16 07:01:43 2018 -0700
    Account: USERNAME
    Resource: Process Time
    Exceeded: 22283 > 1800 (seconds)
    Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
    Command Line: spamd child
    PID: 15690 (Parent PID:14162)
    Killed: No


    The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.

    Is this an issue with spamd or lfd?
    How do I fix it?

    Thanks.
     
    Gino Viroli likes this.
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    908
    Likes Received:
    349
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Try adding the following process regex matches to the /etc/csf/csf.pignore file:
    Code:
    pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
    If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
    Code:
    pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
     
    dcusimano likes this.
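
The alert fields from the first post checked against the two csf.pignore rules suggested above, as an added example that is not part of the original posts or of csf. It assumes that `pexe`/`pcmd` patterns must match the whole executable path or command line and that Python's `re` stands in for Perl regex; the `pcmd:spamd child` rule and the second process are constructed for illustration.

```python
import re

# Alert excerpt copied from the first post in this thread.
ALERT = """\
Time: Wed May 16 07:01:43 2018 -0700
Account: USERNAME
Resource: Process Time
Exceeded: 22283 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
Command Line: spamd child
PID: 15690 (Parent PID:14162)
Killed: No
"""
# Constructed: a different long-running script under the same perl binary.
OTHER_PERL = ALERT.replace("spamd child", "perl /home/USERNAME/script.pl")

# The two pexe rules are from the thread; the pcmd rule is a hypothetical,
# narrower alternative added for comparison.
PIGNORE = """\
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child
"""
# csf.pignore rule type -> alert field it is compared against.
FIELD = {"exe": "Executable", "cmd": "Command Line", "user": "Account"}

def parse_alert(text):
    """Split the 'Key: value' lines of an lfd alert into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def matching_rules(alert_text, pignore_text):
    """Return the csf.pignore rules that would cover the alerted process."""
    proc = parse_alert(alert_text)
    hits = []
    for rule in pignore_text.splitlines():
        kind, _, pattern = rule.strip().partition(":")
        is_regex = kind.startswith("p") and kind[1:] in FIELD
        base = kind[1:] if is_regex else kind
        if base not in FIELD:  # blank lines, comments, unknown rule types
            continue
        value = proc.get(FIELD[base], "")
        # Assumption: regex rules match the whole value; literal rules compare exactly.
        if re.fullmatch(pattern, value) if is_regex else pattern == value:
            hits.append(rule)
    return hits

if __name__ == "__main__":
    for name, alert in (("spamd child", ALERT), ("other perl script", OTHER_PERL)):
        print(name, "->", matching_rules(alert, PIGNORE))
```

The `Executable` reported in the alert is the perl binary, so only the perl-wide `pexe` rule and the command-line rule cover it, and the perl-wide rule also covers the unrelated constructed script.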
  3. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this.


    Thanks!
     
    dcusimano likes this.
  4. Sanjay Narayan

    Joined:
    Jul 30, 2018
    Messages:
    18
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi @cPanelLauren
    By adding the line in the above file, CSF will ignore the spamd process. But RPC also keeps running for a longer time, and sometimes spamd in my case. What could be the reason for excessive resource usage by RPC and spamd?
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Sanjay Narayan


    I believe the confusion is with the alert itself. This isn't an excessive resource usage alert; it's a process time alert indicating that the process has run longer than the threshold LFD has set. For these processes it is normal for them to be running like this.
     