The service “p0f” is now operational

santrix

Could you elucidate? Visitors to what services? What events/alerts? Could you give an example of the kind of data the service adds to the alerts? And where is the fingerprinting results data logged? Sorry, but there just isn't sufficient description of what this does for us to make an informed decision whether to use it or not. Thanks.
 

madsere

So what is this? A mail or a page from cPanel or from WHM? I have installed p0f but fail to understand what it brings to the table, other than considerable system load. Can you point to some practical documentation?
 

madsere

No, sorry but I think you missed my point. I don't want to remove it. I want to understand why it is useful, i.e. a page explaining what it does, and how I can use that information.

Your documentation just says "The Passive OS Fingerprinting daemon reports the visitor's operating system and other information for email notifications. This information helps you quickly identify visitors that trigger events that cause alerts." Ok, fine, but I don't recall seeing any mail notifications with any p0f or fingerprinting information. I get other mail from the server of course.
 

madsere

I saw the attachment and replied in Post #5 asking what it was and explaining that I have so far not received any such mail. Who is it sent to, the WHM admin or the cPanel customer?

I saw the thread, and already explained in Post #7 that I would like more details about it.

If the attachment in Post #4 is all p0f brings to the table, it really isn't worth the load it puts on the server and I think we'll disable it.
 

Infopro

> I saw the attachment and replied in Post #5 asking what it was and explaining that I have so far not received any such mail. Who is it sent to, the WHM admin or the cPanel customer?

Both. The one I added a screenshot of is to the Server Administrator.

What cPanel tier are you running?

> I saw the thread, and already explained in Post #7 that I would like more details about it.

What details are you missing after reading those links posted in the other thread?

> If the attachment in Post #4 is all p0f brings to the table, it really isn't worth the load it puts on the server and I think we'll disable it.

The details are there to do that if you wish. I'd open a ticket to cPanel Technical Support to ask about the load issues you're seeing though.

I find the additional details in the emails of value. YMMV of course.
 

madsere

> Both. The one I added a screenshot of is to the Server Administrator.
>
> What cPanel tier are you running?

RELEASE, currently WHM 11.50.0 (build 29)

> What details are you missing after reading those links posted in the other thread?

Hard to say without knowing what's available, just thought the available details are a bit sketchy.

> The details are there to do that if you wish. I'd open a ticket to cPanel Technical Support to ask about the load issues you're seeing though.
>
> I find the additional details in the emails of value. YMMV of course.

This is the kind of load p0f put on 4 VPS servers on one hardware node; mysql is the only other single piece of software consuming this much CPU power:

Code:
# top -cbn1 | grep p0f
   3438 32011     20   0 12980 4876 4324 R 100.0  0.0   8928:01 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d
   3602 32011     20   0 12868 4712 4320 S  0.0  0.0   2505:20 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
   4488 32011     20   0  9952 1856  336 S  0.0  0.0  68:27.29 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
  17234 32011     20   0 13420 5388 4460 S  0.0  0.0  14:57.61 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
716406 root      20   0  100m  864  752 S  0.0  0.0   0:00.00 grep p0f
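
To put a number on the load shown in the `top` output above, the following added example (not part of the original post and not cPanel code) sums the accumulated CPU time of the p0f processes and lists the ones that are currently busy. The function names are hypothetical, and it assumes top's default column order (%CPU in column 9, TIME+ in column 11, command in column 12) with TIME+ in minutes:seconds form.

```shell
#!/bin/sh
# Constructed sample: the lines from the `top -cbn1 | grep p0f` output
# quoted in the post above (truncated command lines kept as posted).
sample_top() {
cat <<'EOF'
   3438 32011     20   0 12980 4876 4324 R 100.0  0.0   8928:01 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d
   3602 32011     20   0 12868 4712 4320 S  0.0  0.0   2505:20 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
   4488 32011     20   0  9952 1856  336 S  0.0  0.0  68:27.29 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
  17234 32011     20   0 13420 5388 4460 S  0.0  0.0  14:57.61 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -
 716406 root      20   0  100m  864  752 S  0.0  0.0   0:00.00 grep p0f
EOF
}

# Sum the accumulated CPU time, in whole seconds, of every process whose
# command path ends in /p0f. The "grep p0f" line is skipped because its
# command column is "grep". Hundredths of a second are dropped.
p0f_cpu_seconds() {
  awk '$12 ~ /\/p0f$/ {
         n = split($11, t, ":")          # TIME+ is minutes:seconds[.hundredths]
         if (n == 2) total += t[1] * 60 + int(t[2])
       }
       END { print total + 0 }'
}

# Print the PID of each p0f process at or above a %CPU threshold ($1).
p0f_busy_pids() {
  awk -v thr="$1" '$12 ~ /\/p0f$/ && $9 + 0 >= thr + 0 { print $1 }'
}

# Stand-alone run on the sample; on a live server pipe `top -cbn1` in instead.
printf 'p0f CPU seconds: %s, PIDs at >= 50%% CPU: %s\n' \
  "$(sample_top | p0f_cpu_seconds)" "$(sample_top | p0f_busy_pids 50)"
```
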
 

cPanelMichael

Administrator
Staff member
> This is the kind of load p0f put on 4 VPS servers on one hardware node; mysql is the only other single piece of software consuming this much CPU power

Hello :)

Internal case CPANEL-699 aims to improve the performance for passive OS fingerprinting:

Fixed case CPANEL-699: Avoid p0f watching port 80 and 443 for performance reasons.

It's included with cPanel version 11.52, which is currently only available in the "Edge" build tier.

Thank you.
 

sonicthoughts

Is this documented anywhere? I'm trying to understand what this is used for, if it is useful, can it be configured, is it compatible with openvz? It's consuming a lot of CPU!
 

cPanelMichael

Administrator
Staff member
Yes, per the Service Manager document:

The Passive OS Fingerprinting daemon. This service reports the visitor's operating system and other information for email notifications. This information will help you quickly identify visitors that trigger events which cause alerts.

Thank you.
 

Kent Brockman

> Yes, per the Service Manager document:
>
> The Passive OS Fingerprinting daemon. This service reports the visitor's operating system and other information for email notifications. This information will help you quickly identify visitors that trigger events which cause alerts.
>
> Thank you.

So, if I don't use cpHulk, does p0f become useless or is it used in any other email notification? I do use CSF instead of cpHulk, but I'm not sure if by doing so p0f becomes useless and hence I may deactivate it.

Can anybody from staff confirm this?
 

cPanelMichael

Administrator
Staff member
> So, if I don't use cpHulk, does p0f become useless or is it used in any other email notification? I do use CSF instead of cpHulk, but I'm not sure if by doing so p0f becomes useless and hence I may deactivate it.

It's used in other email notifications (e.g. Password Change notifications, New Account notifications). However, note that it's not required so you can disable it and notifications will still work.

Thank you.