Uninstall, remove or disable p0f/cpanelconnecttrack

shadowone

When we updated cPanel to 11.50 on one of our servers we ticked the new p0f feature. Now we want it gone.

We unticked the p0f-cpanelsync options Enabled and Monitor in WHM -> Service Configuration -> Service Manager, but nothing happened. When we kill the processes, they restore themselves. Also, we are still receiving Excessive resource usage: cpanelconnecttrack (315802 (Parent PID:315802)).

So how can we uninstall/remove/disable it?

Infopro

I am aware of what you're looking to do; there really should be no reason to, though.

Passive OS fingerprinting (p0f) - cPanel Release Notes
In cPanel & WHM version 11.50, we improved the GeoIP identifier and added operating system and other information to email notifications. This information helps you quickly identify users that trigger events.

Service Manager Service daemons - cPanel Documentation
Passive OS Fingerprinting Daemon
The Passive OS Fingerprinting daemon reports the visitor's operating system and other information for email notifications. This information helps you quickly identify visitors that trigger events that cause alerts.
More Info:
Intrusion Detection FAQ: What is p0f and what does it do? sans.org


...we ticked the new p0f feature. Now we want it gone.
With the above details in mind, why would you want it "gone"?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Hello,

Can you try going through the feature showcase again to see if this will remove it for you? It did work for me to disable it in WHM's Service Manager (unchecking enabled and monitor), although the rpm is still existing on my system after that:

Code:
# rpm -qa | grep -i p0f
p0f-3.08b-4.cp1150.x86_64
Now, to see if disabling it in the feature showcase works, you can get the feature showcase to show on WHM new login again by doing the following:

Code:
cd /var/cpanel/activate && mv features features.bak.`date +%F`
This will cause the next WHM new login to show the feature showcase again. Then you should be able to select to not enable it this time and Save the settings. If that does not work, you can try removing the rpm for p0f entirely and setting it to uninstalled:

Code:
rpm -qa | grep -i ^p0f-3 | xargs rpm -e --nodeps --justdb
/usr/local/cpanel/scripts/update_local_rpm_versions --edit target_settings.p0f uninstalled
/scripts/check_cpanel_rpms --fix --targets=p0f
This ensures that p0f cannot be reinstalled on cPanel updates. If this still does not work to fix the issue for you, please submit a ticket using WHM's Support >> Support Center area for the Contact cPanel >> Submit a Support Request link.

Thanks!
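A post-change check for the steps in the reply above, added here as an example and not taken from the thread or from cPanel: it parses `rpm -qa` and `ps -eo pid,args` output and samples the process table twice, because the original poster saw killed processes come back. The process and package names come from the thread; the function names, the sample listings and the /opt/example path are constructed, and matching on the command line is an assumption about how the daemons appear in `ps`.

```shell
#!/bin/sh
# Added example: check that p0f is gone and its daemons do not come back.
# Assumption: the names from the thread (p0f, cpanelconnecttrack) appear as a
# whole word in the process command line. Sample listings are constructed.

# Print p0f packages found in `rpm -qa` output read from stdin.
p0f_packages() { grep -i '^p0f-[0-9]' || true; }

# Print "PID COMMAND" for tracked daemons in `ps -eo pid,args` output on stdin.
tracked_procs() {
    awk -v pat='[ /](p0f|cpanelconnecttrack) ' \
        'NR > 1 && ($0 " ") ~ pat { print $1, $2 }'
}

# $1 = packages, $2 = daemons at first sample, $3 = daemons at second sample.
verdict() {
    if [ -n "$3" ] && [ "$3" != "$2" ]; then echo respawned   # new PIDs appeared
    elif [ -n "$3" ]; then echo running                       # same PIDs, never stopped
    elif [ -n "$1" ]; then echo installed                     # stopped, rpm db entry remains
    else echo clean
    fi
}

# Live check for a real host: two samples, $1 seconds apart (default 60).
check_host() {
    pkgs=$(rpm -qa | p0f_packages)
    first=$(ps -eo pid,args | tracked_procs)
    sleep "${1:-60}"
    second=$(ps -eo pid,args | tracked_procs)
    verdict "$pkgs" "$first" "$second"
}

# Constructed sample data: package name from the thread, everything else made up.
SAMPLE_RPM='perl-5.16.3-1.example.x86_64
p0f-3.08b-4.cp1150.x86_64'
SAMPLE_PS_1='  PID COMMAND
 4101 /usr/sbin/sshd -D
 4242 /opt/example/sbin/p0f
 4250 cpanelconnecttrack - idle'
SAMPLE_PS_2='  PID COMMAND
 4101 /usr/sbin/sshd -D
 5310 /opt/example/sbin/p0f
 5317 cpanelconnecttrack - idle'

# Demo on the samples (daemons killed between the two listings, then restarted).
verdict "$(printf '%s\n' "$SAMPLE_RPM" | p0f_packages)" \
        "$(printf '%s\n' "$SAMPLE_PS_1" | tracked_procs)" \
        "$(printf '%s\n' "$SAMPLE_PS_2" | tracked_procs)"
```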

shadowone

Thanks for posting. It was a smart move to provoke the feature showcase to pop up again.
Anyway, we disabled the feature from the Service Manager.
Everyone is saying (uncheck enabled and monitor p0f-cpanelsync), but there is another tick --> Passive OS Fingerprinting Daemon. That is the most important :)
 

cPanelMichael

Administrator
Staff member
I'm happy to see you were able to determine how to successfully disable the feature. Thank you for updating us with the outcome.
 

wswd

I agree with the OP. This uses a ridiculous amount of resources on our servers as well. Probably time for us to disable it too until the issues are fixed.
 

cPanelMichael

Administrator
Staff member
Hello :)

Internal case CPANEL-699 aims to improve the performance for passive OS fingerprinting:

Fixed case CPANEL-699: Avoid p0f watching port 80 and 443 for performance reasons.

It's included with cPanel version 11.52, which is currently only available in the "Edge" build tier.

Thank you.