Uninstall,remove or disable p0f/cpanelconnecttrack

shadowone

Member
Feb 25, 2015
10
1
3
cPanel Access Level
Root Administrator
When we updated cPanel to 11.50 on one of our servers we ticked the new p0f feature. Now we want it gone.

We untick the p0f-cpanelsync options Enabled and Monitor in WHM->Service Configuration->Service Managerbut but nothing happened. When we kill the processes it restores it self. Also we are still receiving Excessive resource usage: cpanelconnecttrack (315802 (Parent PID:315802)).

So how can we uninstall /remove/disable it?
 
Last edited:

Infopro

Well-Known Member
May 20, 2003
17,091
516
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
I am aware of what you're looking to do, there really should be no reason to though.

Passive OS fingerprinting (p0f) - cPanel Release Notes
In cPanel & WHM version 11.50, we improved the GeoIP identifier and added operating system and other information to email notifications. This information helps you quickly identify users that trigger events.

Service Manager Service daemons - cPanel Documentation
Passive OS Fingerprinting Daemon
The Passive OS Fingerprinting daemon reports the visitor's operating system and other information for email notifications. This information helps you quickly identify visitors that trigger events that cause alerts.
More Info:
Intrusion Detection FAQ: What is p0f and what does it do? sans.org


...we ticked the new p0f feature. Now we want it gone.
With the above details in mind, why would you want it "gone"?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello,

Can you try going through the feature showcase again to see if this will remove it for you? It did work for me to disable it in WHM's Service Manager (unchecking enabled and monitor), although the rpm is still existing on my system after that:

Code:
# rpm -qa | grep -i p0f
p0f-3.08b-4.cp1150.x86_64
Now, to see if disabling it in the feature showcase works, you can get the feature showcase to show on WHM new login again by doing the following:

Code:
cd /var/cpanel/activate && mv features features.bak.`date +%F`
This will cause the next WHM new login to show the feature showcase again. Then you should be able to select to not enable it this time and Save the settings. If that does not work, you can try removing the rpm for p0f entirely and setting it to uninstalled:

Code:
rpm -qa | grep -i ^p0f-3 | xargs rpm -e --nodeps --justdb
/usr/local/cpanel/scripts/update_local_rpm_versions --edit target_settings.p0f uninstalled
/scripts/check_cpanel_rpms--fix --targets=p0f
This ensures that p0f cannot be reinstalled on cPanel updates. If this still does not work to fix the issue for you, please submit a ticket using WHM's Support >> Support Center area for the Contact cPanel >> Submit a Support Request link.

Thanks!
 
Last edited by a moderator:
  • Like
Reactions: Infopro

shadowone

Member
Feb 25, 2015
10
1
3
cPanel Access Level
Root Administrator
Thanks for posting. It was a smart move to provoke feature showcase to pop up again.
Anyway, we disabled the feature from the Service Manager.
Everyone is saying (uncheck enabled and monitor p0f-cpanelsync), but there is another thick --> Passive OS Fingerprinting Daemon. That is the most important :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
I'm happy to see you were able to determine how to successfully disable the feature. Thank you for updating us with the outcome.
 

wswd

Well-Known Member
Aug 9, 2005
144
16
168
cPanel Access Level
Root Administrator
I agree with the OP. This uses a ridiculous amount of resources on our servers as well. Probably time for us to disable it too until the issues are fixed.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello :)

Internal case CPANEL-699 aims to improve the performance for passive OS fingerprinting:

Fixed case CPANEL-699: Avoid p0f watching port 80 and 443 for performance reasons.

It's included with cPanel version 11.52, which is currently only available in the "Edge" build tier.

Thank you.