
Ignore a specific user in csf.pignore

Posted: 07 Sep 2022, 14:46
by Ayzeta
Hello, we want to exclude a specific user or a specific process from mail notifications with csf.pignore.

Mail Notifications:
1
Excessive resource usage: "username"
Time: Tue Jun 29 15:59:06 2021 +0300
Account: username
Resource: Process Time
Exceeded: 1818 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/php/73/sbin/php-fpm
Command Line: php-fpm: pool user_username
PID: 6898 (Parent PID:24551)
Killed: No
2
lfd on linux.server.net: Suspicious process running under user "username"
Time: Wed Sep 7 16:02:17 2022 +0300
PID: 19516 (Parent PID:19514)
Account: username
Uptime: 270134 seconds

Executable:

/home/virtfs/username/opt/cpanel/ea-php73/root/usr/bin/php

Command Line (often faked in exploits):

/opt/cpanel/ea-php73/root/usr/bin/php /home/username/public_html/dir/file.php
(Sometimes the last line changes to:)
Command Line: jailshell (username) [init] ell -c /usr/local/bin/php /home/username/public_html/dir/file.php

----------------------------------------

The desired thing might be to turn off all notifications for a particular user. Or turn off notifications for certain actions of a particular user.

We tried adding this line to csf.pignore:

Code:

user:username
but it doesn't work.

Or we tried adding to csf.pignore:

Code:

exe:/home/virtfs/username/opt/cpanel/ea-php73/root/usr/bin/php
pcmd:/opt/cpanel/ea-php73/root/usr/bin/php /home/username/public_html/dir/*
(Wildcards are required for all files in this directory. But I'm not sure if the wildcard usage style is correct.)

or tried:

Code:

user:username
exe:/usr/local/cpanel/3rdparty/php/73/sbin/php-fpm
pcmd:/usr/local/bin/php /home/username/public_html/dir/file.php
But they do not work.

Thanks in advance for any help.