CSF: "mailman/bin/qrunner - Exceeded: 120 > 60 (seconds) runtime" update



Fli
04-23-2014, 04:40 PM
Config Server Firewall (CSF) can prevent various attacks on the server. When CSF is installed on a cPanel/WHM server and Process Tracking / killing (http://internetlifeforum.com/reseller-hosting/1687-cloudlinux-alternative-whm-cpanel/) is enabled, it can kill or report processes like

/usr/local/cpanel/3rdparty/mailman/bin/qrunner

Example email report 1:

Account: mailman
Resource: Process Time
Exceeded: 120 > 60 (seconds)
Executable: /usr/bin/python
Command Line: /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s

qrunner is a legitimate process (according to a Google search), and it usually runs longer than 120 seconds.

If such a process is found and reported by CSF, and you know it is a legitimate process that doesn't need to be monitored or killed, you can uncomment (remove the #) the appropriate line in the file /etc/csf/csf.pignore, then save the file and restart CSF with the command: csf -r

To disable the emails (but still keep logs of them), look in /etc/csf/csf.conf for "Process Tracking", then run csf -r to restart it afterwards.

Example email report 2:

Email subject: lfd on vps: Excessive resource usage: mysql (5807 (Parent PID:1549))
Email body:
Time: Sun Sep 7 15:01:47 2014 -0400
Account: mysql
Resource: Virtual Memory Size
Exceeded: 561 > 400 (MB)
Executable: /usr/libexec/mysqld
Command Line: /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
PID: 5807 (Parent PID:1549)
Killed: Yes

In the above email, LFD says that the mysql process exceeded the memory value that I set in the csf.conf file as a threshold for warnings. But let's say I don't want to receive warnings about this mysql process, while I still want to receive excessive memory usage warnings about other processes. The solution is adding this mysql process to the CSF ignore list (it's again in /etc/csf, and the file is named csf.pignore).

Example content of csf.pignore:

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex
# puser:username as a perl regex
# pcmd:command line as a perl regex
#
# You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt


exe:/usr/libexec/mysqld
exe:/usr/libexec/postfix/smtpd
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login

So, as you can see, the email reported the path to the executable (exe):
Executable: /usr/libexec/mysqld

So I added it to csf.pignore and then restarted CSF to apply the changes (csf -r). A restart might not be needed; I'm not sure.
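
An added example, not part of the original post and not CSF's own code: a small checker that parses csf.pignore-style text, reports which rule (if any) would make lfd ignore a given process, and flags duplicate and command-line based rules. Assumptions: exe/user/cmd rules match exactly, regex rules must match the whole field, Python's re stands in for Perl regex, and the pcmd rule in the sample is hypothetical.

```python
import re
KINDS = ("exe", "user", "cmd", "pexe", "puser", "pcmd")

def parse_pignore(text):
    """Return (kind, value) rules, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rule is inactive until the # is removed
        kind, sep, value = line.partition(":")
        if sep and kind in KINDS and value:
            rules.append((kind, value))
    return rules

def ignored_by(rules, exe, user, cmd):
    """Return the first rule that would ignore this process, or None."""
    fields = {"exe": exe, "user": user, "cmd": cmd}
    for kind, value in rules:
        if kind.startswith("p"):
            # Assumption: regex rules are anchored to the whole field.
            if re.fullmatch(value, fields[kind[1:]]):
                return (kind, value)
        elif fields[kind] == value:
            return (kind, value)
    return None

def audit(rules):
    """Flag duplicate rules and command-line rules (the file header's caution)."""
    seen, dupes = set(), []
    for rule in rules:
        if rule in seen and rule not in dupes:
            dupes.append(rule)
        seen.add(rule)
    cmd_rules = [r for r in rules if r[0] in ("cmd", "pcmd")]
    return {"duplicates": dupes, "cmdline_rules": cmd_rules}

# Constructed sample: lines taken from the post plus one hypothetical pcmd rule.
SAMPLE = r"""
# exe:/full/path/to/file
exe:/usr/libexec/mysqld
exe:/usr/sbin/ntpd
exe:/usr/sbin/ntpd
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner .*
"""
QRUNNER_CMD = ("/usr/local/cpanel/3rdparty/bin/python "
               "/usr/local/cpanel/3rdparty/mailman/bin/qrunner "
               "--runner=IncomingRunner:0:1 -s")

print(ignored_by(parse_pignore(SAMPLE), "/usr/bin/python", "mailman", QRUNNER_CMD))
```

The pcmd rule is what audit() lists under cmdline_rules, matching the file's own caution about command-line ignores; an unrelated script run by the same Python interpreter is not matched by it.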