• Resolved bluebearmedia

    (@bluebearmedia)


    I know it’s not directly a WordFence thing, but is there a way I can stop the server LFD from flagging these valid WordFence-related processes as “suspicious”?


    Suspicious process running under user XXXX

    Executable:
    /usr/bin/php

    Command Line (often faked in exploits):
    /usr/bin/php /home/WEBSITEPATH/public_html/wp-admin/admin-ajax.php

    Files open by the process (if any):
    /var/cpanel/locale/en.cdb.2666 (deleted)
    /dev/urandom
    /home/WEBSITEPATH/public_html/wp-content/wflogs/ips.php
    /home/WEBSITEPATH/public_html/wp-content/wflogs/config.tmp.Tn7EbT (deleted)
    /home/WEBSITEPATH/public_html/wp-content/wflogs/attack-data.php

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi Bruce,
    In general, you can whitelist executable binaries, users and commands in the /etc/csf/csf.pignore file and then restart CSF and LFD; check this link for more details (search for “8. Process Tracking”).
    In your case, it’s not recommended to whitelist the /usr/bin/php process or the /usr/bin/php /home/WEBSITEPATH/public_html/wp-admin/admin-ajax.php command, as this may cause some false negative results. I’m not sure if there is an option to exclude specific files from being reported by CSF/LFD in “Files open by the process” or not.

    Thanks.
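
An added example, not part of the replies above and not CSF's or Wordfence's own code: a shell check that scans a csf.pignore-style file for the broad entries the reply advises against. It assumes the `exe:`, `cmd:` and `user:` entry prefixes of csf.pignore; the function name `audit_pignore` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a csf.pignore-style file for entries that are too broad.
# audit_pignore FILE -> prints one finding per line, returns 1 if any were found.
audit_pignore() {
    awk '
    function report(level, why) {
        printf "%s\tline %d\t%s\t(%s)\n", level, NR, $0, why
        found = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")                       # tolerate indented entries
        i = index($0, ":"); if (i == 0) next
        type = substr($0, 1, i - 1); value = substr($0, i + 1)
        split(value, tok, " ")                   # first token is the binary
        n = split(tok[1], seg, "/"); base = seg[n]
        interp = (base ~ /^(php|perl|python|ruby|bash|dash|sh)[0-9.]*(-cgi)?$/)
        if (type == "exe" && interp)
            report("RISKY", "LFD will ignore every process run by this interpreter")
        else if (type == "cmd" && interp)
            report("WARN", "a process can fake its command line to match this entry")
        else if (type == "user")
            report("WARN", "LFD will ignore every process owned by this user")
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (hypothetical entries, not taken from a real server).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real ignore file
exe:/usr/sbin/sshd
exe:/usr/bin/php
cmd:/usr/bin/php /home/WEBSITEPATH/public_html/wp-admin/admin-ajax.php
user:XXXX
cmd:spamd child
EOF
audit_pignore "$SAMPLE" || echo "review the entries above before restarting CSF and LFD"
```

On a server, point the function at /etc/csf/csf.pignore; the non-zero return status makes it usable as a pre-restart check.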

    Thread Starter bluebearmedia

    (@bluebearmedia)

    OK, perfect – thanks for the clarification!

  • The topic ‘Help with CSF Firewall — removing LFD process check for WF’ is closed to new replies.