Feq quirks and CSF


#1

Hi good people.

The script is amazing and will definately donate!

I have a few smaller problems and some annojance with the CSF.

  1. I have set the Quota size for me, 1800gb but nothing is changing, nor can I see how much space have I used. After download of 300GB, interface is saying:
    Free: 1799.98 GB
    Used: 0.0180855 GB
    Size: 1800 GB
    Disk Space
    0% Used
    You have used 0% of your total disk space

  2. Second one is about the CSF. I have decided to install it yesterday evening, then I had to configure the port for znc and so on. When I was on the configuration page for CSF, my CPU usage was around 170%? I’ve edited few options and saved it and all that time in the control panel of the CSF, cpu usage was 150%+. Any reason why? I have a very weak Kimsufi, but it didnt have any problems with Rutorrent, Sonarr, Plex and so on.

  3. Ever since installing CSF, I have received around 100-150 Emails. Emails about the applications which are used and so on. Can I add those application to some ignore list?

Here are the examples:

> Time: Tue May 16 09:01:10 2017 +0200

Account: plex
Resource: Process Time
Exceeded: 61470 > 7200 (seconds)

Executable: /usr/lib/plexmediaserver/Plex Tuner Service
Command Line: /usr/lib/plexmediaserver/Plex Tuner Service /usr/lib/plexmediaserver/Resources/Tuner/Private /usr/lib/plexmediaserver/Resources/Tuner/Shared 1.5.6.3790-4613ce077 32600 /waitmutex
PID: 1493 (Parent PID:1031)
Killed: No

> Time: Tue May 16 09:01:10 2017 +0200

Account: xxx
Resource: Process Time
Exceeded: 61495 > 7200 (seconds)

Executable: /usr/bin/rtorrent
Command Line: /usr/bin/rtorrent
PID: 1054 (Parent PID:1052)
Killed: No

> Time: Mon May 15 23:26:38 2017 +0200

PID: 1493 (Parent PID:1031)
Account: plex
Uptime: 27000 seconds

Executable:

/usr/lib/plexmediaserver/Plex Tuner Service

Command Line (often faked in exploits):

/usr/lib/plexmediaserver/Plex Tuner Service /usr/lib/plexmediaserver/Resources/Tuner/Private /usr/lib/plexmediaserver/Resources/Tuner/Shared 1.5.6.3790-4613ce077 32600 /waitmutex

> Time: Mon May 15 23:41:40 2017 +0200

PID: 24149 (Parent PID:1020)
Account: nobody
Uptime: 110 seconds

Executable:

/usr/sbin/vsftpd

Command Line (often faked in exploits):

/usr/sbin/vsftpd /etc/vsftpd.conf


#2
  1. Are you using a /home or /(root) mounted partition? You can check with the command lsblk. If home mount you can do fix-disk_widget_home and if root fix-disk_widget_root. It could also be your quotas simply are not sticking/updating. You could try to either reinstall quotas again, or try to restart the quota service with service quota restart.

  2. Yes, the GUI of CSF is a resource hog, but this simmers down after the close of the GUI. I wouldn’t panic on this one.

  3. There is a csf.pignore file located at /etc/csf. Open it up and you will see where you can add these functions to silence them from scanning and email. Like this below:

###############################################################################
# Copyright 2006-2017, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/lsmd
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/polkit-1/polkitd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/mysqld
exe:/usr/local/apache/bin/httpd
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/sbin/chronyd
exe:/usr/sbin/exim
exe:/usr/sbin/exim4
exe:/usr/sbin/named
exe:/usr/sbin/nscd
exe:/usr/sbin/ntpd
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/sshd

[ QuickBox Additions - These are necessary to avoid noisy emails ]
exe:/usr/sbin/rsyslogd
exe:/lib/systemd/systemd-timesyncd
exe:/lib/systemd/systemd-resolved
exe:/lib/systemd/systemd
exe:/usr/sbin/apache2
exe:/usr/sbin/vnstatd
exe:/usr/sbin/atd
exe:/usr/sbin/php-fpm7.0
exe:/usr/bin/memcached
exe:/usr/sbin/uuidd
exe:/usr/lib/plexmediaserver/Plex Media Server
exe:/usr/lib/plexmediaserver/Resources/Plex Script Host
exe:/usr/lib/plexmediaserver/Plex Script Host
exe:/usr/lib/gvfs/gvfsd-trash
exe:/usr/bin/dbus-launch
exe:/usr/bin/thunar
exe:/usr/bin/ssh-agent
exe:/usr/bin/python2.7
exe:/usr/sbin/mysqld
exe:/usr/bin/znc
exe:/usr/lib/nx/bin/nxagent
exe:/usr/bin/xfsettingsd
exe:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
exe:/usr/bin/xfdesktop
exe:/usr/bin/xfce4-volumed
exe:/usr/lib/gvfs/gvfsd
exe:/usr/bin/xfwm4
exe:/usr/sbin/openvpn
exe:/usr/lib/gvfs/gvfs-udisks2-volume-monitor
exe:/usr/bin/quasselcore
exe:/usr/lib/gvfs/gvfsd-metadata
exe:/usr/bin/xfce4-panel
exe:/usr/bin/xfce4-session
exe:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0
exe:/usr/bin/xscreensaver
exe:/usr/bin/syncthing
exe:/usr/bin/screen
exe:/usr/bin/irssi
exe:/usr/bin/mono-sgen
exe:/usr/lib/openssh/sftp-server
exe:/usr/bin/shellinaboxd

You can add to the bottom of this file the executables that are being noisy, ie (exe:/usr/lib/plexmediaserver/Plex Tuner Service and exe:/usr/bin/rtorrent)
Then issue a restart to csf with csf -r


#3

Once again,thank you.

I will try it in the next few days.


#4

Absolutely. I know all too well these emails can be noisy and bothersome. I am having these default parameters reviewed and will have them updated. There really is no need to report constantly on ruTorrent processes as those will especially send out large volumes of alerts.

Thanks again for bringing these to our attention!


#5

I have added a few things to the file you mention @JMSolo and it solved those emails.

But now I get this constantly:

Time: Thu Nov 30 12:05:22 2017 +0100
File: /tmp/.rutorrent/.fman
Reason: Suspicious directory
Owner: www-data:www-data (33:33)
Action: No action taken

I have tried to add the user www-data but no luck and it might not be the best solution either as something else important may come from that user.

Mails vary between just /tmp/.torrent and then where the .fman is added. It seems to be something that has startede resently so it may actually be a thing with rtorrent but no idea what it could be.