{"id":2168,"date":"2021-06-25T10:47:26","date_gmt":"2021-06-25T07:47:26","guid":{"rendered":"https:\/\/www.scalahosting.com\/kb\/?p=2168"},"modified":"2023-03-01T16:54:19","modified_gmt":"2023-03-01T14:54:19","slug":"common-notifications-from-csf-lfd","status":"publish","type":"post","link":"https:\/\/www.scalahosting.com\/kb\/common-notifications-from-csf-lfd\/","title":{"rendered":"Common Notifications from CSF\/LFD"},"content":{"rendered":"<p><b>CSF and LFD often come pre-installed <\/b><span style=\"font-weight: 400;\">to enable you to keep tabs on activities happening on your servers. They send valuable notifications to help you <\/span><b>keep track of potentially important events on the server.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The feature <\/span><b>enables users to detect server events<\/b><span style=\"font-weight: 400;\"> that might be indicative of security issues. 
Some of these notifications can be difficult for the uninformed to decipher, so this article covers what you need to know about CSF and LFD and their common notifications.<\/span><\/p>\n<h2><b>Understanding CSF and LFD<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">CSF and LFD offer features that help users secure their servers. 
Let\u2019s quickly examine what these terms mean and what they do.<\/span><\/p>\n<h3><b>ConfigServer Security and Firewall (CSF)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">CSF, short for <\/span><b>ConfigServer Security and Firewall<\/b><span style=\"font-weight: 400;\">, is a <\/span><b>Stateful Packet Inspection (SPI) firewall <\/b><span style=\"font-weight: 400;\">that helps keep servers secure. Stateful inspection analyzes packets down to the application layer, unlike static inspection, which checks only the <\/span><b>packet\u2019s header<\/b><span style=\"font-weight: 400;\"> and so leaves a <\/span><i><span style=\"font-weight: 400;\">tiny <\/span><\/i><span style=\"font-weight: 400;\">window for attackers to exploit.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The stateful firewall uses SPI to determine which packets to allow through. <\/span><b>ConfigServer Security and Firewall <\/b><span style=\"font-weight: 400;\">provides an intuitive web-based interface for managing your server firewall settings, though you can also manage the settings via <\/span><a href=\"https:\/\/www.scalahosting.com\/blog\/what-is-ssh-and-how-to-use-it\/\"><b>Secure Shell (SSH)<\/b><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><b>The firewall helps users to:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Control traffic to their server space <\/b><span style=\"font-weight: 400;\">by closing all connections and letting them open the ones that should receive traffic<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Prevent <\/span><a href=\"https:\/\/www.scalahosting.com\/blog\/cyber-attack-guide-ddos-attacks\/\"><b>DDoS attacks<\/b><\/a><span style=\"font-weight: 400;\"> by closing outgoing ports, allowing only those authorized for outgoing traffic<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Track network connections<\/b><span 
style=\"font-weight: 400;\">, notifying them of those that made a suspicious number of failed attempts<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Only root users (system admins) can access and manage CSF.<\/span><\/p>\n<h3><b>Login Failure Daemon (LFD)<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Login Failure Daemon is a critical component of the CSF process. It periodically checks for potential threats against a server, such as <\/span><a href=\"https:\/\/www.scalahosting.com\/blog\/cyber-attack-guide-brute-force-attacks\/\"><b>brute force login attempts<\/b><\/a><span style=\"font-weight: 400;\">, and blocks the <\/span><b>IP address to protect the server from inbound attacks.<\/b><\/p>\n<p><b>Brute force attackers often guess usernames and passwords<\/b><span style=\"font-weight: 400;\">, thereby generating many authentication and login failures within a short time. LFD scans the latest authentication log files to identify these patterns. If it finds them, the daemon responds quickly by using <\/span><b>CSF to block the offending IP address.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">LFD is a daemon. It works as a background process, monitoring log files to respond immediately to threats.<\/span><\/p>\n<h2><b>Common CSF and LFD Notifications<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Email alerts for LFD, which are on by default, let you receive notifications when the<\/span><b> daemon blocks an IP address<\/b><span style=\"font-weight: 400;\">. Here\u2019s a quick rundown of the common CSF and LFD notifications.<\/span><\/p>\n<h3><b>IP Blocks Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">LFD sends email notifications any time it blocks an IP address. 
This alert is active by default; however, you can disable it if you\u2019re confident your<\/span><b> firewall configuration only blocks the IPs you want blocked.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Too many notifications might distract your attention from other important things. Some of the reasons LFD blocks IP addresses include:<\/span><\/p>\n<h4><b>Login Failures<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The <\/span><b>LFD blocks an IP address when it fails too many login attempts<\/b><span style=\"font-weight: 400;\"> within a short period of time and sends you an email alert that looks like this:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-2172 size-full\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image4-6.png\" alt=\"Common Notifications from CSF\/LFD, Login Failures\" width=\"347\" height=\"247\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image4-6.png 347w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image4-6-300x214.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h4><b>Temp to Perm Block<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">LFD has a feature that <\/span><b>lets users enable a trigger that permanently blocks an IP address<\/b><span style=\"font-weight: 400;\"> after temporarily blocking it a certain number of times over a specified period.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You receive an LFD alert whenever this happens. 
The email alert looks thus:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2180\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image12.png\" alt=\"Common Notifications from CSF\/LFD, Temp to Perm Block\" width=\"413\" height=\"184\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image12.png 413w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image12-300x134.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h4><b>Too Many Connections<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Simultaneous connections from the same IP could cause the daemon to block the IP. Besides <\/span><b>being indicative of a DDOS attack<\/b><span style=\"font-weight: 400;\">, this type of connection could also cause load issues.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here\u2019s how the email looks.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2174\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image6-5.png\" alt=\"Common Notifications from CSF\/LFD, Too Many Connections\" width=\"492\" height=\"202\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image6-5.png 492w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image6-5-300x123.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><b>Other reasons the daemon blocks IP addresses include:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Too many attempted connections to closed ports<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">When an IP address tries to log into the same email account more than 
expected<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">LFD can also block an entire netblock and its associated IP addresses after blocking many of its<\/span><b> IPs repeatedly within a specific interval<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>Successful Logins Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The <\/span><b>daemon sends email notifications<\/b><span style=\"font-weight: 400;\"> for successful logins. This notification helps system admins track the people logging into their servers to <\/span><b>ensure only authorized users access the server.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Some of the login alerts LFD sends include:<\/span><\/p>\n<h4><b>Port Knocking<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">LFD notifies users when people<\/span><b> access the server using a port knocking sequence<\/b><span style=\"font-weight: 400;\">\u2014a technique that externally opens ports the firewall keeps closed by default. Port knocking helps keep a server secure by closing firewall ports, even those available for use.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Network administrators use this authentication method to control access to a server or other network devices behind a firewall. 
LFD can<\/span><b> detect when a user gains access via this method and send you an alert.<\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2178\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image10-2.png\" alt=\"Common Notifications from CSF\/LFD, Port Knocking\" width=\"451\" height=\"129\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image10-2.png 451w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image10-2-300x86.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h4><b>Secure Shell Access (SSH)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">SSH allows users to access a server as if they were physically in front of it. 
LFD sends notifications when a user<\/span><b> successfully logs in to the server via SSH<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2179\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image11-2.png\" alt=\"Common Notifications from CSF\/LFD, Secure Shell Access (SSH)\" width=\"528\" height=\"147\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image11-2.png 528w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image11-2-300x84.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><b>LFD also sends successful login alerts for:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Logins to <\/span><b>WHM or cPanel<\/b><\/li>\n<li 
style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">When someone accesses the server using the <\/span><b>SU command<\/b><span style=\"font-weight: 400;\">\u2014the substitute user command helps a user execute commands with the privileges of another user account.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">If a user logs in via the <\/span><b>CSF user interface.<\/b><\/li>\n<\/ul>\n<h3><b>Excessive Resource Usage Alerts<\/b><\/h3>\n<p><b>LFD<\/b><span style=\"font-weight: 400;\"> watches the running processes to detect if they are using too many resources, and you can configure what counts as<\/span><i><span style=\"font-weight: 400;\"> too many<\/span><\/i><span style=\"font-weight: 400;\"> for some of the resources.<\/span><\/p>\n<p><b>The notification text, by default, looks like this:<\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2182\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image14-1.png\" alt=\"Common Notifications from CSF\/LFD, Excessive Resource Usage Alerts\" width=\"509\" height=\"225\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image14-1.png 509w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image14-1-300x133.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><b>Here\u2019s the meaning of some of the placeholders:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>PID<\/b><span style=\"font-weight: 400;\"> shows the Process ID<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Time<\/b><span style=\"font-weight: 400;\"> signals when LFD detected the process as using too many resources<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Resources<\/b><span style=\"font-weight: 400;\"> indicates the resource the process seems to be exceeding<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Exceeded<\/b><span style=\"font-weight: 400;\"> shows how much of the resource the daemon detected the process using<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Executable<\/b><span style=\"font-weight: 400;\"> logs the executable the process is running from<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Killed<\/b><span style=\"font-weight: 400;\"> indicates whether or not LFD attempted to kill the process<\/span><\/li>\n<\/ul>\n<h3><b>Email Script Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">LFD watches the <\/span><b>mail log to detect emails with scripts.<\/b><span style=\"font-weight: 400;\"> It notifies you when this activity happens repeatedly. 
You might get an email showing the scripts and the number of emails involved.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2176\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image8-3.png\" alt=\"Common Notifications from CSF\/LFD, Email Script Alerts\" width=\"412\" height=\"274\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image8-3.png 412w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image8-3-300x200.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">LFD guesses the likely email script, so the email alert <\/span><b>might report an inaccurate script<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>Excessive Processes Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The daemon also watches whether a user is running numerous processes simultaneously. 
If it <\/span><b>detects excessive processes<\/b><span style=\"font-weight: 400;\">, the daemon sends a notification letting you know that a user runs more processes than the configured threshold.\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2173\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image5-3.png\" alt=\"Common Notifications from CSF\/LFD, Excessive Processes Alerts\" width=\"539\" height=\"198\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image5-3.png 539w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image5-3-300x110.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Excessive processes could be indicative of server security or resource issues.<\/span><\/p>\n<h3><b>Suspicious Process Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Enabling <\/span><b>Process Tracking<\/b><span style=\"font-weight: 400;\"> examines <\/span><b>all running processes for suspicious, deleted executable files or open network ports<\/b><span style=\"font-weight: 400;\">. 
It sends an email notification when it identifies a suspicious process running on the server.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You might receive this kind of <\/span><b>email alert<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"> <img decoding=\"async\" class=\"aligncenter size-full wp-image-2177\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image9-3.png\" alt=\"Common Notifications from CSF\/LFD, Suspicious Process Alerts\" width=\"536\" height=\"515\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image9-3.png 536w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image9-3-300x288.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/span><\/p>\n<h3><b>System Integrity Alert<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">LFD comes with features that watch for changes in specific system files, helping detect compromised files. 
The daemon also sends alerts when <\/span><b>routine system updates change the files<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><b>The email notification looks like this:<\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2169\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image1-5.png\" alt=\"Common Notifications from CSF\/LFD, System Integrity Alert\" width=\"624\" height=\"221\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image1-5.png 624w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image1-5-300x106.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Always check your server log when you receive this alert to determine if the file changes are due to system updates, intentional changes, or suspicious activity.<\/span><\/p>\n<h3><b>Email Queue Size Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Whenever you send emails, the<\/span><b> SMTP server places them in a queue <\/b><span style=\"font-weight: 400;\">where they await processing. Often, the server delivers each email immediately, so nothing accumulates in the email queue.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Some of the common causes of email accumulation are indicative of security issues. 
So, LFD watches the length of the <\/span><b>email queue and sends notifications<\/b><span style=\"font-weight: 400;\"> when too many emails accumulate in the queue.<\/span><\/p>\n<p><b>Here\u2019s what the email alert looks like:<\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2175\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image7-2.png\" alt=\"Common Notifications from CSF\/LFD, Email Queue Size Alerts\" width=\"376\" height=\"131\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image7-2.png 376w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image7-2-300x105.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h3><b>Log File Flooding Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">LFD relies heavily on <\/span><b>various server logs to watch server activities and could become ineffective <\/b><span style=\"font-weight: 400;\">if the logs get flooded with too many similar lines in a row. The daemon sends notifications whenever it detects log file flooding.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2181\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image13-1.png\" alt=\"Common Notifications from CSF\/LFD, Log File Flooding Alerts\" width=\"336\" height=\"117\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image13-1.png 336w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image13-1-300x104.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h3><b>Account Modification Alerts<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">LFD sends email alerts for <\/span><b>certain types of account modification and the detected changes<\/b><span 
style=\"font-weight: 400;\">. The alert helps users keep tabs on account modifications and take immediate action to address suspicious activity.<\/span><\/p>\n<p><b>The text of the notification, by default, looks like this:<\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2171\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image3-5.png\" alt=\"Common Notifications from CSF\/LFD, Account Modification Alerts\" width=\"411\" height=\"167\" srcset=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image3-5.png 411w, https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image3-5-300x122.png 300w\" sizes=\"(max-width: 361px) 660px, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 910px, 1140px\" \/><\/p>\n<h2><b>Disabling All LFD Notifications Via the Command Line<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Enabling all these alerts lets you take complete charge of your server security. 
However, you can <\/span><b>deactivate all the LFD notifications.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Take these steps to get it done via the command line.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Log in via SSH to access your server remotely and open the CSF configuration file.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Locate <\/span><b>LF_PERMBLOCK_ALERT<\/b><span style=\"font-weight: 400;\"> in the file and set the value to zero (0).<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2170\" src=\"https:\/\/www.scalahosting.com\/kb\/wp-content\/uploads\/2021\/06\/image2-6.png\" alt=\"Common Notifications from CSF\/LFD, Disabling All LFD Notifications Via the Command Line\" width=\"185\" height=\"89\" \/><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s it. Just restart the LFD and CSF services to apply the changes.<\/span><\/p>\n<h2><b>Wrapping It Up<\/b><\/h2>\n<p><b>ConfigServer Security and Firewall with Login Failure Daemon<\/b><span style=\"font-weight: 400;\"> offers valuable features that help keep your server secure. You can set up notifications to stay updated on the activities happening on your servers, which helps you track <\/span><b>all the events that could compromise the server.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">You can switch off the notifications (or any of them) when you feel overwhelmed. <\/span><a href=\"https:\/\/www.scalahosting.com\/contact-us.html\"><b>Our support<\/b><\/a><span style=\"font-weight: 400;\"> is always available to help when you need assistance.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CSF and LFD often come pre-installed to enable you to keep tabs on activities happening on your servers. 
They send valuable notifications to help you keep track of potentially important events on the server. The feature enables users to detect server events that might be indicative of security issues. Some of these notifications could be [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"CSF and LFD often come pre-installed to enable you to keep tabs on activities happening on your servers. They send valuable notifications to help you keep track...","_seopress_robots_index":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-2168","post","type-post","status-publish","format-standard","hentry","category-web-hosting"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/2168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/comments?post=2168"}],"version-history":[{"count":5,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/2168\/revisions"}],"predecessor-version":[{"id":5420,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/2168\/revisions\/5420"}],"wp:attachment":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/media?parent=2168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/categories?post=2168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/tags?post=2168"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}