
For some reason I cannot get CSF's LFD (/etc/csf/csf.pignore) to ignore amavisd-new running via perl. The daemon runs via /usr/bin/perl /usr/sbin/amavisd-new (some mode) however it seems that when I use regex based pcmd:, LFD won't ignore it. Is there something up with LFD and/or the regex used with pcmd: that I am not understanding? The other stuff I have used with pcmd: has worked fine. I do not want to ignore the amavis user, nor ignore perl. I am reloading changes with csf -ra.

Various ways I have tried:

pcmd:/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*\s/usr/sbin/amavisd-new\s.*
pcmd:.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/sbin/amavis.*

CSF: v9.24 (generic) on Ubuntu 16.04.1 - x86_64

Executable: /usr/bin/perl
Command Line (often faked in exploits): /usr/sbin/amavisd-new (master)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (virgin child)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (ch3-avail)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (ch4-avail)
dhaupin

2 Answers


Try not to use regexp. Just do

exe:/usr/sbin/amavisd-new

in csf.pignore and see what happens. According to their forums this is the way to go for perl daemons. They're admitting it's unclear, since their lfd alarm speaks of a different executable (i.e. perl).

Julius
  • The OP is asking to use a regex. Is there a bug or something that prevents that from working? – chicks Apr 10 '17 at 00:44
  • The OP asked why pcmd/regex was not letting him ignore CSF/LFD alerts for amavisd. I suffered from the exact same thing. Either way, this is more a question that needs to be asked at the Configserver Security & Firewall forum, since it's a software dev specific bug; https://forum.configserver.com/ – Julius Apr 10 '17 at 10:22
  • If somebody gets a chance to link to the specific bug that'd be nice. @julius: I deleted / hereby withdraw my review comment. Thanks for the additional info. – chicks Apr 10 '17 at 13:40
  • I didn't realize it was a bug -- figured it was syntax or something. It's been awhile so I'm not sure what I tried in the past, but `exe:` and `pexe:` both fail. I didn't see anything about this bug on their forums, although 2 other posts speak of the same issue ignoring stuff that runs under perl. – dhaupin Apr 11 '17 at 20:44
  • Any updates on this? It would be good to make use of regex in csf.pignore for processes that don't fully describe the command line. – Leoncio Jan 11 '18 at 20:19

There can be many reasons why CSF's LFD doesn't ignore your processes. This blog article mentions a lot of factors and solutions.

To sum up:

  1. Restart both CSF and LFD, not only CSF (sudo service lfd restart)
  2. Don't use inline comments (looks good in your case)
  3. Check RegEx syntax (also looks good in your case)
  4. Check your system and side effects (logs, updates, file formatting, ...)
mhellmeier
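As an added diagnostic that is not part of the question or either answer, the script below replays the question's pcmd: rules and the first answer's exe: rule against the Executable and Command Line strings printed in the LFD alert, which is the concrete version of the "check RegEx syntax" step above. It assumes LFD compares pexe/pcmd as Perl regexes anchored at both ends against exactly those strings (an assumption about LFD internals, not something stated on the page); the rule file lines are constructed here from the question.

```python
import re

# Constructed input: the pcmd: rules tried in the question plus the exe: rule from the first answer.
PIGNORE_LINES = r"""
pcmd:/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*\s/usr/sbin/amavisd-new\s.*
pcmd:.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/sbin/amavis.*
exe:/usr/sbin/amavisd-new
""".strip().splitlines()

# Executable and command lines copied from the LFD alert in the question.
ALERT_EXE = "/usr/bin/perl"
ALERT_CMDLINES = ["/usr/sbin/amavisd-new (master)",
                  "/usr/sbin/amavisd-new (virgin child)",
                  "/usr/sbin/amavisd-new (ch3-avail)",
                  "/usr/sbin/amavisd-new (ch4-avail)"]

def parse_pignore(lines):
    """Return (kind, value) pairs; blank lines and # comments are skipped."""
    rules = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            kind, _, value = line.partition(":")
            rules.append((kind.strip(), value.strip()))
    return rules

def matching_rules(rules, exe, cmdline):
    """Rules that would ignore a process with this exe and command line.
    Assumption: exe compares literally; pexe/pcmd are Perl regexes
    anchored at both ends (^...$), hence re.fullmatch here."""
    hits = []
    for kind, value in rules:
        if kind == "exe" and value == exe:
            hits.append((kind, value))
        elif kind == "pexe" and re.fullmatch(value, exe):
            hits.append((kind, value))
        elif kind == "pcmd" and re.fullmatch(value, cmdline):
            hits.append((kind, value))
    return hits

def report(lines=PIGNORE_LINES, exe=ALERT_EXE, cmdlines=ALERT_CMDLINES):
    # Map each alerted command line to the rules that would have ignored it.
    rules = parse_pignore(lines)
    return {c: [f"{k}:{v}" for k, v in matching_rules(rules, exe, c)] for c in cmdlines}
```

Running `report()` shows that the four patterns containing `/usr/bin/perl` and the one requiring whitespace before `/usr/sbin` cannot match the alert's Command Line (which starts with `/usr/sbin/amavisd-new`), while all seven pcmd patterns do match the longer `/usr/bin/perl /usr/sbin/amavisd-new ...` form the daemon is launched with.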