For some reason I cannot get CSF's LFD (/etc/csf/csf.pignore) to ignore amavisd-new running via perl. The daemon runs via /usr/bin/perl /usr/sbin/amavisd-new (some mode) however it seems that when I use regex based pcmd:, LFD won't ignore it. Is there something up with LFD and/or the regex used with pcmd: that I am not understanding? The other stuff I have used with pcmd: has worked fine. I do not want to ignore the amavis user, nor ignore perl. I am reloading changes with csf -ra.

Various ways I have tried:

pcmd:/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl\s/usr/sbin/amavisd-new.*
pcmd:/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/bin/perl.*/usr/sbin/amavisd-new.*
pcmd:.*\s/usr/sbin/amavisd-new\s.*
pcmd:.*/usr/sbin/amavisd-new.*
pcmd:.*/usr/sbin/amavis.*

CSF: v9.24 (generic) on Ubuntu 16.04.1 - x86_64

Executable: /usr/bin/perl
Command Line (often faked in exploits): /usr/sbin/amavisd-new (master)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (virgin child)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (ch3-avail)
Command Line (often faked in exploits): /usr/sbin/amavisd-new (ch4-avail)
dhaupin
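To see which of the pcmd: patterns listed above can match the command lines LFD reported in its alert, here is an added check (not part of the original post, and not CSF's own code). It assumes LFD tests a pcmd: regex against the full command line (anchored at both ends), which is mirrored here with re.fullmatch; the command lines are taken from the alert quoted in the question.

```python
import re

# Constructed from the question: the pcmd: patterns that were tried.
PATTERNS = [
    r"/usr/bin/perl\s/usr/sbin/amavisd-new.*",
    r".*/usr/bin/perl\s/usr/sbin/amavisd-new.*",
    r"/usr/bin/perl.*/usr/sbin/amavisd-new.*",
    r".*/usr/bin/perl.*/usr/sbin/amavisd-new.*",
    r".*\s/usr/sbin/amavisd-new\s.*",
    r".*/usr/sbin/amavisd-new.*",
    r".*/usr/sbin/amavis.*",
]

# Constructed from the LFD alert in the question: what LFD reported as
# the command line of each amavisd-new worker (no interpreter prefix).
CMDLINES = [
    "/usr/sbin/amavisd-new (master)",
    "/usr/sbin/amavisd-new (virgin child)",
    "/usr/sbin/amavisd-new (ch3-avail)",
    "/usr/sbin/amavisd-new (ch4-avail)",
]


def matching_patterns(cmdline, patterns=PATTERNS):
    """Return the patterns that match the whole command line.

    Assumption: LFD anchors a pcmd: regex to the entire command line
    (^...$), so fullmatch is used rather than search.
    """
    return [p for p in patterns if re.fullmatch(p, cmdline)]


def patterns_needing_perl_prefix(patterns=PATTERNS):
    """Patterns that can only match if the reported command line
    contains the interpreter path, which the alert above does not."""
    return [p for p in patterns if "/usr/bin/perl" in p]


if __name__ == "__main__":
    for cmd in CMDLINES:
        print(cmd)
        hits = matching_patterns(cmd)
        for p in PATTERNS:
            print("  ", "match   " if p in hits else "no match", "pcmd:" + p)
```

Against the reported command lines only the last two patterns can match: the first four require the /usr/bin/perl prefix that LFD does not report, and the fifth requires whitespace before /usr/sbin, which is not there either. If those two patterns still fail, the regex is not the problem and the cause lies elsewhere (lfd not reloaded, or a command line that differs from the one in the alert).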

2 Answers

Try not to use regexp. Just do

exe:/usr/sbin/amavisd-new

in csf.pignore and see what happens. According to their forums this is the way to go for perl daemons. They're admitting it's unclear, since their lfd alarm speaks of a different executable (i.e. perl).

Julius

There can be many reasons if CSF's LFD doesn't ignore your processes. This blog article mentions a lot of factors and solutions.

To sum up:

  1. Restart both CSF and LFD, not only CSF (sudo service lfd restart)
  2. Don't use inline comments (looks good in your case)
  3. Check RegEx syntax (also looks good in your case)
  4. Check your system and side effects (logs, updates, file formatting, ...)