LFD : is the abbreviation of Login Failure Daemon. It is a daemon process running on a server which has CSF for server security. LFD scans the server logs files periodically (every X seconds) for resent login failures and consider such attempts like “Brute Force Attacks” and block that IPs with the help of CSF.
LFD also send emails from server for excessive resource usage. In LFD we can set different resource usage limits.
You can refer here for more details on Process tracking with the help of csf.
How to disable Lfd excessive resource usage alert?
Example email alert from LFD.
Time: Tue Nov 25 09:15:10 2012 +0520
Account: crybit
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/crybit/public_html/index.php
PID: 11254 (Parent PID:11254)
Killed: No
From the above email example you can see that, here the alert is for excessive memory usage from the server for a particular user. You can avoid this email alert by different ways.
Method I
You can disable this particular feature from CSF configuration. That’s not a good method to solve this issue. This email alert is actually much useful for monitoring user’s resource usage under your server.
How to disable it?
Step 1: Login to your server via SSH as root user.
Step 2: Open the CSF configuration file (/etc/csf/csf.conf) with your favorite editor and search the directive ‘PT_USERMEM‘. By considering the above example, the PT_USERMEM is 200.
You can set the value of PT_USERMEM to ‘0’ to disable this feature from CSF.
[root@server #] vim /etc/csf/csf.conf ----- # This User Process Tracking option sends an alert if any linux user process # exceeds the memory usage set (MB). To ignore specific processes or users use # csf.pignore # # Set to 0 to disable this feature PT_USERMEM = "200" -----
Method II
You can increase the PT_USERMEM limit. By setting the value of PT_USERMEM to a higher value than 200 may help you.
Method III
This is the simplest and standard way to stop such alerts from CSF and LFD. There is a file in csf directory ‘csf.pignore‘. You can add the process or the user which you want to ignore this type of alert in to this file.
File location:
[root@server #] vim /etc/csf/csf.pignore
Note:
This type of alerts are useful for monitoring your server.
Restart the services CSF and LFD
csf -r
That’s it. 🙂
Related topics:
Install and configure csf on CentOS
CSF commands for Unix/Linux servers
thank you for this information. exactly i needed this.
I am really happy to know that 🙂
Thanks Arun
Thank you 🙂
It was nice…. and worked…. Thank you.
As a suggestion please restart the lfd and csf after the tweak
Thanks for your suggestion. Updated 🙂
Hi,
I’ve translated it into Persian:
blog..jeyserver.com/lfd-excessive-resource-usage-alert/
Ohh 🙂
Very useful post. However did spend quite some time because changes were not taking effect. In my case I had restart lfd service as well in order to stop the high resource e-mails coming; type “service lfd restart” in linux without quotes. PS. I went for method II, and set up 400 MB limit.
Nice, It’s really good info. Thanks you!!!
Thank you 🙂
Thanks! Method 2 seems like the right way forward. Resource is not really being churned.
Thanks!
Method 2 seems like the right way forward. Thanks. for share.
Great tutorial , helped our support team to resolve this issue.
Thanks and best wishes PnS Hostings!
thank you. this page is bookmarked prominently.
You’re most welcome, Marc!!
Bookmarked 😉
Thanks for this tips
You’re welcome, Abdessamd!
Hi can you give me a clear details on how to do method 2? Thanks
Open configuration file with your favorite text editor and search for the entry “PT_USERMEM” and increase it value.
Don’t forget restart csf&lfd.
Muchas gracias por el tutorial, fue de gran ayuda.
De nada, Cyberlion!!
Hello,
The problem is even you increase PT_USERMEM after a few days the emails will came back again and the virtual memory will need more. This solution it is not good. maybe it is another way to resolve this Excessive resource usage.
Disabling the alert is not a good one anyway. Need to analyse the alert and try to fix it, that’s the correct way!!
this is an interesting sites and i like this sites, thank you sharing knowledge with us
vary good