Process tracking with the help of csf
Process Tracking. This option enables tracking of user and nobody processes and examines them for suspicious executable or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information. It is then the responsibility of the recipient to investigate the process further as the script takes no further action.
Important Process Tracking directive of CSF.
Here I am explaining all of the directive with its default values. You can alter all of it with your own requirements.
1. PT_LIMIT = “60”
This iss the number of seconds a process has to be active before it is inspected. If you set this time too low, then you will likely trigger false-positives with CGI or PHP scripts. # Set the value to 0 to disable this feature
2. PT_INTERVAL = “60”
How frequently processes are checked in seconds
3. PT_SKIP_HTTP = “0”
While enabling this setting will reduce false-positives, having it set to 0 does provide better checking for exploits running on the server
4. PT_DELETED = “0”
lfd will report processes, even if they're listed in csf.pignore, if they're tagged as (deleted) by Linux. This information is provided in Linux under /proc/PID/exe. A (deleted) process is one that is running a binary that has the inode for the file removed from the file system directory. This usually happens when the binary has been replaced due to an upgrade for it by the OS vendor or another third party (e.g. cPanel). You need to investigate whether this is indeed the case to be sure that the original binary has not been replaced by a rootkit or is running an exploit. Note: If a deleted executable process is detected and reported then lfd will not report children of the parent (or the parent itself if a child triggered the report) if the parent is also a deleted executable process. To stop lfd reporting such process you need to restart the daemon to which it belongs and therefore run the process using the replacement binary (presuming one exists). This will normally mean running the associated startup script in /etc/init.d/ # If you do want lfd to report deleted binary processes, set to 1
5. PT_DELETED_ACTION = “”
If a PT_DELETED event is triggered, then if the following contains the path to a script, it will be run in a child process and passed the executable, pid, account for the process, and parent pid. The action script must have the execute bit and interpreter (shebang) set. An example is provided in /usr/local/csf/bin/pt_deleted_action.pl WARNING: Make sure you read and understand the potential security implications of such processes in PT_DELETED above before simply restarting such processes with a script
6. PT_USERPROC = “10”
User Process Tracking. This option enables the tracking of the number of process any given account is running at one time. If the number of processes exceeds the value of the following setting an email alert is sent with details of those processes. If you specify a user in csf.pignore it will be ignored. # Set to 0 to disable this feature
7. PT_USERMEM = “200”
This User Process Tracking option sends an alert if any linux user process exceeds the memory usage set (MB). To ignore specific processes or users use csf.pignore . # Set to 0 to disable this feature
8. PT_USERTIME = “1800”
This User Process Tracking option sends an alert if any linux user process exceeds the time usage set (seconds). To ignore specific processes or users use csf.pignore . # Set to 0 to disable this feature
9. PT_USERKILL = “0”
If this option is set then processes detected by PT_USERMEM, PT_USERTIME or PT_USERPROC are killed Warning: We don't recommend enabling this option unless absolutely necessary as it can cause unexpected problems when processes are suddenly terminated. It can also lead to system processes being terminated which could cause stability issues. It is much better to leave this option disabled and to investigate each case as it is reported when the triggers above are breached Note: Processes that are running deleted excecutables (see PT_DELETED) will not be killed by lfd
10. PT_USERKILL_ALERT = “1”
If you want to disable email alerts if PT_USERKILL is triggered, then set this option to 0
11. PT_USER_ACTION = “”
If a PT_* event is triggered, then if the following contains the path to a script, it will be run in a child process and passed the PID(s) of the process(es) in a comma separated list. The action script must have the execute bit and interpreter (shebang) set.
PT_LOAD = “30”
PT_LOAD_AVG = “5”
PT_LOAD_LEVEL = “6”
PT_LOAD_SKIP = “3600”
Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the load average is greater than or equal to PT_LOAD_LEVEL then an email alert is sent. lfd then does not report subsequent high load until PT_LOAD_SKIP seconds has passed to prevent email floods. # Set PT_LOAD to "0" to disable this feature
PT_APACHESTATUS = “http://127.0.0.1/server-status”
This is the Apache Server Status URL used in the email alert. Requires the Apache mod_status module to be installed and configured correctly.
14. PT_LOAD_ACTION = “”
If a PT_LOAD event is triggered, then if the following contains the path to a script, it will be run in a child process. For example, the script could contain commands to terminate and restart httpd, php, exim, etc incase of looping processes. The action script must have the execute bit an interpreter (shebang) set
15. PT_FORKBOMB = “0”
Fork Bomb Protection. This option checks the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent. You can see an example of common session id processes on most Linux systems using: "ps axf -O sid" On cPanel servers, PT_ALL_USERS should be enabled to use this option effectively. This option will check root owned processes. Session id 0 and 1 will always be ignored as they represent kernel and init processes. csf.pignore will be honoured, but bear in mind that a session tree can contain a variety of users and executables Care needs to be taken to ensure that this option only detects runaway forkbombs, so should be set higher than any session tree is likely to get (e.g. httpd could have 100s of legitimate children on very busy systems). A sensible starting point on most servers might be 250
These are the Process Tracking(PT) directives for CSF.