How to disable LFD excessive resource usage alert in cPanel?

Login Failure Daemon (LFD) is a daemon process that runs on VPS or dedicated servers that use ConfigServer Firewall (CSF) for server security. LFD scans the server logs and sends a notification whenever a process uses more memory or runs for longer than the limits set in your CSF configuration file.

LFD treats recent failed login attempts as brute-force attacks and blocks those IPs using CSF.

A brute-force attack is a trial-and-error method used to crack a server password. The software used by the attacker generates consecutive guesses at the desired data. With the help of LFD, CSF can spot this type of attempt and temporarily block the IPs from accessing the server. All these actions are managed in the CSF configuration. You can access the CSF configuration in WHM with the following steps.

1. Log in to your WHM

2. Go to Home >> select Plugins

3. Click ‘ConfigServer Security & Firewall’

4. Choose ‘Firewall Configuration’

LFD excessive resource usage alert

The LFD service sends excessive resource usage alerts to the email address assigned to it, normally that of the root user account. Each notification points out a particular process or service that is using excessive server resources, which helps in identifying the resource-hungry process/service. We can either kill the process/service to free the resource or allocate more resources to it, if required.

Example email alert from LFD when memory is exceeded

Time: Mon Nov 14 09:41:10 2018 +0530
Account: xxxxxx
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php
PID: xxxxx (Parent PID:xxxxx)
Killed: No

This alert is sent by LFD when a process uses more memory than the limit defined in the CSF configuration file.

Example email alert from LFD when time is exceeded

Time: Mon Nov 14 09:41:10 2018 +0530
Account: xxxxxx
Resource: Virtual Memory Size
Exceeded: 125389 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/xxxxxx/public_html/index.php
PID: xxxxx (Parent PID:xxxxx)
Killed: No

This alert is sent by LFD when a process takes longer to execute than the limit defined in the CSF configuration file.

Disable these alerts

Disabling these alerts is not recommended. These email alerts are critical for monitoring the usage of server resources by user accounts. If you find that a particular process/service is necessary, you can allow it to continue using the server resources and disable the LFD notifications. You can disable LFD excessive resource usage notifications using the three methods given below. You can access the CSF configuration via WHM/terminal as described above.

Method 1

This method permanently disables the LFD excessive resource usage alert. Doing so poses a security issue.

1. Log in to your WHM

2. Open the CSF Firewall configuration

3. Set the directives PT_USERMEM and PT_USERTIME to 0.

PT_USERMEM = 0

PT_USERTIME = 0

4. Save the settings.

Method 2

In this method, we increase the memory and time limits so that the LFD alerts stop. This method is a temporary one: if any process/service uses more resources than the new limits, you will continue to receive the LFD alerts.

1. Log in to your WHM

2. Open the CSF Firewall configuration

3. Set the directives PT_USERMEM and PT_USERTIME to the desired values.

PT_USERMEM = 500

PT_USERTIME = 150000

4. Save the settings.

Method 3

This is the standard technique for disabling the LFD alerts. In this method, you add the particular process/service to the pignore file of CSF. Any process/service listed in pignore is ignored, which stops the LFD alerts for it.

1. Log in to your server as the root user.

2. Using your favorite editor, open the pignore file of CSF. Its common location is /etc/csf/csf.pignore.

3. Add the command line path specified in the alert to the pignore file of CSF.

4. Save changes.
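
Method 3 as a script, added here as an example (it is not part of the original article or of CSF): it reads the Executable and Command Line fields of an alert and emits one csf.pignore line in that file's exe:/cmd: entry format, using the narrower cmd: form when the executable is a shared interpreter. The function names, the exampleuser account and the interpreter list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article: build a narrowly scoped csf.pignore
# entry from an LFD resource alert. The sample alert below is constructed.
SAMPLE_ALERT='Time: Mon Nov 14 09:41:10 2018 +0530
Account: exampleuser
Resource: Virtual Memory Size
Exceeded: 205 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/exampleuser/public_html/index.php
PID: 12345 (Parent PID:12340)
Killed: No'

# alert_field ALERT FIELD: print the value of one "Field: value" line,
# tolerating a leading bullet or dash before the field name.
alert_field() {
    printf '%s\n' "$1" | sed -n "s/^[^A-Za-z]*$2:[[:space:]]*//p" | head -n 1
}

# pignore_entry ALERT: print one csf.pignore line for the alerted process.
# Shared interpreters get cmd: (this one command line) rather than exe:,
# because exe:/usr/bin/php would hide every PHP process from LFD tracking.
# The interpreter list is an assumption; extend it for your server.
pignore_entry() {
    exe=$(alert_field "$1" "Executable")
    cmd=$(alert_field "$1" "Command Line")
    [ -n "$exe" ] || return 1
    case "${exe##*/}" in
        php*|perl*|python*|ruby*|node|sh|bash)
            [ -n "$cmd" ] || return 1
            printf 'cmd:%s\n' "$cmd" ;;
        *)
            printf 'exe:%s\n' "$exe" ;;
    esac
}

# add_pignore ENTRY [FILE]: append ENTRY unless an identical line exists.
add_pignore() {
    file=${2:-/etc/csf/csf.pignore}
    grep -qxF -- "$1" "$file" 2>/dev/null || printf '%s\n' "$1" >> "$file"
}

# Demo: print the entry only; nothing is written to the real pignore file.
pignore_entry "$SAMPLE_ALERT"
```

After adding an entry, restart lfd (for example with csf -ra) so that the new pignore line takes effect.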

 

