What in the heck does this mean???

I just received an email from knownhost (I think???).... and I'm clueless what it means (but it sounds bad...).

The subject line is:
lfd on host.sewlycrafts.com: Excessive resource usage: dovecot (22083 (Parent PID:22077))
The content is:
Time: Tue Nov 5 17:29:16 2013 -0500
Account: dovecot
Resource: Process Time
Exceeded: 1858 > 1800 (seconds)
Executable: /usr/libexec/dovecot/anvil
Command Line: dovecot/anvil
PID: 22083 (Parent PID:22077)
Killed: No

If it helps any, 30 minutes before that I also received another email from knownhost (not sure if there's any connection???)
Subject line:
The clamavconnector plugin is now an RPM on host.sewlycrafts.com
Content:
cPanel & WHM now includes ClamAV Scanner as an RPM. This upgrade has appended .old to the names of the binaries in the /usr/sbin directory. They will be replaced with a symlink that points to the new binaries installed in the /usr/local/cpanel/3rdparty/bin directory.

I have NO idea what either of these are about... or what they might mean for me (good or bad).
Can some kind person take pity on me and explain in kindergarten language what either/both mean? Is there anything I need to do.... or worry about???

Thanks guys!! :)

P.S. I can say that when I saw "Killed: No" I was a little bit relieved. "Killed" sounds like a very very bad thing...
 

Dave G

Member
I just received an email from knownhost (I think???).... and I'm clueless what it means (but it sounds bad...).

The subject line is:
lfd on host.sewlycrafts.com: Excessive resource usage: dovecot (22083 (Parent PID:22077))
The content is:
Time: Tue Nov 5 17:29:16 2013 -0500
Account: dovecot
Resource: Process Time
Exceeded: 1858 > 1800 (seconds)
Executable: /usr/libexec/dovecot/anvil
Command Line: dovecot/anvil
PID: 22083 (Parent PID:22077)
Killed: No
Not much to worry about here. I believe some not-so-nice person was hammering on your email server (dovecot).

If it helps any, 30 minutes before that I also received another email from knownhost (not sure if there's any connection???)
Subject line:
The clamavconnector plugin is now an RPM on host.sewlycrafts.com
Content:
cPanel & WHM now includes ClamAV Scanner as an RPM. This upgrade has appended .old to the names of the binaries in the /usr/sbin directory. They will be replaced with a symlink that points to the new binaries installed in the /usr/local/cpanel/3rdparty/bin directory.
I think this may have something to do with the CentOS/WHM update. I had read they were doing something with ClamAV.
 
Dave... thank you!
That sort of makes me feel better, except I just got another one of those "excessive usage" emails. This one shows:
Exceeded: 5459 > 1800 (seconds)

Is there any way to stop this? I looked up dovecot and it says it's "Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind." And then it also says this (including anvil):
  • dovecot process is the Dovecot master process which keeps everything running.
  • anvil keeps track of user connections
How would someone have access to my email server??? I am so uninformed and clueless about how any of this works...
:(
 

KH-DanielP

KH-COO
Staff member
Deep breath, all is ok.

Anvil is another process that runs 24/7. It has been installed due to an update from cPanel; however, cPanel does not update the Firewall (CSF/LFD) to tell it this is an OK process. That's why you're getting these emails.

If you open a support ticket, one of our techs can add this process to the ignore list so LFD will stop emailing you about it.

The process is perfectly normal; someone just needs to tell that to the firewall is all ;)
 
Well... I just did a search for "libexec/dovecot/anvil" and found a forum thread about excessive usage emails starting after a WHM upgrade to WHM 11.40.0 (Build 6).... No idea if that applies to us or not. I don't touch the WHM, so any changes there I would guess originate with knownhost???? Here's a link to the forum thread I found:
http://forum.configserver.com/viewtopic.php?f=6&t=7054

I do try to educate myself... but sometimes all I end up doing is either confusing myself more, or finding out more information that means nothing to me. **sigh**
 
Thank you thank you thank you!!! **practicing deep breathing**

I'm off to send in a support ticket. That forum thread I found said something similar to what you're saying here. MUCH relieved!!!

 

Dan

Moderator
Hey TexasPrarieGal,

I'm not so sure you want to be on Edge updates for cPanel... that's kind of like testing beta software and I'm not sure that's what you want to be doing with your website(s). Some people like to, but for a production server it's probably not a great idea...
 
Oh lordy Dan.... I have no clue what you're talking about "Edge updates for cPanel". Whatever I have is just how the hosting was set up for me. I sure didn't ask for anything special (and I hate beta testing... I leave that sort of thing to people who actually KNOW what they're doing). Have I been opted in for something unusual?

I will say that support has taken care of this issue for me. Here's what they told me those excessive usage emails were all about:
"That's a result of recent cPanel update. They added two new dovecot binaries which are not in CSF/LFD whitelist. Let us know if you want us to add them in csf.allow to avoid such mails."

So was this a cPanel update that was not done for everyone??? Shoot, I don't even have a clue what the update does....

 

Dave G

Member
TPG
Not to worry, I don't think your WHM/cPanel is set for "Edge updates". I just received a notice that my WHM is going to be updated in a day or two to version 11.40, and my auto update is set for "RELEASE", as I'm sure yours is.
If you want to check, just go to "Home » Server Configuration » Update Preferences" in your WHM.
 

Dan

Moderator
Hmmm...ok well I think the egg on my face might just be overhard now ;)

I am set to Release as well, and if I look at the Change log in WHM the latest version listed there is 11.38.2.12. But if I look at Update Preferences it shows the latest version as 11.40.0.16. However, I run updates manually so I can see things like this coming LOL

Last I'd heard, 11.40 was still in Beta lol. Sorry about that, TexasPrarieGal!
 

Dan

Moderator
I just updated and ran into not only this issue but also another. For others here's how to fix it:

Edit csf.pignore:
Code:
pico /etc/csf/csf.pignore
Add these lines to the list:
Code:
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
Save and exit:
Code:
<ctrl>x then y to save
Restart LFD:
Code:
lfd -r
 
Thanks Dave... I checked exactly as you said and I'm set for "RELEASE", too. Also, all updates are set at automatic (if that makes any difference?).

And to Dan.... You don't have any egg on your face at all. The fact that y'all jump in with help and advice means the world to me. I honestly don't think I'll ever understand any of this. All I want is for my little ol' websites to work so I can sell my little ol' vintage stuff. :)
Also, I think those updates you posted are what Support did for me. No way, no how am I going to be touching or mucking with any files. I could probably bring knownhost down if I did....LOL

You guys are all awesome!!! For true!!

 

Nicki

Member
I updated mine today to 11.40 and started receiving similar emails immediately after, so you're definitely not alone. From time to time, you may have to update your CSF config to ignore new processes that are added in updates, as Daniel suggested above. :)
 

KH-Jonathan

Director of Managed Services
Staff member
We're in the process of pushing out a network-wide patch so if it hasn't stopped already, it will shortly :)
 

Nicki

Member
Oh nice! I had just made myself a note to edit my config tonight after I got home, but if y'all beat me to it, that's good too! :D
 

Dan

Moderator
It will be good to see if that actually helps. I added the indicated lines to the csf.pignore file and am still getting messages for anvil :/
 

KH-Jonathan

Director of Managed Services
Staff member
Did you restart LFD?

Code:
csf -r
doesn't restart LFD. You have to do:

Code:
lfd -r
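
The csf.pignore procedure from Dan's post, together with the `lfd -r` restart pointed out just above, as an added example that is not part of any post in this thread: it builds the `exe:` line from an alert's Executable field and appends it only once. The function names and the reviewed-directory check are assumptions, and the sample alert is constructed from the fields quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical function names): turn an lfd "Excessive
# resource usage" alert into a csf.pignore entry and add it idempotently.

# Constructed sample alert, built from the fields quoted in this thread.
SAMPLE_ALERT='Account: dovecot
Resource: Process Time
Exceeded: 1858 > 1800 (seconds)
Executable: /usr/libexec/dovecot/anvil
Killed: No'

# Print "exe:<path>" for the first Executable: field read from stdin.
# Mail bodies often arrive with CRLF line endings, so strip CRs first.
pignore_entry_from_alert() {
    tr -d '\r' | awk '/^Executable:/ {
        sub(/^Executable:[ \t]*/, ""); sub(/[ \t]+$/, "")
        print "exe:" $0; exit }'
}

# Only ignore binaries in a directory the admin has reviewed (assumption:
# the dovecot helper directory named in the thread); reject ".." tricks.
is_reviewed_path() {
    case "$1" in
        *..*) return 1 ;;
        exe:/usr/libexec/dovecot/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append ENTRY to FILE unless that exact line already exists.
# Prints "added" or "present".
ensure_pignore_entry() {
    file=$1; entry=$2
    if grep -Fxq -- "$entry" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$entry" >> "$file"
        echo added
    fi
}

# Demo on a scratch file. On the server the file is /etc/csf/csf.pignore and
# the change takes effect only after "lfd -r" ("csf -r" does not restart LFD).
demo() {
    tmp=$(mktemp)
    entry=$(printf '%s\n' "$SAMPLE_ALERT" | pignore_entry_from_alert)
    is_reviewed_path "$entry" || { echo "refusing $entry" >&2; return 1; }
    ensure_pignore_entry "$tmp" "$entry"
    ensure_pignore_entry "$tmp" "$entry"
    cat "$tmp"; rm -f "$tmp"
}
demo
```

Checking the path before ignoring it matters because a csf.pignore entry silences LFD process tracking for that executable entirely.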
 

Dave G

Member
So now that I'm home from visiting the in laws in North Carolina!!!!
This is what I see in my WHM when I click the "Details" link: I get the box you see, "Reasons for blocked updates". This is why I think an update is coming.

[Attachment: WHM.jpg]
 

Dan

Moderator
Dave G,

It looks to me like they are just saying you will be updated after the 8th.
 