
Managing Login Failure Daemon (LFD) from WHM

Category: cPanel

The Login Failure Daemon (LFD) is a part of the ConfigServer Security & Firewall (CSF) application that is available for Linux servers. It’s the firewall that comes preinstalled on any Managed KnownHost server and it’s a product that we’re very familiar with. This particular part of the application handles the tracking and logging of what goes on in the server and what CSF needs to be informed of, should action be required.

Tracking information such as:

  • Processes running longer than X seconds
  • Processes utilizing too much memory
  • More processes from a specific user than the X allowed
  • Invalid login attempts against SSH, FTP, IMAP, SMTP, and more
  • Various other blocking configurations from integrations such as mod_security

In this article, we’ll walk you through the various LFD settings within WHM.

Accessing the LFD Plugin

The first thing you’ll want to do is log in to your WHM interface with your associated root username and password. Next, find the ‘Plugins’ section.

Click the Plugins icon

Inside the ‘Plugins’ section, you will then see ‘ConfigServer Security & Firewall’.

Click the ConfigServer Security & Firewall icon

Within this section, you can click the ‘lfd’ tab at the top which will show you only options and configurations related to the Login Failure Daemon.

  • lfd Status
  • lfd Restart
  • lfd Ignore file
  • lfd Directory File Watching
  • lfd Dynamic DNS
  • lfd Alert templates
  • lfd Log Scanner Files
  • lfd Blocklists
  • lfd Syslog Users

lfd Status

The ‘lfd Status’ option provides the systemd details of the ‘lfd.service’ running on your server. You’ll see whether or not it’s actively running, recent log entries regarding it, and whether or not the service is experiencing issues (e.g., not starting).

lfd Restart

The ‘lfd Restart’ option restarts the ‘lfd.service’ running on your server. This is recommended after any adjustment to the lfd configuration to ensure that the service has picked up the new config parameters.

lfd Ignore File

The ignore section of the Login Failure Daemon allows you to whitelist things such as IP Addresses, processes, directories, scripts and more. It allows detailed control over what shouldn’t be of concern.

  • csf.ignore — Allows the ignoring of IP Addresses that experience incidents such as password failures.
  • csf.pignore — Allows the ignoring of processes that shouldn’t be tracked (such as long-running processes, e.g. mongod)
    • Example path such as ‘exe:/usr/local/bin/mongod’
    • Example user such as ‘user:nobody’ which would then ignore all processes by the nobody user.
  • csf.fignore — Allows the ignoring of directories should Directory Watching be configured for a specific file path
    • Requires full path or perl regular expression pattern matching.
  • csf.signore — Allows the ignoring of specific scripts that are going to be knowingly run (e.g. smtp mail scripts)
  • csf.rignore — Allows the ignoring of Reverse DNS Lookups if CSF is blocking crawlers (such as googlebot, bing, etc.)
  • csf.suignore — Allows the ignoring of superusers against the LF_EXPLOIT SUPERUSER check.
  • csf.mignore — Allows a list of users and local IPs to be ignored by the RT_LOCALRELAY_ALERT check.
  • csf.logignore — Allows usage of regex to match logs to be ignored by LOGSCANNER
  • csf.uidignore — Allows a list of User IDs (UIDs) to be ignored by the User Tracking Function.
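
Every csf.pignore entry removes a process from lfd's tracking, so the file is worth auditing after edits. The script below is an added example (not part of the original article and not ConfigServer's code); it interprets only the exe: and user: forms shown above, takes the file path as an argument, and runs on a constructed sample.

```shell
#!/bin/sh
# Added example: audit a csf.pignore-style file for entries that exempt more
# than intended. Only the exe: and user: entry types from the article are read.

audit_pignore() {
    # $1 = file to audit; prints one finding per risky line, nothing for clean ones
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            '' | '#'*) ;;    # blank line or comment
            user:*)
                echo "BROAD $lineno: every process owned by '${entry#user:}' is ignored" ;;
            exe:/*)
                path=${entry#exe:}
                if [ ! -e "$path" ]; then
                    echo "MISSING $lineno: $path does not exist (stale entry)"
                elif [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
                    echo "WRITABLE $lineno: $path is group/world-writable"
                fi ;;
            exe:*)
                echo "INVALID $lineno: '${entry#exe:}' is not a full path" ;;
            *)
                echo "UNCHECKED $lineno: $entry" ;;
        esac
    done < "$1"
}

# Constructed sample input; the directory and file names are made up for the demo.
demo_dir=$(mktemp -d)
touch "$demo_dir/mongod" "$demo_dir/loose"
chmod 755 "$demo_dir/mongod"
chmod 777 "$demo_dir/loose"
cat > "$demo_dir/pignore.sample" <<EOF
# constructed csf.pignore-style sample
exe:$demo_dir/mongod
exe:$demo_dir/loose
exe:$demo_dir/removed-binary
exe:bin/mongod
user:nobody
EOF
audit_pignore "$demo_dir/pignore.sample"
```

A user: line is always reported because it exempts every process that account runs, including ones started later by something other than the intended service.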

lfd Directory File Watching

Modifying this file (csf.dirwatch) allows you to set a list of files and/or directories that you want to watch for changes. Any modifications made to the files listed will send an alert to the notification contact on the server (usually root contact).

[Image: the directory watch file]

Full paths must be specified as outlined in the above image.

lfd Dynamic DNS

Any listed domains within this file (csf.dyndns) will be resolved and allowed through the firewall. This is useful for those situations where you are using a dyndns service such as and don’t want to constantly whitelist your IP Address.


lfd Alert Templates

The Login Failure Daemon provides templates for each of the alerts and tracking notifications that it sends regarding login attempts and failures. You can edit these templates to remove or include information that you may or may not find necessary. Clicking the drop-down will provide a list of the template files.

lfd Log Scanner Files

This file (csf.logfiles) lists the log files that you wish to have scanned by LOGSCANNER. If enabled, the lfd service would then send a periodic report based on what was scanned.


lfd Blocklists

This file (csf.blocklists) allows you to modify the specified blocklists within lfd/csf, allowing for the automatic blocking of IPs within those blocklists (e.g., spamhaus, tor clients, maxmind, etc.).

lfd Syslog Users

This file (csf.syslogusers) allows you to modify which users are allowed to log in to syslog/rsyslog. Users added here get added to the system group. This file doesn’t generally need to be touched.


Managing the Login Failure Daemon section from within WHM isn’t that hard thanks to the UI provided by the plugin developer. Given what we’ve gone over, you should have a general idea of what everything is and what each feature does. We hope that this was helpful in
