{"id":1004,"date":"2021-07-16T06:43:35","date_gmt":"2021-07-16T11:43:35","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=1004"},"modified":"2026-01-23T06:16:00","modified_gmt":"2026-01-23T12:16:00","slug":"common-csf-lfd-false-positives-and-how-to-stop-the-notifications","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/","title":{"rendered":"Common CSF\/LFD False Positives and How to Stop The Notifications"},"content":{"rendered":"<div class=\"kb-shortcode kb-shortcode_info\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-info-circle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_info\">\n<p>CSF Notifications 101:<\/p>\n<ol>\n<li><a href=\"https:\/\/www.knownhost.com\/kb\/introduction-to-csf-lfd-notifications\/\">Common Notifications from CSF\/LFD<\/a><\/li>\n<li>Common CSF\/LFD False Positives and How to Stop The Notifications<\/li>\n<\/ol>\n<\/div>\n                <\/div>\n\n\n\n<p>It is worrisome when you receive a notification from the firewall regarding a suspicious process, especially for those processes that you do not readily recognize. That is why KnownHost has compiled a list of some common alerts that are mostly false positives and provided the instructions for stopping the notifications. This list is specific to cPanel servers running <a href=\"https:\/\/support.cpanel.net\/hc\/en-us\/articles\/360051879394-How-to-enable-disable-ConfigServer-Firewall\">CSF\/LFD firewalls<\/a>.<\/p>\n\n\n\n<p>The good thing is that you don&#8217;t have to continue to receive these alerts. 
In fact, it is best to disable them: an inbox inundated with false positives makes you less likely to notice the important alerts that could indicate something more serious.<\/p>\n\n\n\n<p>To stop the notifications, all you need to do is add either the executable, the command, or the user (depending on the type of notification received) to the firewall&#8217;s process ignore file located at \/etc\/csf\/csf.pignore and then restart the firewall. You can either do this from SSH or via WHM.<\/p>\n\n\n\n<p>To determine whether it is best to ignore the user, the executable, or the command, you should know a little bit about the process. If the process is one of those that will run under its own user, such as postgres, then it should be fine to add the postgres username to the ignore file. The executable is usually best to whitelist when considering the executable versus the command, but if the executable changes often, you may be better to whitelist the command. One such case of this is with SpamAssassin (see spamd below). Keep each entry as narrow as the alert allows: a user or executable entry makes the firewall&#8217;s process tracking skip every process that matches it, not only the one that raised the alert.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ignoring_processes_via_ssh\"><\/span>Ignoring Processes Via SSH<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>You would first log into the server as the root user via SSH:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  ssh root@hostname  -p2200<\/code><\/pre>\n\n\n\n<p>Be sure to replace&nbsp;<em>hostname<\/em>&nbsp;in the previous command with your actual IP address or hostname (I prefer the IP just in case the A record is not set or set incorrectly for the hostname).<\/p>\n\n\n\n<p>Next, edit the process ignore file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  nano \/etc\/csf\/csf.pignore<\/code><\/pre>\n\n\n\n<p>For some of these alerts, like the &#8216;spamd child\/mailman&#8217; alert, an entry already exists in the file, but is disabled. 
In this case, just locate the entry and remove the leading &#8216;#&#8217;. If an entry does not exist in the csf.pignore file, you will need to scroll to the bottom of the file and add it there. Then, you will hit Ctrl X + y + Enter to exit and save.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"800\" height=\"629\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png\" alt=\"check csf for false positives\" class=\"wp-image-1011\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png 800w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs-300x236.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs-768x604.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>Lastly, restart the firewall so that these edits take effect:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  csf -ra<\/code><\/pre>\n\n\n\n<p>Now, you should no longer receive notifications regarding the false positive.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ignoring_processes_via_whm\"><\/span>Ignoring Processes Via WHM<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Login to WHM at the following&nbsp;URL&nbsp;(replace&nbsp;<em>hostname<\/em>&nbsp;with your actual hostname or your server IP):<\/p>\n\n\n\n<p><strong>https:\/\/hostname\/whm<\/strong><\/p>\n\n\n\n<p>Search and select the option \u201cConfigServer Security &amp; Firewall\u201d from WHM<\/p>\n\n\n\n<p>Locate and click \u201ccsf.pignore \u2013 Process Tracking\u201d if you are using an older version of CSF\/LFD. 
If your version is current, you will select the csf.pignore file from the drop-down menu located under the &#8216;lfd&#8217; tab as shown below and then click &#8220;Edit&#8221;:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"464\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csf.pignore-dropdown-1024x464.png\" alt=\"\" class=\"wp-image-1012\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csf.pignore-dropdown-1024x464.png 1024w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csf.pignore-dropdown-300x136.png 300w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csf.pignore-dropdown-768x348.png 768w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csf.pignore-dropdown.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Add the line containing the executable, user, or command to the bottom of the list. In some cases, the entry may already exist but be commented out. If so, just locate the entry and remove the leading &#8216;#&#8217; to enable the process ignore feature for it.<\/p>\n\n\n\n<p>Now click &#8220;Change&#8221; and restart lfd using the &#8220;Restart lfd&#8221; button<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"the_csfpignore_file_and_common_processes_that_trigger_false_positives_alerts\"><\/span>The csf.pignore File and Common Processes That Trigger False Positives Alerts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"spamd_child\"><\/span>spamd child<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This particular notification is so common that CSF\/LFD actually provides a disabled entry for it. It isn&#8217;t ignored by default, so one must configure the firewall to ignore it using the instructions above. 
For this process, just locate it in the list and remove the leading &#8216;#&#8217;, then restart the firewall. The line you will look for in the \/etc\/csf\/csf.pignore file is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  #cmd:spamd child<\/code><\/pre>\n\n\n\n<p>You just need to change it as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  cmd:spamd child<\/code><\/pre>\n\n\n\n<p>Now restart the firewall.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"jailshell\"><\/span>Jailshell<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The following alert is one that you may not necessarily want to disable completely. The example below is a cron job executed via a user&#8217;s crontab that is using jailed shell. You may actually want to know about this process in case there is occasionally an error with the cron completing. Otherwise, it may be that you expect the process to take a while and this process is legitimate, but is causing your mailbox to be flooded with alerts. In that case, you would likely want to ignore the process.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:jailshell (user) &#091;init] ell -c \/usr\/local\/bin\/php \/path\/to\/file\/index.php cron<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"passenger\"><\/span>Passenger<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The following process is one that you would want to configure the firewall to ignore. The Passenger process is actually due to the installation of the Apache module Passenger. This module would be installed for serving NodeJS, Ruby, and Python applications via Apache. 
You would simply add the command to the end of the file and restart the firewall to disable this alert.<\/p>\n\n\n\n<p>exe:\/usr\/bin\/node<\/p>\n\n\n\n<p>OR<\/p>\n\n\n\n<p>Aug 4 23:34:43 xander lfd[4367]: *User Processing* PID:4251 Kill:0 User:scriptkittie Time:72087 EXE:\/usr\/bin\/node CMD:Passenger NodeApp: \/home\/scriptkittie\/tools<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"litespeed\"><\/span>Litespeed<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Depending on whether Litespeed is installed on CentOS or on Cloudlinux determines which entries should be added to the process ignore file.<\/p>\n\n\n\n<p>CentOS servers with EasyApache 3:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:lsphp\nexe:\/usr\/local\/bin\/lsphp<\/code><\/pre>\n\n\n\n<p>CentOS Servers with EasyApache 4:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:lsphp\npexe:^\/opt\/cpanel\/ea-php\\d\\d\/root\/usr\/bin\/lsphp\npexe:^\/usr\/local\/lsws\/bin\/lshttpd.*<\/code><\/pre>\n\n\n\n<p>Cloudlinux with EasyApache 3:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:lsphp\nexe:\/usr\/selector\/lsphp<\/code><\/pre>\n\n\n\n<p>Cloudlinux with EasyApache 4:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:lsphp\npexe:^\/opt\/alt\/php.*\/usr\/bin\/lsphp<\/code><\/pre>\n\n\n\n<p>Cloudlinux servers with CageFS enabled:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:lsphp\npexe:^\/opt\/cpanel\/ea-php\\d\\d\/root\/usr\/bin\/lsphp\\.cagefs<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ruby\"><\/span>ruby<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you install Ruby on your EasyApache 4 cPanel server, it will cause firewall alerts unless you configure the firewall to ignore it. 
You will add the executable below to accomplish this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/opt\/cpanel\/ea-ruby24\/root\/usr\/bin\/ruby<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"awstats\"><\/span>awstats<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This is another entry that exists by default in the process ignore file, though disabled. It simply needs to be enabled by removing the leading &#8216;#&#8217; from each entry in the csf.pignore file and then issuing a firewall restart:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pcmd:\/usr\/bin\/perl \/usr\/local\/cpanel\/3rdparty\/bin\/awstats\\.pl.*\npcmd:\/usr\/bin\/perl \/usr\/local\/cpanel\/base\/awstats\\.pl.*<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"nagios\"><\/span>nagios<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you install Nagios on your server, the following can be used to stop the firewall process alerts regarding it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user:nagios\nexe:\/usr\/sbin\/nrpe\ncmd:\/usr\/sbin\/nrpe -c \/etc\/nrpe.cfg -d<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"mailscanner\"><\/span>MailScanner<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>MailScanner is yet another default entry that is disabled, but can be enabled by removing the leading &#8216;#&#8217; and restarting the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pcmd:MailScanner:.*<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"cpanellogd\"><\/span>cpanellogd<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This is another one that the firewall developers foresaw as a legitimate false positive, and they have added a disabled entry for us. 
We just need to remove the leading &#8216;#&#8217; from the entry to enable it and restart the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pcmd:\/cpanellogd - (http|ftp) logs for .*<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"mailman\"><\/span>mailman<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Mailman is another one that could be one of the false positives that the firewall developers predicted we&#8217;d want to ignore, so they&#8217;ve added the entry for us. Just locate the following entries and remove the leading &#8216;#&#8217;s from each and restart the firewall:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pcmd:\/usr\/local\/cpanel\/3rdparty\/bin\/python \/usr\/local\/cpanel\/3rdparty\/mailman\/bin\/qrunner.*\npcmd:\/usr\/local\/cpanel\/3rdparty\/bin\/python \/usr\/local\/cpanel\/3rdparty\/mailman\/bin\/mailmanctl.*<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"nginx\"><\/span>nginx<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you&#8217;ve installed Nginx on your server, you will need to manually add the process ignore for it. Your path may differ from the one below depending on how you installed the service as there is no support for Nginx at this time via cPanel, but the process is the same. Add the executable, command, or user and restart the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/local\/sbin\/nginx<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"memcached\"><\/span>memcached<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Memcached is often manually installed as no official cPanel support exists for it yet, though it is currently in the Experimental EA4 repositories. 
Adding the following to the csf.pignore file and issuing a firewall restart should stop the LFD notifications concerning it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/bin\/memcached<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"rsync_via_backup_plugins\"><\/span>rsync (via backup plugins)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Rsync is often used by backup plugins to back up a site. Personally, I would prefer a cPanel backup over a site backup made via plugin for many reasons, but, if for some reason you decide you must continue to use the backup plugin, you may find that you want to disable alerts regarding the rsync process. If so, you can add the following to the csf.pignore file and restart the firewall to accomplish this. Note that this entry applies to every rsync process on the server, not only the ones started by the backup plugin:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/bin\/rsync<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"redis\"><\/span>redis<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Redis caching can be ignored via the firewall by adding the following entries to the csf.pignore file. Do note that, if your Redis installation is using different specifications, you may need to examine the alerts sent and add the command shown there to the csf.pignore file instead of the command below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/bin\/redis-server\ncmd:\/usr\/bin\/redis-server 127.0.0.1:6379<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"sftp\"><\/span>sftp<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Whether or not to add SFTP to the process ignore file is more or less a matter of personal preference. If you&#8217;d rather be alerted every time one of your users on your server is uploading\/downloading files via SFTP, then you wouldn&#8217;t want to add this to the process ignore file. 
On the other hand, if you feel that the user wouldn&#8217;t have SFTP access if they weren&#8217;t already trusted, then you would add the following to the process ignore file and restart the firewall to ignore these alerts (ensure that you replace&nbsp;<em>user<\/em>, not&nbsp;<em>usr<\/em>, with the actual cPanel user&#8217;s name):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/home\/virtfs\/user\/usr\/libexec\/openssh\/sftp-server\ncmd: \/usr\/libexec\/openssh\/sftp-server<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"node\"><\/span>Node<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you&#8217;ve installed NodeJS on your server, you will need to configure the firewall to ignore it by adding the following executable to the bottom of the csf.pignore file and then restarting the firewall:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/bin\/node<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"python\"><\/span>Python<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you have any Python applications running via Apache&#8217;s Passenger module, then you will likely start getting these false positives. 
You can ignore them by adding the command to the process ignore file and restarting the firewall.<\/p>\n\n\n\n<p>Command Line: python \/opt\/cpanel\/ea-ruby24\/root\/usr\/share\/passenger\/helper-scripts\/wsgi-loader.py<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"php-fpm\"><\/span>PHP-FPM<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>PHP FPM for a specific user can be ignored via the following (be sure to replace&nbsp;<em>username<\/em>&nbsp;below with the actual cPanel username), though you will want to check the user&#8217;s resource usage and make sure no abuse is occurring for their sites if these are sudden:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd:php-fpm: pool username<\/code><\/pre>\n\n\n\n<p>Before adding this line to the ignore file, you would need to check the scripts running under the user and confirm whether or not those scripts should be using so much resources and are legitimate or not.<\/p>\n\n\n\n<p>A reason to whitelist a user&#8217;s PHP-FPM processes would be if the user has backup scripts that take a long time to run. 
I would advise only whitelisting such processes as long as certain conditions are met, including 1) runs frequent malware scans on the site, and 2) uses a web application firewall.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"varnish\"><\/span>Varnish<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Varnish caching daemon can often be ignored using the following entry, though your path may be different depending on the 3rd party installation instructions you used to install it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/sbin\/varnishd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"postgres\"><\/span>Postgres<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Depending on the age of your server, you may or may not need to add Postgres to the firewall&#8217;s process ignore file. You can check using the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  grep postgres \/etc\/csf\/csf.pignore<\/code><\/pre>\n\n\n\n<p>If you don&#8217;t get any output from that command, or you get output that is preceded with &#8216;#&#8217;, then you will need to enable postgres to be ignored by either removing the existing &#8216;#&#8217;, or by adding the entry.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/bin\/postgres<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"clamav\"><\/span>ClamAV<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>ClamAV is a malware scanner plugin in cPanel. If you choose to enable this, you will also need to ignore the process in the firewall. 
Since ClamAV runs under its own user, you can ignore the user:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user:clamav<\/code><\/pre>\n\n\n\n<p>If you&#8217;d rather ignore the executable or command, they are as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/local\/cpanel\/3rdparty\/bin\/freshclam\ncmd:\/usr\/local\/cpanel\/3rdparty\/bin\/freshclam --quiet --no-warnings<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"elasticsearch\"><\/span>ElasticSearch<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>ElasticSearch is yet another common installation on cPanel servers that can cause false positives. This service also runs under its own user and can be added to the process ignore file via the username:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user:elasticsearch<\/code><\/pre>\n\n\n\n<p>If you prefer to use the executable or command, they are listed below for reference:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/share\/elasticsearch\/modules\/x-pack-ml\/platform\/linux-x86_64\/bin\/controller\ncmd:\/usr\/share\/elasticsearch\/modules\/x-pack-ml\/platform\/linux-x86_64\/bin\/controller<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"any_third_party_software_that_you_have_installed\"><\/span>Any Third Party Software That You Have Installed<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Centovacast isn&#8217;t really a very common software that we see these types of alerts for. It is an example of a 3rd-party software installation that would cause LFD notifications but can be ignored via the firewall to stop such notifications. 
Here are the executable lines that had to be whitelisted in a recent Centovacast installation that caused such alerts to be sent:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exe:\/usr\/local\/centovacast\/liquidsoap\/bin\/liquidsoap\nexe:\/usr\/local\/centovacast\/sbin\/cc-comet\nexe:\/usr\/local\/centovacast\/sbin\/cc-web\nexe:\/usr\/local\/centovacast\/sbctrans2\/sc_trans\nexe:\/usr\/local\/centovacast\/shoutcast2\/sc_srv\nexe:\/usr\/local\/centovacast\/sbin\/cc-control\nexe:\/usr\/local\/centovacast\/sbin\/cc-appserver<\/code><\/pre>\n\n\n\n<p>The LFD alert you receive will contain the executable and the command line values that you would need to add to the process ignore list.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"system_integrity_has_detected_modified_files\"><\/span>System Integrity has detected modified file(s)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n<div class=\"kb-shortcode kb-shortcode_warning\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-exclamation-triangle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_warning\">This is not always a false positive, so please don&#8217;t automatically ignore this alert!<\/div>\n                <\/div>\n\n\n\n<p>This is mostly a false positive resulting from updates that have updated packages. 
One must first determine if this is the case before ignoring the email.<\/p>\n\n\n\n<p>Please see the next section regarding md5sum comparison failures for more information on how to deal with these types of alerts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"the_following_list_of_files_have_failed_the_md5sum_comparison_test\"><\/span>The following list of files have FAILED the md5sum comparison test<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>This is not always a false positive, so please don&#8217;t automatically ignore this alert!<\/strong>&nbsp;This is mostly a false positive resulting from updates that have updated packages. One must first determine if this is the case before ignoring the email.<\/p>\n\n\n\n<p>An example email may be one such as the following, which one may receive following an automatic cPanel update:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:\n\n\/usr\/bin\/ea-php56: FAILED\n\/usr\/bin\/ea-php70: FAILED\n\/usr\/bin\/ea-php71: FAILED\n\/usr\/bin\/ea-php72: FAILED\n\/bin\/ea-php56: FAILED\n\/bin\/ea-php70: FAILED\n\/bin\/ea-php71: FAILED\n\/bin\/ea-php72: FAILED\n\/usr\/local\/bin\/ea-php56: FAILED\n\/usr\/local\/bin\/ea-php70: FAILED\n\/usr\/local\/bin\/ea-php71: FAILED\n\/usr\/local\/bin\/ea-php72: FAILED<\/code><\/pre>\n\n\n\n<p>You must determine if these binaries were changed due to updates or via some other means. 
You can search the yum update log and the cPanel update logs for entries suggesting updates to these binaries just prior to these alerts having been sent. Log entries only show that an update ran; for files that belong to an RPM package, the package manager&#8217;s verification (for example, rpm -V with the owning package&#8217;s name) can confirm that the files on disk still match what the package installed.<\/p>\n\n\n\n<p>The yum update log is located here:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/log\/yum.log<\/code><\/pre>\n\n\n\n<p>The cPanel update logs are located here:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/cpanel\/updatelogs\/<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"the_csffignore_file_and_legitimate_directory_content_alerts\"><\/span>The csf.fignore file and Legitimate Directory Content Alerts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>CSF\/LFD also contains a csf.fignore file that can be accessed the same way that the csf.pignore file is. This file&#8217;s purpose is to list directories that the LFD directory watching feature should ignore. For example, a recent cPanel update temporarily changed where PHPMyAdmin temporary files were stored. The case reads as follows:<\/p>\n\n\n\n<p><em>Internal case CPANEL-23314 is open to address an issue in cPanel &amp; WHM version 76 where accessing phpMyAdmin as a cPanel user leads to the creation of pma_template_compiles_$user files in the system&#8217;s \/tmp directory. 
While this doesn&#8217;t lead to any direct issues with cPanel &amp; WHM itself, it&#8217;s contrary to the behavior seen in applications such as Horde and Roundcube where temporary files are stored in the \/home\/$user\/tmp\/ directory.<\/em><\/p>\n\n\n\n<p>Because CSF\/LFD monitors the \/tmp directory for suspicious files, this change resulted in false positive alerts with the subject &#8220;Suspicious File Alert&#8221; referencing files located under the directory matching the pattern &#8220;\/tmp\\\/pma_template_compiles_*&#8221; where * represents the cPanel account username that accessed PHPMyAdmin via cPanel.<\/p>\n\n\n\n<p>Since all of these files were being created under a directory used solely for them, and because nothing else requiring monitoring existed under that directory, ignoring the entire directory recursively was the best option. Doing so meant adding the pattern to the csf.fignore file like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"\/tmp\\\/pma_template_compiles_*\" &gt;&gt; \/etc\/csf\/csf.fignore; csf -ra<\/code><\/pre>\n\n\n\n<p>This command added the pattern and restarted the firewall with the new rules.<\/p>\n\n\n\n<p>Another similar case involved Litespeed&#8217;s stats plugins dumping to a dedicated \/tmp directory \/tmp\/lshttpd\/.rtreport. In this case, the following directory was ignored:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/tmp\/lshttpd\/.rtreport*<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"the_csfignore_file_and_legitimate_ip_blocks\"><\/span>The csf.ignore File and Legitimate IP Blocks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This file is useful for IPs that you don&#8217;t want to bypass closed ports but you don&#8217;t want to block, either. For example, a PCI scan provider. You will need to add the IPs for the PCI Compliance testing company in your firewall to ensure they are not blocked for port scanning when scanning your site. 
Adding their IPs to csf.ignore instead of csf.allow ensures that they do not get blocked, but still can\u2019t bypass closed ports; bypassing them would result in a failure of the PCI scan. If you were to add their IPs to csf.allow instead, they could still become blocked by certain LFD checks and would be able to bypass closed ports, which would likely lead to inevitable PCI scan failure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"other_ignore_files\"><\/span>Other Ignore Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Other Ignore files that can be used in the case of far less common false positives include the following:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>File<\/strong><\/td><td><strong>Purpose<\/strong><\/td><\/tr><tr><td>csf.logignore<\/td><td>regex to match logs to be ignored by LOGSCANNER<\/td><\/tr><tr><td>csf.mignore<\/td><td>list of users and local IPs to be ignored by the RT_LOCALRELAY_ALERT<\/td><\/tr><tr><td>csf.rignore<\/td><td>list of rDNS domains to be ignored by LFD process tracking such as bots<\/td><\/tr><tr><td>csf.signore<\/td><td>list of files that LF_SCRIPT_ALERT will ignore<\/td><\/tr><tr><td>csf.suignore<\/td><td>list of usernames that are ignored during the LF_EXPLOIT SUPERUSER check<\/td><\/tr><tr><td>csf.uidignore<\/td><td>list of user ID&#8217;s (UID) that are ignored by the User ID tracking feature<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Here is some information that is useful when reading the table above:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>LOGSCANNER This feature will send out an email summary of the log lines of each log listed in \/etc\/csf\/csf.logfiles<\/li>\n\n\n\n<li>RT_LOCALRELAY_ALERT Feature that triggers for excessive email sent via \/usr\/sbin\/sendmail or \/usr\/sbin\/exim<\/li>\n\n\n\n<li>LF_SCRIPT_ALERT Alerts when a limit of how many cwd= path emails are sent within an hour is exceeded.<\/li>\n<\/ul>\n\n\n\n<p>These 
are far less common and you are not likely to need to edit any of these listed in the table.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"other_false_positives\"><\/span>Other False Positives<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>There are obvious false positives, too, such as the login notifications that the firewall sends when you log in as the root user via SSH or when you su from a cPanel user to the root user. You may also receive an alert regarding a block resulting from an authentication failure that you yourself are responsible for if you have forgotten a password.<\/p>\n\n\n\n<p>Another common false positive results when an active site administrator or developer is working in many different services at once and has more connections open than is allotted via the firewall&#8217;s connection limit, CT_LIMIT. This can cause the administrator to become blocked for no apparent reason while actively working on the sites. Though the firewall recommends a setting of 300 for this limit (via the csf.conf file), a more conservative but sane restriction of 200 concurrent connections from a single IP is likely suitable for most.<\/p>\n\n\n\n<p>The CT_LIMIT may also cause false positives when used in conjunction with sites that use Cloudflare if the Cloudflare IPs have not been added to the csf.ignore file. On busier sites, concurrent connections from Cloudflare proxy\/CDN IPs may easily exceed this limit and result in false positive blocks against Cloudflare IPs. 
This can cause sites to have trouble loading and is why KnownHost configures your firewall accordingly to permit common services such as Cloudflare.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"conclusion_%e2%80%93_csflfd_false_positives\"><\/span>Conclusion &#8211; CSF\/LFD False Positives<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Your firewall is a piece of software that must be configured to work accordingly. The approach taken with CSF\/LFD is essentially a whitelist approach. You whitelist allowed processes, and then it sends warnings regarding any other processes that are found running and not on the whitelist (listed in the process ignore file). So, if you have recently installed a new service or daemon, and then receive an alert about this process that you know is legitimate, you may be able to safely whitelist it. If the process is one that you do not recognize, have it investigated.<\/p>\n\n\n\n<p>Honestly, it is best to have your server support investigate any that you receive because it is common for malware to name itself after normally legitimate processes to try to hide itself. For this reason, if you receive an alert that you are not 100% sure about, ask us! An example would be a malicious Perl process running as \/usr\/bin\/http. If you are just now starting to receive alerts, but Apache has been running on your server for months, then this would definitely be something to inquire support about.<\/p>\n\n\n\n<p>Remember, KnownHost is here to help!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is worrisome when you receive a notification from the firewall regarding a suspicious process, especially for those processes that you do not readily recognize. That is why KnownHost has compiled a list of some common alerts that are mostly false positives and provided the instructions for stopping the notifications. 
This list is specific to [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[93],"tags":[109,126,128,230,123],"class_list":["post-1004","post","type-post","status-publish","format-standard","hentry","category-courses","tag-cpanel","tag-csf","tag-directadmin","tag-firewall","tag-linux"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Stop CSF\/LFD False Positive Notifications: Complete Guide | KnownHost<\/title>\n<meta name=\"description\" content=\"Learn how to identify and resolve CSF\/LFD false positive notifications. Discover whitelist configurations, ignore settings, and firewall optimization tips.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stop CSF\/LFD False Positive Notifications: Complete Guide | KnownHost\" \/>\n<meta property=\"og:description\" content=\"Learn how to identify and resolve CSF\/LFD false positive notifications. 
Discover whitelist configurations, ignore settings, and firewall optimization tips.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-16T11:43:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-23T12:16:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"629\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jonathan K. W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/\"},\"author\":{\"name\":\"Jonathan K. 
W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"Common CSF\\\/LFD False Positives and How to Stop The Notifications\",\"datePublished\":\"2021-07-16T11:43:35+00:00\",\"dateModified\":\"2026-01-23T12:16:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/\"},\"wordCount\":3219,\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/csfcommonprocs.png\",\"keywords\":[\"cpanel\",\"csf\",\"directadmin\",\"firewall\",\"linux\"],\"articleSection\":[\"Courses\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/\",\"name\":\"Stop CSF\\\/LFD False Positive Notifications: Complete Guide | KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/csfcommonprocs.png\",\"datePublished\":\"2021-07-16T11:43:35+00:00\",\"dateModified\":\"2026-01-23T12:16:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"Learn how to identify and resolve CSF\\\/LFD 
false positive notifications. Discover whitelist configurations, ignore settings, and firewall optimization tips.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/csfcommonprocs.png\",\"contentUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/csfcommonprocs.png\",\"width\":800,\"height\":629},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Common CSF\\\/LFD False Positives and How to Stop The Notifications\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux 
questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Stop CSF\/LFD False Positive Notifications: Complete Guide | KnownHost","description":"Learn how to identify and resolve CSF\/LFD false positive notifications. Discover whitelist configurations, ignore settings, and firewall optimization tips.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/","og_locale":"en_US","og_type":"article","og_title":"Stop CSF\/LFD False Positive Notifications: Complete Guide | KnownHost","og_description":"Learn how to identify and resolve CSF\/LFD false positive notifications. 
Discover whitelist configurations, ignore settings, and firewall optimization tips.","og_url":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/","og_site_name":"KnownHost","article_published_time":"2021-07-16T11:43:35+00:00","article_modified_time":"2026-01-23T12:16:00+00:00","og_image":[{"width":800,"height":629,"url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png","type":"image\/png"}],"author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/"},"author":{"name":"Jonathan K. W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"Common CSF\/LFD False Positives and How to Stop The Notifications","datePublished":"2021-07-16T11:43:35+00:00","dateModified":"2026-01-23T12:16:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/"},"wordCount":3219,"image":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png","keywords":["cpanel","csf","directadmin","firewall","linux"],"articleSection":["Courses"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/","url":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/","name":"Stop CSF\/LFD False Positive 
Notifications: Complete Guide | KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#primaryimage"},"image":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png","datePublished":"2021-07-16T11:43:35+00:00","dateModified":"2026-01-23T12:16:00+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"Learn how to identify and resolve CSF\/LFD false positive notifications. Discover whitelist configurations, ignore settings, and firewall optimization tips.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#primaryimage","url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png","contentUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/csfcommonprocs.png","width":800,"height":629},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/common-csf-lfd-false-positives-and-how-to-stop-the-notifications\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"Common CSF\/LFD False Positives and How to Stop The 
Notifications"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. 
W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=1004"}],"version-history":[{"count":1,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1004\/revisions"}],"predecessor-version":[{"id":8014,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1004\/revisions\/8014"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=1004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=1004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/tags?post=1004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}