What LFD emails really mean

Our live server builds use ConfigServer Firewall (CSF) and Login Failure Daemon (LFD) to firewall your servers and monitor activity on them. LFD is particularly effective at monitoring the system to identify anything unusual. It's a little cryptic sometimes and the tone of the emails can be dramatic, but on balance it's always telling you useful stuff about what's happening in a data centre, far far away.

Excessive resource usage

This depends on the process. If the process is /bin/bash, it means someone logged into the server then left their login window open for a long time. That's easily done and rarely a concern. If on the other hand you see other processes running for a long term, it's a good indicator that something has crashed or isn't running properly, so worth investigating.

System Integrity checking detected a modified system file

System files should only change as part of an upgrade. If this message is preceded by an upgrade notice, then it makes logical sense that those binaries will be flagged by System Integrity checking. e.g. Following CSF upgrading from 6.35 to 6.36 these two failure warnings were to be expected

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED

Regular misplaced warnings

Every upgrade of CSF will trigger a warning email like the one above. This leads to pairs of emails (the original upgrade message, followed by the warning) that are safe to ignore because they occur together. Now that's a very difficult challenge for an email filter!