http://devopera.com/module/docsf ConfigServer Firewall (csf) and Login Failure Daemon (lfd) are designed to protect online servers by providing an adaptive firewall and access/process monitoring service. CSF in turn uses IPtables to actually implement the firewall rules. This module also includes Linux Malware Detect (maldet) for detecting malware. CSF is used on live and staging builds to protect servers that run on open networks. Puppet Forge module | Open-source project on GitHub | Issue tracker en http://devopera.com/blog/2013/10/07/what-lfd-emails-really-mean <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="http://devopera.com/sites/52_devop7/files/field/image/lfd_alert_message_meaning_heartbeat.jpg"><img typeof="foaf:Image" src="http://devopera.com/sites/52_devop7/files/field/image/lfd_alert_message_meaning_heartbeat.jpg" width="939" height="370" alt="" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>Our live server builds use ConfigServer Firewall (CSF) and Login Failure Daemon (LFD) to firewall your servers and monitor activity on them. LFD is particularly effective at monitoring the system to identify anything unusual. It's a little cryptic sometimes and the tone of the emails can be dramatic, but on balance it's always telling you useful stuff about what's happening in a data centre, far far away.</p> <h3>Excessive resource usage</h3> <p>This depends on the process. If the process is /bin/bash, it means someone logged into the server then left their login window open for a long time. That's easily done and rarely a concern. If on the other hand you see other processes running for a long term, it's a good indicator that something has crashed or isn't running properly, so worth investigating.</p> <h3>System Integrity checking detected a modified system file</h3> <p>System files should only change as part of an upgrade. If this message is preceded by an upgrade notice, then it makes logical sense that those binaries will be flagged by System Integrity checking. e.g. Following CSF upgrading from 6.35 to 6.36 these two failure warnings were to be expected</p> <p>/usr/sbin/csf: FAILED<br /> /usr/sbin/lfd: FAILED</p> <h3>Regular misplaced warnings </h3><p>Every upgrade of CSF will trigger a warning email like the one above. This leads to pairs of emails (the original upgrade message, followed by the warning) that are safe to ignore because they occur together. Now that's a very difficult challenge for an email filter!</p> </div></div></div><div class="field field-name-field-modules field-type-taxonomy-term-reference field-label-above"><div class="field-label">Modules:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/module/docsf" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">docsf</a></div></div></div> Mon, 07 Oct 2013 12:49:52 +0000 admin 59 at http://devopera.com http://devopera.com/blog/2013/10/07/what-lfd-emails-really-mean#comments