SOLVED: CSF/LFD Suspicious Process Running Under User X

One of the steps you can take to secure your VPS is by installing CFS. Whenever there is a suspicious process on your server, CFS/LDF will send you an email. Here is a common email you might get:

Excessive resource usage: avahi

Time:         Wed Apr 18 12:19:00 2018 +0300
Account:      avahi
Resource:     Process Time
Exceeded:     71239 > 1800 (seconds)
Executable:   /usr/sbin/avahi-daemon
Command Line: avahi-daemon: chroot helper
PID:          647 (Parent PID:639)
Killed:       No

Depending on the applications you have on your server, you can end up with hundreds of such and related alerts forwarded to your email, which can be quite annoying. If you do not want to receive such alerts, you can disable them on CSF. Read on for common ways of stopping CSF/LFD notification alerts.

Excessive resource usage: avahi

This alert is about the avahi-daemon.  On most servers, avahi-daemon is not needed and should be stopped and disabled from starting if it is not required. This service is currently enabled in init and can usually be disabled by running the following commands through the console

$ service avahi-daemon stop

$ chkconfig avahi-daemon off

Alternatively, open you csf.pignore file at /etc/csf/csf.pignore and add the following line, so that CSF will ignore this process and you will not get any alert for this process.

exe:/usr/sbin/avahi-daemon

You can also add other lines on the file that will disable notifications for other processes. Here are some more alerts and the lines you can add to the csf.pignore file to disable the notification

Alert: Excessive resource usage: avahi

exe:/usr/sbin/avahi-daemon

Alert: Suspicious process running under user nobody

exe:/usr/sbin/dnsmasq

Alert: Excessive resource usage: apache

exe: /usr/sbin/httpd

Alert: Suspicious process running under user apache

exe: /usr/sbin/httpd

Disable CSF/LFD Email Alerts about permanent blocked IP

If you want to disable CSF LFD  alerts about permanent blocking of an IP, go csf.conf file and edit the value at

LF_PERMBLOCK_ALERT  from “1” to “0”. Make sure you restart CSF for the change to take effect. To restart CSF, enter the following command on your console:

sudo csf -r

Written By
I Cozens
More from I Cozens

SOLVED: CSF/LFD Suspicious Process Running Under User X

One of the steps you can take to secure your VPS is...
Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.