Updated to 1.2 now loads of error messages

bubblecatcher · July 27, 2020, 10:38am

Since updating to 1.2 i have been getting lots of error messages, mainly from lfd concerning excessive usage and suspicious processes.

I edit csf.conf to increase

PT_USERMEM = “512”
PT_USERTIME = “150000”

example of errors reported by email

Mail failure - no recipient addresses
A message that you sent contained no recipient addresses, and therefore no delivery could be attempted. ------ This is a copy of your message, including all the headers. ------ From: root To: Subject: lfd on server.mydomain.com: blocked 45.229.107.81 (BR/Brazil/81.107.229.45.cgn.atplus.com.br) From: [email protected] Message-Id: [email protected] Date: Mon, 27 Jul 2020 11:12:20 +0100 Time: Mon Jul 27 11:12:20 2020 +0100 IP: 45.229.107.81 (BR/Brazil/81.107.229.45.cgn.atplus.com.br) Failures: 5 (XMLRPC) Interval: 3600 seconds Blocked: Permanent Block [LF_CUSTOMTRIGGER]

Excessive resource usage: dovenull
Time: Mon Jul 27 11:13:14 2020 +0100
Account: dovenull
Resource: Process Time
Exceeded: 1811 > 1800 (seconds)
Executable: /usr/lib/dovecot/imap-login
Command Line: dovecot/imap-login
PID: 19459 (Parent PID:1185)
Killed: No

Suspicious process running under user dovenull
Time: Mon Jul 27 11:24:15 2020 +0100
PID: 16632 (Parent PID:1185)
Account: dovenull
Uptime: 3717 seconds

Executable:

/usr/lib/dovecot/imap-login

Command Line (often faked in exploits):

dovecot/imap-login

Network connections by the process (if any):

tcp: 176.9.49.21:993 → 52.97.169.133:47077

Files open by the process (if any):

/dev/null
/run/dovecot/login-master-notify50ac07c62dadbd5d (deleted)
/dev/null
anon_inode:[eventpoll]

I should note i currently cannot send any mail, it just sits in the mailq?

Never had these issues with 1.1

Thanks

falzo · July 27, 2020, 2:38pm

most likely nothing do with Hestias new version.

educated guess: someone is using or at least trying to use your wordpress to either gain access to your server or make it send (spam?) mails - which could also drain your ressource and have csf and lfd and whatever else you installed there create alerts. these could add to the load on top, if they are set to be send out via mail and so on.

I suggest to not install things like csf and lfd in the first place unless you know exactly what you are doing. rather focus on securing your wordpress first from inside out. no fuzzy plugins or themes from questionable origins, disable unneeded stuff (xmlrpc being one of these) and so on and so forth.

bubblecatcher · July 27, 2020, 2:56pm

That part message is fine as csf is blocking an attempted xmlrpc attack, i also have limit on failed WP logins, the part of that message that causing the error email is:

Mail failure - no recipient addresses
A message that you sent contained no recipient addresses, and therefore no delivery could be attempted. ------ This is a copy of your message, including all the headers. ------ From: root To: Subject: lfd

I believe “no recipient addresses” is why i am getting the email?

Note the the other error messages refer to:

/usr/lib/dovecot/imap-login
/usr/lib/dovecot/imap
/usr/local/hestia/nginx/sbin/hestia-nginx
/usr/sbin/zabbix_agentd

These are not WP attacks?

thanks

bubblecatcher · July 27, 2020, 2:58pm

Also why would an WP attack prevent email from being sent from the server?

AlwaysSkint · July 27, 2020, 3:48pm

Open your /etc/csf/csf.conf and include an email address:
LF_ALERT_TO = “”

SMTP_ALLOWGROUP = “mail” - you may have to additionally add specific users, for example…
SMTP_ALLOWUSER = “postfix,dovecot”

/etc/csf/csf.pignore…
user:dovenull
exe:/usr/lib/dovecot/imap-login
cmd:dovecot/imap-login

Don’t, just don’t! 3600 or 14400 at most. Wouldn’t surprise me if 150000 is out of range - seems excessive.

Can also be edited using the official CSF GUI.

bubblecatcher · July 27, 2020, 4:16pm

@AlwaysSkint

Thanks for reply, i made the csf.conf suggestions, i had already edited /etc/csf/csf.pignore and added:

exe:/usr/lib/dovecot/imap-login
exe:/usr/lib/dovecot/imap
exe:/usr/local/hestia/nginx/sbin/hestia-nginx
exe:/usr/sbin/zabbix_agentd
exe:/usr/sbin/zabbix_server
exe:/usr/sbin/nginx
exe:/usr/bin/freshclam
exe:/usr/lib/dovecot/stats

this helped reduce error emails.

Thing is, i have been running csf/lfd for a few months with getting any of these issues, they have only started since updating to 1.2 possible a coincidence?

thanks

AlwaysSkint · July 27, 2020, 4:20pm

Perhaps CSF wasn’t properly “hooked in” before and is now. Just a thought. Also, I wonder if the upgrade triggered something with the inbuilt firewall.

bubblecatcher · July 27, 2020, 4:41pm

possible, but why am i getting messages regarding things like ngix, freshclam?

AlwaysSkint · July 27, 2020, 4:48pm

Because process tracking is on (the CSF default).

falzo · July 27, 2020, 10:03pm

I never said that. I just pointed out, that you might be spiraling up here because you try to block things with a software you don’t fully understand instead of handling that on the wordpress level in the first place.

see the other thread and @AlwaysSkint comments above. you should not mess around with CSF if you don’t know how to configure it properly. maybe that’s still what is blocking you from sending mails…

could be you went overboard with the notification mails and stuff and therefore csf triggered a block on the sending IP. oh, wait that’s your server…

how about setting up a clean install and making sure everything OOB works before you start implementing additional stuff that are not directly supported and need a lot of custom settings and knowledge

bubblecatcher · July 28, 2020, 7:35am

Wordpress is secure, csf is a secondary security level.

csf had been working fine blocking attacks as they happened.

It is only mail sent from domains on server that are not sending, I am receiving system emails such as csf notifications fine.

Disabling csf does not resolve email sending
csf -dr (server ips) returns nothing so my server is not blocked!!!

As to going overboard with notifications, prior to 1.2 upgrade i did not receive and had actually set csf to receive no notifications.

Not sure if a csf update or something in 1.2 triggered these additional notifications.

Note AlwaysSkint is also having email sending issues on a server, there is also a patch to help solve sending to gmail, which hopefully is in 1.2.1, though after upgrading email still stuck in que.

AlwaysSkint · July 28, 2020, 10:21am

Which isn’t down to Wordpress/CSF - it’s primarily down to a lack of rDNS/PTR which I have no control over. I’m seeking an alternative by using an external mail server, when I find some time/energy. Refer to my above, with respect to SMTP allowed users/group; CSF notifications will use a different mail path to that of higher level applications.

falzo · July 28, 2020, 10:34am

as Hestia doesn’t provide anything for CSF yet, there is nothing that could be triggered or changed by the update. however, if you removed/changed iptables rules manually from the system to make CSF work, most likely the update for Hestia would have restored things.
that’s the same as with editing templates and configs… so maybe check if iptables is (again) in place and maybe interferes or the likes?

bubblecatcher · July 28, 2020, 5:39pm

i have not enabled firewall in hestia, my first line of defence is the hertzer firewall, but that is not the issue as have tried turning that off.

i have not messed with iptables, any ips added has been done via csf.

i have disabled csf as well, to no avail.