CSF/LFD reports virtual memory size exceeded

If you use CSF (ConfigServer Firewall) on a cPanel system, you may occasionally get messages reporting ‘Excessive resource usage’. The one I was getting related to the virtual memory size being exceeded for php-fpm, and the emailed message looked like this:

Time:         Sat Mar 17 22:22:15 2018 +0000
Account:      account-name
Resource:     Virtual Memory Size
Exceeded:     511 > 500 (MB)
Executable:   /opt/cpanel/ea-php56/root/usr/sbin/php-fpm
Command Line: php-fpm: pool domain_com                    
PID:          12353 (Parent PID:13671)
Killed:       No

What it’s actually saying is that a setting in CSF’s ‘Process Tracking’ section has been exceeded and the firewall is just letting you know.

In my case, it was talking about the PT_USERMEM setting. That was set to 500 (MB) on my system and if you look at the emailed message I received (above) you’ll see it says 511 > 500 (MB).

The firewall is doing its job and just warning me a CSF limit has been exceeded.

If you start getting this, it is worth investigating why. It may well be that the process in question genuinely needs the additional resources, or it may be that you have a problem. There are a wide range of possibilities and I can’t diagnose them all for you.

What I can do, however, is tell you how to silence that message if, after your investigations, you feel that’s the best option. There are two ways.

Solution 1 - Change the Limit

You can just increase the PT_USERMEM setting in the CSF config.

To do this, go into WHM, go to Plugins > ConfigServer Security & Firewall and then click the Firewall Configuration button.

From the drop-down box at the top, select Process Tracking.

Scroll down until you see the PT_ limit you have exceeded (it was PT_USERMEM in my case) and change it as you require.

Scroll to the bottom and click Change and then click Restart csf+lfd.

This will change the limit for every process on your system. However, you might prefer to suppress the message just for this particular instance of exceeding the limit, in which case read on.

Solution 2 - Suppress the Message

To suppress the message, go to Plugins > ConfigServer Security & Firewall and scroll down to the lfd - Login Failure Daemon section.

The option you want is the third one in that section (as I write this). There should be a drop-down box and you want to select the csf.pignore, Process Tracking option and then hit the Edit button next to it.

The email warning CSF sent you should have a Command Line line. In my case that line was:

Command Line: php-fpm: pool domain_com

So I copy the part after ‘Command Line: ’, which is: php-fpm: pool domain_com

And then pasting it at the bottom of the csf.pignore file with cmd: prefixed to it, so it looks like this:

cmd:php-fpm: pool domain_com

Then click the Change button at the bottom and finally click Restart lfd.

I prefer this solution because it’s more targeted to the specific error.
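
The copy-and-paste step in Solution 2 can also be scripted. The following is an added example, not part of the original post or of CSF itself: it extracts the Command Line value from a saved alert, strips the padding the e-mail adds, and appends the cmd: entry only if it is not already there. The function names are hypothetical, and /etc/csf/csf.pignore is assumed to be the file the WHM editor opens.

```shell
#!/bin/sh
# Added example (not from the original post): turn an lfd alert into a
# csf.pignore "cmd:" line. Function names are hypothetical.

# Read alert text on stdin, print "cmd:<command line>" (nothing if absent).
# The e-mail pads the value with trailing spaces; strip them (and any CR)
# so the entry is exactly the text shown in the post.
pignore_entry() {
    awk '/^Command Line:/ {
        sub(/^Command Line:[ \t]*/, "")
        sub(/[ \t\r]+$/, "")
        if (length($0) > 0) print "cmd:" $0
        exit
    }'
}

# Append entry $1 to ignore file $2 unless that exact line already exists.
# Assumption: the file WHM edits is /etc/csf/csf.pignore.
add_pignore_entry() {
    entry=$1
    file=${2:-/etc/csf/csf.pignore}
    if [ -z "$entry" ]; then
        echo "no Command Line found in alert" >&2
        return 1
    fi
    if grep -qxF -- "$entry" "$file" 2>/dev/null; then
        echo "already present: $entry"
        return 0
    fi
    # Do not glue the new entry onto a last line that lacks a newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$entry" >> "$file"
    echo "added: $entry"
}

# Lines from the alert quoted in the post, padding included.
SAMPLE_ALERT=$(printf '%s\n' \
    'Executable:   /opt/cpanel/ea-php56/root/usr/sbin/php-fpm' \
    'Command Line: php-fpm: pool domain_com                    ' \
    'PID:          12353 (Parent PID:13671)')

# Demo: print the entry only; nothing on disk is touched.
printf '%s\n' "$SAMPLE_ALERT" | pignore_entry
```

With the alert saved to a file (alert.txt here is a placeholder), add_pignore_entry "$(pignore_entry < alert.txt)" writes the entry; lfd still has to be restarted afterwards, as in the last step of Solution 2.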