
BUG: netstat output in lfd email truncates ipv6 addresses

Discussion in 'Bug Reports' started by pjrobertson, Feb 22, 2022.

  1. pjrobertson

    The emails that get sent out by lfd titled "lfd on XXXX: High 15 minute load average alert - XX.XX" include a netstat.txt file, but this output truncates the list of ipv6 addresses, which makes debugging a pain. It would be helpful if the command was called with:

    netstat -W (wide)

    so that the full IPs can be seen.


    Thanks for all the great work on centminmod!

    -----

    Please fill in any relevant information that applies to you:
    • CentOS Version: i.e. CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.19.6
    • When was last time updated Centmin Mod code base ? : 1 week ago
    • Persistent Config:
      Code (Text):
      PHP_PGO='y'
      NGXDYNAMIC_NGXPAGESPEED='y'
      NGINX_PAGESPEED='y'
      LETSENCRYPT_DETECT='y'
      PHPGEOIP_ALWAYS='n'
      PUREFTPD_DISABLED='y'
      



     
  2. eva2000

    Interesting issue. I believe those alerts are the default config templates provided by CSF Firewall themselves at /etc/csf/alerts/ according to section 5 of CSF Firewall readme docs at https://download.configserver.com/csf/readme.txt
    Code (Text):
    ls -lAh /etc/csf/alerts/
    total 160K
    -rw-------. 1 root root  124 Feb  1  2013 accounttracking.txt
    -rw-------. 1 root root  181 Feb  1  2013 alert.txt
    -rw-------  1 root root 1.1K Feb 29  2020 apache.https.txt
    -rw-------  1 root root  770 Feb 29  2020 apache.http.txt
    -rw-------  1 root root    0 Feb 29  2020 apache.main.txt
    -rw-------. 1 root root  192 Feb  1  2013 connectiontracking.txt
    -rw-------. 1 root root   76 Feb  1  2013 consolealert.txt
    -rw-------. 1 root root  136 Feb  1  2013 cpanelalert.txt
    -rw-------. 1 root root  129 Feb  1  2013 exploitalert.txt
    -rw-------. 1 root root  151 Feb  1  2013 filealert.txt
    -rw-------. 1 root root  132 Feb  7  2013 forkbombalert.txt
    -rw-------. 1 root root  374 Feb  1  2013 integrityalert.txt
    -rw-------  1 root root 1.2K Feb 29  2020 litespeed.https.txt
    -rw-------  1 root root  262 Feb 29  2020 litespeed.http.txt
    -rw-------  1 root root    0 Feb 29  2020 litespeed.main.txt
    -rw-------. 1 root root 1.2K Nov  8  2015 loadalert.txt
    -rw-------  1 root root 1.2K Nov  8  2015 loadalert.txt.new
    -rw-------. 1 root root  103 Feb  1  2013 logalert.txt
    -rw-------. 1 root root  101 Feb  1  2013 logfloodalert.txt
    -rw-------  1 root root  211 Oct  5  2017 modsecipdbalert.txt
    -rw-------. 1 root root  191 Feb  1  2013 netblock.txt
    -rw-------. 1 root root  209 Feb  1  2013 permblock.txt
    -rw-------. 1 root root  129 Feb  1  2013 portknocking.txt
    -rw-------. 1 root root  175 Feb  1  2013 portscan.txt
    -rw-------. 1 root root  391 Feb  1  2013 processtracking.txt
    -rw-------. 1 root root   97 Feb  1  2013 queuealert.txt
    -rw-------  1 root root  143 Jul 22  2017 recaptcha.txt
    -rw-------. 1 root root  196 Feb  1  2013 relayalert.txt
    -rw-------. 1 root root  260 Feb  1  2013 resalert.txt
    -rw-------. 1 root root  181 Feb  1  2013 reselleralert.txt
    -rw-------. 1 root root  200 Feb  1  2013 scriptalert.txt
    -rw-------. 1 root root  176 Feb  1  2013 sshalert.txt
    -rw-------. 1 root root  159 Feb  1  2013 sualert.txt
    -rw-------  1 root root  161 Feb  4  2020 sudoalert.txt
    -rw-------. 1 root root  194 Feb  1  2013 syslogalert.txt
    -rw-------. 1 root root  298 Feb  1  2013 tracking.txt
    -rw-------. 1 root root  129 Feb  1  2013 uialert.txt
    -rw-------. 1 root root  150 May 31  2013 uidscan.txt
    -rw-------. 1 root root  192 Feb  1  2013 usertracking.txt
    -rw-------. 1 root root  129 Feb  1  2013 watchalert.txt
    -rw-------. 1 root root  146 May 23  2013 webminalert.txt
    -rw-------. 1 root root 1.2K Aug 12  2019 x-arf.txt
    

    Code (Text):
    ls -lAh /etc/csf/alerts/loadalert.txt*
    -rw-------. 1 root root 1.2K Nov  8  2015 /etc/csf/alerts/loadalert.txt
    -rw-------  1 root root 1.2K Nov  8  2015 /etc/csf/alerts/loadalert.txt.new
    

    for /etc/csf/alerts/loadalert.txt template
    Code (Text):
    From: root
    To: root
    Subject: lfd on [hostname]: High [loadavg] minute load average alert - [reportload]
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
     boundary="------------[boundary]"
    
    This is a multi-part message in MIME format.
    --------------[boundary]
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    
    Time:                    [time]
    1 Min Load Avg:          [loadavg1]
    5 Min Load Avg:          [loadavg5]
    15 Min Load Avg:         [loadavg15]
    Running/Total Processes: [totprocs]
    
    --------------[boundary]
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
     filename="ps.txt"
    
    Output from ps:
    [processlist]
    
    --------------[boundary]
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
     filename="vmstat.txt"
    
    Output from vmstat:
    [vmstat]
    
    --------------[boundary]
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
     filename="netstat.txt"
    
    Output from netstat:
    [netstat]
    
    --------------[boundary]
    Content-Type: text/html;
     name="apachestatus.html"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment;
     filename="apachestatus.html"
    
    [apache]
    
    --------------[boundary]--
    

    Code (Text):
    grep -in -C10 netstat /etc/csf/csf.conf
    2588-IPTABLES_SAVE = "/sbin/iptables-save"
    2589-IPTABLES_RESTORE = "/sbin/iptables-restore"
    2590-IP6TABLES = "/sbin/ip6tables"
    2591-IP6TABLES_SAVE = "/sbin/ip6tables-save"
    2592-IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
    2593-MODPROBE = "/sbin/modprobe"
    2594-IFCONFIG = "/sbin/ifconfig"
    2595-SENDMAIL = "/usr/sbin/sendmail"
    2596-PS = "/bin/ps"
    2597-VMSTAT = "/usr/bin/vmstat"
    2598:NETSTAT = "/bin/netstat"
    2599-LS = "/bin/ls"
    2600-MD5SUM = "/usr/bin/md5sum"
    2601-TAR = "/bin/tar"
    2602-CHATTR = "/usr/bin/chattr"
    2603-UNZIP = "/usr/bin/unzip"
    2604-GUNZIP = "/bin/gunzip"
    2605-DD = "/bin/dd"
    2606-TAIL = "/usr/bin/tail"
    2607-GREP = "/bin/grep"
    2608-ZGREP = "/usr/bin/zgrep"
    

    But I am not seeing anywhere that would support adding the -W flag right now. You could try in /etc/csf/csf.conf changing
    Code (Text):
    NETSTAT = "/bin/netstat"
    

    to
    Code (Text):
    NETSTAT = "/bin/netstat -W"
    

    and see if that works
     
  3. eva2000

    okay think I found the place in CSF Firewall's /etc/csf/lfd.pl file
    Code (Text):
    grep -in -C5 netstat /etc/csf/lfd.pl
    3385-                           alarm(0);
    3386-                   };
    3387-                   alarm(0);
    3388-                   if ($@) {push @vmstat, "Unable to obtain vmstat output within 10 seconds - Timed out"}
    3389-
    3390:                   my @netstat;
    3391-                   eval {
    3392-                           local $SIG{__DIE__} = undef;
    3393-                           local $SIG{'ALRM'} = sub {die};
    3394-                           alarm(10);
    3395:                           @netstat = &syscommand(__LINE__,$config{NETSTAT}, "-autpn");
    3396-                           alarm(0);
    3397-                   };
    3398-                   alarm(0);
    3399:                   if ($@) {push @netstat, "Unable to obtain netstat output within 10 seconds - Timed out"}
    3400-
    3401-                   my $url = $config{PT_APACHESTATUS};
    3402-                   my ($status, $apache) = $urlget->urlget($url);
    3403-                   if ($status) {$apache = "Unable to retrieve Apache Server Status [$url] - $apache"}
    3404-
    --
    3412-                           $line =~ s/\[loadavg\]/$config{PT_LOAD_AVG}/ig;
    3413-                           $line =~ s/\[reportload\]/$reportload/ig;
    3414-                           $line =~ s/\[totprocs\]/$load[3]/ig;
    3415-                           $line =~ s/\[processlist\]/@proclist/ig;
    3416-                           $line =~ s/\[vmstat\]/@vmstat/ig;
    3417:                           $line =~ s/\[netstat\]/@netstat/ig;
    3418-                           $line =~ s/\[apache\]/$apache/ig;
    3419-                           $line =~ s/\[boundary\]/$boundary/ig;
    3420-                           push @message, $line;
    3421-                   }
    3422-                   ConfigServer::Sendmail::relay("", "", @message);
    

    line 3395 shows netstat command uses -autpn flags by default
    Code (Text):
    @netstat = &syscommand(__LINE__,$config{NETSTAT}, "-autpn");

    so probably need to change it to
    Code (Text):
    @netstat = &syscommand(__LINE__,$config{NETSTAT}, "-autpnW");

    but that gets overwritten on CSF Firewall daily updates

    As such probably best to make a suggestion with CSF Firewall developers at https://forum.configserver.com/viewforum.php?f=5
     
  4. pjrobertson

    Thanks for the info eva2000. That makes sense, it's a CSF upstream issue. I'll report it to them and see what they say.

    I'll try changing the /etc/csf/csf.conf file first to see what happens.
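
For triaging a saved netstat.txt attachment, the following added example (not code from the thread or from CSF) flags endpoints whose host part no longer parses as a full IP address, which is the symptom of the narrow output reported above. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of narrow `netstat -autpn` output (not taken from the thread).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:443        198.51.100.7:51234      ESTABLISHED 1234/nginx
tcp6       0      0 :::443                  :::*                    LISTEN      1234/nginx
tcp6       0      0 2001:db8:85a3:8d3:1:443 2001:db8:1f0a:3e5:50112 ESTABLISHED 1234/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
"""


def host_is_complete(endpoint):
    """Return True if the host part of 'host:port' parses as a full IP address."""
    host, _, _port = endpoint.rpartition(":")
    host = host.split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_truncated(netstat_text):
    """List (line_no, column, endpoint) for every endpoint that fails to parse.

    This undercounts: a cut-off address that still contains '::' can parse as a
    shorter, different address, so an empty result does not prove -W was used.
    """
    hits = []
    for line_no, line in enumerate(netstat_text.splitlines(), start=1):
        fields = line.split()
        # Socket rows start with tcp, tcp6, udp or udp6; skip headers and banners.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        for column, endpoint in (("local", fields[3]), ("foreign", fields[4])):
            if not host_is_complete(endpoint):
                hits.append((line_no, column, endpoint))
    return hits


if __name__ == "__main__":
    for line_no, column, endpoint in find_truncated(SAMPLE):
        print(f"line {line_no}: {column} address looks truncated: {endpoint}")
```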