cPanel sends excessive amount of warning emails

If you installed cPanel and get an excessive amount of emails with warnings similar to the one below, there is a solution!

The problem:

You get tenths (sometimes hundreds or even more) emails per day with warnings similar to this:

Resource: Virtual Memory Size
Exceeded: 241 > 200 (MB)
Executable: /opt/cpanel/ea-php70/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php70/root/usr/bin/php-cgi
PID: 16297 (Parent PID:16100)
Killed: No

The warnings can vary, for example the executable may be /opt/cpanel/ea-php72/root/usr/bin/php-cgi if you use PHP 7.2 instead of PHP 7.0 in the example above. Also the executable may be a different one, and the line ‘exceeded’ may show different values.

What causes the emails:

cPanel has a plugin “ConfigServer Security & Firewall” or in short “CSF”.

This plugin has settings which triggers warning messages to the email you set in cPanel. The warning triggered in the above problem is the value in the field ‘PT_USERMEM’ which is set at 200 MB RAM, whilst the executable actually used 241 MB RAM.

Solution 1: Change the trigger value

By changing the value at which the emails are triggered in CSF’s settings, you can ensure you get less warnings.

  • Login to your server via WHM as root
  • Go to the bottom of the left menu to the Plugins section
  • Select “ConfigServer Security & Firewall”.
  • Click on the ‘CSF’ tab
  • Click on “Firewall Configuration”
  • Go to the field “PT_USERMEM’
  • Change the value from 200 (in our example, yours could be set differently) to anything between 0 and 1024. Setting 0 means no more emails will be sent as a consequence of this trigger. Setting the trigger to 1024 means you will still get warnings if there are truly excessive usages, which may be interesting to know. What value to set depends (sorry, I hate that too) on your systems resources such as the amount of RAM. I set mine at 1024 as I have plenty of RAM.
  • Restart CSF by scrolling down to the bottom and clicking “Change”, waiting until the changes are confirmed, and then clicking the button which then shows “Restart csf+lfd”

Solution 2: Ignore the executable, no more warnings

To completely ignore the executable that triggered the warning from now on, and receive no more emails, do this:

  • Log in via SSH using root as user
  • Find the file csf.pignore
    • In my case (CENTOS) this is at etc/csf/csf.pignore
    • In other Linux distributions this might be elsewhere
  • Add the executable to be ignored (if it is not already present):
    • In our example the executable was as follows: /opt/cpanel/ea-php70/root/usr/bin/php-cgi
    • Therefore we will add the following line in csf.pignore:
      • exe:/opt/cpanel/ea-php70/root/usr/bin/php-cgi
    • If your executable was different, add the one that caused the emails to be sent
      • For example if you use PHP 7.2 instead of PHP 7.0 as in the example, the executable in the warning would have been:
        • /opt/cpanel/ea-php72/root/usr/bin/php-cgi
      • And therefore the line to add to csf.pignore would be:
        • exe:/opt/cpanel/ea-php72/root/usr/bin/php-cgi
    • Restart CSF (see above at Solution 1, or find the SSH command appropriate for your Linux distribution)