June 14th, 2013
· Modified MaxMind City Database lookup code to be more resilient
May 31st, 2013
· Fixed SMTP_ALLOWLOCAL not functioning correctly. Added IPv6 support for SMTP_ALLOWLOCAL
· Removed SMTP_BLOCK restriction for IPv6 requiring port 25 to be present in TCP6_OUT
May 25th, 2013
· Modified csf UI to detect Webmin install and symlink script and images directory so as to no longer require Webmin module update on a new csf version
· Tidied up csf UI html
· Fixed System Statistics graph display when using Webmin
· Modified Server Security check to only perform GENERIC test when using Webmin to prevent hanging processes
· Added CLI options --car, --carm. This removes an allowed IP in a Cluster and removes it from /etc/csf.allow
· Added new options LF_WEBMIN, LF_WEBMIN_PERM. This feature adds login failure detection for Webmin in WEBMIN_LOG
· Added new option LF_WEBMIN_EMAIL_ALERT. This feature sends an email if a successful login to Webmin is detected in WEBMIN_LOG
· Modified LF_SCRIPT_ALERT text in csf.conf for cPanel servers
· Modified proftpd regex to cope with non-standard format and to remove trailing colons from account name
· Modified LF_SCRIPT_ALERT regex to cater for paths containing spaces
· Improvements to LF_SCRIPT_ALERT memory usage and possible script detection
· Added alternative LF_SCRIPT_ALERT regex for specific 1H.com exim logging ACL
April 25th, 2013
· Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that do not support IPv6 connection tracking by opening ephemeral port range 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the same workaround implemented by RedHat in the same default IPv6 rules.
April 4th, 2013
· Fixed issue with processing /proc/PID/stat for process information.
March 25th, 2013
· Prevent csf/lfd from failing to run if a non-critical configuration file does not exist
· In webmin, force table stylesheet to override webmin css. Requires webmin module reinstall on existing installations
March 22nd, 2013
· Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. The HTTP::Tiny module is included in the distribution, so no further action is necessary
· Modified lfd perl module loading to be conditional where possible to reduce lfd memory footprint
· Modify initial file processing to reduce lfd memory footprint
· Modify PS_PORTS processing to reduce lfd memory footprint
· Moved init of Geo::IP::PurePerl into iplookup subroutine
· Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to false-positives
· Modify LF_DIRWATCH_DISABLE so that only files are added to suspicious.tar and removed. Suspicious directories will no longer be removed
· Removed File::Path - no longer required
March 19th, 2013
· Modify MESSENGER HTML header to return code 403 instead of 200
· Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled
· Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables detection of repeated Apache symlink race condition triggers from the Apache patch provided by: http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
· This patch has also been included by cPanel via the easyapache option: "Symlink Race Condition Protection"
March 13th, 2013
· Ensure all binaries are called with their full paths for the scheduled Server Security Check reports
· Allow csf -u/-uf/--update and -c/--check when csf is disabled
· Make RT_* checks IPv6 compatible
· Added dns query caching for ip lookups during lfd process lifetime
· Modify TOR rule loading to use FASTSTART in lfd if enabled
· Added iptables locking to FASTSTART code
· LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts
· Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion
· Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries
· Added "DEFERRED" login failure checking to CPANEL_LOG regex
February 26th, 2013
Changes:
Major new option - FASTSTART:
This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways:
· 1. On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence
· 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time than if this setting is disabled
· [*] Not supported on all OS platforms
· FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously
· FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually
Other Changes:
· Improvements to csf and lfd init routines
· LF_QUICKSTART renamed to LFDSTART, setting value preserved
· Fixed a problem with scheduled Server Security Check reports
· Crypt::CBC upgraded to v2.32
February 21st, 2013
· Modified csf error routine to store failing error in csf.error and display an instructional message
· Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
· Modified the Server Report proxysubdomains check on cPanel servers
· Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to the listed TCP/UDP ports. For example, FTP access on port 21 could be blocked for only the specified countries
February 19th, 2013
· Due to issues that some are experiencing with the switch from the state to the conntrack module, a new setting has been added, USE_CONNTRACK, which is disabled by default except on servers running kernel 3.7+, where on new installations it will be enabled.
February 11th, 2013
There is currently an issue with the ASL delayed rules on cPanel servers that becomes apparent when attempting to rebuild via easyapache. It can fail with the error:
Syntax error on line 42 of /usr/local/apache/conf/modsec/10_asl_rules.conf:
ModSecurity: Metadata actions (id, rev, msg, tag, severity, ver, accuracy, maturity, logdata) can only be specified by chain starter rules.
· This can be resolved in our ASL delayed rule implementation by editing /usr/local/apache/conf/modsec/10_asl_rules.conf and commenting out (with a #) line 42 and the preceding 3 lines.
February 8th, 2013
· Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations
· Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36
· Additional entries in csf.logignore on new installations
· Try harder to get a CPU temperature if lm_sensors is installed for System Statistics
· Enforce PORTFLOOD setting restrictions and issue warning if entry discarded
· Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
· Make CC_[chain] actions more verbose in lfd.log
· Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. This feature allows access from the countries listed in CC_ALLOW_PORTS to the listed TCP/UDP ports. For example, FTP access on port 21 could be restricted to only the specified countries
· Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature
· Modified SMTP_PORTS to include ports 465 and 587 on new installations
· Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent
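The PT_FORKBOMB check described above (count processes per session id, flag any session over a limit) as an added Python example; this is not csf's own code. The /proc/PID/stat lines are constructed, and the function names, the skipping of session id 0 and the limit value are assumptions. The parser splits on the last ')' so that a command name containing spaces or parentheses does not shift the fields, which is the usual pitfall when processing /proc/PID/stat.

```python
import os
from collections import defaultdict

# Constructed sample of /proc/<pid>/stat contents (not real system output).
# Layout: pid (comm) state ppid pgrp session tty_nr ...
SAMPLE_STATS = [
    "1 (systemd) S 0 1 1 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 0 0 0",
    "800 (sshd) S 1 800 800 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 0 0 0",
    "900 (bash) S 800 900 900 34816 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 0 0 0",
] + [
    # six children in the bash session; the comm deliberately contains spaces and ')'
    f"{p} (fork (bomb) test) R 900 {p} 900 34816 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 0 0 0"
    for p in range(901, 907)
]


def parse_stat(line):
    """Return (pid, comm, ppid, session) from one /proc/<pid>/stat line.

    comm is wrapped in parentheses and may itself contain whitespace and ')',
    so split on the last ')' rather than on whitespace."""
    head, _, rest = line.rpartition(")")
    pid_s, _, comm = head.partition("(")
    fields = rest.split()  # fields[0]=state, [1]=ppid, [2]=pgrp, [3]=session
    return int(pid_s), comm, int(fields[1]), int(fields[3])


def sessions_over_limit(stat_lines, limit):
    """Group processes by session id; return {sid: [pids]} for every session
    with more than `limit` processes. Session 0 (kernel threads, no controlling
    session) is skipped here as an assumed safeguard against flagging the kernel."""
    by_session = defaultdict(list)
    for line in stat_lines:
        pid, _comm, _ppid, sid = parse_stat(line)
        if sid != 0:
            by_session[sid].append(pid)
    return {sid: sorted(pids) for sid, pids in by_session.items() if len(pids) > limit}


def read_proc_stats(proc="/proc"):
    """Read /proc/<pid>/stat for every numeric entry; processes that exit
    mid-scan are skipped instead of aborting the whole check."""
    lines = []
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                with open(os.path.join(proc, name, "stat")) as fh:
                    lines.append(fh.read().strip())
            except OSError:
                continue
    return lines


if __name__ == "__main__":
    limit = 250  # illustrative value; the page does not state csf's default
    for sid, pids in sessions_over_limit(read_proc_stats(), limit).items():
        print(f"ALERT: session {sid} has {len(pids)} processes (> {limit})")
```

Running it on a live host only reports; the page's option goes on to terminate the session tree, which is left to the firewall's own implementation.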
January 12th, 2013
· Fixed issue with crontab line for TESTING option not being detected and removed when TESTING mode is disabled
January 11th, 2013
· Added missing DD setting in DA and generic installations for ST_DISKW
· Modified IPv6 port settings to reflect IPv4 port settings for new installs in csf.conf
· If a deleted executable process is detected and reported then do not further report children of the parent (or the parent itself if a child triggered the report) if the parent is also a deleted executable process
· Parent PID added to PT_DELETED_ACTION parameters
· In the Server Report allow for spaces before Apache directives
· Updated instructions for modifying log_selector for exim configurations in readme.txt and Server Report
· Modify DD calculation for ST_DISKW for disks that report in GB/s
· Updated to use the new cPanel 11.36+ integrated perl binary if exists
November 15th, 2012
· Fixed problem processing dd output for ST_DISKW on some systems
· Fixed dovecot imap login failure regex processing
· Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog)
November 2nd, 2012
· Fixed an issue with PERMBLOCK introduced in v5.68
October 31st, 2012
· Fixed duplicate entries in csf.conf on GENERIC installations
October 31st, 2012
· New feature added - LF_DIST_INTERVAL. This option provides a separate timing interval for both LF_DISTFTP and LF_DISTSMTP. By default it is set to 300 seconds
· Implemented better handling of repeat blocks when an IP is already temporarily or permanently blocked
· Added missing inclusion of Time::HiRes in csf.pl
· Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log unless DEBUG enabled
· Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled
· RELAYHOSTS setting now defaults to "0" to improve security on cPanel servers
· Increased default value of DENY_IP_LIMIT to 200
October 29th, 2012
· Fixed a problem with permanent IP blocking when using LF_SELECT