| Current File : //usr/local/bin/csf/changelog.txt |
ChangeLog:
12.06 - Removed new regex for LF_EXIMSYNTAX
12.05 - Removed rbl.jp RBLs from csf.rbls
Modify Project Honey Pot blocklist URLs to use https
Ignore $SIG{PIPE} when running ipset
Ensure csf shows ipset warnings
Added osmd to lfd restart routine when cPanel upgrades
Modified Server Check to look for underscore as well as dash settings
Added test in lfd to ensure the pidfile is open before attempting to
close it
Added new regex for LF_EXIMSYNTAX
Added new option: URLPROXY. If you need csf/lfd to use a proxy, then
you can set this option to the URL of the proxy
12.04 - Updated license terms for GDPR compliance
12.03 - Make CC_IGNORE check case-insensitive
Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*,
PT_* and PT_SSHDKILL)
Updated cxs FontAwsome to v5
Added fixes for additional Include line processing
Fixed race condition when processing CC_* zip files that could
sometimes prevent the csv files from being extracted
Updated HTTP::Tiny to v0.070
12.02 - Removed CC_OLDGEOLITE and associated code so that all installations
will now use the MaxMind GeoLite2 databases
Added more CLI options that work if csf is disabled
Added Include line support to 20 more /etc/csf/csf.* configuration
files. See /etc/csf/readme.txt under "Include statement in
configuration files" for the list of supported files
Added mangle and raw tables to csf --grep [IP] and modified output to
show a new column with the table then the chain that a rule is in
Added mangle and raw tables to csf --status output and modified output
to show a new header line with the table that a rule is in
Added new option USE_FTPHELPER. This enables the ftp helper via the
iptables CT target on supporting kernels instead of the current method
via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of
RELATED state
Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other
ICMP traffic is allowed (which can help network performance) unless
otherwise blocked. This is for IPv4, it does not affect IPv6
Improved rule placement to prevent existing connections bypassing
ICMP_IN_RATE/ICMP_OUT_RATE limits
Updated csf.conf documentation relating to the ICMP/PING settings
Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance
tools that state that ICMP timestamps should be dropped, you can enable
this option. Otherwise, there appears to be little evidence that it has
anything to do with a security risk but can impact network performance,
so should be left disabled by everyone else
csf and lfd now exit with status 1 on error or if disabled. However,
this will not happen with csf if the CLI option used still works while
disabled
USE_CONNTRACK is now enabled by default on new installations
Fixed DOCKER IPv6 warning message when DOCKER not enabled
Modified csf.blocklists for GREENSNOW to use https on existing and new
installations
12.01 - Added missing DOCKER_DEVICE setting from the generic and directadmin
csf.conf files
Ensure iptables/ip6tables mangle and raw tables are flushed on
stop/start if they exist
CC_OLDGEOLITE set to "0" on new servers and those upgrading to v12.*
for the first time. This enables MaxMind GeoLite2 by default unless
already set
Note: The old MaxMind Geolite v1 database code will be removed in the
near future, before the end of March, in favour of the v2 databases
12.00 - Added support for GeoLite2 databases from Maxmind for CC_*. These
databases are significantly larger than the soon to be deprecated
GeoLite ones stored in /var/lib/csf/
Added support for GeoLite2 databases from Maxmind for CC_LOOKUPS and
CC6_LOOKUPS.
Added new option: CC_OLDGEOLITE. This option is enabled by default to
continue using the old GeoLite databases. See csf.conf for more
information. This option will be removed in the near future so that all
installations use the new GeoLite2 databases
GeoLite2 lookups now use the CSV files instead of the formatted Data
files because the Perl dependencies for the MaxMind Perl modules that
access the Data files are prohibitively excessive. We have developed
our own fast binary search module to perform the required lookups on
the CSV files for both IPv4 and IPv6
An advantage of the new GeoLite2 databases is that IPv6 lookups can now
be done to the same level as IPv4: Country Code; Country; Region; City;
ASN
Unified storage of GeoLite2 database to avoid duplication between
CC_LOOKUPS and CC_* databases
Added new CC_LOOKUPS value of "4". This option does not use the MaxMind
databases directly for lookups. Instead it uses a URL-based lookup from
a third-party provider at https://freegeoip.net and so avoids having to
download and process the large databases. See csf.conf for more
information and limitations
Modified CC_INTERVAL default to 14 days on new installations
Ensure MESSENGERV2 service will not start if using a valid cPanel
account in MESSENGER_USER (must be non-cPanel account)
Create entry in /etc/aliases for "csf" if MESSENGERV2 is enabled on
cPanel servers to reserve the account name
Added new feature: DOCKER support. This configures iptables rules to
allow Docker containers to communicate through the host. This is
currently in BETA testing. See csf.conf for more information. Thanks to
Marcele for the rules
Removed redundant nat table check for ip6tables in Config.pm
Replaced all remaining bareword file handles
11.07 - Added missing WAITLOCK to iptables when processing advanced port
filters in csf and lfd and checking csf status in UI
Added WAITLOCK, if enabled, to iptables-restore commands during
FASTSTART
Server Check Report - removed ini_set check as so many scripts use
ini_set nowadays. Updated text on various checks
Updated the postfix SMTP AUTH regex
Added new SSHD "maximum authentication attempts exceeded" regex
Set basic PATH before running csfpre.sh/csfpost.sh to avoid binary
location issues
csf now runs csfpre.sh/csfpost.sh directly without forcing it through
/bin/sh. If present, csf chmods the script 0700 and checks for a
shebang. If the shebang is missing #!/bin/bash is added to the top. The
script is then run
Added seventh parameter to regex.custom.pm to allow Cloudflare blocking
if a CUSTOM regex is triggered (see latest regex.custom.pm in distro)
Rearranged UI tabs and shortened tab names. Moved quick actions to the
top of the "csf" tab pane
Added "AUTH command used when not advertised" to the LF_EXIMSYNTAX
regex check
Added new csf CLI cluster option: -ci, --cignore ip [comment]
This will add the IP to each remote /etc/csf/csf.ignore member and then
restart lfd. This has also been added to the UI
Fixed cluster grep output in UI
Modified MESSENGERV2 to support combined certificates+keys in cPanel
v68+
Added triggered setting and, if applicable, temporary TTL to the
"Blocked:" status in block alert emails
Added "wildcard" option to "Search System Logs" UI to use ZGREP to
search the specified log with a wildcard suffix. ZGREP option added to
csf.conf which must point to the zgrep binary
Added git binaries to csf.pignore on cPanel servers for upcoming v72/74
features
11.06 - Modified Integrated UI to use new cxs UI perl modules
Added custom redirect line for webmin UI when STYLE_CUSTOM enabled
Ensure ip6tables nat table is flushed if present whether MESSENGER is
enabled or not
11.05 - Added new configuration option PT_SSHDKILL. This option will terminate
the SSH processes created when blocking an IP
Added a "Fix Common Problems" section to the csf UI for various common
configuration issues
Ensure application ports are always defined in lfd
11.04 - Added new configuration option LF_APACHE_ERRPORT. This option is used
to determine if the Apache error_log format contains the client port
after the client IP. By default it is set to autodetect
11.03 - Improvements to ajax output in integrated UI
11.02 - Integrated UI fix for CloudFlare page
Removed non-participated deny options for cxs reputation service
Changed PT_SSHDHUNG to use a regex for process cmdline detection
Fixed issue with IPv6 client detection in Apache logs
11.01 - Corrections to readme.txt
In UI, display long output into fixed height divs with scrollbars and
font size changer
Modified Server Check to not display the mod_cloudflare warning if
CF_ENABLE enabled
Modified Server Check to display a single warning for each PHP check
listing affected versions instead of multiple warnings
Additional exim check added to Server Check
Improvements to ajax output in UI
11.00 - New Feature: CloudFlare Firewall integration. This feature provides
blocking and unblocking functionality with the CloudFlare Firewall from
within lfd, together with new CLI commands for direct access. See
documentation for CF_ENABLE in csf.conf, information in readme.txt as
well as the csf man page
Added UI elements for CloudFlare Firewall integration
New CLI command --trace [ip]. This replaces the --w, --watch CLI
command to Log SYN packets for an IP across iptables chains by using
the iptables TRACE module
New Feature: Check the size of the ModSecurity IP D/B. This option will
send an alert if the ModSecurity IP persistent storage grows
excessively large. This is enabled on cPanel by default. See csf.conf
for more information
New Feature: Allow use of comma separated list of ports in Advanced
Allow/Deny Filters
WATCH_MODE in csf.conf and --w, --watch CLI commands removed in favour
of the new --trace [add/remove] [ip] CLI command
Restrict the scope of Perl shebang replacement when installing on
cPanel servers
Modifications and fixes for the example MESSENGERV2 templates
Ensure /proc/sys/net/netfilter/nf_conntrack_helper is enabled at
startup to allow connection tracking to continue working on newer
kernels
Stop needlessly setting <head> and <body> elements in Ajax returns
Various corrections and updates to readme.txt
Tweaks to the Mobile View UI button arrangement and spacing
10.25 - CSS change to UI configuration page
Remove refresh timer from UI log file grep
10.24 - On webmin servers, added csf.body file to UI skinning (STYLE_CUSTOM).
See readme.txt for more information
10.23 - On cPanel servers, ensure that the csf driver for WHM is removed on
uninstall
Added hooks for upcoming cxs IP Reputation Service
On webmin servers, added csf.htmltag and csf.bodytag files to UI
skinning (STYLE_CUSTOM). See readme.txt for more information
MESSENGERV2 released as stable on cPanel servers. This uses the Apache
http daemon to provide the web service for MESSENGER HTML and HTTPS
Additions to csf.logignore on new installs
Added IPv6 support to BLOCKLISTS
Added Spamhaus DROPv6 and Stop Forum Spam IPv6 blocklists to
csf.blocklists
Removed Spamcannibal and added all.s5h.net from/to csf.rbls
Fixed issues with IPv6 rule creation attempts when IPV6 disabled
Automatically enable WAITLOCK on initial installation if supported
10.22 - Fixed issue with the ModSecurity regex modification in v10.20
10.21 - Ensure /etc/logrotate.d/lfd is overwritten on upgrade
10.20 - Prevent lfd logrotate from erroring if log files missing
Modified Apache ModSecurity regex to cater for changes in logging
format on cPanel servers with ModSecurity v2.9.2
Modified Apache cxs regex to cater for changes in logging format on
cPanel servers with ModSecurity v2.9.2
Ensure destination files are owned by root during installation
10.19 - MESSENGERV2: Take a copy of the live certs and keys and use these in
csf.messenger.conf to work around changing filenames for keys and certs
when they are regenerated which causes httpd to fail. This is done each
time lfd restarts
Added CLI option csf --mregen: MESSENGERV2
/etc/apache2/conf.d/csf_messenger.conf regeneration. This will also
gracefully restart httpd
10.18 - Stability improvements to the UI daemon
Fixed MESSENGER log entry spelling
10.17 - Prevent Cluster and UI daemons from terminating the main process if
they themselves terminate
Modify Cluster and UI daemons to restart if they are stopped or fail
Modify Cluster and UI daemons to be more verbose about reasons for
stopping
Fixed typos in readme.txt and csf.conf
Added MESSENGER child logging to /var/log/lfd_messenger.log, also for
MESSENGERV2 via a new index.recaptcha.php
Modified logrotate configuration to include /var/log/lfd_messenger.log
10.16 - Fixed issue in 10.15 which was causing the Cluster daemon to exit
unexpectedly
10.15 - New EXPERIMENTAL feature on cPanel servers: MESSENGERV2. This uses the
Apache http daemon to provide the web service for MESSENGER HTML and
HTTPS
Added new option LF_APACHE_401 that works in a similar way to
LF_APACHE_404 and LF_APACHE_403
Added new option RECAPTCHA_ALERT. This will send an email when a
recaptcha unblock request is attempted by lfd. This option is enabled
by default
Stability improvements to UI, MESSENGER and CLUSTER daemon processes
Added memory usage information to lfd log when using MESSENGER_HTTPS
Add limiter to enforce MESSENGER_CHILDREN when connections are waiting
for a child process
Modify MESSENGER HTML examples for new installs to use inline images to
improve page load speed and reduce lfd overheads
Modified network interface detection to allow dash (-) in name
URL updates in Server Check
Increased the default value for MESSENGER_RATE to 100/s (from 30/m)
and MESSENGER_BURST to 150 (from 5) for all installations to alleviate
slow MESSENGER response times
Set the SELinux security context for systemd and executable files
Ensure firewalld is masked on systemd servers
10.14 - Made configuration checks on iptables more fault tolerant to avoid
unnecessary failures while loading
Removed openbl.org from csf.blocklists for new and existing installs
More generic binaries added to csf.pignore
10.13 - Fixed looping/timeout of integrated UI children when Chrome client is
used
10.12 - Configured UI to fully integrate with cPanel templates without using
iframes
Configured UI to display full cPanel breadcrumbs
Configured UI to support cPanel v66 WHM UI changes
10.11 - Modified username regex for csf.syslogusers
Fixed issue with /var/lib/csf/lfd.stats excessive growth
10.10 - Modified HTML to cater for major change in cPanel v66
10.09 - Added new option DROP_OUT which is set to "REJECT" by default. This
option sets the default target for blocked outgoing ports. See csf.conf
for more information
Added improved detection of xtables lock and recommend enabling
WAITLOCK on error
Improved csf down detection when xtables lock in effect and WAITLOCK is
not enabled
Added support for listing ASNs in CC_IGNORE
10.08 - Added cpanel.allow and cpanel.ignore Include files for the cPanel
authentication servers. These are included on new installations and
added to existing files on cPanel installations
If running cPanel 1:1 NAT, use the contents of /var/cpanel/cpnat to
whitelist/ignore the external IP addresses
10.07 - Fixed bug when using RECAPTCHA_NAT where the listed IP's were not
correctly processed
Server Check now follows includes in dovecot.conf
Server Check now reports RHEL/CentOS/CloudLinux v5.* as EOL
10.06 - Added new entry in csf.pignore on cPanel servers for:
exe:/usr/libexec/dovecot/indexer
exe:/usr/libexec/dovecot/indexer-worker
Croak if IPTABLES is not set, incorrect or not present in csf.conf
Set SELinux context for /etc/logrotate.d/lfd on new generic installs
10.05 - Fixed table header html/css
Added workaround for adding superusers listed in
/etc/csf/csf.syslogusers to the RESTRICT_SYSLOG_GROUP if the log socket
is not accessed via the owner permissions
Changes for cPanel v64 template
Updated text description in csf.dirwatch for new installs
10.04 - Added error message to RECAPTCHA_* if the non-priveleged user cannot
write to its home directory
Further improvements to RECAPTCHA_* hostname check
10.03 - Added new option MESSENGER_HTTPS_SKIPMAIL on cPanel installations. This
option ignores ServerAlias definitions that begin with "mail.". This
can help with memory usage on systems that do not require the use
of MESSENGER_HTTPS on those subdomains. The option is enabled by
default on cPanel servers
Improved RECAPTCHA_* hostname check
Cluster CLI can now block CIDRs, e.g LF_NETBLOCK blocks will be applied
cluster-wide
10.02 - Modified Messenger HTTPS to cater for a wider range of Apache
VirtualHost formatting
Added Messenger HTTPS workaround for servers using PEM but a version
of IO::Socket::SSL that does not yet support it (pre v1.988)
Added Messenger HTTPS warning in csf.conf regarding memory usage on
some servers using the option
Added java binary for cPanel solr process to csf.pignore on new and
existing servers
10.00 - Added new feature to MESSENGER: MESSENGER_HTTPS*. See /etc/csf/csf.conf
for more detail. This option redirects blocked IP addresses that
connect over an HTTPS connection (port 443) to the HTML MESSENGER
service. The option uses existing SSL certificates on the server for
each domain to maintain a secure SSL SNI connection without browser
warnings. The setting is disabled by default
Note: The perl module IO::Socket::SSL (v1.83+) with support for SNI
must be available to use MESSENGER_HTTPS* otherwise it will be disabled
Added new feature to MESSENGER: Google ReCAPTCHA (v2) to allow those
blocked in the firewall to unblock themselves. See RECAPTCHA_* in
/etc/csf/csf.conf for more details and limitations
Added MESSENGER procedure to restart listening sub-process if it has
died
Moved MESSENGER processes to a separate module
Ensure that all forked processes terminate appropriately
On cPanel servers, use the cPanel WHM Template to support the new v64
UI layout (as best we can to maintain the look that we want)
Modified the cPanel csf ACL metadata and driver Perl modules to match
new requirements for v64 and also maintain backwards compatibility
9.30 - Fix to try and resolve cluster send/recv issues (Note: _All_ members of
the cluster need to be running v9.30 for clustering to function
correctly)
9.29 - Fixed issue that was breaking LF_DISTSMTP
Fixed issue in UI lfd Stats. Note: The lfd stats data file has been
renamed from /var/lib/csf/stats/lfdmain to /var/lib/csf/stats/lfdstats
Additionally, the stats for 2016-12-31 will reset to 0 due to this bug
Corrected text in readme.txt
Added new csf CLI cluster option:
-ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
This sends a temporary deny request to the cluster
Added new csf CLI cluster option:
-cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
This sends a temporary allow request to the cluster
Added new csf CLI cluster option:
-cg, --cgrep ip
This requests the --grep output for [ip] from each cluster member
Modified cluster requests to respond with an acknowledgment to the
sender
Modified --cdeny [ip] and --callow [ip] to include optional comment
Added separate tab for Cluster options in UI if enabled and added new
cluster temp allow/deny commands to UI
Modified Port Scan Tracking. UDP packets destined for the network
broadcast address(es) will now be ignored in Port Scan Tracking unless
BRD is added to PS_PORTS. The broadcast address(es) include the those
listed in IP or IFCONFIG plus the default (255.255.255.255) unless one
of the servers IPs
Added new feature: PT_USERRSS. This User Process Tracking option sends
an alert if any user process exceeds the RSS memory limit set - RAM
used, not virtual. PT_USERRSS is set to 256 (MB) and PT_USERMEM is now
set to 512 (MB) by default on new installations. On existing installs
PT_USERRSS is set to the same value as PT_USERMEM
9.28 - New logo added and configured for cPanel plugins
HTML fixes
STYLE_CUSTOM is now set to 0 by default on all new installations. If
you want to choose custom styling this option can be enabled
9.27 - Fix for UI Quick Unblock button
Fix for UI main page [ENTER] not working on all forms
9.26 - Fix for webmin UI when watching logs
Various UI html syntax fixes
Reduced UI banner padding
Port 23 added to DROP_NOLOG for new installations
WAITLOCK taken out of beta
Modified UI View Listening Ports
Reworked main UI table to produce syntactically correct HTML
Fixed duplicate HTML top and bottom page elements
9.25 - Correct csf lookup failure message
Converted UI icon for temp allow removal to new format
Simplified Configuration display of radio toggles to help screen
readers
Added patch to send message text for CLUSTER blocks
9.24 - UI html fixes
9.23 - Added upgrade note to the top of the UI if available
UI improvements for integrated cse and interface to cxs
Added Scroll to Top/Bottom buttons
Consolidate images, css and javascript into a common directory in the
installer
9.22 - Modify UI temporary IP deny buttons to not wrap in table
Modified UI Statistics images to be responsive
Modified readme.txt to detail additional UI styling options
Added two new options STYLE_CUSTOM and STYLE_MOBILE relating to UI
styling
Globalised SIGNALs where needed to help prevent zombie children
Modified UI to use container-fluid to improve whitespace use
Modified pre tags to wrap on whitespace
9.20 - Redesigned UI based on Bootstrap
New functionality: Added integrated mobile device view with subset of
functions
Modified csf to not warn about the SENDMAIL binary if LF_ALERT_SMTP is
enabled
Added use of the ace editor if present on cPanel installs to edit
files. Added toggle to switch back to textarea. Added buttons to
decrease and increase font size in editor
Modified readme.txt to include information regarding changing styles
and disabling Mobile View
9.14 - Fixed LOGSCANNER logging to only report to the log if DEBUG enabled
Added new BETA options WAITLOCK and WAITLOCK_TIMEOUT which provide
support for the iptables --wait option
Added UI support for cxs with Bootstrap
9.13 - Modify Server Check to prevent hanging process for CloudLinux PHP
versions prior to v5.2
9.12 - Improved LOGSCANNER accuracy of hourly and daily runs between restarts
Added more binaries on cPanel servers to csf.pignore for cPanel v60
Fixed repeated check for PHP open_basedir in Server Check
Do not perform suexec check if mod_ruid2 enabled in Server Check
Corrected text description of IPv6 port lists in non-cPanel csf.conf
Export ConfigServer::Logger::logfile
Detect mpm_itk_module and treat in a similar manner to ruid2_module in
Server Check
Removed use of Cpanel::cPanelFunctions as it is now being withdrawn
Updated common ConfigServer UI
Fix instance where cluster block timeout for temporary blocks was not
being sent
Check for EOL PHP v5.5 in Server Check
Added detection of alt-php versions provided by CloudLinux, but do
not check them for EOL version status
9.11 - Fixed issue with csf.allow Include checks when allowing an IP
Added the Greensnow blocklist to csf.blocklists for new installs
Fixed display of ports in CLI temporary blocks
Fixed issue removing CIDR blocks via the CLI from csf.deny
9.10 - Fix profile diff in the CLI
Fixed issue with deny removal by IP address of advanced rules in the
CLI
9.09 - Additional fix for ip6tables MESSENGER service when LF_IPSET not
enabled (ip6tables nat)
9.08 - AUTOSHUN list removed from csf.blocklists as the public list is no
longer available
Added support for ip6tables MESSENGER service when LF_IPSET not
enabled (ip6tables nat)
9.07 - Fixed removal of complex allow and deny rules
Fixed IPv6 implementation of CC_ALLOW_PORTS_* and CC_DENY_PORTS_*
Fixed file upload in cse via the integrated UI
Fixed "csf --cfile [file]"
Removed setting: OLD_REAPER
Localised SIGNALs
Localised uid and gid change in MESSENGER
Removed Bareword file handles
Where ip6tables <= v1.3.5 and IPV6 is enabled, disable USE_CONNTRACK if
enabled as ip6tables does not support the conntrack module in older
versions. This will force the use of the state module instead
9.06 - Fixed incorrect inclusion of cPanel Free SSL service include entries
on new non-cPanel installations
9.05 - Fixed RT_AUTHRELAY_LIMIT detection
9.04 - Fixed issue with custom regex rules where log hash was not being
passed to regex.custom.pm
Fixed issue with custom regex rules where "use strict" was used
incorrectly
9.03 - Fixed issue with LF_ALERT_TO and LF_ALERT_FROM not being used when set
9.02 - Fixed Reseller UI command execution
9.01 - Fixed graph display when using integrated UI
9.00 - Convert csfui.pl, csfuir.pl and cseui.pl to perl modules and modify
the calling UI specific scripts
Updated cseUI so that is passes perl strict module checks
Fixed issue with deny removal of some IPv6 addresses
Ensure /etc/chkservd/lfd is recreated when lfd is enabled via csf -e
on cPanel servers
Added exes to csf.pignore on existing and new cPanel server:
/usr/libexec/dovecot/lmtp
/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
/usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
Ensure all file opens are properly flocked
Switch to using require instead of eval/use to load runtime modules
where possible
Code review - started addressing perl critic suggestions in all
scripts and modules
Moved regex.pm to a seperate perl module
Moved email sending to a seperate perl module
Moved lfd logging to a seperate perl module
Add allow and ignore Include files for the cPanel Free SSL service
from Comodo in cPanel v58+. These are included on new installations
and added to existing files on cPanel installations
Fixed spurious Include error in lfd for csf.ignore
8.26 - Added more dovecot binaries to csf.pignore for new and existing cPanel
servers
Updated lfd-cron to use the csf startup routines to restart lfd on
systemd servers correctly, existing cron jobs are also modified
HTTP::Tiny upgraded to v0.058
8.25 - Modified Config loading to check for valid ip6tables location before
attempting to use it
Modify Server Report to support checking of cPanel MultiPHP
configurations when using EasyApache v4
Removed PHP check for suhosin from Server Report
Improved cipher check for pure-ftpd in Server Report
Added password reset check for subaccounts in Server Report on cPanel
servers
Added cPanelID check in Server Report on cPanel servers
8.23 - On cPanel servers ensure the lfd service is always correctly appended
to chkservd.conf on csf installation
8.22 - Fix csf --tempdeny from allowing blocking of local IPs
Fix problem where LF_NETBLOCK was no longer affective after blocking
a its first netblock until it timed out from csf.tempip
Modify UI table spacing
8.21 - Modified cPanel version check to avoid restart loop if GENERIC set to
1 in csf.conf
8.20 - Modify Relay Alert email to specify "localhost" rather than "Local
Account" when localhost IPv6 address detected as it currently does for
IPv4 localhost
Improvement to lfd restart routine for MailScanner and pure-ftpd when
cPanel upgrades on RHEL/CentOS/CloudLinux v7+ servers
8.19 - Move SMTP_BLOCK rules to a separate chain to avoid conflicts with
other control panels deleting required rules
8.18 - Reversed csf.tempip changes to avoid a possible locking issue in
csf.pl, lfd.pl changes retained
8.17 - Fixed 12 month statistics pie chart rendering
Increased default value and sanity range for PT_USERMEM
Modified SMTP_BLOCK to use iptables multiport
Added new feature: SMTP_REDIRECT. This redirects non-authorised
outbound SMTP connections to the local SMTP server
Ensure LF_PERMBLOCK IP's are removed from csf.tempip when rotating
csf.deny after reaching DENY_IP_LIMIT
Remove stale csf.tempip entries on lfd startup
Added IPv6 support to RT_LOCALHOSTRELAY tracking
Update binary locations for new installations on DirectAdmin Debian
Improved fix for detection of ip6tables nat chains
Added UI Firewall Configuration On/Off buttons
Added UI Firewall Configuration dropdowns for some value ranges
Updated UI restricted list
Updated sanity checks
Various UI updates and modifications
Added a warning when using mod_cloudflare to Server Check Report
8.16 - Removed UI integration from CentOS Web Panel as recent permission
changes break the implementation. The csf installer will restore the
original functionality
8.15 - Added new configuration option IP to point to the IP binary. This will
be used in preference to IFCONFIG, the latter is no longer required
when the IP binary is correctly configured and executable
Added full UI integration into CentOS Web Panel (CWP). To disable
integration:
Rename: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.orig.php
to: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.php
create: /etc/csf/cwp.disable
Updated Postfix SMTP AUTH regex (thanks to Marcele)
Added support for /etc/csf/csf.blocklists in ZIP format. The zip file
MUST only contain a single text file of a single IP/CIDR per line
Added Stop Forum Spam (ZIP) example to csf.blocklists
Added IPV6 support to csf.sips
Fixed detection of ip6tables nat
Removed development code for ispconfig from distribution as this
should NOT be used. It has never been implemented nor released as a
supported solution and is likely to be insecure. Upgrading will remove
any installations of this development code
8.13 - Added /usr/local/cpanel/3rdparty/php/54/sbin/php-fpm to csf.pignore
for cPanel installs
Clarify cluster CLI commands that refer to remote server actions
Added number of failures to the RBL check Subject field
Modified Port Scan checks for more kernel log line formats in regex.pm
8.12 - Additional Feature: Added support for listing ASNs in all Country Code
(CC_*) options
Fixed GLOBAL_ALLOW and GLOBAL_DENY when LF_IPSET is enabled
Fixed GLOBAL_DYNDNS when LF_IPSET and LF_IPV6 are enabled
IPSET binary location set to /sbin/ipset for Debian/Ubuntu new
installs
Additional regex included for vsftp login failures
8.11 - Fixed issue on non-RedHat OS installations that failed due to problems
whitelisting the installers IP address
8.10 - Fixed issues with new non-RedHat OS installations by reasserting perl
module check to the start of the installation process but removing
included modules from checks
Ports 2079 and 2080 added to TCP_IN for new cPanel installs to allow
CalDAV/CardDAV access
8.09 - Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or
/sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow
higher settings for PORTFLOOD than the default of 20 if configured
Added LimitNOFILE to lfd.service on servers using systemd to allow for
large numbers of open files
Cater for full stops (.) in ethernet device names
Moved Perl module checks until after csf installation has completed so
that all included modules exist in /usr/local/csf/lib/
8.08 - Fixed csf.sips modification via UI on Redhat/CentOS v7.1
Raised csf.blocklist names from 9 to 25 characters long. This cannot
be greater due to limits on ipset names on some OS's and the use of
prepended names for new ipset list swapping
Added output from netstat for PT_LOAD to loadalert.txt for new
installs. For existing installs, latest file copied to
/usr/local/csf/tpl/loadalert.txt.new
8.07 - Ensure spaces are stripped from values in /etc/cpanel/ea4/paths.conf
on cPanel servers
Fixed issue with csf --add [ip] not always removing [ip] if present
from csf.deny
Modified the LF_QOS regex to cater for additional log formats
8.06 - Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel
servers for Pyzor that was added by cPanel in v11.52
Support added for EasyApache4 log locations in cPanel from
/etc/cpanel/ea4/paths.conf
Added more executable files to csf.pignore on cPanel servers for
cPanel EasyApache4
Modify Server Check to support cPanel EasyApache4
Added regex to support cPanel/WHM login failures with the new log
format in v11.52+
If mod_ruid2 is enabled do not check for mod_userdir in Server Check
Always ensure binary exists and is executable before performing
processing during Server Check
Modified ProFTPD regex to support more formats
vsftpd inbuilt log file format regex added
Modified cPanel antirelayd Server Check to also support popbeforesmtp
added in v11.52
Added dbus and time systemd regexes to csf.logignore for new installs
8.05 - Added alarms to HOST binary calls
Added new csf CLI option: --rbl [email]. This generates the report
checking IP addresses against a set of RBLs. Optional configuration is
available through /etc/csf/csf.rblconf
Added UI to utilise the new --rbl [email] option
Added systemd status output after lfd restart via the csf CLI
Modified Server Check to only report bind if a named configuration
file exists
Require cPanel resellers to enter a Comment when allowing or denying
an IP
Added new option UI_IP to allow binding to a specific IP address for
the integrated UI
8.04 - Added more executable files to csf.pignore on cPanel servers for
cPanel v11.5*+
Added warning to both csf output and Server Check report if
PT_USERKILL is enabled
8.03 - Fixed bug where iptables nat tables were not being flushed or grepped
correctly
8.02 - Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available
for more reliable IPv4 and IPv6 reverse lookups
Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
Added new csf CLI option: --lfd [stop|start|restart|status]. Actions
to take with the lfd daemon
Added new csf CLI option: -ra, --restartall. Restart firewall rules
(csf) and then restart lfd daemon
Fixed several output message typos for "FASTSTART"
Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided
by the local kernel
Improve IPv6 detection on installation
Implemented more efficient csf.conf loading in ConfigServer::Config
8.01 - Modify ConfigServer::CheckIP to cope with entries not passed by reference
8.00 - Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code
and Country lookups
Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for
LF_NETBLOCK
Modified LF_LOOKUPS to use the host binary if available for more
reliable IPv4 and IPv6 reverse lookups
Added IPv6 support for LF_IPSET
Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER,
CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH
(Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
Added IPv6 support for X_ARF report where found in the Abusix Contact
DB
Added IPv6 nameserver support for /etc/resolv.conf
Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and
perl module IO::Socket::INET6 is installed
Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
Added IPv6 support for SYNFLOOD
Added flush of ip6tables nat table if ip6tables version >= 1.4.17
Standardise all IPv6 addresses and networks to use the short form for
consist representation
Added FASTSTART support to LF_IPSET
Increased ulimit -n to 4096 in /etc/init.d/lfd
Included Net::IP for IP address manipulation
Included version perl module for version comparisons
Added missing csf.allow search to csf --grep
Added Server Check report for LF_IPSET when using Country Code filters
7.73 - Fix for temporary denies allowing duplicate IP/Port blocks/allows
Speedup csf --grep [ip] when searching IPSET sets. Note: This does
mean that partial IP queries will no longer match IPSET entries
Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for
larger ipset sets
Added option HOST as the location of the "host" binary for DNS TXT
record lookups
Modified X_ARF report to include the abuse contact for a reported IP
address where found in the Abusix Contact DB
Added new option X_ARF_ABUSE. This option allows for automatic sending
of X_ARF reports to the IP addresses abuse contact. See csf.conf for
warnings about using this option
Added binary location checking in csf and issue warnings if incorrect,
not installed or not executable
7.72 - Added new option PT_SSHDHUNG. Terminate hung SSHD sessions. When under
an SSHD login attack, SSHD processes are often left hung after their
connecting IP addresses have been blocked. This option will terminate
such processes. See csf.conf for more info
Added new binaries to csf.pignore on existing cPanel installations to
cater for v11.50 and CentOS v7
LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for
new installations
Updated Server Check ipv6 detection
Updated sanity checks
7.71 - Added warning on cPanel servers for GreyListing
Fixed issue with RedHat/CentOS/CloudLinux v7 where local IPs were not
being successfully detected from IFCONFIG
7.70 - Removed PayPal Donation buttons due to recent abuse
7.69 - Modified LF_CSF on cPanel servers to detect a change in the cPanel
version and then trigger a restart of ConfigServer scripts (added
cxs pure-uploadscript restart)
7.68 - Added Debian v8 and Ubuntu v15 support
HTTP::Tiny upgraded to v0.054
7.67 - Added a workaround for Plesk sendmail wrapper SIGCHLD problem
7.66 - Fixed UI status form tags
Added new option LF_SPI. This option configures csf iptables as a
Stateful Packet Inspection (SPI) firewall - the default. If the server
has a broken stateful connection tracking kernel then this setting can
be set to 0 to configure csf iptables to be a Static firewall, though
some funtionality and security will be inevitably lost
Added common systemd logs to csf.logignore for new installs
Modify LF_IPSET in csf to print failure messages instead of aborting
on error
On servers using systemd if firewalld found to be active, csf and lfd
will not start until is is stopped and disabled as csf cannot be used
with firewalld
Added option SYSTEMCTL to csf.conf as the location of the systemctl
binary for use with servers using systemd
7.65 - Fixed csf.blocklist for new installs which incorrectly had OPENBL
enabled by default
7.64 - UI HTML updates and fixes
Modified openbl.org URLs in csf.blocklist to use https - this will
likely need URLGET set to 2 (LWP)
7.63 - Modified Server Check to highlight PHP v5.3.* as EOL and therefore a
security risk
Port 587 added to TCP_OUT/TCP6_OUT on all new installations (previously
only on cPanel)
Added new CLI option to csf, -i --iplookup will lookup IP address
geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
Manually allowed/denied permanent/temporary IPs through the csf CLI
now include the CC information if no comment is used
Renamed csf and lfd cron jobs in /etc/cron.d/ to cater for non-LSB
compliant Linux cron managers
Modified Server Check report to cater for servers running systemd
More Server Check fixes for out of date checks
Added 2 new alert settings for FTP and SMTP distributed attacks:
LF_DISTFTP_ALERT and LF_DISTSMTP_ALERT
7.62 - Modified ModSecurity regexes to be more generic
7.61 - Fix issues with lfd restart via integrated UI and DA UI
7.60 - Ensure that /usr/lib/systemd/system/ is created on install on systemd
servers
7.59 - Fix sanity check for SMTPAUTH_RESTRICT
Fixed incorrect reference to cxs in the generic csf installer
Modified csf.conf to show that LWP::Protocol::https is needed for LWP
to retrieve https URLs and added examples of how to install these perl
modules
Implemented native systemd support for startup and shutdown of csf and
lfd
Added recommendation in csf.conf to use IPSET if wanting to set
DENY_IP_LIMIT to a high value
If IPSET is enabled, no sanity warnings are issued for DENY_IP_LIMIT
Also add SSH port to TCP6_IN on new installations
7.58 - Display warning and revert to HTTP::Tiny if URLGET is set to use LWP
but the perl module is not installed
7.57 - URLGET now set to "2" to use LWP by default on new installations
instead of HTTP::Tiny
If URLGET set to use LWP, csf will perform upgrades over SSL to
https://download.configserver.com
Added check for URLGET to Server Check
Added option "3" for CC_LOOKUPS to also include IP ASNs via the
MaxMind GeoIPASNum database
Updated SSH login regexes
Updated named regex
Added 30 second timeout for ST_IPTABLES iptables stats writing to
prevent a child creation loop
Modified lfd to restart if more than 200 children are currently active
to prevent child creation loops
7.56 - Fixed issue with Restricted UI item sanity checks failing
Modified LF_CSF on cPanel servers to detect a change in the cPanel
version and then trigger a restart of ConfigServer scripts (lfd,
MailScanner cxs Watch). Restart triggers are limited to every 12 hours
and will only trigger if upcp is not running
7.55 - If LF_SELECT is enabled the port(s) listed in PORTS_* can now be
specifed as port;protocol,port;protocol, e.g. "53;udp,53;tcp" to allow
for protocol specific port blocks. This port format can also now be
used in regex.custom.pm and csf --td/--ta to allow udp port blocks
PORTS_bind now defaults to "53;udp,53;tcp" on new installations
PORTS_directadmin added for DA installs to allow for per port blocks
if LF_SELECT is enabled
Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
LF_IPSET taken out of BETA as it is proving stable
Modified Server Check to skip checking xinetd on Plesk servers
Modified UI_SSL_VERSION for new installations to use the new
IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so
that SSLv3 is disabled
If systemd is running the installer disables firewalld using systemctl
7.54 - Added IPv4/IPv6 column to show whether the port in the csf --ports
option is listed in *_IN (e.g. TCP_IN)
Added Conn column to show the number of ESTABLISHED connections to the
port in the csf --ports
Modified Server Check text from "SMTP Tweak" to "SMTP Restrictions"
for cPanel/WHM UI
Added the following to LF_IPSET for IPv4 IPs and CIDRs:
/etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW,
DYNDNS, GLOBAL_DYNDNS, MESSENGER.
IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional
iptables
Modified ipset information in csf.conf including that only ipset v6+
is supported
Modified ConfigServer::Slurp to carp instead of croak
Improvements to Server Check nameserver checking to include IPv6
servers and better determine how many are local nameservers
Modified csf --graphs to append a trailing slash if missing to
directory name
7.53 - Modified Slurp.pm to use O_RDONLY instead of O_RDWR
7.52 - Fixed issue with Restricted UI items sanity checks failing
7.51 - Removed duplicate "Search System Logs" button from the UI
7.50 - Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and
csf.blocklist bulk list matching. See csf.conf for more info
Added new UI option to view ports on the server that have a running
process behind them listening for external connections
Added new CLI option (csf -p, csf --ports) to view ports on the server
that have a running process behind them listening for external
connections
Added new CLI option (csf --graphs) to Generate System Statistics html
pages and images for a given graph type into a given directory. See
ST_SYSTEM for requirements
If using DYNDNS and the FQDN has multiple A records then all IP
addresses will now be allowed
IPv6 support added to DYNDNS. Requires the Perl module Socket6 from
cpan.org to be installed
On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be
scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin
if installed and logging enabled via CustomBuild v2+. Failures will
contribute to the LF_DIRECTADMIN trigger level for that IP
On DA servers, FTPD_LOG now defaults to /var/log/messages on new
installs
Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs
on DA
Added to UI count of entries in /etc/csf/csf.allow
Added blocklist.de to csf.blocklists for new installs, latest file
copied to /etc/csf/csf.blocklists.new on existing installs
Started moving common functions to separate modules within csf
HTTP::Tiny upgraded to v0.050
Fixed csf stop/start routines on reboot for servers using systemd
Modified integrated UI to display die errors to browser
Modified X_ARF report to use a self-published schema:
http://download.configserver.com/abuse_login-attack_0.2.json
Modified X_ARF to lowercase the Source-Type field
Modified X_ARF template to use the v0.2 "X-XARF: PLAIN" header field
Updated restricted UI items
Geo::IP upgraded to v1.45
Crypt::CBC upgraded to v2.33
7.15 - Updated installer to fix generic installs on some Redhat/CentOS setups
Fixed issue with temporary allow/deny not applying individual port
rules for outgoing connections
7.14 - Updated scripts to use download.configserver.com
7.13 - Fixed issue with temporary allow/deny when issued through the UI
7.12 - Reverted PACKET_FILTER rule changes
OPEN added as an option to PS_PORTS so that TCP_IN and UDP_IN ports
will be ignored by Port Scan Tracking by default, but can be added if
desired
7.11 - DROP_PF_LOGGING disabled by default on new installs as enabling by
default will just cause confusion
7.10 - Removed debugging code from Port Scan Tracking
7.09 - Set scripts (.pl,.cgi,.php,.sh,.py) in /etc/csf/ to chmod 700
Simplified PACKET_FILTER rules for dropping INVALID connection
tracking states. This feature now only applies a single rule for
incoming INVALID packets
DROP_PF_LOGGING enabled by default on new installs
INVALID added as an option to PS_PORTS so that PACKET_FILTER logs will
be ignored by Port Scan Tracking by default, but can be added if
desired
Modified ST_ENABLE locking
Regex updates to cater for Plesk 12 - thanks to Marcel Evenson
Fixed issue with temporary allow/deny comment not being parsed
correctly when port * specified
7.08 - Withdrawn
7.07 - Modified lfd to silently drop ST_ENABLE lock queue entries unless
DEBUG is enabled
Modified ST_ENABLE logging to append to data file and only truncate
when needed
7.06 - Added locking to ST_ENABLE and ST_SYSTEM to prevent child process
queues
7.05 - Fix SMTPAUTH_RESTRICT where IPv6 addresses need to be quoted for exim
7.04 - Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is
triggered, then if LF_DIST_ACTION is a path to a script, it will run
the script and pass arguments to it. See csf.conf for more info
Added limit check on VPS servers when using FASTSTART to ensure there
are sufficient numiptents available for all of the iptables rules in
that block
Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to
/etc/exim.smtpauth
Fixed LF_BIND - BIND_LOG was not being added to the log list to watch
On DirectAdmin servers, added new feature LF_DIRECTADMIN. This option
scans DIRECTADMIN_LOG for failed logins and blocks accordingly
Fixed typo in csf.conf
7.03 - Added new option DROP_UID_LOGGING which allows UID logging to be
disabled for outgoing connections. This option is enabled by default
and can be disabled on OS's that do not support --log-uid
Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for
use with the csf --profile option
Updates to sanity.txt for new options
Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to
www.dshield.org/block.txt for new and existing installs
7.02 - Make auto.pl scripts more resilient to avoid leaving an incomplete
configuration file after upgrades
Improved output errors if FASTSTART fails
Ensure UNZIP binary exists before attempting to process GeoLite CSV
Country database
Corrected FASTSTART description in Server Report check
Modified auto.pl to not automatically enable IPV6 on Virtuozzo/OpenVZ
Report all errors after csf starts in case they were missed in the
main output
7.01 - Fixed issue with FASTSTART and DROP_PF_LOGGING
7.00 - New feature SMTPAUTH_RESTRICT - This option will only allow SMTP AUTH
to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth
on EXIM mail servers. The additional option CC_ALLOW_SMTPAUTH can be
used with this option to additionally restrict access to specific
countries. See csf.conf and readme.txt for more information
New FASTSTART procedures in csf and lfd to centralise functions and
add error reporting
FASTSTART added to GLOBAL_ALLOW, GLOBAL_DENY, GLOBAL_DYNDNS, csf.deny,
csf.allow, Port Settings, PACKET_FILTER, DROP_NOLOG, SMTP Block, DNS
Remove duplicate IP addresses from individual blocklists
Remove duplicate IP addresses (not CIDRs) across blocklists as they
are newly retrieved
Ensure /usr/local/bandmin/bandminstart exists and is executable on
cPanel servers before using it
Removed MySQL version check as it is currently redundant from Server
Report
Improve Net::CIDR::Lite use integrity to prevent unnecessary lfd
failures
Ensure GeoIPCountryWhois.csv is removed before processing a new d/b
download
Add /etc/csf/csf.smtpauth to UI if SMTPAUTH_RESTRICT is enabled
Fixed issue with IPv6 generation of SMTP_ALLOWUSER rules
6.48 - Fixed csf --ta/d not accepting comma separated port list
Modified csf -t multi-port reporting
Modified csf UI to support specifying port list in temporary
allow/deny
Modified integrated UI call to perform separate calls to
IO::Socket::SSL to use the appropriate AF_INET(6) call depending on
the setting for IPV6
Updates to integrated cse UI CSS
Added regular expressions for courier-imap, Qmail SMTP AUTH and
Postfix SMTP_AUTH for Plesk servers
Removed RBN from csf.blocklist for new installs as it is now obsolete
Check for an apply correct permissions on /var/lib/csf and
/usr/local/csf in addition to /etc/csf
6.47 - Overhaul of Apache regexes to cater for Apache v2.4 formats
Fail with an appropriate error if attempting to use an IPv6 address
but IPV6 is not enabled
Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT
when DROP_OUT_LOGGING is disabled
Strip leading and trailing spaces from form IP in csf UI
DROP_OUT_LOGGING is now enabled by default on new installations
ST_ENABLE is now enabled by default on new installations
CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries. This
provides a more consistent approach and quicker lookups with reduced
memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE
6.46 - HTTP::Tiny reverted to v0.041 as it breaks on some installations
6.45 - Modified LF_SCRIPT_ALERT to only report detected lines
Modified Server Check for sshd_config port to be case-insensitive
Modified PORTS_sshd check of sshd_config port to be case-insensitive
HTTP::Tiny upgraded to v0.042
Reverse sort temp bans in UI
6.44 - File globbing is now allowed for logs listed in csf.logfiles and
csf.syslogs
Added Server Reports recommendation for CloudLinux if running CentOS
or RedHat
Added Server Reports CloudLinux security feature checks
Modified Server Report check for dovecot v2
Updated Server Report version checks for Fedora, MySQL and Apache
Added missing bracket to regex.custom.pm example
Added new PORTS_* options to csf.conf to allow custom modification of
LF_SELECT application ports
Added Cached memory to the System Statistics
Added full pseudo-breadcrumbs to cPanel csf UI
Added new CLI and UI commands to backup/restore csf.conf and to apply
preconfigured csf.conf profiles. See "man csf" and UI for more details
of the "csf --profile [OPTIONS]" commands
HTTP::Tiny upgraded to v0.041
6.43 - Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and
/usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog
process is not found and also to cater for systems using systemd (e.g.
Fedora, RHEL v7, etc)
RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and
effective. Setting RESTRICT_SYSLOG to "3" is the recommended option
Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux
method to disable access to caged /dev/log
csf --dr modified to remove matching IPs from csf.tempip
File globbing is now allowed for all *_LOG file settings in csf.conf.
However, be aware that the more files lfd has to track, the greater
the performance hit
6.42 - New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new
RESTRICT_SYSLOG option "3" which restricts write access to the
syslog/rsyslog unix socket(s). See csf.conf and the new file
/etc/csf/csf.syslogusers for more information
Those running our MailScanner implementation, you must be running
at least ConfigServer MailScanner Script v2.91 for logging to work
with RESTRICT_SYSLOG_GROUP
csf UI option added for editing csf.syslogusers
Fixed a bug in PT_LOAD not producing PS output
6.41 - SECURITY WARNING:
Unfortunately, syslog and rsyslog allow end-users to log messages to
some system logs via the same unix socket that other local services
use. This means that any log line shown in these system logs that
syslog or rsyslog maintain can be spoofed (they are exactly the same
as real log lines).
Since some of the features of lfd rely on such log lines, spoofed
messages can cause false-positive matches which can lead to confusion
at best, or blocking of any innocent IP address or making the server
inaccessible at worst.
Any option that relies on the log entries in the files listed in
/etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
vulnerable to exploitation by end-users and scripts run by end-users.
There is a new RESTRICT_SYSLOG option that disables all those features
that rely on affected logs. This option is NOT enabled by default.
See /etc/csf/csf.conf and /etc/csf/readme.txt for more information
about this issue and mitigation advice
NOTE: This issue affects all scripts that process information from
syslog/rsyslog logs, not just lfd. So you should use other such
scripts with care
Our thanks go to Rack911.com for bringing this issue to our attention
UI design updates and fixes
Modify Apache regex to support log lines containing thread ID
Prevent lfd from blocking CIDRs triggered from log lines
6.40 - Fix for LF_INTEGRITY which was non-functional after changes in v6.38
6.39 - Added error output from IO::Socket::INET for CLUSTER_* commands from
csf if present
UI HTML fixes and form design elements added
Improved error report for invalid csf.conf lines
Removed Server Check tmp mountpoint checks
6.38 - Parameterise calls to system and Open3 where possible
HTTP::Tiny upgraded to v0.039
Modifications to csftest.pl
Removed the UI "Pre-configured settings for Low, Medium or High" as
they are outdated and meaningless. Users should go through the csf
configuration and setup the firewall for their individual server needs
Translate ampersand for HTML output
Modified csf.blocklist for new installations to use the SSL URL for
the TOR exit list now that they have forced redirection from the
non-SSL URL, with a note to change URLGET to use LWP
Modified csf.blocklist for new installations to specify an alternative
TOR exit node list
6.37 - Fixed issue that produced false-positive failures for IP address
actions through UI when checking for a valid IP address
Modified lfd to support the use of either "password" or "pass" in
/root/.my.cnf for ST_MYSQL
Updated CLUSTER information in readme.txt
6.36 - Removed VPS PASV check from Server Check in UI
Added new option URLGET - This option can be used to select either
HTTP::Tiny or LWP::UserAgent to retrieve URL data. HTTP::Tiny is
faster than LWP::UserAgent and is included in the csf distribution.
LWP::UserAgent may have to be installed manually, but it can better
support https:// URL's. HTTP::Tiny is selected by default
Removed extraneous bracket in UI output when reporting errors in user
supplied data
Added new options LF_EXIMSYNTAX, LF_EXIMSYNTAX_PERM - These will block
IP addresses producing repeated exim syntax errors, typically seen
from: spammers, hackers and broken MUAs and MTAs. This option is
enabled by default
HTTP::Tiny upgraded to v0.036
6.35 - Security fix with included cse when using inbuilt User Interface:
prevent XSS due to malicious directory/file names
6.34 - Load DYNDNS and GLOBAL_DYNDNS from last known values when restarting
csf instead of waiting for lfd to load the initial rules
Improved performance of file slurping
Cluster documentation correction in readme.txt
UI button style modifications
Added specific check for Spamhaus drop lists so that retrieval is
never attempted before 2 hours elapses between attempts whether those
retrieval attempts are successful or not
Improvements to SSHD regexes
Modified mod_security logging to include the last triggered rule id if
present
6.33 - Modified LF_PERMBLOCK to perform IP lookup on blocked IP
Perform modprobe when using FASTSTART on server boot to ensure
iptables modules are loaded
Modified migration detection for particularly old csf installations
Check that TAIL and GREP exist and are executable in UI
6.32 - Applied UI changes to inbuilt cse and Reseller UI's
Improvements to Virtuozzo/OpenVZ system detection where
/proc/vz/veinfo does not exist
Added System Check on cPanel servers for disable-security-tokens
If /etc/csuibuttondisable exists then the UI buttons will revert for
those that cannot cope with the themed ones
6.31 - Fixed "Deny Server IPs" option in UI
Additional SSHD regex
Enable account tracking for LF_CPANEL login failures to allow for
LF_DISTATTACK detection
Ignore Server Check for register_globals for PHP v5.4+
Added new option UI_SSL_VERSION, to allow the setting of the SSL
protocol version that the UI server allows
Added window Detach option to UI search system logs
UI display changes
Fixed files permissions issue affecting System Graphs and lfd Graphs
in DA
6.30 - Prevent HTML rendering of watch and search system log file output
6.29 - Removed CLUSTER_PORT from sanity checking
Modified changelog to state that HTACCESS_LOG needs to be correct for
nginx LF_HTACCESS regexes
Added new UI option to watch (tail) system log files listed in
/etc/csf/csf.syslogs
Added new UI option to search (grep) system log files listed in
/etc/csf/csf.syslogs
Improvements to "View iptables Log" output in UI
Enable "SSL_honor_cipher_order" for UI IO::Socket::SSL sessions
6.28 - Fixed sanity check for UID_INTERVAL
6.27 - Modified Apache regexes for Apache v2.4+
Fixed UI configurable lines display for lfd.log
Fixed length display text for CLUSTER_KEY in csf.conf
Ignore suspendedpage.cgi triggers for LF_SYMLINK on cPanel servers
Updated sanity checks and ranges for csf.conf settings
Added RESTRICT_UI to Server Check recommended options
Modified Virtuozzo/OpenVZ FTP port check to verify kernel version
before issuing PASV port warning
Added new setting PS_DIVERSITY. To specify how many different ports
qualifies as a Port Scan you can increase this value. The risk in
doing so will mean that persistent attempts to attack a specific
closed port will not be detected and blocked. The setting defaults to
the original setting of 1
Added 3 LF_HTACCESS regexes for nginx. Remember to set HTACCESS_LOG
correctly for the location of the nginx error log
6.26 - Fixed UI issue with some settings sent via the Cluster Config option
Modified CONNLIMIT_LOGGING rule insertion point
Added new feature: Outgoing UDP Flood Protection. This option limits
outbound UDP packet floods. These typically originate from exploit
scripts uploaded through vulnerable web scripts. The feature is
controlled by: UDPFLOOD, UDPFLOOD_LIMIT, UDPFLOOD_BURST,
UDPFLOOD_LOGGING, UDPFLOOD_ALLOWUSER
Update the TOR URL in existing /etc/csf/csf.blocklists file if still
set to the old URL
6.25 - Fixed UI "Temporary IP entries > Flush all temporary IP entries"
Fixed UI_USER and UI_PASS being emptied on saving the firewall
configuration through the UI
Fixed CLUSTER_KEY not displaying when RESTRICT_UI is disabled
6.24 - Security - Removed items from Cluster Config UI option if RESTRICT_UI
enabled
6.23 - Security - added new option RESTRICT_UI. This options restricts the
ability to modify settings within csf.conf from the csf UI. Should
the parent control panel be compromised, these restricted options
could be used to further compromise the server. This option is enabled
by default on all installations
Added entries to csf.pignore on new installations on cPanel servers
for Dovecot v2.2 (cPanel v11.40+)
Fixed UI Template validation error message
6.22 - Security Fix - Sanitised user data input to prevent running
unauthorised commands via the UI. A user would require root access to
exploit this, so vulnerability is probably low. Thanks to Steven at
Rack911.com for reporting this issue
Added Password ENV variable check to Server Check on cPanel servers
Update cPanel ACL Driver installations to change force cache update
using "touch" instead of removing the cache
Modified TOR URL in /etc/csf/csf.blocklists to use:
http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
6.21 - Modified auto-update logic to only create the /etc/cron.d/csf_update
file if it does not already exist
Fix permissions on csf man file and directory
Modified webmin module paths to be relative rather than absolute so
that webmin via mod_proxy works correctly
Fixed "in" direction --tempallow/--tempdeny leaking into [comment]
Added nginx regex for ModSecurity rule detection. Remember to set
MODSEC_LOG correctly for the location of the nginx error log
Fixed file permission/ownership problem on DirectAdmin servers for the
/plugins directory
6.20 - Introduced a new directory structure to get closer to the Linux
Filesystem Hierarchy Standard (FHS):
/etc/csf/ - (mostly) configuration files
/var/lib/csf/ - temporary data files
/usr/local/csf/bin/ - scripts
/usr/local/csf/lib/ - perl modules and static data
/usr/local/csf/tpl/ - email alert templates
Existing data and templates files are migrated into the new structure
automatically. Some files and directories are symlinked to /etc/csf/
for backwards compatibility and ease of use. See the following for
individual file locations in the new configuration:
http://blog.configserver.com/?p=7
CC_LOOKUPS rDNS reporting improvements
HTTP::Tiny upgraded to v0.033
Removed Security Token check from Server Check Report now that it is
implicitly set in v11.18.0+
Switched the location of the csf.pl and lfd.pl binaries with their
symlinks
Code tidy for servercheck.pm, csfui.pl
Allow comments to be appended to csf --tempdeny and csf --tempallow in
the same way as csf --deny and csf --allow. Also made the options more
flexible in usage of optional elements
Added Comments field to UI for Quick Allow, Quick Deny, and Temporary
Allow/Deny
Added csf(1) man page and changed csf --help to use a text version of
the new man page
Fixed unnecessary open of csf.fignore
6.15 - Modified MaxMind City Database lookup code to be more resilent
6.14 - Added support for cPanel v11.38.1+ AppConfig addon registration
NOTE: In accordance with the new conventions for v11.38.1+ AppConfig
the url to the csf WHM plugin will change from /cgi/addon_csf.cgi to
/cgi/configserver/csf.cgi. This will only happen with csf v6.14+ and
cPanel v11.38.1+. Older version of csf will continue to use the old
URL. This has no particular relevance to users accessing through WHM,
but will affect direct URL access by users or third party
applications
Added support for cPanel v11.38.1+ Custom ACL driver. This creates an
ACL (software-ConfigServer-csf) which must be used to grant resellers
access via "WHM > Edit Reseller Nameservers and Privileges > Third
Party Services > ConfigServer Security & Firewall (Reseller UI)" when
running cPanel v11.38.1+
Added Server Check for AppConfig restrictions for cPanel v11.38.1+
Switched from using Geo::IP::PurePerl to Geo::IP perl module
Added MaxMind GeoIP Anonymous Proxies to csf.blocklists for new
installs
Added new setting CSFDATADIR. This is the location of the csf and lfd
temporary data. By default it is set to the current value of /etc/csf
with the intention of moving this data to /var/lib/csf in the future
in a move towards the Linux Filesystem Hierarchy Standard (FHS)
Moved the default location for ST_DISKW_DD to /var/lib/dd_test for new
installations
6.13 - Fixed Server Check for dhclient
6.12 - Added iptables UID logging for dropped outgoing packets
New feature - DROP_OUT_LOGGING. Enables iptables logging of dropped
outgoing connections. Where available, these logs will also include
the UID connecting out which can help track abuse. Note: Only outgoing
SYN packets for TCP connections are logged. The option is not enabled
by default, but we recommend that it is enabled
Option DROP_ONLYRES now only applies to incoming port connections
New feature - User ID Tracking. This feature tracks UID blocks logged
by iptables to syslog. If a UID generates a port block that is logged
more than UID_LIMIT times within UID_INTERVAL seconds, an alert will
be sent. Requires DROP_OUT_LOGGING to be enabled
Modified Port Scan Tracking regexes to ensure only incoming
connections are tracked
Added Server Check for dhclient running
Added Server Check on cPanel servers for antirelayd
Added Server Check for a swap file (don't bother on Virtuozo)
Added Server Check for xinetd, qpidd, portreserve and rpcbind in
Services Check since most people won't use them
6.11 - Fixed SMTP_ALLOWLOCAL not functioning correctly. Added IPv6 support
for SMTP_ALLOWLOCAL
Removed SMTP_BLOCK restriction for IPv6 requiring port 25 to be
present in TCP6_OUT
6.10 - New feature - separate Blocklist configuration file to allow for
expansion of the available block lists. The following options have
been removed from csf.conf and a new csf.blocklists file added to
configure blocklists:
LF_DSHIELD, LF_SPAMHAUS, LF_TOR, LF_BOGON
During the upgrade if those options were enabled, then they will be
enabled in the new csf.blocklists file. If you used a custom blocklist
URL in one of those options you will have to manually add it to the
new configuration.
Modified UI to provide edit function for csf.blocklists
6.09 - Modified csf UI to detect Webmin install and symlink script and images
directory so as to no longer require Webmin module update on a new csf
version
Tidied up csf UI html
Fixed System Statistics graph display when using Webmin
Modified Server Security check to only perform GENERIC test when using
Webmin to prevent hanging processes
Added CLI options --car, --carm. This removes an allowed IP in a
Cluster and removes it from /etc/csf.allow
Added new options LF_WEBMIN, LF_WEBMIN_PERM. This feature adds login
failure detection for Webmin in WEBMIN_LOG
Added new option LF_WEBMIN_EMAIL_ALERT. This feature sends an email
if a successful login to Webmin is detected in WEBMIN_LOG
Modified LF_SCRIPT_ALERT text in csf.conf for cPanel servers
Modified proftpd regex to cope with non-standard format and to remove
trailing colons from account name
Modified LF_SCRIPT_ALERT regex to cater for paths containing spaces
Improvements to LF_SCRIPT_ALERT memory usage and possible script
detection
Added alternative LF_SCRIPT_ALERT regex for specific 1H.com exim
logging ACL
6.08 - Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that
do not support IPv6 connection tracking by opening ephemeral port
range 32768:61000. This is only applied if IPV6_SPI is not enabled.
This is the same workaround implemented by RedHat in their sample
default IPv6 rules
6.07 - Fixed issue with processing /proc/PID/stat for process information
6.06 - Prevent csf/lfd from failing to run if a non-critical configuration
file does not exist
In webmin, force table stylesheet to override webmin css. Requires
webmin module reinstall on existing installations
6.05 - Improvements to minimal perl module detection on new installs
Bugfix for default lfd.pl perl shebang
6.04 - Implement slurp routine for configuration files to cater for incorrect
linefeeds
Ignore leading and trailing spaces from lines in configuration files
Fixed Include statements in csf.ignore not implemented in lfd
Additional debug logging for RT_*_LIMIT added
Replaced call to Time::HiRes::sleep with standard sleep
Additional dovecot entries in csf.pignore for new installations
6.03 - Switched from using LWP to HTTP::Tiny to reduce memory footprint and
reliance on the LWP perl module. The HTTP::Tiny module is included in
the distribution, so no further action is necessary
Modified lfd perl module loading to be conditional where possible to
reduce lfd memory footprint
Modify initial file processing to reduce lfd memory footprint
Modify PS_PORTS processing to reduce lfd memory footprint
Moved init of Geo::IP::PurePerl into iplookup subroutine
Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to
false-positives
Modify LF_DIRWATCH_DISABLE so that only files are added to
suspicious.tar and removed. Suspicious directories will no longer be
removed
Removed File::Path - no longer required
6.02 - Modify MESSENGER HTML header to return code 403 instead of 200
Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled
Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables
detection of repeated Apache symlink race condition triggers from the
Apache patch provided by:
http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
This patch has also been included by cPanel via the easyapache option:
"Symlink Race Condition Protection"
6.01 - Ensure all binaries are called with their full paths for the scheduled
Server Security Check reports
Allow csf -u/-uf/--update and -c/--check when csf is disabled
Make RT_* checks IPv6 compatible
Added dns query caching for ip lookups during lfd process lifetime
Modify TOR rule loading to use FASTSTART in lfd if enabled
Added iptables locking to FASTSTART code
LF_INTERVAL now defaults to 3600 on new installations to better cope
with slow brute force login attempts
Removed references to .cpanel.net being ignored from the changelog as
they no longer apply and could cause confusion
Fix csf.rignore loader regex causing unnecessary DNS lookups if file
has no entries
Added "DEFERRED" login failure checking to CPANEL_LOG regex
6.00 - Major new option - FASTSTART:
This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
IP6TABLES_RESTORE in two ways:
1. On a clean server reboot the entire csf iptables configuration is
saved and then restored, where possible, to provide a near instant
firewall startup[*] during the boot sequence
2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS,
DSHIELD, BOGON, TOR are loaded using this method in a fraction of
the time than if this setting is disabled
[*] Not supported on all OS platforms
FASTSTART allows for very quick startup at reboot and during
uptime. If the Country Code blocking options (CC_*) are used, their
tables are loaded by csf and lfd almost instantly, compared to many
minutes for large countries previously
FASTSTART is enabled on new installations (or those in TESTING
mode). Existing installations will need to enable it manually
Other Changes:
Improvements to csf and lfd init routines
LF_QUICKSTART renamed to LFDSTART, setting value preserved
Fixed a problem with scheduled Server Security Check reports
Crypt::CBC upgraded to v2.32
5.79 - Modified csf error routine to store failing error in csf.error and
display an instructional message
Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
Modified the Server Report proxysubdomains check on cPanel servers
Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP,
CC_DENY_PORTS_UDP. This feature denies access from the countries
listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using
this FTP access port 21 could be blocked to only the specified
countries
5.78 - Due to issues that some are experiencing with the switch from the
state to the conntrack module a new settings has been added
USE_CONNTRACK which is disabled by default except on servers running
kernel 3.7+ where on new installations it will be enabled
5.77 - Add an exception for the useless Virtuozzo kernels iptables
implementation so that csf uses the deprecated state module instead of
conntrack
5.76 - Only add the /128 IPv6 bound address per NIC instead of the whole /64
to the local IPv6 addresses
Modify SSHD and SU regexes to allow for empty hostname field in log
file
Added new option UNBLOCK_REPORT. This option will run an external
script when a temporary block is unblocked
Additional entries in csf.logignore on new installations
Switched from using the iptables state module to using the conntrack
module in preparation of the formers obsolescence
Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so
that new tests can be easily added and then ignored desired
Added new LF_EXPLOIT check SSHDSPAM to check for the existence of
/lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9, See:
http://www.webhostingtalk.com/showthread.php?t=1235797
5.75 - Fixed issue with single quotes appearing in CC lookup names leading to
lfd IP blocks to fail
5.74 - Additional entries in csf.pignore for the cPanel installation to cater
for v11.36 processes on new installations
Added workaround for cPanel /etc/cpupdate.conf check in Server Report
for changes in v11.36
Additional entries in csf.logignore on new installations
Try harder to get a CPU temperature if lm_sensors is installed for
System Statistics
Enforce PORTFLOOD setting restrictions and issue warning if entry
discarded
Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
Make CC_[chain] actions more verbose in lfd.log
Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP,
CC_ALLOW_PORTS_UDP. This feature allows access from the countries
listed in CC_ALLOW_PORTS to listed TCP/UDP ports. For example, using
this FTP access port 21 could be restricted to only the specified
countries
Moved temporary and csf.allow/csf.deny rules from
LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new
CC_ALLOW_PORTS feature
Modified SMTP_PORTS to include ports 465 and 587 on new installations
Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks
the number of processes with the same session id and if greater than
the value set, the whole session tree is terminated and an alert sent
5.73 - Fixed issue with crontab line for TESTING option not being detected
and removed when TESTING mode is disabled
5.72 - Added missing DD setting in DA and generic installations for ST_DISKW
Modified IPv6 port settings to reflect IPv4 port settings for new
installs in csf.conf
If a deleted executable process is detected and reported then do not
further report children of the parent (or the parent itself if a child
triggered the report) if the parent is also a deleted executable
process
Parent PID added to PT_DELETED_ACTION parameters
In the Server Report allow for spaces before Apache directives
Updated instructions for modifying log_selector for exim
configurations in readme.txt and Server Report
Modify DD calculation for ST_DISKW for disks that report in GB/s
Updated to use the new cPanel 11.36+ integrated perl binary if exists
5.71 - Fixed problem processing dd output for ST_DISKW on some systems
Fixed dovecot imap login failure regex processing
Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog)
5.70 - Fixed an issue with PERMBLOCK introduced in v5.68
5.69 - Fixed duplicate entries in csf.conf on GENERIC installations
5.68 - New feature added - LF_DIST_INTERVAL. This option provides a separate
timing interval for both LF_DISTFTP and LF_DISTSMTP. By default it is
set to 300 seconds
Implemented better handling of repeat blocks when an IP is already
temporarily or permanenetly blocked
Added missing inclusion of Time::HiRes in csf.pl
Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log
unless DEBUG enabled
Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled
RELAYHOSTS setting now defaults to "0" to improve security on cPanel
servers
Increased default value of DENY_IP_LIMIT to 200
5.67 - Fixed a problem with permanent IP blocking when using LF_SELECT
5.66 - Implemented a new locking system to try to mitigate an iptables bug
when issuing concurrent iptables commands
Implement flushing on the lfd pid file so that it is always accurate
Improvements to csf --grep [ip] to escape regular expression matching
New feature added - LF_REPEATBLOCK. This option instructs csf to deny
an already blocked IP address the number of times set. See csf.conf
for more information
New feature added - LF_BLOCKINONLY. This option instructs csf to only
block inbound traffic from those IP's and so reduces the number of
iptables rules, but at the expense of effectiveness. See csf.conf for
more information
New feature added - ST_DISKW. This option adds disk write performance
statistics to the stats graphs. See csf.conf for more information
Fixed file location for Debian and derivative OS's for
/etc/mysql/my.cnf in Server Check
5.65 - Removed some of the command locking as it was causing hangs
5.63 - Implemented a locking and retry system to try to mitigate an iptables
bug when issuing concurrent iptables commands
5.62 - Added ModSecurity connection dropping to the LF_MODSEC regex
Added new option - ETH6_DEVICE. By adding a device to this option,
ip6tables can be configured only on the specified device. Otherwise,
ETH_DEVICE and then the default setting will be used
Added new option - LF_SCRIPT_ACTION. On cPanel servers, this can
contain the path to a script that is run whenever LF_SCRIPT_ALERT is
triggered
Fixed stats graph average calculation and display if average equals 0
Split Slow MySQL Queries stats graphs from MySQL Queries
Improvements to Apache CPU Usage stats graphs
5.61 - On Debian systems, check for my.cnf in /etc/mysql/my.cnf in Server
Check
Add missing/changed images in the DA/Webmin installs. For webmin, the
csf webmin module will need to be reinstalled
Another fix for LF_NETBLOCK to skip IPv6 addresses
Fixed csf --tempallow where -d [direction] was performing inout when
in requested
Fixed UI option "Edit the Log Scanner file (csf.logfiles)" which was
incorrectly overwriting csf.dyndns instead of writing to csf.logfiles
Changed ETH_DEVICE_SKIP device check from a failure to a warning
Skip checks for register_globals and suhosin if running PHP v5.4.* in
Server Check report
5.60 - Added new options to include the Spamhaus Extended DROP list. These
additional netblocks are included in the main Spamhaus chain. The
feature uses LF_SPAMHAUS_EXTENDED and LF_SPAMHAUS_EXTENDED_URL which
are enabled by default, but used only if LF_SPAMHAUS is enabled. To
force a reload of the SPAMHAUS list to include the Extended list,
delete /etc/csf/csf.spamhaus file after upgrading to this version and
then restart lfd
Added new options to allow blocking of TOR Bulk Exit nodes. This works
in the same manner as the LF_SPAMHAUS and LF_DSHIELD options. The
feature uses LF_TOR and LF_TOR_URL and is disabled by default.
Warning: This could block legitimate users who are trying to protect
their anonymity, so use with caution
Fix LF_NETBLOCK to skip IPv6 addresses as it is unsupported as has
long been stated in csf.conf
Added missing </pre> html elements in UI
Added unblock button to UI IP searches when results is either in
csf.deny or a temporary block
Implemented a locking system to mitigate iptables stability issues
when loading concurrent iptables chains in lfd
Fixed bug in the display of the 30 days ST_SYSTEM stats
Added new option ST_SYSTEM_MAXDAYS. This allows you to define the
maximum number of days of stats to collect (default 30 days)
Increased stats graph sizes
Added CIDR checking of csf.allow to the CLI command csf --deny
Added checking of csf.ignore to the CLI command csf --deny
5.59 - Fixed a loop which caused high load when using GLOBAL_IGNORE
Improvements to GLOBAL_IGNORE load speed and effectiveness
Improvements to CC_IGNORE load speed
5.58 - Corrected ST_APACHE error message return text
Add meaningful message if stats graph generation fails in UI
Added new icon in UI for "Quick Allow" that inserts the current
visitors IP address
Added new icon in UI for "Quick Ignore" that inserts the current
visitors IP address
Replaced some of the included icons
5.57 - Added new option PT_APACHESTATUS to configure the URL to the Apache
Status URL during PT_LOAD alert report
Added Apache Statistics to ST_SYSTEM. A new option ST_APACHE must be
set to collect these statistics and PT_APACHESTATUS must be correctly
set. ST_APACHE is disabled by default
Modification to SYSLOG option to remove the later introduced "nofatal"
option to improve backwards compatibility, also enable the "pid"
option to log the process ID
Added new options SYSLOG_CHECK and SYSLOG_LOG to check whether syslog
is running. See csf.conf for more information. This option is disabled
by default, but we recommend that it is enabled on all servers
Added SYSLOG_CHECK to Server Check Report recommended settings
5.56 - Improvements to ST_MYSQL password detection in /root/.my.cnf where the
password is quoted
Improvements to the SMTP AUTH regex to cope with differing settings in
exim log_selector
Removed debugging code in SMTP AUTH regex detection
5.55 - Update Fedora version check now that v17 has been released
Added MySQL Connection and Thread statistics to ST_MYSQL/ST_SYSTEM
Modified Server Check Report for cPanel servers see whether mod_ruid2
has been enabled making the Apache suEXEC check moot
Improvements to the SMTP AUTH regex to cope with differing settings in
exim log_selector
5.54 - Modified ST_MYSQL connection errors to advise disabling ST_MYSQL if it
is not used
ST_MYSQL now disabled by default on new csf installations
5.53 - Added Email Usage to the ST_SYSTEM System Statistics feature when RT_*
options are enabled
Fixed incorrect Min/Max calculations in System Statistics
Improvements to Disk Usage stats in System Statistics for some virtual
environments
Added CPU Temperature to the ST_SYSTEM System Statistics feature when
lm-sensors/coretemp installed and enabled (highest core temp recorded)
Added MySQL graphs to the ST_SYSTEM System Statistics feature when
ST_MYSQL is installed and enabled - requires DBI and DBD::mysql perl
modules. Authentication is via new ST_MYSQL* options. The option is
enabled on cPanel servers by default, disabled on others
Modified stats collection routine to append data to the stats file on
each minute interval and to clean up only on lfd startup. This is to
help minimise the risk of the stats file being incomplete due to
process termination
Added new options LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM.
This option will keep track of successful SMTP logins. If the number
of successful logins to an individual account is at least LF_DISTSMTP
in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all
of the IP addresses will be blocked. This option can help mitigate the
common SMTP account compromise attacks that use a distributed network
of zombies to send spam (exim MTA only). Not enabled by default
Modified Server Check Report for cPanel servers see whether mod_ruid2
has been enabled making the PHP Handler check moot
Modified the ModSecurity regex to cater for the paid Atomic rules
Apache error log non-standard format
Modified non-cPanel new installs to disable ST_SYSTEM by default
5.52 - Alternative kill and status methods employed for lfd init process on
Debian/Ubuntu
Added new feature: System Statistics. This option will gather basic
system statstics. Through the UI it displays various graphs for disk,
cpu, memory, network, etc usage. The feature requires the perl module
GD::Graph. It is enabled by default with the ST_SYSTEM option
5.51 - Updated Donation buttons
5.50 - Removed check for Melange on cPanel servers from Server Check Report
Improvements to the cPanel exim SMTP AUTH login failure regex after
changes in cPanel v11.32
Added exe:/usr/local/cpanel/3rdparty/sbin/mydns to csf.pignore for new
installs on cPanel servers
Additional cmd/pcmd suggestions added to csf.pignore for new installs
on cPanel servers (not enabled)
5.49 - Remove atd from Service Check in Server Check Report
Ensure all DNS traffic between non-local IP addresses in
/etc/resolv.conf is allowed through the firewall when DNS_STRICT_NS is
not enabled
Added exim to example script pt_deleted_action.pl
Added /var/log/cxswatch.log to csf.logfiles for new installations
Added new option LF_ALERT_SMTP which allows lfd to be configured to
send alert emails via SMTP instead of through the SENDMAIL binary.
LF_ALERT_SMTP needs to be set to the name or IP address of the SMTP
server to use this feature
Added new option CC_DROP_CIDR. Set this option to a valid CIDR to
ignore CIDR blocks smaller than this value when implementing
CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of
CC entries and may improve iptables throughput
Improved installation procedure for checking required perl modules
5.48 - New option LF_QOS added which matches hits against the mod_qos Apache
module
New option LF_CXS added which matches hits against the mod_security
Apache module rule for cxs if implemented
5.47 - Improvements to non-core perl module loading
Improvements to PT_LOAD Apache Status retrieval and messages
Regex modifications to cater for Dovecot v2.1+
On cPanel servers, block additional ports that exim uses in the WHM >
Service Manager for RT_*_BLOCK
5.46 - Modified upgrade warning for integrated UI to not use the DA warning
text
Validate local IP addresses
Only check local IPv6 addresses if IPV6 is enabled in config
Separate IPv4 from IPv6 ignore CIDRs due to Net::CIDR::Lite
restrictions
Improvements to ignore files IP address validation
Add server check for PHP v5.2.* to the obsolete/security risk list
Add server check for RedHat/CentOS v4.* and Fedora < v15 to the
obsolete/security risk list
Removed server checks for RLimitMEM/RLimitCPU
5.45 - Only log Log Scanner in lfd.log if DEBUG set to 2 to allow empty
reports if monitoring lfd.log
Added new option LF_BOGON_SKIP. If you don't want BOGON rules applied
to specific NICs, then list them in a comma separated list
Added new option LF_CONSOLE_EMAIL_ALERT which will send an email if
there is a root login to the server console. This is enabled by
default
5.44 - New feature - Log Scanner. This feature will send out an email summary
of the log lines of each log listed in /etc/csf/csf.logfiles. All
lines will be reported unless they match a regular expression in
/etc/csf/csf.logignore
Set LWP::UserAgent agent to "csf/[version]" instead of the default
5.43 - csf and lfd modified to better handle !lo interface for compatibility
with newer iptables versions
Removed use of Sys::Hostname::Long
Added new options LF_APACHE_403 and LF_APACHE_403_PERM. This option
will keep track of the number of "client denied by server
configuration" errors in HTACCESS_LOG. If the number of hits is more
than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be
blocked. See csf.conf for more information
5.42 - SECURITY FIX. Anyone running csf on a DirectAdmin server should
upgrade to this release immediately:
Add check for successful open of admin.list on DA servers to avoid
a segfault, which could lead to a buffer overflow
5.41 - Added text description of allow/deny made by cPanel Resellers via UI
in csf.allow and csf.deny
If cPanel UI Resellers email alerts are enabled, a csf grep will be
performed before an IP adress is unblocked and the output included in
the alert email, together with the results of the UNBLOCK
If cPanel UI Resellers email alerts are enabled, the results of an
ALLOW or DENY will be included in the alert email
Added logging of cPanel UI Reseller actions ALLOW/DENY/UNBLOCK to
/var/log/lfd.log
Update to urlget to not fail on empty file if successfully retrieved
Take Integrated UI out of BETA as no reported issues
Take csf.redirect out of BETA as no reported issues
5.40 - Added new feature - csf UI Reseller functions for cPanel. See
/etc/csf/csf.resellers and WHM UI
Improvements to cse Integrated UI
Modified redundant cPanel function calls in UI
Removed ModSecurity functionality in UI
Modified WHM UI "Remove Deny" to be "Quick Unblock" that now removes
a specified IP address entries from csf.deny and/or temporary blocks
5.39 - Fixed detection of the nat tables on some Virtuozzo VPS servers
5.38 - Modification to the Integrated UI to allow access to cxs if it is
installed via UI_CXS
Include an updated cse with csf for use with the Integrated UI via
UI_CSE
Added option UI_CIPHER to allow the SSL cipher suite to be set
manually for the Integrated UI
Added HTTP request internal memory limits to the Integrated UI
5.37 - Added new BETA feature - User Interface. This feature provides a HTML
UI to csf and lfd, without requiring a control panel or web server.
The UI runs as a sub process to the lfd daemon. See csf.conf and
readme.txt for information and requirements
Fixed issue with RT_* regex routine ignoring 127.0.0.1
Fixed detection of DNSONLY cPanel installs
Added Security Check on cPanel server checks for disabled "Proxy
subdomains" and "Proxy subdomain creation"
Added new option LF_CPANEL_ALERT_ACTION. If a LF_CPANEL_ALERT event is
triggered, then if LF_CPANEL_ALERT_ACTION contains the path to a
script, it will run the script and passed the ip and username and the
DNS IP lookup result as 3 arguments
5.36 - Fix for the lfd child lock mechanism effectiveness
5.35 - Added new BETA feature - Port/IP address Redirection. This feature
uses the file /etc/csf/csf.redirect to redirect connections from/to
IP/port combinations to alternative IP/ports. See readme.txt for more
information
Updated syslog daemon checking in Server Report
Set PT_DELETED to 0 by default on new installations
Improvements to csf startup locking within lfd
Improvements to error trapping between csf and lfd
Check minimum values for interval settings and set to recommended
values if too low during lfd startup to improve stability
Added lfd child locks to improve stability due too server or network
resource issues or too low an interval setting
Updated Sanity Checks for settings
lfd will now not start if TESTING is enabled
Do not require write permissions to /etc/crontab when no changes
required for TESTING mode enable/disable
Prevent parricide by lfd children unless required
Added nat table check in csf
Fixed bug in csf --grep not matching the nat table
5.34 - Improvement to dovecot account name sanitisation checks in lfd
Modified cronjobs for new installs to be compatible with anacron
Added new option CLUSTER_BLOCK which is enabled by default. This
allows you to disable automatic sharing of lfd blocks around a csf
cluster, e.g. if you only wish to use the CLUSTER option to share
settings and manual blocks and allows
Added new option RT_ACTION. If an RT_* event is triggered,
then if RT_ACTION contains the path to a script, it will be run in a
child process and be passed a list of items (see csf.conf - for cPanel
and DA only)
Fix to DYNDNS Advanced Allow/Deny Filters using pipe separator
Set permissions to 700 on *.sh, *.pl and *.php in /etc/csf/ instead of
a blanket 600 of non-csf scripts
5.33 - Add link to the Changelog when csf is upgraded
Extended urlget timeout to 300 seconds to help cope with the large
MaxMind City Database download where enabled
Include cpdavd login failures for LF_CPANEL. Added port 2077 and 2078
to the cPanel block ports when LF_SELECT enabled
Disable ftp Server Check reports if ftp server disabled in cPanel
Added regex validation to any specified csf.pignore or csf.figonre
entries to lfd
Updated cPanel tier checks to cope with old STABLE and DNSONLY
releases and newer v11.30+
Improvement to account name sanitisation checks in lfd
5.32 - AUTO_UPDATES enabled for new installations in csf.conf
Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still
set in csf.conf it will be ignored
Check MESSENGER service to ensure privileges are dropped before
starting the daemon
Drop privileges when performing removal during LF_DIRWATCH_DISABLE
For new installations, IPV6 enabled if IP6TABLES exists and an IPv6
address is found in the output from IFCONFIG. IPV6_SPI is set
according to the kernel version (i.e. whether SPI is supported or not)
5.31 - Updated the LF_TRIGGER_PERM explaination in csf.conf to properly
reflect the possible settings of LF_TRIGGER
Perform account name sanitisation checks in lfd
5.30 - Fixed a SECURITY BUG that can be exploited remotely via log file
spoofing resulting in root privilege escalation. Our thanks to Jeff
Petersen for reporting this issue
All csf users should upgrade to this release immediately
5.22 - New feature: Connection Limit Protection (CONNLIMIT,
CONNLIMIT_LOGGING). This option configures iptables to offer more
protection from DOS attacks against specific ports. It can also be
used as a way to simply limit resource usage by IP address to specific
server services. This option limits the number of concurrent new
connections per IP address that can be made to specific ports. See
csf.conf and readme.txt for more information and about the format of
the CONNLIMIT option and its limitations
Minor csf UI Firewall Configuration virtual pagination improvements
Updated cPanel Server Check update settings for v11.30+
Removed cPanel Server Check for new versions due to changes in the
v11.30+ versioning system making this redundant
Updated MySQL Server Check for v5.1.*
Added a warning to csf.conf for SYNFLOOD to only enable the option if
you know you are under a SYN flood attack as it will restrict all new
connection to the server if triggered
5.21 - Added port 500 to DROP_NOLOG for new installations
Corrected the LF_APACHE_404 lfd log line output
Added startup failure on invalid PORTFLOOD settings
Make csf.pignore item selector case-insensitive (e.g. exe: and EXE:)
All user: item selector examples removed from the default csf.pignore
for all new installations (e.g. user:mailman). csf.pignore examples
for some common processes can be found here:
http://forum.configserver.com/viewtopic.php?f=6&t=2059
Updated DA and GENERIC default csf.pignore files for new installations
csf UI Firewall Configuration virtual pagination improvements
Updated Sanity checks for settings in csf.conf
Modified Sanity checks for settings in csf.conf to always show the
recommended range in the UI
Set LF_GLOBAL to 0 instead of an empty string by default on new
installations
Added new option LF_LOOKUPS to toggle rDNS IP address lookups
5.20 - Updated installation scripts to distinguish between IPv4 and IPv6 port
report
Modified Virtuozzo VPS numiptent check to distinguish between host and
client servers
Added exe:/usr/sbin/ntpd to csf.pignore on new installations
Don't perform the runlevel check on Debian/Ubuntu servers as it isn't
indicative of a potential security issue as with other Linux distros
Added new option PT_DELETED_ACTION which if defined with an executable
script will run if PT_DELETED is triggered passing the process PID,
executable and account. An example script is provided in:
/etc/csf/pt_deleted_action.pl
If CC_LOOKUPS enable for the MaxMind City Database then also display
the Region, where available
Added csf UI Firewall Configuration virtual pagination
Rearranged csf.conf for csf UI Firewall Configuration virtual
pagination
Re-instated sanity check highlights in csf UI Firewall Configuration
Improved Server Check recursion checking in included configuration
files
Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option
will keep track of the number of "File does not exist" errors in
HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in
LF_INTERVAL seconds then the IP address will be blocked. See csf.conf
for more information
5.19 - Added stats workaround for February/March calculations
Added new option CC_IGNORE - this Country Code list will prevent lfd
from blocking IP address hits for the listed CC's
Reduced CC_* memory usage when loading zones
Modified lfd logging for regex.pm and regex.custom.pm login failures
to lfd.log to use the return reason from the regex match instead of a
generic message. This does mean that the format for these messages has
changed
DA Server Check for proftpd - check whether pureftp=1 in DA config
Replaced IP::Country and Geography::Countries with Geo::IP::PurePerl
using the MaxMind GeoLite Country database for CC_LOOKUPS
Added new option GUNZIP which is required to expand the MaxMind
GeoLite Country database
Extended CC_LOOKUPS which can now be configured to report Country Code
and Country and City using the MaxMind City Database. See csf.conf for
more information
Added Donation buttons to csf UI main page
5.18 - Remove RT_POPRELAY_* from csf.conf on DA servers as it does not apply
Improved Server Check for cPanel Update configuration check
Modifed csf restart to not start bandmin during the stop phase
Modified LF_DIRWATCH to remove dependency on File::Type
Modified LF_DIRWATCH for speedups and removed the need for a file size
limit
Debian v6 support confirmed
Added /etc/bind/named.conf.options to the list of named.conf files to
check for recursion settings (for Debian)
5.17 - Updated Server Check for cPanel Update configuration check to cater
for the new format
Disable LFD service in DA on uninstall of csf using SED instead of
REPLACE
5.16 - Fixed missing perm.png from DA install
Fixed Temporary IP Entries table headers in UI
If DENY_IP_LIMIT is reached, remove excess IPs from iptables as well
as csf.deny (previously only removed from csf.deny)
csf on cPanel servers automatically re-enables the cPanel Bandwith
chains after iptables is configured. If bandmin is not functioning, or
you don't use the bandmin stats you can disable this new option
LF_CPANEL_BANDMIN (enabled by default on cPanel servers)
5.15 - Check for multiple Ports settings for sshd in /etc/ssh/sshd_config
when the LF_SELECT option is enabled
Updated SMTPAUTH regex to detect more login authentication methods
Updated AUTHRELAY regex to detect more login authentication methods
Added option to UI to permanently block temporarily blocked IP's
5.14 - Updated RELAY regex to detect the dovecot/courier login authentication
methods on cPanel servers
Updated Server Check Report to reflect cPanel/WHM changes in v11.28,
including additional checks and updating reference text
Added checks to LF_DIRWATCH_FILE to ensure watched resources exist on
startup and while running a check. Those that do not exist are ignored
and logged in lfd.log
5.13 - Added obsolete OS checks for Fedora v11 and v12, plus RedHat/CentOS v2
and v3 in Server Check
Fixed broken reference URL's in Server Check for cPanel servers
Modified statistics to not display pie chart if no data is available
Sort LF_DIRWATCHFILE output by time to improve the reported results
Added new setting for AT_ALERT to only trigger on modification to the
root account (i.e. not all superuser accounts)
Tested successfully for support on Fedora v14 and Ubuntu v10.10
5.12 - Added some lfd blocking statistics which can be viewed via the UI.
Requires gd graphics library and the GD::Graph perl module with all
dependent modules
Added 8th argument to BLOCK_REPORT for the setting that triggered the
block
Added setting that triggered a block to lfd log lines
5.11 - Removed erroneous Port Knocking messages in lfd.log when
PORTKNOCKING_ALERT not enabled
Added 'exe:/usr/bin/postgres' to the cPanel csf.pignore for new
installations
Added retry timeout in WHM UI for checking www.configserver.com for
new version information (to avoid repeated hangs when unreachable)
Fixed LF_PERMBLOCK issue that flushed all temporary IP blocks, not
just the IP being permanently blocked
Added check to PHP Server Check that php -i output is complete
5.10 - Always report UID:GID of a DIRWATCH file incase the user account
owning a reported file no longer exists
Report error gracefully on CIDR->add failures and continue
Added "query (cache)" check to BIND flooding regex
Fix issue with killing Advanced Port blocks using the pipe separator
Update warning messages to include xt_owner with ipt_owner
Replace URL in Server Check for instructions on disabling IPv6
Fixed a bug in LF_CPANEL_ALERT ip address tracking
Added new option LF_CPANEL_ALERT_USERS to be used with LF_CPANEL_ALERT
to alert for a specified list of WHM/cPanel account logins. See
csf.conf for more information
Added new feature: Port Knocking. See csf.conf and readme.txt for more
information on the PORTKNOCKING, PORTKNOCKING_LOG and
PORTKNOCKING_ALERT options
Added new UI option: Quick Ignore, for IP addresses
5.09 - Added Server Check report check that klogd is running if using syslogd
or that klog module is loaded if running rsyslogd
Added Server Check report, checks for apache settings: TraceEnable,
ServerSignature, ServerTokens and FileETag on cPanel servers
Fixed ip6tables IPV6_SPI check warning for older kernels
Added instruction to open outgoing TCP6 and UDP6 ports when using an
older kernel for ip6tables
IPv6 Final (no longer Beta)
Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you
do not want this to apply to LT_POP3D/LT_IMAPD, then enable this
option
Added new option PT_USER_ACTION. If a PT_* event is triggered, then
PT_USER_ACTION will be run in a child process and passed the PID(s) of
the process(es)
5.08 - New option CLUSTER_MASTER which is the IP of the master node in a
cluster allowed to send CLUSTER_CONFIG changes. This must be set in
order to use CLUSTER_CONFIG options
Added new Cluster CLI option --cfile (-cf) for sending a file to
cluster members. The file will only be uploaded to the /etc/csf/
directory
Added new Cluster CLI option --crestart (-crs) to initiate a restart
of csf and lfd on all cluster members
Removed CLI option -ccr, --cconfigr [name] [value] in favour of the
new --crs, --crestart option
Modified regular expressions to cater for RFC3339 date format in log
files. For example, RFC3339 date format used by default in rsyslog on
CentOS v5.5
5.07 - Fixed bug introduced in v5.04 that ommitted two outgoing DNS lookup
rules that could affect servers where iptables connection tracking
isn't working correctly
5.06 - Increased PT_USERMEM default to 200 from 100 for new installations
Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for
report generation in lfd which caused lfd to fail in Net::CIDR::Lite
5.05 - Updated the Server Check report IPv6 text
Fixed ip6tables command execution in iptables firewall during startup
5.04 - Added BETA IPv6 support. See csf.conf for more information on the new
settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT
UDP6_IN UDP6_OUT
New CLI option csf --status6 (csf -l6) added to list ip6tables rules
Changed temporary DENY and ACCEPT working file formats to use a
different record separator to cater for future IPv6 support
Advanced Allow/Deny Filters now use | as the separator character to
cope with IPv6 addresses. Legacy support remains for the old :
separator for IPv4 addresses, though these should also now use | as
the field separator
In Server Check report, don't issue IPv6 warning if only ::1/128 is
bound to a NIC (i.e. loopback)
Upgraded Net::CIDR::Lite to v0.21
Upgraded from IP::Countries to Geography::Countries
5.03 - Added new option LF_DISTATTACK_UNIQ so that you can specify how many
unique IP addresses are required to trigger LF_DISTATTACK
Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM.
This option will keep track of successful FTP logins. If the number of
successful logins to an individual account is at least LF_DISTFTP in
LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of
the IP addresses will be blocked. This option can help mitigate the
common FTP account compromise attacks that use a distributed network
of zombies to deface websites
Changed DA default configuration of FTPD_LOG to "/var/log/secure"
5.02 - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending
X_ARF reports (see http://www.x-arf.org/specification.html). See
csf.conf for more information
Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and
groups that can bypass SMTP_BLOCK can be easily added. These default
to the original values previously hard-coded
Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of
127.0.0.1 to cater for multiple loopback devices and allows connection
to locally configured IPs as well
Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1
Added new option CLUSTER_LOCALADDR to send out cluster requests on an
IP other than the default IP
Added lfd check to enforce 0600 permissions on /etc/csf/
5.01 - Added a new 7th argument to BLOCK_REPORT that includes the log lines
that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
Added new CLI option csf --tempallow (csf -ta) which works in exactly
the same way as csf --tempdeny (csf -td) except it provides a method
of temporary IP allows for a given duration. csf -t, csf -tf and
csf -tr now apply to both deny and allow entries
Allow the use of a duration suffix in csf -ta and csf -td for m, h and
d (minutes, hours and days). Only one suffix allowed and only integers
Updated UI entry for adding and removing temporary allows and blocks
Display temporary block TTL in days hours minutes and seconds
Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration
option WATCH_MODE. This new option logs SYN packets from a specified
source as they traverse the iptables chains. This can be extremely
useful in tracking where that IP is being DROPed or ACCEPTed by
iptables. See readme.txt for more information
Modified csf and lfd init scripts to be LSB-compliant
Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download
the list if it has not already been retrieved within the configured
interval. This is to help prevent blacklisting by the list provider
for repeated downloads after frequent lfd restarts
Fixed problem with csf -q and csf -sf not restarting the firewall if
there was a previous startup error
5.00 - lfd Clustering, final release. This new set of options (CLUSTER*) in
csf.conf allows the configuration of an lfd cluster environment where
a group of servers can share blocks and, via the CLI, configuration
option changes, allows and removes. See the readme.txt file for more
information and details, setup and security implications
Added new option LF_DISTATTACK. Distributed Account Attack detection.
This option will keep track of login failures from distributed IPs to
a specific application account. If the number of failures matches the
trigger value, ALL of the IP addresses involved in the attack will be
blocked. This option is currently disabled by default - see csf.conf
for more information
Added new option PT_USERKILL_ALERT if you want to disable email alerts
for PT_USERKILL triggers. This option is enabled by default, i.e.
alerts are sent
Added new options LF_QUICKSTART in csf.conf and CLI options -q,
--startq, -sf, --startf to allow deferral of csf startup to lfd
instead of waiting for the CLI to perform the work. See the CLI help
and csf.conf for more information
Added UI option for "Firewall Quick Restart" which uses csf -q,
"Firewall Restart" uses csf -sf
lfd now restarts csf (if stopped and LF_CSF enabled) within the main
process to enhance the integrity of the firewall
Multiple login failure regex detection improvements
Fixed typos in permblock.txt
4.99 - Improved csf locking to enhance the integrity of the firewall
Log lfd csf deny failures
New SSHD regex added
Improved the dovecot regex's
New Beta option: lfd Clustering. This new set of options (CLUSTER*) in
csf.conf allows the configuration of an lfd cluster environment where
a group of servers can share blocks and, via the CLI, configuration
option changes, allows and removes. See the readme.txt file for more
information and details, setup and security implications
4.89 - New SSHD regex added
Added Server Check to check whether SSHD UseDNS is set to "no" - it
should be disabled
Added an Important Note to the readme.txt regarding the sshd UseDNS
setting
Speedup for LF_DIRWATCH regex matching
4.88 - Fixed URL's in Server Check report for cPanel if Security Tokens are
enabled in v11.25+
Added ipv6 explanation that the information is determined from the
output from ifconfig and display ipv6 addresses found
Added the ability to use Include statements in csf.deny and csf.allow,
see readme.txt for information and restrictions
4.87 - Ignore csf.rignore for LT_POP3D and LT_IMAPD
Removed unnecessary csf.locks during some GLOBAL list updates
Updated Copyright notice
Modified the block message for LF_MODSEC and LF_SUHOSIN to be more
appropriate (i.e. not "login failures")
Added new block options for BIND denied requests: LF_BIND,
LF_BIND_PERM, BIND_LOG. This works in the same way as the other
similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have
had BIND (named) requests denied more than LF_BIND times in
LF_INTERVAL seconds. Currently named client denied log lines for
"update" and "zone transfer" trigger the option
Modified GLOBAL_ routines to continue if retrieval for one fails
instead of immediately exiting
Added IPv6 check to Server Check
Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled
on single line comments (lfd.log, csf.deny, etc)
Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the
respective email alerts can be disabled
Updated IP::Country
4.86 - Added Dovecot regex checking for LT_POP3D and LT_IMAPD
Modified Server Check for Fedora v10 EOL now that Fedora v12 has been
released
Improved Dovecot IMAP and POP3D login failure regex
Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD
Fixed TLSCipherSuite Server Check for proftpd
Added SSHD regex for "Did not receive identification string from IP"
failures
4.85 - Further improvements to ICMP rule filters
- Added backup mod_security log viewer for non-cPanel servers
4.84 - Mod_security log viewer removed from csf in favour of cmc
Improved ICMP rule filters. This could help some hosts that experience
connection issues with csf
Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS
to include this, i.e. to Port Scan for all ports use:
PS_PORTS = "0:65535,ICMP"
This is now the default on new installations
4.83 - Added multiple checks to the Server Check for new cPanel v11.25
security settings
Tidied up and rearranged the main UI
Removed redundant UI options
Added total perm bans to UI
4.82 - Removed the need for UI lfd cron restart jobs on Direct Admin
4.81 - Fixed case sensitivity issue introduced in v4.80 with port specific
lfd deny lines being ignored
4.80 - Modified WHM login regex to only trap successful root page displays
for LF_CPANEL_ALERT
Apache status for PT_LOAD now checks http://127.0.0.1/server-status on
GENERIC/DA servers. You need to ensure that the server-status page
has access from 127.0.0.1 in the apache server-status Location
container
Extended SU log file regex for Debian servers
Sanitise UI file edit HTML output
Improvements to the removal of alternative firewalls script
Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and
GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS
list via URL
Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE,
especially on Debian
Improved detection of already blocked IP addresses
4.79 - Withdrawn
4.78 - Modified DA installation to overcome permissions problems on some
systems preventing the UI from working
4.77 - Expanded dovecot regex matching
Fixed the generic installation to install regex.custom.pm
4.76 - Added check for FrontPage extensions to Server Check as they should be
considered a security risk as they were EOL in 2006
Added support for the impending cPanel v11.25 Security Tokens feature
4.75 - Added a [block] section to the Login Failure alert.txt template. This
new report template will be copied to /etc/csf/alert.txt.new on
existing installations, rename it to alert.txt to use it
Modified existing lfd alerts to use currently used tags instead of
appending block information to the IP address (alert.txt modified as
above)
Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for
email sent via a local IP addresses, separating the trigger from
RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf
for more information
Added Relay Tracking to Direct Admin running exim. See RT_* and
SMTPRELAY_LOG in csf.conf for more information
Added csf.mignore to allow ignoring of specified usernames or local IP
addresses from RT_LOCALRELAY_ALERT
Modified csf UI to use a single dropdown for all lfd ignore files
Added proftpd regex matching for "UseReverseDNS on" in proftpd config
4.74 - Removed FUSER from csf.conf as it is no longer used
Added UNZIP to csf.conf which is required for Country Code to CIDR
functions
Modified the Country Code allow/deny/allow_filter feature to generate
CC CIDRs from the Maxmind GeoLite Country database instead of using
iplocationtools.com. Note: GeoLite is much more accurate that the
previous zones used. This also means that there are usually more CIDRs
for each CC which adds to the burden of using this feature
4.73 - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's
to prevent module failures
New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses
WHM via root. An IP address will be reported again 1 hour after the
last tracked access (or if lfd is restarted)
4.72 - Modified mail sending code to use a common procedure that copes better
with differing combinations and variations of From:, To:, LF_ALERT_TO
and LF_ALERT_FROM settings for lfd alerts
4.71 - Code speedups in csf --grep
Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note
added to alert if ip match found
Modified Server Check for Fedora v9 EOL now that Fedora v11 has been
released
Modified iptables output from csf.pl to exclude the Fedora v11
intrapositioned negation messages
Fixed typo in integrity.txt alert template for new installations
Modified the email header for csf --mail
Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY
Modified lfd output filehandle names to avoid read/write conflicts
Added Advanced Allow/Deny Filters for csf.dyndns. See readme.txt for
an example
Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where
only listed Country Codes are allowed, however normal port and packet
filter rules are still applied to those connections. All other
connections are dropped
4.70 - Modified UI access to csf.sips to display checkboxes instead of direct
editing, for ease of use
Fixed problem where RELAYHOSTS setting wasn't always being honoured
Modified mod_security configuration editor to handle HTML elements
Rewritten RT_*_ALERT regex and counting code to better deal with a
variety of exim log output formats
Added recipient count to RT_*_ALERT to include emails sent to multiple
recipients. This option requires that the exim log_selector setting in
the exim configuration includes the option: +received_recipients
So, the recommended log_selector setting is now:
log_selector = +subject +arguments +received_recipients
Modified Server Check cPanel version check to cater for x86_64 OS's
Added check to prevent Server Check mail report cron duplicates
Added abbreviated UI for mobile phone access to Quick Allow, Quick
Deny and Remove Deny. Direct URLs:
cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1
DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1
Webmin: https://1.2.3.4:10000/csf/?mobi=1
4.69 - Added Gentoo (generic) support
Added Server Check for MySQL LOAD DATA LOCAL
Modified Server Check for enable_dl to also check whether dl is in
disable_functions
4.68 - Added ipv6 IP detection for proftpd login failures
Removed ossec and webmin from the Server Check services section
4.67 - Modified the Country Code allow/deny feature to use
iplocationtools.com now that ipdeny.com has gone offline
4.66 - Modified OS version check to prevent Fedora v10 obsolete
false-positive in Server Check
Modified the exim SMTP AUTH regex to use the latest cPanel/exim format
Added failure notification for DYNDNS entry lookups in lfd if they
fail to resolve or timeout
4.65 - Modified Firewall Security Level UI to set PS_LIMIT within range
Fixed problem processing template for SU_ALERT
Empty csf.dshield on upgrade to work around problem where DSHIELD
blocked themselves in their own BLOCK list
4.64 - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work
if SMTP_BLOCK isn't actually enabled
Added new CLI option (csf -uf) which forces an update of csf+lfd
Added new CLI option (csf -df) which removes and unblocks all entries
in /etc/csf.deny (excluding those marked "do not delete")
Added new UI option to that removes and unblocks all entries in
csf.deny (excluding those marked "do not delete") and all temporary IP
bans
Added csf file names to the csf UI options
4.63 - New feature - Added new CLI option: csf --mail (or csf -m) which can
take an email address as an argument. It will display the Server Check
in HTML or send the output to the email address if present
Added option to UI Server Check to schedule csf to generate the report
and email the results to the address specied at the interval specified
Removed MySQL check from cPanel DNSOnly Server Check
Updated the perl v5.8.8 Server Check comment
Fixed sanity check for RT_*_BLOCK
Fixed copy of install.txt for generic installs and upgrades
Modified UI for Deny Servers IPs > Change to indicate that csf needs
restarting, not lfd
Added built-in replacement function for the Messenger Service message
files for [HOSTNAME] which will be replaced by the servers FQDN
hostname. Updated the sample Messenger index templates
Updated the uninstall scripts to remove the cronjob and logrotate
files
Added colour highlights to the Quick Allow and Quick Deny UI boxes
4.62 - Fixed problem with SU_ALERT alert report in v4.61
Modified the Server Check for cPanel update settings to check for
daily updates more accurately
Added Server Check for cPanel tree
Upgraded IP::Country
New feature - Added sanity check to configuration values in csf, UI
Server Check and UI Firewall Configuration. In the UI Firewall
Configuration: lines highlighted in red fall outside the recommended
range; lines highlighted in pale green differ from the default on
installation
Added cPanel Security Check to check that at least one configured
nameserver is on a different server
Added proftpd checks to csf (for VPS servers) and in Server Check
Added DirectAdmin Checks to UI Server Check for: SSL login to DA;
proftpd cipher; nameserver on a different server; PHP version and
configuration checks; Apache version; dovecot cipher
Removed resolv.conf localhost check
4.61 - Modified lfd iptables command error handling to log errors and
continue instead of terminating when in TESTING mode
Removed loading of iptables modules from csftest.pl to avoid modprobe
problems with some OS kernels
Added Connection Tracking check for pre-existing block to cater for
linux connection status timeouts
Moved LF_CSF check to the start of the lfd processing interval
New option LF_ALERT_FROM. If set, the value of this option will
override the From: field in all of the lfd alert templates. This
change also uses the From: field in the template (or this option if
set) as the value for the SENDMAIL -f option
Modified POP/IMAP Server Checks for the chosen mail server only on
cPanel servers
Modified FTP Server Checks for the chosen ftp server only on cPanel
servers
Added SMTP Tweak to Server Check on cPanel servers and removed block
on csf starting if enabled
4.60 - Modified cipher checks to strip out quotes
Modified Apache cipher message to remoind that you have to rebuild the
Apache configuration and restart for changes to be effective
4.59 - Added proftpd regex for Plesk server log file format
Modifed the Server Check cipher checks for pure-ftpd and Apache to use
openssl to ensure SSLv2 is disabled
Added cPanel Server Check checks for dovecot, courier-imap IMAP and
POP3D SSL cipher list
New option SAFECHAINUPDATE added. If enabled, all dynamic update
chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY,
ALLOWDYN) will create a new chain when updating, and insert it into
the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the
old dynamic chain and rename the new chain. See csf.conf for more
information. This option is disabled by default, but we do recommend
that it is enabled on non-VPS servers with restrictive numiptent
values
Added SAFECHAINUPDATE to the firewall Server Check (except for
Virtuozzo VPS servers)
Modified Server Check on cPanel to make the PHP v4 warning clear and
to warn where PHP v5 and v4 have both been compiled (PHP v4 is
obsolete and should not be used at all anymore)
Added WHM checks for skipparentcheck and cpsrvd-domainlookup to
Security Check
New option LF_ALERT_TO. If set, the value of this option will override
the To: field in all of the lfd alert templates
4.58 - Modified exim cipher check in Server Check to use openssl to test the
expanded configured cipher suites to ensure SSLv2 is disabled
4.57 - Improved exim configuration option detection in Server Check
Added Exim Configuration checks to DirectAdmin Server Check
Modified csftest.pl to perform a modprobe on all used iptables modules
before testing
Added PASV port hole warning on VPS servers to the output of csf on
start and to the cPanel (if using pure-ftpd) Server Check
Added lfd to the DirectAdmin Service Monitor
Added back a revised Firewall Security Level option to UI
4.56 - Added TCP_OUT port 2222 for the DA default configuration for new
installations
Added ICMP protocol to Advanced Allow/Deny Filters. See readme.txt for
more information and examples
Updated readme.txt to reflect the Control Panel UI availability for
cPanel, DirectAdmin and Webmin
Modified mod_security configuration file check to the TLD only of
/usr/local/apache/conf/ and only files ending in .conf
4.55 - Fixed issue with csf.conf not being loaded for the Server Check Report
Removed erroneous chkconfig check from Server Check Report
Disabled various checks in Server Check Report for non-cPanel servers
Modified Debian/Ubuntu init entry creation and removal procedure
Modified Server Check to search for multiple named.conf locations
4.54 - Bug fix to Exploit Check code
Fixed problem with iptables logs not being collated if PS_INTERVAL is
disabled but ST_ENABLE is enabled
Fixed potential problem with SMTPRELAY_LOG not being scanned when
RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled
4.53 - Upgraded the csf Webmin UI module to the new csf UI and added
installation/upgrade instructions to the install.txt for Webmin
Fixed image locations and javascript in DA and webmin UI
Updated the uninstall scripts and the uninstall section of install.txt
4.52 - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd
Added warning in DA UI to upgrade csf from the root shell due to
restrictions in DirectAdmin
NOTE: DA users should upgrade csf to this version from the root shell
using "csf -u" and not use the Upgrade button in the UI
4.51 - Fixed csf --upgrade (csf -u) for DA installations
4.50 - Added restrictions information regarding the PORTFLOOD setting and
ipt_recent to readme.txt (i.e. hit count max is 20)
Modular development of csf UI
Added DirectAdmin UI and installation support for csf/lfd
Added Statistics options (ST_ENABLE, etc) to generic csf installation
Added SMTP options (SMTP_BLOCK, etc) to generic csf installation
Removed pre-configured firewall settings through UI for redevelopment
as it has become out-dated
Modify csf UI to signal lfd to start/restart/enable only. A one
minute cron job will actually perform the signalled function. The CLI
is unaffected and performs the command immediately. This is introduced
to overcome fork issues from within an Apache session
4.41 - Added information about runing external iptables commands using
csfpre.sh and/or csfpost.sh to readme.txt
Added new CLI option csf --addrm (csf -ar) to remove an IP address
from csf.allow and delete the associated iptables rules
Removed the need for the MONOLITHIC_KERNEL option and made modprobe
perform silently on csf startup. Added the relevant information
regarding some Monolithic kernels and the need for a PASV port range
hole to readme.txt
Added timeout to csf modprobe to avoid startup hanging on buggy
kernels
4.40 - Added workaround for php --info bug in Server Report when checking PHP
configuration settings
Modified LF_INTEGRITY to regenerate the md5sum comparison file
immediately after a match is found instead of waitng for the next
cycle
Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty
4.39 - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and
LF_NETBLOCK_COUNT with act if more than the number of hits are
detected, not on the exact number set
Modified csf WHM UI to use csf -u to upgrade csf when a new version is
available
Added new script /etc/csf/csftest.pl which will test the servers
iptables modules for functionality. The tests are for the required
iptables modules and the optional modules for the SMTP_BLOCK,
PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool
for kernel/iptables problems and to check whether the features above
will function
Added csf WHM UI option to run csftest.pl
Updated the csf install.txt to run csftest.pl before running up csf
4.38 - Improved detection of working ipt_owner iptables module on VPS servers
such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks
will be automatically disabled and csf will continue to start
4.37 - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended
setting for cPanel servers which use ping times to determine fastest
mirrors for various update functions
Modified PT_LOAD_ACTION code to stop duplicate load emails from being
send by lfd
Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains
Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter
rules on VPS Servers for as ipt_owner is now apparently supported on
the latest kernels. However, if the latest kernel isn't being used or
the VPS host hasn't included the ipt_owner iptables module for the
client VPS, then csf will fail with an error
4.36 - Modified Process Tracking to allow regex exceptions in csf.pignore for
deleted executable processes
4.35 - Modified regex.pm detection of iptables kernel log lines to cater for
alternative formatting
Restored the substitution of the NULL separator with spaces for the
/proc/PID/cmdline in Process Tracking
4.34 - Added code to Process Tracking to translate non-printable characters to
especially help detect and report deleted executable file processes
WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd
and awstats.pl from lfd.pl. If you want to ignore such processes for
Process Tracking, you will need to add appropriate ignore rules to
csf.pignore for them
4.33 - Disable ST_LOOKUP by default on new installations
Modified lfd stats performance when ST_LOOKUP is enabled and added a
warning for this setting to csf.conf for when DROP_IP_LOGGING is
enabled
4.32 - Modified the su tracking regex to better trap RHE/CentOS v5 su login
attempts
Added a Server Check for "FTP Logins with Root Password"
Added new WHM UI option to display Last X iptables Log Lines. Note
that the report will only display log lines since this update. The
new statistics will be expanded in future developments. Added new ST_*
options to the cPanel csf.conf to control the recording of stats
Removed fwlogwatch from distro and will use self-produced reports
4.31 - Added warning for those that enable PT_USERKILL in csf.conf - i.e. It
is not a good idea to use that option
Modified PT_USERKILL to not kill (deleted) processes (these should be
restarted manually after investigation) as per the documentation
4.30 - If you add the text "do not delete" to the comments of an entry in
csf.deny then DENY_IP_LIMIT will ignore those entries and not remove
them. Updated csf.deny information text for new installations
Made the (deleted) process text even more explicit for those that are
not reading csf.conf or the FAQ for their explanation
Updated DSHIELD information URL in csf.conf
Added new feature - csf.rignore is an ignore file that lists domains
and partial domains that lfd should ignore. Read /etc/csf/csf.rignore
for more information
Option GOOGLEBOT removed. This feature is now performed using
csf.rignore. If GOOGLEBOT was previously enabled it will be added to
csf.rignore
4.29 - Added Slackware support (tested on v12.2.0)
Added Fedora v10 support
Added new option GOOGLEBOT - Prevent *.googlebot.com from being
blocked by lfd. See csf.conf for more information
Added csf version from/to to output from csf --update when upgrading
4.28 - Fixed GENERIC csf problem with csf.pl perl modules
4.27 - New Feature - Port Flood Protection. This option configures iptables
to offer protection from DOS attacks against specific ports. This
option limits the number of connections per time interval that new
connections can be made to specific ports. See csf.conf and readme.txt
for more information. This option is only available on servers with
the ipt_recent kernel module
cPanel DNSONLY compatibility added - Thanks to JJ for the assistance
Improved Cipher suite checking and advice for Apache and FTP in Server
Check
Remove md5sum check from JS exploit check as it is covered by
LF_INTEGRITY and causes confusion
Added new option LOGFLOOD_ALERT which will send an email alert based
on logfloodalert.txt if lfd skips logs lines due to log file
processing problems
Added new option PT_DELETED together with the FAQ explaination as to
why lfd reports deleted processes. The option can be disabled to
ignore such processes
Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow
exceptions to SMTP_BLOCK
4.26 - New Feature - Country Code to CIDR allow/deny. This feature can allow
or deny whole country CIDR ranges. The CIDR blocks are downloaded from
http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW,
CC_DENY and CC_INTERVAL in csf.conf
Expanded the dovecot regex to include more login failure permutations
Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel
servers
SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default
4.25 - Fixed bug in csf --grep when CIDRs used in advanced port filters
Fixed problems with aborted Server Check Report
Fixed position of the lo device rule in the OUTPUT chain which broke
SMTP_BLOCK
Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all
listed ports (not just port 25). This is populated on installation or
when TESTING = 1 if an additional port is listed in "WHM > Service
Manager > exim on another port". Otherwise, SMTP_PORTS needs to be
updated manually. The default setting contains port 25
SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled
4.24 - Added workaround for issue with WHM image display in the addon header
for cPanel v11.24
*Added cPanel v11.24 FTP Anonymous Upload checks in Server Report
*Added cPanel v11.24 FTP Cipher Suite checks in Server Report
*Added cPanel v11.24 Apache Cipher Suite checks in Server Report
*Added cPanel v11.24 Exim Cipher Suite checks in Server Report
Added Fedora v8 to the obsolete OS list now that v10 is out
Updated dovecot regex in regex.pm for v1.1.6 used by cPanel
* Will only display if cPanel version is >= 11.24
4.23 - Added skip to connection and process tracking for empty tcp6
connection data
Fixed PT_LOAD email output of ps and vmstat
4.22 - Additional fixes for an issue on VPS servers where temporary block
removal from csf.tempban failed
4.21 - Fixed an issue on VPS servers where temporary block removal from
csf.tempban failed
4.20 - Modified csf.tempban processing code in lfd to perform more stringent
file locking to preserve temporary bans if lfd is writing during
shutdown
Modified Port Scan tracking of IP's to not attempt multiple blocks on
the same IP address in the same log line processing batch
Fixed broken timestamp in lfd.log for dates < 10th of the month
Various code modifications to improve performance and stability
4.19 - Reverted the tied file changes as they were causing a deadlock
situation locking csf.tempban
Improved the process tracking detection of deleted executables of
running processes
4.18 - Modified temporary IP address storage to use a tied file to preserve
temporary bans if lfd is writing during shutdown
4.17 - Replaced the use of backticks in csf, lfd and the WHM UI with calls to
IPC::Open3
Various lfd and csf code improvements and tidy up
Ensure lfd parent dies cleanly on error
Debug information improved and timer modified to use Time::HiRes for
more accuracy
4.16 - Removed port 953 from the TCP and UDP allow lists for new csf
installations as it's not necessary to whitelist as bind listens on
the localhost device for such control connections by default
Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login,
exe:/usr/libexec/dovecot/imap-login to new and old cPanel
installations csf.pignore to cater for cPanel support for both nsd and
dovecot (currently in EDGE)
Only use Cpanel::Rlimit if it's available in WHM UI
4.15 - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing
connections from blocked IP addresses in csf.deny or temporary blocks.
The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN,
GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct
this. Many thanks to Brian for his help in tracking this issue down.
4.14 - Implemented the use of cPanel routine Cpanel::Rlimit to remove process
resource limit restrictions as the cPanel memory limitation setting
was causing the Server Check to abort with memory allocations problems
through WHM on some servers
Modified port checking for 23 and 53 in Server Check to no longer use
the fuser binary and use the port mappings directly from /proc
Modified lfd and Server Check to check for IPv6 bound processes as the
IPv4 and IPv6 connections are stored in a different file to IPv4 only
bound processes
4.13 - Updated various comments in csf.conf
Fixed call to csfpost.sh from csf
4.12 - Modified lfd Login Failure tracking to use a per IP address rolling
LF_INTERVAL window rather than a static one for all tracked IPs. This
makes login failure counting more accurate and blocking more
responsive
Added new feature - Block Reporting. lfd can run an external script
when it performs and IP address block following for example a login
failure. BLOCK_REPORT is to the full path of the external script. See
readme.txt for format details
If csf is installed or upgraded via an SSH session the connecting IP
address will now be automatically added to csf.allow (note: it is not
added to csf.ignore so lfd may still block it). This IP can be removed
after testing if desired
Modified the lfd.log format to the standard:
<mon> <mday> <hour>:<min>:<sec> <host> lfd[<pid>]: <text>
If you parse lfd.log you will need to update your scripts!
Added DEBUG option - for internal use only
4.11 - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore
for existing installations
Modified the calculation for the position of LOCALOUTPUT in the OUTPUT
chain
Added /etc/cron.d/lfdcron.sh to restart lfd daily
Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3
and exe:/usr/sbin/mysqld_safe to csf.pignore
Modified SCRIPT_ALERT regex to cope with exim log format changes in
FC8+
As per RFC5322, adding port 587 to the default TCP_IN list of ports
for new installations (i.e. it is now recommended for SMTP servers to
offer port 587 access for MUA to MTA traffic rather than port 25 which
is for MTA to MTA traffic)
Added informational text to Process Tracking email report if a process
is running an executable that has been deleted
Added csf version to the daemon startup log line in lfd.log
4.10 - Added /usr/libexec/hald-addon-keyboard to csf.pignore
Modified the static DNS port rules to always allow all OUTGOING (only)
connections to/from port 53 udp/tcp. This should help the situation
where some servers iptables block outgoing port 53 udp connections
despite the port being open
Added new option DNS_STRICT which will remove all static DNS rules and
allow access only through SPI. For stability reasons, it would be
advisable to leave this option disabled (default)
4.09 - Modification to cPanel version to restart chkservd using
/scripts/restartsr_chkservd instead of the init script as the latter
is removed in the latest EDGE release that puts chkservd under the
control of tailwatchd (/scripts/restartsrv_chkservd is a stub for
restarting tailwatchd in the latest EDGE instead of a direct restart
script in older cPanel versions). chkservd is restarted when csf
is installed/uninstalled/upgraded/disabled/enabled
4.08 - Added a new timing system to more accurately trigger lfd tasks. This
should alleviate timing issues such as those seen with LT_POP3D and
LT_IMAPD and improve the overall effectiveness and performance of lfd
Added new method for reaping child processes. If you find that zombie
lfd processes start to build up you can revert to the old reaper by
enabling new option OLD_REAPER
4.07 - Messenger service now supports advanced filter permanent port block
redirection
4.06 - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the
LOCALxxPUT chains so that the entries can be correctly listed with
ACCEPT's at the top and DENY's at the bottom of the chain
Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and
OUTPUT chains so that bandwidth accounting is kept accurate
Fixed a problem processing advanced port filters in GLOBAL_ALLOW and
GLOBAL_DENY
4.05 - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains
4.04 - Fixed problem with rule placement for ETH_DEVICE_SKIP
Ensure all ALLOW requests are inserted before DENY requests after csf
has been restarted
Ensure that fwlogwatch stats creation uses IPTABLES_LOG file
Only perform operations on the nat table if MESSENGER service is
enabled
lfd Process Tracking will now ignore MESSENGER_USER messenger services
Added new option PT_ALL_USERS so that all Linux accounts on a cPanel
server are checked in Process Tracking, not just cPanel users. This
option is disabled by default on cPanel servers. Enabling this option
may require adding exceptions to csf.pignore
Additional exceptions added to csf.pignore for cPanel servers for the
new PT_ALL_USERS option
PT_SKIP_HTTP now disabled by default for new installations
Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check
4.03 - Fixed problem where the new LOCALxxPUT chains were only processing tcp
requests
Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule
count in the OUTPUT chain under certain circumstances
4.02 - If csf fails with an error lfd will now die and require a restart
after the issue with csf is resolved. csf commands apart from start
and restart are also disabled
Released from BETA
4.01 - Allow the Messenger Service to be used on VPS servers. However, if the
ipt_REDIRECT module is missing csf will fail to start correctly and
abort
HTML Messenger service server now only reads a limited line length
instead of unlimited input to prevent overflows
4.00 - New feature - Messenger Service. This feature allows the display of a
message to a blocked connecting IP address to inform the user that
they are blocked in the firewall. This can help when users get
themselves blocked, e.g. due to multiple login failures. The service
is provided by two daemons running on ports providing either an HTML
or TEXT message. See csf.conf and readme.txt for more information
(not available on VPS platforms and others missing the ipt_REDIRECT
kernel module)
Moved INPUT and OUTPUT chain rules for blocks and allows to their own
respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP
blocks will be listed in the INPUT or OUTPUT chains, but in the new
ones
Re-organised all of the INPUT and OUTPUT chain rules to give
precedence to the LOCALINPUT rules before invoking other chains and
port ALLOW rules
Moved the SYNFLOOD protection chain rule to be the first chain rule
after the LOCALINPUT chain rule
Moved the lo device rules to the always be at the top of the INPUT and
OUTPUT chains
Modified the syslog regex matches to only match on local entries to
cope with centralised syslog configurations
3.43 - Improved application IP block checking
Restored the option LF_SCRIPT_PERM with additional checks for
directories within the cPanel homedirs and for symlinks. Warning
added to csf.conf for this option
Added random query-source port setting for BIND to the Server Report
3.42 - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to
be the same as the cPanel csf.conf
If LF_SELECT is enabled make sure all cPanel ports are blocked on
cpanel login failure. This was only doing ports 2082,2083 and will now
block 2082,2083,2086,2087,2095,2096
3.41 - Added new mechanism to allow custom regular expression matching with
individual settings for lfd login failure detection. See
/etc/csf/regex.custom.pm for details
Modified all timestamps in lfd reports to also include the standard
timezone offset (i.e. from GMT)
Added new setting CC_LOOKUPS to control the new Country Code lookups
(enabled by default)
DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled
PS_INTERVAL enabled by default on new installations
Doubled the number of lines before log file flooding detection will be
triggered
3.40 - Added queuealert.txt to the WHM UI dropdown list for editing
Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the
check
Added Country Code lookups for IP addresses. Any reported IP addresses
will include the international CC where available. It should be noted
that with international ISPs this may not be wholly accurate. Where
possible the CC will be translated into the associated country name
3.39 - Added new option IGNORE_ALLOW which, if enabled, lfd will ignore IP
addresses listed in the csf.allow file and not block them
Added new option LF_QUEUE_ALERT, which will send an email alert using
queuealert.txt if the exim queue length exceeds the value it is set
to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the
ConfigServer MailScanner configuration is being used, both the
MailScanner pending and exim delivery queues will be checked. This is
a cPanel only option
Added new option CT_PORTS to Connection Tracking so that you can
specify which ports you want to count towards CT_LIMIT, e.g. 80,443
Modified Server Report check for register_globals in cPanel's php.ini
incase the new cPanel WHM setting is being bypassed
3.38 - Additional SSHD regex added to regex.pm
Improved the WHM UI reporting of the csf status: disabled, running,
testing mode
Added Enable/Start buttons to WHM UI next to the csf status if
disabled/stopped
Updated Server Report checks for csf status
Changed the destination of the ConfigServer Services link at the
bottom of the WHM UI to go to the csf web page
3.37 - Fixed an issue currently in cPanel EDGE that affects the use of the
cPanel SafeFile module in WHM scripts
3.36 - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds
Improved lfd internal timing system for event triggers
Added new feature - Account Tracking. The new AT_* options configure
an alert system for account modifications which will send an email if
there are new accounts added, existing accounts deleted plus password
uid gid login dir and login shell changes. Each of these changes can
be enabled or disabled. You can also enable tracking for superuser
accounts only. That latter is the default setting. This feature uses
the email template accounttracking.txt
Added reason text to temporary IP bans
Added Server Report check for ini_set in PHP disable_functions
Added ossec to list of processes to disable as it will conflict and
duplicate csf functionality
Changed Server Check scoring text to instead show a coloured table
indicating score
3.35 - Changes to WHM UI script for cPanel v11
Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer
supported
Added # of temp blocks to WHM UI "Temporary IP Bans" on main page
Modified Server Report check for register_globals in cPanel's php.ini
to use the new cPanel WHM setting
Added Server Report check for passwords in WHM email setting
Added Server Report check for WHM root/reseller login to users cPanel
Modified Server Report nobody cron check to only fail on non-zero cron
file
Modified Server Report check for Fedora now that Fedora 7 is EOL
(2008-06-13)
Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd
blocking
3.34 - Modified regex matching to allow for trailing spaces in log lines
Modified PT_LOAD routine to prevent multiple triggers resulting in
more than one alert being email sent
Removed the need for NETSTAT from lfd to reduce overheads and improve
performance allowing CT_INTERVAL to be set lower. Now uses
/proc/net/[protocol]
3.33 - Modified skip for su login checking from root to cater for (uid=0)
Added option SYNFLOOD_BURST to allow configuration of --limit-burst
when SYNFLOOD is enabled. Changed default values
Added to --grep searches to csf.deny and temporary blocks in addition
to iptables
Modified SSH regex to improve login failures detection further
Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
Added vsftpd regex for ftp login failures
3.32 - Modified SSH regex to check for ipv6 addresses
Added another regex to improve SSH matching
3.31 - Modified -denyrm to abort if left blank instead of clearing all blocks
Added lfd check for existing temporary block to avoid duplicates
Fixed regex handling for courier-imap POP and IMAP login failures
Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use
this option, LF_DIRWATCH_FILE will likely trigger due to the changed
output the first time you restart lfd after upgrading
Fixed typo in Suhosin description in the Server Check Report
Added Referrer Security to the Server Check Report
Added register_globals check in cPanel php.ini to Server Check Report
3.30 - Security Fix: lfd vulnerabilities found which could lead to Local and
Remote DOS attacks against the server running csf+lfd
The DOS attacks could make lfd block innocent IP addresses and one
attack could cause lfd to deplete server resources
Modified the regular expressions in regex.pm to prevent them from
being triggered by spoofed log line entries
Option LF_SCRIPT_PERM removed
Our thanks to Jeff Petersen for the detailed information describing
these issues
We recommend that all users of csf upgrade to this new version
3.28 - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke
login tracking
Modified relay tracking to not ignore RELAYHOST IP's
Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's
LF_SUHOSIN will now skip matches for "script tried to increase
memory_limit"
3.27 - Modified csf -dr option to delete advanced filter IP matches as well
as simple matches in csf.deny
3.26 - Added new CLI option to csf, -g --grep will search the iptables chains
for a specified match which is either explicit or part of a CIDR
Added WHM UI option for csf --grep
Added new CLI option to csf, -dr --denyrm will remove an IP address
from csf.deny and unblock it
Added WHM UI option for csf --denyrm
3.25 - Added csf.suignore file where you can list usernames that are ignored
during the LF_EXPLOIT SUPERUSER test
New option PT_LOAD_ACTION added that can contain a script to be run if
PT_LOAD triggers an event. See csf.conf for more information
Added SUPERUSER check to Server Check Report
Added Suhosin check to Server Check Report
3.24 - Allow comments after IP addresses in csf.dyndns
Added new login failure option LF_SUHOSIN which detects alert messages
and blocks the attacker IP after the configured number of matches
Added a new exploit check for non-root superuser accounts
Added a new configuration option LF_EXPLOIT_CHECK which allows you to
configure which tests are performed by LF_EXPLOIT
3.23 - Modified the Server Report code for checking PHP variables to be more
lenient when checking the output from /usr/local/bin/php -i
Modified lfd calculation of Jiffies to use the POSIX::sysconf function
to obtain the clock ticks instead of assuming 100 ticks for Linux
Fix duplicate LF_INTEGRITY emails
3.22 - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this
setting if you use Port Scan Tracking as it will cause redundant
blocks
Added tag [hostname] to all of the alert reports. You will need to add
this manually to the report text Subject: line (or anywhere else in
the report that you would like it) for existing installations
Added "A note about FTP over TLS/SSL" to readme.txt
3.21 - Fixed problem in Server Check that caused an error in some situations
Modified netblock caching code to prevent repeated block attempts
3.20 - Corrected net block logic so that after a net or perm block occurs,
subsequent log entries that would incur the same block are ignored
3.19 - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have
had X temporary blocks in the last Y seconds. Uses email template
permblock.txt
New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or
C) if more than X IP addresses in a specified class have been blocked
in the last Y seconds. This may help within some DDOS attacks launched
from within a specific network class. Uses email template netblock.txt
Modified MD5SUM comparision code to better reset md5sum checks after a
hit
Only issue Random JS Tookit warning if all the MD5SUM checks fail for
the relevant files
Removed POP flood Protection setting check from Server Report as it's
no longer relevant to courier-imap
Rewritten the Apache Check code for the Server Report to better
detect the current running settings on all Apache and PHP versions
Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they
aren't relevant (as they apply to the host VPS configuration) for the
Server Report
3.18 - Fixed bug in the generic csf release where the default csf.conf was
missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim
for the help in tracking the issue down
3.17 - Rewritten the update code so that a new csf.conf is creating when
upgrading. It now uses the latest csf.conf and transfers the existing
settings to the new configuration file. This way all installations are
sure to have all new settings and the latest comments. It also makes
the release process for new builds much simpler
Other installation/update improvements
Updated APF/BFD removal procedure
3.16 - Fixed bug introduced in v3.14 for generic installation only
3.15 - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf
Modified csf.conf text for new installations to account for
auto-configuration of ETH_DEV which has been the case for some time:
# By default, csf will auto-configure iptables to filter all traffic except on
# the local (lo:) device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""
3.14 - Added new format for cPanel (v11.18.3) login failures to regex.pm
Added exe:/usr/libexec/gam_server to the default list of ignored
binaries
Fixed problem with SCRIPT_ALERT not picking up alternative /home
directories from wwwacct.conf
3.13 - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans
held in the temporary IP ban list to prevent iptables flooding. If the
limit is reached, the oldest bans will be removed/allowed by lfd on
the next unblock cycle regardless of remaining TTL for the entry
Added LF_FLUSH for the flush interval of reported usernames, files and
pids so that persistent problems continue to be reported. Default is
set to the previously hard-coded value of 3600 seconds
Fixed uw-imap ipop3d regex
Added check for TESTING mode when using csf -a or csf -d to only add
to the respective csf.allow or csf.deny files and not insert into
iptables to prevent errors if iptables has been flushed after reaching
TESTING_INTERVAL
3.12 - Added SMTP AUTH failure regex for Kerio MailServers
Fixed an issue where a permanent Port Scanning alert would report as
a temporary block, eventhough a permanent block was performed
Added regex for failed SSH key authentication logins (thanks to Paul)
3.11 - Use /proc for Process Tracking instead of ps output incase of
exploited system binaries and to better determine resource usage of
each process
3.10 - Modified INPUT and OUTPUT chain rules to always specify the ethernet
device
csf now re-applies temporary IP blocks on restart
Added new CLI command to add temporary IP bans. See csf -h for the
new csf -td command
Added new options to WHM csf UI to unblock temporary IP bans
Added new option to WHM csf UI to block IP temporarily for a specified
TTL
3.09 - Fixed missing copy for the portscan.txt report for generic
installations
Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking
email alerts
Added a sample of the port blocks that trigger the Port Scan to the
report. This new report will be copied to /etc/csf/portscan.txt.new on
existing installations, rename it to portscan.txt to use it
Added Port Scan Tracking to WHM UI Firewall Security Level
Added cPAddon update email setting check to Server Security Report
Modified the SuEXEC link location to the cPanel v11 location in Server
Security Report
Added portscan.txt template to editable list in WHM UI
Updated readme.txt
3.08 - Modified Port Scan Tracking to ignore blocked IP addresses incase
DROP_IP_LOGGING is enabled
3.07 - Added Apache Server Status report to PT_LOAD for load average report
monitoring. To benefit from this feature you will need to rename the
new report file /etc/csf/loadalert.txt.new to loadalert.txt. The
reports (ps, vmstat and apache) are now included as MIME attachments
in the email report instead of inline text
New feature: Port Scan Tracking. This feature tracks port blocks
logged by iptables to syslog. It can help block hackers attempting to
scan the server for open ports, or to block them while trying to
access blocked standard ports, e.g. SSH. See csf.conf for more
information
Upgraded the urlget module
3.06 - Added System Exploit Checking. This enables lfd to check for the
Random JS Toolkit and may check for others in the future:
http://www.cpanel.net/security/notes/random_js_toolkit.html
It compares md5sums of the binaries listed in the exploit above for
changes and also attempts to create and remove a number directory. The
open is enabled by default. The report is generated from the
exploitalert.txt template file
3.05 - Added perl regex checking to csf.pignore with the new options puser,
pexe and pcmd. Text added to csf.pignore for new installations:
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
3.04 - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you
to set the incoming and outgoing ICMP rate limits independently, or to
disable rate limiting in either direction completely for ICMP packets
3.03 - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of
"ls -laAR"
Modified rules so that only icmp ping is blocked and all other icmp
packets allowed if ping disabled in csf configuration. This may well
help improve iptables performance if ping was disabled
Added rate-limiting for all icmp packets to prevent inbound flooding
New option SYNFLOOD configures iptables to offer some protection from
tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet
rate per IP so the option can be tailored
Added SYN flag checking of state NEW tcp connections if PACKET_FILTER
is enabled. NEW tcp connections should always starts with a SYN
Moved PACKET_FILTER rules to their own iptables chain called INVALID
Fixed issue where some drops were not logging when logging enabled
Added hourly flush interval of reported usernames, files and pids so
that persistent problems continue to be reported
Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI
3.02 - Modified the text comments at the top of csf.allow for new installs:
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
Removed RELAYHOSTS check from Server Check report
Don't show SMTP_BLOCK check if on a VPS in Server Check report
PT_USERKILL, if set, will now also kill user processes that exceed
PT_USERPROC
Fixed problem where csf.tempusers was not being cleared down on an lfd
restart
Added two new csf command line options to flush IP's from the
temporary ban list: -tr -tf (see csf -h for more information)
3.01 - Tightened DNS port configuration restrictions as the old rules were
being catered for by iptables connection
Added Kerio Mailserver POP3/IMAP regex's
3.00 - Added progress information to LWP downloads within csf
Added numiptent checking for VPS servers. csf will flush iptables and
lfd will stop blocking IP's if numiptent is nearly depleted. This
should help prevent VPS lockouts due to insufficient server
resources. If this happens, you will either need to reduce the number
of iptables rules (e.g. disable Block List usage) or have the VPS
provider increase numiptent. A value of ~700-1000 should be fine for
most SPI firewall applications with full Block List configuration
Added support for the BOGON List (Block List) with LF_BOGON -
http://www.cymru.com/Bogons/
See link and csf.conf for more information
Fixed problem with RELAYHOSTS not working
Removed use of the replace binary
2.95 - Reduced memory overhead and added large file skipping for LF_DIRWATCH
Improved performance of LF_DIRWATCH trigger checks
Fixed problem with LF_SELECT temporarily blocking outbound access on
all ports. Now now only the relevant inbound only port(s) will be
blocked if triggered
2.94 - Fixed linux line-endings in some configuration files from v2.93 -
doesn't affect existing installations
2.93 - Improved mod_security v2 regex for filter triggers
Added MySQL v5 check
2.92 - Improved the cPanel version check for < v11 and whether up to date
Added new CLI option -t (--temp) which lists the temporary IP bans and
the TTL before the IP is flushed from iptables
Added "View Temporary IP Bans" to WHM UI
Changed WHM UI lfd Log auto-refresh default to unchecked
Added regex for dovecot "Aborted login" messages in /var/log/maillog
Added support for displaying mod_security v2 logs in WHM UI
2.91 - Added Fedora Core v6 to the obsolete OS check
Added php v4 check
Added apache v2.2 check
Added Perl v5.8.8 check
Added cPanel v11 check
Modified Sys::Syslog use to utilise the ndelay and nofatal options
Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in
a globally located ignore file
Added new option CT_STATES to Connection Tracking so that you can
specify which connection states you want to count towards CT_LIMIT,
e.g. SYN_RECV
2.90 - Ensured that Process Tracking doesn't affect processes running under
root
Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and
existing installations
Added Apache v2 checks to Server Checks Report
Removed mod_evasive from Server Checks Report as it appears to be less
relevant, especially with Apache v2
2.89 - Fixed the csf webmin module
Added updates to the webmin module
Completely removed use of cat in the WHM module and wget/cat from the
webmin module
2.88 - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD
Modified the courier IMAP and POP3D regex's to include connections
over SSL in lfd
Modified lfd to ignore cpdavd processes
Modified the cPanel regex's to include cPanel v11 variants in lfd
2.87 - Fixed duplication of settings during generic configuration upgrade
procedure
Only display version confirmation update message when running csf -u
interactively (Thanks to Brian Coogan for the perl tip)
Fixed issue with temporary files not being truncated before being
written to, which caused problems e.g. with global allow/deny files
Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from
connection tracking
Updated the csf webmin module to use the &ReadParse() routine to
overcome problems when running through SSL (Thanks to Tim Ballantine
for this tip)
2.86 - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive"
on RedHat
2.85 - Fixed a problem with v2.84 which broke permanent IP blocking in lfd -
it's been a long week :-/
2.84 - Fixed problem with permanent LF blocks in lfd for individual
application port blocks when set to permanent
Added new SYSLOG option to csf.conf to allow additional lfd logging to
SYSLOG (requires perl module Sys::Syslog)
Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh
interval of 3600 to prevent getting yourself blocked!
2.83 - Fixed broken Server Check from v2.82
2.82 - Fixed a documentation for LF_TRIGGER_PERM
Fixed issue where RT_[relay]_ALERT set to "0" was being ignored
Fixed condition from v2.80 which prevented SCRIPT_ALERT from working
If killproc.conf does not exist the Server Check now links to the
Background Process Killer page instead of issuing a file missing error
2.81 - Added exe:/usr/local/cpanel/cpdavd to csf.pignore
Added option to disable refresh in WHM csf UI when viewing lfd.log
Removed debug code that prevented IP blocking -- oops
2.80 - Added new lfd feature - Relay Tracking. This allows you to track email
that is relayed through the server (cPanel only). It tracks general
email sent into the server, email sent out after POP before SMTP and
SMTP_AUTH authentication, local email sent from the server (e.g. web
scripts). There are also options to send alerts and block IP addresses
if the number of emails relayed per hour exceeds configured limits.
The blocks can be either permanent or temporary. Currently blocking
does not function for LOCALRELAY email.
Introduced a new blocking mechanism in lfd that allows a choice of
permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for
details on how to configure the various blocking options to use
temporary instead of permanent blocks, e.g. for Login Failure blocking
Modified new installations to default to using seperate triggers for
login failures, instead of the global LF_TRIGGER value
2.79 - Bug fixes
Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK
is enabled for the new cPanel Webmail configuration in v11
Added new configuration option DROP that allows you to choose the drop
target for rejected packets (see csf.conf for more information)
Remove /etc/cron.d/csf_update on uninstall
2.77 - Closed vulnerability with temporary file checking
Tighted log file regex's to prevent spoofed remote IP block attacks
2.76 - Improved file checking in Server Check script to prevent WHM failures
2.75 - Modified Server Check to only look at pure-ftpd settings if installed
Simplified throttling mechanism
2.74 - Modified PHP Server Checks to use the php binary output instead of
trying to find the active php.ini file
Added PHP Server Check for register_globals
Improvements to the Server Check code
Fixed bug in TCP port 23 check in Server Check
Added new option --check (-c) to check whether the installed verison
of csf is the latest, no update is performed
Added multiple csf configuration checks to the Server Check report
Added throttling to LF_INTEGRITY and increased the timeout
proportionally
2.73 - Modified SMTP_BLOCK warning on VPS servers to only display if the
option is enabled
Modifed the Server Services Check text to omit using -del with
chkconfig and better explain that a process is enabled even if it is
not currently running and needs to be disabled to prevent startup on
boot
Removed reliance on wget for updates and version checks
Coding improvements in csf.pl and addon_csf.cgi
Added /var/log/lfd.log tail automatic refresh to WHM UI
2.72 - Fixed problem with DENY_IP_LIMIT not counting all IP entries in
csf.deny correctly
Ignore and issue a warning if SMTP_BLOCK is enabled on a Vituozzo VPS
since the Virtuozzo VPS kernel does not support ipt_owner
Remove Shell/Fork Bomb Protection check in Server Check as the option
breaks a Virtuozzo VPS if enabled
Added more processes to check in Server Services Check
Removed restriction on outbound source port rule construction
2.71 - Added CSS settings to support pre-v11 cPanel installations
2.70 - Modified to adopt cPanel v11 WHM theme
Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new
installations for v11 cPanel
Added FC5 to the list of (or soon to be) unsupported OS's
Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading
2.69 - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where
a suspicious directory would not be removed
Added perl module check for File::Path
Added path configuration to tar and chattr in csf.conf
Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login
failures. When upgrading the new setting will be set to whatever you
have LF_FTPD set to
2.68 - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead
to arbitray code being executed in the context of the user running lfd
, i.e. root. This option has been disabled in the code until further
notice. You will have to manually remove any reported files.
Tightened csf file ownerships on installation
2.67 - Security fix - A major security issue has been found in the
LF_DIRWATCH code that can lead to arbitrary code being executed in the
context of the user running lfd, i.e. root, if that option is enabled
and a hacker has access to create a crafted filename in one of the
watched directories. This update closes this hole.
*ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL
EXPLOITATION*
2.66 - Modified LF_CPANEL text in csf.conf for new installations to reflect
the change in the SSL login handling by cPanel (i.e. it does now log
SSL login IP's)
Modified the log line monitoring in lfd to cope with log line flooding
to prevent looping/excessive resource usage. Also recoded without the
use of the POSIX routines
lfd process name now shows which log file it is scanning
2.65 - New Feature: System Integrity Checking. This enables lfd to compare
md5sums of the servers OS binary application files from the time when
lfd starts. If the md5sum of a monitored file changes an alert is
sent. This option is intended as an IDS (Intrusion Detection System)
and is the last line of detection for a possible root compromise. See
csf.conf for more information
2.64 - Modified lfd check for rotated system logs to re-open a log file if
logs are emptied instead of rotated
2.63 - Added regex support for uw-imap (imap and pop3) login failures
Added regex support for proftpd login failures
Timeout version check incase version server is unavailable
2.62 - Fixed CIDR support issue with csf.ignore only recognising the first
listed entry
2.61 - Fixed problem with lfd not being killed by /etc/init.d/lfd
2.60 - Added log file locations to csf.conf
openSUSE v10 compatible (generic)
Debian v3.1 (sarge) compatible (generic)
Unbuntu v6.06 LTS compatible (generic)
Added installation check for the LWP (libwww-perl) perl module
Ran spell checker against the readme.txt file
2.59 - Fixed mod_security report not displaying if only 1 entry
2.58 - Tweaked the mod_security entry layout
2.57 - New feature: WHM UI mod_security v1 display last X entries in the
audit_log
New feature: WHM UI mod_security v1 edit files or directories in
/usr/local/apache/conf/ that are prefixed with modsec or mod_sec
Tweaked the pre-configured Firewall Security Level settings
2.56 - Fixed v2.55 fix for non-EDGE versions
2.55 - Fix to to support current EDGE in csf WHM UI
2.54 - Tightened the mod_security v1 regex after the changes in v2.52
2.53 - Modified Server Check to reflect withdrawn FedoraLegacy support for
FC3 and FC4 which should now be considered insecure
2.52 - Separated the log file regex's into regex.pm for those feeling brave
to tailor them for non-cPanel servers
Unified installer for cPanel and non-cPanel installations - so that
only install.sh needs to be run (checks for the existence of:
/usr/local/cpanel/version
If you install on a server intending to use cPanel before cPanel is
installed, run the install.cpanel.sh script instead
Added mod_security v2 regex when running Apache2 to lfd
Added [iptext] tag for connectiontracking.txt to list all the
connections of an offending IP. Add this manually for existing
installations
2.51 - Major Enhancement: csf+lfd can now be installed and used on a generic
Linux OS without cPanel using install.generic.sh - see readme.txt for
more information
PF INVDROP entries made bi-directional if PF logging enabled (reduces
the number of INVDROP LOG rules by half)
Fixed Process Tracking throttle control to correctly use PT_INTERVAL
2.50 - Removed option ALLOW_RES_PORTS from new installs, setting is ignored
Check for LF at the end of form data for files edited through the WHM
UI and append one if omitted
Following the changes in 2.48 the LOGDROP chain doesn't distinguish
between incoming and outgoing blocks. So, LOGDROP has now been split
into LOGDROPIN and LOGDROPOUT
2.49 - Fixed issue if ETH_DEVICE was set and from changes in 2.48
2.48 - csf will now specify ! lo as the main ethernet device unless otherwise
defined in ETH_DEVICE. This will mean that the firewall is applied to
all ethernet devices on the server unless otherwise specified in the
configuration
2.47 - Modified DYNDNS code to set listed domains IP addresses to be ignored
as if they were listed in csf.ignore
If adding an IP address to csf.allow that is already in csf.deny, the
IP address will now be removed from csf.deny first and the DROP
removed from iptables. It will then be added to csf.allow as normal
2.46 - Added auto-detection of additional exim port (same as SSH port) which
will be added to TCP_IN on csf installation (or if in TESTING mode)
Only report PT_USERMEM and PT_USERTIME PIDs once
2.45 - Added workaround to restart the bandmin acctboth chains if csf is
stopped or (re)started
Rewritten the way RELAYHOSTS works so instead of using an iptables
chain a check is done at block time on the IP address and if it is in
/etc/relayhosts then it will be treated as if it is listed in
csf.ignore
Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0)
instead of a time interval
Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore
Added new options PT_USERMEM and PT_USERTIME to report excessive user
process usage and optionally PT_USERKILL to kill such processes. An
alert is sent using resalert.txt
2.44 - Added new option PT_LOAD which will detect if the server load average
of choice exceeds a set threshold and send an alert
Reduced the DROP_NOLOG default setting to not include ephemeral ports
for new installations
Moved DROP_NOLOG rules to the LOGDROP chain
2.43 - Added new option DROP_PF_LOGGING which will give detailed iptables log
information on dropped packets that are INVALID or out of sequence.
This can help tracking down why iptables may be blocking certain IP
connections
2.42 - Improved the csf locking mechanism to avoid deadlocks
2.41 - Fixed syntax in lfd procedure for csf locking
Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it
will be run before any of the csf iptables rules are applied. If
/etc/csf/csfpost.sh exists it will be run after all of the csf rules
have been applied. This allows you run your own iptables commands
within those files. Each file is passed through /bin/sh
Added two new command line options to completely enable and disable
csf and lfd
Added Enable and Disable options to WHM UI
2.40 - Added csf lock procedure to avoid iptables race conditions if multiple
/simultaneous instances of csf or lfd are executed
Added check for child reaper looping to dramatically reduce lfd load
2.39 - Added OS check to Security Check to warn if using RH7/9 FC1/2 which
are no longer supported (or about to be retired)
Made lfd more lenient when it cannot open a log file (reports the
error but continues to function)
PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for
php settings
Added new option RELAYHOSTS to csf.conf which allows you to
automatically allow access to IP's listed in /etc/relayhosts at a
specified interval
2.38 - Fixed DYDNS (forgot to add the rule to redirect packets to the
ALLOWDYN iptables chain)
2.37 - Added canna to the Security Check
New feature - added support for dynamic dns (DYNDNS) records. See
csf.conf for more information
Added dyndns file edit to WHM UI
2.36 - Added runlevel check to Security Check
Added nobody cron check to Security Check
Added melange server check to Security Check
Modified the regex for the php.ini disable_functions check
Added timing function to lfd that logs how long each stage takes. This
can be enabled by editing lfd.pl and setting $timing=1 - this can help
in tracking down performance issues with lfd
2.35 - Added specific exclusion for proftpd in lfd.pl process tracking
Fixed bug with LF_GLOBAL being ignored
2.34 - Added a new option (beta for now) PT_SMTP. This option will check for
outgoing connections to port 25, ecluding root, exim and mailman. The
purpose of the feature is to log SMTP connections if you believe you
have a spammer on the server who is bypassing exim to send out spam
emails - this is traditionally a very difficult form of spam to track
down. The option currently logs relevant process information to
lfd.log to avoid an email alert flood.
2.33 - Code modification to allow csf+lfd to run without erroring on cPanel
DNS-Only installations
Added forced error checking on SMTP blocking iptables commands
Added check in csf and lfd for duplicate settings in csf.conf
2.32 - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25
for web scripts, etc, if SMTP_BLOCK is enabled
Added check to csf startup to fail if "WHM > Tweak Security > SMTP
Tweak" is enabled otherwise it can break SMTP traffic completely. The
SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used
instead
2.31 - Added automatic throttling code to help prevent lfd using excessive
resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If
the sub process takes too long to run, the interval between its next
run is increased temporarily (for the duration lfd runs for, a restart
will reset it) and will continue to extend this time to prevent
excessive server load. However, it will also proportionately increase
the time given for the sub process to complete so that it can at least
attempt to get the check done. If you see throttling messages
appearing in the lfd.log you should consider increasing the process
interval as indicated permanently (i.e. within csf.conf)
Added throttling to CT_INTERVAL
2.30 - Modified PT_USERPROC to respect all ignore entries in csf.pignore
2.29 - New feature - User Process Tracking. This option enables the tracking
of the number of process any given cPanel account is running at one
time. If the number of processes exceeds the value of the PT_USERPROC
setting an email alert is sent with details of those processes. A user
is only reported once, so lfd must be restarted to reinstate checking
of all users. If you specify a user in csf.pignore it will be ignored.
The alert file is useralert.txt
Added useralert.txt for editing through the WHM UI
Added PT_USERPROC to the Firewall Security Level settings
2.28 - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to
csf.pignore
Only perform strict iptables error checking when in TESTING mode
2.27 - Fixed another mis-configuation for outgoing global deny rule - Thanks
again to Marie from Jagwire Hosting
2.26 - Fixed a mis-configuation for outgoing global deny rule - Thanks to
Marie from Jagwire Hosting
Allow advanced allow and block filters using the -a and -d options
when running csf in CLI
Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the
application trigger levels set, you can now set LF_SELECT to "1" if
you only want to block IP access to that application instead of a
complete block
Changed installer behaviour to only add SSH port to TCP_IN if TESTING
is set to "1" - done to help those that don't want to always have the
SSH port opened
2.25 - Modified lfd init procedure to use the init functions
Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd
will instead trigger blocks based on the value of the application
trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3
mod_security alerts. Or if LF_POP3D is set to "10" then it will
trigger on 10 pop3d login failures. When in this mode, i.e. with
LF_TRIGGER set to "0", login failures for different triggers are not
cumulative, whereis LF_TRIGGER set to a number > "0" they are
cumulative as before
Modification to csf.conf to reflect the changes to LF_TRIGGER - only
applied to new installations
Rewrite of the iptables command invocation in lfd.pl to trap iptables
errors and shutdown firewall if any found - should help prevent
lockouts
Allow advanced rules in Global Allow and Deny lists. Input and Output
direction support included.
Added Global Allow and Deny lists to the OUTPUT chain as well as the
INPUT chain
Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to
ignore. Updated WHM UI to allow easy file edits
2.24 - Fixed global allow/deny lists so that you can correctly not have to
specify both an allow and a deny file
2.23 - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH
from the cPanel configuration
Added maildir check to Security Check
Fixed a typo in advanced rules - Thank you to Victor from Touch
Support for pointing this out
Added binary executable check for LF_DIRWATCH files
Added core dump check in cron directories to LF_DIRWATCH
Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match
Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still
find it timing out, make sure that you have been clearing down your
tmp directories
2.22 - Added CIDR recognition to csf.ignore
Rewrite of the iptables command invocation in csf.pl to trap iptables
errors and shutdown firewall if any found - should help prevent
lockouts
2.21 - Fixed a problem on some installations where the update process emptied
out csf.conf. If this has happened, you will need to remove
/etc/csf/csf.conf and then rerun the installation procedure and
reconfigure the firewall. If you're already running at least v2.18 you
can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf
and then upgrade to this release
2.20 - Added workaround for different output from the fuser application in
different OS's
2.19 - Added Security Check for recurions restrictions in named.conf
Modified port 23 check to be quicker
Added Security Check for localhost/127.0.0.1 entry in resolv.conf
Added Security Check for webmin if running
Added 3 more WHM Security Checks for domain parking
Added Security Check for boxtrapper
Added a Run Again button to the Security Check page
Added Security Checks for cPanel and security package updates
2.18 - Fixed an issue with checking the /var/tmp symlink by comparing the
inodes of /tmp and the symlink destination of /var/tmp
Added checking of /usr/tmp
Added checking of SSH PasswordAuthentication
Modified update routine to take a copy of csf.conf before upgrading -
the backup file is /etc/csf/csf.conf.preupdate
Added check in /etc/cron.daily/logrotate for /tmp noexec workaround
2.17 - Fixed installation process where duplicate entries were being added to
csf.conf for new settings. Routine added to remove duplicates and
redundant settings
Added logrotate script for for the lfd.log file
2.16 - Fixed syntax issue with the csf.deny application feature added in
v2.15 that prevents csf adding the IP to csf.deny
2.15 - Added a list of the applications that lfd blocks a login failure for
into csf.deny, e.g. (ftpd,mod_security)
Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature
will watch for changes in directories and files listed in csf.dirwatch
using an md5sum for the ls output. If the md5sum changes between
checks an email alert is sent using watchalert.txt
Modified pid file locking for the lfd process to ensure duplicate
processes won't run
Completely reworked the child reaper code to prevent SIG_CHLD kernel
errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs
Added new option to csf.fignore that allows you to ignore files owned
by a specific user by adding an entry in the format user:bob
Fixed bug in LF_DSHIELD timer code
Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch
their respective data
New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to
specify a URL where csf can grab a centralised copy of an IP allow
and/or deny block list of your own. They are both retrieved after a
LF_GLOBAL interval in seconds by lfd
Added WHM UI changes for LF_DIRWATCH_FILE
2.14 - Modification to /var/tmp check to cater for symlinks with a trailing
slash
Added check for native SSL support in cPanel in Server Check for those
versions that now support it
Added MySQL port check to Server Check
Added missing comments when clickcing Display All Comments
2.13 - Added cPanel version check to Security Check
Added suspicious symlink checking to LF_DIRWATCH
Added a Display All Comments to Security Check
Added hyperlinks to WHM URLs in Security Check comments
Fixed the Apache Limits comments of the Security Check
Added shell limit checks to Security Check
Added Background Process Killer to Security Check
2.12 - Removed duplicate /var/tmp tests
Fixed another typo
2.11 - Typo corrections in output text
Removed dependencies on external modules for the Server Check report
2.10 - Fixed /dev/shm test
2.09 - Removed the nodev check on /tmp etc
2.08 - Changed app name to ConfigServer Security & Firewall
New Feature - Added Server Security Check report to WHM UI
2.07 - Improved suspicious directory detection
2.06 - Document update
Change directory watching to only check for suspicious sub directories
2.05 - Fixed log file error if DShield or Spamhaus block list retrieval fails
Added perl regex matching in csf.fignore (see updated readme.txt)
2.04 - Added /tmp/.horde/* to csf.fignore
2.03 - Fixed a looping issue with the temporary Connection Tracking block
code
Added a 10 second timeout for the LF_DIRWATCH child to prevent looping
2.02 - In LF_DIRWATCH, allow wildcard matching at the end of a file name in
csf.fignore, such that /tmp/clamav* will ignore any files starting
with /tmp/clamav, e.g. /tmp/clamav-1234
Added a throttle to LF_DIRWATCH - if more than 10 emails are being
emailed in one pass, LF_DIRWATCH will create the file
/etc/csf/csf.dwdisable and then disable itself. To get it watching
again, either restart lfd or delete that file
Fixed a bug where LF_DIRWATCH always reported the same file when
different files had been detected in a pass
2.01 - Added an LF_DIRWATCH exception for postgres /tmp files
Prevent a file being reported more than once in an LF_DIRWATCH run
Removed LF_DIRWATCH check for files being excecutable since too many
apps set temporary files with the flag set, e.g. mod_gzip
2.00 - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp
and /dev/shm and other pertinent directories for suspicious files,
i.e. script exploits. These can optionally be moved into a tarball
Directory Watching false-positives can be listed in csf.fignore which
is accessible from the WHM UI
1.99 - Bug fix for multiple NICs in the lfd code
1.98 - Modified code to allow for multiple ethernet NICs so that all rules
are applied to all NICs, for example, if you have IP's spread over
eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+"
1.97 - Tightened DNS port 53 connections in accordance with:
http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07
Moved no log dropping to the end of the chains
Moved allowed IP's to before Block Lists
1.96 - Liberalised connections allowed to and from DNS port 53
1.95 - Fixed WHM UI update. If you're running v1.93 or v1.94 you'll have to
update from shell to get to v1.95 using:
csf -u
1.94 - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic
Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore
1.93 - Fixed problem where external resolvers were being used and responses
from them were being dropped because they were coming back on
ephemeral ports - added a scan of /etc/resolv.conf and external
nameservers now have whitelisted source port 53 to ephemeral ports
Drop logging of failed attempts to access port 53 so they don't
consume syslog
Moved update from /tmp do /usr/src
1.92 - Fixed bug where the DShield and Spamhaus block lists weren't being
periodically updated by lfd
1.90 - Minor fix to pre-configured settings
1.89 - Added Pre-configured settings for Low, Medium or High firewall security
to WHM UI
1.88 - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain
1.87 - Modified drop list chains to use their own drop logging to
differentiate from normal drop - if drop logging enabled
1.86 - Modified lfd connection tracking to drop udp as well as tcp packets
when blocking
Added support for the DShield Block List with LF_DSHIELD -
http://www.dshield.org/block_list_info.php
See csf.conf for more information
Added support for the Spamhaus DROP List with LF_SPAMHAUS -
http://www.spamhaus.org/drop/index.lasso
See csf.conf for more information
1.85 - Workaround for spam PT false-positives
Added exe:/usr/bin/spamc to csf.pignore
Added csf version to title bar in WHM
1.84 - Added new cpsrvd-ssl executable to csf.pignore for the new SSL native
cPanel setup (currently in EDGE)
1.83 - Enhanced lfd.log logging for application failure detection lines
Set lfd to ignore child processes to get rid of zombie children. If
you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can
revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE,
but you are likely to see harmless <defunct> lfd zombie processes
1.82 - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled
Extended the Advanced Allow/Deny Filters to allow use of UID and GID
filtering for outgoing packets - see readme.txt for more details
Modified code to deal with modprobe command output more cleanly
1.81 - Further modification for the newer xt iptables modules
1.80 - Modified iptables LKM modprobe code to cater for newer xt_* module
naming scheme
1.79 - Added new feature to send an alert email if su is used to login from
one account to another. Alerts are sent whether the attempt was
successful or failed
1.78 - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd
process tracking
1.77 - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels,
e.g. RH9/FC1
Modified WHM UI textareas to expand to fit file contents
1.76 - Changed WHM interface to restart csf before lfd when restarting both
1.75 - Fix to prevent duplicates in csf.deny
Added a slight pause between stop and start when restarting
Code fix for TESTING mode crontab entry removal
1.74 - Fixed lfd to when reading csf.ignore when comments present
1.73 - Added new option LF_CSF to restart csf if iptables appears to have
been flushed (i.e. stopped)
Added new option LF_SCRIPT_PERM to disable directories identified by
LF_SCRIPT_ALERT - see csf.conf for more information
Workaround to child reaper when 2 children die at the same time
Added workaround for PT spamd false-positives
1.72 - Fixed bug in (deleted) lfd checks
1.71 - Added some more exceptions to csf.pignore
Lowered the default setting for LF_SCRIPT_LIMIT to 100
Modified PT to check for deleted binaries on exemptions which happen
when upcp runs and the binaries are replaced
1.70 - PT now only reports processes with open ports
1.69 - lfd tweaks
1.68 - Additions to csf.pignore
Added new option PT_SKIP_HTTP - see csf.conf/readme.txt
Updated readme.txt regarding unavoidable false-positives and possible
mitigation.
1.67 - More tweaks to PT with additions to csf.pignore
1.66 - Updated csf.pignore file with additional executables
lfd code tweaks
1.65 - Added very simple ASCII obfuscation for lfd PT skip lines
Fixed port typo for entropychat port
1.64 - Updated CLI help and readme.txt for new csf -u command from v1.63
Changed the format of the email templates for new installations -
if you want to use the new format remove /etc/csf/*.txt and then
install csf
Added mechanism to prevent multiple email/block attempts from login
attacks in lfd
Added new feature - Process Tracking. This option enables tracking of
user and nobody processes and examines them for suspicious executables
or open network ports. Its purpose is to identify potential exploit
processes that are running on the server, even if they are obfuscated
to appear as system services. If a suspicious process is found an
alert email is sent with relevant information - readme.txt for details
1.63 - Added feature to WHM UI to enable editing of the email templates
Modified WHM UI to use fixed-width larger font for command output and
edit boxes
Added notice to install.txt and readme.txt about enabling klogd (on
VPS systems in particular)
Added autoupdates system using AUTO_UPDATES - see csf.conf for details
1.62 - Added to APF/BFD removal in WHM UI the logrotate configuration files
Added comments system to csf.allow and csf.deny - see readme.txt for
more information
1.61 - Tighten up some of the csf rules
Added new fature - LF_SCRIPT_ALERT when enabled will scan
/var/log/exim_mainlog for extended exim logging lines that show the
cwd= line for paths in /home which indicate emails sent from scripts.
If LF_SCRIPT_LIMIT emails from the same path are sent within an hour,
an email alert is sent using scriptalert.txt containing the first 10
probably exim mainlog line matches and also likely mailing scripts
within the identifed path - an ideal tool to help identify spamming
scripts sending out email through exim. The option is disabled by
default as you do need to enable extended exim logging first as
explained in the csf.conf file
1.60 - Modified lfd to use a child reaper instead of ignoring the CHLD signal
Added login failure detection of cpanel, webmail and whm connections -
this will only work for access to non-secure ports as cPanel doesn't
know the IP address of the user when connection are over SSL due to
the way stunnel works
1.59 - Added workaround to ethernet device detection for VPS servers
1.58 - Fixed problem where SSH port detection on installation would add an emtpy , if
the SSH port had not been explicitly defined in sshd_config
Modified csf and lfd ethernet device detection so that if specified in either
csf.conf or /etc/wwwacct.conf dup IP's aren't checked - useful for bonded
ethernet devices on some OS's
1.57 - Removed erroneous <CR>'s in lfd.log
csf start automatically does a restart to avoid problems with any
existing iptables rules or chains
Added new option "Deny Server IPs" and associated file csf.sips to
allow blocking of all traffic on server configured IP's if they're
not in use
Added notification to CLI and WHM UI if TESTING still enabled
1.56 - lfd modification to avoid a race condition with the ALRM calls
Added new feature - /etc/csf/csf.ignore can contain IP addresses that
are ignored by lfd. If an event is triggered it may be logged in
lfd.log but will not result in an email alert - e.g. you could list
your own IP address to avoid alerts from when you login over SSH, etc
Added WHM UI option to edit the ignore file
1.55 - Fixed a strict refs issue in lfd
1.54 - Fixed IP DNS lookup routine to avoid empty () when no host found
Added local DIE for ALRM calls for IP lookups and netstat commands
Removed chkservd restart from /etc/init.d/lfd so that it behaves like
other monitored services
Improved error trapping routines to better report to lfd.log if the
process dies
1.53 - Optimised logging in lfd
Improved error handling and reporting in lfd
Modified WHM UI report to include all data, not just a single day
Improved DROP logging to SYSLOG
Added logging of dropped ICMP connections
Added new option DROP_IP_LOGGING to log IP addresses that have been
blocked in csf.deny or by lfd with temporary connection tracking
blocks
1.52 - beta test release
1.51 - Added DNS lookups for IP addresses in all lfd alert emails
1.5 - Added new feature - Connection Tracking. Enables tracking of all
connections from IP addresses to the server. If the total number of
connections is greater than CT_LIMIT then the offending IP address is
blocked in csf, or temporarily blocked in iptables. This can be used
to help prevent some types of DOS attack
Added new feature - SSH login alerts. An email is sent if a successful
SSH login is detected
Fixed a descriptive issue with the WHM UI
Modified so that lfd checks that it doesn't block a server IP
1.42 - Modified lfd login tracking to check the csf.allow file for an
offending IP address and to skip it if it's allowed - note this only
works for specified full IP addresses (not CIDRs or advanced port/IP)
1.41 - Added an exception for 127.0.0.1 when checking ethernet interfaces as
VPS servers are setup with that IP on both the loopback and main
interface
1.4 - Fixed error routine iptables flush command typo
Modified interface checking for non-english Linux distributions
Modified interface checking for IP addresses assigned to multiple
interfaces by mistake (I've just seen this happen!)
Set FORWARD chain to ACCEPT on stopping firewall
Reorganised csf.pl code
Added advanced port+ip filtering within csf.allow and csf.deny with
the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info)
Added link to readme.txt in WHM interface
Added iptables status (Running/Stopped) to WHM interface
Added Quick Allow and Quick Deny IP address options to WHM interface
1.33 - Added blocking of SSL POP3 and IMAP ports to LT (993/995)
Added option to Restart csf+lfd within WHM interface when appropriate
Added buttons to WHM interface to remove APF or BFD if still installed
Removed csf nat and mangle chain actions
1.32 - Modified log line checking to deal with syslog compression. This is
where syslog will add a line "last message repeated X times" if the
next line it were to add is identical to the last. This could lead to
login attempts being missed. But no more - lfd now checks for that
line and repeats the processing of the previous log line X times to
count all the login failures
1.31 - Removed some redundant code from csf
Display error in csf if IP already in allow/deny file
Stopped install.sh from overwriting email templates
Added email notification for login tracking including a new email
template tracking.txt
Added mod_security apache module IP blocking in lfd
1.3 - Fixed a problem with the tick time in the alert report
Changed the way allow and deny IP addresses are inserted into iptables
so that using the command line -a or -d doesn't require a firewall
restart
csf -l now shows iptables line numbers
Added login tracking (LT) options to keep track of POP3 and IMAP
logins and limit them to X connections per hour per account per IP
address. Uses iptables to block offenders to the appropriate protocol
port only and flushes them every hour. All of these blocks are
temporary and can be cleared by restarting csf
1.21 - Added the real log file failure entry matches to the alert email. Existing
installations will need to add a [text] variable into
/etc/csf/alert.txt
Added link in WHM to the ChangeLog if a new version is available
1.2 - Fixed uninstall script to remove lfd from chkservd
Fixed lfd so that checks were not made on options where a log file is
shared
Fixed lfd stop/start to dis/enable chkservd option
Added upgrade feature to WHM when a new version of csf is available
1.11 - Use full paths to chkconfig within the csf installation scripts
Documentation improvements
1.1 - Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks
an IP address. lfd now forks a child process to handle the IP blocking
and email so that it doesn't hinder the daemon process from scanning
the logs. It uses a template file for the email.
1.0 - Initial public release
Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading
Check /var/log/messages and /var/log/secure for SSHD logins
Clarified in the configuration file that only courier-imap/pop3
connections are trapped in lfd
1.0RC2 - Added filtering out of \r in WHM interface for allow and deny
Fixed typo in WHM addon
Added new configuration option ALLOW_RES_PORTS
1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch:
http://sourceforge.net/projects/fwlogwatch/
This processes /var/log/messages and extracts the iptables log entries
(if logging is enabled) and produces a simple HTML summary report
0.2b - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat
module installed
Modified lfd to use asterix in the log message when blocking to
highlight in Thunderbird in the same way as the kernel log messages if
you use the "Quote Colors" extension - http://quotecolors.mozdev.org/
Added list of TCP and UDP ports currently being listened on to install
Set DNS_ZONE to default to 1
Removed backups of csf.conf files as the WHM interface is stable
Added ipt_owner module load for SMTP Tweak on LKM kernels
Added ipt_LOG to the required module list for LKM kernels to ensure
drop logging to syslog
Added new configuration option DENY_IP_LIMIT
0.1b - Initial beta release (24 May 2006)