ChangeLog:

14.10 - Fixed error message regarding location/permissions of the iptables binary that incorrectly referenced ip6tables
        Added PASV port range hole for VZ servers on cPanel for new installs
        Fixed MESSENGERV3 Apache tree search where ServerRoot is not configured so that csf defaults to /etc/apache2/ and relative Includes are still resolved correctly
        Modified LF_BIND regex to deal with new log field

14.09 - Improvements to CC IP lookup binary search
        Modified index.recaptcha.php and index.php to use square instead of deprecated curly brackets on array index for PHP v7.4+
        Modified Server Check regex matching on include in dovecot config files in RHEL v8+
        Added workaround for iOS issue with bootstrap modals
        Added EOL messages to Server Check report
        Modified dovecot.conf parsing on cPanel for include_try in Server Check
        Modified Apache 404 regex to check for either "info" or "error"
        Added two new CLI options: --temprma [ip], --temprmd [ip]. This allows a distinction between allow and deny that does not exist for --temprm [ip]
        Updated UI to offer either --temprma [ip] or --temprmd [ip] instead of --temprm [ip]
        Added PHP v7.2 EOL notice to Server Report

14.08 - Added missing images/ subdir to webmin and interworx installers
        Added new option LF_TEMP_EMAIL_ALERT. This allows the disabling of temp IP block emails. It is enabled by default (send temp email alerts as before)

14.07 - Added missing images/ subdir to DA installer

14.06 - If DOCKER is enabled and the iptables nat table exists, csf now creates a DOCKER chain in the nat table for IPv4
        cPanel additions to csf.pignore on new and existing installs
        Disable reputation service on error
        Added new options MESSENGERV3PERMS and MESSENGERV3GROUP for the creation of the MESSENGER_USER public_html directory.
        See csf.conf for information, defaults set for each install control panel type where possible
        Added exe:/sbin/rngd to csf.pignore for new installations

14.05 - Modified dovecot pop3d/imapd log line parsing to repeat single lines reporting multiple login failure attempts
        Additional entries in csf.pignore for new installs on CyberPanel v2
        cPanel additions to csf.pignore on new and existing installs
        Convert IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) found in /proc/net/tcp6 back to IPv4

14.04 - Added two new options: CC_MESSENGER_ALLOW, CC_MESSENGER_DENY. These options can control which Country Code IP blocks are redirected to the MESSENGER service, if it is enabled
        Fixed some typos in csf.conf
        Added DirectAdmin diagnostics to the admin UI for session security checks, together with a method to skip the checks if desired

14.03 - Updated DSHIELD blocklist to use https
        Updated Server Check PHP EOL information
        Improved DA session checking
        Improved DA Server Check report
        Modified cpanel.comodo.allow and cpanel.comodo.ignore with an additional IP address
        MESSENGERv3 now out of BETA testing
        Added UDP ports 80 and 443 to UDP_IN/UDP6_IN for new installations to support QUIC/HTTP3
        Modified DA regex for Roundcube v1.4+
        Modified DIRECTADMIN_LOG_R to point to /var/www/html/roundcube/logs/errors.log for Roundcube v1.4+ by default on new installs and change for old installs if not already set
        Added a new DA regex for phpMyAdmin
        Modified iframe resizer on DA, thank you to Martynas @ DirectAdmin
        Updated Integrated User Interface documentation to point to the latest Apache docs
        Added newly generated self-signed keys for lfd UI
        Updated Server Report descriptions for cPanel
        Updated Server Report for systemd processes
        Added back cPanel update check to the Server Report now that it has been reinstated by cPanel
        Removed outdated Server Report checks

14.02 - Added new BETA TESTING option: MESSENGERV3. This provides the MESSENGER service utilising the local webserver.
        It currently supports Apache v2.4+ and Litespeed/Openlitespeed. As the first iteration this likely contains bugs and may not be suitable for production environments. See csf.conf and readme.txt for more information
        Changed Country Code Lookup source to ipdeny.com
        Added CC_ALLOW_SMTPAUTH to all configurations for the benefit of servers other than cPanel running Exim
        Modified CC_ALLOW_FILTER to allow RELATED,ESTABLISHED connections through so that replies to outgoing connections from remote sites not in CC_ALLOW_FILTER are accepted
        Added a note in csf.conf regarding MESSENGER_CHILDREN, that consideration needs to be made for local images displayed on the page. The default has also been increased to 20 for new installations
        Modifications to MESSENGER server to speed up connection response time and improve stability
        Modifications to LFD UI and CLUSTER server to improve stability
        Added sudo login alerts: LF_SUDO_EMAIL_ALERT. This will send an email alert using the sudoalert.txt template whenever there is a failed or successful sudo login attempt. SUDO_LOG must be set to the correct log file. LF_SUDO_EMAIL_ALERT is disabled by default
        Added new entry in csf.pignore on cPanel servers for v86+: exe:/usr/libexec/dovecot/imap-hibernate
        Added Server Check for EOL PHP v7.1
        Removed cPanel update checks from the Server Report now that the options are no longer available in cPanel v86+

        NOTICE: We are deprecating support for Virtuozzo/OpenVZ servers. Future releases will not take into consideration those platforms, which have become onerous to support.
        The software application may continue to work but support and functionality are no longer guaranteed

14.01 - Changed mailman listings in csf.pignore on cPanel servers to cater for changes in python versions in RHEL v6/7 and 8
        Fixed issue where CC_ALLOW_FILTER, when not using IPSET but using SAFECHAINUPDATE, would cause the new chain to be created in the wrong place by lfd when the zone is retrieved/updated
        Fixed issue when using CC_ALLOW_FILTER with IPSET enabled not adding the final DROP rule in lfd
        Further modifications to support RHEL/CentOS v8
        Fixed issues with MESSENGER and CLUSTER server listeners terminating prematurely

14.00 - Added alternative database for Country Code Lists and Settings. These do not currently require logins/keys and in some cases are better optimised. A new setting CC_SRC allows switching between sources. For new installations these new sources are used. Existing installations are configured to continue to use the MaxMind databases. See the "Country Code Lists and Settings" section in /etc/csf/csf.conf for detailed information
        Added binary locations for CURL and WGET which will be tried if data retrieval fails when using the LWP perl module, e.g. on outdated OSes
        Added new option for URLGET setting "3". This allows the use of either CURL or WGET instead of the perl modules

13.12 - Modified CyberPanel installation to support move to python3

13.11 - Fixed interdependence issue between Country Code lookups and Country Code filters in lfd introduced in v13.09
        Improved MM_LICENSE_KEY error messages

13.10 - Removed hard-coded date from MaxMind ASN url

13.09 - Due to MaxMind changing their free download policy to require signup and a license key, a new option MUST be configured to continue to use Country Code lookups (CC_LOOKUPS). The option MM_LICENSE_KEY must be set to the key obtained from the MaxMind site.
        See: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
             https://www.maxmind.com/en/geolite2/signup
        Note: Existing installations will continue to use databases downloaded before the MaxMind change, though these may be cleared after CC_INTERVAL
        Changed CC_LOOKUPS option 4 from freegeoip.net to db-ip.com as the former no longer exists
        Fixed System Stats graphs not displaying on CyberPanel
        Updated csf control panel reporting in version display

13.08 - Added official CyberPanel integration and CyberPanel panel specific configuration (only tested on CentOS v7)
        More changes to support RHEL/CentOS v8

13.07 - Added format requirements for ASN entries in CC_* settings
        Removed SSHDSPAM exploit check as it's no longer critically relevant
        Modifications to support RHEL/CentOS v8
        Modified systemd service to cater for RHEL/CentOS v7.7 pidfile symlink check changes
        Fixes and improvements to UI Ajax code
        Removed legacy bandmin code for cPanel servers and LF_CPANEL_BANDMIN setting
        Modified default InterWorx csf.conf to set SMTP_ALLOWGROUP appropriately for SMTP_BLOCK

13.06 - Removed debugging code from log file globbing routine
        Fixed reseller UI HTML text for each supported control panel
        Replaced the need in InterWorx for a custom Firewall.php with a preAction to intercept calls instead
        Moved csf in InterWorx to the Advanced section in Plugins UI
        Updated the InterWorx plugin.ini information to be more descriptive

13.05 - Added official CentOS Web Panel (CWP) integration and CWP panel specific configuration.
        See /etc/csf/readme.txt for more information (only tested on CentOS v7)
        Added official VestaCP integration and VestaCP specific configuration (only tested on CentOS v7)
        Additional entries to csf.pignore for new DirectAdmin installations
        Corrected DirectAdmin UI link text
        Fixed UI presentation HTML
        Fixed vsftpd regex for single-digit day of the month
        Modified Debian installation to detect ip(6)tables-legacy and use update-alternatives to switch to using them
        Modified InterWorx installation to not use chattr on /etc/apf/apf stub which was preventing apf upgrading. The lfd daemon will now reapply the stub if needed
        Modified Server Check on DA to get case-insensitive config from the binary rather than the directadmin.conf file
        Modified csf warning text on cPanel DNSONLY servers regarding the smtpgidonlytweak to disable it from the CLI as it is not currently possible from the DNSONLY WHM UI

13.04 - Fixed issue with ConfigServer::CheckIP generating incorrect IPv6 addresses during validation using Net::CIDR::Lite
        Added UI entry for editing csf.reseller for DirectAdmin and InterWorx

13.03 - Fixed PATH issue in DirectAdmin installer when used from within the UI to upgrade

13.02 - Removed perl CGI::Carp module use from the DirectAdmin reseller UI as the module may not be present

13.01 - Added reseller support in InterWorx
        Added reseller support in DirectAdmin
        Added login failure detection on InterWorx (v6.3.16+). If LF_INTERWORX is enabled, INTERWORX_LOG will be scanned for login failures to NodeWorx and SiteWorx. This is enabled by default on all InterWorx installations
        Fixed text in Firewall.php stub in InterWorx
        Improved UI display in DA
        Improved UI display in InterWorx
        Fixed InterWorx UI issue with "Service Status" NodeWorx feature caused by Firewall.php stub
        Created cronjob to check for new product versions for the UI (/etc/cron.daily/csget). A manual check is still available if needed.
        This does not affect the daily upgrade check if enabled

13.00 - Added InterWorx integration and InterWorx panel specific configuration. See /etc/csf/readme.txt for more information (only tested on CentOS v7)
        Added InterWorx regex detection for proftpd, dovecot imap, dovecot pop3, and smtp auth login failures. Added regex detection for LF_DISTSMTP and LF_DISTFTP. Added regex detection for LF_CXS and LF_MODSEC. Added Login Tracking for LT_POP3D and LT_IMAPD
        Ensure UI errors are displayed in browser to avoid blank pages
        Display install.txt if perl module checks fail
        Reworked DirectAdmin UI to display within the parent template

12.12 - Updated CloudFlare code to use GET instead of POST to retrieve the id of an entry as POST in the API is no longer working, which affected entry deletion
        Modified --denyrm [ip] to not remove "do not delete" entries. This now must be done by editing /etc/csf/csf.deny to prevent unintentional unblocking, e.g. by MESSENGER reCAPTCHA or the UI
        MESSENGERv2: Set KeepAlive to Off
        Added new csf CLI cluster option: -cir, --cirm ip. This will remove the IP from each remote /etc/csf/csf.ignore member and then restart lfd. This has also been added to the UI
        Added missing comment to cluster --ctempdeny entries
        Added missing timestamp to cluster --cignore entries
        Cluster command --cignore now checks for duplicates

12.11 - Added port 8443/tcp to cPanel server new installs to cater for the v80 calendar service. Existing installs will need to be modified manually if the service is used by adding the port to TCP_IN and TCP6_IN
        Updated various EOL version checks in Server Report
        Updated version modification system to check existing version before performing updates.
        Ensured that updates are applied chronologically

12.10 - Added routine to select from multiple download servers for script updates
        Added Sectigo (formerly Comodo) IPv6 DCV addresses to cpanel.comodo.allow and cpanel.comodo.ignore
        Added support to LF_CXS for litespeed logs on cPanel
        Added exception to csf.fignore for NodeJS yarn temporary files in cPanel v80

12.09 - Added new option CT_SUBNET_LIMIT. If the total number of connections from a class C (/24) subnet is greater than this value then the offending subnet is blocked according to the other CT_* settings. This option is disabled by default
        Removed ALTTOR from csf.blocklists on new installations as it has been discontinued
        Use ConfigServer::Slurp to read csf.resellers to avoid invalid line endings
        Modified CLUSTER_SENDTO and CLUSTER_RECVFROM so that they can be set to a file instead of listing IPs within the respective setting. See csf.conf for more details
        Removed open_basedir check on cPanel servers in Server Check
        Fixed csf.conf typo
        Updates to Courier IMAP regexes for Plesk

12.08 - Removed debugging code from lfd output
        Improvements to the reason text information for IPs and the CC_LOOKUPS information for netblocks in LF_PERMBLOCK and LF_NETBLOCK reports

12.07 - Added commented out regex lines in csf.pignore on cPanel servers for the upcoming ubic implementation by cPanel
        Added port 53 filters in cpanel.comodo.allow on cPanel servers
        Added postfix support for LF_DISTSMTP
        Switched Sendmail and URLGET modules from using croak to carp to avoid unexpected parent death from child failure
        Double fork external commands in DA UI to work around DA mod_perl restrictions, allowing full functionality
        Added reason text information for IPs and CC_LOOKUPS information for netblocks to LF_PERMBLOCK and LF_NETBLOCK reports and csf.deny entries

12.06 - Removed new regex for LF_EXIMSYNTAX

12.05 - Removed rbl.jp RBLs from csf.rbls
        Modified Project Honey Pot blocklist URLs to use https
        Ignore $SIG{PIPE} when running ipset
        Ensure csf shows ipset warnings
        Added osmd to
        lfd restart routine when cPanel upgrades
        Modified Server Check to look for underscore as well as dash settings
        Added test in lfd to ensure the pidfile is open before attempting to close it
        Added new regex for LF_EXIMSYNTAX
        Added new option: URLPROXY. If you need csf/lfd to use a proxy, then you can set this option to the URL of the proxy

12.04 - Updated license terms for GDPR compliance

12.03 - Made CC_IGNORE check case-insensitive
        Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, PT_* and PT_SSHDKILL)
        Updated cxs FontAwesome to v5
        Added fixes for additional Include line processing
        Fixed race condition when processing CC_* zip files that could sometimes prevent the csv files from being extracted
        Updated HTTP::Tiny to v0.070

12.02 - Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
        Added more CLI options that work if csf is disabled
        Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under "Include statement in configuration files" for the list of supported files
        Added mangle and raw tables to csf --grep [IP] and modified output to show a new column with the table then the chain that a rule is in
        Added mangle and raw tables to csf --status output and modified output to show a new header line with the table that a rule is in
        Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
        Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request); all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6
        Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
        Updated csf.conf documentation relating to the ICMP/PING settings
        Added new option ICMP_TIMESTAMPDROP.
        For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk, but it can impact network performance, so it should be left disabled by everyone else
        csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
        USE_CONNTRACK is now enabled by default on new installations
        Fixed DOCKER IPv6 warning message when DOCKER not enabled
        Modified csf.blocklists for GREENSNOW to use https on existing and new installations

12.01 - Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files
        Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist
        CC_OLDGEOLITE set to "0" on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set
        Note: The old MaxMind GeoLite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases

12.00 - Added support for GeoLite2 databases from MaxMind for CC_*. These databases are significantly larger than the soon to be deprecated GeoLite ones stored in /var/lib/csf/
        Added support for GeoLite2 databases from MaxMind for CC_LOOKUPS and CC6_LOOKUPS
        Added new option: CC_OLDGEOLITE. This option is enabled by default to continue using the old GeoLite databases. See csf.conf for more information. This option will be removed in the near future so that all installations use the new GeoLite2 databases
        GeoLite2 lookups now use the CSV files instead of the formatted Data files because the Perl dependencies for the MaxMind Perl modules that access the Data files are prohibitively excessive.
        We have developed our own fast binary search module to perform the required lookups on the CSV files for both IPv4 and IPv6
        An advantage of the new GeoLite2 databases is that IPv6 lookups can now be done to the same level as IPv4: Country Code; Country; Region; City; ASN
        Unified storage of GeoLite2 database to avoid duplication between CC_LOOKUPS and CC_* databases
        Added new CC_LOOKUPS value of "4". This option does not use the MaxMind databases directly for lookups. Instead it uses a URL-based lookup from a third-party provider at https://freegeoip.net and so avoids having to download and process the large databases. See csf.conf for more information and limitations
        Modified CC_INTERVAL default to 14 days on new installations
        Ensure MESSENGERV2 service will not start if using a valid cPanel account in MESSENGER_USER (must be a non-cPanel account)
        Create entry in /etc/aliases for "csf" if MESSENGERV2 is enabled on cPanel servers to reserve the account name
        Added new feature: DOCKER support. This configures iptables rules to allow Docker containers to communicate through the host. This is currently in BETA testing. See csf.conf for more information. Thanks to Marcele for the rules
        Removed redundant nat table check for ip6tables in Config.pm
        Replaced all remaining bareword file handles

11.07 - Added missing WAITLOCK to iptables when processing advanced port filters in csf and lfd and checking csf status in UI
        Added WAITLOCK, if enabled, to iptables-restore commands during FASTSTART
        Server Check Report - removed ini_set check as so many scripts use ini_set nowadays. Updated text on various checks
        Updated the postfix SMTP AUTH regex
        Added new SSHD "maximum authentication attempts exceeded" regex
        Set basic PATH before running csfpre.sh/csfpost.sh to avoid binary location issues
        csf now runs csfpre.sh/csfpost.sh directly without forcing it through /bin/sh. If present, csf chmods the script 0700 and checks for a shebang.
        If the shebang is missing, #!/bin/bash is added to the top. The script is then run
        Added seventh parameter to regex.custom.pm to allow Cloudflare blocking if a CUSTOM regex is triggered (see latest regex.custom.pm in distro)
        Rearranged UI tabs and shortened tab names. Moved quick actions to the top of the "csf" tab pane
        Added "AUTH command used when not advertised" to the LF_EXIMSYNTAX regex check
        Added new csf CLI cluster option: -ci, --cignore ip [comment]. This will add the IP to each remote /etc/csf/csf.ignore member and then restart lfd. This has also been added to the UI
        Fixed cluster grep output in UI
        Modified MESSENGERV2 to support combined certificates+keys in cPanel v68+
        Added triggered setting and, if applicable, temporary TTL to the "Blocked:" status in block alert emails
        Added "wildcard" option to "Search System Logs" UI to use ZGREP to search the specified log with a wildcard suffix. ZGREP option added to csf.conf which must point to the zgrep binary
        Added git binaries to csf.pignore on cPanel servers for upcoming v72/74 features

11.06 - Modified Integrated UI to use new cxs UI perl modules
        Added custom redirect line for webmin UI when STYLE_CUSTOM enabled
        Ensure ip6tables nat table is flushed if present whether MESSENGER is enabled or not

11.05 - Added new configuration option PT_SSHDKILL. This option will terminate the SSH processes created when blocking an IP
        Added a "Fix Common Problems" section to the csf UI for various common configuration issues
        Ensure application ports are always defined in lfd

11.04 - Added new configuration option LF_APACHE_ERRPORT. This option is used to determine if the Apache error_log format contains the client port after the client IP.
        By default it is set to autodetect

11.03 - Improvements to ajax output in integrated UI

11.02 - Integrated UI fix for CloudFlare page
        Removed non-participated deny options for cxs reputation service
        Changed PT_SSHDHUNG to use a regex for process cmdline detection
        Fixed issue with IPv6 client detection in Apache logs

11.01 - Corrections to readme.txt
        In UI, display long output in fixed height divs with scrollbars and a font size changer
        Modified Server Check to not display the mod_cloudflare warning if CF_ENABLE enabled
        Modified Server Check to display a single warning for each PHP check listing affected versions instead of multiple warnings
        Additional exim check added to Server Check
        Improvements to ajax output in UI

11.00 - New Feature: CloudFlare Firewall integration. This feature provides blocking and unblocking functionality with the CloudFlare Firewall from within lfd, together with new CLI commands for direct access. See documentation for CF_ENABLE in csf.conf, information in readme.txt as well as the csf man page
        Added UI elements for CloudFlare Firewall integration
        New CLI command --trace [ip]. This replaces the --w, --watch CLI command to log SYN packets for an IP across iptables chains by using the iptables TRACE module
        New Feature: Check the size of the ModSecurity IP D/B. This option will send an alert if the ModSecurity IP persistent storage grows excessively large. This is enabled on cPanel by default. See csf.conf for more information
        New Feature: Allow use of comma separated list of ports in Advanced Allow/Deny Filters
        WATCH_MODE in csf.conf and --w, --watch CLI commands removed in favour of the new --trace [add/remove] [ip] CLI command
        Restrict the scope of Perl shebang replacement when installing on cPanel servers
        Modifications and fixes for the example MESSENGERV2 templates
        Ensure /proc/sys/net/netfilter/nf_conntrack_helper is enabled at startup to allow connection tracking to continue working on newer kernels
        Stop needlessly setting
        and elements in Ajax returns
        Various corrections and updates to readme.txt
        Tweaks to the Mobile View UI button arrangement and spacing

10.25 - CSS change to UI configuration page
        Remove refresh timer from UI log file grep

10.24 - On webmin servers, added csf.body file to UI skinning (STYLE_CUSTOM). See readme.txt for more information

10.23 - On cPanel servers, ensure that the csf driver for WHM is removed on uninstall
        Added hooks for upcoming cxs IP Reputation Service
        On webmin servers, added csf.htmltag and csf.bodytag files to UI skinning (STYLE_CUSTOM). See readme.txt for more information
        MESSENGERV2 released as stable on cPanel servers. This uses the Apache http daemon to provide the web service for MESSENGER HTML and HTTPS
        Additions to csf.logignore on new installs
        Added IPv6 support to BLOCKLISTS
        Added Spamhaus DROPv6 and Stop Forum Spam IPv6 blocklists to csf.blocklists
        Removed Spamcannibal from, and added all.s5h.net to, csf.rbls
        Fixed issues with IPv6 rule creation attempts when IPV6 disabled
        Automatically enable WAITLOCK on initial installation if supported

10.22 - Fixed issue with the ModSecurity regex modification in v10.20

10.21 - Ensure /etc/logrotate.d/lfd is overwritten on upgrade

10.20 - Prevent lfd logrotate from erroring if log files missing
        Modified Apache ModSecurity regex to cater for changes in logging format on cPanel servers with ModSecurity v2.9.2
        Modified Apache cxs regex to cater for changes in logging format on cPanel servers with ModSecurity v2.9.2
        Ensure destination files are owned by root during installation

10.19 - MESSENGERV2: Take a copy of the live certs and keys and use these in csf.messenger.conf to work around changing filenames for keys and certs when they are regenerated, which causes httpd to fail. This is done each time lfd restarts
        Added CLI option csf --mregen: MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration.
        This will also gracefully restart httpd

10.18 - Stability improvements to the UI daemon
        Fixed MESSENGER log entry spelling

10.17 - Prevent Cluster and UI daemons from terminating the main process if they themselves terminate
        Modify Cluster and UI daemons to restart if they are stopped or fail
        Modify Cluster and UI daemons to be more verbose about reasons for stopping
        Fixed typos in readme.txt and csf.conf
        Added MESSENGER child logging to /var/log/lfd_messenger.log, also for MESSENGERV2 via a new index.recaptcha.php
        Modified logrotate configuration to include /var/log/lfd_messenger.log

10.16 - Fixed issue in 10.15 which was causing the Cluster daemon to exit unexpectedly

10.15 - New EXPERIMENTAL feature on cPanel servers: MESSENGERV2. This uses the Apache http daemon to provide the web service for MESSENGER HTML and HTTPS
        Added new option LF_APACHE_401 that works in a similar way to LF_APACHE_404 and LF_APACHE_403
        Added new option RECAPTCHA_ALERT. This will send an email when a recaptcha unblock request is attempted by lfd.
        This option is enabled by default
        Stability improvements to UI, MESSENGER and CLUSTER daemon processes
        Added memory usage information to lfd log when using MESSENGER_HTTPS
        Add limiter to enforce MESSENGER_CHILDREN when connections are waiting for a child process
        Modify MESSENGER HTML examples for new installs to use inline images to improve page load speed and reduce lfd overheads
        Modified network interface detection to allow dash (-) in name
        URL updates in Server Check
        Increased the default value for MESSENGER_RATE to 100/s (from 30/m) and MESSENGER_BURST to 150 (from 5) for all installations to alleviate slow MESSENGER response times
        Set the SELinux security context for systemd and executable files
        Ensure firewalld is masked on systemd servers

10.14 - Made configuration checks on iptables more fault tolerant to avoid unnecessary failures while loading
        Removed openbl.org from csf.blocklists for new and existing installs
        More generic binaries added to csf.pignore

10.13 - Fixed looping/timeout of integrated UI children when Chrome client is used

10.12 - Configured UI to fully integrate with cPanel templates without using iframes
        Configured UI to display full cPanel breadcrumbs
        Configured UI to support cPanel v66 WHM UI changes

10.11 - Modified username regex for csf.syslogusers
        Fixed issue with /var/lib/csf/lfd.stats excessive growth

10.10 - Modified HTML to cater for major change in cPanel v66

10.09 - Added new option DROP_OUT which is set to "REJECT" by default. This option sets the default target for blocked outgoing ports. See csf.conf for more information
        Added improved detection of xtables lock and recommend enabling WAITLOCK on error
        Improved csf down detection when xtables lock in effect and WAITLOCK is not enabled
        Added support for listing ASNs in CC_IGNORE

10.08 - Added cpanel.allow and cpanel.ignore Include files for the cPanel authentication servers.
        These are included on new installations and added to existing files on cPanel installations
        If running cPanel 1:1 NAT, use the contents of /var/cpanel/cpnat to whitelist/ignore the external IP addresses

10.07 - Fixed bug when using RECAPTCHA_NAT where the listed IPs were not correctly processed
        Server Check now follows includes in dovecot.conf
        Server Check now reports RHEL/CentOS/CloudLinux v5.* as EOL

10.06 - Added new entries in csf.pignore on cPanel servers for:
            exe:/usr/libexec/dovecot/indexer
            exe:/usr/libexec/dovecot/indexer-worker
        Croak if IPTABLES is not set, incorrect or not present in csf.conf
        Set SELinux context for /etc/logrotate.d/lfd on new generic installs

10.05 - Fixed table header html/css
        Added workaround for adding superusers listed in /etc/csf/csf.syslogusers to the RESTRICT_SYSLOG_GROUP if the log socket is not accessed via the owner permissions
        Changes for cPanel v64 template
        Updated text description in csf.dirwatch for new installs

10.04 - Added error message to RECAPTCHA_* if the non-privileged user cannot write to its home directory
        Further improvements to RECAPTCHA_* hostname check

10.03 - Added new option MESSENGER_HTTPS_SKIPMAIL on cPanel installations. This option ignores ServerAlias definitions that begin with "mail.". This can help with memory usage on systems that do not require the use of MESSENGER_HTTPS on those subdomains.
        The option is enabled by default on cPanel servers
        Improved RECAPTCHA_* hostname check
        Cluster CLI can now block CIDRs, e.g. LF_NETBLOCK blocks will be applied cluster-wide

10.02 - Modified Messenger HTTPS to cater for a wider range of Apache VirtualHost formatting
        Added Messenger HTTPS workaround for servers using PEM but a version of IO::Socket::SSL that does not yet support it (pre v1.988)
        Added Messenger HTTPS warning in csf.conf regarding memory usage on some servers using the option
        Added java binary for cPanel solr process to csf.pignore on new and existing servers

10.00 - Added new feature to MESSENGER: MESSENGER_HTTPS*. See /etc/csf/csf.conf for more detail. This option redirects blocked IP addresses that connect over an HTTPS connection (port 443) to the HTML MESSENGER service. The option uses existing SSL certificates on the server for each domain to maintain a secure SSL SNI connection without browser warnings. The setting is disabled by default
        Note: The perl module IO::Socket::SSL (v1.83+) with support for SNI must be available to use MESSENGER_HTTPS*, otherwise it will be disabled
        Added new feature to MESSENGER: Google reCAPTCHA (v2) to allow those blocked in the firewall to unblock themselves. See RECAPTCHA_* in /etc/csf/csf.conf for more details and limitations
        Added MESSENGER procedure to restart listening sub-process if it has died
        Moved MESSENGER processes to a separate module
        Ensure that all forked processes terminate appropriately
        On cPanel servers, use the cPanel WHM Template to support the new v64 UI layout (as best we can to maintain the look that we want)
        Modified the cPanel csf ACL metadata and driver Perl modules to match new requirements for v64 and also maintain backwards compatibility

9.30 - Fix to try and resolve cluster send/recv issues (Note: _All_ members of the cluster need to be running v9.30 for clustering to function correctly)

9.29 - Fixed issue that was breaking LF_DISTSMTP
       Fixed issue in UI lfd Stats.
       Note: The lfd stats data file has been renamed from /var/lib/csf/stats/lfdmain to /var/lib/csf/stats/lfdstats. Additionally, the stats for 2016-12-31 will reset to 0 due to this bug
       Corrected text in readme.txt
       Added new csf CLI cluster option: -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]. This sends a temporary deny request to the cluster
       Added new csf CLI cluster option: -cta, --ctempallow ip ttl [-p port] [-d direction] [comment]. This sends a temporary allow request to the cluster
       Added new csf CLI cluster option: -cg, --cgrep ip. This requests the --grep output for [ip] from each cluster member
       Modified cluster requests to respond with an acknowledgment to the sender
       Modified --cdeny [ip] and --callow [ip] to include optional comment
       Added separate tab for Cluster options in UI if enabled and added new cluster temp allow/deny commands to UI
       Modified Port Scan Tracking. UDP packets destined for the network broadcast address(es) will now be ignored in Port Scan Tracking unless BRD is added to PS_PORTS. The broadcast address(es) include those listed in IP or IFCONFIG plus the default (255.255.255.255) unless it is one of the server's IPs
       Added new feature: PT_USERRSS. This User Process Tracking option sends an alert if any user process exceeds the RSS memory limit set (RAM used, not virtual). PT_USERRSS is set to 256 (MB) and PT_USERMEM is now set to 512 (MB) by default on new installations. On existing installs PT_USERRSS is set to the same value as PT_USERMEM

9.28 - New logo added and configured for cPanel plugins
       HTML fixes
       STYLE_CUSTOM is now set to 0 by default on all new installations.
        If you want to choose custom styling this option can be enabled
9.27 -  Fix for UI Quick Unblock button
        Fix for UI main page [ENTER] not working on all forms
9.26 -  Fix for webmin UI when watching logs
        Various UI html syntax fixes
        Reduced UI banner padding
        Port 23 added to DROP_NOLOG for new installations
        WAITLOCK taken out of beta
        Modified UI View Listening Ports
        Reworked main UI table to produce syntactically correct HTML
        Fixed duplicate HTML top and bottom page elements
9.25 -  Correct csf lookup failure message
        Converted UI icon for temp allow removal to new format
        Simplified Configuration display of radio toggles to help screen readers
        Added patch to send message text for CLUSTER blocks
9.24 -  UI html fixes
9.23 -  Added upgrade note to the top of the UI if available
        UI improvements for integrated cse and interface to cxs
        Added Scroll to Top/Bottom buttons
        Consolidate images, css and javascript into a common directory in the installer
9.22 -  Modify UI temporary IP deny buttons to not wrap in table
        Modified UI Statistics images to be responsive
        Modified readme.txt to detail additional UI styling options
        Added two new options STYLE_CUSTOM and STYLE_MOBILE relating to UI styling
        Globalised SIGNALs where needed to help prevent zombie children
        Modified UI to use container-fluid to improve whitespace use
        Modified pre tags to wrap on whitespace
9.20 -  Redesigned UI based on Bootstrap
        New functionality: Added integrated mobile device view with subset of functions
        Modified csf to not warn about the SENDMAIL binary if LF_ALERT_SMTP is enabled
        Added use of the ace editor if present on cPanel installs to edit files. Added toggle to switch back to textarea.
        Added buttons to decrease and increase font size in editor
        Modified readme.txt to include information regarding changing styles and disabling Mobile View
9.14 -  Fixed LOGSCANNER logging to only report to the log if DEBUG enabled
        Added new BETA options WAITLOCK and WAITLOCK_TIMEOUT which provide support for the iptables --wait option
        Added UI support for cxs with Bootstrap
9.13 -  Modify Server Check to prevent hanging process for CloudLinux PHP versions prior to v5.2
9.12 -  Improved LOGSCANNER accuracy of hourly and daily runs between restarts
        Added more binaries on cPanel servers to csf.pignore for cPanel v60
        Fixed repeated check for PHP open_basedir in Server Check
        Do not perform suexec check if mod_ruid2 enabled in Server Check
        Corrected text description of IPv6 port lists in non-cPanel csf.conf
        Export ConfigServer::Logger::logfile
        Detect mpm_itk_module and treat in a similar manner to ruid2_module in Server Check
        Removed use of Cpanel::cPanelFunctions as it is now being withdrawn
        Updated common ConfigServer UI
        Fix instance where cluster block timeout for temporary blocks was not being sent
        Check for EOL PHP v5.5 in Server Check
        Added detection of alt-php versions provided by CloudLinux, but do not check them for EOL version status
9.11 -  Fixed issue with csf.allow Include checks when allowing an IP
        Added the Greensnow blocklist to csf.blocklists for new installs
        Fixed display of ports in CLI temporary blocks
        Fixed issue removing CIDR blocks via the CLI from csf.deny
9.10 -  Fix profile diff in the CLI
        Fixed issue with deny removal by IP address of advanced rules in the CLI
9.09 -  Additional fix for ip6tables MESSENGER service when LF_IPSET not enabled (ip6tables nat)
9.08 -  AUTOSHUN list removed from csf.blocklists as the public list is no longer available
        Added support for ip6tables MESSENGER service when LF_IPSET not enabled (ip6tables nat)
9.07 -  Fixed removal of complex allow and deny rules
        Fixed IPv6 implementation of CC_ALLOW_PORTS_* and CC_DENY_PORTS_*
        Fixed file upload in cse via the integrated UI
        Fixed "csf --cfile [file]"
        Removed setting: OLD_REAPER
        Localised SIGNALs
        Localised uid and gid change in MESSENGER
        Removed Bareword file handles
        Where ip6tables <= v1.3.5 and IPV6 is enabled, disable USE_CONNTRACK if enabled as ip6tables does not support the conntrack module in older versions. This will force the use of the state module instead
9.06 -  Fixed incorrect inclusion of cPanel Free SSL service include entries on new non-cPanel installations
9.05 -  Fixed RT_AUTHRELAY_LIMIT detection
9.04 -  Fixed issue with custom regex rules where log hash was not being passed to regex.custom.pm
        Fixed issue with custom regex rules where "use strict" was used incorrectly
9.03 -  Fixed issue with LF_ALERT_TO and LF_ALERT_FROM not being used when set
9.02 -  Fixed Reseller UI command execution
9.01 -  Fixed graph display when using integrated UI
9.00 -  Convert csfui.pl, csfuir.pl and cseui.pl to perl modules and modify the calling UI specific scripts
        Updated cseUI so that it passes perl strict module checks
        Fixed issue with deny removal of some IPv6 addresses
        Ensure /etc/chkservd/lfd is recreated when lfd is enabled via csf -e on cPanel servers
        Added exes to csf.pignore on existing and new cPanel servers: /usr/libexec/dovecot/lmtp /usr/local/cpanel/3rdparty/php/54/bin/php-cgi /usr/local/cpanel/3rdparty/php/56/bin/php-cgi /usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
        Ensure all file opens are properly flocked
        Switch to using require instead of eval/use to load runtime modules where possible
        Code review - started addressing perl critic suggestions in all scripts and modules
        Moved regex.pm to a separate perl module
        Moved email sending to a separate perl module
        Moved lfd logging to a separate perl module
        Add allow and ignore Include files for the cPanel Free SSL service from Comodo in cPanel v58+.
        These are included on new installations and added to existing files on cPanel installations
        Fixed spurious Include error in lfd for csf.ignore
8.26 -  Added more dovecot binaries to csf.pignore for new and existing cPanel servers
        Updated lfd-cron to use the csf startup routines to restart lfd on systemd servers correctly, existing cron jobs are also modified
        HTTP::Tiny upgraded to v0.058
8.25 -  Modified Config loading to check for valid ip6tables location before attempting to use it
        Modify Server Report to support checking of cPanel MultiPHP configurations when using EasyApache v4
        Removed PHP check for suhosin from Server Report
        Improved cipher check for pure-ftpd in Server Report
        Added password reset check for subaccounts in Server Report on cPanel servers
        Added cPanelID check in Server Report on cPanel servers
8.23 -  On cPanel servers ensure the lfd service is always correctly appended to chkservd.conf on csf installation
8.22 -  Fix csf --tempdeny from allowing blocking of local IPs
        Fix problem where LF_NETBLOCK was no longer effective after blocking its first netblock until it timed out from csf.tempip
        Modify UI table spacing
8.21 -  Modified cPanel version check to avoid restart loop if GENERIC set to 1 in csf.conf
8.20 -  Modify Relay Alert email to specify "localhost" rather than "Local Account" when localhost IPv6 address detected, as it currently does for IPv4 localhost
        Improvement to lfd restart routine for MailScanner and pure-ftpd when cPanel upgrades on RHEL/CentOS/CloudLinux v7+ servers
8.19 -  Move SMTP_BLOCK rules to a separate chain to avoid conflicts with other control panels deleting required rules
8.18 -  Reversed csf.tempip changes to avoid a possible locking issue in csf.pl, lfd.pl changes retained
8.17 -  Fixed 12 month statistics pie chart rendering
        Increased default value and sanity range for PT_USERMEM
        Modified SMTP_BLOCK to use iptables multiport
        Added new feature: SMTP_REDIRECT.
        This redirects non-authorised outbound SMTP connections to the local SMTP server
        Ensure LF_PERMBLOCK IPs are removed from csf.tempip when rotating csf.deny after reaching DENY_IP_LIMIT
        Remove stale csf.tempip entries on lfd startup
        Added IPv6 support to RT_LOCALHOSTRELAY tracking
        Update binary locations for new installations on DirectAdmin Debian
        Improved fix for detection of ip6tables nat chains
        Added UI Firewall Configuration On/Off buttons
        Added UI Firewall Configuration dropdowns for some value ranges
        Updated UI restricted list
        Updated sanity checks
        Various UI updates and modifications
        Added a warning when using mod_cloudflare to Server Check Report
8.16 -  Removed UI integration from CentOS Web Panel as recent permission changes break the implementation. The csf installer will restore the original functionality
8.15 -  Added new configuration option IP to point to the IP binary. This will be used in preference to IFCONFIG; the latter is no longer required when the IP binary is correctly configured and executable
        Added full UI integration into CentOS Web Panel (CWP). To disable integration: Rename /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.orig.php to /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.php and create /etc/csf/cwp.disable
        Updated Postfix SMTP AUTH regex (thanks to Marcele)
        Added support for /etc/csf/csf.blocklists in ZIP format. The zip file MUST only contain a single text file of a single IP/CIDR per line
        Added Stop Forum Spam (ZIP) example to csf.blocklists
        Added IPV6 support to csf.sips
        Fixed detection of ip6tables nat
        Removed development code for ispconfig from distribution as this should NOT be used. It has never been implemented nor released as a supported solution and is likely to be insecure.
        Upgrading will remove any installations of this development code
8.13 -  Added /usr/local/cpanel/3rdparty/php/54/sbin/php-fpm to csf.pignore for cPanel installs
        Clarify cluster CLI commands that refer to remote server actions
        Added number of failures to the RBL check Subject field
        Modified Port Scan checks for more kernel log line formats in regex.pm
8.12 -  Additional Feature: Added support for listing ASNs in all Country Code (CC_*) options
        Fixed GLOBAL_ALLOW and GLOBAL_DENY when LF_IPSET is enabled
        Fixed GLOBAL_DYNDNS when LF_IPSET and LF_IPV6 are enabled
        IPSET binary location set to /sbin/ipset for Debian/Ubuntu new installs
        Additional regex included for vsftp login failures
8.11 -  Fixed issue on non-RedHat OS installations that failed due to problems whitelisting the installer's IP address
8.10 -  Fixed issues with new non-RedHat OS installations by reasserting perl module check to the start of the installation process but removing included modules from checks
        Ports 2079 and 2080 added to TCP_IN for new cPanel installs to allow CalDAV/CardDAV access
8.09 -  Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or /sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow higher settings for PORTFLOOD than the default of 20 if configured
        Added LimitNOFILE to lfd.service on servers using systemd to allow for large numbers of open files
        Cater for full stops (.) in ethernet device names
        Moved Perl module checks until after csf installation has completed so that all included modules exist in /usr/local/csf/lib/
8.08 -  Fixed csf.sips modification via UI on Redhat/CentOS v7.1
        Raised csf.blocklist names from 9 to 25 characters long. This cannot be greater due to limits on ipset names on some OS's and the use of prepended names for new ipset list swapping
        Added output from netstat for PT_LOAD to loadalert.txt for new installs.
        For existing installs, latest file copied to /usr/local/csf/tpl/loadalert.txt.new
8.07 -  Ensure spaces are stripped from values in /etc/cpanel/ea4/paths.conf on cPanel servers
        Fixed issue with csf --add [ip] not always removing [ip] if present from csf.deny
        Modified the LF_QOS regex to cater for additional log formats
8.06 -  Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel servers for Pyzor that was added by cPanel in v11.52
        Support added for EasyApache4 log locations in cPanel from /etc/cpanel/ea4/paths.conf
        Added more executable files to csf.pignore on cPanel servers for cPanel EasyApache4
        Modify Server Check to support cPanel EasyApache4
        Added regex to support cPanel/WHM login failures with the new log format in v11.52+
        If mod_ruid2 is enabled do not check for mod_userdir in Server Check
        Always ensure binary exists and is executable before performing processing during Server Check
        Modified ProFTPD regex to support more formats
        vsftpd inbuilt log file format regex added
        Modified cPanel antirelayd Server Check to also support popbeforesmtp added in v11.52
        Added dbus and time systemd regexes to csf.logignore for new installs
8.05 -  Added alarms to HOST binary calls
        Added new csf CLI option: --rbl [email]. This generates the report checking IP addresses against a set of RBLs.
        Optional configuration is available through /etc/csf/csf.rblconf
        Added UI to utilise the new --rbl [email] option
        Added systemd status output after lfd restart via the csf CLI
        Modified Server Check to only report bind if a named configuration file exists
        Require cPanel resellers to enter a Comment when allowing or denying an IP
        Added new option UI_IP to allow binding to a specific IP address for the integrated UI
8.04 -  Added more executable files to csf.pignore on cPanel servers for cPanel v11.5*+
        Added warning to both csf output and Server Check report if PT_USERKILL is enabled
8.03 -  Fixed bug where iptables nat tables were not being flushed or grepped correctly
8.02 -  Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
        Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
        Added new csf CLI option: --lfd [stop|start|restart|status]. Actions to take with the lfd daemon
        Added new csf CLI option: -ra, --restartall. Restart firewall rules (csf) and then restart lfd daemon
        Fixed several output message typos for "FASTSTART"
        Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel
        Improve IPv6 detection on installation
        Implemented more efficient csf.conf loading in ConfigServer::Config
8.01 -  Modify ConfigServer::CheckIP to cope with entries not passed by reference
8.00 -  Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups
        Added new option LF_NETBLOCK_IPV6.
        This adds IPv6 support for LF_NETBLOCK
        Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
        Added IPv6 support for LF_IPSET
        Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
        Added IPv6 support for X_ARF report where found in the Abusix Contact DB
        Added IPv6 nameserver support for /etc/resolv.conf
        Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed
        Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
        Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
        Added IPv6 support for SYNFLOOD
        Added flush of ip6tables nat table if ip6tables version >= 1.4.17
        Standardise all IPv6 addresses and networks to use the short form for consistent representation
        Added FASTSTART support to LF_IPSET
        Increased ulimit -n to 4096 in /etc/init.d/lfd
        Included Net::IP for IP address manipulation
        Included version perl module for version comparisons
        Added missing csf.allow search to csf --grep
        Added Server Check report for LF_IPSET when using Country Code filters
7.73 -  Fix for temporary denies allowing duplicate IP/Port blocks/allows
        Speedup csf --grep [ip] when searching IPSET sets. Note: This does mean that partial IP queries will no longer match IPSET entries
        Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for larger ipset sets
        Added option HOST as the location of the "host" binary for DNS TXT record lookups
        Modified X_ARF report to include the abuse contact for a reported IP address where found in the Abusix Contact DB
        Added new option X_ARF_ABUSE. This option allows for automatic sending of X_ARF reports to the IP address's abuse contact. See csf.conf for warnings about using this option
        Added binary location checking in csf and issue warnings if incorrect, not installed or not executable
7.72 -  Added new option PT_SSHDHUNG.
        Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate such processes. See csf.conf for more info
        Added new binaries to csf.pignore on existing cPanel installations to cater for v11.50 and CentOS v7
        LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for new installations
        Updated Server Check ipv6 detection
        Updated sanity checks
7.71 -  Added warning on cPanel servers for GreyListing
        Fixed issue with RedHat/CentOS/CloudLinux v7 where local IPs were not being successfully detected from IFCONFIG
7.70 -  Removed PayPal Donation buttons due to recent abuse
7.69 -  Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (added cxs pure-uploadscript restart)
7.68 -  Added Debian v8 and Ubuntu v15 support
        HTTP::Tiny upgraded to v0.054
7.67 -  Added a workaround for Plesk sendmail wrapper SIGCHLD problem
7.66 -  Fixed UI status form tags
        Added new option LF_SPI. This option configures csf iptables as a Stateful Packet Inspection (SPI) firewall - the default.
        If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some functionality and security will inevitably be lost
        Added common systemd logs to csf.logignore for new installs
        Modify LF_IPSET in csf to print failure messages instead of aborting on error
        On servers using systemd, if firewalld is found to be active, csf and lfd will not start until it is stopped and disabled, as csf cannot be used with firewalld
        Added option SYSTEMCTL to csf.conf as the location of the systemctl binary for use with servers using systemd
7.65 -  Fixed csf.blocklist for new installs which incorrectly had OPENBL enabled by default
7.64 -  UI HTML updates and fixes
        Modified openbl.org URLs in csf.blocklist to use https - this will likely need URLGET set to 2 (LWP)
7.63 -  Modified Server Check to highlight PHP v5.3.* as EOL and therefore a security risk
        Port 587 added to TCP_OUT/TCP6_OUT on all new installations (previously only on cPanel)
        Added new CLI option to csf: -i, --iplookup will lookup IP address geographical information using the CC_LOOKUPS setting in /etc/csf/csf.conf
        Manually allowed/denied permanent/temporary IPs through the csf CLI now include the CC information if no comment is used
        Renamed csf and lfd cron jobs in /etc/cron.d/ to cater for non-LSB compliant Linux cron managers
        Modified Server Check report to cater for servers running systemd
        More Server Check fixes for out of date checks
        Added 2 new alert settings for FTP and SMTP distributed attacks: LF_DISTFTP_ALERT and LF_DISTSMTP_ALERT
7.62 -  Modified ModSecurity regexes to be more generic
7.61 -  Fix issues with lfd restart via integrated UI and DA UI
7.60 -  Ensure that /usr/lib/systemd/system/ is created on install on systemd servers
7.59 -  Fix sanity check for SMTPAUTH_RESTRICT
        Fixed incorrect reference to cxs in the generic csf installer
        Modified csf.conf to show that LWP::Protocol::https is needed for LWP to retrieve https URLs and
        added examples of how to install these perl modules
        Implemented native systemd support for startup and shutdown of csf and lfd
        Added recommendation in csf.conf to use IPSET if wanting to set DENY_IP_LIMIT to a high value
        If IPSET is enabled, no sanity warnings are issued for DENY_IP_LIMIT
        Also add SSH port to TCP6_IN on new installations
7.58 -  Display warning and revert to HTTP::Tiny if URLGET is set to use LWP but the perl module is not installed
7.57 -  URLGET now set to "2" to use LWP by default on new installations instead of HTTP::Tiny
        If URLGET set to use LWP, csf will perform upgrades over SSL to https://download.configserver.com
        Added check for URLGET to Server Check
        Added option "3" for CC_LOOKUPS to also include IP ASNs via the MaxMind GeoIPASNum database
        Updated SSH login regexes
        Updated named regex
        Added 30 second timeout for ST_IPTABLES iptables stats writing to prevent a child creation loop
        Modified lfd to restart if more than 200 children are currently active to prevent child creation loops
7.56 -  Fixed issue with Restricted UI item sanity checks failing
        Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (lfd, MailScanner, cxs Watch). Restart triggers are limited to every 12 hours and will only trigger if upcp is not running
7.55 -  If LF_SELECT is enabled the port(s) listed in PORTS_* can now be specified as port;protocol,port;protocol, e.g. "53;udp,53;tcp" to allow for protocol specific port blocks.
        This port format can also now be used in regex.custom.pm and csf --td/--ta to allow udp port blocks
        PORTS_bind now defaults to "53;udp,53;tcp" on new installations
        PORTS_directadmin added for DA installs to allow for per port blocks if LF_SELECT is enabled
        Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
        LF_IPSET taken out of BETA as it is proving stable
        Modified Server Check to skip checking xinetd on Plesk servers
        Modified UI_SSL_VERSION for new installations to use the new IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so that SSLv3 is disabled
        If systemd is running the installer disables firewalld using systemctl
7.54 -  Added IPv4/IPv6 column to show whether the port in the csf --ports option is listed in *_IN (e.g. TCP_IN)
        Added Conn column to show the number of ESTABLISHED connections to the port in the csf --ports
        Modified Server Check text from "SMTP Tweak" to "SMTP Restrictions" for cPanel/WHM UI
        Added the following to LF_IPSET for IPv4 IPs and CIDRs: /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables
        Modified ipset information in csf.conf including that only ipset v6+ is supported
        Modified ConfigServer::Slurp to carp instead of croak
        Improvements to Server Check nameserver checking to include IPv6 servers and better determine how many are local nameservers
        Modified csf --graphs to append a trailing slash if missing to directory name
7.53 -  Modified Slurp.pm to use O_RDONLY instead of O_RDWR
7.52 -  Fixed issue with Restricted UI items sanity checks failing
7.51 -  Removed duplicate "Search System Logs" button from the UI
7.50 -  Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and csf.blocklist bulk list matching.
        See csf.conf for more info
        Added new UI option to view ports on the server that have a running process behind them listening for external connections
        Added new CLI option (csf -p, csf --ports) to view ports on the server that have a running process behind them listening for external connections
        Added new CLI option (csf --graphs) to Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
        If using DYNDNS and the FQDN has multiple A records then all IP addresses will now be allowed
        IPv6 support added to DYNDNS. Requires the Perl module Socket6 from cpan.org to be installed
        On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin if installed and logging enabled via CustomBuild v2+. Failures will contribute to the LF_DIRECTADMIN trigger level for that IP
        On DA servers, FTPD_LOG now defaults to /var/log/messages on new installs
        Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs on DA
        Added to UI count of entries in /etc/csf/csf.allow
        Added blocklist.de to csf.blocklists for new installs, latest file copied to /etc/csf/csf.blocklists.new on existing installs
        Started moving common functions to separate modules within csf
        HTTP::Tiny upgraded to v0.050
        Fixed csf stop/start routines on reboot for servers using systemd
        Modified integrated UI to display die errors to browser
        Modified X_ARF report to use a self-published schema: http://download.configserver.com/abuse_login-attack_0.2.json
        Modified X_ARF to lowercase the Source-Type field
        Modified X_ARF template to use the v0.2 "X-XARF: PLAIN" header field
        Updated restricted UI items
        Geo::IP upgraded to v1.45
        Crypt::CBC upgraded to v2.33
7.15 -  Updated installer to fix generic installs on some Redhat/CentOS setups
        Fixed issue with temporary allow/deny not applying individual port rules for outgoing connections
7.14 -  Updated scripts to use
        download.configserver.com
7.13 -  Fixed issue with temporary allow/deny when issued through the UI
7.12 -  Reverted PACKET_FILTER rule changes
        OPEN added as an option to PS_PORTS so that TCP_IN and UDP_IN ports will be ignored by Port Scan Tracking by default, but can be added if desired
7.11 -  DROP_PF_LOGGING disabled by default on new installs as enabling by default will just cause confusion
7.10 -  Removed debugging code from Port Scan Tracking
7.09 -  Set scripts (.pl,.cgi,.php,.sh,.py) in /etc/csf/ to chmod 700
        Simplified PACKET_FILTER rules for dropping INVALID connection tracking states. This feature now only applies a single rule for incoming INVALID packets
        DROP_PF_LOGGING enabled by default on new installs
        INVALID added as an option to PS_PORTS so that PACKET_FILTER logs will be ignored by Port Scan Tracking by default, but can be added if desired
        Modified ST_ENABLE locking
        Regex updates to cater for Plesk 12 - thanks to Marcel Evenson
        Fixed issue with temporary allow/deny comment not being parsed correctly when port * specified
7.08 -  Withdrawn
7.07 -  Modified lfd to silently drop ST_ENABLE lock queue entries unless DEBUG is enabled
        Modified ST_ENABLE logging to append to data file and only truncate when needed
7.06 -  Added locking to ST_ENABLE and ST_SYSTEM to prevent child process queues
7.05 -  Fix SMTPAUTH_RESTRICT where IPv6 addresses need to be quoted for exim
7.04 -  Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is triggered, then if LF_DIST_ACTION is a path to a script, it will run the script and pass arguments to it. See csf.conf for more info
        Added limit check on VPS servers when using FASTSTART to ensure there are sufficient numiptents available for all of the iptables rules in that block
        Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to /etc/exim.smtpauth
        Fixed LF_BIND - BIND_LOG was not being added to the log list to watch
        On DirectAdmin servers, added new feature LF_DIRECTADMIN.
        This option scans DIRECTADMIN_LOG for failed logins and blocks accordingly
        Fixed typo in csf.conf
7.03 -  Added new option DROP_UID_LOGGING which allows UID logging to be disabled for outgoing connections. This option is enabled by default and can be disabled on OS's that do not support --log-uid
        Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for use with the csf --profile option
        Updates to sanity.txt for new options
        Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to www.dshield.org/block.txt for new and existing installs
7.02 -  Make auto.pl scripts more resilient to avoid leaving an incomplete configuration file after upgrades
        Improved output errors if FASTSTART fails
        Ensure UNZIP binary exists before attempting to process GeoLite CSV Country database
        Corrected FASTSTART description in Server Report check
        Modified auto.pl to not automatically enable IPV6 on Virtuozzo/OpenVZ
        Report all errors after csf starts in case they were missed in the main output
7.01 -  Fixed issue with FASTSTART and DROP_PF_LOGGING
7.00 -  New feature SMTPAUTH_RESTRICT - This option will only allow SMTP AUTH to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth on EXIM mail servers. The additional option CC_ALLOW_SMTPAUTH can be used with this option to additionally restrict access to specific countries.
        See csf.conf and readme.txt for more information
        New FASTSTART procedures in csf and lfd to centralise functions and add error reporting
        FASTSTART added to GLOBAL_ALLOW, GLOBAL_DENY, GLOBAL_DYNDNS, csf.deny, csf.allow, Port Settings, PACKET_FILTER, DROP_NOLOG, SMTP Block, DNS
        Remove duplicate IP addresses from individual blocklists
        Remove duplicate IP addresses (not CIDRs) across blocklists as they are newly retrieved
        Ensure /usr/local/bandmin/bandminstart exists and is executable on cPanel servers before using it
        Removed MySQL version check from Server Report as it is currently redundant
        Improve Net::CIDR::Lite use integrity to prevent unnecessary lfd failures
        Ensure GeoIPCountryWhois.csv is removed before processing a new d/b download
        Add /etc/csf/csf.smtpauth to UI if SMTPAUTH_RESTRICT is enabled
        Fixed issue with IPv6 generation of SMTP_ALLOWUSER rules
6.48 -  Fixed csf --ta/d not accepting comma separated port list
        Modified csf -t multi-port reporting
        Modified csf UI to support specifying port list in temporary allow/deny
        Modified integrated UI call to perform separate calls to IO::Socket::SSL to use the appropriate AF_INET(6) call depending on the setting for IPV6
        Updates to integrated cse UI CSS
        Added regular expressions for courier-imap, Qmail SMTP AUTH and Postfix SMTP_AUTH for Plesk servers
        Removed RBN from csf.blocklist for new installs as it is now obsolete
        Check for and apply correct permissions on /var/lib/csf and /usr/local/csf in addition to /etc/csf
6.47 -  Overhaul of Apache regexes to cater for Apache v2.4 formats
        Fail with an appropriate error if attempting to use an IPv6 address but IPV6 is not enabled
        Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT when DROP_OUT_LOGGING is disabled
        Strip leading and trailing spaces from form IP in csf UI
        DROP_OUT_LOGGING is now enabled by default on new installations
        ST_ENABLE is now enabled by default on new installations
        CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries.
        This provides a more consistent approach and quicker lookups with reduced memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE
6.46 -  HTTP::Tiny reverted to v0.041 as it breaks on some installations
6.45 -  Modified LF_SCRIPT_ALERT to only report detected lines
        Modified Server Check for sshd_config port to be case-insensitive
        Modified PORTS_sshd check of sshd_config port to be case-insensitive
        HTTP::Tiny upgraded to v0.042
        Reverse sort temp bans in UI
6.44 -  File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs
        Added Server Reports recommendation for CloudLinux if running CentOS or RedHat
        Added Server Reports CloudLinux security feature checks
        Modified Server Report check for dovecot v2
        Updated Server Report version checks for Fedora, MySQL and Apache
        Added missing bracket to regex.custom.pm example
        Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports
        Added Cached memory to the System Statistics
        Added full pseudo-breadcrumbs to cPanel csf UI
        Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See "man csf" and UI for more details of the "csf --profile [OPTIONS]" commands
        HTTP::Tiny upgraded to v0.041
6.43 -  Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
        RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to "3" is the recommended option
        Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
        csf --dr modified to remove matching IPs from csf.tempip
        File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit
6.42 -  New BETA option RESTRICT_SYSLOG_GROUP.
        This has been added for a new RESTRICT_SYSLOG option "3" which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
        Those running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
        csf UI option added for editing csf.syslogusers
        Fixed a bug in PT_LOAD not producing PS output
6.41 -  SECURITY WARNING: Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines). Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst. Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users. There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default. See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice
        NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd.
So you should use other such scripts with care Our thanks go to Rack911.com for bringing this issue to our attention UI design updates and fixes Modify Apache regex to support log lines containing thread ID Prevent lfd from blocking CIDRs triggered from log lines 6.40 - Fix for LF_INTEGRITY which was non-functional after changes in v6.38 6.39 - Added error output from IO::Socket::INET for CLUSTER_* commands from csf if present UI HTML fixes and form design elements added Improved error report for invalid csf.conf lines Removed Server Check tmp mountpoint checks 6.38 - Parameterise calls to system and Open3 where possible HTTP::Tiny upgraded to v0.039 Modifications to csftest.pl Removed the UI "Pre-configured settings for Low, Medium or High" as they are outdated and meaningless. Users should go through the csf configuration and setup the firewall for their individual server needs Translate ampersand for HTML output Modified csf.blocklist for new installations to use the SSL URL for the TOR exit list now that they have forced redirection from the non-SSL URL, with a note to change URLGET to use LWP Modified csf.blocklist for new installations to specify an alternative TOR exit node list 6.37 - Fixed issue that produced false-positive failures for IP address actions through UI when checking for a valid IP address Modified lfd to support the use of either "password" or "pass" in /root/.my.cnf for ST_MYSQL Updated CLUSTER information in readme.txt 6.36 - Removed VPS PASV check from Server Check in UI Added new option URLGET - This option can be used to select either HTTP::Tiny or LWP::UserAgent to retrieve URL data. HTTP::Tiny is faster than LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may have to be installed manually, but it can better support https:// URL's. 
HTTP::Tiny is selected by default Removed extraneous bracket in UI output when reporting errors in user supplied data Added new options LF_EXIMSYNTAX, LF_EXIMSYNTAX_PERM - These will block IP addresses producing repeated exim syntax errors, typically seen from: spammers, hackers and broken MUAs and MTAs. This option is enabled by default HTTP::Tiny upgraded to v0.036 6.35 - Security fix with included cse when using inbuilt User Interface: prevent XSS due to malicious directory/file names 6.34 - Load DYNDNS and GLOBAL_DYNDNS from last known values when restarting csf instead of waiting for lfd to load the initial rules Improved performance of file slurping Cluster documentation correction in readme.txt UI button style modifications Added specific check for Spamhaus drop lists so that retrieval is never attempted before 2 hours elapses between attempts whether those retrieval attempts are successful or not Improvements to SSHD regexes Modified mod_security logging to include the last triggered rule id if present 6.33 - Modified LF_PERMBLOCK to perform IP lookup on blocked IP Perform modprobe when using FASTSTART on server boot to ensure iptables modules are loaded Modified migration detection for particularly old csf installations Check that TAIL and GREP exist and are executable in UI 6.32 - Applied UI changes to inbuilt cse and Reseller UI's Improvements to Virtuozzo/OpenVZ system detection where /proc/vz/veinfo does not exist Added System Check on cPanel servers for disable-security-tokens If /etc/csuibuttondisable exists then the UI buttons will revert for those that cannot cope with the themed ones 6.31 - Fixed "Deny Server IPs" option in UI Additional SSHD regex Enable account tracking for LF_CPANEL login failures to allow for LF_DISTATTACK detection Ignore Server Check for register_globals for PHP v5.4+ Added new option UI_SSL_VERSION, to allow the setting of the SSL protocol version that the UI server allows Added window Detach option to UI search system logs 
UI display changes Fixed files permissions issue affecting System Graphs and lfd Graphs in DA 6.30 - Prevent HTML rendering of watch and search system log file output 6.29 - Removed CLUSTER_PORT from sanity checking Modified changelog to state that HTACCESS_LOG needs to be correct for nginx LF_HTACCESS regexes Added new UI option to watch (tail) system log files listed in /etc/csf/csf.syslogs Added new UI option to search (grep) system log files listed in /etc/csf/csf.syslogs Improvements to "View iptables Log" output in UI Enable "SSL_honor_cipher_order" for UI IO::Socket::SSL sessions 6.28 - Fixed sanity check for UID_INTERVAL 6.27 - Modified Apache regexes for Apache v2.4+ Fixed UI configurable lines display for lfd.log Fixed length display text for CLUSTER_KEY in csf.conf Ignore suspendedpage.cgi triggers for LF_SYMLINK on cPanel servers Updated sanity checks and ranges for csf.conf settings Added RESTRICT_UI to Server Check recommended options Modified Virtuozzo/OpenVZ FTP port check to verify kernel version before issuing PASV port warning Added new setting PS_DIVERSITY. To specify how many different ports qualifies as a Port Scan you can increase this value. The risk in doing so will mean that persistent attempts to attack a specific closed port will not be detected and blocked. The setting defaults to the original setting of 1 Added 3 LF_HTACCESS regexes for nginx. Remember to set HTACCESS_LOG correctly for the location of the nginx error log 6.26 - Fixed UI issue with some settings sent via the Cluster Config option Modified CONNLIMIT_LOGGING rule insertion point Added new feature: Outgoing UDP Flood Protection. This option limits outbound UDP packet floods. These typically originate from exploit scripts uploaded through vulnerable web scripts. 
The feature is controlled by: UDPFLOOD, UDPFLOOD_LIMIT, UDPFLOOD_BURST, UDPFLOOD_LOGGING, UDPFLOOD_ALLOWUSER Update the TOR URL in existing /etc/csf/csf.blocklists file if still set to the old URL 6.25 - Fixed UI "Temporary IP entries > Flush all temporary IP entries" Fixed UI_USER and UI_PASS being emptied on saving the firewall configuration through the UI Fixed CLUSTER_KEY not displaying when RESTRICT_UI is disabled 6.24 - Security - Removed items from Cluster Config UI option if RESTRICT_UI enabled 6.23 - Security - added new option RESTRICT_UI. This options restricts the ability to modify settings within csf.conf from the csf UI. Should the parent control panel be compromised, these restricted options could be used to further compromise the server. This option is enabled by default on all installations Added entries to csf.pignore on new installations on cPanel servers for Dovecot v2.2 (cPanel v11.40+) Fixed UI Template validation error message 6.22 - Security Fix - Sanitised user data input to prevent running unauthorised commands via the UI. A user would require root access to exploit this, so vulnerability is probably low. Thanks to Steven at Rack911.com for reporting this issue Added Password ENV variable check to Server Check on cPanel servers Update cPanel ACL Driver installations to change force cache update using "touch" instead of removing the cache Modified TOR URL in /etc/csf/csf.blocklists to use: http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1 6.21 - Modified auto-update logic to only create the /etc/cron.d/csf_update file if it does not already exist Fix permissions on csf man file and directory Modified webmin module paths to be relative rather than absolute so that webmin via mod_proxy works correctly Fixed "in" direction --tempallow/--tempdeny leaking into [comment] Added nginx regex for ModSecurity rule detection. 
Remember to set MODSEC_LOG correctly for the location of the nginx error log Fixed file permission/ownership problem on DirectAdmin servers for the /plugins directory 6.20 - Introduced a new directory structure to get closer to the Linux Filesystem Hierarchy Standard (FHS): /etc/csf/ - (mostly) configuration files /var/lib/csf/ - temporary data files /usr/local/csf/bin/ - scripts /usr/local/csf/lib/ - perl modules and static data /usr/local/csf/tpl/ - email alert templates Existing data and templates files are migrated into the new structure automatically. Some files and directories are symlinked to /etc/csf/ for backwards compatibility and ease of use. See the following for individual file locations in the new configuration: http://blog.configserver.com/?p=7 CC_LOOKUPS rDNS reporting improvements HTTP::Tiny upgraded to v0.033 Removed Security Token check from Server Check Report now that it is implicitly set in v11.18.0+ Switched the location of the csf.pl and lfd.pl binaries with their symlinks Code tidy for servercheck.pm, csfui.pl Allow comments to be appended to csf --tempdeny and csf --tempallow in the same way as csf --deny and csf --allow. Also made the options more flexible in usage of optional elements Added Comments field to UI for Quick Allow, Quick Deny, and Temporary Allow/Deny Added csf(1) man page and changed csf --help to use a text version of the new man page Fixed unnecessary open of csf.fignore 6.15 - Modified MaxMind City Database lookup code to be more resilent 6.14 - Added support for cPanel v11.38.1+ AppConfig addon registration NOTE: In accordance with the new conventions for v11.38.1+ AppConfig the url to the csf WHM plugin will change from /cgi/addon_csf.cgi to /cgi/configserver/csf.cgi. This will only happen with csf v6.14+ and cPanel v11.38.1+. Older version of csf will continue to use the old URL. 
This has no particular relevance to users accessing through WHM, but will affect direct URL access by users or third party applications Added support for cPanel v11.38.1+ Custom ACL driver. This creates an ACL (software-ConfigServer-csf) which must be used to grant resellers access via "WHM > Edit Reseller Nameservers and Privileges > Third Party Services > ConfigServer Security & Firewall (Reseller UI)" when running cPanel v11.38.1+ Added Server Check for AppConfig restrictions for cPanel v11.38.1+ Switched from using Geo::IP::PurePerl to Geo::IP perl module Added MaxMind GeoIP Anonymous Proxies to csf.blocklists for new installs Added new setting CSFDATADIR. This is the location of the csf and lfd temporary data. By default it is set to the current value of /etc/csf with the intention of moving this data to /var/lib/csf in the future in a move towards the Linux Filesystem Hierarchy Standard (FHS) Moved the default location for ST_DISKW_DD to /var/lib/dd_test for new installations 6.13 - Fixed Server Check for dhclient 6.12 - Added iptables UID logging for dropped outgoing packets New feature - DROP_OUT_LOGGING. Enables iptables logging of dropped outgoing connections. Where available, these logs will also include the UID connecting out which can help track abuse. Note: Only outgoing SYN packets for TCP connections are logged. The option is not enabled by default, but we recommend that it is enabled Option DROP_ONLYRES now only applies to incoming port connections New feature - User ID Tracking. This feature tracks UID blocks logged by iptables to syslog. If a UID generates a port block that is logged more than UID_LIMIT times within UID_INTERVAL seconds, an alert will be sent. 
Requires DROP_OUT_LOGGING to be enabled Modified Port Scan Tracking regexes to ensure only incoming connections are tracked Added Server Check for dhclient running Added Server Check on cPanel servers for antirelayd Added Server Check for a swap file (don't bother on Virtuozo) Added Server Check for xinetd, qpidd, portreserve and rpcbind in Services Check since most people won't use them 6.11 - Fixed SMTP_ALLOWLOCAL not functioning correctly. Added IPv6 support for SMTP_ALLOWLOCAL Removed SMTP_BLOCK restriction for IPv6 requiring port 25 to be present in TCP6_OUT 6.10 - New feature - separate Blocklist configuration file to allow for expansion of the available block lists. The following options have been removed from csf.conf and a new csf.blocklists file added to configure blocklists: LF_DSHIELD, LF_SPAMHAUS, LF_TOR, LF_BOGON During the upgrade if those options were enabled, then they will be enabled in the new csf.blocklists file. If you used a custom blocklist URL in one of those options you will have to manually add it to the new configuration. Modified UI to provide edit function for csf.blocklists 6.09 - Modified csf UI to detect Webmin install and symlink script and images directory so as to no longer require Webmin module update on a new csf version Tidied up csf UI html Fixed System Statistics graph display when using Webmin Modified Server Security check to only perform GENERIC test when using Webmin to prevent hanging processes Added CLI options --car, --carm. This removes an allowed IP in a Cluster and removes it from /etc/csf.allow Added new options LF_WEBMIN, LF_WEBMIN_PERM. This feature adds login failure detection for Webmin in WEBMIN_LOG Added new option LF_WEBMIN_EMAIL_ALERT. 
This feature sends an email if a successful login to Webmin is detected in WEBMIN_LOG Modified LF_SCRIPT_ALERT text in csf.conf for cPanel servers Modified proftpd regex to cope with non-standard format and to remove trailing colons from account name Modified LF_SCRIPT_ALERT regex to cater for paths containing spaces Improvements to LF_SCRIPT_ALERT memory usage and possible script detection Added alternative LF_SCRIPT_ALERT regex for specific 1H.com exim logging ACL 6.08 - Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that do not support IPv6 connection tracking by opening ephemeral port range 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the same workaround implemented by RedHat in their sample default IPv6 rules 6.07 - Fixed issue with processing /proc/PID/stat for process information 6.06 - Prevent csf/lfd from failing to run if a non-critical configuration file does not exist In webmin, force table stylesheet to override webmin css. Requires webmin module reinstall on existing installations 6.05 - Improvements to minimal perl module detection on new installs Bugfix for default lfd.pl perl shebang 6.04 - Implement slurp routine for configuration files to cater for incorrect linefeeds Ignore leading and trailing spaces from lines in configuration files Fixed Include statements in csf.ignore not implemented in lfd Additional debug logging for RT_*_LIMIT added Replaced call to Time::HiRes::sleep with standard sleep Additional dovecot entries in csf.pignore for new installations 6.03 - Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. 
The HTTP::Tiny module is included in the distribution, so no further action is necessary Modified lfd perl module loading to be conditional where possible to reduce lfd memory footprint Modify initial file processing to reduce lfd memory footprint Modify PS_PORTS processing to reduce lfd memory footprint Moved init of Geo::IP::PurePerl into iplookup subroutine Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to false-positives Modify LF_DIRWATCH_DISABLE so that only files are added to suspicious.tar and removed. Suspicious directories will no longer be removed Removed File::Path - no longer required 6.02 - Modify MESSENGER HTML header to return code 403 instead of 200 Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables detection of repeated Apache symlink race condition triggers from the Apache patch provided by: http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html This patch has also been included by cPanel via the easyapache option: "Symlink Race Condition Protection" 6.01 - Ensure all binaries are called with their full paths for the scheduled Server Security Check reports Allow csf -u/-uf/--update and -c/--check when csf is disabled Make RT_* checks IPv6 compatible Added dns query caching for ip lookups during lfd process lifetime Modify TOR rule loading to use FASTSTART in lfd if enabled Added iptables locking to FASTSTART code LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries Added "DEFERRED" login failure checking to CPANEL_LOG regex 6.00 - Major new option - FASTSTART: This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways: 1. 
On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time than if this setting is disabled [*] Not supported on all OS platforms FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually Other Changes: Improvements to csf and lfd init routines LF_QUICKSTART renamed to LFDSTART, setting value preserved Fixed a problem with scheduled Server Security Check reports Crypt::CBC upgraded to v2.32 5.79 - Modified csf error routine to store failing error in csf.error and display an instructional message Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM Modified the Server Report proxysubdomains check on cPanel servers Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to listed TCP/UDP ports. 
For example, using this FTP access port 21 could be blocked to only the specified countries 5.78 - Due to issues that some are experiencing with the switch from the state to the conntrack module a new settings has been added USE_CONNTRACK which is disabled by default except on servers running kernel 3.7+ where on new installations it will be enabled 5.77 - Add an exception for the useless Virtuozzo kernels iptables implementation so that csf uses the deprecated state module instead of conntrack 5.76 - Only add the /128 IPv6 bound address per NIC instead of the whole /64 to the local IPv6 addresses Modify SSHD and SU regexes to allow for empty hostname field in log file Added new option UNBLOCK_REPORT. This option will run an external script when a temporary block is unblocked Additional entries in csf.logignore on new installations Switched from using the iptables state module to using the conntrack module in preparation of the formers obsolescence Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so that new tests can be easily added and then ignored desired Added new LF_EXPLOIT check SSHDSPAM to check for the existence of /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9, See: http://www.webhostingtalk.com/showthread.php?t=1235797 5.75 - Fixed issue with single quotes appearing in CC lookup names leading to lfd IP blocks to fail 5.74 - Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36 Additional entries in csf.logignore on new installations Try harder to get a CPU temperature if lm_sensors is installed for System Statistics Enforce PORTFLOOD setting restrictions and issue warning if entry discarded Correct location of CC_ALLOWF in LOCALINPUT after update from lfd Make CC_[chain] actions more verbose in lfd.log Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. 
This feature allows access from the countries listed in CC_ALLOW_PORTS to listed TCP/UDP ports. For example, using this FTP access port 21 could be restricted to only the specified countries Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature Modified SMTP_PORTS to include ports 465 and 587 on new installations Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent 5.73 - Fixed issue with crontab line for TESTING option not being detected and removed when TESTING mode is disabled 5.72 - Added missing DD setting in DA and generic installations for ST_DISKW Modified IPv6 port settings to reflect IPv4 port settings for new installs in csf.conf If a deleted executable process is detected and reported then do not further report children of the parent (or the parent itself if a child triggered the report) if the parent is also a deleted executable process Parent PID added to PT_DELETED_ACTION parameters In the Server Report allow for spaces before Apache directives Updated instructions for modifying log_selector for exim configurations in readme.txt and Server Report Modify DD calculation for ST_DISKW for disks that report in GB/s Updated to use the new cPanel 11.36+ integrated perl binary if exists 5.71 - Fixed problem processing dd output for ST_DISKW on some systems Fixed dovecot imap login failure regex processing Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog) 5.70 - Fixed an issue with PERMBLOCK introduced in v5.68 5.69 - Fixed duplicate entries in csf.conf on GENERIC installations 5.68 - New feature added - LF_DIST_INTERVAL. This option provides a separate timing interval for both LF_DISTFTP and LF_DISTSMTP. 
By default it is set to 300 seconds Implemented better handling of repeat blocks when an IP is already temporarily or permanenetly blocked Added missing inclusion of Time::HiRes in csf.pl Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log unless DEBUG enabled Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled RELAYHOSTS setting now defaults to "0" to improve security on cPanel servers Increased default value of DENY_IP_LIMIT to 200 5.67 - Fixed a problem with permanent IP blocking when using LF_SELECT 5.66 - Implemented a new locking system to try to mitigate an iptables bug when issuing concurrent iptables commands Implement flushing on the lfd pid file so that it is always accurate Improvements to csf --grep [ip] to escape regular expression matching New feature added - LF_REPEATBLOCK. This option instructs csf to deny an already blocked IP address the number of times set. See csf.conf for more information New feature added - LF_BLOCKINONLY. This option instructs csf to only block inbound traffic from those IP's and so reduces the number of iptables rules, but at the expense of effectiveness. See csf.conf for more information New feature added - ST_DISKW. This option adds disk write performance statistics to the stats graphs. See csf.conf for more information Fixed file location for Debian and derivative OS's for /etc/mysql/my.cnf in Server Check 5.65 - Removed some of the command locking as it was causing hangs 5.63 - Implemented a locking and retry system to try to mitigate an iptables bug when issuing concurrent iptables commands 5.62 - Added ModSecurity connection dropping to the LF_MODSEC regex Added new option - ETH6_DEVICE. By adding a device to this option, ip6tables can be configured only on the specified device. Otherwise, ETH_DEVICE and then the default setting will be used Added new option - LF_SCRIPT_ACTION. 
On cPanel servers, this can contain the path to a script that is run whenever LF_SCRIPT_ALERT is triggered Fixed stats graph average calculation and display if average equals 0 Split Slow MySQL Queries stats graphs from MySQL Queries Improvements to Apache CPU Usage stats graphs 5.61 - On Debian systems, check for my.cnf in /etc/mysql/my.cnf in Server Check Add missing/changed images in the DA/Webmin installs. For webmin, the csf webmin module will need to be reinstalled Another fix for LF_NETBLOCK to skip IPv6 addresses Fixed csf --tempallow where -d [direction] was performing inout when in requested Fixed UI option "Edit the Log Scanner file (csf.logfiles)" which was incorrectly overwriting csf.dyndns instead of writing to csf.logfiles Changed ETH_DEVICE_SKIP device check from a failure to a warning Skip checks for register_globals and suhosin if running PHP v5.4.* in Server Check report 5.60 - Added new options to include the Spamhaus Extended DROP list. These additional netblocks are included in the main Spamhaus chain. The feature uses LF_SPAMHAUS_EXTENDED and LF_SPAMHAUS_EXTENDED_URL which are enabled by default, but used only if LF_SPAMHAUS is enabled. To force a reload of the SPAMHAUS list to include the Extended list, delete /etc/csf/csf.spamhaus file after upgrading to this version and then restart lfd Added new options to allow blocking of TOR Bulk Exit nodes. This works in the same manner as the LF_SPAMHAUS and LF_DSHIELD options. The feature uses LF_TOR and LF_TOR_URL and is disabled by default. 
Warning: This could block legitimate users who are trying to protect their anonymity, so use with caution Fix LF_NETBLOCK to skip IPv6 addresses as it is unsupported as has long been stated in csf.conf Added missing html elements in UI Added unblock button to UI IP searches when results is either in csf.deny or a temporary block Implemented a locking system to mitigate iptables stability issues when loading concurrent iptables chains in lfd Fixed bug in the display of the 30 days ST_SYSTEM stats Added new option ST_SYSTEM_MAXDAYS. This allows you to define the maximum number of days of stats to collect (default 30 days) Increased stats graph sizes Added CIDR checking of csf.allow to the CLI command csf --deny Added checking of csf.ignore to the CLI command csf --deny 5.59 - Fixed a loop which caused high load when using GLOBAL_IGNORE Improvements to GLOBAL_IGNORE load speed and effectiveness Improvements to CC_IGNORE load speed 5.58 - Corrected ST_APACHE error message return text Add meaningful message if stats graph generation fails in UI Added new icon in UI for "Quick Allow" that inserts the current visitors IP address Added new icon in UI for "Quick Ignore" that inserts the current visitors IP address Replaced some of the included icons 5.57 - Added new option PT_APACHESTATUS to configure the URL to the Apache Status URL during PT_LOAD alert report Added Apache Statistics to ST_SYSTEM. A new option ST_APACHE must be set to collect these statistics and PT_APACHESTATUS must be correctly set. ST_APACHE is disabled by default Modification to SYSLOG option to remove the later introduced "nofatal" option to improve backwards compatibility, also enable the "pid" option to log the process ID Added new options SYSLOG_CHECK and SYSLOG_LOG to check whether syslog is running. See csf.conf for more information. 
This option is disabled by default, but we recommend that it is enabled on all servers Added SYSLOG_CHECK to Server Check Report recommended settings 5.56 - Improvements to ST_MYSQL password detection in /root/.my.cnf where the password is quoted Improvements to the SMTP AUTH regex to cope with differing settings in exim log_selector Removed debugging code in SMTP AUTH regex detection 5.55 - Update Fedora version check now that v17 has been released Added MySQL Connection and Thread statistics to ST_MYSQL/ST_SYSTEM Modified Server Check Report for cPanel servers see whether mod_ruid2 has been enabled making the Apache suEXEC check moot Improvements to the SMTP AUTH regex to cope with differing settings in exim log_selector 5.54 - Modified ST_MYSQL connection errors to advise disabling ST_MYSQL if it is not used ST_MYSQL now disabled by default on new csf installations 5.53 - Added Email Usage to the ST_SYSTEM System Statistics feature when RT_* options are enabled Fixed incorrect Min/Max calculations in System Statistics Improvements to Disk Usage stats in System Statistics for some virtual environments Added CPU Temperature to the ST_SYSTEM System Statistics feature when lm-sensors/coretemp installed and enabled (highest core temp recorded) Added MySQL graphs to the ST_SYSTEM System Statistics feature when ST_MYSQL is installed and enabled - requires DBI and DBD::mysql perl modules. Authentication is via new ST_MYSQL* options. The option is enabled on cPanel servers by default, disabled on others Modified stats collection routine to append data to the stats file on each minute interval and to clean up only on lfd startup. This is to help minimise the risk of the stats file being incomplete due to process termination Added new options LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM. This option will keep track of successful SMTP logins. 
       If the number of successful logins to an individual account is at least LF_DISTSMTP in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common SMTP account compromise attacks that use a distributed network of zombies to send spam (exim MTA only). Not enabled by default
       Modified Server Check Report for cPanel servers to see whether mod_ruid2 has been enabled, making the PHP Handler check moot
       Modified the ModSecurity regex to cater for the paid Atomic rules Apache error log non-standard format
       Modified non-cPanel new installs to disable ST_SYSTEM by default
5.52 - Alternative kill and status methods employed for lfd init process on Debian/Ubuntu
       Added new feature: System Statistics. This option will gather basic system statistics. Through the UI it displays various graphs for disk, cpu, memory, network, etc usage. The feature requires the perl module GD::Graph. It is enabled by default with the ST_SYSTEM option
5.51 - Updated Donation buttons
5.50 - Removed check for Melange on cPanel servers from Server Check Report
       Improvements to the cPanel exim SMTP AUTH login failure regex after changes in cPanel v11.32
       Added exe:/usr/local/cpanel/3rdparty/sbin/mydns to csf.pignore for new installs on cPanel servers
       Additional cmd/pcmd suggestions added to csf.pignore for new installs on cPanel servers (not enabled)
5.49 - Remove atd from Service Check in Server Check Report
       Ensure all DNS traffic between non-local IP addresses in /etc/resolv.conf is allowed through the firewall when DNS_STRICT_NS is not enabled
       Added exim to example script pt_deleted_action.pl
       Added /var/log/cxswatch.log to csf.logfiles for new installations
       Added new option LF_ALERT_SMTP which allows lfd to be configured to send alert emails via SMTP instead of through the SENDMAIL binary. LF_ALERT_SMTP needs to be set to the name or IP address of the SMTP server to use this feature
       Added new option CC_DROP_CIDR. Set this option to a valid CIDR to ignore CIDR blocks smaller than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of CC entries and may improve iptables throughput
       Improved installation procedure for checking required perl modules
5.48 - New option LF_QOS added which matches hits against the mod_qos Apache module
       New option LF_CXS added which matches hits against the mod_security Apache module rule for cxs if implemented
5.47 - Improvements to non-core perl module loading
       Improvements to PT_LOAD Apache Status retrieval and messages
       Regex modifications to cater for Dovecot v2.1+
       On cPanel servers, block additional ports that exim uses in the WHM > Service Manager for RT_*_BLOCK
5.46 - Modified upgrade warning for integrated UI to not use the DA warning text
       Validate local IP addresses
       Only check local IPv6 addresses if IPV6 is enabled in config
       Separate IPv4 from IPv6 ignore CIDRs due to Net::CIDR::Lite restrictions
       Improvements to ignore files IP address validation
       Add server check for PHP v5.2.* to the obsolete/security risk list
       Add server check for RedHat/CentOS v4.* and Fedora < v15 to the obsolete/security risk list
       Removed server checks for RLimitMEM/RLimitCPU
5.45 - Only log Log Scanner in lfd.log if DEBUG set to 2 to allow empty reports if monitoring lfd.log
       Added new option LF_BOGON_SKIP. If you don't want BOGON rules applied to specific NICs, then list them in a comma separated list
       Added new option LF_CONSOLE_EMAIL_ALERT which will send an email if there is a root login to the server console. This is enabled by default
5.44 - New feature - Log Scanner. This feature will send out an email summary of the log lines of each log listed in /etc/csf/csf.logfiles. All lines will be reported unless they match a regular expression in /etc/csf/csf.logignore
       Set LWP::UserAgent agent to "csf/[version]" instead of the default
5.43 - csf and lfd modified to better handle !lo interface for compatibility with newer iptables versions
       Removed use of Sys::Hostname::Long
       Added new options LF_APACHE_403 and LF_APACHE_403_PERM. This option will keep track of the number of "client denied by server configuration" errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information
5.42 - SECURITY FIX. Anyone running csf on a DirectAdmin server should upgrade to this release immediately: Add check for successful open of admin.list on DA servers to avoid a segfault, which could lead to a buffer overflow
5.41 - Added text description of allow/deny made by cPanel Resellers via UI in csf.allow and csf.deny
       If cPanel UI Resellers email alerts are enabled, a csf grep will be performed before an IP address is unblocked and the output included in the alert email, together with the results of the UNBLOCK
       If cPanel UI Resellers email alerts are enabled, the results of an ALLOW or DENY will be included in the alert email
       Added logging of cPanel UI Reseller actions ALLOW/DENY/UNBLOCK to /var/log/lfd.log
       Update to urlget to not fail on empty file if successfully retrieved
       Take Integrated UI out of BETA as no reported issues
       Take csf.redirect out of BETA as no reported issues
5.40 - Added new feature - csf UI Reseller functions for cPanel. See /etc/csf/csf.resellers and WHM UI
       Improvements to cse Integrated UI
       Modified redundant cPanel function calls in UI
       Removed ModSecurity functionality in UI
       Modified WHM UI "Remove Deny" to be "Quick Unblock", which now removes the entries for a specified IP address from csf.deny and/or temporary blocks
5.39 - Fixed detection of the nat tables on some Virtuozzo VPS servers
5.38 - Modification to the Integrated UI to allow access to cxs if it is installed via UI_CXS
       Include an updated cse with csf for use with the Integrated UI via UI_CSE
       Added option UI_CIPHER to allow the SSL cipher suite to be set manually for the Integrated UI
       Added HTTP request internal memory limits to the Integrated UI
5.37 - Added new BETA feature - User Interface. This feature provides a HTML UI to csf and lfd, without requiring a control panel or web server. The UI runs as a sub process to the lfd daemon. See csf.conf and readme.txt for information and requirements
       Fixed issue with RT_* regex routine ignoring 127.0.0.1
       Fixed detection of DNSONLY cPanel installs
       Added Security Check on cPanel server checks for disabled "Proxy subdomains" and "Proxy subdomain creation"
       Added new option LF_CPANEL_ALERT_ACTION. If a LF_CPANEL_ALERT event is triggered, then if LF_CPANEL_ALERT_ACTION contains the path to a script, it will run the script and pass the IP, the username and the DNS IP lookup result as 3 arguments
5.36 - Fix for the lfd child lock mechanism effectiveness
5.35 - Added new BETA feature - Port/IP address Redirection. This feature uses the file /etc/csf/csf.redirect to redirect connections from/to IP/port combinations to alternative IP/ports. See readme.txt for more information
       Updated syslog daemon checking in Server Report
       Set PT_DELETED to 0 by default on new installations
       Improvements to csf startup locking within lfd
       Improvements to error trapping between csf and lfd
       Check minimum values for interval settings and set to recommended values if too low during lfd startup to improve stability
       Added lfd child locks to improve stability due to server or network resource issues or too low an interval setting
       Updated Sanity Checks for settings
       lfd will now not start if TESTING is enabled
       Do not require write permissions to /etc/crontab when no changes required for TESTING mode enable/disable
       Prevent parricide by lfd children unless required
       Added nat table check in csf
       Fixed bug in csf --grep not matching the nat table
5.34 - Improvement to dovecot account name sanitisation checks in lfd
       Modified cronjobs for new installs to be compatible with anacron
       Added new option CLUSTER_BLOCK which is enabled by default. This allows you to disable automatic sharing of lfd blocks around a csf cluster, e.g. if you only wish to use the CLUSTER option to share settings and manual blocks and allows
       Added new option RT_ACTION. If an RT_* event is triggered, then if RT_ACTION contains the path to a script, it will be run in a child process and be passed a list of items (see csf.conf - for cPanel and DA only)
       Fix to DYNDNS Advanced Allow/Deny Filters using pipe separator
       Set permissions to 700 on *.sh, *.pl and *.php in /etc/csf/ instead of a blanket 600 of non-csf scripts
5.33 - Add link to the Changelog when csf is upgraded
       Extended urlget timeout to 300 seconds to help cope with the large MaxMind City Database download where enabled
       Include cpdavd login failures for LF_CPANEL
       Added port 2077 and 2078 to the cPanel block ports when LF_SELECT enabled
       Disable ftp Server Check reports if ftp server disabled in cPanel
       Added regex validation to any specified csf.pignore or csf.fignore entries to lfd
       Updated cPanel tier checks to cope with old STABLE and DNSONLY releases and newer v11.30+
       Improvement to account name sanitisation checks in lfd
5.32 - AUTO_UPDATES enabled for new installations in csf.conf
       Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still set in csf.conf it will be ignored
       Check MESSENGER service to ensure privileges are dropped before starting the daemon
       Drop privileges when performing removal during LF_DIRWATCH_DISABLE
       For new installations, IPV6 enabled if IP6TABLES exists and an IPv6 address is found in the output from IFCONFIG. IPV6_SPI is set according to the kernel version (i.e. whether SPI is supported or not)
5.31 - Updated the LF_TRIGGER_PERM explanation in csf.conf to properly reflect the possible settings of LF_TRIGGER
       Perform account name sanitisation checks in lfd
5.30 - Fixed a SECURITY BUG that can be exploited remotely via log file spoofing resulting in root privilege escalation. Our thanks to Jeff Petersen for reporting this issue
       All csf users should upgrade to this release immediately
5.22 - New feature: Connection Limit Protection (CONNLIMIT, CONNLIMIT_LOGGING). This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of concurrent new connections per IP address that can be made to specific ports. See csf.conf and readme.txt for more information and about the format of the CONNLIMIT option and its limitations
       Minor csf UI Firewall Configuration virtual pagination improvements
       Updated cPanel Server Check update settings for v11.30+
       Removed cPanel Server Check for new versions due to changes in the v11.30+ versioning system making this redundant
       Updated MySQL Server Check for v5.1.*
       Added a warning to csf.conf for SYNFLOOD to only enable the option if you know you are under a SYN flood attack as it will restrict all new connections to the server if triggered
5.21 - Added port 500 to DROP_NOLOG for new installations
       Corrected the LF_APACHE_404 lfd log line output
       Added startup failure on invalid PORTFLOOD settings
       Make csf.pignore item selector case-insensitive (e.g. exe: and EXE:)
       All user: item selector examples removed from the default csf.pignore for all new installations (e.g. user:mailman). csf.pignore examples for some common processes can be found here: http://forum.configserver.com/viewtopic.php?f=6&t=2059
       Updated DA and GENERIC default csf.pignore files for new installations
       csf UI Firewall Configuration virtual pagination improvements
       Updated Sanity checks for settings in csf.conf
       Modified Sanity checks for settings in csf.conf to always show the recommended range in the UI
       Set LF_GLOBAL to 0 instead of an empty string by default on new installations
       Added new option LF_LOOKUPS to toggle rDNS IP address lookups
5.20 - Updated installation scripts to distinguish between IPv4 and IPv6 port report
       Modified Virtuozzo VPS numiptent check to distinguish between host and client servers
       Added exe:/usr/sbin/ntpd to csf.pignore on new installations
       Don't perform the runlevel check on Debian/Ubuntu servers as it isn't indicative of a potential security issue as with other Linux distros
       Added new option PT_DELETED_ACTION which, if defined with an executable script, will run if PT_DELETED is triggered, passing the process PID, executable and account. An example script is provided in: /etc/csf/pt_deleted_action.pl
       If CC_LOOKUPS is enabled for the MaxMind City Database then also display the Region, where available
       Added csf UI Firewall Configuration virtual pagination
       Rearranged csf.conf for csf UI Firewall Configuration virtual pagination
       Re-instated sanity check highlights in csf UI Firewall Configuration
       Improved Server Check recursion checking in included configuration files
       Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option will keep track of the number of "File does not exist" errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information
5.19 - Added stats workaround for February/March calculations
       Added new option CC_IGNORE - this Country Code list will prevent lfd from blocking IP address hits for the listed CCs
       Reduced CC_* memory usage when loading zones
       Modified lfd logging for regex.pm and regex.custom.pm login failures to lfd.log to use the return reason from the regex match instead of a generic message. This does mean that the format for these messages has changed
       DA Server Check for proftpd - check whether pureftp=1 in DA config
       Replaced IP::Country and Geography::Countries with Geo::IP::PurePerl using the MaxMind GeoLite Country database for CC_LOOKUPS
       Added new option GUNZIP which is required to expand the MaxMind GeoLite Country database
       Extended CC_LOOKUPS which can now be configured to report Country Code and Country and City using the MaxMind City Database. See csf.conf for more information
       Added Donation buttons to csf UI main page
5.18 - Remove RT_POPRELAY_* from csf.conf on DA servers as it does not apply
       Improved Server Check for cPanel Update configuration check
       Modified csf restart to not start bandmin during the stop phase
       Modified LF_DIRWATCH to remove dependency on File::Type
       Modified LF_DIRWATCH for speedups and removed the need for a file size limit
       Debian v6 support confirmed
       Added /etc/bind/named.conf.options to the list of named.conf files to check for recursion settings (for Debian)
5.17 - Updated Server Check for cPanel Update configuration check to cater for the new format
       Disable LFD service in DA on uninstall of csf using SED instead of REPLACE
5.16 - Fixed missing perm.png from DA install
       Fixed Temporary IP Entries table headers in UI
       If DENY_IP_LIMIT is reached, remove excess IPs from iptables as well as csf.deny (previously only removed from csf.deny)
       csf on cPanel servers automatically re-enables the cPanel Bandwidth chains after iptables is configured. If bandmin is not functioning, or you don't use the bandmin stats, you can disable this new option LF_CPANEL_BANDMIN (enabled by default on cPanel servers)
5.15 - Check for multiple Ports settings for sshd in /etc/ssh/sshd_config when the LF_SELECT option is enabled
       Updated SMTPAUTH regex to detect more login authentication methods
       Updated AUTHRELAY regex to detect more login authentication methods
       Added option to UI to permanently block temporarily blocked IPs
5.14 - Updated RELAY regex to detect the dovecot/courier login authentication methods on cPanel servers
       Updated Server Check Report to reflect cPanel/WHM changes in v11.28, including additional checks and updating reference text
       Added checks to LF_DIRWATCH_FILE to ensure watched resources exist on startup and while running a check. Those that do not exist are ignored and logged in lfd.log
5.13 - Added obsolete OS checks for Fedora v11 and v12, plus RedHat/CentOS v2 and v3 in Server Check
       Fixed broken reference URLs in Server Check for cPanel servers
       Modified statistics to not display pie chart if no data is available
       Sort LF_DIRWATCHFILE output by time to improve the reported results
       Added new setting for AT_ALERT to only trigger on modification to the root account (i.e. not all superuser accounts)
       Tested successfully for support on Fedora v14 and Ubuntu v10.10
5.12 - Added some lfd blocking statistics which can be viewed via the UI. Requires gd graphics library and the GD::Graph perl module with all dependent modules
       Added 8th argument to BLOCK_REPORT for the setting that triggered the block
       Added setting that triggered a block to lfd log lines
5.11 - Removed erroneous Port Knocking messages in lfd.log when PORTKNOCKING_ALERT not enabled
       Added 'exe:/usr/bin/postgres' to the cPanel csf.pignore for new installations
       Added retry timeout in WHM UI for checking www.configserver.com for new version information (to avoid repeated hangs when unreachable)
       Fixed LF_PERMBLOCK issue that flushed all temporary IP blocks, not just the IP being permanently blocked
       Added check to PHP Server Check that php -i output is complete
5.10 - Always report UID:GID of a DIRWATCH file in case the user account owning a reported file no longer exists
       Report error gracefully on CIDR->add failures and continue
       Added "query (cache)" check to BIND flooding regex
       Fix issue with killing Advanced Port blocks using the pipe separator
       Update warning messages to include xt_owner with ipt_owner
       Replace URL in Server Check for instructions on disabling IPv6
       Fixed a bug in LF_CPANEL_ALERT ip address tracking
       Added new option LF_CPANEL_ALERT_USERS to be used with LF_CPANEL_ALERT to alert for a specified list of WHM/cPanel account logins. See csf.conf for more information
       Added new feature: Port Knocking. See csf.conf and readme.txt for more information on the PORTKNOCKING, PORTKNOCKING_LOG and PORTKNOCKING_ALERT options
       Added new UI option: Quick Ignore, for IP addresses
5.09 - Added Server Check report check that klogd is running if using syslogd or that klog module is loaded if running rsyslogd
       Added Server Check report checks for apache settings: TraceEnable, ServerSignature, ServerTokens and FileETag on cPanel servers
       Fixed ip6tables IPV6_SPI check warning for older kernels
       Added instruction to open outgoing TCP6 and UDP6 ports when using an older kernel for ip6tables
       IPv6 Final (no longer Beta)
       Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you do not want this to apply to LT_POP3D/LT_IMAPD, then enable this option
       Added new option PT_USER_ACTION. If a PT_* event is triggered, then PT_USER_ACTION will be run in a child process and passed the PID(s) of the process(es)
5.08 - New option CLUSTER_MASTER which is the IP of the master node in a cluster allowed to send CLUSTER_CONFIG changes. This must be set in order to use CLUSTER_CONFIG options
       Added new Cluster CLI option --cfile (-cf) for sending a file to cluster members. The file will only be uploaded to the /etc/csf/ directory
       Added new Cluster CLI option --crestart (-crs) to initiate a restart of csf and lfd on all cluster members
       Removed CLI option -ccr, --cconfigr [name] [value] in favour of the new --crs, --crestart option
       Modified regular expressions to cater for RFC3339 date format in log files. For example, RFC3339 date format used by default in rsyslog on CentOS v5.5
5.07 - Fixed bug introduced in v5.04 that omitted two outgoing DNS lookup rules that could affect servers where iptables connection tracking isn't working correctly
5.06 - Increased PT_USERMEM default to 200 from 100 for new installations
       Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for report generation in lfd which caused lfd to fail in Net::CIDR::Lite
5.05 - Updated the Server Check report IPv6 text
       Fixed ip6tables command execution in iptables firewall during startup
5.04 - Added BETA IPv6 support. See csf.conf for more information on the new settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT
       New CLI option csf --status6 (csf -l6) added to list ip6tables rules
       Changed temporary DENY and ACCEPT working file formats to use a different record separator to cater for future IPv6 support
       Advanced Allow/Deny Filters now use | as the separator character to cope with IPv6 addresses. Legacy support remains for the old : separator for IPv4 addresses, though these should also now use | as the field separator
       In Server Check report, don't issue IPv6 warning if only ::1/128 is bound to a NIC (i.e. loopback)
       Upgraded Net::CIDR::Lite to v0.21
       Upgraded from IP::Countries to Geography::Countries
5.03 - Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK
       Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites
       Changed DA default configuration of FTPD_LOG to "/var/log/secure"
5.02 - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allow sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information
       Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. These default to the original values previously hard-coded
       Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and allow connections to locally configured IPs as well
       Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1
       Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP
       Added lfd check to enforce 0600 permissions on /etc/csf/
5.01 - Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
       Added new CLI option csf --tempallow (csf -ta) which works in exactly the same way as csf --tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries
       Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers
       Updated UI entry for adding and removing temporary allows and blocks
       Display temporary block TTL in days, hours, minutes and seconds
       Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information
       Modified csf and lfd init scripts to be LSB-compliant
       Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts
       Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error
5.00 - lfd Clustering, final release. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications
       Added new option LF_DISTATTACK. Distributed Account Attack detection. This option will keep track of login failures from distributed IPs to a specific application account. If the number of failures matches the trigger value, ALL of the IP addresses involved in the attack will be blocked. This option is currently disabled by default - see csf.conf for more information
       Added new option PT_USERKILL_ALERT if you want to disable email alerts for PT_USERKILL triggers. This option is enabled by default, i.e. alerts are sent
       Added new options LF_QUICKSTART in csf.conf and CLI options -q, --startq, -sf, --startf to allow deferral of csf startup to lfd instead of waiting for the CLI to perform the work.
See the CLI help and csf.conf for more information Added UI option for "Firewall Quick Restart" which uses csf -q, "Firewall Restart" uses csf -sf lfd now restarts csf (if stopped and LF_CSF enabled) within the main process to enhance the integrity of the firewall Multiple login failure regex detection improvements Fixed typos in permblock.txt 4.99 - Improved csf locking to enhance the integrity of the firewall Log lfd csf deny failures New SSHD regex added Improved the dovecot regex's New Beta option: lfd Clustering. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications 4.89 - New SSHD regex added Added Server Check to check whether SSHD UseDNS is set to "no" - it should be disabled Added an Important Note to the readme.txt regarding the sshd UseDNS setting Speedup for LF_DIRWATCH regex matching 4.88 - Fixed URL's in Server Check report for cPanel if Security Tokens are enabled in v11.25+ Added ipv6 explanation that the information is determined from the output from ifconfig and display ipv6 addresses found Added the ability to use Include statements in csf.deny and csf.allow, see readme.txt for information and restrictions 4.87 - Ignore csf.rignore for LT_POP3D and LT_IMAPD Removed unnecessary csf.locks during some GLOBAL list updates Updated Copyright notice Modified the block message for LF_MODSEC and LF_SUHOSIN to be more appropriate (i.e. not "login failures") Added new block options for BIND denied requests: LF_BIND, LF_BIND_PERM, BIND_LOG. This works in the same way as the other similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have had BIND (named) requests denied more than LF_BIND times in LF_INTERVAL seconds. 
Currently named client denied log lines for "update" and "zone transfer" trigger the option Modified GLOBAL_ routines to continue if retrieval for one fails instead of immediately exiting Added IPv6 check to Server Check Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled on single line comments (lfd.log, csf.deny, etc) Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the respective email alerts can be disabled Updated IP::Country 4.86 - Added Dovecot regex checking for LT_POP3D and LT_IMAPD Modified Server Check for Fedora v10 EOL now that Fedora v12 has been released Improved Dovecot IMAP and POP3D login failure regex Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD Fixed TLSCipherSuite Server Check for proftpd Added SSHD regex for "Did not receive identification string from IP" failures 4.85 - Further improvements to ICMP rule filters - Added backup mod_security log viewer for non-cPanel servers 4.84 - Mod_security log viewer removed from csf in favour of cmc Improved ICMP rule filters. This could help some hosts that experience connection issues with csf Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS to include this, i.e. to Port Scan for all ports use: PS_PORTS = "0:65535,ICMP" This is now the default on new installations 4.83 - Added multiple checks to the Server Check for new cPanel v11.25 security settings Tidied up and rearranged the main UI Removed redundant UI options Added total perm bans to UI 4.82 - Removed the need for UI lfd cron restart jobs on Direct Admin 4.81 - Fixed case sensitivity issue introduced in v4.80 with port specific lfd deny lines being ignored 4.80 - Modified WHM login regex to only trap successful root page displays for LF_CPANEL_ALERT Apache status for PT_LOAD now checks http://127.0.0.1/server-status on GENERIC/DA servers. 
You need to ensure that the server-status page has access from 127.0.0.1 in the apache server-status Location container Extended SU log file regex for Debian servers Sanitise UI file edit HTML output Improvements to the removal of alternative firewalls script Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS list via URL Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE, especially on Debian Improved detection of already blocked IP addresses 4.79 - Withdrawn 4.78 - Modified DA installation to overcome permissions problems on some systems preventing the UI from working 4.77 - Expanded dovecot regex matching Fixed the generic installation to install regex.custom.pm 4.76 - Added check for FrontPage extensions to Server Check as they should be considered a security risk as they were EOL in 2006 Added support for the impending cPanel v11.25 Security Tokens feature 4.75 - Added a [block] section to the Login Failure alert.txt template. This new report template will be copied to /etc/csf/alert.txt.new on existing installations, rename it to alert.txt to use it Modified existing lfd alerts to use currently used tags instead of appending block information to the IP address (alert.txt modified as above) Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for email sent via a local IP addresses, separating the trigger from RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf for more information Added Relay Tracking to Direct Admin running exim. 
See RT_* and SMTPRELAY_LOG in csf.conf for more information Added csf.mignore to allow ignoring of specified usernames or local IP addresses from RT_LOCALRELAY_ALERT Modified csf UI to use a single dropdown for all lfd ignore files Added proftpd regex matching for "UseReverseDNS on" in proftpd config 4.74 - Removed FUSER from csf.conf as it is no longer used Added UNZIP to csf.conf which is required for Country Code to CIDR functions Modified the Country Code allow/deny/allow_filter feature to generate CC CIDRs from the Maxmind GeoLite Country database instead of using iplocationtools.com. Note: GeoLite is much more accurate that the previous zones used. This also means that there are usually more CIDRs for each CC which adds to the burden of using this feature 4.73 - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's to prevent module failures New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses WHM via root. An IP address will be reported again 1 hour after the last tracked access (or if lfd is restarted) 4.72 - Modified mail sending code to use a common procedure that copes better with differing combinations and variations of From:, To:, LF_ALERT_TO and LF_ALERT_FROM settings for lfd alerts 4.71 - Code speedups in csf --grep Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note added to alert if ip match found Modified Server Check for Fedora v9 EOL now that Fedora v11 has been released Modified iptables output from csf.pl to exclude the Fedora v11 intrapositioned negation messages Fixed typo in integrity.txt alert template for new installations Modified the email header for csf --mail Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY Modified lfd output filehandle names to avoid read/write conflicts Added Advanced Allow/Deny Filters for csf.dyndns. 
See readme.txt for an example Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where only listed Country Codes are allowed, however normal port and packet filter rules are still applied to those connections. All other connections are dropped 4.70 - Modified UI access to csf.sips to display checkboxes instead of direct editing, for ease of use Fixed problem where RELAYHOSTS setting wasn't always being honoured Modified mod_security configuration editor to handle HTML elements Rewritten RT_*_ALERT regex and counting code to better deal with a variety of exim log output formats Added recipient count to RT_*_ALERT to include emails sent to multiple recipients. This option requires that the exim log_selector setting in the exim configuration includes the option: +received_recipients So, the recommended log_selector setting is now: log_selector = +subject +arguments +received_recipients Modified Server Check cPanel version check to cater for x86_64 OS's Added check to prevent Server Check mail report cron duplicates Added abbreviated UI for mobile phone access to Quick Allow, Quick Deny and Remove Deny. 
Direct URLs: cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1 DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1 Webmin: https://1.2.3.4:10000/csf/?mobi=1 4.69 - Added Gentoo (generic) support Added Server Check for MySQL LOAD DATA LOCAL Modified Server Check for enable_dl to also check whether dl is in disable_functions 4.68 - Added ipv6 IP detection for proftpd login failures Removed ossec and webmin from the Server Check services section 4.67 - Modified the Country Code allow/deny feature to use iplocationtools.com now that ipdeny.com has gone offline 4.66 - Modified OS version check to prevent Fedora v10 obsolete false-positive in Server Check Modified the exim SMTP AUTH regex to use the latest cPanel/exim format Added failure notification for DYNDNS entry lookups in lfd if they fail to resolve or timeout 4.65 - Modified Firewall Security Level UI to set PS_LIMIT within range Fixed problem processing template for SU_ALERT Empty csf.dshield on upgrade to work around problem where DSHIELD blocked themselves in their own BLOCK list 4.64 - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work if SMTP_BLOCK isn't actually enabled Added new CLI option (csf -uf) which forces an update of csf+lfd Added new CLI option (csf -df) which removes and unblocks all entries in /etc/csf.deny (excluding those marked "do not delete") Added new UI option to that removes and unblocks all entries in csf.deny (excluding those marked "do not delete") and all temporary IP bans Added csf file names to the csf UI options 4.63 - New feature - Added new CLI option: csf --mail (or csf -m) which can take an email address as an argument. 
       It will display the Server Check in HTML or send the output to the email address if present
       Added option to UI Server Check to schedule csf to generate the report and email the results to the address specified at the interval specified
       Removed MySQL check from cPanel DNSOnly Server Check
       Updated the perl v5.8.8 Server Check comment
       Fixed sanity check for RT_*_BLOCK
       Fixed copy of install.txt for generic installs and upgrades
       Modified UI for Deny Servers IPs > Change to indicate that csf needs restarting, not lfd
       Added built-in replacement function for the Messenger Service message files for [HOSTNAME], which will be replaced by the server's FQDN hostname
       Updated the sample Messenger index templates
       Updated the uninstall scripts to remove the cronjob and logrotate files
       Added colour highlights to the Quick Allow and Quick Deny UI boxes

4.62 - Fixed problem with SU_ALERT alert report in v4.61
       Modified the Server Check for cPanel update settings to check for daily updates more accurately
       Added Server Check for cPanel tree
       Upgraded IP::Country
       New feature - Added sanity check to configuration values in csf, UI Server Check and UI Firewall Configuration. In the UI Firewall Configuration: lines highlighted in red fall outside the recommended range; lines highlighted in pale green differ from the default on installation
       Added cPanel Security Check to check that at least one configured nameserver is on a different server
       Added proftpd checks to csf (for VPS servers) and in Server Check
       Added DirectAdmin Checks to UI Server Check for: SSL login to DA; proftpd cipher; nameserver on a different server; PHP version and configuration checks; Apache version; dovecot cipher
       Removed resolv.conf localhost check

4.61 - Modified lfd iptables command error handling to log errors and continue instead of terminating when in TESTING mode
       Removed loading of iptables modules from csftest.pl to avoid modprobe problems with some OS kernels
       Added Connection Tracking check for pre-existing block to cater for linux connection status timeouts
       Moved LF_CSF check to the start of the lfd processing interval
       New option LF_ALERT_FROM. If set, the value of this option will override the From: field in all of the lfd alert templates. This change also uses the From: field in the template (or this option if set) as the value for the SENDMAIL -f option
       Modified POP/IMAP Server Checks for the chosen mail server only on cPanel servers
       Modified FTP Server Checks for the chosen ftp server only on cPanel servers
       Added SMTP Tweak to Server Check on cPanel servers and removed block on csf starting if enabled

4.60 - Modified cipher checks to strip out quotes
       Modified Apache cipher message to remind that you have to rebuild the Apache configuration and restart for changes to be effective

4.59 - Added proftpd regex for Plesk server log file format
       Modified the Server Check cipher checks for pure-ftpd and Apache to use openssl to ensure SSLv2 is disabled
       Added cPanel Server Check checks for dovecot, courier-imap IMAP and POP3D SSL cipher list
       New option SAFECHAINUPDATE added. If enabled, all dynamic update chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN) will create a new chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the old dynamic chain and rename the new chain. See csf.conf for more information. This option is disabled by default, but we do recommend that it is enabled on non-VPS servers with restrictive numiptent values
       Added SAFECHAINUPDATE to the firewall Server Check (except for Virtuozzo VPS servers)
       Modified Server Check on cPanel to make the PHP v4 warning clear and to warn where PHP v5 and v4 have both been compiled (PHP v4 is obsolete and should not be used at all anymore)
       Added WHM checks for skipparentcheck and cpsrvd-domainlookup to Security Check
       New option LF_ALERT_TO. If set, the value of this option will override the To: field in all of the lfd alert templates

4.58 - Modified exim cipher check in Server Check to use openssl to test the expanded configured cipher suites to ensure SSLv2 is disabled

4.57 - Improved exim configuration option detection in Server Check
       Added Exim Configuration checks to DirectAdmin Server Check
       Modified csftest.pl to perform a modprobe on all used iptables modules before testing
       Added PASV port hole warning on VPS servers to the output of csf on start and to the cPanel (if using pure-ftpd) Server Check
       Added lfd to the DirectAdmin Service Monitor
       Added back a revised Firewall Security Level option to UI

4.56 - Added TCP_OUT port 2222 for the DA default configuration for new installations
       Added ICMP protocol to Advanced Allow/Deny Filters.
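The chain swap that the SAFECHAINUPDATE entry above describes, as an added example written for this page (not csf's own Perl code): it builds the iptables command sequence and replays it against a small in-memory model of the chains to show that the parent chain is never left jumping only at an empty chain, unlike a flush-and-refill. The `_NEW` suffix, the sample rule list and the explicit removal of the old jump before deleting the old chain are assumptions of this example.

```python
import subprocess

def safe_chain_update_plan(chain, parent, rules, iptables="iptables"):
    """Ordered iptables commands for a SAFECHAINUPDATE-style refresh: build a
    replacement chain, link it into `parent`, only then unlink, flush and delete
    the old chain, and finally rename the new chain to the old name.
    The "_NEW" suffix and the explicit -D are assumptions, not csf's code."""
    tmp = chain + "_NEW"
    plan = [[iptables, "-N", tmp]]
    plan += [[iptables, "-A", tmp, *rule] for rule in rules]
    plan += [[iptables, "-I", parent, "-j", tmp],    # new chain enforced from here
             [iptables, "-D", parent, "-j", chain],   # old jump removed only now
             [iptables, "-F", chain],
             [iptables, "-X", chain],
             [iptables, "-E", tmp, chain]]            # rename back to original name
    return plan

def in_place_update_plan(chain, rules, iptables="iptables"):
    """Plain refresh: flush the live chain and refill it, which leaves the chain
    empty (nothing enforced) until the first rule is re-added."""
    return [[iptables, "-F", chain]] + [[iptables, "-A", chain, *rule] for rule in rules]

def exposed_steps(plan, parent, chain, current_rules):
    """Replay a plan against a tiny constructed model of the chains (not iptables
    itself) and count the steps after which `parent` has no jump to a chain that
    still holds rules, i.e. steps during which the list is not enforced."""
    chains = {parent: [["-j", chain]], chain: [list(r) for r in current_rules]}
    exposed = 0
    for cmd in plan:
        op, name, args = cmd[1], cmd[2], cmd[3:]
        if op == "-N":
            chains[name] = []
        elif op == "-A":
            chains[name].append(args)
        elif op == "-I":
            chains[name].insert(0, args)
        elif op == "-D":
            chains[name].remove(args)
        elif op == "-F":
            chains[name].clear()
        elif op == "-X":
            del chains[name]
        elif op == "-E":  # rename the chain and fix up the parent's reference to it
            chains[args[0]] = chains.pop(name)
            chains[parent] = [["-j", args[0]] if r == ["-j", name] else r for r in chains[parent]]
        if not any(chains.get(r[1]) for r in chains[parent] if r[0] == "-j"):
            exposed += 1
    return exposed

def apply_plan(plan, dry_run=True):
    """Run the plan with subprocess (needs root and iptables); a dry run only returns it."""
    for cmd in plan:
        if not dry_run:
            subprocess.run(cmd, check=True)
    return plan

# Constructed sample deny list using documentation address ranges (not from the page)
SAMPLE_RULES = [["-s", "203.0.113.0/24", "-j", "DROP"], ["-s", "198.51.100.0/24", "-j", "DROP"]]
```

The price of the safe sequence is that both chains coexist briefly, which is why a restrictive numiptent limit on a VPS can make it fail.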
       See readme.txt for more information and examples
       Updated readme.txt to reflect the Control Panel UI availability for cPanel, DirectAdmin and Webmin
       Modified mod_security configuration file check to the TLD only of /usr/local/apache/conf/ and only files ending in .conf

4.55 - Fixed issue with csf.conf not being loaded for the Server Check Report
       Removed erroneous chkconfig check from Server Check Report
       Disabled various checks in Server Check Report for non-cPanel servers
       Modified Debian/Ubuntu init entry creation and removal procedure
       Modified Server Check to search for multiple named.conf locations

4.54 - Bug fix to Exploit Check code
       Fixed problem with iptables logs not being collated if PS_INTERVAL is disabled but ST_ENABLE is enabled
       Fixed potential problem with SMTPRELAY_LOG not being scanned when RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled

4.53 - Upgraded the csf Webmin UI module to the new csf UI and added installation/upgrade instructions to the install.txt for Webmin
       Fixed image locations and javascript in DA and webmin UI
       Updated the uninstall scripts and the uninstall section of install.txt

4.52 - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd
       Added warning in DA UI to upgrade csf from the root shell due to restrictions in DirectAdmin
       NOTE: DA users should upgrade csf to this version from the root shell using "csf -u" and not use the Upgrade button in the UI

4.51 - Fixed csf --upgrade (csf -u) for DA installations

4.50 - Added restrictions information regarding the PORTFLOOD setting and ipt_recent to readme.txt (i.e. hit count max is 20)
       Modular development of csf UI
       Added DirectAdmin UI and installation support for csf/lfd
       Added Statistics options (ST_ENABLE, etc) to generic csf installation
       Added SMTP options (SMTP_BLOCK, etc) to generic csf installation
       Removed pre-configured firewall settings through UI for redevelopment as it has become out-dated
       Modified csf UI to signal lfd to start/restart/enable only. A one minute cron job will actually perform the signalled function. The CLI is unaffected and performs the command immediately. This is introduced to overcome fork issues from within an Apache session

4.41 - Added information about running external iptables commands using csfpre.sh and/or csfpost.sh to readme.txt
       Added new CLI option csf --addrm (csf -ar) to remove an IP address from csf.allow and delete the associated iptables rules
       Removed the need for the MONOLITHIC_KERNEL option and made modprobe perform silently on csf startup. Added the relevant information regarding some Monolithic kernels and the need for a PASV port range hole to readme.txt
       Added timeout to csf modprobe to avoid startup hanging on buggy kernels

4.40 - Added workaround for php --info bug in Server Report when checking PHP configuration settings
       Modified LF_INTEGRITY to regenerate the md5sum comparison file immediately after a match is found instead of waiting for the next cycle
       Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty

4.39 - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and LF_NETBLOCK_COUNT will act if more than the number of hits are detected, not on the exact number set
       Modified csf WHM UI to use csf -u to upgrade csf when a new version is available
       Added new script /etc/csf/csftest.pl which will test the server's iptables modules for functionality. The tests are for the required iptables modules and the optional modules for the SMTP_BLOCK, PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool for kernel/iptables problems and to check whether the features above will function
       Added csf WHM UI option to run csftest.pl
       Updated the csf install.txt to run csftest.pl before running up csf

4.38 - Improved detection of working ipt_owner iptables module on VPS servers such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks will be automatically disabled and csf will continue to start

4.37 - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended setting for cPanel servers which use ping times to determine fastest mirrors for various update functions
       Modified PT_LOAD_ACTION code to stop duplicate load emails from being sent by lfd
       Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains
       Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter rules on VPS Servers as ipt_owner is now apparently supported on the latest kernels. However, if the latest kernel isn't being used or the VPS host hasn't included the ipt_owner iptables module for the client VPS, then csf will fail with an error

4.36 - Modified Process Tracking to allow regex exceptions in csf.pignore for deleted executable processes

4.35 - Modified regex.pm detection of iptables kernel log lines to cater for alternative formatting
       Restored the substitution of the NULL separator with spaces for the /proc/PID/cmdline in Process Tracking

4.34 - Added code to Process Tracking to translate non-printable characters to especially help detect and report deleted executable file processes
       WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd and awstats.pl from lfd.pl. If you want to ignore such processes for Process Tracking, you will need to add appropriate ignore rules to csf.pignore for them

4.33 - Disable ST_LOOKUP by default on new installations
       Modified lfd stats performance when ST_LOOKUP is enabled and added a warning for this setting to csf.conf for when DROP_IP_LOGGING is enabled

4.32 - Modified the su tracking regex to better trap RHEL/CentOS v5 su login attempts
       Added a Server Check for "FTP Logins with Root Password"
       Added new WHM UI option to display Last X iptables Log Lines. Note that the report will only display log lines since this update. The new statistics will be expanded in future developments.
       Added new ST_* options to the cPanel csf.conf to control the recording of stats
       Removed fwlogwatch from distro and will use self-produced reports

4.31 - Added warning for those that enable PT_USERKILL in csf.conf - i.e. it is not a good idea to use that option
       Modified PT_USERKILL to not kill (deleted) processes (these should be restarted manually after investigation) as per the documentation

4.30 - If you add the text "do not delete" to the comments of an entry in csf.deny then DENY_IP_LIMIT will ignore those entries and not remove them.
       Updated csf.deny information text for new installations
       Made the (deleted) process text even more explicit for those that are not reading csf.conf or the FAQ for their explanation
       Updated DSHIELD information URL in csf.conf
       Added new feature - csf.rignore is an ignore file that lists domains and partial domains that lfd should ignore. Read /etc/csf/csf.rignore for more information
       Option GOOGLEBOT removed. This feature is now performed using csf.rignore. If GOOGLEBOT was previously enabled it will be added to csf.rignore

4.29 - Added Slackware support (tested on v12.2.0)
       Added Fedora v10 support
       Added new option GOOGLEBOT - Prevent *.googlebot.com from being blocked by lfd. See csf.conf for more information
       Added csf version from/to to output from csf --update when upgrading

4.28 - Fixed GENERIC csf problem with csf.pl perl modules

4.27 - New Feature - Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports. This option limits the number of connections per time interval that new connections can be made to specific ports. See csf.conf and readme.txt for more information. This option is only available on servers with the ipt_recent kernel module
       cPanel DNSONLY compatibility added - Thanks to JJ for the assistance
       Improved Cipher suite checking and advice for Apache and FTP in Server Check
       Remove md5sum check from JS exploit check as it is covered by LF_INTEGRITY and causes confusion
       Added new option LOGFLOOD_ALERT which will send an email alert based on logfloodalert.txt if lfd skips log lines due to log file processing problems
       Added new option PT_DELETED together with the FAQ explanation as to why lfd reports deleted processes. The option can be disabled to ignore such processes
       Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow exceptions to SMTP_BLOCK

4.26 - New Feature - Country Code to CIDR allow/deny. This feature can allow or deny whole country CIDR ranges. The CIDR blocks are downloaded from http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW, CC_DENY and CC_INTERVAL in csf.conf
       Expanded the dovecot regex to include more login failure permutations
       Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel servers
       SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default

4.25 - Fixed bug in csf --grep when CIDRs used in advanced port filters
       Fixed problems with aborted Server Check Report
       Fixed position of the lo device rule in the OUTPUT chain which broke SMTP_BLOCK
       Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all listed ports (not just port 25). This is populated on installation or when TESTING = 1 if an additional port is listed in "WHM > Service Manager > exim on another port". Otherwise, SMTP_PORTS needs to be updated manually. The default setting contains port 25
       SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled

4.24 - Added workaround for issue with WHM image display in the addon header for cPanel v11.24
       *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report
       *Added cPanel v11.24 FTP Cipher Suite checks in Server Report
       *Added cPanel v11.24 Apache Cipher Suite checks in Server Report
       *Added cPanel v11.24 Exim Cipher Suite checks in Server Report
       Added Fedora v8 to the obsolete OS list now that v10 is out
       Updated dovecot regex in regex.pm for v1.1.6 used by cPanel
       * Will only display if cPanel version is >= 11.24

4.23 - Added skip to connection and process tracking for empty tcp6 connection data
       Fixed PT_LOAD email output of ps and vmstat

4.22 - Additional fixes for an issue on VPS servers where temporary block removal from csf.tempban failed

4.21 - Fixed an issue on VPS servers where temporary block removal from csf.tempban failed

4.20 - Modified csf.tempban processing code in lfd to perform more stringent file locking to preserve temporary bans if lfd is writing during shutdown
       Modified Port Scan tracking of IPs to not attempt multiple blocks on the same IP address in the same log line processing batch
       Fixed broken timestamp in lfd.log for dates < 10th of the month
       Various code modifications to improve performance and stability

4.19 - Reverted the tied file changes as they were causing a deadlock situation locking csf.tempban
       Improved the process tracking detection of deleted executables of running processes

4.18 - Modified temporary IP address storage to use a tied file to preserve temporary bans if lfd is writing during shutdown

4.17 - Replaced the use of backticks in csf, lfd and the WHM UI with calls to IPC::Open3
       Various lfd and csf code improvements and tidy up
       Ensure lfd parent dies cleanly on error
       Debug information improved and timer modified to use Time::HiRes for more accuracy

4.16 - Removed port 953 from the TCP and UDP allow lists for new csf installations as it's not necessary to whitelist as bind listens on the localhost device for such control connections by default
       Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login, exe:/usr/libexec/dovecot/imap-login to new and old cPanel installations csf.pignore to cater for cPanel support for both nsd and dovecot (currently in EDGE)
       Only use Cpanel::Rlimit if it's available in WHM UI

4.15 - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing connections from blocked IP addresses in csf.deny or temporary blocks. The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN, GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct this. Many thanks to Brian for his help in tracking this issue down.

4.14 - Implemented the use of cPanel routine Cpanel::Rlimit to remove process resource limit restrictions as the cPanel memory limitation setting was causing the Server Check to abort with memory allocation problems through WHM on some servers
       Modified port checking for 23 and 53 in Server Check to no longer use the fuser binary and use the port mappings directly from /proc
       Modified lfd and Server Check to check for IPv6 bound processes as the IPv4 and IPv6 connections are stored in a different file to IPv4 only bound processes

4.13 - Updated various comments in csf.conf
       Fixed call to csfpost.sh from csf

4.12 - Modified lfd Login Failure tracking to use a per IP address rolling LF_INTERVAL window rather than a static one for all tracked IPs. This makes login failure counting more accurate and blocking more responsive
       Added new feature - Block Reporting. lfd can run an external script when it performs an IP address block following, for example, a login failure. BLOCK_REPORT is set to the full path of the external script.
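The per-IP rolling LF_INTERVAL window introduced in 4.12, as an added example written for this page (not lfd's Perl code): a rolling counter and a static, globally reset counter are run over constructed failure timestamps with LF_INTERVAL = 300 s and a trigger of 5, and only the rolling version catches a burst that straddles a static window boundary. The static model's alignment to multiples of LF_INTERVAL, the `lf_trigger` name and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of parsed login failures as (epoch seconds, source IP); not from the page.
# 203.0.113.7 fails five times in 120 s, 198.51.100.9 fails four times spread over 900 s.
SAMPLE_FAILURES = [
    (250, "203.0.113.7"), (280, "203.0.113.7"), (300, "198.51.100.9"),
    (310, "203.0.113.7"), (340, "203.0.113.7"), (370, "203.0.113.7"),
    (650, "198.51.100.9"), (900, "198.51.100.9"), (1200, "198.51.100.9"),
]

def rolling_window_blocks(failures, lf_interval, lf_trigger):
    """Per-IP rolling window (the 4.12 behaviour): each IP keeps its own
    failure timestamps, entries older than lf_interval seconds are expired
    relative to the newest failure, and the IP is blocked once lf_trigger
    failures remain inside that window. Returns {ip: block_time}."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(failures):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - lf_interval:   # drop failures outside the window
            q.popleft()
        if len(q) >= lf_trigger:
            blocked[ip] = ts
    return blocked

def static_window_blocks(failures, lf_interval, lf_trigger):
    """Static window (pre-4.12 behaviour, modelled here as windows aligned to
    multiples of lf_interval): one clock for all IPs, every counter is reset at
    each boundary, so a burst that straddles a boundary is split in two and may
    never reach lf_trigger. Returns {ip: block_time}."""
    counts = defaultdict(int)
    blocked = {}
    window_end = None
    for ts, ip in sorted(failures):
        if window_end is None:
            window_end = ts - (ts % lf_interval) + lf_interval
        while ts >= window_end:                  # boundary crossed: reset everyone
            counts.clear()
            window_end += lf_interval
        if ip in blocked:
            continue
        counts[ip] += 1
        if counts[ip] >= lf_trigger:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    print("rolling:", rolling_window_blocks(SAMPLE_FAILURES, 300, 5))
    print("static: ", static_window_blocks(SAMPLE_FAILURES, 300, 5))
```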
       See readme.txt for format details
       If csf is installed or upgraded via an SSH session the connecting IP address will now be automatically added to csf.allow (note: it is not added to csf.ignore so lfd may still block it). This IP can be removed after testing if desired
       Modified the lfd.log format to the standard: