ChangeLog: 14.20 - Modified MaxMind URLs to use https Fixed DCOTYPE print order for integrated UI login Added "Require all granted" to Messenger v3 .htaccess generation Normalise source IP during connection tracking for IPv6 comparisons Fixed regression for some IMAP logon failure detections 14.19 - Switch to using iptables-nft if it exists in /usr/sbin/iptables-nft Added IO::Handle::clearerr() call before reading data from a log file Added "Require all granted" to the MESSENGER .htaccess file Added UID/GID rules to IPv6 if enabled Modified dovecot regex to look for "failed: Connection reset by peer" 14.18 - Added port 853 for DoT to all new installs Added exe wpt-panopticon on cPanel servers to csf.pignore Updated list of EOL PHP versions Modified HTACCESS regex to include "remote" as well as "client" log lines Implemented DA POST workaround for saving large text files via the UI Modified MESSENGER to only send unblock email if a valid IP is requested Modified DA server check to look for multiple php versions in /usr/local/php* 14.17 - Removed Security Report recommendations that do not apply to unsupported control panels Updated Security Report to show PHP v7.3 is EOL Confirmed support for RHEL v9 14.16 - Removed some spurious debug code Modified alert templates for: LF_WEBMIN_EMAIL_ALERT LF_CPANEL_ALERT LF_SUDO_EMAIL_ALERT LF_SU_EMAIL_ALERT LF_SSH_EMAIL_ALERT These have been changed to include the log line that triggered the alert to help give context to the alert and the date/time from the log to identify when the event occurred. All the relevant templates are modified to include the log line for existing and new installs Implemented an addition check for webmin that we're in the csf module before creating symlink to the UI script Fixed parameter checking for some dovecot regexes If DEBUG is enabled and the sendmail binary fails to send an lfd alert, the email text will now be logged to /var/log/lfd.log with an error 14.15 - Fixed regression issue with logfile regexes Implemented an improved email wrapper 14.14 - Fixed issue with using Text::Wrap 14.13 - Added inline pid match to all system regexes to cater for logging changes Use Text::Wrap to ensure email line lengths are within specifications Updated dovecot log regexes to support the changed format in v2.3.15+ 14.12 - Added cPanel SaaS servers to cpanel.allow Added a fix for RHEL v8 processes that were reporting excessive null or whitespace characters at the end of /prod/[pid]/cmdline. This is turn meant that such processes (e.g. spamd on cPanel servers) subverted some entries in csf.pignore Updated systemd entries in csf.logignore for RHEL v8+ Updated dovecot log regexes to support the changed format in v2.3.15+ Modify LookUpIP to hopefully account for data inconsistencies from Maxmind 14.11 - Added entries in csf.pignore for new cPanel installations: exe:/usr/sbin/mariadbd exe:/usr/sbin/atd exe:/usr/lib/systemd/systemd-timesyncd exe:/usr/lib/systemd/systemd-networkd exe:/usr/sbin/rsyslogd Updated configuration files to support cPanel on Ubuntu In Server Check don't check for Fork Bomb protection on cPanel servers running CloudLinux 14.10 - Fixed error message regarding location/permissions to the iptables binary in correctly referencing ip6tables Added PASV port range hole for VZ servers on cPanel for new installs Fixed MESSENGERV3 Apache tree search where ServerRoot is not configured so that csf defaults to /etc/apache2/ so that relative Includes are still defined correctly Modified LF_BIND regex to deal with new log field 14.09 - Improvements to CC IP lookup binary search Modified index.recaptcha.php and index.php to use square instead of deprecated curly brackets on array index for PHP v7.4+ Modified Server Check regex matching on include in dovecot config files in RHEL v8+ Added workaround for iOS issue with bootstrap modals Added EOL messages to Server Check report Modified dovecot.conf parsing on cPanel for include_try in Server Check Modified Apache 404 regex to check for either "info" or "error" Added two new CLI options: --temprma [ip], --temprmd [ip]. This allows distinction between allow and deny that does not exist for --temprm [ip] Updated UI to offer either --temprma [ip] or --temprmd [ip] instead of --temprm [ip] Added PHP v7.2 EOL notice to Server Report 14.08 - Added missing images/ subdir to webmin and interworx installers Added new option LF_TEMP_EMAIL_ALERT. This allows the disabling of temp IP block emails. It is enabled by default (send temp email alerts as before) 14.07 - Added missing images/ subdir to DA installer 14.06 - If DOCKER is enabled and the iptables nat table exists, csf now creates a DOCKER chain in the nat table for IPv4 cPanel additions to csf.pignore on new and existing installs Disable reputation service on error Added new options MESSENGERV3PERMS and MESSENGERV3GROUP for the creation of the MESSENGER_USER public_html directory. See csf.conf for information, defaults set for each install control panel type where possible Added exe:/sbin/rngd to csf.pignore for new installations 14.05 - Modified dovecot pop3d/imapd log line parsing to repeat single lines reporting multiple login failure attempts Additional entries in csf.pignore for new installs on CyberPanel v2 cPanel additions to csf.pignore on new and existing installs Convert embedded IPv4 addresses in /proc/net/tcp6 back to IPv4 14.04 - Added two new options: CC_MESSENGER_ALLOW, CC_MESSENGER_DENY. These options can control which Country Code IP blocks are redirected to the MESSENGER service, if it is enabled Fixed some typos in csf.conf Added DirectAdmin diagnostics to the admin UI for session security checks, together with a method to skip the checks if desired 14.03 - Updated DSHIELD blocklist to use https Updated Server Check PHP EOL information Improved DA session checking Improved DA Server Check report Modified cpanel.comodo.allow and cpanel.comodo.ignore with an additional IP address MESSENGERv3 now out of BETA testing Added UDP ports 80 and 443 to UDP_IN/UDP6_IN for new installations to support QUIC/HTTP3 Modified DA regex for Roundcube v1.4+ Modified DIRECTADMIN_LOG_R to point to /var/www/html/roundcube/logs/errors.log for Roundcube v1.4+ by default on new installs and change for old installs if not already set Added a new DA regex for phpMyAdmin Modified iframe resizer on DA, thank you to Martynas @ DirectAdmin Updated Integrated User Interface documentation to point to the latest Apache docs Added newly generated self-signed keys for lfd UI Updated Server Report descriptions for cPanel Updated Server Report for systemd processes Added back cPanel update check to the Server Report now that it has been reinstated by cPanel Removed outdated Server Report checks 14.02 - Added new BETA TESTING option: MESSENGERV3. This provides the MESSENGER service utilising the local webserver. It currently supports Apache v2.4+ and Litespeed/Openlitespeed. As the first iteration this likely contains bugs and may not be suitable for production environments. See csf.conf and readme.txt for more information Changed Country Code Lookup source to ipdeny.com Added CC_ALLOW_SMTPAUTH to all configurations for the benefit of servers other than cPanel running Exim Modify CC_ALLOW_FILTER to allow RELATED, ESTABLISHED connections through so that outgoing connection replies from remote sites not in CC_ALLOW_FILTER are accepted Added a note in csf.conf regarding MESSENGER_CHILDREN, that consideration needs to be made for local images displayed on the page. The default has also been increased to 20 for new installations Modifications to MESSENGER server to speed up connection response time and improve stability Modifications to LFD UI and CLUSTER server to improve stability Added SUDO login alerts: LF_SUDO_EMAIL_ALERT. This will send an email alert using the sudoalert.txt template whenever there is a failed or successful SUDO connection. SUDO_LOG must be set to the correct log file. LF_SUDO_EMAIL_ALERT is disabled by default Added new entry in csf.pignore on cPanel servers for v86+: exe:/usr/libexec/dovecot/imap-hibernate Added Server Check for EOL PHP v7.1 Removed cPanel update checks from the Server Report now that the options are no longer available in cPanel v86+ NOTICE: We are deprecating support for Virtuozzo/OpenVZ servers. Future releases will not take into consideration those platforms which have become onerous to support. The software application may continue to work but support and functionality is no longer guaranteed 14.01 - Changed mailman listings in csf.pignore on cPanel servers to cater for changes in python versions in RHEL v6/7 and 8 Fixed issue with CC_ALLOW_FILTER when not using IPSET but using SAFECHAINUPDATE would cause the new chain to be created in the wrong place by lfd when the zone is retrieved/updated Fixed issue when using CC_ALLOW_FILTER with IPSET enabled not adding the final DROP rule in lfd Further modifications to support RHEL/CentOS v8 Fixed issues with MESSENGER and CLUSTER server listeners terminating prematurely 14.00 - Added alternative database for Country Code Lists and Settings. These do not currently require logins/keys and in some cases are better optimised. A new setting CC_SRC allows switching between sources. For new installations these new sources are used. Existing installations are configured to continue to use the MaxMind databases. See the "Country Code Lists and Settings" section in /etc/csf/csf.conf for detailed information Added binary locations for CURL and WGET which will be tried if data retrieval fails when using the LWP perl module, e.g. on outdated OS's Added new option for URLGET setting "3". This allow the use of either CURL or WGET instead of the perl modules 13.12 - Modified CyberPanel installation to support move to python3 13.11 - Fixed interdependence issue between Country Code lookups and Country Code filters in lfd introduced in v13.09 Improved MM_LICENSE_KEY error messages 13.10 - Removed hard-coded date from MaxMind ASN url 13.09 - Due to MaxMind changing their free download policy to require signup and a license key, a new option MUST be configured to continue to use Country Code lookups (CC_LOOKUPS). The option MM_LICENSE_KEY must be set to the key obtained from the MaxMind site. See: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ https://www.maxmind.com/en/geolite2/signup Note: Existing installations will continue to use downloaded d/b's from before the MaxMind change, though may be cleared after CC_INTERVAL Changed CC_LOOKUPS option 4 from freegeoip.net to db-ip.com as the former no longer exists Fixed System Stats graphs not displaying on CyberPanel Updated csf control panel reporting in version display 13.08 - Added official CyberPanel integration and CyberPanel panel specific configuration (only tested on CentOS v7) More changes to support RHEL/CentOS v8 13.07 - Added format requirements for ASN entries in CC_* settings Removed SSHDSPAM exploit check as it's no longer critically relevant Modifications to support RHEL/CentOS v8 Modified systemd service to cater for RHEL/CentOS v7.7 pidfile symlink check changes Fixes and improvements to UI Ajax code Removed legacy bandmin code for cPanel servers and LF_CPANEL_BANDMIN setting Modified default InterWorx csf.conf to set SMTP_ALLOWGROUP appropriately for SMTP_BLOCK 13.06 - Removed debugging code from log file globbing routine Fixed reseller UI HTML text for each supported control panel Replaced the need in InterWorx for a custom Firewall.php with a preAction to intercept calls instead Moved csf in InterWorx to the Advanced section in Plugins UI Updated the InterWorx plugin.ini information to be more descriptive 13.05 - Added official CentOS Web Panel (CWP) integration and CWP panel specific configuration. See /etc/csf/readme.txt for more information (only tested on CentOS v7) Added official VestaCP integration and VestaCP specific configuration (only tested on CentOS v7) Additional entries to csf.pignore for new DirectAdmin installations Corrected DirectAdmin UI link text Fixed UI presentation HTML Fixed vsftpd regex for single character date of the month Modified Debian installation to detect ip(6)tables-legacy and use update-alternatives to switch to using them Modified InterWorx installation to not use chattr on /etc/apf/apf stub which was preventing apf upgrading. The lfd daemon will now reapply the stub if needed Modified Server Check on DA to get case-insensitive config from the binary rather than the directadmin.conf file Modified csf warning text on cPanel DNSONLY servers regarding the smtpgidonlytweak to disable it from CLI as it is not currently possible from the DNSONLY WHM UI 13.04 - Fixed issue with ConfigServer::CheckIP generating incorrect IPv6 addresses during validation using Net::CIDR::Lite Added UI entry for editing csf.reseller for DirectAdmin and InterWorx 13.03 - Fixed PATH issue in DirectAdmin installer when used from within the UI to upgrade 13.02 - Removed perl CGI::Carp module use from the DirectAdmin reseller UI as the module may not be present 13.01 - Added reseller support in InterWorx Added reseller support in DirectAdmin Added login failure detection on InterWorx (v6.3.16+). If LF_INTERWORX is enabled, INTERWORX_LOG will be scanned for login failures to NodeWorx and SiteWorx. This is enabled by default on all InterWorx installations Fixed text in Firewall.php stub in InterWorx Improved UI display in DA Improved UI display in InterWorx Fixed InterWorx UI issue with "Service Status" NodeWorx feature caused by Firewall.php stub Created cronjob to check for new product versions for the UI (/etc/cron.daily/csget). A manual check is still available if needed. This does not affect the daily upgrade check if enabled 13.00 - Added InterWorx integration and InterWorx panel specific configuration. See /etc/csf/readme.txt for more information (only tested on CentOS v7) Added InterWorx regex detection for proftpd, dovecot imap, dovecot pop3, and smtp auth login failures. Added regex detection for LF_DISTSMTP and LF_DISTFTP. Added regex detection for LF_CXS and LF_MODSEC. Added Login Tracking for LT_POP3D and LT_IMAPD Ensure UI errors are displayed in browser to avoid blank pages Display install.txt if perl module checks fail Reworked DirectAdmin UI to display within the parent template 12.12 - Updated CloudFlare code to use GET instead of POST to retrieve the id of an entry as POST in the API is no longer working, which affected entry deletion Modified --denyrm [ip] to not remove "do not delete" entries. This now must be done by editing /etc/csf/csf.deny to prevent unintentional unblocking, e.g. by MESSENGER reCAPTCHA or the UI MESSENGERv2: Set KeepAlive to Off Added new csf CLI cluster option: -cir, --cirm ip This will remove the IP from each remote /etc/csf/csf.ignore member and then restart lfd. This has also been added to the UI Added missing comment to cluster --ctempdeny entries Added missing timestamp to cluster --cignore entries Cluster command --cignore now checks for duplicates 12.11 - Added port 8443/tcp to cPanel server new installs to cater for the v80 calendar service. Existing installs will need to be modified manually if the service is used by adding the port to TCP_IN and TCP6_IN Updated various EOL version checks in Server Report Updated version modification system to check existing version before performing updates. Ensured that updates are applied chronologically 12.10 - Added routine to select from multiple download servers for script updates Added Sectigo (formerly Comodo) IPv6 DCV addresses to cpanel.comodo.allow and cpanel.comodo.ignore Added support to LF_CXS for litespeed logs on cPanel Added exception to csf.fignore for NodeJS yarn temporary files in cPanel v80 12.09 - Added new option CT_SUBNET_LIMIT. If the total number of connections from a class C subnet is greater than this value then the offending subnet is blocked according to the other CT_* settings. This option is disabled by default Removed ALTTOR from csf.blocklists on new installations as it has been discontinued Use ConfigServer::Slurp to read csf.resellers to avoid invalid line endings Modified CLUSTER_SENDTO and CLUSTER_RECVFROM so that they can be set to a file instead of listing IP's within the respective setting. See csf.conf for more details Removed open_basedir check on cPanel servers in Server Check Fixed csf.conf typo Updates to Courier IMAP regexes for Plesk 12.08 - Removed debugging code from lfd output Improvements for reason text information to IPs and CC_LOOKUPS to netblocks for LF_PERMBLOCK and LF_NETBLOCK reports 12.07 - Added commented out regex lines in csf.pignore on cPanel servers for the upcoming ubic implementation by cPanel Added port 53 filters in cpanel.comodo.allow on cPanel servers Added postfix support for LF_DISTSMTP Switched Sendmail and URLGET modules from using croak to carp to avoid unexpected parent death from child failure Double fork external commands in DA UI to work around DA mod_perl restrictions, allowing full functionality Added reason text information to IPs and CC_LOOKUPS to netblocks for LF_PERMBLOCK and LF_NETBLOCK reports and csf.deny entries 12.06 - Removed new regex for LF_EXIMSYNTAX 12.05 - Removed rbl.jp RBLs from csf.rbls Modify Project Honey Pot blocklist URLs to use https Ignore $SIG{PIPE} when running ipset Ensure csf shows ipset warnings Added osmd to lfd restart routine when cPanel upgrades Modified Server Check to look for underscore as well as dash settings Added test in lfd to ensure the pidfile is open before attempting to close it Added new regex for LF_EXIMSYNTAX Added new option: URLPROXY. If you need csf/lfd to use a proxy, then you can set this option to the URL of the proxy 12.04 - Updated license terms for GDPR compliance 12.03 - Make CC_IGNORE check case-insensitive Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, PT_* and PT_SSHDKILL) Updated cxs FontAwsome to v5 Added fixes for additional Include line processing Fixed race condition when processing CC_* zip files that could sometimes prevent the csv files from being extracted Updated HTTP::Tiny to v0.070 12.02 - Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases Added more CLI options that work if csf is disabled Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under "Include statement in configuration files" for the list of supported files Added mangle and raw tables to csf --grep [IP] and modified output to show a new column with the table then the chain that a rule is in Added mangle and raw tables to csf --status output and modified output to show a new header line with the table that a rule is in Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6 Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits Updated csf.conf documentation relating to the ICMP/PING settings Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk but can impact network performance, so should be left disabled by everyone else csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled USE_CONNTRACK is now enabled by default on new installations Fixed DOCKER IPv6 warning message when DOCKER not enabled Modified csf.blocklists for GREENSNOW to use https on existing and new installations 12.01 - Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist CC_OLDGEOLITE set to "0" on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set Note: The old MaxMind Geolite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases 12.00 - Added support for GeoLite2 databases from Maxmind for CC_*. These databases are significantly larger than the soon to be deprecated GeoLite ones stored in /var/lib/csf/ Added support for GeoLite2 databases from Maxmind for CC_LOOKUPS and CC6_LOOKUPS. Added new option: CC_OLDGEOLITE. This option is enabled by default to continue using the old GeoLite databases. See csf.conf for more information. This option will be removed in the near future so that all installations use the new GeoLite2 databases GeoLite2 lookups now use the CSV files instead of the formatted Data files because the Perl dependencies for the MaxMind Perl modules that access the Data files are prohibitively excessive. We have developed our own fast binary search module to perform the required lookups on the CSV files for both IPv4 and IPv6 An advantage of the new GeoLite2 databases is that IPv6 lookups can now be done to the same level as IPv4: Country Code; Country; Region; City; ASN Unified storage of GeoLite2 database to avoid duplication between CC_LOOKUPS and CC_* databases Added new CC_LOOKUPS value of "4". This option does not use the MaxMind databases directly for lookups. Instead it uses a URL-based lookup from a third-party provider at https://freegeoip.net and so avoids having to download and process the large databases. See csf.conf for more information and limitations Modified CC_INTERVAL default to 14 days on new installations Ensure MESSENGERV2 service will not start if using a valid cPanel account in MESSENGER_USER (must be non-cPanel account) Create entry in /etc/aliases for "csf" if MESSENGERV2 is enabled on cPanel servers to reserve the account name Added new feature: DOCKER support. This configures iptables rules to allow Docker containers to communicate through the host. This is currently in BETA testing. See csf.conf for more information. Thanks to Marcele for the rules Removed redundant nat table check for ip6tables in Config.pm Replaced all remaining bareword file handles 11.07 - Added missing WAITLOCK to iptables when processing advanced port filters in csf and lfd and checking csf status in UI Added WAITLOCK, if enabled, to iptables-restore commands during FASTSTART Server Check Report - removed ini_set check as so many scripts use ini_set nowadays. Updated text on various checks Updated the postfix SMTP AUTH regex Added new SSHD "maximum authentication attempts exceeded" regex Set basic PATH before running csfpre.sh/csfpost.sh to avoid binary location issues csf now runs csfpre.sh/csfpost.sh directly without forcing it through /bin/sh. If present, csf chmods the script 0700 and checks for a shebang. If the shebang is missing #!/bin/bash is added to the top. The script is then run Added seventh parameter to regex.custom.pm to allow Cloudflare blocking if a CUSTOM regex is triggered (see latest regex.custom.pm in distro) Rearranged UI tabs and shortened tab names. Moved quick actions to the top of the "csf" tab pane Added "AUTH command used when not advertised" to the LF_EXIMSYNTAX regex check Added new csf CLI cluster option: -ci, --cignore ip [comment] This will add the IP to each remote /etc/csf/csf.ignore member and then restart lfd. This has also been added to the UI Fixed cluster grep output in UI Modified MESSENGERV2 to support combined certificates+keys in cPanel v68+ Added triggered setting and, if applicable, temporary TTL to the "Blocked:" status in block alert emails Added "wildcard" option to "Search System Logs" UI to use ZGREP to search the specified log with a wildcard suffix. ZGREP option added to csf.conf which must point to the zgrep binary Added git binaries to csf.pignore on cPanel servers for upcoming v72/74 features 11.06 - Modified Integrated UI to use new cxs UI perl modules Added custom redirect line for webmin UI when STYLE_CUSTOM enabled Ensure ip6tables nat table is flushed if present whether MESSENGER is enabled or not 11.05 - Added new configuration option PT_SSHDKILL. This option will terminate the SSH processes created when blocking an IP Added a "Fix Common Problems" section to the csf UI for various common configuration issues Ensure application ports are always defined in lfd 11.04 - Added new configuration option LF_APACHE_ERRPORT. This option is used to determine if the Apache error_log format contains the client port after the client IP. By default it is set to autodetect 11.03 - Improvements to ajax output in integrated UI 11.02 - Integrated UI fix for CloudFlare page Removed non-participated deny options for cxs reputation service Changed PT_SSHDHUNG to use a regex for process cmdline detection Fixed issue with IPv6 client detection in Apache logs 11.01 - Corrections to readme.txt In UI, display long output into fixed height divs with scrollbars and font size changer Modified Server Check to not display the mod_cloudflare warning if CF_ENABLE enabled Modified Server Check to display a single warning for each PHP check listing affected versions instead of multiple warnings Additional exim check added to Server Check Improvements to ajax output in UI 11.00 - New Feature: CloudFlare Firewall integration. This feature provides blocking and unblocking functionality with the CloudFlare Firewall from within lfd, together with new CLI commands for direct access. See documentation for CF_ENABLE in csf.conf, information in readme.txt as well as the csf man page Added UI elements for CloudFlare Firewall integration New CLI command --trace [ip]. This replaces the --w, --watch CLI command to Log SYN packets for an IP across iptables chains by using the iptables TRACE module New Feature: Check the size of the ModSecurity IP D/B. This option will send an alert if the ModSecurity IP persistent storage grows excessively large. This is enabled on cPanel by default. See csf.conf for more information New Feature: Allow use of comma separated list of ports in Advanced Allow/Deny Filters WATCH_MODE in csf.conf and --w, --watch CLI commands removed in favour of the new --trace [add/remove] [ip] CLI command Restrict the scope of Perl shebang replacement when installing on cPanel servers Modifications and fixes for the example MESSENGERV2 templates Ensure /proc/sys/net/netfilter/nf_conntrack_helper is enabled at startup to allow connection tracking to continue working on newer kernels Stop needlessly setting and elements in Ajax returns Various corrections and updates to readme.txt Tweaks to the Mobile View UI button arrangement and spacing 10.25 - CSS change to UI configuration page Remove refresh timer from UI log file grep 10.24 - On webmin servers, added csf.body file to UI skinning (STYLE_CUSTOM). See readme.txt for more information 10.23 - On cPanel servers, ensure that the csf driver for WHM is removed on uninstall Added hooks for upcoming cxs IP Reputation Service On webmin servers, added csf.htmltag and csf.bodytag files to UI skinning (STYLE_CUSTOM). See readme.txt for more information MESSENGERV2 released as stable on cPanel servers. This uses the Apache http daemon to provide the web service for MESSENGER HTML and HTTPS Additions to csf.logignore on new installs Added IPv6 support to BLOCKLISTS Added Spamhaus DROPv6 and Stop Forum Spam IPv6 blocklists to csf.blocklists Removed Spamcannibal and added all.s5h.net from/to csf.rbls Fixed issues with IPv6 rule creation attempts when IPV6 disabled Automatically enable WAITLOCK on initial installation if supported 10.22 - Fixed issue with the ModSecurity regex modification in v10.20 10.21 - Ensure /etc/logrotate.d/lfd is overwritten on upgrade 10.20 - Prevent lfd logrotate from erroring if log files missing Modified Apache ModSecurity regex to cater for changes in logging format on cPanel servers with ModSecurity v2.9.2 Modified Apache cxs regex to cater for changes in logging format on cPanel servers with ModSecurity v2.9.2 Ensure destination files are owned by root during installation 10.19 - MESSENGERV2: Take a copy of the live certs and keys and use these in csf.messenger.conf to work around changing filenames for keys and certs when they are regenerated which causes httpd to fail. This is done each time lfd restarts Added CLI option csf --mregen: MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration. This will also gracefully restart httpd 10.18 - Stability improvements to the UI daemon Fixed MESSENGER log entry spelling 10.17 - Prevent Cluster and UI daemons from terminating the main process if they themselves terminate Modify Cluster and UI daemons to restart if they are stopped or fail Modify Cluster and UI daemons to be more verbose about reasons for stopping Fixed typos in readme.txt and csf.conf Added MESSENGER child logging to /var/log/lfd_messenger.log, also for MESSENGERV2 via a new index.recaptcha.php Modified logrotate configuration to include /var/log/lfd_messenger.log 10.16 - Fixed issue in 10.15 which was causing the Cluster daemon to exit unexpectedly 10.15 - New EXPERIMENTAL feature on cPanel servers: MESSENGERV2. This uses the Apache http daemon to provide the web service for MESSENGER HTML and HTTPS Added new option LF_APACHE_401 that works in a similar way to LF_APACHE_404 and LF_APACHE_403 Added new option RECAPTCHA_ALERT. This will send an email when a recaptcha unblock request is attempted by lfd. This option is enabled by default Stability improvements to UI, MESSENGER and CLUSTER daemon processes Added memory usage information to lfd log when using MESSENGER_HTTPS Add limiter to enforce MESSENGER_CHILDREN when connections are waiting for a child process Modify MESSENGER HTML examples for new installs to use inline images to improve page load speed and reduce lfd overheads Modified network interface detection to allow dash (-) in name URL updates in Server Check Increased the default value for MESSENGER_RATE to 100/s (from 30/m) and MESSENGER_BURST to 150 (from 5) for all installations to alleviate slow MESSENGER response times Set the SELinux security context for systemd and executable files Ensure firewalld is masked on systemd servers 10.14 - Made configuration checks on iptables more fault tolerant to avoid unnecessary failures while loading Removed openbl.org from csf.blocklists for new and existing installs More generic binaries added to csf.pignore 10.13 - Fixed looping/timeout of integrated UI children when Chrome client is used 10.12 - Configured UI to fully integrate with cPanel templates without using iframes Configured UI to display full cPanel breadcrumbs Configured UI to support cPanel v66 WHM UI changes 10.11 - Modified username regex for csf.syslogusers Fixed issue with /var/lib/csf/lfd.stats excessive growth 10.10 - Modified HTML to cater for major change in cPanel v66 10.09 - Added new option DROP_OUT which is set to "REJECT" by default. This option sets the default target for blocked outgoing ports. See csf.conf for more information Added improved detection of xtables lock and recommend enabling WAITLOCK on error Improved csf down detection when xtables lock in effect and WAITLOCK is not enabled Added support for listing ASNs in CC_IGNORE 10.08 - Added cpanel.allow and cpanel.ignore Include files for the cPanel authentication servers. These are included on new installations and added to existing files on cPanel installations If running cPanel 1:1 NAT, use the contents of /var/cpanel/cpnat to whitelist/ignore the external IP addresses 10.07 - Fixed bug when using RECAPTCHA_NAT where the listed IP's were not correctly processed Server Check now follows includes in dovecot.conf Server Check now reports RHEL/CentOS/CloudLinux v5.* as EOL 10.06 - Added new entry in csf.pignore on cPanel servers for: exe:/usr/libexec/dovecot/indexer exe:/usr/libexec/dovecot/indexer-worker Croak if IPTABLES is not set, incorrect or not present in csf.conf Set SELinux context for /etc/logrotate.d/lfd on new generic installs 10.05 - Fixed table header html/css Added workaround for adding superusers listed in /etc/csf/csf.syslogusers to the RESTRICT_SYSLOG_GROUP if the log socket is not accessed via the owner permissions Changes for cPanel v64 template Updated text description in csf.dirwatch for new installs 10.04 - Added error message to RECAPTCHA_* if the non-priveleged user cannot write to its home directory Further improvements to RECAPTCHA_* hostname check 10.03 - Added new option MESSENGER_HTTPS_SKIPMAIL on cPanel installations. This option ignores ServerAlias definitions that begin with "mail.". This can help with memory usage on systems that do not require the use of MESSENGER_HTTPS on those subdomains. The option is enabled by default on cPanel servers Improved RECAPTCHA_* hostname check Cluster CLI can now block CIDRs, e.g LF_NETBLOCK blocks will be applied cluster-wide 10.02 - Modified Messenger HTTPS to cater for a wider range of Apache VirtualHost formatting Added Messenger HTTPS workaround for servers using PEM but a version of IO::Socket::SSL that does not yet support it (pre v1.988) Added Messenger HTTPS warning in csf.conf regarding memory usage on some servers using the option Added java binary for cPanel solr process to csf.pignore on new and existing servers 10.00 - Added new feature to MESSENGER: MESSENGER_HTTPS*. See /etc/csf/csf.conf for more detail. This option redirects blocked IP addresses that connect over an HTTPS connection (port 443) to the HTML MESSENGER service. The option uses existing SSL certificates on the server for each domain to maintain a secure SSL SNI connection without browser warnings. The setting is disabled by default Note: The perl module IO::Socket::SSL (v1.83+) with support for SNI must be available to use MESSENGER_HTTPS* otherwise it will be disabled Added new feature to MESSENGER: Google ReCAPTCHA (v2) to allow those blocked in the firewall to unblock themselves. See RECAPTCHA_* in /etc/csf/csf.conf for more details and limitations Added MESSENGER procedure to restart listening sub-process if it has died Moved MESSENGER processes to a separate module Ensure that all forked processes terminate appropriately On cPanel servers, use the cPanel WHM Template to support the new v64 UI layout (as best we can to maintain the look that we want) Modified the cPanel csf ACL metadata and driver Perl modules to match new requirements for v64 and also maintain backwards compatibility 9.30 - Fix to try and resolve cluster send/recv issues (Note: _All_ members of the cluster need to be running v9.30 for clustering to function correctly) 9.29 - Fixed issue that was breaking LF_DISTSMTP Fixed issue in UI lfd Stats. Note: The lfd stats data file has been renamed from /var/lib/csf/stats/lfdmain to /var/lib/csf/stats/lfdstats Additionally, the stats for 2016-12-31 will reset to 0 due to this bug Corrected text in readme.txt Added new csf CLI cluster option: -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment] This sends a temporary deny request to the cluster Added new csf CLI cluster option: -cta, --ctempallow ip ttl [-p port] [-d direction] [comment] This sends a temporary allow request to the cluster Added new csf CLI cluster option: -cg, --cgrep ip This requests the --grep output for [ip] from each cluster member Modified cluster requests to respond with an acknowledgment to the sender Modified --cdeny [ip] and --callow [ip] to include optional comment Added separate tab for Cluster options in UI if enabled and added new cluster temp allow/deny commands to UI Modified Port Scan Tracking. UDP packets destined for the network broadcast address(es) will now be ignored in Port Scan Tracking unless BRD is added to PS_PORTS. The broadcast address(es) include the those listed in IP or IFCONFIG plus the default (255.255.255.255) unless one of the servers IPs Added new feature: PT_USERRSS. This User Process Tracking option sends an alert if any user process exceeds the RSS memory limit set - RAM used, not virtual. PT_USERRSS is set to 256 (MB) and PT_USERMEM is now set to 512 (MB) by default on new installations. On existing installs PT_USERRSS is set to the same value as PT_USERMEM 9.28 - New logo added and configured for cPanel plugins HTML fixes STYLE_CUSTOM is now set to 0 by default on all new installations. If you want to choose custom styling this option can be enabled 9.27 - Fix for UI Quick Unblock button Fix for UI main page [ENTER] not working on all forms 9.26 - Fix for webmin UI when watching logs Various UI html syntax fixes Reduced UI banner padding Port 23 added to DROP_NOLOG for new installations WAITLOCK taken out of beta Modified UI View Listening Ports Reworked main UI table to produce syntactically correct HTML Fixed duplicate HTML top and bottom page elements 9.25 - Correct csf lookup failure message Converted UI icon for temp allow removal to new format Simplified Configuration display of radio toggles to help screen readers Added patch to send message text for CLUSTER blocks 9.24 - UI html fixes 9.23 - Added upgrade note to the top of the UI if available UI improvements for integrated cse and interface to cxs Added Scroll to Top/Bottom buttons Consolidate images, css and javascript into a common directory in the installer 9.22 - Modify UI temporary IP deny buttons to not wrap in table Modified UI Statistics images to be responsive Modified readme.txt to detail additional UI styling options Added two new options STYLE_CUSTOM and STYLE_MOBILE relating to UI styling Globalised SIGNALs where needed to help prevent zombie children Modified UI to use container-fluid to improve whitespace use Modified pre tags to wrap on whitespace 9.20 - Redesigned UI based on Bootstrap New functionality: Added integrated mobile device view with subset of functions Modified csf to not warn about the SENDMAIL binary if LF_ALERT_SMTP is enabled Added use of the ace editor if present on cPanel installs to edit files. Added toggle to switch back to textarea. Added buttons to decrease and increase font size in editor Modified readme.txt to include information regarding changing styles and disabling Mobile View 9.14 - Fixed LOGSCANNER logging to only report to the log if DEBUG enabled Added new BETA options WAITLOCK and WAITLOCK_TIMEOUT which provide support for the iptables --wait option Added UI support for cxs with Bootstrap 9.13 - Modify Server Check to prevent hanging process for CloudLinux PHP versions prior to v5.2 9.12 - Improved LOGSCANNER accuracy of hourly and daily runs between restarts Added more binaries on cPanel servers to csf.pignore for cPanel v60 Fixed repeated check for PHP open_basedir in Server Check Do not perform suexec check if mod_ruid2 enabled in Server Check Corrected text description of IPv6 port lists in non-cPanel csf.conf Export ConfigServer::Logger::logfile Detect mpm_itk_module and treat in a similar manner to ruid2_module in Server Check Removed use of Cpanel::cPanelFunctions as it is now being withdrawn Updated common ConfigServer UI Fix instance where cluster block timeout for temporary blocks was not being sent Check for EOL PHP v5.5 in Server Check Added detection of alt-php versions provided by CloudLinux, but do not check them for EOL version status 9.11 - Fixed issue with csf.allow Include checks when allowing an IP Added the Greensnow blocklist to csf.blocklists for new installs Fixed display of ports in CLI temporary blocks Fixed issue removing CIDR blocks via the CLI from csf.deny 9.10 - Fix profile diff in the CLI Fixed issue with deny removal by IP address of advanced rules in the CLI 9.09 - Additional fix for ip6tables MESSENGER service when LF_IPSET not enabled (ip6tables nat) 9.08 - AUTOSHUN list removed from csf.blocklists as the public list is no longer available Added support for ip6tables MESSENGER service when LF_IPSET not enabled (ip6tables nat) 9.07 - Fixed removal of complex allow and deny rules Fixed IPv6 implementation of CC_ALLOW_PORTS_* and CC_DENY_PORTS_* Fixed file upload in cse via the integrated UI Fixed "csf --cfile [file]" Removed setting: OLD_REAPER Localised SIGNALs Localised uid and gid change in MESSENGER Removed Bareword file handles Where ip6tables <= v1.3.5 and IPV6 is enabled, disable USE_CONNTRACK if enabled as ip6tables does not support the conntrack module in older versions. This will force the use of the state module instead 9.06 - Fixed incorrect inclusion of cPanel Free SSL service include entries on new non-cPanel installations 9.05 - Fixed RT_AUTHRELAY_LIMIT detection 9.04 - Fixed issue with custom regex rules where log hash was not being passed to regex.custom.pm Fixed issue with custom regex rules where "use strict" was used incorrectly 9.03 - Fixed issue with LF_ALERT_TO and LF_ALERT_FROM not being used when set 9.02 - Fixed Reseller UI command execution 9.01 - Fixed graph display when using integrated UI 9.00 - Convert csfui.pl, csfuir.pl and cseui.pl to perl modules and modify the calling UI specific scripts Updated cseUI so that is passes perl strict module checks Fixed issue with deny removal of some IPv6 addresses Ensure /etc/chkservd/lfd is recreated when lfd is enabled via csf -e on cPanel servers Added exes to csf.pignore on existing and new cPanel server: /usr/libexec/dovecot/lmtp /usr/local/cpanel/3rdparty/php/54/bin/php-cgi /usr/local/cpanel/3rdparty/php/56/bin/php-cgi /usr/local/cpanel/3rdparty/php/56/sbin/php-fpm Ensure all file opens are properly flocked Switch to using require instead of eval/use to load runtime modules where possible Code review - started addressing perl critic suggestions in all scripts and modules Moved regex.pm to a seperate perl module Moved email sending to a seperate perl module Moved lfd logging to a seperate perl module Add allow and ignore Include files for the cPanel Free SSL service from Comodo in cPanel v58+. These are included on new installations and added to existing files on cPanel installations Fixed spurious Include error in lfd for csf.ignore 8.26 - Added more dovecot binaries to csf.pignore for new and existing cPanel servers Updated lfd-cron to use the csf startup routines to restart lfd on systemd servers correctly, existing cron jobs are also modified HTTP::Tiny upgraded to v0.058 8.25 - Modified Config loading to check for valid ip6tables location before attempting to use it Modify Server Report to support checking of cPanel MultiPHP configurations when using EasyApache v4 Removed PHP check for suhosin from Server Report Improved cipher check for pure-ftpd in Server Report Added password reset check for subaccounts in Server Report on cPanel servers Added cPanelID check in Server Report on cPanel servers 8.23 - On cPanel servers ensure the lfd service is always correctly appended to chkservd.conf on csf installation 8.22 - Fix csf --tempdeny from allowing blocking of local IPs Fix problem where LF_NETBLOCK was no longer affective after blocking a its first netblock until it timed out from csf.tempip Modify UI table spacing 8.21 - Modified cPanel version check to avoid restart loop if GENERIC set to 1 in csf.conf 8.20 - Modify Relay Alert email to specify "localhost" rather than "Local Account" when localhost IPv6 address detected as it currently does for IPv4 localhost Improvement to lfd restart routine for MailScanner and pure-ftpd when cPanel upgrades on RHEL/CentOS/CloudLinux v7+ servers 8.19 - Move SMTP_BLOCK rules to a separate chain to avoid conflicts with other control panels deleting required rules 8.18 - Reversed csf.tempip changes to avoid a possible locking issue in csf.pl, lfd.pl changes retained 8.17 - Fixed 12 month statistics pie chart rendering Increased default value and sanity range for PT_USERMEM Modified SMTP_BLOCK to use iptables multiport Added new feature: SMTP_REDIRECT. This redirects non-authorised outbound SMTP connections to the local SMTP server Ensure LF_PERMBLOCK IP's are removed from csf.tempip when rotating csf.deny after reaching DENY_IP_LIMIT Remove stale csf.tempip entries on lfd startup Added IPv6 support to RT_LOCALHOSTRELAY tracking Update binary locations for new installations on DirectAdmin Debian Improved fix for detection of ip6tables nat chains Added UI Firewall Configuration On/Off buttons Added UI Firewall Configuration dropdowns for some value ranges Updated UI restricted list Updated sanity checks Various UI updates and modifications Added a warning when using mod_cloudflare to Server Check Report 8.16 - Removed UI integration from CentOS Web Panel as recent permission changes break the implementation. The csf installer will restore the original functionality 8.15 - Added new configuration option IP to point to the IP binary. This will be used in preference to IFCONFIG, the latter is no longer required when the IP binary is correctly configured and executable Added full UI integration into CentOS Web Panel (CWP). To disable integration: Rename: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.orig.php to: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.php create: /etc/csf/cwp.disable Updated Postfix SMTP AUTH regex (thanks to Marcele) Added support for /etc/csf/csf.blocklists in ZIP format. The zip file MUST only contain a single text file of a single IP/CIDR per line Added Stop Forum Spam (ZIP) example to csf.blocklists Added IPV6 support to csf.sips Fixed detection of ip6tables nat Removed development code for ispconfig from distribution as this should NOT be used. It has never been implemented nor released as a supported solution and is likely to be insecure. Upgrading will remove any installations of this development code 8.13 - Added /usr/local/cpanel/3rdparty/php/54/sbin/php-fpm to csf.pignore for cPanel installs Clarify cluster CLI commands that refer to remote server actions Added number of failures to the RBL check Subject field Modified Port Scan checks for more kernel log line formats in regex.pm 8.12 - Additional Feature: Added support for listing ASNs in all Country Code (CC_*) options Fixed GLOBAL_ALLOW and GLOBAL_DENY when LF_IPSET is enabled Fixed GLOBAL_DYNDNS when LF_IPSET and LF_IPV6 are enabled IPSET binary location set to /sbin/ipset for Debian/Ubuntu new installs Additional regex included for vsftp login failures 8.11 - Fixed issue on non-RedHat OS installations that failed due to problems whitelisting the installers IP address 8.10 - Fixed issues with new non-RedHat OS installations by reasserting perl module check to the start of the installation process but removing included modules from checks Ports 2079 and 2080 added to TCP_IN for new cPanel installs to allow CalDAV/CardDAV access 8.09 - Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or /sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow higher settings for PORTFLOOD than the default of 20 if configured Added LimitNOFILE to lfd.service on servers using systemd to allow for large numbers of open files Cater for full stops (.) in ethernet device names Moved Perl module checks until after csf installation has completed so that all included modules exist in /usr/local/csf/lib/ 8.08 - Fixed csf.sips modification via UI on Redhat/CentOS v7.1 Raised csf.blocklist names from 9 to 25 characters long. This cannot be greater due to limits on ipset names on some OS's and the use of prepended names for new ipset list swapping Added output from netstat for PT_LOAD to loadalert.txt for new installs. For existing installs, latest file copied to /usr/local/csf/tpl/loadalert.txt.new 8.07 - Ensure spaces are stripped from values in /etc/cpanel/ea4/paths.conf on cPanel servers Fixed issue with csf --add [ip] not always removing [ip] if present from csf.deny Modified the LF_QOS regex to cater for additional log formats 8.06 - Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel servers for Pyzor that was added by cPanel in v11.52 Support added for EasyApache4 log locations in cPanel from /etc/cpanel/ea4/paths.conf Added more executable files to csf.pignore on cPanel servers for cPanel EasyApache4 Modify Server Check to support cPanel EasyApache4 Added regex to support cPanel/WHM login failures with the new log format in v11.52+ If mod_ruid2 is enabled do not check for mod_userdir in Server Check Always ensure binary exists and is executable before performing processing during Server Check Modified ProFTPD regex to support more formats vsftpd inbuilt log file format regex added Modified cPanel antirelayd Server Check to also support popbeforesmtp added in v11.52 Added dbus and time systemd regexes to csf.logignore for new installs 8.05 - Added alarms to HOST binary calls Added new csf CLI option: --rbl [email]. This generates the report checking IP addresses against a set of RBLs. Optional configuration is available through /etc/csf/csf.rblconf Added UI to utilise the new --rbl [email] option Added systemd status output after lfd restart via the csf CLI Modified Server Check to only report bind if a named configuration file exists Require cPanel resellers to enter a Comment when allowing or denying an IP Added new option UI_IP to allow binding to a specific IP address for the integrated UI 8.04 - Added more executable files to csf.pignore on cPanel servers for cPanel v11.5*+ Added warning to both csf output and Server Check report if PT_USERKILL is enabled 8.03 - Fixed bug where iptables nat tables were not being flushed or grepped correctly 8.02 - Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS Added new csf CLI option: --lfd [stop|start|restart|status]. Actions to take with the lfd daemon Added new csf CLI option: -ra, --restartall. Restart firewall rules (csf) and then restart lfd daemon Fixed several output message typos for "FASTSTART" Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel Improve IPv6 detection on installation Implemented more efficient csf.conf loading in ConfigServer::Config 8.01 - Modify ConfigServer::CheckIP to cope with entries not passed by reference 8.00 - Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for LF_NETBLOCK Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups Added IPv6 support for LF_IPSET Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled) Added IPv6 support for X_ARF report where found in the Abusix Contact DB Added IPv6 nameserver support for /etc/resolv.conf Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3 Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3 Added IPv6 support for SYNFLOOD Added flush of ip6tables nat table if ip6tables version >= 1.4.17 Standardise all IPv6 addresses and networks to use the short form for consist representation Added FASTSTART support to LF_IPSET Increased ulimit -n to 4096 in /etc/init.d/lfd Included Net::IP for IP address manipulation Included version perl module for version comparisons Added missing csf.allow search to csf --grep Added Server Check report for LF_IPSET when using Country Code filters 7.73 - Fix for temporary denies allowing duplicate IP/Port blocks/allows Speedup csf --grep [ip] when searching IPSET sets. Note: This does mean that partial IP queries will no longer match IPSET entries Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for larger ipset sets Added option HOST as the location of the "host" binary for DNS TXT record lookups Modified X_ARF report to include the abuse contact for a reported IP address where found in the Abusix Contact DB Added new option X_ARF_ABUSE. This option allows for automatic sending of X_ARF reports to the IP addresses abuse contact. See csf.conf for warnings about using this option Added binary location checking in csf and issue warnings if incorrect, not installed or not executable 7.72 - Added new option PT_SSHDHUNG. Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate such processes. See csf.conf for more info Added new binaries to csf.pignore on existing cPanel installations to cater for v11.50 and CentOS v7 LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for new installations Updated Server Check ipv6 detection Updated sanity checks 7.71 - Added warning on cPanel servers for GreyListing Fixed issue with RedHat/CentOS/CloudLinux v7 where local IPs were not being successfully detected from IFCONFIG 7.70 - Removed PayPal Donation buttons due to recent abuse 7.69 - Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (added cxs pure-uploadscript restart) 7.68 - Added Debian v8 and Ubuntu v15 support HTTP::Tiny upgraded to v0.054 7.67 - Added a workaround for Plesk sendmail wrapper SIGCHLD problem 7.66 - Fixed UI status form tags Added new option LF_SPI. This option configures csf iptables as a Stateful Packet Inspection (SPI) firewall - the default. If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost Added common systemd logs to csf.logignore for new installs Modify LF_IPSET in csf to print failure messages instead of aborting on error On servers using systemd if firewalld found to be active, csf and lfd will not start until is is stopped and disabled as csf cannot be used with firewalld Added option SYSTEMCTL to csf.conf as the location of the systemctl binary for use with servers using systemd 7.65 - Fixed csf.blocklist for new installs which incorrectly had OPENBL enabled by default 7.64 - UI HTML updates and fixes Modified openbl.org URLs in csf.blocklist to use https - this will likely need URLGET set to 2 (LWP) 7.63 - Modified Server Check to highlight PHP v5.3.* as EOL and therefore a security risk Port 587 added to TCP_OUT/TCP6_OUT on all new installations (previously only on cPanel) Added new CLI option to csf, -i --iplookup will lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf Manually allowed/denied permanent/temporary IPs through the csf CLI now include the CC information if no comment is used Renamed csf and lfd cron jobs in /etc/cron.d/ to cater for non-LSB compliant Linux cron managers Modified Server Check report to cater for servers running systemd More Server Check fixes for out of date checks Added 2 new alert settings for FTP and SMTP distributed attacks: LF_DISTFTP_ALERT and LF_DISTSMTP_ALERT 7.62 - Modified ModSecurity regexes to be more generic 7.61 - Fix issues with lfd restart via integrated UI and DA UI 7.60 - Ensure that /usr/lib/systemd/system/ is created on install on systemd servers 7.59 - Fix sanity check for SMTPAUTH_RESTRICT Fixed incorrect reference to cxs in the generic csf installer Modified csf.conf to show that LWP::Protocol::https is needed for LWP to retrieve https URLs and added examples of how to install these perl modules Implemented native systemd support for startup and shutdown of csf and lfd Added recommendation in csf.conf to use IPSET if wanting to set DENY_IP_LIMIT to a high value If IPSET is enabled, no sanity warnings are issued for DENY_IP_LIMIT Also add SSH port to TCP6_IN on new installations 7.58 - Display warning and revert to HTTP::Tiny if URLGET is set to use LWP but the perl module is not installed 7.57 - URLGET now set to "2" to use LWP by default on new installations instead of HTTP::Tiny If URLGET set to use LWP, csf will perform upgrades over SSL to https://download.configserver.com Added check for URLGET to Server Check Added option "3" for CC_LOOKUPS to also include IP ASNs via the MaxMind GeoIPASNum database Updated SSH login regexes Updated named regex Added 30 second timeout for ST_IPTABLES iptables stats writing to prevent a child creation loop Modified lfd to restart if more than 200 children are currently active to prevent child creation loops 7.56 - Fixed issue with Restricted UI item sanity checks failing Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (lfd, MailScanner cxs Watch). Restart triggers are limited to every 12 hours and will only trigger if upcp is not running 7.55 - If LF_SELECT is enabled the port(s) listed in PORTS_* can now be specifed as port;protocol,port;protocol, e.g. "53;udp,53;tcp" to allow for protocol specific port blocks. This port format can also now be used in regex.custom.pm and csf --td/--ta to allow udp port blocks PORTS_bind now defaults to "53;udp,53;tcp" on new installations PORTS_directadmin added for DA installs to allow for per port blocks if LF_SELECT is enabled Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs LF_IPSET taken out of BETA as it is proving stable Modified Server Check to skip checking xinetd on Plesk servers Modified UI_SSL_VERSION for new installations to use the new IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so that SSLv3 is disabled If systemd is running the installer disables firewalld using systemctl 7.54 - Added IPv4/IPv6 column to show whether the port in the csf --ports option is listed in *_IN (e.g. TCP_IN) Added Conn column to show the number of ESTABLISHED connections to the port in the csf --ports Modified Server Check text from "SMTP Tweak" to "SMTP Restrictions" for cPanel/WHM UI Added the following to LF_IPSET for IPv4 IPs and CIDRs: /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables Modified ipset information in csf.conf including that only ipset v6+ is supported Modified ConfigServer::Slurp to carp instead of croak Improvements to Server Check nameserver checking to include IPv6 servers and better determine how many are local nameservers Modified csf --graphs to append a trailing slash if missing to directory name 7.53 - Modified Slurp.pm to use O_RDONLY instead of O_RDWR 7.52 - Fixed issue with Restricted UI items sanity checks failing 7.51 - Removed duplicate "Search System Logs" button from the UI 7.50 - Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and csf.blocklist bulk list matching. See csf.conf for more info Added new UI option to view ports on the server that have a running process behind them listening for external connections Added new CLI option (csf -p, csf --ports) to view ports on the server that have a running process behind them listening for external connections Added new CLI option (csf --graphs) to Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements If using DYNDNS and the FQDN has multiple A records then all IP addresses will now be allowed IPv6 support added to DYNDNS. Requires the Perl module Socket6 from cpan.org to be installed On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin if installed and logging enabled via CustomBuild v2+. Failures will contribute to the LF_DIRECTADMIN trigger level for that IP On DA servers, FTPD_LOG now defaults to /var/log/messages on new installs Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs on DA Added to UI count of entries in /etc/csf/csf.allow Added blocklist.de to csf.blocklists for new installs, latest file copied to /etc/csf/csf.blocklists.new on existing installs Started moving common functions to separate modules within csf HTTP::Tiny upgraded to v0.050 Fixed csf stop/start routines on reboot for servers using systemd Modified integrated UI to display die errors to browser Modified X_ARF report to use a self-published schema: http://download.configserver.com/abuse_login-attack_0.2.json Modified X_ARF to lowercase the Source-Type field Modified X_ARF template to use the v0.2 "X-XARF: PLAIN" header field Updated restricted UI items Geo::IP upgraded to v1.45 Crypt::CBC upgraded to v2.33 7.15 - Updated installer to fix generic installs on some Redhat/CentOS setups Fixed issue with temporary allow/deny not applying individual port rules for outgoing connections 7.14 - Updated scripts to use download.configserver.com 7.13 - Fixed issue with temporary allow/deny when issued through the UI 7.12 - Reverted PACKET_FILTER rule changes OPEN added as an option to PS_PORTS so that TCP_IN and UDP_IN ports will be ignored by Port Scan Tracking by default, but can be added if desired 7.11 - DROP_PF_LOGGING disabled by default on new installs as enabling by default will just cause confusion 7.10 - Removed debugging code from Port Scan Tracking 7.09 - Set scripts (.pl,.cgi,.php,.sh,.py) in /etc/csf/ to chmod 700 Simplified PACKET_FILTER rules for dropping INVALID connection tracking states. This feature now only applies a single rule for incoming INVALID packets DROP_PF_LOGGING enabled by default on new installs INVALID added as an option to PS_PORTS so that PACKET_FILTER logs will be ignored by Port Scan Tracking by default, but can be added if desired Modified ST_ENABLE locking Regex updates to cater for Plesk 12 - thanks to Marcel Evenson Fixed issue with temporary allow/deny comment not being parsed correctly when port * specified 7.08 - Withdrawn 7.07 - Modified lfd to silently drop ST_ENABLE lock queue entries unless DEBUG is enabled Modified ST_ENABLE logging to append to data file and only truncate when needed 7.06 - Added locking to ST_ENABLE and ST_SYSTEM to prevent child process queues 7.05 - Fix SMTPAUTH_RESTRICT where IPv6 addresses need to be quoted for exim 7.04 - Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is triggered, then if LF_DIST_ACTION is a path to a script, it will run the script and pass arguments to it. See csf.conf for more info Added limit check on VPS servers when using FASTSTART to ensure there are sufficient numiptents available for all of the iptables rules in that block Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to /etc/exim.smtpauth Fixed LF_BIND - BIND_LOG was not being added to the log list to watch On DirectAdmin servers, added new feature LF_DIRECTADMIN. This option scans DIRECTADMIN_LOG for failed logins and blocks accordingly Fixed typo in csf.conf 7.03 - Added new option DROP_UID_LOGGING which allows UID logging to be disabled for outgoing connections. This option is enabled by default and can be disabled on OS's that do not support --log-uid Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for use with the csf --profile option Updates to sanity.txt for new options Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to www.dshield.org/block.txt for new and existing installs 7.02 - Make auto.pl scripts more resilient to avoid leaving an incomplete configuration file after upgrades Improved output errors if FASTSTART fails Ensure UNZIP binary exists before attempting to process GeoLite CSV Country database Corrected FASTSTART description in Server Report check Modified auto.pl to not automatically enable IPV6 on Virtuozzo/OpenVZ Report all errors after csf starts in case they were missed in the main output 7.01 - Fixed issue with FASTSTART and DROP_PF_LOGGING 7.00 - New feature SMTPAUTH_RESTRICT - This option will only allow SMTP AUTH to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth on EXIM mail servers. The additional option CC_ALLOW_SMTPAUTH can be used with this option to additionally restrict access to specific countries. See csf.conf and readme.txt for more information New FASTSTART procedures in csf and lfd to centralise functions and add error reporting FASTSTART added to GLOBAL_ALLOW, GLOBAL_DENY, GLOBAL_DYNDNS, csf.deny, csf.allow, Port Settings, PACKET_FILTER, DROP_NOLOG, SMTP Block, DNS Remove duplicate IP addresses from individual blocklists Remove duplicate IP addresses (not CIDRs) across blocklists as they are newly retrieved Ensure /usr/local/bandmin/bandminstart exists and is executable on cPanel servers before using it Removed MySQL version check as it is currently redundant from Server Report Improve Net::CIDR::Lite use integrity to prevent unnecessary lfd failures Ensure GeoIPCountryWhois.csv is removed before processing a new d/b download Add /etc/csf/csf.smtpauth to UI if SMTPAUTH_RESTRICT is enabled Fixed issue with IPv6 generation of SMTP_ALLOWUSER rules 6.48 - Fixed csf --ta/d not accepting comma separated port list Modified csf -t multi-port reporting Modified csf UI to support specifying port list in temporary allow/deny Modified integrated UI call to perform separate calls to IO::Socket::SSL to use the appropriate AF_INET(6) call depending on the setting for IPV6 Updates to integrated cse UI CSS Added regular expressions for courier-imap, Qmail SMTP AUTH and Postfix SMTP_AUTH for Plesk servers Removed RBN from csf.blocklist for new installs as it is now obsolete Check for an apply correct permissions on /var/lib/csf and /usr/local/csf in addition to /etc/csf 6.47 - Overhaul of Apache regexes to cater for Apache v2.4 formats Fail with an appropriate error if attempting to use an IPv6 address but IPV6 is not enabled Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT when DROP_OUT_LOGGING is disabled Strip leading and trailing spaces from form IP in csf UI DROP_OUT_LOGGING is now enabled by default on new installations ST_ENABLE is now enabled by default on new installations CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries. This provides a more consistent approach and quicker lookups with reduced memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE 6.46 - HTTP::Tiny reverted to v0.041 as it breaks on some installations 6.45 - Modified LF_SCRIPT_ALERT to only report detected lines Modified Server Check for sshd_config port to be case-insensitive Modified PORTS_sshd check of sshd_config port to be case-insensitive HTTP::Tiny upgraded to v0.042 Reverse sort temp bans in UI 6.44 - File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs Added Server Reports recommendation for CloudLinux if running CentOS or RedHat Added Server Reports CloudLinux security feature checks Modified Server Report check for dovecot v2 Updated Server Report version checks for Fedora, MySQL and Apache Added missing bracket to regex.custom.pm example Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports Added Cached memory to the System Statistics Added full pseudo-breadcrumbs to cPanel csf UI Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See "man csf" and UI for more details of the "csf --profile [OPTIONS]" commands HTTP::Tiny upgraded to v0.041 6.43 - Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc) RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to "3" is the recommended option Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log csf --dr modified to remove matching IPs from csf.tempip File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit 6.42 - New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option "3" which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information Those running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP csf UI option added for editing csf.syslogusers Fixed a bug in PT_LOAD not producing PS output 6.41 - SECURITY WARNING: Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines). Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst. Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users. There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default. See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd. So you should use other such scripts with care Our thanks go to Rack911.com for bringing this issue to our attention UI design updates and fixes Modify Apache regex to support log lines containing thread ID Prevent lfd from blocking CIDRs triggered from log lines 6.40 - Fix for LF_INTEGRITY which was non-functional after changes in v6.38 6.39 - Added error output from IO::Socket::INET for CLUSTER_* commands from csf if present UI HTML fixes and form design elements added Improved error report for invalid csf.conf lines Removed Server Check tmp mountpoint checks 6.38 - Parameterise calls to system and Open3 where possible HTTP::Tiny upgraded to v0.039 Modifications to csftest.pl Removed the UI "Pre-configured settings for Low, Medium or High" as they are outdated and meaningless. Users should go through the csf configuration and setup the firewall for their individual server needs Translate ampersand for HTML output Modified csf.blocklist for new installations to use the SSL URL for the TOR exit list now that they have forced redirection from the non-SSL URL, with a note to change URLGET to use LWP Modified csf.blocklist for new installations to specify an alternative TOR exit node list 6.37 - Fixed issue that produced false-positive failures for IP address actions through UI when checking for a valid IP address Modified lfd to support the use of either "password" or "pass" in /root/.my.cnf for ST_MYSQL Updated CLUSTER information in readme.txt 6.36 - Removed VPS PASV check from Server Check in UI Added new option URLGET - This option can be used to select either HTTP::Tiny or LWP::UserAgent to retrieve URL data. HTTP::Tiny is faster than LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may have to be installed manually, but it can better support https:// URL's. HTTP::Tiny is selected by default Removed extraneous bracket in UI output when reporting errors in user supplied data Added new options LF_EXIMSYNTAX, LF_EXIMSYNTAX_PERM - These will block IP addresses producing repeated exim syntax errors, typically seen from: spammers, hackers and broken MUAs and MTAs. This option is enabled by default HTTP::Tiny upgraded to v0.036 6.35 - Security fix with included cse when using inbuilt User Interface: prevent XSS due to malicious directory/file names 6.34 - Load DYNDNS and GLOBAL_DYNDNS from last known values when restarting csf instead of waiting for lfd to load the initial rules Improved performance of file slurping Cluster documentation correction in readme.txt UI button style modifications Added specific check for Spamhaus drop lists so that retrieval is never attempted before 2 hours elapses between attempts whether those retrieval attempts are successful or not Improvements to SSHD regexes Modified mod_security logging to include the last triggered rule id if present 6.33 - Modified LF_PERMBLOCK to perform IP lookup on blocked IP Perform modprobe when using FASTSTART on server boot to ensure iptables modules are loaded Modified migration detection for particularly old csf installations Check that TAIL and GREP exist and are executable in UI 6.32 - Applied UI changes to inbuilt cse and Reseller UI's Improvements to Virtuozzo/OpenVZ system detection where /proc/vz/veinfo does not exist Added System Check on cPanel servers for disable-security-tokens If /etc/csuibuttondisable exists then the UI buttons will revert for those that cannot cope with the themed ones 6.31 - Fixed "Deny Server IPs" option in UI Additional SSHD regex Enable account tracking for LF_CPANEL login failures to allow for LF_DISTATTACK detection Ignore Server Check for register_globals for PHP v5.4+ Added new option UI_SSL_VERSION, to allow the setting of the SSL protocol version that the UI server allows Added window Detach option to UI search system logs UI display changes Fixed files permissions issue affecting System Graphs and lfd Graphs in DA 6.30 - Prevent HTML rendering of watch and search system log file output 6.29 - Removed CLUSTER_PORT from sanity checking Modified changelog to state that HTACCESS_LOG needs to be correct for nginx LF_HTACCESS regexes Added new UI option to watch (tail) system log files listed in /etc/csf/csf.syslogs Added new UI option to search (grep) system log files listed in /etc/csf/csf.syslogs Improvements to "View iptables Log" output in UI Enable "SSL_honor_cipher_order" for UI IO::Socket::SSL sessions 6.28 - Fixed sanity check for UID_INTERVAL 6.27 - Modified Apache regexes for Apache v2.4+ Fixed UI configurable lines display for lfd.log Fixed length display text for CLUSTER_KEY in csf.conf Ignore suspendedpage.cgi triggers for LF_SYMLINK on cPanel servers Updated sanity checks and ranges for csf.conf settings Added RESTRICT_UI to Server Check recommended options Modified Virtuozzo/OpenVZ FTP port check to verify kernel version before issuing PASV port warning Added new setting PS_DIVERSITY. To specify how many different ports qualifies as a Port Scan you can increase this value. The risk in doing so will mean that persistent attempts to attack a specific closed port will not be detected and blocked. The setting defaults to the original setting of 1 Added 3 LF_HTACCESS regexes for nginx. Remember to set HTACCESS_LOG correctly for the location of the nginx error log 6.26 - Fixed UI issue with some settings sent via the Cluster Config option Modified CONNLIMIT_LOGGING rule insertion point Added new feature: Outgoing UDP Flood Protection. This option limits outbound UDP packet floods. These typically originate from exploit scripts uploaded through vulnerable web scripts. The feature is controlled by: UDPFLOOD, UDPFLOOD_LIMIT, UDPFLOOD_BURST, UDPFLOOD_LOGGING, UDPFLOOD_ALLOWUSER Update the TOR URL in existing /etc/csf/csf.blocklists file if still set to the old URL 6.25 - Fixed UI "Temporary IP entries > Flush all temporary IP entries" Fixed UI_USER and UI_PASS being emptied on saving the firewall configuration through the UI Fixed CLUSTER_KEY not displaying when RESTRICT_UI is disabled 6.24 - Security - Removed items from Cluster Config UI option if RESTRICT_UI enabled 6.23 - Security - added new option RESTRICT_UI. This options restricts the ability to modify settings within csf.conf from the csf UI. Should the parent control panel be compromised, these restricted options could be used to further compromise the server. This option is enabled by default on all installations Added entries to csf.pignore on new installations on cPanel servers for Dovecot v2.2 (cPanel v11.40+) Fixed UI Template validation error message 6.22 - Security Fix - Sanitised user data input to prevent running unauthorised commands via the UI. A user would require root access to exploit this, so vulnerability is probably low. Thanks to Steven at Rack911.com for reporting this issue Added Password ENV variable check to Server Check on cPanel servers Update cPanel ACL Driver installations to change force cache update using "touch" instead of removing the cache Modified TOR URL in /etc/csf/csf.blocklists to use: http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1 6.21 - Modified auto-update logic to only create the /etc/cron.d/csf_update file if it does not already exist Fix permissions on csf man file and directory Modified webmin module paths to be relative rather than absolute so that webmin via mod_proxy works correctly Fixed "in" direction --tempallow/--tempdeny leaking into [comment] Added nginx regex for ModSecurity rule detection. Remember to set MODSEC_LOG correctly for the location of the nginx error log Fixed file permission/ownership problem on DirectAdmin servers for the /plugins directory 6.20 - Introduced a new directory structure to get closer to the Linux Filesystem Hierarchy Standard (FHS): /etc/csf/ - (mostly) configuration files /var/lib/csf/ - temporary data files /usr/local/csf/bin/ - scripts /usr/local/csf/lib/ - perl modules and static data /usr/local/csf/tpl/ - email alert templates Existing data and templates files are migrated into the new structure automatically. Some files and directories are symlinked to /etc/csf/ for backwards compatibility and ease of use. See the following for individual file locations in the new configuration: http://blog.configserver.com/?p=7 CC_LOOKUPS rDNS reporting improvements HTTP::Tiny upgraded to v0.033 Removed Security Token check from Server Check Report now that it is implicitly set in v11.18.0+ Switched the location of the csf.pl and lfd.pl binaries with their symlinks Code tidy for servercheck.pm, csfui.pl Allow comments to be appended to csf --tempdeny and csf --tempallow in the same way as csf --deny and csf --allow. Also made the options more flexible in usage of optional elements Added Comments field to UI for Quick Allow, Quick Deny, and Temporary Allow/Deny Added csf(1) man page and changed csf --help to use a text version of the new man page Fixed unnecessary open of csf.fignore 6.15 - Modified MaxMind City Database lookup code to be more resilent 6.14 - Added support for cPanel v11.38.1+ AppConfig addon registration NOTE: In accordance with the new conventions for v11.38.1+ AppConfig the url to the csf WHM plugin will change from /cgi/addon_csf.cgi to /cgi/configserver/csf.cgi. This will only happen with csf v6.14+ and cPanel v11.38.1+. Older version of csf will continue to use the old URL. This has no particular relevance to users accessing through WHM, but will affect direct URL access by users or third party applications Added support for cPanel v11.38.1+ Custom ACL driver. This creates an ACL (software-ConfigServer-csf) which must be used to grant resellers access via "WHM > Edit Reseller Nameservers and Privileges > Third Party Services > ConfigServer Security & Firewall (Reseller UI)" when running cPanel v11.38.1+ Added Server Check for AppConfig restrictions for cPanel v11.38.1+ Switched from using Geo::IP::PurePerl to Geo::IP perl module Added MaxMind GeoIP Anonymous Proxies to csf.blocklists for new installs Added new setting CSFDATADIR. This is the location of the csf and lfd temporary data. By default it is set to the current value of /etc/csf with the intention of moving this data to /var/lib/csf in the future in a move towards the Linux Filesystem Hierarchy Standard (FHS) Moved the default location for ST_DISKW_DD to /var/lib/dd_test for new installations 6.13 - Fixed Server Check for dhclient 6.12 - Added iptables UID logging for dropped outgoing packets New feature - DROP_OUT_LOGGING. Enables iptables logging of dropped outgoing connections. Where available, these logs will also include the UID connecting out which can help track abuse. Note: Only outgoing SYN packets for TCP connections are logged. The option is not enabled by default, but we recommend that it is enabled Option DROP_ONLYRES now only applies to incoming port connections New feature - User ID Tracking. This feature tracks UID blocks logged by iptables to syslog. If a UID generates a port block that is logged more than UID_LIMIT times within UID_INTERVAL seconds, an alert will be sent. Requires DROP_OUT_LOGGING to be enabled Modified Port Scan Tracking regexes to ensure only incoming connections are tracked Added Server Check for dhclient running Added Server Check on cPanel servers for antirelayd Added Server Check for a swap file (don't bother on Virtuozo) Added Server Check for xinetd, qpidd, portreserve and rpcbind in Services Check since most people won't use them 6.11 - Fixed SMTP_ALLOWLOCAL not functioning correctly. Added IPv6 support for SMTP_ALLOWLOCAL Removed SMTP_BLOCK restriction for IPv6 requiring port 25 to be present in TCP6_OUT 6.10 - New feature - separate Blocklist configuration file to allow for expansion of the available block lists. The following options have been removed from csf.conf and a new csf.blocklists file added to configure blocklists: LF_DSHIELD, LF_SPAMHAUS, LF_TOR, LF_BOGON During the upgrade if those options were enabled, then they will be enabled in the new csf.blocklists file. If you used a custom blocklist URL in one of those options you will have to manually add it to the new configuration. Modified UI to provide edit function for csf.blocklists 6.09 - Modified csf UI to detect Webmin install and symlink script and images directory so as to no longer require Webmin module update on a new csf version Tidied up csf UI html Fixed System Statistics graph display when using Webmin Modified Server Security check to only perform GENERIC test when using Webmin to prevent hanging processes Added CLI options --car, --carm. This removes an allowed IP in a Cluster and removes it from /etc/csf.allow Added new options LF_WEBMIN, LF_WEBMIN_PERM. This feature adds login failure detection for Webmin in WEBMIN_LOG Added new option LF_WEBMIN_EMAIL_ALERT. This feature sends an email if a successful login to Webmin is detected in WEBMIN_LOG Modified LF_SCRIPT_ALERT text in csf.conf for cPanel servers Modified proftpd regex to cope with non-standard format and to remove trailing colons from account name Modified LF_SCRIPT_ALERT regex to cater for paths containing spaces Improvements to LF_SCRIPT_ALERT memory usage and possible script detection Added alternative LF_SCRIPT_ALERT regex for specific 1H.com exim logging ACL 6.08 - Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that do not support IPv6 connection tracking by opening ephemeral port range 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the same workaround implemented by RedHat in their sample default IPv6 rules 6.07 - Fixed issue with processing /proc/PID/stat for process information 6.06 - Prevent csf/lfd from failing to run if a non-critical configuration file does not exist In webmin, force table stylesheet to override webmin css. Requires webmin module reinstall on existing installations 6.05 - Improvements to minimal perl module detection on new installs Bugfix for default lfd.pl perl shebang 6.04 - Implement slurp routine for configuration files to cater for incorrect linefeeds Ignore leading and trailing spaces from lines in configuration files Fixed Include statements in csf.ignore not implemented in lfd Additional debug logging for RT_*_LIMIT added Replaced call to Time::HiRes::sleep with standard sleep Additional dovecot entries in csf.pignore for new installations 6.03 - Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. The HTTP::Tiny module is included in the distribution, so no further action is necessary Modified lfd perl module loading to be conditional where possible to reduce lfd memory footprint Modify initial file processing to reduce lfd memory footprint Modify PS_PORTS processing to reduce lfd memory footprint Moved init of Geo::IP::PurePerl into iplookup subroutine Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to false-positives Modify LF_DIRWATCH_DISABLE so that only files are added to suspicious.tar and removed. Suspicious directories will no longer be removed Removed File::Path - no longer required 6.02 - Modify MESSENGER HTML header to return code 403 instead of 200 Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables detection of repeated Apache symlink race condition triggers from the Apache patch provided by: http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html This patch has also been included by cPanel via the easyapache option: "Symlink Race Condition Protection" 6.01 - Ensure all binaries are called with their full paths for the scheduled Server Security Check reports Allow csf -u/-uf/--update and -c/--check when csf is disabled Make RT_* checks IPv6 compatible Added dns query caching for ip lookups during lfd process lifetime Modify TOR rule loading to use FASTSTART in lfd if enabled Added iptables locking to FASTSTART code LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries Added "DEFERRED" login failure checking to CPANEL_LOG regex 6.00 - Major new option - FASTSTART: This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways: 1. On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time than if this setting is disabled [*] Not supported on all OS platforms FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually Other Changes: Improvements to csf and lfd init routines LF_QUICKSTART renamed to LFDSTART, setting value preserved Fixed a problem with scheduled Server Security Check reports Crypt::CBC upgraded to v2.32 5.79 - Modified csf error routine to store failing error in csf.error and display an instructional message Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM Modified the Server Report proxysubdomains check on cPanel servers Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using this FTP access port 21 could be blocked to only the specified countries 5.78 - Due to issues that some are experiencing with the switch from the state to the conntrack module a new settings has been added USE_CONNTRACK which is disabled by default except on servers running kernel 3.7+ where on new installations it will be enabled 5.77 - Add an exception for the useless Virtuozzo kernels iptables implementation so that csf uses the deprecated state module instead of conntrack 5.76 - Only add the /128 IPv6 bound address per NIC instead of the whole /64 to the local IPv6 addresses Modify SSHD and SU regexes to allow for empty hostname field in log file Added new option UNBLOCK_REPORT. This option will run an external script when a temporary block is unblocked Additional entries in csf.logignore on new installations Switched from using the iptables state module to using the conntrack module in preparation of the formers obsolescence Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so that new tests can be easily added and then ignored desired Added new LF_EXPLOIT check SSHDSPAM to check for the existence of /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9, See: http://www.webhostingtalk.com/showthread.php?t=1235797 5.75 - Fixed issue with single quotes appearing in CC lookup names leading to lfd IP blocks to fail 5.74 - Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36 Additional entries in csf.logignore on new installations Try harder to get a CPU temperature if lm_sensors is installed for System Statistics Enforce PORTFLOOD setting restrictions and issue warning if entry discarded Correct location of CC_ALLOWF in LOCALINPUT after update from lfd Make CC_[chain] actions more verbose in lfd.log Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. This feature allows access from the countries listed in CC_ALLOW_PORTS to listed TCP/UDP ports. For example, using this FTP access port 21 could be restricted to only the specified countries Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature Modified SMTP_PORTS to include ports 465 and 587 on new installations Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent 5.73 - Fixed issue with crontab line for TESTING option not being detected and removed when TESTING mode is disabled 5.72 - Added missing DD setting in DA and generic installations for ST_DISKW Modified IPv6 port settings to reflect IPv4 port settings for new installs in csf.conf If a deleted executable process is detected and reported then do not further report children of the parent (or the parent itself if a child triggered the report) if the parent is also a deleted executable process Parent PID added to PT_DELETED_ACTION parameters In the Server Report allow for spaces before Apache directives Updated instructions for modifying log_selector for exim configurations in readme.txt and Server Report Modify DD calculation for ST_DISKW for disks that report in GB/s Updated to use the new cPanel 11.36+ integrated perl binary if exists 5.71 - Fixed problem processing dd output for ST_DISKW on some systems Fixed dovecot imap login failure regex processing Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog) 5.70 - Fixed an issue with PERMBLOCK introduced in v5.68 5.69 - Fixed duplicate entries in csf.conf on GENERIC installations 5.68 - New feature added - LF_DIST_INTERVAL. This option provides a separate timing interval for both LF_DISTFTP and LF_DISTSMTP. By default it is set to 300 seconds Implemented better handling of repeat blocks when an IP is already temporarily or permanenetly blocked Added missing inclusion of Time::HiRes in csf.pl Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log unless DEBUG enabled Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled RELAYHOSTS setting now defaults to "0" to improve security on cPanel servers Increased default value of DENY_IP_LIMIT to 200 5.67 - Fixed a problem with permanent IP blocking when using LF_SELECT 5.66 - Implemented a new locking system to try to mitigate an iptables bug when issuing concurrent iptables commands Implement flushing on the lfd pid file so that it is always accurate Improvements to csf --grep [ip] to escape regular expression matching New feature added - LF_REPEATBLOCK. This option instructs csf to deny an already blocked IP address the number of times set. See csf.conf for more information New feature added - LF_BLOCKINONLY. This option instructs csf to only block inbound traffic from those IP's and so reduces the number of iptables rules, but at the expense of effectiveness. See csf.conf for more information New feature added - ST_DISKW. This option adds disk write performance statistics to the stats graphs. See csf.conf for more information Fixed file location for Debian and derivative OS's for /etc/mysql/my.cnf in Server Check 5.65 - Removed some of the command locking as it was causing hangs 5.63 - Implemented a locking and retry system to try to mitigate an iptables bug when issuing concurrent iptables commands 5.62 - Added ModSecurity connection dropping to the LF_MODSEC regex Added new option - ETH6_DEVICE. By adding a device to this option, ip6tables can be configured only on the specified device. Otherwise, ETH_DEVICE and then the default setting will be used Added new option - LF_SCRIPT_ACTION. On cPanel servers, this can contain the path to a script that is run whenever LF_SCRIPT_ALERT is triggered Fixed stats graph average calculation and display if average equals 0 Split Slow MySQL Queries stats graphs from MySQL Queries Improvements to Apache CPU Usage stats graphs 5.61 - On Debian systems, check for my.cnf in /etc/mysql/my.cnf in Server Check Add missing/changed images in the DA/Webmin installs. For webmin, the csf webmin module will need to be reinstalled Another fix for LF_NETBLOCK to skip IPv6 addresses Fixed csf --tempallow where -d [direction] was performing inout when in requested Fixed UI option "Edit the Log Scanner file (csf.logfiles)" which was incorrectly overwriting csf.dyndns instead of writing to csf.logfiles Changed ETH_DEVICE_SKIP device check from a failure to a warning Skip checks for register_globals and suhosin if running PHP v5.4.* in Server Check report 5.60 - Added new options to include the Spamhaus Extended DROP list. These additional netblocks are included in the main Spamhaus chain. The feature uses LF_SPAMHAUS_EXTENDED and LF_SPAMHAUS_EXTENDED_URL which are enabled by default, but used only if LF_SPAMHAUS is enabled. To force a reload of the SPAMHAUS list to include the Extended list, delete /etc/csf/csf.spamhaus file after upgrading to this version and then restart lfd Added new options to allow blocking of TOR Bulk Exit nodes. This works in the same manner as the LF_SPAMHAUS and LF_DSHIELD options. The feature uses LF_TOR and LF_TOR_URL and is disabled by default. Warning: This could block legitimate users who are trying to protect their anonymity, so use with caution Fix LF_NETBLOCK to skip IPv6 addresses as it is unsupported as has long been stated in csf.conf Added missing html elements in UI Added unblock button to UI IP searches when results is either in csf.deny or a temporary block Implemented a locking system to mitigate iptables stability issues when loading concurrent iptables chains in lfd Fixed bug in the display of the 30 days ST_SYSTEM stats Added new option ST_SYSTEM_MAXDAYS. This allows you to define the maximum number of days of stats to collect (default 30 days) Increased stats graph sizes Added CIDR checking of csf.allow to the CLI command csf --deny Added checking of csf.ignore to the CLI command csf --deny 5.59 - Fixed a loop which caused high load when using GLOBAL_IGNORE Improvements to GLOBAL_IGNORE load speed and effectiveness Improvements to CC_IGNORE load speed 5.58 - Corrected ST_APACHE error message return text Add meaningful message if stats graph generation fails in UI Added new icon in UI for "Quick Allow" that inserts the current visitors IP address Added new icon in UI for "Quick Ignore" that inserts the current visitors IP address Replaced some of the included icons 5.57 - Added new option PT_APACHESTATUS to configure the URL to the Apache Status URL during PT_LOAD alert report Added Apache Statistics to ST_SYSTEM. A new option ST_APACHE must be set to collect these statistics and PT_APACHESTATUS must be correctly set. ST_APACHE is disabled by default Modification to SYSLOG option to remove the later introduced "nofatal" option to improve backwards compatibility, also enable the "pid" option to log the process ID Added new options SYSLOG_CHECK and SYSLOG_LOG to check whether syslog is running. See csf.conf for more information. This option is disabled by default, but we recommend that it is enabled on all servers Added SYSLOG_CHECK to Server Check Report recommended settings 5.56 - Improvements to ST_MYSQL password detection in /root/.my.cnf where the password is quoted Improvements to the SMTP AUTH regex to cope with differing settings in exim log_selector Removed debugging code in SMTP AUTH regex detection 5.55 - Update Fedora version check now that v17 has been released Added MySQL Connection and Thread statistics to ST_MYSQL/ST_SYSTEM Modified Server Check Report for cPanel servers see whether mod_ruid2 has been enabled making the Apache suEXEC check moot Improvements to the SMTP AUTH regex to cope with differing settings in exim log_selector 5.54 - Modified ST_MYSQL connection errors to advise disabling ST_MYSQL if it is not used ST_MYSQL now disabled by default on new csf installations 5.53 - Added Email Usage to the ST_SYSTEM System Statistics feature when RT_* options are enabled Fixed incorrect Min/Max calculations in System Statistics Improvements to Disk Usage stats in System Statistics for some virtual environments Added CPU Temperature to the ST_SYSTEM System Statistics feature when lm-sensors/coretemp installed and enabled (highest core temp recorded) Added MySQL graphs to the ST_SYSTEM System Statistics feature when ST_MYSQL is installed and enabled - requires DBI and DBD::mysql perl modules. Authentication is via new ST_MYSQL* options. The option is enabled on cPanel servers by default, disabled on others Modified stats collection routine to append data to the stats file on each minute interval and to clean up only on lfd startup. This is to help minimise the risk of the stats file being incomplete due to process termination Added new options LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM. This option will keep track of successful SMTP logins. If the number of successful logins to an individual account is at least LF_DISTSMTP in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common SMTP account compromise attacks that use a distributed network of zombies to send spam (exim MTA only). Not enabled by default Modified Server Check Report for cPanel servers see whether mod_ruid2 has been enabled making the PHP Handler check moot Modified the ModSecurity regex to cater for the paid Atomic rules Apache error log non-standard format Modified non-cPanel new installs to disable ST_SYSTEM by default 5.52 - Alternative kill and status methods employed for lfd init process on Debian/Ubuntu Added new feature: System Statistics. This option will gather basic system statstics. Through the UI it displays various graphs for disk, cpu, memory, network, etc usage. The feature requires the perl module GD::Graph. It is enabled by default with the ST_SYSTEM option 5.51 - Updated Donation buttons 5.50 - Removed check for Melange on cPanel servers from Server Check Report Improvements to the cPanel exim SMTP AUTH login failure regex after changes in cPanel v11.32 Added exe:/usr/local/cpanel/3rdparty/sbin/mydns to csf.pignore for new installs on cPanel servers Additional cmd/pcmd suggestions added to csf.pignore for new installs on cPanel servers (not enabled) 5.49 - Remove atd from Service Check in Server Check Report Ensure all DNS traffic between non-local IP addresses in /etc/resolv.conf is allowed through the firewall when DNS_STRICT_NS is not enabled Added exim to example script pt_deleted_action.pl Added /var/log/cxswatch.log to csf.logfiles for new installations Added new option LF_ALERT_SMTP which allows lfd to be configured to send alert emails via SMTP instead of through the SENDMAIL binary. LF_ALERT_SMTP needs to be set to the name or IP address of the SMTP server to use this feature Added new option CC_DROP_CIDR. Set this option to a valid CIDR to ignore CIDR blocks smaller than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of CC entries and may improve iptables throughput Improved installation procedure for checking required perl modules 5.48 - New option LF_QOS added which matches hits against the mod_qos Apache module New option LF_CXS added which matches hits against the mod_security Apache module rule for cxs if implemented 5.47 - Improvements to non-core perl module loading Improvements to PT_LOAD Apache Status retrieval and messages Regex modifications to cater for Dovecot v2.1+ On cPanel servers, block additional ports that exim uses in the WHM > Service Manager for RT_*_BLOCK 5.46 - Modified upgrade warning for integrated UI to not use the DA warning text Validate local IP addresses Only check local IPv6 addresses if IPV6 is enabled in config Separate IPv4 from IPv6 ignore CIDRs due to Net::CIDR::Lite restrictions Improvements to ignore files IP address validation Add server check for PHP v5.2.* to the obsolete/security risk list Add server check for RedHat/CentOS v4.* and Fedora < v15 to the obsolete/security risk list Removed server checks for RLimitMEM/RLimitCPU 5.45 - Only log Log Scanner in lfd.log if DEBUG set to 2 to allow empty reports if monitoring lfd.log Added new option LF_BOGON_SKIP. If you don't want BOGON rules applied to specific NICs, then list them in a comma separated list Added new option LF_CONSOLE_EMAIL_ALERT which will send an email if there is a root login to the server console. This is enabled by default 5.44 - New feature - Log Scanner. This feature will send out an email summary of the log lines of each log listed in /etc/csf/csf.logfiles. All lines will be reported unless they match a regular expression in /etc/csf/csf.logignore Set LWP::UserAgent agent to "csf/[version]" instead of the default 5.43 - csf and lfd modified to better handle !lo interface for compatibility with newer iptables versions Removed use of Sys::Hostname::Long Added new options LF_APACHE_403 and LF_APACHE_403_PERM. This option will keep track of the number of "client denied by server configuration" errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information 5.42 - SECURITY FIX. Anyone running csf on a DirectAdmin server should upgrade to this release immediately: Add check for successful open of admin.list on DA servers to avoid a segfault, which could lead to a buffer overflow 5.41 - Added text description of allow/deny made by cPanel Resellers via UI in csf.allow and csf.deny If cPanel UI Resellers email alerts are enabled, a csf grep will be performed before an IP adress is unblocked and the output included in the alert email, together with the results of the UNBLOCK If cPanel UI Resellers email alerts are enabled, the results of an ALLOW or DENY will be included in the alert email Added logging of cPanel UI Reseller actions ALLOW/DENY/UNBLOCK to /var/log/lfd.log Update to urlget to not fail on empty file if successfully retrieved Take Integrated UI out of BETA as no reported issues Take csf.redirect out of BETA as no reported issues 5.40 - Added new feature - csf UI Reseller functions for cPanel. See /etc/csf/csf.resellers and WHM UI Improvements to cse Integrated UI Modified redundant cPanel function calls in UI Removed ModSecurity functionality in UI Modified WHM UI "Remove Deny" to be "Quick Unblock" that now removes a specified IP address entries from csf.deny and/or temporary blocks 5.39 - Fixed detection of the nat tables on some Virtuozzo VPS servers 5.38 - Modification to the Integrated UI to allow access to cxs if it is installed via UI_CXS Include an updated cse with csf for use with the Integrated UI via UI_CSE Added option UI_CIPHER to allow the SSL cipher suite to be set manually for the Integrated UI Added HTTP request internal memory limits to the Integrated UI 5.37 - Added new BETA feature - User Interface. This feature provides a HTML UI to csf and lfd, without requiring a control panel or web server. The UI runs as a sub process to the lfd daemon. See csf.conf and readme.txt for information and requirements Fixed issue with RT_* regex routine ignoring 127.0.0.1 Fixed detection of DNSONLY cPanel installs Added Security Check on cPanel server checks for disabled "Proxy subdomains" and "Proxy subdomain creation" Added new option LF_CPANEL_ALERT_ACTION. If a LF_CPANEL_ALERT event is triggered, then if LF_CPANEL_ALERT_ACTION contains the path to a script, it will run the script and passed the ip and username and the DNS IP lookup result as 3 arguments 5.36 - Fix for the lfd child lock mechanism effectiveness 5.35 - Added new BETA feature - Port/IP address Redirection. This feature uses the file /etc/csf/csf.redirect to redirect connections from/to IP/port combinations to alternative IP/ports. See readme.txt for more information Updated syslog daemon checking in Server Report Set PT_DELETED to 0 by default on new installations Improvements to csf startup locking within lfd Improvements to error trapping between csf and lfd Check minimum values for interval settings and set to recommended values if too low during lfd startup to improve stability Added lfd child locks to improve stability due too server or network resource issues or too low an interval setting Updated Sanity Checks for settings lfd will now not start if TESTING is enabled Do not require write permissions to /etc/crontab when no changes required for TESTING mode enable/disable Prevent parricide by lfd children unless required Added nat table check in csf Fixed bug in csf --grep not matching the nat table 5.34 - Improvement to dovecot account name sanitisation checks in lfd Modified cronjobs for new installs to be compatible with anacron Added new option CLUSTER_BLOCK which is enabled by default. This allows you to disable automatic sharing of lfd blocks around a csf cluster, e.g. if you only wish to use the CLUSTER option to share settings and manual blocks and allows Added new option RT_ACTION. If an RT_* event is triggered, then if RT_ACTION contains the path to a script, it will be run in a child process and be passed a list of items (see csf.conf - for cPanel and DA only) Fix to DYNDNS Advanced Allow/Deny Filters using pipe separator Set permissions to 700 on *.sh, *.pl and *.php in /etc/csf/ instead of a blanket 600 of non-csf scripts 5.33 - Add link to the Changelog when csf is upgraded Extended urlget timeout to 300 seconds to help cope with the large MaxMind City Database download where enabled Include cpdavd login failures for LF_CPANEL. Added port 2077 and 2078 to the cPanel block ports when LF_SELECT enabled Disable ftp Server Check reports if ftp server disabled in cPanel Added regex validation to any specified csf.pignore or csf.figonre entries to lfd Updated cPanel tier checks to cope with old STABLE and DNSONLY releases and newer v11.30+ Improvement to account name sanitisation checks in lfd 5.32 - AUTO_UPDATES enabled for new installations in csf.conf Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still set in csf.conf it will be ignored Check MESSENGER service to ensure privileges are dropped before starting the daemon Drop privileges when performing removal during LF_DIRWATCH_DISABLE For new installations, IPV6 enabled if IP6TABLES exists and an IPv6 address is found in the output from IFCONFIG. IPV6_SPI is set according to the kernel version (i.e. whether SPI is supported or not) 5.31 - Updated the LF_TRIGGER_PERM explaination in csf.conf to properly reflect the possible settings of LF_TRIGGER Perform account name sanitisation checks in lfd 5.30 - Fixed a SECURITY BUG that can be exploited remotely via log file spoofing resulting in root privilege escalation. Our thanks to Jeff Petersen for reporting this issue All csf users should upgrade to this release immediately 5.22 - New feature: Connection Limit Protection (CONNLIMIT, CONNLIMIT_LOGGING). This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of concurrent new connections per IP address that can be made to specific ports. See csf.conf and readme.txt for more information and about the format of the CONNLIMIT option and its limitations Minor csf UI Firewall Configuration virtual pagination improvements Updated cPanel Server Check update settings for v11.30+ Removed cPanel Server Check for new versions due to changes in the v11.30+ versioning system making this redundant Updated MySQL Server Check for v5.1.* Added a warning to csf.conf for SYNFLOOD to only enable the option if you know you are under a SYN flood attack as it will restrict all new connection to the server if triggered 5.21 - Added port 500 to DROP_NOLOG for new installations Corrected the LF_APACHE_404 lfd log line output Added startup failure on invalid PORTFLOOD settings Make csf.pignore item selector case-insensitive (e.g. exe: and EXE:) All user: item selector examples removed from the default csf.pignore for all new installations (e.g. user:mailman). csf.pignore examples for some common processes can be found here: http://forum.configserver.com/viewtopic.php?f=6&t=2059 Updated DA and GENERIC default csf.pignore files for new installations csf UI Firewall Configuration virtual pagination improvements Updated Sanity checks for settings in csf.conf Modified Sanity checks for settings in csf.conf to always show the recommended range in the UI Set LF_GLOBAL to 0 instead of an empty string by default on new installations Added new option LF_LOOKUPS to toggle rDNS IP address lookups 5.20 - Updated installation scripts to distinguish between IPv4 and IPv6 port report Modified Virtuozzo VPS numiptent check to distinguish between host and client servers Added exe:/usr/sbin/ntpd to csf.pignore on new installations Don't perform the runlevel check on Debian/Ubuntu servers as it isn't indicative of a potential security issue as with other Linux distros Added new option PT_DELETED_ACTION which if defined with an executable script will run if PT_DELETED is triggered passing the process PID, executable and account. An example script is provided in: /etc/csf/pt_deleted_action.pl If CC_LOOKUPS enable for the MaxMind City Database then also display the Region, where available Added csf UI Firewall Configuration virtual pagination Rearranged csf.conf for csf UI Firewall Configuration virtual pagination Re-instated sanity check highlights in csf UI Firewall Configuration Improved Server Check recursion checking in included configuration files Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option will keep track of the number of "File does not exist" errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information 5.19 - Added stats workaround for February/March calculations Added new option CC_IGNORE - this Country Code list will prevent lfd from blocking IP address hits for the listed CC's Reduced CC_* memory usage when loading zones Modified lfd logging for regex.pm and regex.custom.pm login failures to lfd.log to use the return reason from the regex match instead of a generic message. This does mean that the format for these messages has changed DA Server Check for proftpd - check whether pureftp=1 in DA config Replaced IP::Country and Geography::Countries with Geo::IP::PurePerl using the MaxMind GeoLite Country database for CC_LOOKUPS Added new option GUNZIP which is required to expand the MaxMind GeoLite Country database Extended CC_LOOKUPS which can now be configured to report Country Code and Country and City using the MaxMind City Database. See csf.conf for more information Added Donation buttons to csf UI main page 5.18 - Remove RT_POPRELAY_* from csf.conf on DA servers as it does not apply Improved Server Check for cPanel Update configuration check Modifed csf restart to not start bandmin during the stop phase Modified LF_DIRWATCH to remove dependency on File::Type Modified LF_DIRWATCH for speedups and removed the need for a file size limit Debian v6 support confirmed Added /etc/bind/named.conf.options to the list of named.conf files to check for recursion settings (for Debian) 5.17 - Updated Server Check for cPanel Update configuration check to cater for the new format Disable LFD service in DA on uninstall of csf using SED instead of REPLACE 5.16 - Fixed missing perm.png from DA install Fixed Temporary IP Entries table headers in UI If DENY_IP_LIMIT is reached, remove excess IPs from iptables as well as csf.deny (previously only removed from csf.deny) csf on cPanel servers automatically re-enables the cPanel Bandwith chains after iptables is configured. If bandmin is not functioning, or you don't use the bandmin stats you can disable this new option LF_CPANEL_BANDMIN (enabled by default on cPanel servers) 5.15 - Check for multiple Ports settings for sshd in /etc/ssh/sshd_config when the LF_SELECT option is enabled Updated SMTPAUTH regex to detect more login authentication methods Updated AUTHRELAY regex to detect more login authentication methods Added option to UI to permanently block temporarily blocked IP's 5.14 - Updated RELAY regex to detect the dovecot/courier login authentication methods on cPanel servers Updated Server Check Report to reflect cPanel/WHM changes in v11.28, including additional checks and updating reference text Added checks to LF_DIRWATCH_FILE to ensure watched resources exist on startup and while running a check. Those that do not exist are ignored and logged in lfd.log 5.13 - Added obsolete OS checks for Fedora v11 and v12, plus RedHat/CentOS v2 and v3 in Server Check Fixed broken reference URL's in Server Check for cPanel servers Modified statistics to not display pie chart if no data is available Sort LF_DIRWATCHFILE output by time to improve the reported results Added new setting for AT_ALERT to only trigger on modification to the root account (i.e. not all superuser accounts) Tested successfully for support on Fedora v14 and Ubuntu v10.10 5.12 - Added some lfd blocking statistics which can be viewed via the UI. Requires gd graphics library and the GD::Graph perl module with all dependent modules Added 8th argument to BLOCK_REPORT for the setting that triggered the block Added setting that triggered a block to lfd log lines 5.11 - Removed erroneous Port Knocking messages in lfd.log when PORTKNOCKING_ALERT not enabled Added 'exe:/usr/bin/postgres' to the cPanel csf.pignore for new installations Added retry timeout in WHM UI for checking www.configserver.com for new version information (to avoid repeated hangs when unreachable) Fixed LF_PERMBLOCK issue that flushed all temporary IP blocks, not just the IP being permanently blocked Added check to PHP Server Check that php -i output is complete 5.10 - Always report UID:GID of a DIRWATCH file incase the user account owning a reported file no longer exists Report error gracefully on CIDR->add failures and continue Added "query (cache)" check to BIND flooding regex Fix issue with killing Advanced Port blocks using the pipe separator Update warning messages to include xt_owner with ipt_owner Replace URL in Server Check for instructions on disabling IPv6 Fixed a bug in LF_CPANEL_ALERT ip address tracking Added new option LF_CPANEL_ALERT_USERS to be used with LF_CPANEL_ALERT to alert for a specified list of WHM/cPanel account logins. See csf.conf for more information Added new feature: Port Knocking. See csf.conf and readme.txt for more information on the PORTKNOCKING, PORTKNOCKING_LOG and PORTKNOCKING_ALERT options Added new UI option: Quick Ignore, for IP addresses 5.09 - Added Server Check report check that klogd is running if using syslogd or that klog module is loaded if running rsyslogd Added Server Check report, checks for apache settings: TraceEnable, ServerSignature, ServerTokens and FileETag on cPanel servers Fixed ip6tables IPV6_SPI check warning for older kernels Added instruction to open outgoing TCP6 and UDP6 ports when using an older kernel for ip6tables IPv6 Final (no longer Beta) Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you do not want this to apply to LT_POP3D/LT_IMAPD, then enable this option Added new option PT_USER_ACTION. If a PT_* event is triggered, then PT_USER_ACTION will be run in a child process and passed the PID(s) of the process(es) 5.08 - New option CLUSTER_MASTER which is the IP of the master node in a cluster allowed to send CLUSTER_CONFIG changes. This must be set in order to use CLUSTER_CONFIG options Added new Cluster CLI option --cfile (-cf) for sending a file to cluster members. The file will only be uploaded to the /etc/csf/ directory Added new Cluster CLI option --crestart (-crs) to initiate a restart of csf and lfd on all cluster members Removed CLI option -ccr, --cconfigr [name] [value] in favour of the new --crs, --crestart option Modified regular expressions to cater for RFC3339 date format in log files. For example, RFC3339 date format used by default in rsyslog on CentOS v5.5 5.07 - Fixed bug introduced in v5.04 that ommitted two outgoing DNS lookup rules that could affect servers where iptables connection tracking isn't working correctly 5.06 - Increased PT_USERMEM default to 200 from 100 for new installations Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for report generation in lfd which caused lfd to fail in Net::CIDR::Lite 5.05 - Updated the Server Check report IPv6 text Fixed ip6tables command execution in iptables firewall during startup 5.04 - Added BETA IPv6 support. See csf.conf for more information on the new settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT New CLI option csf --status6 (csf -l6) added to list ip6tables rules Changed temporary DENY and ACCEPT working file formats to use a different record separator to cater for future IPv6 support Advanced Allow/Deny Filters now use | as the separator character to cope with IPv6 addresses. Legacy support remains for the old : separator for IPv4 addresses, though these should also now use | as the field separator In Server Check report, don't issue IPv6 warning if only ::1/128 is bound to a NIC (i.e. loopback) Upgraded Net::CIDR::Lite to v0.21 Upgraded from IP::Countries to Geography::Countries 5.03 - Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites Changed DA default configuration of FTPD_LOG to "/var/log/secure" 5.02 - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. These default to the original values previously hard-coded Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and allows connection to locally configured IPs as well Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1 Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP Added lfd check to enforce 0600 permissions on /etc/csf/ 5.01 - Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK) Added new CLI option csf --tempallow (csf -ta) which works in exactly the same way as csf --tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers Updated UI entry for adding and removing temporary allows and blocks Display temporary block TTL in days hours minutes and seconds Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information Modified csf and lfd init scripts to be LSB-compliant Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error 5.00 - lfd Clustering, final release. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications Added new option LF_DISTATTACK. Distributed Account Attack detection. This option will keep track of login failures from distributed IPs to a specific application account. If the number of failures matches the trigger value, ALL of the IP addresses involved in the attack will be blocked. This option is currently disabled by default - see csf.conf for more information Added new option PT_USERKILL_ALERT if you want to disable email alerts for PT_USERKILL triggers. This option is enabled by default, i.e. alerts are sent Added new options LF_QUICKSTART in csf.conf and CLI options -q, --startq, -sf, --startf to allow deferral of csf startup to lfd instead of waiting for the CLI to perform the work. See the CLI help and csf.conf for more information Added UI option for "Firewall Quick Restart" which uses csf -q, "Firewall Restart" uses csf -sf lfd now restarts csf (if stopped and LF_CSF enabled) within the main process to enhance the integrity of the firewall Multiple login failure regex detection improvements Fixed typos in permblock.txt 4.99 - Improved csf locking to enhance the integrity of the firewall Log lfd csf deny failures New SSHD regex added Improved the dovecot regex's New Beta option: lfd Clustering. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications 4.89 - New SSHD regex added Added Server Check to check whether SSHD UseDNS is set to "no" - it should be disabled Added an Important Note to the readme.txt regarding the sshd UseDNS setting Speedup for LF_DIRWATCH regex matching 4.88 - Fixed URL's in Server Check report for cPanel if Security Tokens are enabled in v11.25+ Added ipv6 explanation that the information is determined from the output from ifconfig and display ipv6 addresses found Added the ability to use Include statements in csf.deny and csf.allow, see readme.txt for information and restrictions 4.87 - Ignore csf.rignore for LT_POP3D and LT_IMAPD Removed unnecessary csf.locks during some GLOBAL list updates Updated Copyright notice Modified the block message for LF_MODSEC and LF_SUHOSIN to be more appropriate (i.e. not "login failures") Added new block options for BIND denied requests: LF_BIND, LF_BIND_PERM, BIND_LOG. This works in the same way as the other similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have had BIND (named) requests denied more than LF_BIND times in LF_INTERVAL seconds. Currently named client denied log lines for "update" and "zone transfer" trigger the option Modified GLOBAL_ routines to continue if retrieval for one fails instead of immediately exiting Added IPv6 check to Server Check Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled on single line comments (lfd.log, csf.deny, etc) Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the respective email alerts can be disabled Updated IP::Country 4.86 - Added Dovecot regex checking for LT_POP3D and LT_IMAPD Modified Server Check for Fedora v10 EOL now that Fedora v12 has been released Improved Dovecot IMAP and POP3D login failure regex Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD Fixed TLSCipherSuite Server Check for proftpd Added SSHD regex for "Did not receive identification string from IP" failures 4.85 - Further improvements to ICMP rule filters - Added backup mod_security log viewer for non-cPanel servers 4.84 - Mod_security log viewer removed from csf in favour of cmc Improved ICMP rule filters. This could help some hosts that experience connection issues with csf Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS to include this, i.e. to Port Scan for all ports use: PS_PORTS = "0:65535,ICMP" This is now the default on new installations 4.83 - Added multiple checks to the Server Check for new cPanel v11.25 security settings Tidied up and rearranged the main UI Removed redundant UI options Added total perm bans to UI 4.82 - Removed the need for UI lfd cron restart jobs on Direct Admin 4.81 - Fixed case sensitivity issue introduced in v4.80 with port specific lfd deny lines being ignored 4.80 - Modified WHM login regex to only trap successful root page displays for LF_CPANEL_ALERT Apache status for PT_LOAD now checks http://127.0.0.1/server-status on GENERIC/DA servers. You need to ensure that the server-status page has access from 127.0.0.1 in the apache server-status Location container Extended SU log file regex for Debian servers Sanitise UI file edit HTML output Improvements to the removal of alternative firewalls script Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS list via URL Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE, especially on Debian Improved detection of already blocked IP addresses 4.79 - Withdrawn 4.78 - Modified DA installation to overcome permissions problems on some systems preventing the UI from working 4.77 - Expanded dovecot regex matching Fixed the generic installation to install regex.custom.pm 4.76 - Added check for FrontPage extensions to Server Check as they should be considered a security risk as they were EOL in 2006 Added support for the impending cPanel v11.25 Security Tokens feature 4.75 - Added a [block] section to the Login Failure alert.txt template. This new report template will be copied to /etc/csf/alert.txt.new on existing installations, rename it to alert.txt to use it Modified existing lfd alerts to use currently used tags instead of appending block information to the IP address (alert.txt modified as above) Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for email sent via a local IP addresses, separating the trigger from RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf for more information Added Relay Tracking to Direct Admin running exim. See RT_* and SMTPRELAY_LOG in csf.conf for more information Added csf.mignore to allow ignoring of specified usernames or local IP addresses from RT_LOCALRELAY_ALERT Modified csf UI to use a single dropdown for all lfd ignore files Added proftpd regex matching for "UseReverseDNS on" in proftpd config 4.74 - Removed FUSER from csf.conf as it is no longer used Added UNZIP to csf.conf which is required for Country Code to CIDR functions Modified the Country Code allow/deny/allow_filter feature to generate CC CIDRs from the Maxmind GeoLite Country database instead of using iplocationtools.com. Note: GeoLite is much more accurate that the previous zones used. This also means that there are usually more CIDRs for each CC which adds to the burden of using this feature 4.73 - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's to prevent module failures New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses WHM via root. An IP address will be reported again 1 hour after the last tracked access (or if lfd is restarted) 4.72 - Modified mail sending code to use a common procedure that copes better with differing combinations and variations of From:, To:, LF_ALERT_TO and LF_ALERT_FROM settings for lfd alerts 4.71 - Code speedups in csf --grep Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note added to alert if ip match found Modified Server Check for Fedora v9 EOL now that Fedora v11 has been released Modified iptables output from csf.pl to exclude the Fedora v11 intrapositioned negation messages Fixed typo in integrity.txt alert template for new installations Modified the email header for csf --mail Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY Modified lfd output filehandle names to avoid read/write conflicts Added Advanced Allow/Deny Filters for csf.dyndns. See readme.txt for an example Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where only listed Country Codes are allowed, however normal port and packet filter rules are still applied to those connections. All other connections are dropped 4.70 - Modified UI access to csf.sips to display checkboxes instead of direct editing, for ease of use Fixed problem where RELAYHOSTS setting wasn't always being honoured Modified mod_security configuration editor to handle HTML elements Rewritten RT_*_ALERT regex and counting code to better deal with a variety of exim log output formats Added recipient count to RT_*_ALERT to include emails sent to multiple recipients. This option requires that the exim log_selector setting in the exim configuration includes the option: +received_recipients So, the recommended log_selector setting is now: log_selector = +subject +arguments +received_recipients Modified Server Check cPanel version check to cater for x86_64 OS's Added check to prevent Server Check mail report cron duplicates Added abbreviated UI for mobile phone access to Quick Allow, Quick Deny and Remove Deny. Direct URLs: cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1 DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1 Webmin: https://1.2.3.4:10000/csf/?mobi=1 4.69 - Added Gentoo (generic) support Added Server Check for MySQL LOAD DATA LOCAL Modified Server Check for enable_dl to also check whether dl is in disable_functions 4.68 - Added ipv6 IP detection for proftpd login failures Removed ossec and webmin from the Server Check services section 4.67 - Modified the Country Code allow/deny feature to use iplocationtools.com now that ipdeny.com has gone offline 4.66 - Modified OS version check to prevent Fedora v10 obsolete false-positive in Server Check Modified the exim SMTP AUTH regex to use the latest cPanel/exim format Added failure notification for DYNDNS entry lookups in lfd if they fail to resolve or timeout 4.65 - Modified Firewall Security Level UI to set PS_LIMIT within range Fixed problem processing template for SU_ALERT Empty csf.dshield on upgrade to work around problem where DSHIELD blocked themselves in their own BLOCK list 4.64 - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work if SMTP_BLOCK isn't actually enabled Added new CLI option (csf -uf) which forces an update of csf+lfd Added new CLI option (csf -df) which removes and unblocks all entries in /etc/csf.deny (excluding those marked "do not delete") Added new UI option to that removes and unblocks all entries in csf.deny (excluding those marked "do not delete") and all temporary IP bans Added csf file names to the csf UI options 4.63 - New feature - Added new CLI option: csf --mail (or csf -m) which can take an email address as an argument. It will display the Server Check in HTML or send the output to the email address if present Added option to UI Server Check to schedule csf to generate the report and email the results to the address specied at the interval specified Removed MySQL check from cPanel DNSOnly Server Check Updated the perl v5.8.8 Server Check comment Fixed sanity check for RT_*_BLOCK Fixed copy of install.txt for generic installs and upgrades Modified UI for Deny Servers IPs > Change to indicate that csf needs restarting, not lfd Added built-in replacement function for the Messenger Service message files for [HOSTNAME] which will be replaced by the servers FQDN hostname. Updated the sample Messenger index templates Updated the uninstall scripts to remove the cronjob and logrotate files Added colour highlights to the Quick Allow and Quick Deny UI boxes 4.62 - Fixed problem with SU_ALERT alert report in v4.61 Modified the Server Check for cPanel update settings to check for daily updates more accurately Added Server Check for cPanel tree Upgraded IP::Country New feature - Added sanity check to configuration values in csf, UI Server Check and UI Firewall Configuration. In the UI Firewall Configuration: lines highlighted in red fall outside the recommended range; lines highlighted in pale green differ from the default on installation Added cPanel Security Check to check that at least one configured nameserver is on a different server Added proftpd checks to csf (for VPS servers) and in Server Check Added DirectAdmin Checks to UI Server Check for: SSL login to DA; proftpd cipher; nameserver on a different server; PHP version and configuration checks; Apache version; dovecot cipher Removed resolv.conf localhost check 4.61 - Modified lfd iptables command error handling to log errors and continue instead of terminating when in TESTING mode Removed loading of iptables modules from csftest.pl to avoid modprobe problems with some OS kernels Added Connection Tracking check for pre-existing block to cater for linux connection status timeouts Moved LF_CSF check to the start of the lfd processing interval New option LF_ALERT_FROM. If set, the value of this option will override the From: field in all of the lfd alert templates. This change also uses the From: field in the template (or this option if set) as the value for the SENDMAIL -f option Modified POP/IMAP Server Checks for the chosen mail server only on cPanel servers Modified FTP Server Checks for the chosen ftp server only on cPanel servers Added SMTP Tweak to Server Check on cPanel servers and removed block on csf starting if enabled 4.60 - Modified cipher checks to strip out quotes Modified Apache cipher message to remoind that you have to rebuild the Apache configuration and restart for changes to be effective 4.59 - Added proftpd regex for Plesk server log file format Modifed the Server Check cipher checks for pure-ftpd and Apache to use openssl to ensure SSLv2 is disabled Added cPanel Server Check checks for dovecot, courier-imap IMAP and POP3D SSL cipher list New option SAFECHAINUPDATE added. If enabled, all dynamic update chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN) will create a new chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the old dynamic chain and rename the new chain. See csf.conf for more information. This option is disabled by default, but we do recommend that it is enabled on non-VPS servers with restrictive numiptent values Added SAFECHAINUPDATE to the firewall Server Check (except for Virtuozzo VPS servers) Modified Server Check on cPanel to make the PHP v4 warning clear and to warn where PHP v5 and v4 have both been compiled (PHP v4 is obsolete and should not be used at all anymore) Added WHM checks for skipparentcheck and cpsrvd-domainlookup to Security Check New option LF_ALERT_TO. If set, the value of this option will override the To: field in all of the lfd alert templates 4.58 - Modified exim cipher check in Server Check to use openssl to test the expanded configured cipher suites to ensure SSLv2 is disabled 4.57 - Improved exim configuration option detection in Server Check Added Exim Configuration checks to DirectAdmin Server Check Modified csftest.pl to perform a modprobe on all used iptables modules before testing Added PASV port hole warning on VPS servers to the output of csf on start and to the cPanel (if using pure-ftpd) Server Check Added lfd to the DirectAdmin Service Monitor Added back a revised Firewall Security Level option to UI 4.56 - Added TCP_OUT port 2222 for the DA default configuration for new installations Added ICMP protocol to Advanced Allow/Deny Filters. See readme.txt for more information and examples Updated readme.txt to reflect the Control Panel UI availability for cPanel, DirectAdmin and Webmin Modified mod_security configuration file check to the TLD only of /usr/local/apache/conf/ and only files ending in .conf 4.55 - Fixed issue with csf.conf not being loaded for the Server Check Report Removed erroneous chkconfig check from Server Check Report Disabled various checks in Server Check Report for non-cPanel servers Modified Debian/Ubuntu init entry creation and removal procedure Modified Server Check to search for multiple named.conf locations 4.54 - Bug fix to Exploit Check code Fixed problem with iptables logs not being collated if PS_INTERVAL is disabled but ST_ENABLE is enabled Fixed potential problem with SMTPRELAY_LOG not being scanned when RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled 4.53 - Upgraded the csf Webmin UI module to the new csf UI and added installation/upgrade instructions to the install.txt for Webmin Fixed image locations and javascript in DA and webmin UI Updated the uninstall scripts and the uninstall section of install.txt 4.52 - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd Added warning in DA UI to upgrade csf from the root shell due to restrictions in DirectAdmin NOTE: DA users should upgrade csf to this version from the root shell using "csf -u" and not use the Upgrade button in the UI 4.51 - Fixed csf --upgrade (csf -u) for DA installations 4.50 - Added restrictions information regarding the PORTFLOOD setting and ipt_recent to readme.txt (i.e. hit count max is 20) Modular development of csf UI Added DirectAdmin UI and installation support for csf/lfd Added Statistics options (ST_ENABLE, etc) to generic csf installation Added SMTP options (SMTP_BLOCK, etc) to generic csf installation Removed pre-configured firewall settings through UI for redevelopment as it has become out-dated Modify csf UI to signal lfd to start/restart/enable only. A one minute cron job will actually perform the signalled function. The CLI is unaffected and performs the command immediately. This is introduced to overcome fork issues from within an Apache session 4.41 - Added information about runing external iptables commands using csfpre.sh and/or csfpost.sh to readme.txt Added new CLI option csf --addrm (csf -ar) to remove an IP address from csf.allow and delete the associated iptables rules Removed the need for the MONOLITHIC_KERNEL option and made modprobe perform silently on csf startup. Added the relevant information regarding some Monolithic kernels and the need for a PASV port range hole to readme.txt Added timeout to csf modprobe to avoid startup hanging on buggy kernels 4.40 - Added workaround for php --info bug in Server Report when checking PHP configuration settings Modified LF_INTEGRITY to regenerate the md5sum comparison file immediately after a match is found instead of waitng for the next cycle Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty 4.39 - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and LF_NETBLOCK_COUNT with act if more than the number of hits are detected, not on the exact number set Modified csf WHM UI to use csf -u to upgrade csf when a new version is available Added new script /etc/csf/csftest.pl which will test the servers iptables modules for functionality. The tests are for the required iptables modules and the optional modules for the SMTP_BLOCK, PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool for kernel/iptables problems and to check whether the features above will function Added csf WHM UI option to run csftest.pl Updated the csf install.txt to run csftest.pl before running up csf 4.38 - Improved detection of working ipt_owner iptables module on VPS servers such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks will be automatically disabled and csf will continue to start 4.37 - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended setting for cPanel servers which use ping times to determine fastest mirrors for various update functions Modified PT_LOAD_ACTION code to stop duplicate load emails from being send by lfd Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter rules on VPS Servers for as ipt_owner is now apparently supported on the latest kernels. However, if the latest kernel isn't being used or the VPS host hasn't included the ipt_owner iptables module for the client VPS, then csf will fail with an error 4.36 - Modified Process Tracking to allow regex exceptions in csf.pignore for deleted executable processes 4.35 - Modified regex.pm detection of iptables kernel log lines to cater for alternative formatting Restored the substitution of the NULL separator with spaces for the /proc/PID/cmdline in Process Tracking 4.34 - Added code to Process Tracking to translate non-printable characters to especially help detect and report deleted executable file processes WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd and awstats.pl from lfd.pl. If you want to ignore such processes for Process Tracking, you will need to add appropriate ignore rules to csf.pignore for them 4.33 - Disable ST_LOOKUP by default on new installations Modified lfd stats performance when ST_LOOKUP is enabled and added a warning for this setting to csf.conf for when DROP_IP_LOGGING is enabled 4.32 - Modified the su tracking regex to better trap RHE/CentOS v5 su login attempts Added a Server Check for "FTP Logins with Root Password" Added new WHM UI option to display Last X iptables Log Lines. Note that the report will only display log lines since this update. The new statistics will be expanded in future developments. Added new ST_* options to the cPanel csf.conf to control the recording of stats Removed fwlogwatch from distro and will use self-produced reports 4.31 - Added warning for those that enable PT_USERKILL in csf.conf - i.e. It is not a good idea to use that option Modified PT_USERKILL to not kill (deleted) processes (these should be restarted manually after investigation) as per the documentation 4.30 - If you add the text "do not delete" to the comments of an entry in csf.deny then DENY_IP_LIMIT will ignore those entries and not remove them. Updated csf.deny information text for new installations Made the (deleted) process text even more explicit for those that are not reading csf.conf or the FAQ for their explanation Updated DSHIELD information URL in csf.conf Added new feature - csf.rignore is an ignore file that lists domains and partial domains that lfd should ignore. Read /etc/csf/csf.rignore for more information Option GOOGLEBOT removed. This feature is now performed using csf.rignore. If GOOGLEBOT was previously enabled it will be added to csf.rignore 4.29 - Added Slackware support (tested on v12.2.0) Added Fedora v10 support Added new option GOOGLEBOT - Prevent *.googlebot.com from being blocked by lfd. See csf.conf for more information Added csf version from/to to output from csf --update when upgrading 4.28 - Fixed GENERIC csf problem with csf.pl perl modules 4.27 - New Feature - Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports. This option limits the number of connections per time interval that new connections can be made to specific ports. See csf.conf and readme.txt for more information. This option is only available on servers with the ipt_recent kernel module cPanel DNSONLY compatibility added - Thanks to JJ for the assistance Improved Cipher suite checking and advice for Apache and FTP in Server Check Remove md5sum check from JS exploit check as it is covered by LF_INTEGRITY and causes confusion Added new option LOGFLOOD_ALERT which will send an email alert based on logfloodalert.txt if lfd skips logs lines due to log file processing problems Added new option PT_DELETED together with the FAQ explaination as to why lfd reports deleted processes. The option can be disabled to ignore such processes Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow exceptions to SMTP_BLOCK 4.26 - New Feature - Country Code to CIDR allow/deny. This feature can allow or deny whole country CIDR ranges. The CIDR blocks are downloaded from http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW, CC_DENY and CC_INTERVAL in csf.conf Expanded the dovecot regex to include more login failure permutations Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel servers SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default 4.25 - Fixed bug in csf --grep when CIDRs used in advanced port filters Fixed problems with aborted Server Check Report Fixed position of the lo device rule in the OUTPUT chain which broke SMTP_BLOCK Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all listed ports (not just port 25). This is populated on installation or when TESTING = 1 if an additional port is listed in "WHM > Service Manager > exim on another port". Otherwise, SMTP_PORTS needs to be updated manually. The default setting contains port 25 SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled 4.24 - Added workaround for issue with WHM image display in the addon header for cPanel v11.24 *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report *Added cPanel v11.24 FTP Cipher Suite checks in Server Report *Added cPanel v11.24 Apache Cipher Suite checks in Server Report *Added cPanel v11.24 Exim Cipher Suite checks in Server Report Added Fedora v8 to the obsolete OS list now that v10 is out Updated dovecot regex in regex.pm for v1.1.6 used by cPanel * Will only display if cPanel version is >= 11.24 4.23 - Added skip to connection and process tracking for empty tcp6 connection data Fixed PT_LOAD email output of ps and vmstat 4.22 - Additional fixes for an issue on VPS servers where temporary block removal from csf.tempban failed 4.21 - Fixed an issue on VPS servers where temporary block removal from csf.tempban failed 4.20 - Modified csf.tempban processing code in lfd to perform more stringent file locking to preserve temporary bans if lfd is writing during shutdown Modified Port Scan tracking of IP's to not attempt multiple blocks on the same IP address in the same log line processing batch Fixed broken timestamp in lfd.log for dates < 10th of the month Various code modifications to improve performance and stability 4.19 - Reverted the tied file changes as they were causing a deadlock situation locking csf.tempban Improved the process tracking detection of deleted executables of running processes 4.18 - Modified temporary IP address storage to use a tied file to preserve temporary bans if lfd is writing during shutdown 4.17 - Replaced the use of backticks in csf, lfd and the WHM UI with calls to IPC::Open3 Various lfd and csf code improvements and tidy up Ensure lfd parent dies cleanly on error Debug information improved and timer modified to use Time::HiRes for more accuracy 4.16 - Removed port 953 from the TCP and UDP allow lists for new csf installations as it's not necessary to whitelist as bind listens on the localhost device for such control connections by default Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login, exe:/usr/libexec/dovecot/imap-login to new and old cPanel installations csf.pignore to cater for cPanel support for both nsd and dovecot (currently in EDGE) Only use Cpanel::Rlimit if it's available in WHM UI 4.15 - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing connections from blocked IP addresses in csf.deny or temporary blocks. The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN, GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct this. Many thanks to Brian for his help in tracking this issue down. 4.14 - Implemented the use of cPanel routine Cpanel::Rlimit to remove process resource limit restrictions as the cPanel memory limitation setting was causing the Server Check to abort with memory allocations problems through WHM on some servers Modified port checking for 23 and 53 in Server Check to no longer use the fuser binary and use the port mappings directly from /proc Modified lfd and Server Check to check for IPv6 bound processes as the IPv4 and IPv6 connections are stored in a different file to IPv4 only bound processes 4.13 - Updated various comments in csf.conf Fixed call to csfpost.sh from csf 4.12 - Modified lfd Login Failure tracking to use a per IP address rolling LF_INTERVAL window rather than a static one for all tracked IPs. This makes login failure counting more accurate and blocking more responsive Added new feature - Block Reporting. lfd can run an external script when it performs and IP address block following for example a login failure. BLOCK_REPORT is to the full path of the external script. See readme.txt for format details If csf is installed or upgraded via an SSH session the connecting IP address will now be automatically added to csf.allow (note: it is not added to csf.ignore so lfd may still block it). This IP can be removed after testing if desired Modified the lfd.log format to the standard: :: lfd[]: If you parse lfd.log you will need to update your scripts! Added DEBUG option - for internal use only 4.11 - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain Added /etc/cron.d/lfdcron.sh to restart lfd daily Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+ As per RFC5322, adding port 587 to the default TCP_IN list of ports for new installations (i.e. it is now recommended for SMTP servers to offer port 587 access for MUA to MTA traffic rather than port 25 which is for MTA to MTA traffic) Added informational text to Process Tracking email report if a process is running an executable that has been deleted Added csf version to the daemon startup log line in lfd.log 4.10 - Added /usr/libexec/hald-addon-keyboard to csf.pignore Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help the situation where some servers iptables block outgoing port 53 udp connections despite the port being open Added new option DNS_STRICT which will remove all static DNS rules and allow access only through SPI. For stability reasons, it would be advisable to leave this option disabled (default) 4.09 - Modification to cPanel version to restart chkservd using /scripts/restartsr_chkservd instead of the init script as the latter is removed in the latest EDGE release that puts chkservd under the control of tailwatchd (/scripts/restartsrv_chkservd is a stub for restarting tailwatchd in the latest EDGE instead of a direct restart script in older cPanel versions). chkservd is restarted when csf is installed/uninstalled/upgraded/disabled/enabled 4.08 - Added a new timing system to more accurately trigger lfd tasks. This should alleviate timing issues such as those seen with LT_POP3D and LT_IMAPD and improve the overall effectiveness and performance of lfd Added new method for reaping child processes. If you find that zombie lfd processes start to build up you can revert to the old reaper by enabling new option OLD_REAPER 4.07 - Messenger service now supports advanced filter permanent port block redirection 4.06 - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the LOCALxxPUT chains so that the entries can be correctly listed with ACCEPT's at the top and DENY's at the bottom of the chain Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and OUTPUT chains so that bandwidth accounting is kept accurate Fixed a problem processing advanced port filters in GLOBAL_ALLOW and GLOBAL_DENY 4.05 - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains 4.04 - Fixed problem with rule placement for ETH_DEVICE_SKIP Ensure all ALLOW requests are inserted before DENY requests after csf has been restarted Ensure that fwlogwatch stats creation uses IPTABLES_LOG file Only perform operations on the nat table if MESSENGER service is enabled lfd Process Tracking will now ignore MESSENGER_USER messenger services Added new option PT_ALL_USERS so that all Linux accounts on a cPanel server are checked in Process Tracking, not just cPanel users. This option is disabled by default on cPanel servers. Enabling this option may require adding exceptions to csf.pignore Additional exceptions added to csf.pignore for cPanel servers for the new PT_ALL_USERS option PT_SKIP_HTTP now disabled by default for new installations Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check 4.03 - Fixed problem where the new LOCALxxPUT chains were only processing tcp requests Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule count in the OUTPUT chain under certain circumstances 4.02 - If csf fails with an error lfd will now die and require a restart after the issue with csf is resolved. csf commands apart from start and restart are also disabled Released from BETA 4.01 - Allow the Messenger Service to be used on VPS servers. However, if the ipt_REDIRECT module is missing csf will fail to start correctly and abort HTML Messenger service server now only reads a limited line length instead of unlimited input to prevent overflows 4.00 - New feature - Messenger Service. This feature allows the display of a message to a blocked connecting IP address to inform the user that they are blocked in the firewall. This can help when users get themselves blocked, e.g. due to multiple login failures. The service is provided by two daemons running on ports providing either an HTML or TEXT message. See csf.conf and readme.txt for more information (not available on VPS platforms and others missing the ipt_REDIRECT kernel module) Moved INPUT and OUTPUT chain rules for blocks and allows to their own respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP blocks will be listed in the INPUT or OUTPUT chains, but in the new ones Re-organised all of the INPUT and OUTPUT chain rules to give precedence to the LOCALINPUT rules before invoking other chains and port ALLOW rules Moved the SYNFLOOD protection chain rule to be the first chain rule after the LOCALINPUT chain rule Moved the lo device rules to the always be at the top of the INPUT and OUTPUT chains Modified the syslog regex matches to only match on local entries to cope with centralised syslog configurations 3.43 - Improved application IP block checking Restored the option LF_SCRIPT_PERM with additional checks for directories within the cPanel homedirs and for symlinks. Warning added to csf.conf for this option Added random query-source port setting for BIND to the Server Report 3.42 - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to be the same as the cPanel csf.conf If LF_SELECT is enabled make sure all cPanel ports are blocked on cpanel login failure. This was only doing ports 2082,2083 and will now block 2082,2083,2086,2087,2095,2096 3.41 - Added new mechanism to allow custom regular expression matching with individual settings for lfd login failure detection. See /etc/csf/regex.custom.pm for details Modified all timestamps in lfd reports to also include the standard timezone offset (i.e. from GMT) Added new setting CC_LOOKUPS to control the new Country Code lookups (enabled by default) DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled PS_INTERVAL enabled by default on new installations Doubled the number of lines before log file flooding detection will be triggered 3.40 - Added queuealert.txt to the WHM UI dropdown list for editing Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the check Added Country Code lookups for IP addresses. Any reported IP addresses will include the international CC where available. It should be noted that with international ISPs this may not be wholly accurate. Where possible the CC will be translated into the associated country name 3.39 - Added new option IGNORE_ALLOW which, if enabled, lfd will ignore IP addresses listed in the csf.allow file and not block them Added new option LF_QUEUE_ALERT, which will send an email alert using queuealert.txt if the exim queue length exceeds the value it is set to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the ConfigServer MailScanner configuration is being used, both the MailScanner pending and exim delivery queues will be checked. This is a cPanel only option Added new option CT_PORTS to Connection Tracking so that you can specify which ports you want to count towards CT_LIMIT, e.g. 80,443 Modified Server Report check for register_globals in cPanel's php.ini incase the new cPanel WHM setting is being bypassed 3.38 - Additional SSHD regex added to regex.pm Improved the WHM UI reporting of the csf status: disabled, running, testing mode Added Enable/Start buttons to WHM UI next to the csf status if disabled/stopped Updated Server Report checks for csf status Changed the destination of the ConfigServer Services link at the bottom of the WHM UI to go to the csf web page 3.37 - Fixed an issue currently in cPanel EDGE that affects the use of the cPanel SafeFile module in WHM scripts 3.36 - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds Improved lfd internal timing system for event triggers Added new feature - Account Tracking. The new AT_* options configure an alert system for account modifications which will send an email if there are new accounts added, existing accounts deleted plus password uid gid login dir and login shell changes. Each of these changes can be enabled or disabled. You can also enable tracking for superuser accounts only. That latter is the default setting. This feature uses the email template accounttracking.txt Added reason text to temporary IP bans Added Server Report check for ini_set in PHP disable_functions Added ossec to list of processes to disable as it will conflict and duplicate csf functionality Changed Server Check scoring text to instead show a coloured table indicating score 3.35 - Changes to WHM UI script for cPanel v11 Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer supported Added # of temp blocks to WHM UI "Temporary IP Bans" on main page Modified Server Report check for register_globals in cPanel's php.ini to use the new cPanel WHM setting Added Server Report check for passwords in WHM email setting Added Server Report check for WHM root/reseller login to users cPanel Modified Server Report nobody cron check to only fail on non-zero cron file Modified Server Report check for Fedora now that Fedora 7 is EOL (2008-06-13) Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd blocking 3.34 - Modified regex matching to allow for trailing spaces in log lines Modified PT_LOAD routine to prevent multiple triggers resulting in more than one alert being email sent Removed the need for NETSTAT from lfd to reduce overheads and improve performance allowing CT_INTERVAL to be set lower. Now uses /proc/net/[protocol] 3.33 - Modified skip for su login checking from root to cater for (uid=0) Added option SYNFLOOD_BURST to allow configuration of --limit-burst when SYNFLOOD is enabled. Changed default values Added to --grep searches to csf.deny and temporary blocks in addition to iptables Modified SSH regex to improve login failures detection further Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations Added vsftpd regex for ftp login failures 3.32 - Modified SSH regex to check for ipv6 addresses Added another regex to improve SSH matching 3.31 - Modified -denyrm to abort if left blank instead of clearing all blocks Added lfd check for existing temporary block to avoid duplicates Fixed regex handling for courier-imap POP and IMAP login failures Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading Fixed typo in Suhosin description in the Server Check Report Added Referrer Security to the Server Check Report Added register_globals check in cPanel php.ini to Server Check Report 3.30 - Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries Option LF_SCRIPT_PERM removed Our thanks to Jeff Petersen for the detailed information describing these issues We recommend that all users of csf upgrade to this new version 3.28 - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking Modified relay tracking to not ignore RELAYHOST IP's Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's LF_SUHOSIN will now skip matches for "script tried to increase memory_limit" 3.27 - Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny 3.26 - Added new CLI option to csf, -g --grep will search the iptables chains for a specified match which is either explicit or part of a CIDR Added WHM UI option for csf --grep Added new CLI option to csf, -dr --denyrm will remove an IP address from csf.deny and unblock it Added WHM UI option for csf --denyrm 3.25 - Added csf.suignore file where you can list usernames that are ignored during the LF_EXPLOIT SUPERUSER test New option PT_LOAD_ACTION added that can contain a script to be run if PT_LOAD triggers an event. See csf.conf for more information Added SUPERUSER check to Server Check Report Added Suhosin check to Server Check Report 3.24 - Allow comments after IP addresses in csf.dyndns Added new login failure option LF_SUHOSIN which detects alert messages and blocks the attacker IP after the configured number of matches Added a new exploit check for non-root superuser accounts Added a new configuration option LF_EXPLOIT_CHECK which allows you to configure which tests are performed by LF_EXPLOIT 3.23 - Modified the Server Report code for checking PHP variables to be more lenient when checking the output from /usr/local/bin/php -i Modified lfd calculation of Jiffies to use the POSIX::sysconf function to obtain the clock ticks instead of assuming 100 ticks for Linux Fix duplicate LF_INTEGRITY emails 3.22 - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this setting if you use Port Scan Tracking as it will cause redundant blocks Added tag [hostname] to all of the alert reports. You will need to add this manually to the report text Subject: line (or anywhere else in the report that you would like it) for existing installations Added "A note about FTP over TLS/SSL" to readme.txt 3.21 - Fixed problem in Server Check that caused an error in some situations Modified netblock caching code to prevent repeated block attempts 3.20 - Corrected net block logic so that after a net or perm block occurs, subsequent log entries that would incur the same block are ignored 3.19 - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have had X temporary blocks in the last Y seconds. Uses email template permblock.txt New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or C) if more than X IP addresses in a specified class have been blocked in the last Y seconds. This may help within some DDOS attacks launched from within a specific network class. Uses email template netblock.txt Modified MD5SUM comparision code to better reset md5sum checks after a hit Only issue Random JS Tookit warning if all the MD5SUM checks fail for the relevant files Removed POP flood Protection setting check from Server Report as it's no longer relevant to courier-imap Rewritten the Apache Check code for the Server Report to better detect the current running settings on all Apache and PHP versions Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they aren't relevant (as they apply to the host VPS configuration) for the Server Report 3.18 - Fixed bug in the generic csf release where the default csf.conf was missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim for the help in tracking the issue down 3.17 - Rewritten the update code so that a new csf.conf is creating when upgrading. It now uses the latest csf.conf and transfers the existing settings to the new configuration file. This way all installations are sure to have all new settings and the latest comments. It also makes the release process for new builds much simpler Other installation/update improvements Updated APF/BFD removal procedure 3.16 - Fixed bug introduced in v3.14 for generic installation only 3.15 - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf Modified csf.conf text for new installations to account for auto-configuration of ETH_DEV which has been the case for some time: # By default, csf will auto-configure iptables to filter all traffic except on # the local (lo:) device. If you only want iptables rules applied to a specific # NIC, then list it here (e.g. eth1, or eth+) ETH_DEVICE = "" # If you don't want iptables rules applied to specific NICs, then list them in # a comma separated list (e.g "eth1,eth2") ETH_DEVICE_SKIP = "" 3.14 - Added new format for cPanel (v11.18.3) login failures to regex.pm Added exe:/usr/libexec/gam_server to the default list of ignored binaries Fixed problem with SCRIPT_ALERT not picking up alternative /home directories from wwwacct.conf 3.13 - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans held in the temporary IP ban list to prevent iptables flooding. If the limit is reached, the oldest bans will be removed/allowed by lfd on the next unblock cycle regardless of remaining TTL for the entry Added LF_FLUSH for the flush interval of reported usernames, files and pids so that persistent problems continue to be reported. Default is set to the previously hard-coded value of 3600 seconds Fixed uw-imap ipop3d regex Added check for TESTING mode when using csf -a or csf -d to only add to the respective csf.allow or csf.deny files and not insert into iptables to prevent errors if iptables has been flushed after reaching TESTING_INTERVAL 3.12 - Added SMTP AUTH failure regex for Kerio MailServers Fixed an issue where a permanent Port Scanning alert would report as a temporary block, eventhough a permanent block was performed Added regex for failed SSH key authentication logins (thanks to Paul) 3.11 - Use /proc for Process Tracking instead of ps output incase of exploited system binaries and to better determine resource usage of each process 3.10 - Modified INPUT and OUTPUT chain rules to always specify the ethernet device csf now re-applies temporary IP blocks on restart Added new CLI command to add temporary IP bans. See csf -h for the new csf -td command Added new options to WHM csf UI to unblock temporary IP bans Added new option to WHM csf UI to block IP temporarily for a specified TTL 3.09 - Fixed missing copy for the portscan.txt report for generic installations Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking email alerts Added a sample of the port blocks that trigger the Port Scan to the report. This new report will be copied to /etc/csf/portscan.txt.new on existing installations, rename it to portscan.txt to use it Added Port Scan Tracking to WHM UI Firewall Security Level Added cPAddon update email setting check to Server Security Report Modified the SuEXEC link location to the cPanel v11 location in Server Security Report Added portscan.txt template to editable list in WHM UI Updated readme.txt 3.08 - Modified Port Scan Tracking to ignore blocked IP addresses incase DROP_IP_LOGGING is enabled 3.07 - Added Apache Server Status report to PT_LOAD for load average report monitoring. To benefit from this feature you will need to rename the new report file /etc/csf/loadalert.txt.new to loadalert.txt. The reports (ps, vmstat and apache) are now included as MIME attachments in the email report instead of inline text New feature: Port Scan Tracking. This feature tracks port blocks logged by iptables to syslog. It can help block hackers attempting to scan the server for open ports, or to block them while trying to access blocked standard ports, e.g. SSH. See csf.conf for more information Upgraded the urlget module 3.06 - Added System Exploit Checking. This enables lfd to check for the Random JS Toolkit and may check for others in the future: http://www.cpanel.net/security/notes/random_js_toolkit.html It compares md5sums of the binaries listed in the exploit above for changes and also attempts to create and remove a number directory. The open is enabled by default. The report is generated from the exploitalert.txt template file 3.05 - Added perl regex checking to csf.pignore with the new options puser, pexe and pcmd. Text added to csf.pignore for new installations: # Or, perl regular expression matching (regex): # # pexe:/full/path/to/file as a perl regex[*] # puser:username as a perl regex[*] # pcmd:command line as a perl regex[*] # # [*]You must remember to escape characters correctly when using regex's, e.g.: # pexe:/home/.*/public_html/cgi-bin/script\.cgi # puser:bob\d.* # pcmd:/home/.*/command\s\to\smatch\s\.pl\s.* 3.04 - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you to set the incoming and outgoing ICMP rate limits independently, or to disable rate limiting in either direction completely for ICMP packets 3.03 - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of "ls -laAR" Modified rules so that only icmp ping is blocked and all other icmp packets allowed if ping disabled in csf configuration. This may well help improve iptables performance if ping was disabled Added rate-limiting for all icmp packets to prevent inbound flooding New option SYNFLOOD configures iptables to offer some protection from tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet rate per IP so the option can be tailored Added SYN flag checking of state NEW tcp connections if PACKET_FILTER is enabled. NEW tcp connections should always starts with a SYN Moved PACKET_FILTER rules to their own iptables chain called INVALID Fixed issue where some drops were not logging when logging enabled Added hourly flush interval of reported usernames, files and pids so that persistent problems continue to be reported Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI 3.02 - Modified the text comments at the top of csf.allow for new installs: # Note: IP addressess listed in this file will NOT be ignored by lfd, so they # can still be blocked. If you do not want lfd to block an IP address you must # add it to csf.ignore Removed RELAYHOSTS check from Server Check report Don't show SMTP_BLOCK check if on a VPS in Server Check report PT_USERKILL, if set, will now also kill user processes that exceed PT_USERPROC Fixed problem where csf.tempusers was not being cleared down on an lfd restart Added two new csf command line options to flush IP's from the temporary ban list: -tr -tf (see csf -h for more information) 3.01 - Tightened DNS port configuration restrictions as the old rules were being catered for by iptables connection Added Kerio Mailserver POP3/IMAP regex's 3.00 - Added progress information to LWP downloads within csf Added numiptent checking for VPS servers. csf will flush iptables and lfd will stop blocking IP's if numiptent is nearly depleted. This should help prevent VPS lockouts due to insufficient server resources. If this happens, you will either need to reduce the number of iptables rules (e.g. disable Block List usage) or have the VPS provider increase numiptent. A value of ~700-1000 should be fine for most SPI firewall applications with full Block List configuration Added support for the BOGON List (Block List) with LF_BOGON - http://www.cymru.com/Bogons/ See link and csf.conf for more information Fixed problem with RELAYHOSTS not working Removed use of the replace binary 2.95 - Reduced memory overhead and added large file skipping for LF_DIRWATCH Improved performance of LF_DIRWATCH trigger checks Fixed problem with LF_SELECT temporarily blocking outbound access on all ports. Now now only the relevant inbound only port(s) will be blocked if triggered 2.94 - Fixed linux line-endings in some configuration files from v2.93 - doesn't affect existing installations 2.93 - Improved mod_security v2 regex for filter triggers Added MySQL v5 check 2.92 - Improved the cPanel version check for < v11 and whether up to date Added new CLI option -t (--temp) which lists the temporary IP bans and the TTL before the IP is flushed from iptables Added "View Temporary IP Bans" to WHM UI Changed WHM UI lfd Log auto-refresh default to unchecked Added regex for dovecot "Aborted login" messages in /var/log/maillog Added support for displaying mod_security v2 logs in WHM UI 2.91 - Added Fedora Core v6 to the obsolete OS check Added php v4 check Added apache v2.2 check Added Perl v5.8.8 check Added cPanel v11 check Modified Sys::Syslog use to utilise the ndelay and nofatal options Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in a globally located ignore file Added new option CT_STATES to Connection Tracking so that you can specify which connection states you want to count towards CT_LIMIT, e.g. SYN_RECV 2.90 - Ensured that Process Tracking doesn't affect processes running under root Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and existing installations Added Apache v2 checks to Server Checks Report Removed mod_evasive from Server Checks Report as it appears to be less relevant, especially with Apache v2 2.89 - Fixed the csf webmin module Added updates to the webmin module Completely removed use of cat in the WHM module and wget/cat from the webmin module 2.88 - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD Modified the courier IMAP and POP3D regex's to include connections over SSL in lfd Modified lfd to ignore cpdavd processes Modified the cPanel regex's to include cPanel v11 variants in lfd 2.87 - Fixed duplication of settings during generic configuration upgrade procedure Only display version confirmation update message when running csf -u interactively (Thanks to Brian Coogan for the perl tip) Fixed issue with temporary files not being truncated before being written to, which caused problems e.g. with global allow/deny files Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from connection tracking Updated the csf webmin module to use the &ReadParse() routine to overcome problems when running through SSL (Thanks to Tim Ballantine for this tip) 2.86 - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive" on RedHat 2.85 - Fixed a problem with v2.84 which broke permanent IP blocking in lfd - it's been a long week :-/ 2.84 - Fixed problem with permanent LF blocks in lfd for individual application port blocks when set to permanent Added new SYSLOG option to csf.conf to allow additional lfd logging to SYSLOG (requires perl module Sys::Syslog) Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh interval of 3600 to prevent getting yourself blocked! 2.83 - Fixed broken Server Check from v2.82 2.82 - Fixed a documentation for LF_TRIGGER_PERM Fixed issue where RT_[relay]_ALERT set to "0" was being ignored Fixed condition from v2.80 which prevented SCRIPT_ALERT from working If killproc.conf does not exist the Server Check now links to the Background Process Killer page instead of issuing a file missing error 2.81 - Added exe:/usr/local/cpanel/cpdavd to csf.pignore Added option to disable refresh in WHM csf UI when viewing lfd.log Removed debug code that prevented IP blocking -- oops 2.80 - Added new lfd feature - Relay Tracking. This allows you to track email that is relayed through the server (cPanel only). It tracks general email sent into the server, email sent out after POP before SMTP and SMTP_AUTH authentication, local email sent from the server (e.g. web scripts). There are also options to send alerts and block IP addresses if the number of emails relayed per hour exceeds configured limits. The blocks can be either permanent or temporary. Currently blocking does not function for LOCALRELAY email. Introduced a new blocking mechanism in lfd that allows a choice of permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for details on how to configure the various blocking options to use temporary instead of permanent blocks, e.g. for Login Failure blocking Modified new installations to default to using seperate triggers for login failures, instead of the global LF_TRIGGER value 2.79 - Bug fixes Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK is enabled for the new cPanel Webmail configuration in v11 Added new configuration option DROP that allows you to choose the drop target for rejected packets (see csf.conf for more information) Remove /etc/cron.d/csf_update on uninstall 2.77 - Closed vulnerability with temporary file checking Tighted log file regex's to prevent spoofed remote IP block attacks 2.76 - Improved file checking in Server Check script to prevent WHM failures 2.75 - Modified Server Check to only look at pure-ftpd settings if installed Simplified throttling mechanism 2.74 - Modified PHP Server Checks to use the php binary output instead of trying to find the active php.ini file Added PHP Server Check for register_globals Improvements to the Server Check code Fixed bug in TCP port 23 check in Server Check Added new option --check (-c) to check whether the installed verison of csf is the latest, no update is performed Added multiple csf configuration checks to the Server Check report Added throttling to LF_INTEGRITY and increased the timeout proportionally 2.73 - Modified SMTP_BLOCK warning on VPS servers to only display if the option is enabled Modifed the Server Services Check text to omit using -del with chkconfig and better explain that a process is enabled even if it is not currently running and needs to be disabled to prevent startup on boot Removed reliance on wget for updates and version checks Coding improvements in csf.pl and addon_csf.cgi Added /var/log/lfd.log tail automatic refresh to WHM UI 2.72 - Fixed problem with DENY_IP_LIMIT not counting all IP entries in csf.deny correctly Ignore and issue a warning if SMTP_BLOCK is enabled on a Vituozzo VPS since the Virtuozzo VPS kernel does not support ipt_owner Remove Shell/Fork Bomb Protection check in Server Check as the option breaks a Virtuozzo VPS if enabled Added more processes to check in Server Services Check Removed restriction on outbound source port rule construction 2.71 - Added CSS settings to support pre-v11 cPanel installations 2.70 - Modified to adopt cPanel v11 WHM theme Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new installations for v11 cPanel Added FC5 to the list of (or soon to be) unsupported OS's Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading 2.69 - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where a suspicious directory would not be removed Added perl module check for File::Path Added path configuration to tar and chattr in csf.conf Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login failures. When upgrading the new setting will be set to whatever you have LF_FTPD set to 2.68 - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead to arbitray code being executed in the context of the user running lfd , i.e. root. This option has been disabled in the code until further notice. You will have to manually remove any reported files. Tightened csf file ownerships on installation 2.67 - Security fix - A major security issue has been found in the LF_DIRWATCH code that can lead to arbitrary code being executed in the context of the user running lfd, i.e. root, if that option is enabled and a hacker has access to create a crafted filename in one of the watched directories. This update closes this hole. *ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL EXPLOITATION* 2.66 - Modified LF_CPANEL text in csf.conf for new installations to reflect the change in the SSL login handling by cPanel (i.e. it does now log SSL login IP's) Modified the log line monitoring in lfd to cope with log line flooding to prevent looping/excessive resource usage. Also recoded without the use of the POSIX routines lfd process name now shows which log file it is scanning 2.65 - New Feature: System Integrity Checking. This enables lfd to compare md5sums of the servers OS binary application files from the time when lfd starts. If the md5sum of a monitored file changes an alert is sent. This option is intended as an IDS (Intrusion Detection System) and is the last line of detection for a possible root compromise. See csf.conf for more information 2.64 - Modified lfd check for rotated system logs to re-open a log file if logs are emptied instead of rotated 2.63 - Added regex support for uw-imap (imap and pop3) login failures Added regex support for proftpd login failures Timeout version check incase version server is unavailable 2.62 - Fixed CIDR support issue with csf.ignore only recognising the first listed entry 2.61 - Fixed problem with lfd not being killed by /etc/init.d/lfd 2.60 - Added log file locations to csf.conf openSUSE v10 compatible (generic) Debian v3.1 (sarge) compatible (generic) Unbuntu v6.06 LTS compatible (generic) Added installation check for the LWP (libwww-perl) perl module Ran spell checker against the readme.txt file 2.59 - Fixed mod_security report not displaying if only 1 entry 2.58 - Tweaked the mod_security entry layout 2.57 - New feature: WHM UI mod_security v1 display last X entries in the audit_log New feature: WHM UI mod_security v1 edit files or directories in /usr/local/apache/conf/ that are prefixed with modsec or mod_sec Tweaked the pre-configured Firewall Security Level settings 2.56 - Fixed v2.55 fix for non-EDGE versions 2.55 - Fix to to support current EDGE in csf WHM UI 2.54 - Tightened the mod_security v1 regex after the changes in v2.52 2.53 - Modified Server Check to reflect withdrawn FedoraLegacy support for FC3 and FC4 which should now be considered insecure 2.52 - Separated the log file regex's into regex.pm for those feeling brave to tailor them for non-cPanel servers Unified installer for cPanel and non-cPanel installations - so that only install.sh needs to be run (checks for the existence of: /usr/local/cpanel/version If you install on a server intending to use cPanel before cPanel is installed, run the install.cpanel.sh script instead Added mod_security v2 regex when running Apache2 to lfd Added [iptext] tag for connectiontracking.txt to list all the connections of an offending IP. Add this manually for existing installations 2.51 - Major Enhancement: csf+lfd can now be installed and used on a generic Linux OS without cPanel using install.generic.sh - see readme.txt for more information PF INVDROP entries made bi-directional if PF logging enabled (reduces the number of INVDROP LOG rules by half) Fixed Process Tracking throttle control to correctly use PT_INTERVAL 2.50 - Removed option ALLOW_RES_PORTS from new installs, setting is ignored Check for LF at the end of form data for files edited through the WHM UI and append one if omitted Following the changes in 2.48 the LOGDROP chain doesn't distinguish between incoming and outgoing blocks. So, LOGDROP has now been split into LOGDROPIN and LOGDROPOUT 2.49 - Fixed issue if ETH_DEVICE was set and from changes in 2.48 2.48 - csf will now specify ! lo as the main ethernet device unless otherwise defined in ETH_DEVICE. This will mean that the firewall is applied to all ethernet devices on the server unless otherwise specified in the configuration 2.47 - Modified DYNDNS code to set listed domains IP addresses to be ignored as if they were listed in csf.ignore If adding an IP address to csf.allow that is already in csf.deny, the IP address will now be removed from csf.deny first and the DROP removed from iptables. It will then be added to csf.allow as normal 2.46 - Added auto-detection of additional exim port (same as SSH port) which will be added to TCP_IN on csf installation (or if in TESTING mode) Only report PT_USERMEM and PT_USERTIME PIDs once 2.45 - Added workaround to restart the bandmin acctboth chains if csf is stopped or (re)started Rewritten the way RELAYHOSTS works so instead of using an iptables chain a check is done at block time on the IP address and if it is in /etc/relayhosts then it will be treated as if it is listed in csf.ignore Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0) instead of a time interval Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore Added new options PT_USERMEM and PT_USERTIME to report excessive user process usage and optionally PT_USERKILL to kill such processes. An alert is sent using resalert.txt 2.44 - Added new option PT_LOAD which will detect if the server load average of choice exceeds a set threshold and send an alert Reduced the DROP_NOLOG default setting to not include ephemeral ports for new installations Moved DROP_NOLOG rules to the LOGDROP chain 2.43 - Added new option DROP_PF_LOGGING which will give detailed iptables log information on dropped packets that are INVALID or out of sequence. This can help tracking down why iptables may be blocking certain IP connections 2.42 - Improved the csf locking mechanism to avoid deadlocks 2.41 - Fixed syntax in lfd procedure for csf locking Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it will be run before any of the csf iptables rules are applied. If /etc/csf/csfpost.sh exists it will be run after all of the csf rules have been applied. This allows you run your own iptables commands within those files. Each file is passed through /bin/sh Added two new command line options to completely enable and disable csf and lfd Added Enable and Disable options to WHM UI 2.40 - Added csf lock procedure to avoid iptables race conditions if multiple /simultaneous instances of csf or lfd are executed Added check for child reaper looping to dramatically reduce lfd load 2.39 - Added OS check to Security Check to warn if using RH7/9 FC1/2 which are no longer supported (or about to be retired) Made lfd more lenient when it cannot open a log file (reports the error but continues to function) PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for php settings Added new option RELAYHOSTS to csf.conf which allows you to automatically allow access to IP's listed in /etc/relayhosts at a specified interval 2.38 - Fixed DYDNS (forgot to add the rule to redirect packets to the ALLOWDYN iptables chain) 2.37 - Added canna to the Security Check New feature - added support for dynamic dns (DYNDNS) records. See csf.conf for more information Added dyndns file edit to WHM UI 2.36 - Added runlevel check to Security Check Added nobody cron check to Security Check Added melange server check to Security Check Modified the regex for the php.ini disable_functions check Added timing function to lfd that logs how long each stage takes. This can be enabled by editing lfd.pl and setting $timing=1 - this can help in tracking down performance issues with lfd 2.35 - Added specific exclusion for proftpd in lfd.pl process tracking Fixed bug with LF_GLOBAL being ignored 2.34 - Added a new option (beta for now) PT_SMTP. This option will check for outgoing connections to port 25, ecluding root, exim and mailman. The purpose of the feature is to log SMTP connections if you believe you have a spammer on the server who is bypassing exim to send out spam emails - this is traditionally a very difficult form of spam to track down. The option currently logs relevant process information to lfd.log to avoid an email alert flood. 2.33 - Code modification to allow csf+lfd to run without erroring on cPanel DNS-Only installations Added forced error checking on SMTP blocking iptables commands Added check in csf and lfd for duplicate settings in csf.conf 2.32 - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25 for web scripts, etc, if SMTP_BLOCK is enabled Added check to csf startup to fail if "WHM > Tweak Security > SMTP Tweak" is enabled otherwise it can break SMTP traffic completely. The SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used instead 2.31 - Added automatic throttling code to help prevent lfd using excessive resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If the sub process takes too long to run, the interval between its next run is increased temporarily (for the duration lfd runs for, a restart will reset it) and will continue to extend this time to prevent excessive server load. However, it will also proportionately increase the time given for the sub process to complete so that it can at least attempt to get the check done. If you see throttling messages appearing in the lfd.log you should consider increasing the process interval as indicated permanently (i.e. within csf.conf) Added throttling to CT_INTERVAL 2.30 - Modified PT_USERPROC to respect all ignore entries in csf.pignore 2.29 - New feature - User Process Tracking. This option enables the tracking of the number of process any given cPanel account is running at one time. If the number of processes exceeds the value of the PT_USERPROC setting an email alert is sent with details of those processes. A user is only reported once, so lfd must be restarted to reinstate checking of all users. If you specify a user in csf.pignore it will be ignored. The alert file is useralert.txt Added useralert.txt for editing through the WHM UI Added PT_USERPROC to the Firewall Security Level settings 2.28 - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to csf.pignore Only perform strict iptables error checking when in TESTING mode 2.27 - Fixed another mis-configuation for outgoing global deny rule - Thanks again to Marie from Jagwire Hosting 2.26 - Fixed a mis-configuation for outgoing global deny rule - Thanks to Marie from Jagwire Hosting Allow advanced allow and block filters using the -a and -d options when running csf in CLI Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the application trigger levels set, you can now set LF_SELECT to "1" if you only want to block IP access to that application instead of a complete block Changed installer behaviour to only add SSH port to TCP_IN if TESTING is set to "1" - done to help those that don't want to always have the SSH port opened 2.25 - Modified lfd init procedure to use the init functions Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd will instead trigger blocks based on the value of the application trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3 mod_security alerts. Or if LF_POP3D is set to "10" then it will trigger on 10 pop3d login failures. When in this mode, i.e. with LF_TRIGGER set to "0", login failures for different triggers are not cumulative, whereis LF_TRIGGER set to a number > "0" they are cumulative as before Modification to csf.conf to reflect the changes to LF_TRIGGER - only applied to new installations Rewrite of the iptables command invocation in lfd.pl to trap iptables errors and shutdown firewall if any found - should help prevent lockouts Allow advanced rules in Global Allow and Deny lists. Input and Output direction support included. Added Global Allow and Deny lists to the OUTPUT chain as well as the INPUT chain Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to ignore. Updated WHM UI to allow easy file edits 2.24 - Fixed global allow/deny lists so that you can correctly not have to specify both an allow and a deny file 2.23 - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH from the cPanel configuration Added maildir check to Security Check Fixed a typo in advanced rules - Thank you to Victor from Touch Support for pointing this out Added binary executable check for LF_DIRWATCH files Added core dump check in cron directories to LF_DIRWATCH Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still find it timing out, make sure that you have been clearing down your tmp directories 2.22 - Added CIDR recognition to csf.ignore Rewrite of the iptables command invocation in csf.pl to trap iptables errors and shutdown firewall if any found - should help prevent lockouts 2.21 - Fixed a problem on some installations where the update process emptied out csf.conf. If this has happened, you will need to remove /etc/csf/csf.conf and then rerun the installation procedure and reconfigure the firewall. If you're already running at least v2.18 you can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf and then upgrade to this release 2.20 - Added workaround for different output from the fuser application in different OS's 2.19 - Added Security Check for recurions restrictions in named.conf Modified port 23 check to be quicker Added Security Check for localhost/127.0.0.1 entry in resolv.conf Added Security Check for webmin if running Added 3 more WHM Security Checks for domain parking Added Security Check for boxtrapper Added a Run Again button to the Security Check page Added Security Checks for cPanel and security package updates 2.18 - Fixed an issue with checking the /var/tmp symlink by comparing the inodes of /tmp and the symlink destination of /var/tmp Added checking of /usr/tmp Added checking of SSH PasswordAuthentication Modified update routine to take a copy of csf.conf before upgrading - the backup file is /etc/csf/csf.conf.preupdate Added check in /etc/cron.daily/logrotate for /tmp noexec workaround 2.17 - Fixed installation process where duplicate entries were being added to csf.conf for new settings. Routine added to remove duplicates and redundant settings Added logrotate script for for the lfd.log file 2.16 - Fixed syntax issue with the csf.deny application feature added in v2.15 that prevents csf adding the IP to csf.deny 2.15 - Added a list of the applications that lfd blocks a login failure for into csf.deny, e.g. (ftpd,mod_security) Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature will watch for changes in directories and files listed in csf.dirwatch using an md5sum for the ls output. If the md5sum changes between checks an email alert is sent using watchalert.txt Modified pid file locking for the lfd process to ensure duplicate processes won't run Completely reworked the child reaper code to prevent SIG_CHLD kernel errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs Added new option to csf.fignore that allows you to ignore files owned by a specific user by adding an entry in the format user:bob Fixed bug in LF_DSHIELD timer code Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch their respective data New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to specify a URL where csf can grab a centralised copy of an IP allow and/or deny block list of your own. They are both retrieved after a LF_GLOBAL interval in seconds by lfd Added WHM UI changes for LF_DIRWATCH_FILE 2.14 - Modification to /var/tmp check to cater for symlinks with a trailing slash Added check for native SSL support in cPanel in Server Check for those versions that now support it Added MySQL port check to Server Check Added missing comments when clickcing Display All Comments 2.13 - Added cPanel version check to Security Check Added suspicious symlink checking to LF_DIRWATCH Added a Display All Comments to Security Check Added hyperlinks to WHM URLs in Security Check comments Fixed the Apache Limits comments of the Security Check Added shell limit checks to Security Check Added Background Process Killer to Security Check 2.12 - Removed duplicate /var/tmp tests Fixed another typo 2.11 - Typo corrections in output text Removed dependencies on external modules for the Server Check report 2.10 - Fixed /dev/shm test 2.09 - Removed the nodev check on /tmp etc 2.08 - Changed app name to ConfigServer Security & Firewall New Feature - Added Server Security Check report to WHM UI 2.07 - Improved suspicious directory detection 2.06 - Document update Change directory watching to only check for suspicious sub directories 2.05 - Fixed log file error if DShield or Spamhaus block list retrieval fails Added perl regex matching in csf.fignore (see updated readme.txt) 2.04 - Added /tmp/.horde/* to csf.fignore 2.03 - Fixed a looping issue with the temporary Connection Tracking block code Added a 10 second timeout for the LF_DIRWATCH child to prevent looping 2.02 - In LF_DIRWATCH, allow wildcard matching at the end of a file name in csf.fignore, such that /tmp/clamav* will ignore any files starting with /tmp/clamav, e.g. /tmp/clamav-1234 Added a throttle to LF_DIRWATCH - if more than 10 emails are being emailed in one pass, LF_DIRWATCH will create the file /etc/csf/csf.dwdisable and then disable itself. To get it watching again, either restart lfd or delete that file Fixed a bug where LF_DIRWATCH always reported the same file when different files had been detected in a pass 2.01 - Added an LF_DIRWATCH exception for postgres /tmp files Prevent a file being reported more than once in an LF_DIRWATCH run Removed LF_DIRWATCH check for files being excecutable since too many apps set temporary files with the flag set, e.g. mod_gzip 2.00 - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits. These can optionally be moved into a tarball Directory Watching false-positives can be listed in csf.fignore which is accessible from the WHM UI 1.99 - Bug fix for multiple NICs in the lfd code 1.98 - Modified code to allow for multiple ethernet NICs so that all rules are applied to all NICs, for example, if you have IP's spread over eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+" 1.97 - Tightened DNS port 53 connections in accordance with: http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07 Moved no log dropping to the end of the chains Moved allowed IP's to before Block Lists 1.96 - Liberalised connections allowed to and from DNS port 53 1.95 - Fixed WHM UI update. If you're running v1.93 or v1.94 you'll have to update from shell to get to v1.95 using: csf -u 1.94 - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore 1.93 - Fixed problem where external resolvers were being used and responses from them were being dropped because they were coming back on ephemeral ports - added a scan of /etc/resolv.conf and external nameservers now have whitelisted source port 53 to ephemeral ports Drop logging of failed attempts to access port 53 so they don't consume syslog Moved update from /tmp do /usr/src 1.92 - Fixed bug where the DShield and Spamhaus block lists weren't being periodically updated by lfd 1.90 - Minor fix to pre-configured settings 1.89 - Added Pre-configured settings for Low, Medium or High firewall security to WHM UI 1.88 - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain 1.87 - Modified drop list chains to use their own drop logging to differentiate from normal drop - if drop logging enabled 1.86 - Modified lfd connection tracking to drop udp as well as tcp packets when blocking Added support for the DShield Block List with LF_DSHIELD - http://www.dshield.org/block_list_info.php See csf.conf for more information Added support for the Spamhaus DROP List with LF_SPAMHAUS - http://www.spamhaus.org/drop/index.lasso See csf.conf for more information 1.85 - Workaround for spam PT false-positives Added exe:/usr/bin/spamc to csf.pignore Added csf version to title bar in WHM 1.84 - Added new cpsrvd-ssl executable to csf.pignore for the new SSL native cPanel setup (currently in EDGE) 1.83 - Enhanced lfd.log logging for application failure detection lines Set lfd to ignore child processes to get rid of zombie children. If you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE, but you are likely to see harmless lfd zombie processes 1.82 - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled Extended the Advanced Allow/Deny Filters to allow use of UID and GID filtering for outgoing packets - see readme.txt for more details Modified code to deal with modprobe command output more cleanly 1.81 - Further modification for the newer xt iptables modules 1.80 - Modified iptables LKM modprobe code to cater for newer xt_* module naming scheme 1.79 - Added new feature to send an alert email if su is used to login from one account to another. Alerts are sent whether the attempt was successful or failed 1.78 - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd process tracking 1.77 - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels, e.g. RH9/FC1 Modified WHM UI textareas to expand to fit file contents 1.76 - Changed WHM interface to restart csf before lfd when restarting both 1.75 - Fix to prevent duplicates in csf.deny Added a slight pause between stop and start when restarting Code fix for TESTING mode crontab entry removal 1.74 - Fixed lfd to when reading csf.ignore when comments present 1.73 - Added new option LF_CSF to restart csf if iptables appears to have been flushed (i.e. stopped) Added new option LF_SCRIPT_PERM to disable directories identified by LF_SCRIPT_ALERT - see csf.conf for more information Workaround to child reaper when 2 children die at the same time Added workaround for PT spamd false-positives 1.72 - Fixed bug in (deleted) lfd checks 1.71 - Added some more exceptions to csf.pignore Lowered the default setting for LF_SCRIPT_LIMIT to 100 Modified PT to check for deleted binaries on exemptions which happen when upcp runs and the binaries are replaced 1.70 - PT now only reports processes with open ports 1.69 - lfd tweaks 1.68 - Additions to csf.pignore Added new option PT_SKIP_HTTP - see csf.conf/readme.txt Updated readme.txt regarding unavoidable false-positives and possible mitigation. 1.67 - More tweaks to PT with additions to csf.pignore 1.66 - Updated csf.pignore file with additional executables lfd code tweaks 1.65 - Added very simple ASCII obfuscation for lfd PT skip lines Fixed port typo for entropychat port 1.64 - Updated CLI help and readme.txt for new csf -u command from v1.63 Changed the format of the email templates for new installations - if you want to use the new format remove /etc/csf/*.txt and then install csf Added mechanism to prevent multiple email/block attempts from login attacks in lfd Added new feature - Process Tracking. This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information - readme.txt for details 1.63 - Added feature to WHM UI to enable editing of the email templates Modified WHM UI to use fixed-width larger font for command output and edit boxes Added notice to install.txt and readme.txt about enabling klogd (on VPS systems in particular) Added autoupdates system using AUTO_UPDATES - see csf.conf for details 1.62 - Added to APF/BFD removal in WHM UI the logrotate configuration files Added comments system to csf.allow and csf.deny - see readme.txt for more information 1.61 - Tighten up some of the csf rules Added new fature - LF_SCRIPT_ALERT when enabled will scan /var/log/exim_mainlog for extended exim logging lines that show the cwd= line for paths in /home which indicate emails sent from scripts. If LF_SCRIPT_LIMIT emails from the same path are sent within an hour, an email alert is sent using scriptalert.txt containing the first 10 probably exim mainlog line matches and also likely mailing scripts within the identifed path - an ideal tool to help identify spamming scripts sending out email through exim. The option is disabled by default as you do need to enable extended exim logging first as explained in the csf.conf file 1.60 - Modified lfd to use a child reaper instead of ignoring the CHLD signal Added login failure detection of cpanel, webmail and whm connections - this will only work for access to non-secure ports as cPanel doesn't know the IP address of the user when connection are over SSL due to the way stunnel works 1.59 - Added workaround to ethernet device detection for VPS servers 1.58 - Fixed problem where SSH port detection on installation would add an emtpy , if the SSH port had not been explicitly defined in sshd_config Modified csf and lfd ethernet device detection so that if specified in either csf.conf or /etc/wwwacct.conf dup IP's aren't checked - useful for bonded ethernet devices on some OS's 1.57 - Removed erroneous 's in lfd.log csf start automatically does a restart to avoid problems with any existing iptables rules or chains Added new option "Deny Server IPs" and associated file csf.sips to allow blocking of all traffic on server configured IP's if they're not in use Added notification to CLI and WHM UI if TESTING still enabled 1.56 - lfd modification to avoid a race condition with the ALRM calls Added new feature - /etc/csf/csf.ignore can contain IP addresses that are ignored by lfd. If an event is triggered it may be logged in lfd.log but will not result in an email alert - e.g. you could list your own IP address to avoid alerts from when you login over SSH, etc Added WHM UI option to edit the ignore file 1.55 - Fixed a strict refs issue in lfd 1.54 - Fixed IP DNS lookup routine to avoid empty () when no host found Added local DIE for ALRM calls for IP lookups and netstat commands Removed chkservd restart from /etc/init.d/lfd so that it behaves like other monitored services Improved error trapping routines to better report to lfd.log if the process dies 1.53 - Optimised logging in lfd Improved error handling and reporting in lfd Modified WHM UI report to include all data, not just a single day Improved DROP logging to SYSLOG Added logging of dropped ICMP connections Added new option DROP_IP_LOGGING to log IP addresses that have been blocked in csf.deny or by lfd with temporary connection tracking blocks 1.52 - beta test release 1.51 - Added DNS lookups for IP addresses in all lfd alert emails 1.5 - Added new feature - Connection Tracking. Enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than CT_LIMIT then the offending IP address is blocked in csf, or temporarily blocked in iptables. This can be used to help prevent some types of DOS attack Added new feature - SSH login alerts. An email is sent if a successful SSH login is detected Fixed a descriptive issue with the WHM UI Modified so that lfd checks that it doesn't block a server IP 1.42 - Modified lfd login tracking to check the csf.allow file for an offending IP address and to skip it if it's allowed - note this only works for specified full IP addresses (not CIDRs or advanced port/IP) 1.41 - Added an exception for 127.0.0.1 when checking ethernet interfaces as VPS servers are setup with that IP on both the loopback and main interface 1.4 - Fixed error routine iptables flush command typo Modified interface checking for non-english Linux distributions Modified interface checking for IP addresses assigned to multiple interfaces by mistake (I've just seen this happen!) Set FORWARD chain to ACCEPT on stopping firewall Reorganised csf.pl code Added advanced port+ip filtering within csf.allow and csf.deny with the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info) Added link to readme.txt in WHM interface Added iptables status (Running/Stopped) to WHM interface Added Quick Allow and Quick Deny IP address options to WHM interface 1.33 - Added blocking of SSL POP3 and IMAP ports to LT (993/995) Added option to Restart csf+lfd within WHM interface when appropriate Added buttons to WHM interface to remove APF or BFD if still installed Removed csf nat and mangle chain actions 1.32 - Modified log line checking to deal with syslog compression. This is where syslog will add a line "last message repeated X times" if the next line it were to add is identical to the last. This could lead to login attempts being missed. But no more - lfd now checks for that line and repeats the processing of the previous log line X times to count all the login failures 1.31 - Removed some redundant code from csf Display error in csf if IP already in allow/deny file Stopped install.sh from overwriting email templates Added email notification for login tracking including a new email template tracking.txt Added mod_security apache module IP blocking in lfd 1.3 - Fixed a problem with the tick time in the alert report Changed the way allow and deny IP addresses are inserted into iptables so that using the command line -a or -d doesn't require a firewall restart csf -l now shows iptables line numbers Added login tracking (LT) options to keep track of POP3 and IMAP logins and limit them to X connections per hour per account per IP address. Uses iptables to block offenders to the appropriate protocol port only and flushes them every hour. All of these blocks are temporary and can be cleared by restarting csf 1.21 - Added the real log file failure entry matches to the alert email. Existing installations will need to add a [text] variable into /etc/csf/alert.txt Added link in WHM to the ChangeLog if a new version is available 1.2 - Fixed uninstall script to remove lfd from chkservd Fixed lfd so that checks were not made on options where a log file is shared Fixed lfd stop/start to dis/enable chkservd option Added upgrade feature to WHM when a new version of csf is available 1.11 - Use full paths to chkconfig within the csf installation scripts Documentation improvements 1.1 - Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks an IP address. lfd now forks a child process to handle the IP blocking and email so that it doesn't hinder the daemon process from scanning the logs. It uses a template file for the email. 1.0 - Initial public release Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading Check /var/log/messages and /var/log/secure for SSHD logins Clarified in the configuration file that only courier-imap/pop3 connections are trapped in lfd 1.0RC2 - Added filtering out of \r in WHM interface for allow and deny Fixed typo in WHM addon Added new configuration option ALLOW_RES_PORTS 1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch: http://sourceforge.net/projects/fwlogwatch/ This processes /var/log/messages and extracts the iptables log entries (if logging is enabled) and produces a simple HTML summary report 0.2b - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat module installed Modified lfd to use asterix in the log message when blocking to highlight in Thunderbird in the same way as the kernel log messages if you use the "Quote Colors" extension - http://quotecolors.mozdev.org/ Added list of TCP and UDP ports currently being listened on to install Set DNS_ZONE to default to 1 Removed backups of csf.conf files as the WHM interface is stable Added ipt_owner module load for SMTP Tweak on LKM kernels Added ipt_LOG to the required module list for LKM kernels to ensure drop logging to syslog Added new configuration option DENY_IP_LIMIT 0.1b - Initial beta release (24 May 2006)