New csf v7.55

Changes:

  • If LF_SELECT is enabled the port(s) listed in PORTS_* can now be specifed as port;protocol,port;protocol, e.g. “53;udp,53;tcp” to allow for protocol specific port blocks. This port format can also now be used in regex.custom.pm  and csf –td/–ta to allow udp port blocks
  • PORTS_bind now defaults to “53;udp,53;tcp” on new installations
  • PORTS_directadmin added for DA installs to allow for per port blocks if LF_SELECT is enabled
  • Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
  • LF_IPSET taken out of BETA as it is proving stable
  • Modified Server Check to skip checking xinetd on Plesk servers
  • Modified UI_SSL_VERSION for new installations to use the new IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so that SSLv3 is disabled
  • If systemd is running the installer disables firewalld using systemctl

New csf v7.54

Changes:

  • Added IPv4/IPv6 column to show whether the port in the csf –ports option is listed in *_IN (e.g. TCP_IN)
  • Added IPv4/IPv6 column to show the number of ESTABLISHED connections to the port in the csf –ports
  • Modified Server Check text from “SMTP Tweak” to “SMTP Restrictions” for cPanel/WHM UI
  • Added the following to LF_IPSET for IPv4 IPs and CIDRs: /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables
  • Modified ipset information in csf.conf including that only ipset v6+ is supported
  • Modified ConfigServer::Slurp to carp instead of croak
  • Improvements to Server Check nameserver checking to include IPv6 servers and better determine how many are local nameservers
  • Modified csf –graphs to append a trailing slash if missing to directory name

New csf v7.50

Changes:

  • Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and csf.blocklist bulk list matching. See csf.conf for more info
  • Added new UI option to view ports on the server that have a running process behind them listening for external connections
  • Added new CLI option (csf -p, csf –ports) to view ports on the server that have a running process behind them listening for external connections
  • Added new CLI option (csf –graphs) to Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
  • If using DYNDNS and the FQDN has multiple A records then all IP addresses will now be allowed
  • IPv6 support added to DYNDNS. Requires the Perl module Socket6 from cpan.org to be installed
  • On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin if installed and logging enabled via CustomBuild v2+. Failures will contribute to the LF_DIRECTADMIN trigger level for that IP
  • On DA servers, FTPD_LOG now defaults to /var/log/messages on new installs
  • Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs on DA
  • Added to UI count of entries in /etc/csf/csf.allow
  • Added blocklist.de to csf.blocklists for new installs, latest file copied to /etc/csf/csf.blocklists.new on existing installs
  • Started moving common functions to separate modules within csf
  • HTTP::Tiny upgraded to v0.050
  • Fixed csf stop/start routines on reboot for servers using systemd
  • Modified integrated UI to display die errors to browser
  • Modified X_ARF report to use a self-published schema: http://download.configserver.com/abuse_login-attack_0.2.json
  • Modified X_ARF to lowercase the Source-Type field
  • Modified X_ARF template to use the v0.2 “X-XARF: PLAIN” header field
  • Updated restricted UI items
  • Geo::IP upgraded to v1.45
  • Crypt::CBC upgraded to v2.33

New cxs v5.05

Changes:

  • Updated installer to fix generic installs on some Redhat/CentOS setups
  • Fixed issue with fingerprint database and a corrupt regex
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v7.15

Changes:

  • Updated installer to fix generic installs on some Redhat/CentOS setups
  • Fixed issue with temporary allow/deny not applying individual port rules for outgoing connections

 

New cxs v5.04

Changes:

  • Improvements to .htaccess fingerprint P0216 -> P0767
  • Modify installer to always perform an update on installation to ensure the latest definitions are always available
  • cxswatch will now scan a directories permissions if any of its attributes are changed and –options [w] and/or –options [W] is enabled
  • Updated scripts to use download.configserver.com
  • Exploit fingerprint definitions database additions