New csf v12.02

Posted on by Chirpy

Changes:

  • Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
  • Added more CLI options that work if csf is disabled
  • Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under “Include statement in configuration files” for the list of supported files
  • Added mangle and raw tables to csf –grep [IP] and modified output to show a new column with the table then the chain that a rule is in
  • Added mangle and raw tables to csf –status output and modified output to show a new header line with the table that a rule is in
  • Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
  • Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6
  • Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
  • Updated csf.conf documentation relating to the ICMP/PING settings
  • Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk but can impact network performance, so should be left disabled by everyone else
  • csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
  • USE_CONNTRACK is now enabled by default on new installations
  • Fixed DOCKER IPv6 warning message when DOCKER not enabled
  • Modified csf.blocklists for GREENSNOW to use https on existing and new installations

New cxs v9.07

Posted on by Chirpy

Changes:

  • Added new option to cxsControl settings for statistics collection. This provides the ability to enable or disable the collection of statistical information for the cxsControl graphs. Existing and new installations will default to DISABLED to improve scanning performance
  • Database updates are now batch processed via cron (and when accessing the cxsControl UI) to improve scanning performance. The cronjob runs every 10 minutes from /etc/cron.d/cxsdb-cron
  • Added a check for Wnotify filechange to force flush the event buffer if it grows excessively
  • Modified –dbreport to be ignored if used in cxscgi.sh, cxsftp.sh and cxs Watch, updated docs to reflect the change

New cxs v9.06

Posted on by Chirpy

Changes:

  • Added prevention routines to stop corrupt fingerprint and regex entries from being loaded
  • Reduced memory footprint when handling fingerprints
  • Reduced memory footprint of cxs Watch controlling process
  • Fixed issue with cxs installation/upgrade sometimes restarting cxs Watch whether it was running or not
  • Modified eval+use+module checks to use bundled Module::Installed::Tiny instead
  • Fixed perl memory leak when using regexes in cxs.ignore. This fix can significantly reduce the memory overhead of cxs processes, especially with cxs Watch and –allusers scans

cxs False Positives

Posted on by Chirpy

We had a corrupt daily update of the cxs signatures that is causing problems for some users. If you are seeing a problem with detections, please do the following immediately:

rm -fv /etc/cxs/new.fp
cxs -U
service cxswatch restart

 

If you need to perform a bulk restore from quarantine due to this issue:

Depending on the location of your quarantine, the following should work:

find /home/quarantine/cxsuser/ -type f -exec cxs --qrestore {} \;

You will get messages about “Restore failed – Restore file not found” which you can ignore.
Note: The destination file must _not_ exist otherwise the restore for the file will fail.

New cxs v9.04

Posted on by Chirpy

Changes:

  • Fixed spurious DBI error when rescanning a quarantine directory in the UI
  • When running/viewing scans or configurations through the UI, ensure any configured quarantine directory is created if missing