New csf v2.29


  • New feature – User Process Tracking. This option enables the tracking of the number of process any given cPanel account is running at one time. If the number of processes exceeds the value of the PT_USERPROC setting an email alert is sent with details of those processes. A user is only reported once, so lfd must be restarted to reinstate checking of all users. If you specify a user in csf.pignore it will be ignored. The alert file is useralert.txt
  • Added useralert.txt for editing through the WHM UI
  • Added PT_USERPROC to the Firewall Security Level settings

New csf v2.26


  • Fixed a mis-configuation for outgoing global deny rule – Thanks to Marie from Jagwire Hosting
  • Allow advanced allow and block filters using the -a and -d options when running csf in CLI
  • Added new option LF_SELECT. If you have LF_TRIGGER set to “0” and the application trigger levels set, you can now set LF_SELECT to “1” if you only want to block IP access to that application instead of a complete block
  • Changed installer behaviour to only add SSH port to TCP_IN if TESTING is set to “1” – done to help those that don’t want to always have the SSH port opened

New csf v2.25

Fixes and Features:

  • Modified lfd init procedure to use the init functions
  • Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to “0” then lfd will instead trigger blocks based on the value of the application trigger, e.g. if LF_MODSEC is set to “3” then it will trigger on 3 mod_security alerts. Or if LF_POP3D is set to “10” then it will trigger on 10 pop3d login failures. When in this mode, i.e. with LF_TRIGGER set to “0”, login failures for different triggers are not cumulative, whereis LF_TRIGGER set to a number > “0” they are cumulative as before
  • Modification to csf.conf to reflect the changes to LF_TRIGGER – only applied to new installations
  • Rewrite of the iptables command invocation in to trap iptables errors and shutdown firewall if any found – should help prevent lockouts
  • Allow advanced rules in Global Allow and Deny lists. Input and Output direction support included.
  • Added Global Allow and Deny lists to the OUTPUT chain as well as the INPUT chain
  • Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to ignore. Updated WHM UI to allow easy file edits

News csf v2.23

Fixes and features:

  • Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH from the cPanel configuration
  • Added maildir check to Security Check
  • Fixed a typo in advanced rules – Thank you to Victor from Touch Support for pointing this out
  • Added binary executable check for LF_DIRWATCH files
  • Added core dump check in cron directories to LF_DIRWATCH
  • Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match
  • Increased LF_DIRWATCH timeout from 10 to 20 seconds – if you still find it timing out, make sure that you have been clearing down your tmp directories

New csf v2.22


  • Added CIDR recognition to csf.ignore
  • Rewrite of the iptables command invocation in to trap iptables errors and shutdown firewall if any found – should help prevent lockouts

New csf v2.21

Bug fix:

  • Fixed a problem on some installations where the update process emptied out csf.conf. If this has happened, you will need to remove /etc/csf/csf.conf and then rerun the installation procedure and reconfigure the firewall. If you’re already running at least v2.18 you can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf and then upgrade to this release

New csf v2.18

New features and bugs fixed:

  • Fixed an issue with checking the /var/tmp symlink by comparing the inodes of /tmp and the symlink destination of /var/tmp
  • Added checking of /usr/tmp
  • Added checking of SSH PasswordAuthentication
  • Modified update routine to take a copy of csf.conf before upgrading – the backup file is /etc/csf/csf.conf.preupdate
  • Added check in /etc/cron.daily/logrotate for /tmp noexec workaround

New csf v2.15

Some new features and bugfixes:

  • Added a list of the applications that lfd blocks a login failure for into csf.deny, e.g. (ftpd,mod_security)
  • Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature will watch for changes in directories and files listed in csf.dirwatch using an md5sum for the ls output. If the md5sum changes between checks an email alert is sent using watchalert.txt
  • Modified pid file locking for the lfd process to ensure duplicate processes won’t run
  • Completely reworked the child reaper code to prevent SIG_CHLD kernel errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs
  • Added new option to csf.fignore that allows you to ignore files owned by a specific user by adding an entry in the format user:bob
  • Fixed bug in LF_DSHIELD timer code
  • Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch their respective data
  • New Feature – GLOBAL_ALLOW and GLOBAL_DENY options allow you to specify a URL where csf can grab a centralised copy of an IP allow and/or deny block list of your own. They are both retrieved after a LF_GLOBAL interval in seconds by lfd
  • Added WHM UI changes for LF_DIRWATCH_FILE