Server Software and Configuration Services
Changes: AUTO_UPDATES enabled for new installations in csf.conf Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still set in csf.conf it will be ignored Check MESSENGER service to ensure privileges are dropped before starting the daemon Drop…
Changes: During cxs Watch startup default to the POSIX locale to avoid error message ambiguity for intotify from the kernel Improvements to –decode ([D]) option Exploit regex definitions database additions Exploit fingerprint definitions database additions
Changes: Improvements to –decode ([D]) option Exploit regex definitions database additions Exploit fingerprint definitions database additions
Changes: Updated the LF_TRIGGER_PERM explaination in csf.conf to properly reflect the possible settings of LF_TRIGGER Perform account name sanitisation checks in lfd
Changes: Further SECURITY improvements to Quarantine functionality All cxs users should upgrade to this release immediately
Changes: Fixed a SECURITY BUG in Quarantine file restore which could result in root privilege escalation. The destination restore file must not now exist before restoring will work. Our thanks to Jeff Petersen for reporting this issue All cxs users…
Changes: Fixed a SECURITY BUG that can be exploited remotely via log file spoofing resulting in root privilege escalation. Our thanks to Jeff Petersen for reporting this issue All csf users should upgrade to this release immediately
Changes: New –options [R]. It will trigger a match for the inbuilt regex used by –options [D] when decoding PHP encoded (base64, etc) scripts Improvements to –decode ([D]) option so that both the last and the penultimate decode level are…
Changes: Removed code that dropped privileges to the “nobody” user while running the interactive php interpreter as it broke subsequent scanning at depth Exploit regex definitions database additions Exploit fingerprint definitions database additions
Changes: New feature: Connection Limit Protection (CONNLIMIT, CONNLIMIT_LOGGING). This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific…