General

New csf v10.00

Changes:

  • Added new feature to MESSENGER: MESSENGER_HTTPS*. See /etc/csf/csf.conf for more detail. This option redirects blocked IP addresses that connect over an HTTPS connection (port 443) to the HTML MESSENGER service. The option uses existing SSL certificates on the server for each domain to maintain a secure SSL SNI connection without browser warnings. The setting is disabled by default

    Note: The perl module IO::Socket::SSL (v1.83+) with support for SNI must be available to use MESSENGER_HTTPS*, otherwise it will be disabled

  • Added new feature to MESSENGER: Google ReCAPTCHA (v2) to allow those blocked in the firewall to unblock themselves. See RECAPTCHA_* in /etc/csf/csf.conf for more details and limitations
  • Added MESSENGER procedure to restart listening sub-process if it has died
  • Moved MESSENGER processes to a separate module
  • Ensure that all forked processes terminate appropriately
  • On cPanel servers, use the cPanel WHM Template to support the new v64 UI layout (as best we can to maintain the look that we want)
  • Modified the cPanel csf ACL metadata and driver Perl modules to match new requirements for v64 and also maintain backwards compatibility

New cxs v6.32

Changes:

  • Ensure that empty decoded text and the md5sum for an empty file are always ignored

New cxs v6.30

Changes:

  • Added a new Universal decoder. This attempts brute-force against PHP scripts containing base64 data and can greatly improve decoding performance over other included decoders
  • Improved recent advanced decoder
  • Perl module Compress::Zlib added to requirements (should be installed by default with perl)

New cxs v6.29

Changes:

  • Added new advanced PHP decoders

New cxs v6.28

Changes:

  • Correct POD documentation regarding --Wmaxchild
  • Ensure that original self-contained inline PHP zip file is quarantined rather than zip file member

New csf v9.30

Changes:

  • Fix to try and resolve cluster send/recv issues (Note: _All_ members of the cluster need to be running v9.30 for clustering to function correctly)

New csf v9.29

Changes:

  • Fixed issue that was breaking LF_DISTSMTP
  • Fixed issue in UI lfd Stats. Note: The lfd stats data file has been renamed from /var/lib/csf/stats/lfdmain to /var/lib/csf/stats/lfdstats. Additionally, the stats for 2016-12-31 will reset to 0 due to this bug
  • Corrected text in readme.txt
  • Added new csf CLI cluster option: -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
    This sends a temporary deny request to the cluster
  • Added new csf CLI cluster option: -cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
    This sends a temporary allow request to the cluster
  • Added new csf CLI cluster option: -cg, --cgrep ip
    This requests the --grep output for [ip] from each cluster member
  • Modified cluster requests to respond with an acknowledgment to the sender
  • Modified --cdeny [ip] and --callow [ip] to include optional comment
  • Added separate tab for Cluster options in UI if enabled and added new cluster temp allow/deny commands to UI
  • Modified Port Scan Tracking. UDP packets destined for the network broadcast address(es) will now be ignored in Port Scan Tracking unless BRD is added to PS_PORTS. The broadcast address(es) include those listed in IP or IFCONFIG plus the default (255.255.255.255) unless one of the server's IPs
  • Added new feature: PT_USERRSS. This User Process Tracking option sends an alert if any user process exceeds the RSS memory limit set – RAM used, not virtual. PT_USERRSS is set to 256 (MB) and PT_USERMEM is now set to 512 (MB) by default on new installations. On existing installs PT_USERRSS is set to the same value as PT_USERMEM

New cxs v6.27

Changes:

  • Modified to unzip and scan self-contained inline PHP zip files
  • Exploit fingerprint definitions database additions

New cxs v6.26

Changes:

  • Modified quarantine directory structure detection to fail (i.e. disable --quarantine [dir]) if using an invalid directory instead of attempting to convert it

New cxs v6.25

Changes:

  • Modified how the entry is added to /etc/chkservd/chkservd.conf when that file is missing a trailing linefeed on the last record
  • Exploit fingerprint definitions database additions