General

New csf v8.06

Changes:

  • Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel servers for Pyzor that was added by cPanel in v11.52
  • Support added for EasyApache4 log locations in cPanel from /etc/cpanel/ea4/paths.conf
  • Added more executable files to csf.pignore on cPanel servers for cPanel EasyApache4
  • Modify Server Check to support cPanel EasyApache4
  • Added regex to support cPanel/WHM login failures with the new log format in v11.52+
  • If mod_ruid2 is enabled do not check for mod_userdir in Server Check
  • Always ensure binary exists and is executable before performing processing during Server Check
  • Modified ProFTPD regex to support more formats
  • vsftpd inbuilt log file format regex added
  • Modified cPanel antirelayd Server Check to also support popbeforesmtp added in v11.52
  • Added dbus and time systemd regexes to csf.logignore for new installs

New csf v8.05

Changes:

  • Added alarms to HOST binary calls
  • Added new csf CLI option: --rbl [email]. This generates the report checking IP addresses against a set of RBLs. Optional configuration is available through /etc/csf/csf.rblconf
  • Added UI to utilise the new --rbl [email] option
  • Added systemd status output after lfd restart via the csf CLI
  • Modified Server Check to only report bind if a named configuration file exists
  • Require cPanel resellers to enter a Comment when allowing or denying an IP
  • Added new option UI_IP to allow binding to a specific IP address for the integrated UI

New cxs v5.31

Changes:

  • Ensure only root can attempt to download the bayes corpus
  • Fixed POD reference to --bforget
  • Fixed POD formatting of long example commands
  • Updated Software Version Checking
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

csf PT_USERKILL Recommendation

We want to reiterate the points made in the csf configuration and during csf restart about the PT_USERKILL option and the problems it can cause on servers. There appears to have been a spate of people enabling the option, which we do not recommend for stability reasons.

As csf itself now reports:

*WARNING* PT_USERKILL should not normally be enabled as it can easily 
lead to legitimate processes being terminated, use csf.pignore instead

And as stated in /etc/csf/csf.conf:

# Warning: We don't recommend enabling this option unless absolutely necessary
# as it can cause unexpected problems when processes are suddenly terminated.
# It can also lead to system processes being terminated which could cause
# stability issues. It is much better to leave this option disabled and to
# investigate each case as it is reported when the triggers above are breached

New csf v8.04

Changes:

  • Added more executable files to csf.pignore on cPanel servers for cPanel v11.5*+
  • Added warning to both csf output and Server Check report if PT_USERKILL is enabled

New csf v8.03

Changes:

  • Fixed bug where iptables nat tables were not being flushed or grepped correctly

New csf v8.02

Changes:

  • Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
  • Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
  • Added new csf CLI option: --lfd [stop|start|restart|status]. Actions to take with the lfd daemon
  • Added new csf CLI option: -ra, --restartall. Restart firewall rules (csf) and then restart lfd daemon
  • Fixed several output message typos for “FASTSTART”
  • Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel
  • Improve IPv6 detection on installation
  • Implemented more efficient csf.conf loading in ConfigServer::Config

New csf v8.01

Changes:

  • Modify ConfigServer::CheckIP to cope with entries not passed by reference

New csf v8.00

Changes:

  • Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups
  • Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for LF_NETBLOCK
  • Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
  • Added IPv6 support for LF_IPSET
  • Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
  • Added IPv6 support for X_ARF report where found in the Abusix Contact DB
  • Added IPv6 nameserver support for /etc/resolv.conf
  • Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed
  • Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
  • Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
  • Added IPv6 support for SYNFLOOD
  • Added flush of ip6tables nat table if ip6tables version >= 1.4.17
  • Standardise all IPv6 addresses and networks to use the short form for consistent representation
  • Added FASTSTART support to LF_IPSET
  • Increased ulimit -n to 4096 in /etc/init.d/lfd
  • Included Net::IP for IP address manipulation
  • Included version perl module for version comparisons
  • Added missing csf.allow search to csf --grep
  • Added Server Check report for LF_IPSET when using Country Code filters

ConfigServer IPv6 Implementation

We are in the process of adding IPv6 connectivity to all of our domains. This has been enabled on www.waytotheweb.com and www.configserver.com so far.

Because of the way IPv6 is commonly implemented in protocols and applications, connections and DNS resolution will usually prefer IPv6 over IPv4.

If you see IPv6 connectivity issues, ensure that you have enabled outgoing connections to ports 80 and 443 in TCP6_OUT in your csf.conf.

If you still see problems, you will have to investigate your IPv6 server configuration to resolve the issue, or disable IPv6 on the server if it does not work.
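
The following is an added example, not part of csf or of the original announcements: a shell audit covering both the PT_USERKILL recommendation and the TCP6_OUT advice above. It assumes csf.conf's NAME = "value" line format and comma-separated port lists with low:high ranges; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Audit a csf.conf for an enabled PT_USERKILL and for outgoing
# IPv6 ports 80 and 443 missing from TCP6_OUT.

# conf_value FILE KEY: print the quoted value of KEY (last definition wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_allowed LIST PORT: succeed if PORT is listed singly or inside a low:high range.
port_allowed() {
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        IFS=$old_ifs
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$2" -ge "$lo" ] 2>/dev/null && [ "$2" -le "$hi" ] 2>/dev/null && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# audit_csf FILE: print one line per finding, nothing if the file passes.
audit_csf() {
    if [ "$(conf_value "$1" PT_USERKILL)" = "1" ]; then
        echo "PT_USERKILL is enabled: use csf.pignore instead"
    fi
    out6=$(conf_value "$1" TCP6_OUT)
    for port in 80 443; do
        if ! port_allowed "$out6" "$port"; then
            echo "TCP6_OUT does not allow outgoing port $port"
        fi
    done
}

# Constructed sample excerpt, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PT_USERKILL = "1"
TCP6_OUT = "20,21,22,25,53,113,443,30000:35000"
EOF
audit_csf "$sample"
rm -f "$sample"
```

On a live server, call audit_csf /etc/csf/csf.conf in place of the constructed sample.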