General

New csf v7.57

Changes:

  • 7.57   – URLGET now set to “2” to use LWP by default on new installations instead of HTTP::Tiny
  • If URLGET set to use LWP, csf will perform upgrades over SSL to https://download.configserver.com
  • Added check for URLGET to Server Check
  • Added option “3” for CC_LOOKUPS to also include IP ASNs via the MaxMind GeoIPASNum database
  • Updated SSH login regexes
  • Updated named regex
  • Added 30 second timeout for ST_IPTABLES iptables stats writing to prevent a child creation loop
  • Modified lfd to restart if more than 200 children are currently active to prevent child creation loops

New cxs v5.08

Changes:

  • Fixed a rare potential issue with fingerprint processing in –xtra [file]
  • Added new advanced PHP decoders
  • Updated scripts to use https://download.configserver.com
  • Revert to using LWP::UserAgent instead of HTTP::Tiny for SSL support

Changes to ConfigServer Services

We have made changes to our product offerings

Our paid products will now consist of:

  • cPanel Service Package – as before, providing a configuration, hardening and scan service for cPanel servers.
  • ConfigServer eXploit Scanner – this service provides the installation of cxs. It also now includes setup of daily/weekly scan jobs
  • ConfigServer MailScanner Front-End – this service provides installation of our front-end to MailScanner. It also includes installation of MailScanner itself along with DCC, cmq, MailWatch, etc. Support of MailScanner itself is now restricted to the 7 day post-installation period. Any further support for MailScanner itself will provided at our discretion and be charged at an hourly rate

We are no longer offering the following:

  • Exploit scan service – this is provided for by the cPanel Service Package, though we may offer a simple scan and report add-on service on purchase of the ConfigServer eXploit Scanner product if there is demand
  • ConfigServer MailScanner Front-End license only – this is provided for by the ConfigServer MailScanner Front-End product which you can choose to install yourself if you wish

New Pricing for January 2015, plus Holiday Schedule

Script and Service Pricing – 2015

Prices for our script applications and server services will see changes in the new year from 1st January 2015.

If you want to purchase at the current prices you should do so before 1st January 2015 as we will not be offering the old prices from that date onwards.

Holiday Schedule

We will be closing our Store from 22nd to the 29th of December 2014 (inclusive).

We will be closing our Help Desk from 24nd to the 29th of December 2014 (inclusive).

cxs and “CryptoPHP”

CryptoPHP:

http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/

cxs can detect “CryptoPHP” for currently reported variants (and has done so for some time with then known variants).

A few things to note:

  • As with all exploits, new variants are developed regularly so they will not always be detected
  • Ensure that you have a daily cron job to update cxs
  • cxs will not necessarily prevent an account being exploited as this “infection” is caused by clients installing illegal (“nulled”) applications that have already been exploited
  • As with all exploits, regular full cxs scans have to be run to detect newly reported variants that may have previously evaded cxs Watch
  • If you find new variants that are not detected by cxs, submit them to us in the normal manner (see the cxs –wttw [script] option in the documentation)

New cxs v5.07

Changes:

  • Modified new installs to better initially update to the latest fingerprints
  • Ignore and Xtra files can now use an Include statement to include additional files. If cxswatch is running then it will also watch the included files for changes and reload if necessary
  • Added new quarantine option –qignore [method] which used when restoring a file using –qrestore [file] will create an entry in –ignore [file] before restoring the file. See POD for more info
  • Optimised fingerprint database to remove duplicates and old entries of no value reducing the size without reducing effectiveness
  • Exploit fingerprint definitions database additions

New csf v7.56

Changes:

  • Fixed issue with Restricted UI item sanity checks failing
  • Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (lfd, MailScanner cxs Watch). Restart triggers are limited to every 12 hours and will only trigger if upcp is not running

New csf v7.55

Changes:

  • If LF_SELECT is enabled the port(s) listed in PORTS_* can now be specifed as port;protocol,port;protocol, e.g. “53;udp,53;tcp” to allow for protocol specific port blocks. This port format can also now be used in regex.custom.pm  and csf –td/–ta to allow udp port blocks
  • PORTS_bind now defaults to “53;udp,53;tcp” on new installations
  • PORTS_directadmin added for DA installs to allow for per port blocks if LF_SELECT is enabled
  • Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
  • LF_IPSET taken out of BETA as it is proving stable
  • Modified Server Check to skip checking xinetd on Plesk servers
  • Modified UI_SSL_VERSION for new installations to use the new IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so that SSLv3 is disabled
  • If systemd is running the installer disables firewalld using systemctl

New cxs v5.06

Changes:

  • HTTP::Tiny upgraded to v0.050
  • Modified use of BSD::Resource to be silent on failure
  • Exploit fingerprint definitions database additions

New csf v7.54

Changes:

  • Added IPv4/IPv6 column to show whether the port in the csf –ports option is listed in *_IN (e.g. TCP_IN)
  • Added IPv4/IPv6 column to show the number of ESTABLISHED connections to the port in the csf –ports
  • Modified Server Check text from “SMTP Tweak” to “SMTP Restrictions” for cPanel/WHM UI
  • Added the following to LF_IPSET for IPv4 IPs and CIDRs: /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables
  • Modified ipset information in csf.conf including that only ipset v6+ is supported
  • Modified ConfigServer::Slurp to carp instead of croak
  • Improvements to Server Check nameserver checking to include IPv6 servers and better determine how many are local nameservers
  • Modified csf –graphs to append a trailing slash if missing to directory name