General

Changes:

• New feature SMTPAUTH_RESTRICT – This option will only allow SMTP AUTH to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth on EXIM mail servers. The additional option CC_ALLOW_SMTPAUTH can be used with this option to additionally restrict access to specific countries. See csf.conf and readme.txt for more information
• New FASTSTART procedures in csf and lfd to centralise functions and add error reporting
• FASTSTART added to GLOBAL_ALLOW, GLOBAL_DENY, GLOBAL_DYNDNS, csf.deny, csf.allow, Port Settings, PACKET_FILTER, DROP_NOLOG, SMTP Block, DNS
• Remove duplicate IP addresses from individual blocklists
• Remove duplicate IP addresses (not CIDRs) across blocklists as they are newly retrieved
• Ensure /usr/local/bandmin/bandminstart exists and is executable on cPanel servers before using it
• Removed MySQL version check as it is currently redundant from Server Report
• Improve Net::CIDR::Lite use integrity to prevent unnecessary lfd failures
• Ensure GeoIPCountryWhois.csv is removed before processing a new d/b download
• Add /etc/csf/csf.smtpauth to UI if SMTPAUTH_RESTRICT is enabled
• Fixed issue with IPv6 generation of SMTP_ALLOWUSER rules

Changes:

• Fixed csf –ta/d not accepting comma separated port list
• Modified csf -t multi-port reporting
• Modified csf UI to support specifying port list in temporary allow/deny
• Modified integrated UI call to perform separate calls to IO::Socket::SSL to use the appropriate AF_INET(6) call depending on the setting for IPV6
• Updates to integrated cse UI CSS
• Added regular expressions for courier-imap, Qmail SMTP AUTH and Postfix SMTP_AUTH for Plesk servers
• Removed RBN from csf.blocklist for new installs as it is now obsolete
• Check for an apply correct permissions on /var/lib/csf and /usr/local/csf in addition to /etc/csf

Changes:

• Overhaul of Apache regexes to cater for Apache v2.4 formats
• Fail with an appropriate error if attempting to use an IPv6 address but IPV6 is not enabled
• Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT when DROP_OUT_LOGGING is disabled
• Strip leading and trailing spaces from form IP in csf UI
• DROP_OUT_LOGGING is now enabled by default on new installations
• ST_ENABLE is now enabled by default on new installations
• CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries. This provides a more consistent approach and quicker lookups with reduced memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE

Changes:

• HTTP::Tiny reverted to v0.041 as it breaks on some installations

Changes:

• Modified LF_SCRIPT_ALERT to only report detected lines
• Modified Server Check for sshd_config port to be case-insensitive
• Modified PORTS_sshd check of sshd_config port to be case-insensitive
• HTTP::Tiny upgraded to v0.042
• Reverse sort temp bans in UI

Changes:

• File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs
• Added Server Reports recommendation for CloudLinux if running CentOS or RedHat
• Added Server Reports CloudLinux security feature checks
• Modified Server Report check for dovecot v2
• Updated Server Report version checks for Fedora, MySQL and Apache
• Added missing bracket to regex.custom.pm example
• Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports
• Added Cached memory to the System Statistics
• Added full pseudo-breadcrumbs to cPanel csf UI
• Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See “man csf” and UI for more details of the “csf –profile [OPTIONS]” commands
• HTTP::Tiny upgraded to v0.041