Unsupported option –YSKIPWMAIL added. Using this, If –options [W] or –options [wW] is triggered, then the directory will be chmod as normal but no email will be sent. If any other option is triggered for the same scan, the email will still be sent. This option only applies to cxs Watch
Added full pseudo-breadcrumbs to cPanel csf UI
HTTP::Tiny upgraded to v0.042
On cPanel servers, use cPanel provided perldoc binary in UI if present
Exploit fingerprint definitions database additions

New csf v6.44

Changes:

File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs
Added Server Reports recommendation for CloudLinux if running CentOS or RedHat
Added Server Reports CloudLinux security feature checks
Modified Server Report check for dovecot v2
Updated Server Report version checks for Fedora, MySQL and Apache
Added missing bracket to regex.custom.pm example
Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports
Added Cached memory to the System Statistics
Added full pseudo-breadcrumbs to cPanel csf UI
Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See “man csf” and UI for more details of the “csf –profile [OPTIONS]” commands
HTTP::Tiny upgraded to v0.041

cxs False-positive: [P0388]

You may see a false-positive in cxs after a recent release of fingerprint detections:

# Known exploit = [Fingerprint Match] [PHP Exploit [P0388]]

To remove the false-positive, run the following:

rm -fv /etc/cxs/new.fp
cxs -U

Our apologies for any confusion that this may have caused.

Changes:

Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to “3” is the recommended option
Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
csf –dr modified to remove matching IPs from csf.tempip
File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit

Changes:

Changes:

New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option “3” which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
Those running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
csf UI option added for editing csf.syslogusers
Fixed a bug in PT_LOAD not producing PS output

Changes:

SECURITY WARNING:

Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines).
Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst.
Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users.
There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default.
See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice
NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd. So you should use other such scripts with care
Our thanks go to Rack911.com for bringing this issue to our attention

Other changes: