Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
Added new CLI option csf --tempallow (csf -ta) which works in exactly the same way as csf --tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries
Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers
Updated UI entry for adding and removing temporary allows and blocks
Display temporary block TTL in days, hours, minutes and seconds
Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information
Modified csf and lfd init scripts to be LSB-compliant
Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts
Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error
lfd Clustering, final release. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications
Added new option LF_DISTATTACK. Distributed Account Attack detection. This option will keep track of login failures from distributed IPs to a specific application account. If the number of failures matches the trigger value, ALL of the IP addresses involved in the attack will be blocked. This option is currently disabled by default – see csf.conf for more information
Added new option PT_USERKILL_ALERT if you want to disable email alerts for PT_USERKILL triggers. This option is enabled by default, i.e. alerts are sent
Added new option LF_QUICKSTART in csf.conf and CLI options -q, --startq, -sf, --startf to allow deferral of csf startup to lfd instead of waiting for the CLI to perform the work. See the CLI help and csf.conf for more information
Added UI option for “Firewall Quick Restart” which uses csf -q, “Firewall Restart” uses csf -sf
lfd now restarts csf (if stopped and LF_CSF enabled) within the main process to enhance the integrity of the firewall
Fixed a false-positive detection of C/C++ source files
Added filename legend to View option UI in Other Files
For single or multiple user scans, Symlinks within the homedir will now be ignored
Removed [\;\|\`\\] regex checks from the [f] and [d] --options, as they appear to be of little value (you could always add back such a check using a similar regex entry in an xtra file)
Modified hidden text in image file check to only report if the text is script code
Improved csf locking to enhance the integrity of the firewall
Log lfd csf deny failures
New SSHD regex added
Improved the dovecot regexes
New Beta option: lfd Clustering. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications
Added UID check to ensure updates are only performed by root (UID=0)
New --options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) --decode [file] option during a scan. This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches
Added eval(str_rot13 to --decode [file]
Fixed --decode [file] not scanning final decoded result with regex definitions and fingerprints
Improvements to --decode [file] detection and processing
Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly
Fixed bug preventing csf from blocking FTP IP addresses when --block used
Added failure message from csf to FTP email if deny fails
Added new exploit scanning option W to be used with --option (must be explicitly added to the options list – the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems
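
The LF_DISTATTACK entry above describes tracking login failures against one account from many source IPs and blocking every address involved once a trigger is reached. The sketch below is an added example of that detection idea, not lfd's own code: the log format is constructed sample data, and the `trigger`, `min_unique_ips` and `window` parameters are assumptions for illustration, not csf.conf setting names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH "Failed password" style (not real logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T10:00:05 sshd[102]: Failed password for bob from 203.0.113.7 port 40002 ssh2
2024-05-01T10:00:09 sshd[103]: Failed password for alice from 198.51.100.23 port 40003 ssh2
2024-05-01T10:00:12 sshd[104]: Failed password for bob from 203.0.113.7 port 40004 ssh2
2024-05-01T10:00:20 sshd[105]: Failed password for alice from 203.0.113.50 port 40005 ssh2
2024-05-01T10:00:25 sshd[106]: Failed password for bob from 203.0.113.7 port 40006 ssh2
2024-05-01T10:00:31 sshd[107]: Failed password for alice from 192.0.2.77 port 40007 ssh2
2024-05-01T10:00:40 sshd[108]: Failed password for bob from 203.0.113.7 port 40008 ssh2
2024-05-01T10:00:45 sshd[109]: Accepted password for carol from 192.0.2.99 port 40009 ssh2
"""

FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def detect_distributed(lines, trigger=4, min_unique_ips=2,
                       window=timedelta(seconds=300)):
    """Return {account: sorted IPs to block} for distributed login failures.

    trigger, min_unique_ips and window are hypothetical parameters chosen
    for this example; lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # account -> (timestamp, ip) within window
    to_block = defaultdict(set)   # account -> every IP involved in the attack
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ts, account, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[account]
        q.append((ts, ip))
        while ts - q[0][0] > window:      # expire failures older than window
            q.popleft()
        ips = {addr for _, addr in q}
        # One noisy IP is ordinary brute force; require several distinct sources.
        if len(q) >= trigger and len(ips) >= min_unique_ips:
            to_block[account] |= ips      # block ALL contributing addresses
    return {acct: sorted(ips) for acct, ips in to_block.items()}

if __name__ == "__main__":
    print(detect_distributed(SAMPLE_LOG.splitlines()))
```

In the sample, the four failures against `alice` come from four addresses and are all returned for blocking, while the four failures against `bob` come from a single address and are left to ordinary per-IP failure handling.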