Improved csf locking to enhance the integrity of the firewall
Log lfd csf deny failures
New SSHD regex added
Improved the dovecot regex’s
New Beta option: lfd Clustering. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications
Added UID check to ensure updates are only performed by root (UID=0)
New –options [D]. This is an experimental option that puts any PHP scripts containing an eval() function that decodes base64 and rot13 data through the (experimental) –decode [file] option during a scan. This will then highlight the decoded result if it hits any regex, fingerprint or virus scan matches
Added eval(str_rot13 to –decode [file]
Fixed –decode [file] not scanning final decoded result with regex definitions and fingerprints
Improvements to –decode [file] detection and processing
Modified pure-uploadscript init file to cope with multiple pure-ftpd pids on restart and to stop pure-ftpd more cleanly
Fixed bug preventing csf from blocking FTP IP addresses when –block used
Added failure message from csf to FTP email if deny fails
Added new exploit scanning option W to be used with –option (must be explicitly added to the options list – the same way as the C option). The W option will chmod all world writable directories found to 755. Use this option with care as it could prevent web scripts from functioning on non-suPHP or non-SUEXEC enabled systems
Improvements to –decode performance and effectiveness
New optimised fingerprint database. This new database, though with fewer entries, is better targetted at detecting relevant exploits that ClamAV misses (the majority!)
Changed “Match for fingerprint of an exploit” to “Known exploit = [Fingerprint Match]”
Changed “Match for regular expression (regex)” to “Regular expression match = [regex]”
Added ” (Hits:nn)” to the Subject line of email reports
Added new option –ulist [file] for use with the –all option to perform scans of only those users listed in [file]
Regex scanning improvements
Disable default deep scanning on FTP and web script uploads to help avoid false-positives. If you want to continue deep scanning add –deep to cxsftp.sh and/or cxscgi.sh
Added breakout if –decode [file] depth is > 250 to prevent looping
Fixed problem with quarantine UI to cope with a trailing slash on the –quarantine [dir] statement
Improved detection of the quarantine directory in UI
Added DNS lookups on FTP IP address reports
Allow the use of floating point numbers with –throttle [num]
Added “Ignore” option for FTP quarantines files to Quarantine UI to add a file: ignore statement to a relevant ignore file if configured
Added new options –jumpfrom [user] and –jumpto [user] for use with the –all option to perform scans of only those user between the two points, both of which are inclusive
