General

New csf v3.36

Changes:

  • Increased the IP lookup timeout for reported IPs from 5 to 10 seconds
  • Improved lfd internal timing system for event triggers
  • Added new feature – Account Tracking. The new AT_* options configure an alert system for account modifications, which will send an email if new accounts are added or existing accounts are deleted, or if an account's password, uid, gid, login dir or login shell changes. Each of these checks can be enabled or disabled. You can also enable tracking for superuser accounts only; the latter is the default setting. This feature uses the email template accounttracking.txt
  • Added reason text to temporary IP bans
  • Added Server Report check for ini_set in PHP disable_functions
  • Added ossec to list of processes to disable as it will conflict and duplicate csf functionality
  • Changed Server Check scoring text to instead show a coloured table indicating score
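
The kind of comparison Account Tracking performs can be sketched as a diff of two passwd-format snapshots. This is an added example, not lfd's own code: the function names, the superuser_only flag (standing in for the AT_* settings) and the sample snapshots are assumptions made for illustration.

```python
FIELDS = ("password", "uid", "gid", "gecos", "login dir", "login shell")
TRACKED = ("password", "uid", "gid", "login dir", "login shell")

# Constructed passwd-format snapshots taken before and after a change window.
# With shadow passwords the password field here is just "x"; hash changes
# would have to be read from the shadow file instead.
OLD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
NEW = """\
root:x:0:0:root:/root:/bin/sh
alice:x:0:1001::/home/alice:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Map account name -> field dict; malformed and comment lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7 and not line.startswith("#"):
            accounts[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return accounts


def account_changes(old_text, new_text, superuser_only=True):
    """Return sorted (account, event) pairs describing what changed between snapshots."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    events = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        # An account counts as superuser if it has uid 0 in either snapshot,
        # so a uid change to or from 0 is never missed.
        is_super = any(a and a["uid"] == "0" for a in (before, after))
        if superuser_only and not is_super:
            continue
        if before is None:
            events.append((name, "added"))
        elif after is None:
            events.append((name, "deleted"))
        else:
            events.extend((name, f + " changed") for f in TRACKED if before[f] != after[f])
    return events
```

With superuser_only left on, the sample reports only the uid change on alice and the shell change on root; turning it off also reports bob as deleted and carol as added.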

cPanel – Perl on VPS Servers

It appears that many VPS servers overnight have installed the OS vendor version of perl, e.g. v5.8.5. This has meant that most of the perl modules that cPanel itself along with csf, MailScanner and other perl scripts use are missing. This in turn means that many perl based scripts (e.g. MailScanner, csf, cPanel itself) will have stopped functioning.

To resolve this issue, either run:

/scripts/checkperlmodules

Or, better, upgrade back to perl v5.8.8 using the distribution on the cPanel site:

http://layer1.cpanel.net/

You might also get away with simply going to /usr/bin/ and copying the perl v5.8.8 binary over the live perl binary.

Whichever method you use, with MailScanner at least, you’ll have to update MailScanner either from our install script, or by selecting the Force MailScanner Update button for MailScanner in the WHM UI.

It would then probably be a good idea to run:

/scripts/upcp -force

How this happened is odd as /etc/yum.conf on cPanel includes perl* in the ignore list.

New csf v3.35

Changes:

  • Changes to WHM UI script for cPanel v11
  • Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer supported
  • Added # of temp blocks to WHM UI “Temporary IP Bans” on main page
  • Modified Server Report check for register_globals in cPanel’s php.ini to use the new cPanel WHM setting
  • Added Server Report check for passwords in WHM email setting
  • Added Server Report check for WHM root/reseller login to users cPanel
  • Modified Server Report nobody cron check to only fail on non-zero cron file
  • Modified Server Report check for Fedora now that Fedora 7 is EOL (2008-06-13)
  • Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd blocking

New csf v3.34

Changes:

  • Modified regex matching to allow for trailing spaces in log lines
  • Modified PT_LOAD routine to prevent multiple triggers resulting in more than one alert email being sent
  • Removed the need for NETSTAT from lfd to reduce overheads and improve performance allowing CT_INTERVAL to be set lower. Now uses /proc/net/[protocol]
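
Reading the connection table straight from /proc/net/tcp, rather than spawning netstat, looks roughly like this. It is an added example and not lfd's code: the function names, the limit parameter and the sample table are assumptions, and the address decoding assumes IPv4 on a little-endian host.

```python
import socket
import struct
from collections import Counter

# Subset of the kernel's TCP state codes as they appear in the "st" column.
TCP_STATES = {"01": "ESTABLISHED", "03": "SYN_RECV", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (columns after "st" trimmed).
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0A00000A:0050 057100CB:C001 01
   2: 0A00000A:0050 057100CB:C002 01
   3: 0A00000A:0050 057100CB:C003 03
   4: 0A00000A:0050 076433C6:D431 01
   5: 0A00000A:0050 076433C6:D432 06
"""


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port). Assumes IPv4, little-endian host."""
    hex_ip, hex_port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16))), int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return (local, remote, state_name) for every socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4:
            rows.append((decode_addr(cols[1]), decode_addr(cols[2]),
                         TCP_STATES.get(cols[3], cols[3])))
    return rows


def over_limit(text, limit, states=("ESTABLISHED", "SYN_RECV")):
    """Map remote IP -> count for IPs with more than `limit` sockets in `states`."""
    counts = Counter(remote[0] for _, remote, state in parse_proc_net_tcp(text)
                     if state in states)
    return {ip: n for ip, n in counts.items() if n > limit}


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:   # live table on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE                       # fall back to the constructed sample
    print(over_limit(table, limit=2))
```

Because this is a single file read with no child process, it is cheap enough to repeat at a short interval, which is what makes a lower CT_INTERVAL practical.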

New csf v3.33

Changes:

  • Modified skip for su login checking from root to cater for (uid=0)
  • Added option SYNFLOOD_BURST to allow configuration of --limit-burst when SYNFLOOD is enabled. Changed default values
  • Extended --grep searches to cover csf.deny and temporary blocks in addition to iptables
  • Modified SSH regex to improve login failures detection further
  • Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
  • Added vsftpd regex for ftp login failures

New csf v3.32

Apologies for the multiple releases today.

Changes:

  • Modified SSH regex to check for ipv6 addresses
  • Added another regex to improve SSH matching

New csf v3.31

Changes:

  • Modified -denyrm to abort if left blank instead of clearing all blocks
  • Added lfd check for existing temporary block to avoid duplicates
  • Fixed regex handling for courier-imap POP and IMAP login failures
  • Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading
  • Fixed typo in Suhosin description in the Server Check Report
  • Added Referrer Security to the Server Check Report
  • Added register_globals check in cPanel php.ini to Server Check Report

New csf v3.30 (Security Fix)

Changes:

  • Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd
  • The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
  • Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
  • Option LF_SCRIPT_PERM removed

Our thanks to Jeff Petersen for the detailed information describing these issues.

We recommend that all users of csf upgrade to this new version.
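
Why regex hardening matters for a log-driven blocker can be shown by running a loose and an anchored pattern over the same lines. This is an added illustration of the general technique, not the patterns from regex.pm: both patterns, the function name and the log lines are constructed for the example.

```python
import ipaddress
import re

# Loose pattern: matches the phrase anywhere in a line, written by any program.
LOOSE = re.compile(r"Failed password for .* from (\S+)")

# Anchored pattern: full syslog prefix, sshd program tag, fixed message shape,
# no whitespace in the user field, and nothing but optional trailing spaces
# after "ssh2".
STRICT = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

# Constructed log lines: one genuine sshd failure and two lines where the same
# phrase appears in text that sshd did not log as a login failure.
LOG_LINES = [
    "Jun 14 03:12:01 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    "Jun 14 03:12:05 host1 webapp[311]: comment: Failed password for root from 198.51.100.7 port 22 ssh2",
    "Jun 14 03:12:09 host1 sshd[2216]: error: note Failed password for root from 198.51.100.8 port 22 ssh2",
]


def flagged_ips(lines, pattern):
    """Return the set of valid IP addresses the pattern would hand to the blocker."""
    hits = set()
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        try:
            hits.add(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            pass  # captured text is not an IP address; never block on it
    return hits


if __name__ == "__main__":
    print("loose :", sorted(flagged_ips(LOG_LINES, LOOSE)))
    print("strict:", sorted(flagged_ips(LOG_LINES, STRICT)))
```

The loose pattern flags all three addresses, while the anchored one flags only the address from the genuine sshd line, so a set of labelled lines like this makes a useful regression test whenever a log pattern is changed.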

New csf v3.28

Changes:

  • Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
  • Modified relay tracking to not ignore RELAYHOST IPs
  • Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IPs
  • LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

New csf v3.27

Changes:

  • Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny