General

New csf v3.33

Changes:

  • Modified skip for su login checking from root to cater for (uid=0)
  • Added option SYNFLOOD_BURST to allow configuration of –limit-burst when SYNFLOOD is enabled. Changed default values
  • Added to –grep searches to csf.deny and temporary blocks in addition to iptables
  • Modified SSH regex to improve login failures detection further
  • Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
  • Added vsftpd regex for ftp login failures

New csf v3.32

Apologies for the multiple releases today:Changes:

  • Modified SSH regex to check for ipv6 addresses
  • Added another regex to improve SSH matching

New csf v3.31

Changes:

  • Modified -denyrm to abort if left blank instead of clearing all blocks
  • Added lfd check for existing temporary block to avoid duplicates
  • Fixed regex handling for courier-imap POP and IMAP login failures
  • Added –full-time to the ls command for LF_DIRWATCH_FILE. If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading
  • Fixed typo in Suhosin description in the Server Check Report
  • Added Referrer Security to the Server Check Report
  • Added register_globals check in cPanel php.ini to Server Check Report

New csf v3.30 (Security Fix)

Changes:

  • Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd
  • The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
  • Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
  • Option LF_SCRIPT_PERM removed

Our thanks to Jeff Petersen for the detailed information describing these issues.We recommend that all users of csf upgrade to this new version

New csf v3.28

Changes:

  • Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
  • Modified relay tracking to not ignore RELAYHOST IP’s
  • Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP’s
  • LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

New csf v3.27

Changes:

  • Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny

New csf v3.26

Changes:

  • Added new CLI option to csf, -g –grep will search the iptables chains for a specified match which is either explicit or part of a CIDR
  • Added WHM UI option for csf –grep
  • Added new CLI option to csf, -dr –denyrm will remove an IP address from csf.deny and unblock it
  • Added WHM UI option for csf –denyrm

New csf v3.25

Changes:

  • Added csf.suignore file where you can list usernames that are ignored during the LF_EXPLOIT SUPERUSER test
  • New option PT_LOAD_ACTION added that can contain a script to be run if PT_LOAD triggers an event. See csf.conf for more information
  • Added SUPERUSER check to Server Check Report
  • Added Suhosin check to Server Check Report

Problems with LWP and access to https URL's

If you’re using perl scripts on your server that use LWP and suddenly find them failing with connections to https resources with the following type error:

500 read failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

then you’ve probably got LWP v5.811 installed which breaks SSL connections! The author fixed the problem he created after about two days with v5.812 but the damage was done on many servers. cPanel have put a hold back on cpan module updates for LWP to v5.810 but if your servers already upgraded LWP then you’ll need to either upgrade it manually from the cpan source to v5.812 or downgrade to v5.810.Downgrading LWP:

wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/libwww-perl-5.810.tar.gztar -xzf libwww-perl-5.810.tar.gzcd libwww-perl-5.810perl Makefile.PLmake(take the default options unless you want to additional binaries installed)make install

New csf v3.24

Changes:

  • Allow comments after IP addresses in csf.dyndns
  • Added new login failure option LF_SUHOSIN which detects alert messages and blocks the attacker IP after the configured number of matches
  • Added a new exploit check for non-root superuser accounts
  • Added a new configuration option LF_EXPLOIT_CHECK which allows you to configure which tests are performed by LF_EXPLOIT