General

New csf v3.18

Changes:

  • Fixed bug in the generic csf release where the default csf.conf was missing the DROP, CT_STATES and GLOBAL_IGNORE settings – Thanks to Jim for the help in tracking the issue down

New csf v3.17

Changes:

  • Rewritten the update code so that a new csf.conf is creating when upgrading. It now uses the latest csf.conf and transfers the existing settings to the new configuration file. This way all installations are sure to have all new settings and the latest comments. It also makes the release process for new builds much simpler
  • Other installation/update improvements
  • Updated APF/BFD removal procedure

New csf v3.16

Changes:

  • Fixed bug introduced in v3.14 for generic installation only

New csf v3.15

Changes:

  • Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf
  • Modified csf.conf text for new installations to account for auto-configuration of ETH_DEV which has been the case for some time:# By default, csf will auto-configure iptables to filter all traffic except on# the local (lo: ) device. If you only want iptables rules applied to a specific# NIC, then list it here (e.g. eth1, or eth+ )ETH_DEVICE = “”# If you don’t want iptables rules applied to specific NICs, then list them in# a comma separated list (e.g “eth1,eth2” )ETH_DEVICE_SKIP = “”

New csf v3.14

Changes:

  • Added new format for cPanel (v11.18.3) login failures to regex.pm
  • Added exe:/usr/libexec/gam_server to the default list of ignored binaries
  • Fixed problem with SCRIPT_ALERT not picking up alternative /home directories from wwwacct.conf

New csf v3.13

Changes:

  • Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans held in the temporary IP ban list to prevent iptables flooding. If the limit is reached, the oldest bans will be removed/allowed by lfd on the next unblock cycle regardless of remaining TTL for the entry
  • Added LF_FLUSH for the flush interval of reported usernames, files and pids so that persistent problems continue to be reported. Default is set to the previously hard-coded value of 3600 seconds
  • Fixed uw-imap ipop3d regex
  • Added check for TESTING mode when using csf -a or csf -d to only add to the respective csf.allow or csf.deny files and not insert into iptables to prevent errors if iptables has been flushed after reaching TESTING_INTERVAL

New csf v3.12

Changes:

  • Added SMTP AUTH failure regex for Kerio MailServers
  • Fixed an issue where a permanent Port Scanning alert would report as a temporary block, eventhough a permanent block was performed
  • Added regex for failed SSH key authentication logins (thanks to Paul)

New RootKit Hunter v1.3.2

The Rootkit Hunter project team announces release 1.3.2.The changelog lists 3 additions, 6 changes and 14 bugfixes. Naming a few:- Socklog and rsyslog daemons support.- IRIX/IRIX64 support.- Application version check errors mostly ignored.- Unset ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1.- Application check whitelisting.- ‘pflog’ checked for all *BSD now.- Correct scanning of /dev in LAZY mode.- Whitelisted passwordless account names logged.- Corrected obtaining process names in Solaris.- Unset MANPATH for .spec (OpenSuSE).- Correct hidden files/directories test behaviour.This is the procedure we use to upgrade rkhunter:

wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.2.tar.gztar -xzf rkhunter*cd rkhunter-*./installer.sh –layout default –install

New csf v3.11

Changes:

  • Use /proc for Process Tracking instead of ps output incase of exploited system binaries and to better determine resource usage of each process