General

New csf v3.13

Changes:

  • Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans held in the temporary IP ban list to prevent iptables flooding. If the limit is reached, the oldest bans will be removed/allowed by lfd on the next unblock cycle regardless of remaining TTL for the entry
  • Added LF_FLUSH for the flush interval of reported usernames, files and pids so that persistent problems continue to be reported. Default is set to the previously hard-coded value of 3600 seconds
  • Fixed uw-imap ipop3d regex
  • Added check for TESTING mode when using csf -a or csf -d to only add to the respective csf.allow or csf.deny files and not insert into iptables to prevent errors if iptables has been flushed after reaching TESTING_INTERVAL

New csf v3.12

Changes:

  • Added SMTP AUTH failure regex for Kerio MailServers
  • Fixed an issue where a permanent Port Scanning alert would report as a temporary block, eventhough a permanent block was performed
  • Added regex for failed SSH key authentication logins (thanks to Paul)

New RootKit Hunter v1.3.2

The Rootkit Hunter project team announces release 1.3.2.The changelog lists 3 additions, 6 changes and 14 bugfixes. Naming a few:- Socklog and rsyslog daemons support.- IRIX/IRIX64 support.- Application version check errors mostly ignored.- Unset ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1.- Application check whitelisting.- ‘pflog’ checked for all *BSD now.- Correct scanning of /dev in LAZY mode.- Whitelisted passwordless account names logged.- Corrected obtaining process names in Solaris.- Unset MANPATH for .spec (OpenSuSE).- Correct hidden files/directories test behaviour.This is the procedure we use to upgrade rkhunter:

wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.2.tar.gztar -xzf rkhunter*cd rkhunter-*./installer.sh –layout default –install

New csf v3.11

Changes:

  • Use /proc for Process Tracking instead of ps output incase of exploited system binaries and to better determine resource usage of each process

New csf v3.10

Changes:

  • Modified INPUT and OUTPUT chain rules to always specify the ethernet device
  • csf now re-applies temporary IP blocks on restart
  • Added new CLI command to add temporary IP bans. See csf -h for the new csf -td command
  • Added new options to WHM csf UI to unblock temporary IP bans
  • Added new option to WHM csf UI to block IP temporarily for a specified TTL

New csf v3.09

Changes:

  • Fixed missing copy for the portscan.txt report for generic installations
  • Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking email alerts
  • Added a sample of the port blocks that trigger the Port Scan to the report. This new report will be copied to /etc/csf/portscan.txt.new on existing installations, rename it to portscan.txt to use it
  • Added Port Scan Tracking to WHM UI Firewall Security Level
  • Added cPAddon update email setting check to Server Security Report
  • Modified the SuEXEC link location to the cPanel v11 location in Server Security Report
  • Added portscan.txt template to editable list in WHM UI
  • Updated readme.txt

New csf v3.08

Changes:

  • Modified Port Scan Tracking to ignore blocked IP addresses incase DROP_IP_LOGGING is enabled

New csf v3.07

Changes:

  • Added Apache Server Status report to PT_LOAD for load average report monitoring. To benefit from this feature you will need to rename the new report file /etc/csf/loadalert.txt.new to loadalert.txt. The reports (ps, vmstat and apache) are now included as MIME attachments in the email report instead of inline text
  • New feature: Port Scan Tracking. This feature tracks port blocks logged by iptables to syslog. It can help block hackers attempting to scan the server for open ports, or to block them while trying to access blocked standard ports, e.g. SSH. See csf.conf for more information
  • Upgraded the urlget module

New csf v3.06

Changes:

  • Added System Exploit Checking. This enables lfd to check for the Random JS Toolkit and may check for others in the future:http://www.cpanel.net/security/notes/random_js_toolkit.htmlIt compares md5sums of the binaries listed in the exploit above for changes and also attempts to create and remove a number directory. The open is enabled by default. The report is generated from the exploitalert.txt template file