General

New csf v3.05

Changes:

  • Added perl regex checking to csf.pignore with the new options puser, pexe and pcmd. Text added to csf.pignore for new installations:

    # Or, perl regular expression matching (regex):
    #
    # pexe:/full/path/to/file as a perl regex[*]
    # puser:username as a perl regex[*]
    # pcmd:command line as a perl regex[*]
    #
    # [*]You must remember to escape characters correctly when using regex’s, e.g.:
    # pexe:/home/.*/public_html/cgi-bin/script\.cgi
    # puser:bob\d.*
    # pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
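Added example (not part of csf or of the original changelog): a Python check of which processes the pexe and puser entries above would select, and why the escaping note matters. It assumes a pattern has to match the whole field and that these patterns behave the same in Python's re module as in Perl; the unescaped pexe entry and the process records are constructed for the comparison.

```python
import re

# Constructed csf.pignore fragment: the pexe and puser examples from the text
# above, plus a mis-escaped pexe entry (unescaped dot) for comparison.
PIGNORE = r"""
# comment lines and blank lines are skipped
pexe:/home/.*/public_html/cgi-bin/script\.cgi
pexe:/home/.*/public_html/cgi-bin/script.cgi
puser:bob\d.*
"""

# Which process field each regex option is compared against.
FIELDS = {"pexe": "exe", "puser": "user", "pcmd": "cmd"}

def parse_pignore(text):
    """Return (option, pattern, compiled regex) for each regex entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, sep, pattern = line.partition(":")
        if sep and option in FIELDS:
            entries.append((option, pattern, re.compile(pattern)))
    return entries

def matching_entries(entries, proc):
    """Entries that would cause this process to be ignored.

    Assumption: a pattern has to match the whole field (fullmatch).
    """
    return [f"{opt}:{pat}" for opt, pat, rx in entries
            if rx.fullmatch(proc[FIELDS[opt]])]

# Constructed process records: user, executable path, command line.
PROCS = [
    {"user": "alice", "exe": "/home/alice/public_html/cgi-bin/script.cgi", "cmd": "script.cgi"},
    {"user": "eve", "exe": "/home/eve/public_html/cgi-bin/scriptXcgi", "cmd": "scriptXcgi"},
    {"user": "bob12", "exe": "/usr/bin/php", "cmd": "php cron.php"},
    {"user": "bobby", "exe": "/usr/bin/php", "cmd": "php cron.php"},
]

if __name__ == "__main__":
    entries = parse_pignore(PIGNORE)
    for proc in PROCS:
        print(proc["user"], proc["exe"], "->", matching_entries(entries, proc) or "tracked")
```

The second process is ignored only by the entry with the unescaped dot, which is the kind of unintended blind spot the escaping note is about.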

New csf v3.04

Changes:

  • Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you to set the incoming and outgoing ICMP rate limits independently, or to disable rate limiting in either direction completely for ICMP packets

New csf v3.03

Changes:

  • Modified LF_DIRWATCH_FILE to use the output from “ls -lAR” instead of

New csf v3.02

Changes:

  • Modified the text comments at the top of csf.allow for new installs:

    # Note: IP addressess listed in this file will NOT be ignored by lfd, so they
    # can still be blocked. If you do not want lfd to block an IP address you must
    # add it to csf.ignore

  • Removed RELAYHOSTS check from Server Check report
  • Don’t show SMTP_BLOCK check if on a VPS in Server Check report
  • PT_USERKILL, if set, will now also kill user processes that exceed PT_USERPROC
  • Fixed problem where csf.tempusers was not being cleared down on an lfd restart
  • Added two new csf command line options to flush IP’s from the temporary ban list: -tr -tf (see csf -h for more information)

PayPal Donations

We are always extremely grateful for any donation that we receive for our efforts in bringing you our free scripts. After repeated requests, we’ve added Subscription Payments along with our single donations button for those that prefer this method. An example is on the csf page. Thanks again to anyone who donates, no matter the amount, as it does help us spend time on the free projects.

New csf v3.01

Changes:

  • Tightened DNS port configuration restrictions as the old rules were being catered for by iptables connection
  • Added Kerio Mailserver POP3/IMAP regex’s

PHP v4 – R.I.P

A reminder that support for PHP v4 was dropped by the PHP developers at the end of last year. For security and stability (yeah, right) reasons, you should be moving over to PHP v5 exclusively ASAP: http://php.net/#2007-07-13-1

New csf v3.00

Changes:

  • Added progress information to LWP downloads within csf
  • Added numiptent checking for VPS servers. csf will flush iptables and lfd will stop blocking IP’s if numiptent is nearly depleted. This should help prevent VPS lockouts due to insufficient server resources. If this happens, you will either need to reduce the number of iptables rules (e.g. disable Block List usage) or have the VPS provider increase numiptent. A value of ~700-1000 should be fine for most SPI firewall applications with full Block List configuration
  • Added support for the BOGON List (Block List) with LF_BOGON – http://www.cymru.com/Bogons/ See link and csf.conf for more information
  • Enhanced the cpanel.net lookup for httpdupdate.cpanel.net to workaround the lack of rDNS PTR records
  • Fixed problem with RELAYHOSTS not working
  • Removed use of the replace binary

Mrtg error after OS vendor update

If we’ve installed mrtg graphs for you and you’re seeing the following error after your OS vendor updates mrtg:

ERROR: I Quit! Another copy of mrtg seems to be running. Check /etc/mrtg/mrtg.pid
Daemonizing MRTG …

Simply do the following:

rm -fv /etc/cron.d/mrtg
/etc/init.d/mrtg restart

You can ignore any subsequent mrtg errors referring to ETH1.

New csf v2.95

Changes:

  • Reduced memory overhead and added large file skipping for LF_DIRWATCH
  • Improved performance of LF_DIRWATCH trigger checks
  • Fixed problem with LF_SELECT temporarily blocking outbound access on all ports. Now only the relevant inbound only port(s) will be blocked if triggered