cPanel

Changes:

• Fixed a mis-configuation for outgoing global deny rule – Thanks to Marie from Jagwire Hosting
• Allow advanced allow and block filters using the -a and -d options when running csf in CLI
• Added new option LF_SELECT. If you have LF_TRIGGER set to “0” and the application trigger levels set, you can now set LF_SELECT to “1” if you only want to block IP access to that application instead of a complete block
• Changed installer behaviour to only add SSH port to TCP_IN if TESTING is set to “1” – done to help those that don’t want to always have the SSH port opened

Fixes and Features:

• Modified lfd init procedure to use the init functions
• Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to “0” then lfd will instead trigger blocks based on the value of the application trigger, e.g. if LF_MODSEC is set to “3” then it will trigger on 3 mod_security alerts. Or if LF_POP3D is set to “10” then it will trigger on 10 pop3d login failures. When in this mode, i.e. with LF_TRIGGER set to “0”, login failures for different triggers are not cumulative, whereis LF_TRIGGER set to a number > “0” they are cumulative as before
• Modification to csf.conf to reflect the changes to LF_TRIGGER – only applied to new installations
• Rewrite of the iptables command invocation in lfd.pl to trap iptables errors and shutdown firewall if any found – should help prevent lockouts
• Allow advanced rules in Global Allow and Deny lists. Input and Output direction support included.
• Added Global Allow and Deny lists to the OUTPUT chain as well as the INPUT chain
• Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to ignore. Updated WHM UI to allow easy file edits

Fixes and features:

• Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH from the cPanel configuration
• Added maildir check to Security Check
• Fixed a typo in advanced rules – Thank you to Victor from Touch Support for pointing this out
• Added binary executable check for LF_DIRWATCH files
• Added core dump check in cron directories to LF_DIRWATCH
• Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match
• Increased LF_DIRWATCH timeout from 10 to 20 seconds – if you still find it timing out, make sure that you have been clearing down your tmp directories

Changes:

• Added CIDR recognition to csf.ignore
• Rewrite of the iptables command invocation in csf.pl to trap iptables errors and shutdown firewall if any found – should help prevent lockouts

Bug fix:

• Fixed a problem on some installations where the update process emptied out csf.conf. If this has happened, you will need to remove /etc/csf/csf.conf and then rerun the installation procedure and reconfigure the firewall. If you’re already running at least v2.18 you can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf and then upgrade to this release

New features and bugs fixed:

• Fixed an issue with checking the /var/tmp symlink by comparing the inodes of /tmp and the symlink destination of /var/tmp
• Added checking of /usr/tmp
• Added checking of SSH PasswordAuthentication
• Modified update routine to take a copy of csf.conf before upgrading – the backup file is /etc/csf/csf.conf.preupdate
• Added check in /etc/cron.daily/logrotate for /tmp noexec workaround