cPanel

Changes:

• If LF_SELECT is enabled the port(s) listed in PORTS_* can now be specifed as port;protocol,port;protocol, e.g. “53;udp,53;tcp” to allow for protocol specific port blocks. This port format can also now be used in regex.custom.pm  and csf –td/–ta to allow udp port blocks
• PORTS_bind now defaults to “53;udp,53;tcp” on new installations
• PORTS_directadmin added for DA installs to allow for per port blocks if LF_SELECT is enabled
• Ports 993 and 995 now added to TCP_OUT and TCP6_OUT on new installs
• LF_IPSET taken out of BETA as it is proving stable
• Modified Server Check to skip checking xinetd on Plesk servers
• Modified UI_SSL_VERSION for new installations to use the new IO::Socket::SSL default SSL_version setting of SSLv23:!SSLv3:!SSLv2 so that SSLv3 is disabled
• If systemd is running the installer disables firewalld using systemctl

Changes:

• Added IPv4/IPv6 column to show whether the port in the csf –ports option is listed in *_IN (e.g. TCP_IN)
• Added IPv4/IPv6 column to show the number of ESTABLISHED connections to the port in the csf –ports
• Modified Server Check text from “SMTP Tweak” to “SMTP Restrictions” for cPanel/WHM UI
• Added the following to LF_IPSET for IPv4 IPs and CIDRs: /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. IPv6 IPs, Advanced Allow Filters and temporary blocks use traditional iptables
• Modified ipset information in csf.conf including that only ipset v6+ is supported
• Modified ConfigServer::Slurp to carp instead of croak
• Improvements to Server Check nameserver checking to include IPv6 servers and better determine how many are local nameservers
• Modified csf –graphs to append a trailing slash if missing to directory name

Changes:

• Modified Slurp.pm to use O_RDONLY instead of O_RDWR

Changes:

• Fixed issue with Restricted UI items sanity checks failing

Changes:

• Removed duplicate “Search System Logs” button from the UI

Changes:

• Added new BETA options LF_IPSET, IPSET. Use ipset for CC_* and csf.blocklist bulk list matching. See csf.conf for more info
• Added new UI option to view ports on the server that have a running process behind them listening for external connections
• Added new CLI option (csf -p, csf –ports) to view ports on the server that have a running process behind them listening for external connections
• Added new CLI option (csf –graphs) to Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
• If using DYNDNS and the FQDN has multiple A records then all IP addresses will now be allowed
• IPv6 support added to DYNDNS. Requires the Perl module Socket6 from cpan.org to be installed
• On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin if installed and logging enabled via CustomBuild v2+. Failures will contribute to the LF_DIRECTADMIN trigger level for that IP
• On DA servers, FTPD_LOG now defaults to /var/log/messages on new installs
• Added exe:/usr/libexec/dovecot/anvil to csf.pignore for new installs on DA
• Added to UI count of entries in /etc/csf/csf.allow
• Added blocklist.de to csf.blocklists for new installs, latest file copied to /etc/csf/csf.blocklists.new on existing installs
• Started moving common functions to separate modules within csf
• HTTP::Tiny upgraded to v0.050
• Fixed csf stop/start routines on reboot for servers using systemd
• Modified integrated UI to display die errors to browser
• Modified X_ARF report to use a self-published schema: http://download.configserver.com/abuse_login-attack_0.2.json
• Modified X_ARF to lowercase the Source-Type field
• Modified X_ARF template to use the v0.2 “X-XARF: PLAIN” header field
• Updated restricted UI items
• Geo::IP upgraded to v1.45
• Crypt::CBC upgraded to v2.33

Changes:

• Updated installer to fix generic installs on some Redhat/CentOS setups
• Fixed issue with temporary allow/deny not applying individual port rules for outgoing connections