New csf v12.09

Changes:

  • Added new option CT_SUBNET_LIMIT. If the total number of connections from a class C (/24) subnet is greater than this value, the offending subnet is blocked according to the other CT_* settings. This option is disabled by default
  • Removed ALTTOR from csf.blocklists on new installations as it has been discontinued
  • Use ConfigServer::Slurp to read csf.resellers to avoid invalid line endings
  • Modified CLUSTER_SENDTO and CLUSTER_RECVFROM so that they can be set to a file instead of listing IPs within the respective setting. See csf.conf for more details
  • Removed open_basedir check on cPanel servers in Server Check
  • Fixed csf.conf typo
  • Updates to Courier IMAP regexes for Plesk
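The CT_SUBNET_LIMIT check described above, as an added illustration (not csf/lfd code): it aggregates established connections per remote IP and per /24 subnet and reports anything over the limit. The netstat-style sample output is constructed, the function names are my own, and the "greater than" comparison follows the wording of the changelog entry.

```python
"""Count connections per remote IP (CT_LIMIT style) and per /24 class C subnet
(CT_SUBNET_LIMIT style) over constructed `netstat -tn` output.
Added illustration only; this is not the csf/lfd implementation."""
import ipaddress
from collections import Counter

# Constructed sample in `netstat -tn` layout (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.8:40001      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.9:40002      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.10:40003     ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.11:40004     ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.5:55555         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.5:55556         TIME_WAIT
tcp6       0      0 2001:db8::10:443        2001:db8:1::5:60000     ESTABLISHED
"""


def parse_remote_ips(netstat_output, states=("ESTABLISHED",)):
    """Return the remote address of every tcp/tcp6 line in one of `states`.
    The port is split off with rsplit so IPv6 literals survive."""
    ips = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP socket
        if fields[5] not in states:
            continue  # TIME_WAIT etc. are not counted
        addr, _port = fields[4].rsplit(":", 1)
        ips.append(ipaddress.ip_address(addr))
    return ips


def count_by_subnet(ips, prefixlen=24):
    """Connections per IPv4 subnet of `prefixlen` bits (24 = class C).
    IPv6 addresses are skipped: the class C limit is an IPv4 concept."""
    counts = Counter()
    for ip in ips:
        if ip.version != 4:
            continue
        counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def offending_ips(ips, ct_limit):
    """IPs with more than `ct_limit` connections (the CT_LIMIT idea)."""
    return sorted(str(ip) for ip, n in Counter(ips).items() if n > ct_limit)


def offending_subnets(ips, ct_subnet_limit, prefixlen=24):
    """Subnets with more than `ct_subnet_limit` connections in total,
    i.e. the candidates a CT_SUBNET_LIMIT check would hand to the CT_* block logic."""
    return sorted(str(net) for net, n in count_by_subnet(ips, prefixlen).items()
                  if n > ct_subnet_limit)


if __name__ == "__main__":
    remote = parse_remote_ips(SAMPLE_NETSTAT)
    print("per-IP over 1:", offending_ips(remote, 1))
    print("per-/24 over 5:", offending_subnets(remote, 5))
```

No single IP in the sample is above a per-IP limit of 5, but the six hosts in 198.51.100.0/24 together are, which is exactly the case the subnet limit is meant to catch.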

New csf v12.07

Changes:

  • Added commented out regex lines in csf.pignore on cPanel servers for the upcoming ubic implementation by cPanel
  • Added port 53 filters in cpanel.comodo.allow on cPanel servers
  • Added postfix support for LF_DISTSMTP
  • Switched Sendmail and URLGET modules from using croak to carp to avoid unexpected parent death from child failure
  • Double fork external commands in DA UI to work around DA mod_perl restrictions, allowing full functionality
  • Added reason text information to IPs and CC_LOOKUPS to netblocks for LF_PERMBLOCK and LF_NETBLOCK reports and csf.deny entries

New csf v12.05

Changes:

  • Removed rbl.jp RBLs from csf.rbls
  • Modified Project Honey Pot blocklist URLs to use https
  • Ignore $SIG{PIPE} when running ipset
  • Ensure csf shows ipset warnings
  • Added osmd to lfd restart routine when cPanel upgrades
  • Modified Server Check to look for underscore as well as dash settings
  • Added test in lfd to ensure the pidfile is open before attempting to close it
  • Added new regex for LF_EXIMSYNTAX
  • Added new option: URLPROXY. If you need csf/lfd to use a proxy, then you can set this option to the URL of the proxy

New csf v12.03

Changes:

  • Make CC_IGNORE check case-insensitive
  • Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, PT_* and PT_SSHDKILL)
  • Updated cxs FontAwesome to v5
  • Added fixes for additional Include line processing
  • Fixed race condition when processing CC_* zip files that could sometimes prevent the csv files from being extracted
  • Updated HTTP::Tiny to v0.070

New csf v12.02

Changes:

  • Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
  • Added more CLI options that work if csf is disabled
  • Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under “Include statement in configuration files” for the list of supported files
  • Added mangle and raw tables to csf --grep [IP] and modified output to show a new column with the table then the chain that a rule is in
  • Added mangle and raw tables to csf --status output and modified output to show a new header line with the table that a rule is in
  • Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
  • Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request); all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This applies to IPv4 only; it does not affect IPv6
  • Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
  • Updated csf.conf documentation relating to the ICMP/PING settings
  • Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps (timestamp request/reply, ICMP types 13 and 14) should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk, but it can impact network performance, so it should be left disabled by everyone else
  • csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
  • USE_CONNTRACK is now enabled by default on new installations
  • Fixed DOCKER IPv6 warning message when DOCKER not enabled
  • Modified csf.blocklists for GREENSNOW to use https on existing and new installations

New csf v12.01

Changes:

  • Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files
  • Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist
  • CC_OLDGEOLITE set to “0” on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set
  • Note: The old MaxMind Geolite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases

New csf v12.00

Changes:

  • Added support for GeoLite2 databases from MaxMind for CC_*. These databases are significantly larger than the soon-to-be-deprecated GeoLite ones stored in /var/lib/csf/
  • Added support for GeoLite2 databases from MaxMind for CC_LOOKUPS and CC6_LOOKUPS
  • Added new option: CC_OLDGEOLITE. This option is enabled by default to continue using the old GeoLite databases. See csf.conf for more information. This option will be removed in the near future so that all installations use the new GeoLite2 databases
  • GeoLite2 lookups now use the CSV files instead of the formatted Data files because the Perl dependencies for the MaxMind Perl modules that access the Data files are prohibitively excessive. We have developed our own fast binary search module to perform the required lookups on the CSV files for both IPv4 and IPv6
  • An advantage of the new GeoLite2 databases is that IPv6 lookups can now be done to the same level as IPv4: Country Code; Country; Region; City; ASN
  • Unified storage of GeoLite2 database to avoid duplication between CC_LOOKUPS and CC_* databases
  • Added new CC_LOOKUPS value of “4”. This option does not use the MaxMind databases directly for lookups. Instead it uses a URL-based lookup from a third-party provider at https://freegeoip.net and so avoids having to download and process the large databases. See csf.conf for more information and limitations
  • Modified CC_INTERVAL default to 14 days on new installations
  • Ensure MESSENGERV2 service will not start if using a valid cPanel account in MESSENGER_USER (must be a non-cPanel account)
  • Create entry in /etc/aliases for “csf” if MESSENGERV2 is enabled on cPanel servers to reserve the account name
  • Added new feature: DOCKER support. This configures iptables rules to allow Docker containers to communicate through the host. This is currently in BETA testing. See csf.conf for more information. Thanks to Marcele for the rules
  • Removed redundant nat table check for ip6tables in Config.pm
  • Replaced all remaining bareword file handles
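The CSV binary-search lookup described in the v12.00 notes above, as an added illustration of the approach (this is not the ConfigServer module). Each network row is converted to an integer address range, the ranges are sorted, and bisect finds the candidate range for an address; the same code serves IPv4 and IPv6 because both are compared as integers. The block rows below are constructed in the GeoLite2 Country "Blocks" CSV column layout (first column network, second geoname_id), and the LOCATIONS dict is a constructed stand-in for the Locations CSV that maps geoname_id to a country code; the function names are my own.

```python
"""Binary search over GeoLite2-style CSV block files for IPv4 and IPv6.
Added illustration of the changelog's approach; not csf code."""
import bisect
import csv
import io
import ipaddress

# Constructed rows in the GeoLite2-Country-Blocks-IPv4.csv column layout.
BLOCKS_IPV4_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
198.51.100.0/24,2635167,2635167,,0,0
203.0.113.0/25,6252001,6252001,,0,0
203.0.113.128/25,2921044,2921044,,0,0
192.0.2.0/24,2750405,2750405,,0,0
"""

# Constructed rows in the GeoLite2-Country-Blocks-IPv6.csv column layout.
BLOCKS_IPV6_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
2001:db8::/48,2635167,2635167,,0,0
2001:db8:1::/48,2921044,2921044,,0,0
"""

# Constructed stand-in for the Locations CSV: geoname_id -> country_iso_code.
LOCATIONS = {"2635167": "GB", "6252001": "US", "2921044": "DE", "2750405": "NL"}


def load_blocks(csv_text):
    """Parse block rows into (starts, rows) where rows is sorted by first address
    and each row is (first_int, last_int, geoname_id). GeoLite2 blocks do not
    overlap, so one sorted list per address family is enough for bisect."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["network"])
        rows.append((int(net.network_address), int(net.broadcast_address),
                     row["geoname_id"]))
    rows.sort()
    starts = [first for first, _last, _gid in rows]
    return starts, rows


def lookup_geoname(table, ip):
    """Return the geoname_id whose range contains `ip`, or None.
    bisect_right - 1 gives the row with the largest first address <= ip;
    the upper bound must then be checked, since ip may fall in a gap."""
    starts, rows = table
    n = int(ipaddress.ip_address(str(ip)))
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None


# One table per address family, selected by the version of the queried address.
TABLES = {4: load_blocks(BLOCKS_IPV4_CSV), 6: load_blocks(BLOCKS_IPV6_CSV)}


def country_code(ip, tables=TABLES, locations=LOCATIONS):
    """Country code for an IPv4 or IPv6 address, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    gid = lookup_geoname(tables[addr.version], addr)
    return locations.get(gid) if gid is not None else None


if __name__ == "__main__":
    for q in ("203.0.113.130", "2001:db8:1::5", "10.0.0.1"):
        print(q, "->", country_code(q))
```

Loading turns the whole CSV into memory once; each query is then O(log n) integer comparisons, which is why a plain sorted list with bisect is enough and no MaxMind reader modules are required.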