New csf v12.02

Changes:

  • Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
  • Added more CLI options that work if csf is disabled
  • Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under “Include statement in configuration files” for the list of supported files
  • Added mangle and raw tables to csf –grep [IP] and modified output to show a new column with the table then the chain that a rule is in
  • Added mangle and raw tables to csf –status output and modified output to show a new header line with the table that a rule is in
  • Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
  • Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6
  • Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
  • Updated csf.conf documentation relating to the ICMP/PING settings
  • Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk but can impact network performance, so should be left disabled by everyone else
  • csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
  • USE_CONNTRACK is now enabled by default on new installations
  • Fixed DOCKER IPv6 warning message when DOCKER not enabled
  • Modified csf.blocklists for GREENSNOW to use https on existing and new installations

New csf v12.01

Changes:

  • Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files
  • Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist
  • CC_OLDGEOLITE set to “0” on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set
  • Note: The old MaxMind Geolite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases

New csf v12.00

Changes:

  • Added support for GeoLite2 databases from Maxmind for CC_*. These databases are significantly larger than the soon to be deprecated GeoLite ones stored in /var/lib/csf/
  • Added support for GeoLite2 databases from Maxmind for CC_LOOKUPS and CC6_LOOKUPS
  • Added new option: CC_OLDGEOLITE. This option is enabled by default to continue using the old GeoLite databases. See csf.conf for more information. This option will be removed in the near future so that all installations use the new GeoLite2 databases
  • GeoLite2 lookups now use the CSV files instead of the formatted Data files because the Perl dependencies for the MaxMind Perl modules that access the Data files are prohibitively excessive. We have developed our own fast binary search module to perform the required lookups on the CSV files for both IPv4 and IPv6
  • An advantage of the new GeoLite2 databases is that IPv6 lookups can now be done to the same level as IPv4: Country Code; Country; Region; City; ASN
  • Unified storage of GeoLite2 database to avoid duplication between CC_LOOKUPS and CC_* databases
  • Added new CC_LOOKUPS value of “4”. This option does not use the MaxMind databases directly for lookups. Instead it uses a URL-based lookup from a third-party provider at https://freegeoip.net and so avoids having to download and process the large databases. See csf.conf for more information and limitations
  • Modified CC_INTERVAL default to 14 days on new installations
  • Ensure MESSENGERV2 service will not start if using a valid cPanel account in MESSENGER_USER (must be non-cPanel account)
  • Create entry in /etc/aliases for “csf” if MESSENGERV2 is enabled on cPanel servers to reserve the account name
  • Added new feature: DOCKER support. This configures iptables rules to allow Docker containers to communicate through the host. This is currently in BETA testing. See csf.conf for more information. Thanks to Marcele for the rules
  • Removed redundant nat table check for ip6tables in Config.pm
  • Replaced all remaining bareword file handles

New csf v11.07

Changes:

  • Added missing WAITLOCK to iptables when processing advanced port filters in csf and lfd and checking csf status in UI
  • Added WAITLOCK, if enabled, to iptables-restore commands during FASTSTART
  • Server Check Report – removed ini_set check as so many scripts use ini_set nowadays. Updated text on various checks
  • Updated the postfix SMTP AUTH regex
  • Added new SSHD “maximum authentication attempts exceeded” regex
  • Set basic PATH before running csfpre.sh/csfpost.sh to avoid binary location issues
  • csf now runs csfpre.sh/csfpost.sh directly without forcing it through /bin/sh. If present, csf chmods the script 0700 and checks for a shebang. If the shebang is missing #!/bin/bash is added to the top. The script is then run
  • Added seventh parameter to regex.custom.pm to allow Cloudflare blocking if a CUSTOM regex is triggered (see latest regex.custom.pm in distro)
  • Rearranged UI tabs and shortened tab names. Moved quick actions to the top of the “csf” tab pane
  • Added “AUTH command used when not advertised” to the LF_EXIMSYNTAX regex check
  • Added new csf CLI cluster option: -ci, –cignore ip [comment] This will add the IP to each remote /etc/csf/csf.ignore member and then restart lfd. This has also been added to the UI
  • Fixed cluster grep output in UI
  • Modified MESSENGERV2 to support combined certificates+keys in cPanel v68+
  • Added triggered setting and, if applicable, temporary TTL to the “Blocked:” status in block alert emails
  • Added “wildcard” option to “Search System Logs” UI to use ZGREP to search the specified log with a wildcard suffix
  • ZGREP option added to csf.conf which must point to the zgrep binary
  • Added git binaries to csf.pignore on cPanel servers for upcoming v72/74 features

New csf v11.06

Changes:

  • Modified Integrated UI to use new cxs UI perl modules
  • Added custom redirect line for webmin UI when STYLE_CUSTOM enabled
  • Ensure ip6tables nat table is flushed if present whether MESSENGER is enabled or not

New csf v11.05

Changes:

  • Added new configuration option PT_SSHDKILL. This option will terminate the SSH processes created when blocking an IP
  • Added a “Fix Common Problems” section to the csf UI for various common configuration issues
  • Ensure application ports are always defined in lfd

New csf v11.04

Changes:

  • Added new configuration option LF_APACHE_ERRPORT. This option is used to determine if the Apache error_log format contains the client port after the client IP. By default it is set to autodetect

New csf v11.02

Changes:

  • Integrated UI fix for CloudFlare page
  • Removed non-participated deny options for cxs reputation service
  • Changed PT_SSHDHUNG to use a regex for process cmdline detection
  • Fixed issue with IPv6 client detection in Apache logs

New csf v11.01

Changes:

  • Corrections to readme.txt
  • In UI, display long output into fixed height divs with scrollbars and font size changer
  • Modified Server Check to not display the mod_cloudflare warning if CF_ENABLE enabled
  • Modified Server Check to display a single warning for each PHP check listing affected versions instead of multiple warnings
  • Additional exim check added to Server Check
  • Improvements to ajax output in UI