csf

csf no longer processing LF_SCRIPT_ALERT

Because of the changes made to exim in response to CVE-2016-1531, exim no longer reports the location of the script that it was initiated from. This means that the LF_SCRIPT_* options will no longer function.

EDIT: We have just been informed by cPanel that they have developed a workaround that will be released imminently for EXIM that should restore the functionality. Yay!

New csf v8.16

Changes:

  • Removed UI integration from CentOS Web Panel as recent permission changes break the implementation. The csf installer will restore the original functionality

Problems upgrading to csf v8.15?

If you see this error on upgrading csf (if you installed v8.14 before 8.15 replaced that release):

# csf -u
Can't locate object method "ssl_opts" via package "LWP::UserAgent" at /usr/local/csf/lib/ConfigServer/URLGet.pm line 142.

You can fix the code and then upgrade using:

# sed -i "s/\$ua->ssl_opts/#\$ua->ssl_opts/" /usr/local/csf/lib/ConfigServer/URLGet.pm
# csf -u

New csf v8.15

Changes:

  • Added new configuration option IP to point to the IP binary. This will be used in preference to IFCONFIG; the latter is no longer required when the IP binary is correctly configured and executable
  • Added full UI integration into CentOS Web Panel (CWP). To disable integration:
    Rename: /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.orig.php
    to:     /usr/local/cwpsrv/htdocs/resources/admin/modules/csf.php
    create: /etc/csf/cwp.disable
  • Updated Postfix SMTP AUTH regex (thanks to Marcele)
  • Added support for /etc/csf/csf.blocklists in ZIP format. The zip file MUST only contain a single text file of a single IP/CIDR per line
  • Added Stop Forum Spam (ZIP) example to csf.blocklists
  • Added IPV6 support to csf.sips
  • Fixed detection of ip6tables nat
  • Removed development code for ispconfig from distribution as this should NOT be used. It has never been implemented nor released as a supported solution and is likely to be insecure. Upgrading will remove any installations of this development code
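
The v8.15 ZIP blocklist constraint above (a single text file, one IP/CIDR per line) can be checked before a downloaded archive is handed to the firewall. The following Python sketch is an added example, not part of csf; the function names, the 50 MiB size cap and the tolerance of blank lines are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import io
import ipaddress
import zipfile

MAX_UNCOMPRESSED = 50 * 1024 * 1024  # assumed cap, guards against zip bombs

def validate_blocklist_zip(data, max_size=MAX_UNCOMPRESSED):
    """Return (networks, errors) for a ZIP blocklist held in memory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [], ["not a valid ZIP archive"]
    with zf:
        # The archive must contain exactly one file (directory entries ignored).
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:
            return [], [f"expected exactly 1 file, found {len(members)}"]
        if members[0].file_size > max_size:
            return [], [f"declared size exceeds {max_size} bytes"]
        # Bounded read as a second guard, independent of the declared size.
        with zf.open(members[0]) as fh:
            raw = fh.read(max_size + 1)
    if len(raw) > max_size:
        return [], [f"uncompressed data exceeds {max_size} bytes"]
    networks, errors = [], []
    for lineno, line in enumerate(raw.decode("ascii", "replace").splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue  # assumption: blank lines are tolerated
        try:
            # strict=False accepts a bare address (as /32 or /128) or a CIDR.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append(f"line {lineno}: not an IP/CIDR: {entry!r}")
    return networks, errors

def build_zip(files):
    """Build an in-memory ZIP from {name: text} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample using documentation address ranges.
    sample = build_zip({"list.txt": "192.0.2.10\n198.51.100.0/24\nnot-an-ip\n"})
    nets, errs = validate_blocklist_zip(sample)
    print([str(n) for n in nets], errs)
```

An archive with any reported error should be rejected as a whole rather than partially loaded.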

New csf v8.13

Changes:

  • Added /usr/local/cpanel/3rdparty/php/54/sbin/php-fpm to csf.pignore for cPanel installs
  • Clarify cluster CLI commands that refer to remote server actions
  • Added number of failures to the RBL check Subject field
  • Modified Port Scan checks for more kernel log line formats in regex.pm

New csf v8.12

Changes:

  • Additional Feature: Added support for listing ASNs in all Country Code (CC_*) options
  • Fixed GLOBAL_ALLOW and GLOBAL_DENY when LF_IPSET is enabled
  • Fixed GLOBAL_DYNDNS when LF_IPSET and LF_IPV6 are enabled
  • IPSET binary location set to /sbin/ipset for Debian/Ubuntu new installs
  • Additional regex included for vsftp login failures

New csf v8.11

Changes:

  • Fixed issue on non-RedHat OS installations that failed due to problems whitelisting the installer's IP address

New csf v8.10

Changes:

  • Fixed issues with new non-RedHat OS installations by reasserting perl module check to the start of the installation process but removing included modules from checks
  • Ports 2079 and 2080 added to TCP_IN for new cPanel installs to allow CalDAV/CardDAV access

New csf v8.09

Changes:

  • Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or /sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow higher settings for PORTFLOOD than the default of 20 if configured
  • Added LimitNOFILE to lfd.service on servers using systemd to allow for large numbers of open files
  • Cater for full stops (.) in ethernet device names
  • Moved Perl module checks until after csf installation has completed so that all included modules exist in /usr/local/csf/lib/

New csf v8.08

Changes:

  • Fixed csf.sips modification via UI on Redhat/CentOS v7.1
  • Raised csf.blocklist names from 9 to 25 characters long. This cannot be greater due to limits on ipset names on some OS’s and the use of prepended names for new ipset list swapping
  • Added output from netstat for PT_LOAD to loadalert.txt for new installs. For existing installs, latest file copied to /usr/local/csf/tpl/loadalert.txt.new