csf

Changes:

• Check /sys/module/ipt_recent/parameters/ip_pkt_list_tot or /sys/module/xt_recent/parameters/ip_pkt_list_tot if defined to allow higher settings for PORTFLOOD than the default of 20 if configured
• Added LimitNOFILE to lfd.service on servers using systemd to allow for large numbers of open files
• Cater for full stops (.) in ethernet device names
• Moved Perl module checks until after csf installation has completed so that all included modules exist in /usr/local/csf/lib/

Changes:

• Fixed csf.sips modification via UI on Redhat/CentOS v7.1
• Raised csf.blocklist names from 9 to 25 characters long. This cannot be greater due to limits on ipset names on some OS’s and the use of prepended names for new ipset list swapping
• Added output from netstat for PT_LOAD to loadalert.txt for new installs. For existing installs, latest file copied to /usr/local/csf/tpl/loadalert.txt.new

Changes:

• Ensure spaces are stripped from values in /etc/cpanel/ea4/paths.conf on cPanel servers
• Fixed issue with csf –add [ip] not always removing [ip] if present from csf.deny
• Modified the LF_QOS regex to cater for additional log formats

Changes:

• Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel servers for Pyzor that was added by cPanel in v11.52
• Support added for EasyApache4 log locations in cPanel from /etc/cpanel/ea4/paths.conf
• Added more executable files to csf.pignore on cPanel servers for cPanel EasyApache4
• Modify Server Check to support cPanel EasyApache4
• Added regex to support cPanel/WHM login failures with the new log format in v11.52+
• If mod_ruid2 is enabled do not check for mod_userdir in Server Check
• Always ensure binary exists and is executable before performing processing during Server Check
• Modified ProFTPD regex to support more formats
• vsftpd inbuilt log file format regex added
• Modified cPanel antirelayd Server Check to also support popbeforesmtp added in v11.52
• Added dbus and time systemd regexes to csf.logignore for new installs

Changes:

• Added alarms to HOST binary calls
• Added new csf CLI option: –rbl [email]. This generates the report checking IP addresses against a set of RBLs. Optional configuration is available through /etc/csf/csf.rblconf
• Added UI to utilise the new –rbl [email] option
• Added systemd status output after lfd restart via the csf CLI
• Modified Server Check to only report bind if a named configuration file exists
• Require cPanel resellers to enter a Comment when allowing or denying an IP
• Added new option UI_IP to allow binding to a specific IP address for the integrated UI

We wanted to reiterate the points made in the csf configuration and during csf restart regarding the PT_USERKILL option and the problems it can cause on servers as there appears to have been a spate of people enabling the option, which we do not recommend for stability reasons.

As csf itself now reports:

*WARNING* PT_USERKILL should not normally be enabled as it can easily 
lead to legitimate processes being terminated, use csf.pignore instead

And as stated in /etc/csf/csf.conf:

# Warning: We don't recommend enabling this option unless absolutely necessary
# as it can cause unexpected problems when processes are suddenly terminated.
# It can also lead to system processes being terminated which could cause
# stability issues. It is much better to leave this option disabled and to
# investigate each case as it is reported when the triggers above are breached

Changes:

• Added more executable files to csf.pignore on cPanel servers for cPanel v11.5*+
• Added warning to both csf output and Server Check report if PT_USERKILL is enabled

Changes:

• Fixed bug where iptables nat tables were not being flushed or grepped correctly

Changes:

• Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
• Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
• Added new csf CLI option: –lfd [stop|start|restart|status]. Actions to take with the lfd daemon
• Added new csf CLI option: -ra, –restartall. Restart firewall rules (csf) and then restart lfd daemon
• Fixed several output message typos for “FASTSTART”
• Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel
• Improve IPv6 detection on installation
• Implemented more efficient csf.conf loading in ConfigServer::Config

Changes:

• Modify ConfigServer::CheckIP to cope with entries not passed by reference