csf

Changes:

• DROP_PF_LOGGING disabled by default on new installs as enabling by default will just cause confusion

Changes:

• Removed debugging code from Port Scan Tracking

Changes:

• Set scripts (.pl,.cgi,.php,.sh,.py) in /etc/csf/ to chmod 700
• Simplified PACKET_FILTER rules for dropping INVALID connection tracking states. This feature now only applies a single rule for incoming INVALID packets
• DROP_PF_LOGGING enabled by default on new installs
• INVALID added as an option to PS_PORTS so that PACKET_FILTER logs will be ignored by Port Scan Tracking by default, but can be added if desired
• Modified ST_ENABLE locking
• Regex updates to cater for Plesk 12 – thanks to Marcel Evenson
• Fixed issue with temporary allow/deny comment not being parsed correctly when port * specified

Changes:

• Modified lfd to silently drop ST_ENABLE lock queue entries unless DEBUG is enabled
• Modified ST_ENABLE logging to append to data file and only truncate when needed

Changes:

• Added locking to ST_ENABLE and ST_SYSTEM to prevent child process queues

Changes:

• Fix SMTPAUTH_RESTRICT where IPv6 addresses need to be quoted for exim

Changes:

• Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is triggered, then if LF_DIST_ACTION is a path to a script, it will run the script and pass arguments to it. See csf.conf for more info
• Added limit check on VPS servers when using FASTSTART to ensure there are sufficient numiptents available for all of the iptables rules in that block
• Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to /etc/exim.smtpauth
• Fixed LF_BIND – BIND_LOG was not being added to the log list to watch
• On DirectAdmin servers, added new feature LF_DIRECTADMIN. This option scans DIRECTADMIN_LOG for failed logins and blocks accordingly
• Fixed typo in csf.conf

Changes:

• Added new option DROP_UID_LOGGING which allows UID logging to be disabled for outgoing connections. This option is enabled by default and can be disabled on OS’s that do not support –log-uid
• Preupgrade copy of csf.conf now created in /var/lib/csf/backup/ for use with the csf –profile option
• Updates to sanity.txt for new options
• Modified DSHIELD blocklist URL from feeds.dshield.org/block.txt to www.dshield.org/block.txt for new and existing installs

Changes:

• Make auto.pl scripts more resilient to avoid leaving an incomplete configuration file after upgrades
• Improved output errors if FASTSTART fails
• Ensure UNZIP binary exists before attempting to process GeoLite CSV Country database
• Corrected FASTSTART description in Server Report check
• Modified auto.pl to not automatically enable IPV6 on Virtuozzo/OpenVZ
• Report all errors after csf starts in case they were missed in the main output

Changes:

• Fixed issue with FASTSTART and DROP_PF_LOGGING