csf

New csf v6.47

Changes:

  • Overhaul of Apache regexes to cater for Apache v2.4 formats
  • Fail with an appropriate error if attempting to use an IPv6 address but IPV6 is not enabled
  • Fix to OUTPUT chain final packet failure still logging to LOGDROPOUT when DROP_OUT_LOGGING is disabled
  • Strip leading and trailing spaces from form IP in csf UI
  • DROP_OUT_LOGGING is now enabled by default on new installations
  • ST_ENABLE is now enabled by default on new installations
  • CC_IGNORE rewritten to use CC_LOOKUPS data to ignore countries. This provides a more consistent approach and quicker lookups with reduced memory footprint. CC_LOOKUPS must now be enabled to use CC_IGNORE

New csf v6.46

Changes:

  • HTTP::Tiny reverted to v0.041 as it breaks on some installations

New csf v6.45

Changes:

  • Modified LF_SCRIPT_ALERT to only report detected lines
  • Modified Server Check for sshd_config port to be case-insensitive
  • Modified PORTS_sshd check of sshd_config port to be case-insensitive
  • HTTP::Tiny upgraded to v0.042
  • Reverse sort temp bans in UI

New csf v6.44

Changes:

  • File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs
  • Added Server Reports recommendation for CloudLinux if running CentOS or RedHat
  • Added Server Reports CloudLinux security feature checks
  • Modified Server Report check for dovecot v2
  • Updated Server Report version checks for Fedora, MySQL and Apache
  • Added missing bracket to regex.custom.pm example
  • Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports
  • Added Cached memory to the System Statistics
  • Added full pseudo-breadcrumbs to cPanel csf UI
  • Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See “man csf” and UI for more details of the “csf --profile [OPTIONS]” commands
  • HTTP::Tiny upgraded to v0.041

New csf v6.43

Changes:

  • Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
  • RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to “3” is the recommended option
  • Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
  • csf -dr modified to remove matching IPs from csf.tempip
  • File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit

New csf v6.42

Changes:

  • New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option “3” which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
  • If you are running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
  • csf UI option added for editing csf.syslogusers
  • Fixed a bug in PT_LOAD not producing PS output

New csf v6.41

Changes:

SECURITY WARNING:

  • Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines).
  • Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst.
  • Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users.
  • There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default.
  • See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice
  • NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd. So you should use other such scripts with care
  • Our thanks go to Rack911.com for bringing this issue to our attention
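
An added example (not part of csf or its documentation): a shell audit of who may write to the syslog unix socket, which is the exposure this warning describes and the access that RESTRICT_SYSLOG option “3” in the v6.42 and v6.43 entries above restricts. It assumes GNU stat; the function names and the optional expected-group argument are hypothetical, and the two socket paths are the ones named in the v6.43 entry.

```sh
#!/bin/sh
# Added example: audit write access to the syslog unix socket(s).
# Requires GNU stat. Function names here are hypothetical, not csf's.

# True if an octal mode string (e.g. 666) grants write access to "other".
mode_world_writable() {
    last=${1#"${1%?}"}            # last octal digit = permissions for "other"
    [ $(( last & 2 )) -ne 0 ]
}

# audit_syslog_socket PATH [EXPECTED_GROUP]
# Returns 0 = restricted, 1 = exposed or wrong group, 2 = not a socket.
audit_syslog_socket() {
    path=$1
    want_group=${2:-}
    if [ ! -S "$path" ]; then
        echo "SKIP  $path: not a unix socket"
        return 2
    fi
    # -L follows symlinks: on systemd hosts /dev/log is often a symlink.
    mode=$(stat -L -c '%a' "$path")
    group=$(stat -L -c '%G' "$path")
    if mode_world_writable "$mode"; then
        echo "FAIL  $path: mode $mode lets any local user write log lines"
        return 1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL  $path: group is $group, expected $want_group"
        return 1
    fi
    echo "OK    $path: mode $mode, group $group"
    return 0
}

# Check both socket paths named in the v6.43 entry; non-sockets are skipped.
audit_all() {
    rc=0
    for s in /dev/log /usr/share/cagefs-skeleton/dev/log; do
        audit_syslog_socket "$s" "${1:-}" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# Run as: sh audit.sh run [EXPECTED_GROUP]
if [ "${1:-}" = run ]; then
    audit_all "${2:-}"
fi
```

A FAIL line means log entries in the files fed by that socket can be written by any local account, so lfd options that parse those files should be treated as described in the warning above.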

Other changes:

  • UI design updates and fixes
  • Modify Apache regex to support log lines containing thread ID
  • Prevent lfd from blocking CIDRs triggered from log lines

New csf v6.40

Changes:

  • Fix for LF_INTEGRITY which was non-functional after changes in v6.38

New csf v6.39

Changes:

  • Added error output from IO::Socket::INET for CLUSTER_* commands from csf if present
  • UI HTML fixes and form design elements added
  • Improved error report for invalid csf.conf lines
  • Removed Server Check tmp mountpoint checks

New csf v6.38

Changes:

  • Parameterise calls to system and Open3 where possible
  • HTTP::Tiny upgraded to v0.039
  • Modifications to csftest.pl
  • Removed the UI “Pre-configured settings for Low, Medium or High” as they are outdated and meaningless. Users should go through the csf configuration and set up the firewall for their individual server needs
  • Translate ampersand for HTML output
  • Modified csf.blocklist for new installations to use the SSL URL for the TOR exit list now that they have forced redirection from the non-SSL URL, with a note to change URLGET to use LWP
  • Modified csf.blocklist for new installations to specify an alternative TOR exit node list