csf

New csf v6.27

Changes:

  • Modified Apache regexes for Apache v2.4+
  • Fixed UI configurable lines display for lfd.log
  • Fixed length display text for CLUSTER_KEY in csf.conf
  • Ignore suspendedpage.cgi triggers for LF_SYMLINK on cPanel servers
  • Updated sanity checks and ranges for csf.conf settings
  • Added RESTRICT_UI to Server Check recommended options
  • Modified Virtuozzo/OpenVZ FTP port check to verify kernel version before issuing PASV port warning
  • Added new setting PS_DIVERSITY, which specifies how many different ports must be hit for activity to qualify as a Port Scan. Increasing this value carries a risk: persistent attempts to attack a specific closed port will not be detected and blocked. The setting defaults to the original setting of 1
  • Added 3 LF_HTACCESS regexes for nginx. Remember to set MODSEC_LOG correctly for the location of the nginx error log
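
The trade-off behind PS_DIVERSITY, as an added example (not lfd's own code): a simplified model in which a source is blocked once it has at least `limit` blocked packets within `interval` seconds, spread over at least `diversity` distinct destination ports. The `limit` and `interval` parameters, the log lines and the addresses are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Matches the time, source IP and destination port of an iptables-style log line.
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?\bSRC=(\S+) .*?\bDPT=(\d+)")

def make_line(sec, src, dpt):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f"Jun 24 16:51:{sec:02d} host kernel: Firewall: IN=eth0 "
            f"SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt}")

# Constructed sample: one source sweeps five closed ports, another hammers one.
SWEEPER, HAMMERER = "203.0.113.7", "198.51.100.9"
SAMPLE_LOG = [make_line(i, SWEEPER, p) for i, p in enumerate([21, 23, 25, 110, 143])]
SAMPLE_LOG += [make_line(10 + i, HAMMERER, 3389) for i in range(12)]

def detect_scans(lines, diversity=1, limit=5, interval=60):
    """Return the sources this model would block.

    limit and interval are assumptions of the example; diversity plays the
    role of PS_DIVERSITY: the number of distinct ports that must be hit.
    """
    recent = defaultdict(deque)  # src -> (timestamp, port) hits inside the window
    blocked = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall block entry
        h, mi, s, src, dpt = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)
        hits = recent[src]
        hits.append((now, int(dpt)))
        while now - hits[0][0] > interval:  # expire hits older than the window
            hits.popleft()
        distinct_ports = {port for _, port in hits}
        if len(hits) >= limit and len(distinct_ports) >= diversity:
            blocked.add(src)
    return blocked

if __name__ == "__main__":
    for d in (1, 3):
        print(f"diversity={d}: blocked {sorted(detect_scans(SAMPLE_LOG, diversity=d))}")
```

With a diversity of 1 both sources are blocked; at 3 only the sweeper is, and the source repeatedly hitting a single closed port goes undetected.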

New csf v6.26

Changes:

  • Fixed UI issue with some settings sent via the Cluster Config option
  • Modified CONNLIMIT_LOGGING rule insertion point
  • Added new feature: Outgoing UDP Flood Protection. This option limits outbound UDP packet floods. These typically originate from exploit scripts uploaded through vulnerable web scripts. The feature is controlled by: UDPFLOOD, UDPFLOOD_LIMIT, UDPFLOOD_BURST, UDPFLOOD_LOGGING, UDPFLOOD_ALLOWUSER
  • Update the TOR URL in existing /etc/csf/csf.blocklists file if still set to the old URL

New csf v6.25

Changes:

  • Fixed UI “Temporary IP entries > Flush all temporary IP entries”
  • Fixed UI_USER and UI_PASS being emptied on saving the firewall configuration through the UI
  • Fixed CLUSTER_KEY not displaying when RESTRICT_UI is disabled

New csf v6.24

Changes:

  • Security – Removed items from Cluster Config UI option if RESTRICT_UI enabled

New csf v6.23

Changes:

  • Security – added new option RESTRICT_UI. This option restricts the ability to modify settings within csf.conf from the csf UI. Should the parent control panel be compromised, these restricted options could be used to further compromise the server. This option is enabled by default on all installations
  • Added entries to csf.pignore on new installations on cPanel servers for Dovecot v2.2 (cPanel v11.40+)
  • Fixed UI Template validation error message

New csf v6.22

Changes:

  • Security Fix – Sanitised user data input to prevent running unauthorised commands via the UI. A user would require root access to exploit this, so the risk from this vulnerability is probably low. Thanks to Steven at Rack911.com for reporting this issue
  • Added Password ENV variable check to Server Check on cPanel servers
  • Updated cPanel ACL Driver installations to force a cache update using “touch” instead of removing the cache
  • Modified TOR URL in /etc/csf/csf.blocklists to use:
    http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

New csf v6.21

Changes:

  • Modified auto-update logic to only create the /etc/cron.d/csf_update file if it does not already exist
  • Fixed permissions on csf man file and directory
  • Modified webmin module paths to be relative rather than absolute so that webmin via mod_proxy works correctly
  • Fixed “in” direction --tempallow/--tempdeny leaking into [comment]
  • Added nginx regex for ModSecurity rule detection. Remember to set MODSEC_LOG correctly for the location of the nginx error log
  • Fixed file permission/ownership problem on DirectAdmin servers for the /plugins directory

New csf v6.20

Changes:

  • Introduced a new directory structure to get closer to the Linux
    Filesystem Hierarchy Standard (FHS):

    /etc/csf/           - (mostly) configuration files
    /var/lib/csf/       - temporary data files
    /usr/local/csf/bin/ - scripts
    /usr/local/csf/lib/ - perl modules and static data
    /usr/local/csf/tpl/ - email alert templates

    Existing data and template files are migrated into the new structure automatically. Some files and directories are symlinked to /etc/csf/ for backwards compatibility and ease of use. See the following for individual file locations in the new configuration:
    http://blog.configserver.com/?p=7

  • CC_LOOKUPS rDNS reporting improvements
  • HTTP::Tiny upgraded to v0.033
  • Removed Security Token check from Server Check Report now that it is implicitly set in v11.18.0+
  • Switched the location of the csf.pl and lfd.pl binaries with their symlinks
  • Code tidy for servercheck.pm, csfui.pl
  • Allow comments to be appended to csf --tempdeny and csf --tempallow in the same way as csf --deny and csf --allow. Also made the options more flexible in usage of optional elements
  • Added Comments field to UI for Quick Allow, Quick Deny, and Temporary Allow/Deny
  • Added csf(1) man page and changed csf --help to use a text version of the new man page
  • Fixed unnecessary open of csf.fignore

Forthcoming csf file and directory changes

In the next release (due in the next few days) we will be moving csf towards the Linux Filesystem Hierarchy Standard (FHS), rather than installing everything in /etc/csf/. The following structure will be used:

        /etc/csf/           - (mostly) configuration files
        /var/lib/csf/       - temporary data files
        /usr/local/csf/bin/ - scripts
        /usr/local/csf/lib/ - perl modules and static data
        /usr/local/csf/tpl/ - email alert templates

The functionality and usage of csf remains the same with the csf CLI running from /usr/sbin/csf as it does now. The main difference will be the storing of temporary data in /var/lib/csf/. All the configuration files (apart from the email alert templates and regex.custom.pm) remain in /etc/csf/.

Existing data and template files are migrated into the new structure automatically when upgrading to the new version. Some files and directories are symlinked to /etc/csf/ for backwards compatibility and ease of use. Nothing needs to be done at all other than performing a standard upgrade.

This is being provided for information more than anything else, in case you panic because things appear to have suddenly disappeared from your installation. If you are modifying csf through anything other than the provided CLI or modification of the configuration files, you will have to take into consideration the location of, for example, the temporary data.

Here is a sample listing from those directories:

/etc/csf:
total 504
drw-------  4 root root   4096 Jun 24 16:30 ./
drwx--x--x 77 root root  12288 Jun 24 16:56 ../
lrwxrwxrwx  1 root root     18 Jun 20 12:05 alerts -> /usr/local/csf/tpl/
-rw-------  1 root root 145160 Jun 23 11:04 changelog.txt
-rw-------  1 root root    860 Mar 11 11:56 csf.allow
-rw-------  1 root root   3216 Jun 23 11:04 csf.blocklists
-rw-------  1 root root  78924 Jun 23 11:04 csf.conf
-rw-------  1 root root  78924 Jun 23 11:04 csf.conf.preupdate
-rw-------  1 root root  16761 Jun 24 09:24 csf.deny
-rw-------  1 root root    617 Mar  7 17:13 csf.dirwatch
-rw-------  1 root root    712 Mar  7 17:13 csf.dyndns
-rw-------  1 root root    923 Mar  7 17:12 csf.fignore
-rw-------  1 root root    554 Mar 11 11:56 csf.ignore
-rw-------  1 root root    657 Mar  7 17:12 csf.logfiles
-rw-------  1 root root   1949 May  9 16:07 csf.logignore
-rw-------  1 root root    408 Mar  7 17:13 csf.mignore
-rw-------  1 root root   3137 Mar  7 18:01 csf.pignore
lrwxrwxrwx  1 root root     13 Jun 23 11:04 csf.pl -> /usr/sbin/csf*
-rw-------  1 root root   1142 Mar  7 17:13 csf.redirect
-rw-------  1 root root   1938 Mar  7 17:13 csf.resellers
-rw-------  1 root root   1622 Mar  7 17:13 csf.rignore
-rw-------  1 root root    413 Mar  7 17:13 csf.signore
-rw-------  1 root root    510 Mar  7 17:13 csf.sips
-rw-------  1 root root    368 Mar  7 17:13 csf.suignore
lrwxrwxrwx  1 root root     29 Jun 23 11:04 csftest.pl -> /usr/local/csf/bin/csftest.pl*
-rw-------  1 root root    457 Jun  1 15:31 csf.uidignore
lrwxrwxrwx  1 root root     27 Jun 23 11:04 csfui.pl -> /usr/local/csf/bin/csfui.pl*
lrwxrwxrwx  1 root root     28 Jun 23 11:04 csfwebmin.tgz -> /usr/local/csf/csfwebmin.tgz
-rw-------  1 root root   2609 Jun 23 11:04 install.txt
lrwxrwxrwx  1 root root     13 Jun 23 11:04 lfd.pl -> /usr/sbin/lfd*
-rw-------  1 root root  10174 Jun 23 11:04 license.txt
drw-------  2 root root   4096 Mar  7 17:12 messenger/
lrwxrwxrwx  1 root root     39 Jun 23 11:04 pt_deleted_action.pl -> /usr/local/csf/bin/pt_deleted_action.pl*
-rw-------  1 root root  50354 Jun 23 11:04 readme.txt
lrwxrwxrwx  1 root root     34 Jun 24 16:30 regex.custom.pm -> /usr/local/csf/bin/regex.custom.pm*
lrwxrwxrwx  1 root root     36 Jun 23 11:04 remove_apf_bfd.sh -> /usr/local/csf/bin/remove_apf_bfd.sh*
drw-------  3 root root   4096 Jun 17 16:12 ui/
lrwxrwxrwx  1 root root     31 Jun 23 11:04 uninstall.sh -> /usr/local/csf/bin/uninstall.sh*
-rw-------  1 root root      4 Jun 23 11:04 version.txt
lrwxrwxrwx  1 root root     25 Jun 23 11:04 webmin -> /usr/local/csf/lib/webmin/

/usr/local/csf:
total 36
drw-------  5 root root  4096 Jun 23 11:04 ./
drwxr-xr-x 21 root root  4096 Jun 20 12:05 ../
drw-------  2 root root  4096 Jun 20 12:05 bin/
-rw-------  1 root root 15485 Jun 23 11:04 csfwebmin.tgz
drw-------  7 root root  4096 Jun 22 11:48 lib/
drw-------  2 root root  4096 Jun 20 12:05 tpl/

/usr/local/csf/bin:
total 436
drw------- 2 root root   4096 Jun 20 12:05 ./
drw------- 5 root root   4096 Jun 23 11:04 ../
-rwx------ 1 root root  32992 Jun 23 11:04 cseui.pl*
-rwx------ 1 root root   5877 Jun 23 11:04 csftest.pl*
-rwx------ 1 root root 238031 Jun 23 11:04 csfui.pl*
-rwx------ 1 root root  11817 Jun 23 11:04 csfuir.pl*
-rwx------ 1 root root   4587 Jun 17 16:12 migratedata.pl*
-rwx------ 1 root root   1151 Jun 13 15:47 pt_deleted_action.pl*
-rwx------ 1 root root   2077 Mar  7 17:13 regex.custom.pm*
-rwx------ 1 root root  25367 Jun 23 11:04 regex.pm*
-rwx------ 1 root root    397 Jun 23 11:04 remove_apf_bfd.sh*
-rwx------ 1 root root  75613 Jun 23 11:04 servercheck.pm*
-rwx------ 1 root root   1019 Jun 23 11:04 uninstall.sh*

/usr/local/csf/lib:
total 52
drw------- 7 root root  4096 Jun 22 11:48 ./
drw------- 5 root root  4096 Jun 23 11:04 ../
drw------- 2 root root  4096 Jun 23 11:04 Crypt/
-rw------- 1 root root 14349 Jun 23 11:04 csf.div
-rw------- 1 root root  3745 Jun 23 11:04 csf.help
drw------- 3 root root  4096 Jun 23 11:04 Geo/
drw------- 2 root root  4096 Jun 23 11:04 HTTP/
drw------- 3 root root  4096 Jun 23 11:03 Net/
-rw------- 1 root root  3857 Jun 23 11:04 sanity.txt
drw------- 3 root root  4096 Jun 23 11:04 webmin/

/usr/local/csf/tpl:
total 136
drw------- 2 root root 4096 Jun 20 12:05 ./
drw------- 5 root root 4096 Jun 23 11:04 ../
-rw------- 1 root root  124 Mar  7 17:13 accounttracking.txt
-rw------- 1 root root  181 Mar  7 17:12 alert.txt
-rw------- 1 root root  192 Mar  7 17:13 connectiontracking.txt
-rw------- 1 root root   76 Mar  7 17:12 consolealert.txt
-rw------- 1 root root  136 Mar  7 17:13 cpanelalert.txt
-rw------- 1 root root  129 Mar  7 17:12 exploitalert.txt
-rw------- 1 root root  151 Mar  7 17:12 filealert.txt
-rw------- 1 root root  132 Mar  7 17:13 forkbombalert.txt
-rw------- 1 root root  374 Mar  7 17:12 integrityalert.txt
-rw------- 1 root root 1042 Mar  7 17:13 loadalert.txt
-rw------- 1 root root  103 Mar  7 17:13 logalert.txt
-rw------- 1 root root  101 Mar  7 17:13 logfloodalert.txt
-rw------- 1 root root  191 Mar  7 17:12 netblock.txt
-rw------- 1 root root  209 Mar  7 17:12 permblock.txt
-rw------- 1 root root  129 Mar  7 17:12 portknocking.txt
-rw------- 1 root root  175 Mar  7 17:13 portscan.txt
-rw------- 1 root root  391 Mar  7 17:12 processtracking.txt
-rw------- 1 root root   97 Mar  7 17:12 queuealert.txt
-rw------- 1 root root  196 Mar  7 17:13 relayalert.txt
-rw------- 1 root root  260 Mar  7 17:12 resalert.txt
-rw------- 1 root root  181 Jun 23 11:04 reselleralert.txt
-rw------- 1 root root  200 Mar  7 17:12 scriptalert.txt
-rw------- 1 root root  176 Mar  7 17:12 sshalert.txt
-rw------- 1 root root  159 Mar  7 17:13 sualert.txt
-rw------- 1 root root  194 Mar  7 17:12 syslogalert.txt
-rw------- 1 root root  298 Mar  7 17:13 tracking.txt
-rw------- 1 root root  129 Mar  7 17:12 uialert.txt
-rw------- 1 root root  150 Jun  1 15:31 uidscan.txt
-rw------- 1 root root  192 Mar  7 17:13 usertracking.txt
-rw------- 1 root root  129 Mar  7 17:13 watchalert.txt
-rw------- 1 root root  146 May 25 09:15 webminalert.txt
-rw------- 1 root root 1207 Jun 23 11:04 x-arf.txt

/var/lib/csf:
total 62708
drw-------  8 root root     4096 Jun 24 09:24 ./
drwxr-xr-x 21 root root     4096 Jun 20 12:05 ../
-rw-------  1 root root      317 Jun 24 15:01 csf.block.DSHIELD
-rw-------  1 root root     7910 Jun 24 15:01 csf.block.SPAMDROP
-rw-------  1 root root      276 Jun 24 15:01 csf.block.SPAMEDROP
-rw-------  1 root root        0 Jun 24 16:00 csf.cclookup
-rw-------  1 root root       58 Jun 24 09:39 csf.dnscache
-rw-------  1 root root        0 Mar  7 17:13 csf.lock
-rw-------  1 root root     1095 Jun 24 16:51 csf.logtemp
-rw-------  1 root root        0 Jun 23 11:04 csf.tempallow
-rw-------  1 root root        0 Jun 24 10:39 csf.tempban
-rw-------  1 root root       16 Jun 24 16:58 csf.tempdisk
-rw-------  1 root root    73350 Jun 23 11:04 csf.tempint
-rw-------  1 root root       54 Jun 24 09:39 csf.tempip
-rw-------  1 root root 64000000 Jun 24 16:58 dd_test
drw-------  2 root root     4096 Jun 24 16:00 Geo/
drw-------  2 root root     4096 May 28 09:29 lock/
drw-------  2 root root     4096 Jun 24 00:00 stats/
drw-------  2 root root     4096 Jun 20 12:05 ui/
drw-------  2 root root     4096 Jun 22 11:48 webmin/
drw-------  2 root root     4096 Mar  7 17:13 zone/

New csf v6.15

Changes:
  • Modified MaxMind City Database lookup code to be more resilient