Server Software and Configuration Services
New csf v6.07
Changes:
– Fixed issue with processing /proc/PID/stat for process information
csf
New csf v6.06
Changes:
– Prevent csf/lfd from failing to run if a non-critical configuration file does not exist
– In webmin, force table stylesheet to override webmin css. Requires webmin module reinstall on existing installations
New csf v6.05
Changes:
– Improvements to minimal perl module detection on new installs
– Bugfix for default lfd.pl perl shebang
New csf v6.04
Changes:
– Implement slurp routine for configuration files to cater for incorrect linefeeds
– Ignore leading and trailing spaces from lines in configuration files
– Fixed Include statements in csf.ignore not implemented in lfd
– Additional debug logging for RT_*_LIMIT added
– Replaced call to Time::HiRes::sleep with standard sleep
– Additional dovecot entries in csf.pignore for new installations
New csf v6.03
Changes:
– Switched from using LWP to HTTP::Tiny to reduce memory footprint and reliance on the LWP perl module. The HTTP::Tiny module is included in the distribution, so no further action is necessary
– Modified lfd perl module loading to be conditional where possible to reduce lfd memory footprint
– Modify initial file processing to reduce lfd memory footprint
– Modify PS_PORTS processing to reduce lfd memory footprint
– Moved init of Geo::IP::PurePerl into iplookup subroutine
– Removed “DEFERRED” login failure checking from CPANEL_LOG regex due to false-positives
– Modify LF_DIRWATCH_DISABLE so that only files are added to suspicious.tar and removed. Suspicious directories will no longer be removed
– Removed File::Path – no longer required
New csf v6.02
Changes:
– Modify MESSENGER HTML header to return code 403 instead of 200
– Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled
– Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables detection of repeated Apache symlink race condition triggers from the Apache patch provided by:
http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
This patch has also been included by cPanel via the easyapache option:
“Symlink Race Condition Protection”
WHM/cPanel v11.36 in RELEASE
cPanel v11.36 has now entered the RELEASE tree and you will notice that most of your addon perl scripts failing. You can resolve this easily with our addons by reinstalling them. We have provided a simple script that can do this for you that we posted previously. This has to be done regardless as to whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless as to whether they are the same or an older version of those available.
To use this method you must be logged into root via SSH to the server and then run:
curl -s configserver.com/free/csupdate | perl
You should take care to read through the output to ensure that all the upgrades have worked as expected.
New csf v6.01
Changes:
– Ensure all binaries are called with their full paths for the scheduled Server Security Check reports
– Allow csf -u/-uf/–update and -c/–check when csf is disabled
– Make RT_* checks IPv6 compatible
– Added dns query caching for ip lookups during lfd process lifetime
– Modify TOR rule loading to use FASTSTART in lfd if enabled
– Added iptables locking to FASTSTART code
– LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts
– Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion
– Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries
– Added “DEFERRED” login failure checking to CPANEL_LOG regex
New csf v6.00
Changes:
– Major new option – FASTSTART:
This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways:
1. On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence
2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time than if this setting is disabled
[*] Not supported on all OS platforms
FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously
FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually
Other Changes:
– Improvements to csf and lfd init routines
– LF_QUICKSTART renamed to LFDSTART, setting value preserved
– Fixed a problem with scheduled Server Security Check reports
– Crypt::CBC upgraded to v2.32
New csf v5.79
Changes:
– Modified csf error routine to store failing error in csf.error and display an instructional message
– Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
– Modified the Server Report proxysubdomains check on cPanel servers
– Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using this FTP access port 21 could be blocked to only the specified countries