csf

New csf v6.00

Changes:
– Major new option – FASTSTART:
This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways:
1. On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence
2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time taken when this setting is disabled
[*] Not supported on all OS platforms
FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously
FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually
Other Changes:
– Improvements to csf and lfd init routines
– LF_QUICKSTART renamed to LFDSTART, setting value preserved
– Fixed a problem with scheduled Server Security Check reports
– Crypt::CBC upgraded to v2.32
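The mechanism behind point 2 above, as an added example that is not csf's own code: instead of one iptables(8) run per CIDR, a whole country-code DROP chain is written in iptables-restore format and loaded with a single atomic kernel call. The chain name, the one-CIDR-per-line file format and the DROP target are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not csf's own code: build one iptables-restore ruleset for a
# country-code DROP chain so every rule enters the kernel in a single atomic
# call (the FASTSTART approach) instead of one iptables(8) run per CIDR.
# The chain name, the CIDR file format and the DROP target are assumptions.

# Print a *filter fragment for CHAIN from a file of CIDRs, one per line.
# Blank lines and '#' comments are skipped; a malformed entry is reported on
# stderr and dropped so one bad line cannot abort the whole restore.
cc_restore_text() {
    chain=$1
    cidrfile=$2
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$chain"     # declares the chain (created if missing)
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=${line%%#*}                 # strip a trailing comment
        cidr=$(printf '%s' "$cidr" | tr -d '[:space:]')
        [ -z "$cidr" ] && continue
        case $cidr in
            *[!0-9./]*|/*|*/|*.*.*.*.*)
                printf 'skipping malformed entry: %s\n' "$cidr" >&2
                continue ;;
        esac
        printf '%s %s -s %s -j DROP\n' -A "$chain" "$cidr"
    done < "$cidrfile"
    printf 'COMMIT\n'
}

# Number of rules a generated ruleset would load.
rule_count() {
    grep -c '^-A ' "$1"
}

# Live use would be:  cc_restore_text CC_DENY_XX cidrs.txt | iptables-restore --noflush
# (--noflush leaves the rest of the filter table alone; csf wires the jump
# from INPUT into the chain itself). Here we only generate and count on
# constructed sample data.
demo() {
    tmp=$(mktemp)
    printf '198.51.100.0/24\n# comment\n\n203.0.113.0/24 # note\nbad.entry\n192.0.2.0/24\n' > "$tmp"
    out=$(mktemp)
    cc_restore_text CC_DENY_XX "$tmp" > "$out" 2>/dev/null
    n=$(rule_count "$out")
    rm -f "$tmp" "$out"
    echo "$n"
}
```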

New csf v5.79

Changes:
– Modified csf error routine to store the failing error in csf.error and display an instructional message
– Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
– Modified the Server Report proxysubdomains check on cPanel servers
– Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to the listed TCP/UDP ports. For example, using this, FTP access on port 21 could be blocked for only the specified countries

New csf v5.78

Changes:
– Due to issues that some are experiencing with the switch from the state to the conntrack module, a new setting, USE_CONNTRACK, has been added. It is disabled by default, except on new installations on servers running kernel 3.7+, where it will be enabled

New csf v5.77

Changes:
– Add an exception for the useless Virtuozzo kernel's iptables implementation so that csf uses the deprecated state module instead of conntrack

New csf v5.76

Changes:
– Only add the /128 IPv6 bound address per NIC instead of the whole /64 to the local IPv6 addresses
– Modify SSHD and SU regexes to allow for an empty hostname field in the log file
– Added new option UNBLOCK_REPORT. This option will run an external script when a temporary block is unblocked
– Additional entries in csf.logignore on new installations
– Switched from using the iptables state module to using the conntrack module in preparation for the former's obsolescence
– Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so that new tests can be easily added and then ignored as desired
– Added new LF_EXPLOIT check SSHDSPAM to check for the existence of /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9. See:

New csf v5.75

Changes:
– Fixed issue with single quotes appearing in CC lookup names causing lfd IP blocks to fail

New csf v5.74

Changes:
– Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations
– Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36
– Additional entries in csf.logignore on new installations
– Try harder to get a CPU temperature if lm_sensors is installed for System Statistics
– Enforce PORTFLOOD setting restrictions and issue a warning if an entry is discarded
– Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
– Make CC_[chain] actions more verbose in lfd.log
– Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. This feature allows access from the countries listed in CC_ALLOW_PORTS to the listed TCP/UDP ports. For example, using this, FTP access on port 21 could be restricted to only the specified countries
– Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature
– Modified SMTP_PORTS to include ports 465 and 587 on new installations
– Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks the number of processes with the same session id and, if this is greater than the value set, the whole session tree is terminated and an alert sent
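The core of the PT_FORKBOMB check, as an added example that is not csf's own code: count processes per session id over a process snapshot and flag any session above a limit, listing the session tree an alert would report. The input layout (as printed by `ps -eo sid=,pid=,comm=`), the sample data and the limit value are assumptions for this demo; it only reports, it never terminates anything.

```shell
#!/bin/sh
# Added example, not csf's own code: the core of a PT_FORKBOMB-style check.
# It counts processes per session id and flags any session whose count
# exceeds a limit. The input layout (as printed by `ps -eo sid=,pid=,comm=`)
# and the limit value are assumptions for this demo.

# Read "SID PID COMM" lines on stdin; print "SID COUNT" for each session
# with more than LIMIT processes, lowest SID first.
sessions_over_limit() {
    awk -v limit="$1" '
        NF >= 2 && $1 ~ /^[0-9]+$/ { count[$1]++ }
        END { for (sid in count) if (count[sid] > limit) print sid, count[sid] }
    ' | sort -n
}

# Read the same lines on stdin; print the PIDs belonging to session SID,
# i.e. the "session tree" an alert would list (and a real check would
# terminate). Output is one space-separated line.
session_pids() {
    awk -v sid="$1" '$1 == sid { print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed process snapshot (not real data): session 1200 is a shell
# fork bomb with 8 processes; sessions 1 and 980 are ordinary.
SAMPLE_PS='1 1 init
1 412 sshd
980 980 bash
980 1001 vim
1200 1200 bash
1200 1201 bash
1200 1202 bash
1200 1203 bash
1200 1204 bash
1200 1205 bash
1200 1206 bash
1200 1207 bash'

# Sessions the sample would flag at the given limit. Against a live system,
# feed `ps -eo sid=,pid=,comm=` instead of SAMPLE_PS.
flagged_at() {
    printf '%s\n' "$SAMPLE_PS" | sessions_over_limit "$1"
}

# PIDs of one session in the sample, for the alert text.
tree_of() {
    printf '%s\n' "$SAMPLE_PS" | session_pids "$1"
}
```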

WHM/cPanel v11.36

cPanel v11.36 has now entered the CURRENT tree and you will notice that most of your addon perl scripts fail. You can resolve this easily with our addons by reinstalling them. We have provided a simple script that can do this for you, which we posted previously. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless of whether they are the same as or an older version than those available.
To use this method you must be logged into root via SSH to the server and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected.

New csf v5.73

Changes:
– Fixed issue with crontab line for TESTING option not being detected and removed when TESTING mode is disabled

New convenient update method for ConfigServer scripts

We have released a new method to force an update of all of our main scripts (on cPanel servers only):
cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are done so regardless of whether they are the same as or an older version than those available.
To use this method you must be logged into root via SSH to the server and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected.