Added hdir:/quarantine_clamavconnector to the csf.ignore.example file
Improvements to php script detection where extension is not .php
Filetype detection speedups
Filetype differentiation between MS-DOS and MS Windows executables
Added new option –Wrefresh. To keep the cxs Watch daemon up to date, it will restart every 7 days by default. To change this interval, you can set B<--Wrefresh [days]>
AUTO_UPDATES enabled for new installations in csf.conf
Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still set in csf.conf it will be ignored
Check MESSENGER service to ensure privileges are dropped before starting the daemon
Drop privileges when peforming removal during LF_DIRWATCH_DISABLE
For new installations, IPV6 enabled if IP6TABLES exists and an IPv6 address is found in the output from IFCONFIG. IPV6_SPI is set according to the kernel version (i.e. whether SPI is supported or not)
Fixed a SECURITY BUG that can be exploited remotely via log file spoofing resulting in root privilege escalation. Our thanks to Jeff Petersen for reporting this issue
All csf users should upgrade to this release immediately
New feature: Connection Limit Protection (CONNLIMIT, CONNLIMIT_LOGGING). This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of concurrent new connections per IP address that can be made to specific ports. See csf.conf and readme.txt for more information and about the format of the CONNLIMIT option and its limitations
Minor csf UI Firewall Configuration virtual pagination improvements
Updated cPanel Server Check update settings for v11.30+
Removed cPanel Server Check for new versions due to changes in the v11.30+ versioning system making this redundant
Updated MySQL Server Check for v5.1.*
Added a warning to csf.conf for SYNFLOOD to only enable the option if you know you are under a SYN flood attack as it will restrict all new connection to the server if triggered
Added port 500 to DROP_NOLOG for new installations
Corrected the LF_APACHE_404 lfd log line output
Added startup failure on invalid PORTFLOOD settings
Make csf.pignore item selector case-insensitive (e.g. exe: and EXE: )
All user: item selector examples removed from the default csf.pignore for all new installations (e.g. user:mailman). csf.pignore examples for some common processes can be found here:http://forum.configserver.com/viewtopic.php?f=6&t=2059
Updated DA and GENERIC default csf.pignore files for new installations
Updated installation scripts to distinguish between IPv4 and IPv6 port report
Modified Virtuozzo VPS numiptent check to distinguish between host and client servers
Added exe:/usr/sbin/ntpd to csf.pignore on new installations
Don’t perform the runlevel check on Debian/Ubuntu servers as it isn’t indicative of a potential security issue as with other Linux distros
Added new option PT_DELETED_ACTION which if defined with an executable script will run if PT_DELETED is triggered passing the process PID, executable and account. An example script is provided in: /etc/csf/pt_deleted_action.pl
If CC_LOOKUPS enable for the MaxMind City Database then also display the Region, where available
Rearranged csf.conf for csf UI Firewall Configuration virtual pagination
Re-instated sanity check highlights in csf UI Firewall Configuration
Improved Server Check recursion checking in included configuration files
Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option will keep track of the number of “File does not exist” errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information
Added stats workaround for February/March calculations
Added new option CC_IGNORE – this Country Code list will prevent lfd from blocking IP address hits for the listed CC’s
Reduced CC_* memory usage when loading zones
Modified lfd logging for regex.pm and regex.custom.pm login failures to lfd.log to use the return reason from the regex match instead of a generic message. This does mean that the format for these messages has changed
DA Server Check for proftpd – check whether pureftp=1 in DA config
Replaced IP::Country and Geography::Countries with Geo::IP:: PurePerl using the MaxMind GeoLite Country database for CC_LOOKUPS
Added new option GUNZIP which is required to expand the MaxMind GeoLite Country database
Extended CC_LOOKUPS which can now be configured to report Country Code and Country and City using the MaxMind City Database. See csf.conf for more information
