csf

New csf v4.13

Changes:

  • Updated various comments in csf.conf
  • Fixed call to csfpost.sh from csf

New csf v4.12

Changes:

  • Modified lfd Login Failure tracking to use a per IP address rolling LF_INTERVAL window rather than a static one for all tracked IPs. This makes login failure counting more accurate and blocking more responsive
  • Added new feature – Block Reporting. lfd can run an external script when it performs an IP address block following, for example, a login failure. BLOCK_REPORT is set to the full path of the external script. See readme.txt for format details
  • If csf is installed or upgraded via an SSH session the connecting IP address will now be automatically added to csf.allow (note: it is not added to csf.ignore so lfd may still block it). This IP can be removed after testing if desired
  • Modified the lfd.log format to the standard: :: lfd[]: If you parse lfd.log you will need to update your scripts!
  • Added DEBUG option – for internal use only
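
A simplified model of the v4.12 Login Failure tracking change listed above, as an added example (not lfd's own code): it contrasts one static LF_INTERVAL window shared by all tracked IPs with a per-IP rolling window. The THRESHOLD value, the function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

LF_INTERVAL = 300  # seconds; constructed value for this example
THRESHOLD = 5      # failures within the window that cause a block; assumed value


def static_window_blocks(events, start=0):
    """One shared window: every LF_INTERVAL seconds all counters are reset."""
    counts, window_end, blocked = defaultdict(int), start + LF_INTERVAL, []
    for ts, ip in events:
        while ts >= window_end:  # shared window expired: forget every IP
            counts.clear()
            window_end += LF_INTERVAL
        counts[ip] += 1
        if counts[ip] == THRESHOLD:
            blocked.append((ts, ip))
    return blocked


def rolling_window_blocks(events):
    """Per-IP rolling window: count only that IP's last LF_INTERVAL seconds."""
    recent, blocked = defaultdict(deque), []
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - LF_INTERVAL:  # drop this IP's failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked.append((ts, ip))
            q.clear()  # block issued; start counting afresh for this IP
    return blocked


# Constructed login failures (seconds, source IP), using documentation addresses.
EVENTS = sorted([
    (280, "192.0.2.10"), (290, "192.0.2.10"), (295, "192.0.2.10"),  # just before t=300
    (305, "192.0.2.10"), (310, "192.0.2.10"),                        # just after t=300
    (100, "198.51.100.7"), (700, "198.51.100.7"),                    # slow, unrelated
])

if __name__ == "__main__":
    # The burst straddles the shared window boundary at t=300, so the static
    # counter is reset mid-burst; the rolling window sees 5 failures in 30 s.
    print("static :", static_window_blocks(EVENTS))
    print("rolling:", rolling_window_blocks(EVENTS))
```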

New csf v4.11

Changes:

  • Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations
  • Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain
  • Added /etc/cron.d/lfdcron.sh to restart lfd daily
  • Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore
  • Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+
  • As per RFC5322, adding port 587 to the default TCP_IN list of ports for new installations (i.e. it is now recommended for SMTP servers to offer port 587 access for MUA to MTA traffic rather than port 25 which is for MTA to MTA traffic)
  • Added informational text to Process Tracking email report if a process is running an executable that has been deleted
  • Added csf version to the daemon startup log line in lfd.log

New csf v4.10

Changes:

  • Added /usr/libexec/hald-addon-keyboard to csf.pignore
  • Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help in the situation where iptables on some servers blocks outgoing port 53 udp connections despite the port being open
  • Added new option DNS_STRICT which will remove all static DNS rules and allow access only through SPI. For stability reasons, it would be advisable to leave this option disabled (default)

New csf v3.33

Changes:

  • Modified skip for su login checking from root to cater for (uid=0)
  • Added option SYNFLOOD_BURST to allow configuration of --limit-burst when SYNFLOOD is enabled. Changed default values
  • Extended --grep to search csf.deny and temporary blocks in addition to iptables
  • Modified SSH regex to improve login failures detection further
  • Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
  • Added vsftpd regex for ftp login failures

New csf v3.32

Apologies for the multiple releases today:

Changes:

  • Modified SSH regex to check for ipv6 addresses
  • Added another regex to improve SSH matching

New csf v3.31

Changes:

  • Modified -denyrm to abort if left blank instead of clearing all blocks
  • Added lfd check for existing temporary block to avoid duplicates
  • Fixed regex handling for courier-imap POP and IMAP login failures
  • Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading
  • Fixed typo in Suhosin description in the Server Check Report
  • Added Referrer Security to the Server Check Report
  • Added register_globals check in cPanel php.ini to Server Check Report

New csf v3.30 (Security Fix)

Changes:

  • Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd
  • The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
  • Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
  • Option LF_SCRIPT_PERM removed

Our thanks to Jeff Petersen for the detailed information describing these issues. We recommend that all users of csf upgrade to this new version

New csf v3.28

Changes:

  • Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
  • Modified relay tracking to not ignore RELAYHOST IPs
  • Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IPs
  • LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

New csf v3.27

Changes:

  • Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny