csf

New csf v3.28

Changes:

  • Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
  • Modified relay tracking to not ignore RELAYHOST IPs
  • Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IPs
  • LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

New csf v3.27

Changes:

  • Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny

New csf v3.26

Changes:

  • Added new CLI option to csf, -g, --grep, which will search the iptables chains for a specified match which is either explicit or part of a CIDR
  • Added WHM UI option for csf --grep
  • Added new CLI option to csf, -dr, --denyrm, which will remove an IP address from csf.deny and unblock it
  • Added WHM UI option for csf --denyrm

New csf v3.25

Changes:

  • Added csf.suignore file where you can list usernames that are ignored during the LF_EXPLOIT SUPERUSER test
  • New option PT_LOAD_ACTION added that can contain a script to be run if PT_LOAD triggers an event. See csf.conf for more information
  • Added SUPERUSER check to Server Check Report
  • Added Suhosin check to Server Check Report

New csf v3.24

Changes:

  • Allow comments after IP addresses in csf.dyndns
  • Added new login failure option LF_SUHOSIN which detects alert messages and blocks the attacker IP after the configured number of matches
  • Added a new exploit check for non-root superuser accounts
  • Added a new configuration option LF_EXPLOIT_CHECK which allows you to configure which tests are performed by LF_EXPLOIT

New csf v3.23

Changes:

  • Modified the Server Report code for checking PHP variables to be more lenient when checking the output from /usr/local/bin/php -i
  • Modified lfd calculation of Jiffies to use the POSIX::sysconf function to obtain the clock ticks instead of assuming 100 ticks for Linux
  • Fix duplicate LF_INTEGRITY emails

New csf v3.22

Changes:

  • Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this setting if you use Port Scan Tracking as it will cause redundant blocks
  • Added tag [hostname] to all of the alert reports. You will need to add this manually to the report text Subject: line (or anywhere else in the report that you would like it) for existing installations
  • Added “A note about FTP over TLS/SSL” to readme.txt

New csf v3.21

Our apologies for the multiple releases today, but the new options behaved differently from testing in live environments.

Changes:

  • Fixed problem in Server Check that caused an error in some situations
  • Modified netblock caching code to prevent repeated block attempts

New csf v3.20

Changes:

  • Corrected net block logic so that after a net or perm block occurs, subsequent log entries that would incur the same block are ignored

New csf v3.19

Changes:

  • New feature – LF_PERMBLOCK. Permanently blocks IP addresses that have had X temporary blocks in the last Y seconds. Uses email template permblock.txt
  • New feature – LF_NETBLOCK. Permanently blocks network classes (A, B or C) if more than X IP addresses in a specified class have been blocked in the last Y seconds. This may help with some DDoS attacks launched from within a specific network class. Uses email template netblock.txt
  • Modified MD5SUM comparison code to better reset md5sum checks after a hit
  • Only issue Random JS Toolkit warning if all the MD5SUM checks fail for the relevant files
  • Removed POP flood Protection setting check from Server Report as it’s no longer relevant to courier-imap
  • Rewritten the Apache Check code for the Server Report to better detect the current running settings on all Apache and PHP versions
  • Don’t check Apache RLimitCPU/RLimitCPU limits on VPS servers as they aren’t relevant (as they apply to the host VPS configuration) for the Server Report