csf

New csf v3.06

Changes:

  • Added System Exploit Checking. This enables lfd to check for the Random JS Toolkit and may check for others in the future: http://www.cpanel.net/security/notes/random_js_toolkit.html It compares md5sums of the binaries listed in the exploit note above for changes and also attempts to create and remove a numbered directory. The option is enabled by default. The report is generated from the exploitalert.txt template file
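As an added illustration of the two checks the entry above describes (this is not csf's own code), the following baseline-and-compare script hashes a list of files, stores the digests, re-hashes them later and reports any file whose digest changed or that went missing, then probes that a numbered directory can be created and removed. The file names, their contents and the directory name are constructed here so the demo runs offline; in practice the list would be the binaries named in the cPanel note.

```python
"""Baseline-and-compare integrity check plus a mkdir probe. Added example,
not csf/lfd code. Sample files are constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile


def md5_file(path):
    """md5 of a file, read in chunks. md5 matches what the entry above
    describes; sha256 is the better choice when starting a new baseline."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths):
    """Map each path to its digest at baseline time."""
    return {p: md5_file(p) for p in paths}


def check_baseline(baseline):
    """Return (path, reason) for every baselined file that is gone or changed."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
        elif md5_file(path) != digest:
            findings.append((path, "md5 changed"))
    return findings


def probe_mkdir(parent, name="12345"):
    """True if a directory with a purely numeric name (constructed here) can
    be created and removed under parent; a rootkit hooking mkdir/rmdir
    would make this fail."""
    d = os.path.join(parent, name)
    try:
        os.mkdir(d)
        os.rmdir(d)
        return True
    except OSError:
        return False


def demo():
    work = tempfile.mkdtemp()
    try:
        paths = []
        for name, body in (("ls", b"fake ls"), ("netstat", b"fake netstat")):
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(body)
            paths.append(p)
        baseline = make_baseline(paths)
        clean = check_baseline(baseline)
        # Simulate a trojaned ls and a deleted netstat.
        with open(paths[0], "ab") as f:
            f.write(b"\x00backdoor")
        os.remove(paths[1])
        tampered = [reason for _, reason in check_baseline(baseline)]
        return {"clean": clean, "tampered": tampered,
                "mkdir_probe": probe_mkdir(work)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken: record it on a known-clean system and keep it somewhere a root-level compromise cannot silently rewrite, or the comparison tells you nothing.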

New csf v3.05

Changes:

  • Added perl regex checking to csf.pignore with the new options puser, pexe and pcmd. Text added to csf.pignore for new installations:

# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regexes, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\sto\smatch\s\.pl\s.*
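To show how the literal and regex forms of csf.pignore differ, here is an added example (not csf's or lfd's code) that reads a small constructed csf.pignore and decides whether each of several constructed process records is ignored. Two assumptions are built in: a regex has to match the whole field, which is how the examples above read (confirm against lfd's own behaviour before relying on it), and the patterns are ones Python's re module also accepts, which holds for the examples quoted.

```python
"""Minimal csf.pignore reader and matcher. Added example, not csf code.
Assumes whole-field regex matching; sample data is constructed."""
import re

# Constructed csf.pignore content following the escaping rules quoted above.
SAMPLE_PIGNORE = r"""
# literal matches
exe:/usr/sbin/httpd
user:mailnull
# perl regex matches
pexe:/home/.*/public_html/cgi-bin/script\.cgi
puser:bob\d.*
pcmd:/home/.*/command\sto\smatch\s\.pl\s.*
"""

LITERAL = ("exe", "user", "cmd")
REGEX = ("pexe", "puser", "pcmd")


def parse_pignore(text):
    """Return a list of (field, is_regex, pattern) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: expected key:value" % lineno)
        key, value = key.strip(), value.strip()
        if key in LITERAL:
            rules.append((key, False, value))
        elif key in REGEX:
            rules.append((key[1:], True, re.compile(value)))
        else:
            raise ValueError("line %d: unknown key %r" % (lineno, key))
    return rules


def is_ignored(proc, rules):
    """proc is a dict with 'exe', 'user' and 'cmd' keys; True if any rule hits."""
    for field, is_regex, pattern in rules:
        value = proc[field]
        if is_regex:
            if pattern.fullmatch(value):
                return True
        elif value == pattern:
            return True
    return False


def demo():
    rules = parse_pignore(SAMPLE_PIGNORE)
    procs = {
        "httpd": {"exe": "/usr/sbin/httpd", "user": "nobody",
                  "cmd": "/usr/sbin/httpd -k start"},
        "bob12": {"exe": "/usr/bin/perl", "user": "bob12", "cmd": "perl x.pl"},
        "bob": {"exe": "/usr/bin/perl", "user": "bob", "cmd": "perl x.pl"},
        "cgi": {"exe": "/home/alice/public_html/cgi-bin/script.cgi",
                "user": "alice", "cmd": "script.cgi"},
        # Why the dot is escaped: an unescaped '.' would also match this one.
        "cgi-lookalike": {"exe": "/home/alice/public_html/cgi-bin/scriptXcgi",
                          "user": "alice", "cmd": "scriptXcgi"},
        "cmd": {"exe": "/usr/bin/perl", "user": "alice",
                "cmd": "/home/alice/command to match .pl --flag"},
    }
    return {name: is_ignored(p, rules) for name, p in procs.items()}


if __name__ == "__main__":
    for name, ignored in demo().items():
        print("%-14s ignored=%s" % (name, ignored))
```

The lookalike record is the point of the escaping note in the file: every regex rule widens what lfd will silently ignore, so keep patterns as narrow as the real paths allow and test a new rule against a process you want caught, not only against the one you want ignored.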

New csf v3.04

Changes:

  • Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you to set the incoming and outgoing ICMP rate limits independently, or to disable rate limiting in either direction completely for ICMP packets

New csf v3.03

Changes:

  • Modified LF_DIRWATCH_FILE to use the output from “ls -lAR” instead of

Exim Dictionary Attack ACL *Exploit*

If you’re still using our old exim_deny dictionary attack solution in cPanel you should stop doing so and exclusively use the one provided by cPanel in cPanel v11. An exploit vector has been found and published for our old method: http://paste2.org/p/12037

However, using that exploit method would be quite tricky, because the exim_deny.pl script generates the lock file when the very first email passes through the ACL after installation, and from then on the exploit is no longer possible. That is, someone would have to create the symlink as described in the window between you adding the ACL to exim and the first email arriving. Alternatively, if you actively and indiscriminately delete files from /tmp, the exploit could be applied between the lock file being deleted and the next email passing through exim.

Such a short window of opportunity makes the exploit as described extremely unlikely, as the attacker would have no idea when you’re going to install the ACL, nor any way to plant the symlink in advance of installation. We’re not aware of anyone being exploited through the use of this method.

Incidentally, if you’re running csf, lfd would pick up this type of issue through LF_DIRWATCH. Many thanks to Billy for bringing this to our attention.

The simplest way to remove our old exim_deny method is to select the option in WHM > Exim Configuration Editor > Reset ACL Config to Defaults and then remove the exim_deny files:

rm -fv /etc/exim_deny /etc/exim_deny.pl /etc/exim_deny_whitelist /etc/cron.hourly/exim_deny.pl
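The advisory above describes a symlink race on a predictable lock file in /tmp. The exim_deny.pl code itself is not on this page, so the following is an added example of that class of bug in general, not the script's code: a plain create-or-truncate at a predictable path follows a symlink an attacker planted first and writes through it, while an open with O_CREAT|O_EXCL|O_NOFOLLOW refuses. The victim file, the lock file name and the temporary directory are all constructed so the demo runs offline.

```python
"""Symlink race on a predictable lock file: vulnerable open beside the
hardened one. Added example, not exim_deny.pl. Paths are constructed."""
import errno
import os
import shutil
import stat
import tempfile


def unsafe_create_lock(path, payload=b"locked\n"):
    """Vulnerable pattern: create-or-truncate at a predictable path. If an
    attacker pre-planted a symlink there, the write lands on its target."""
    with open(path, "wb") as f:
        f.write(payload)


def safe_create_lock(path, payload=b"locked\n"):
    """Hardened: O_EXCL makes open fail if anything (file or symlink) already
    exists at path, O_NOFOLLOW refuses a symlink in the final component, and
    mode 0o600 keeps the file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)


def demo():
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "victim")  # any file the attacker wants overwritten
        lock = os.path.join(work, "lockfile")  # constructed name, not the script's
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.symlink(victim, lock)               # attacker's move, before the first email
        unsafe_create_lock(lock)
        with open(victim, "rb") as f:
            clobbered = f.read() == b"locked\n"
        try:
            safe_create_lock(lock)
            refused = False
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        os.unlink(lock)                        # with the symlink gone, the safe open succeeds
        safe_create_lock(lock)
        fresh = stat.S_ISREG(os.lstat(lock).st_mode) and not os.path.islink(lock)
        return {"unsafe_clobbered": clobbered, "safe_refused": refused,
                "safe_creates_fresh": fresh}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The exclusive open only closes the write-through; a lock file that lives in a directory only the service can write to removes the race altogether, and an unexpected symlink appearing in /tmp is exactly the kind of change LF_DIRWATCH reports, as the advisory notes.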

New csf v3.02

Changes:

  • Modified the text comments at the top of csf.allow for new installs:
# Note: IP addresses listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
  • Removed RELAYHOSTS check from Server Check report
  • Don’t show SMTP_BLOCK check if on a VPS in Server Check report
  • PT_USERKILL, if set, will now also kill user processes that exceed PT_USERPROC
  • Fixed problem where csf.tempusers was not being cleared down on an lfd restart
  • Added two new csf command line options to flush IPs from the temporary ban list: -tr -tf (see csf -h for more information)

PayPal Donations

We are always extremely grateful for any donation that we receive for our efforts in bringing you our free scripts. After repeated requests, we’ve added Subscription Payments along with our single donations button for those that prefer this method. An example is on the csf page. Thanks again to anyone who donates, no matter the amount, as it does help us spend time on the free projects.

New csf v3.01

Changes:

  • Tightened DNS port configuration restrictions as the old rules were being catered for by iptables connection
  • Added Kerio Mailserver POP3/IMAP regexes

New csf v3.00

Changes:

  • Added progress information to LWP downloads within csf
  • Added numiptent checking for VPS servers. csf will flush iptables and lfd will stop blocking IPs if numiptent is nearly depleted. This should help prevent VPS lockouts due to insufficient server resources. If this happens, you will either need to reduce the number of iptables rules (e.g. disable Block List usage) or have the VPS provider increase numiptent. A value of ~700-1000 should be fine for most SPI firewall applications with full Block List configuration
  • Added support for the BOGON List (Block List) with LF_BOGON – http://www.cymru.com/Bogons/ See link and csf.conf for more information
  • Enhanced the cpanel.net lookup for httpdupdate.cpanel.net to workaround the lack of rDNS PTR records
  • Fixed problem with RELAYHOSTS not working
  • Removed use of the replace binary

New csf v2.95

Changes:

  • Reduced memory overhead and added large file skipping for LF_DIRWATCH
  • Improved performance of LF_DIRWATCH trigger checks
  • Fixed problem with LF_SELECT temporarily blocking outbound access on all ports. Now only the relevant inbound port(s) will be blocked if triggered