csf

New csf v2.00

Brand new feature:

  • New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp, /dev/shm and other pertinent directories for suspicious files, i.e. script exploits. These can optionally be moved into a tarball.
  • Directory Watching false-positives can be listed in csf.fignore which is accessible from the WHM UI

New csf v1.98

New version with a nice new feature for those with multiple NICs:

  • Modified code to allow for multiple ethernet NICs so that all rules are applied to all NICs, for example, if you have IPs spread over eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+"

New csf v1.97

New changes for v1.97:

  • Tightened DNS port 53 connections in accordance with: http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07
  • Moved no log dropping to the end of the chains
  • Moved allowed IPs to before Block Lists

Be aware of the upgrade issues in v1.93 and v1.94: http://configserver.com/blog/index.php?itemid=84

New csf v1.93

New version with some changes and bugfixes:

  • Fixed problem where external resolvers were being used and responses from them were being dropped because they were coming back on ephemeral ports. Added a scan of /etc/resolv.conf; external nameservers are now whitelisted for source port 53 to ephemeral ports
  • Drop logging of failed attempts to access port 53 so they don’t consume syslog
  • Moved update from /tmp to /usr/src
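
The resolver fix in v1.93, sketched as an added example (not csf's own code): it reads a resolv.conf-style file and prints, without applying, iptables rules that accept replies from source port 53 of each external nameserver to ephemeral ports. The 1024:65535 range, the INPUT chain, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not csf code: print (never apply) iptables rules that accept
# DNS replies from the external resolvers named in a resolv.conf-style file.
# Assumptions: ephemeral range 1024:65535, INPUT chain, IPv4 resolvers only.
EPHEMERAL="1024:65535"

# list_resolvers FILE: unique external IPv4 nameservers, in file order.
# Loopback (127.x) entries are skipped: a local resolver's replies never
# arrive from outside, so they need no source-port-53 exception.
list_resolvers() {
    awk '$1 == "nameserver" &&
         $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $2 !~ /^127\./ && !seen[$2]++ { print $2 }' "$1"
}

# dns_reply_rules FILE: one UDP and one TCP rule per resolver. Each rule
# matches only packets from that resolver's port 53 to an ephemeral port,
# so these rules open nothing for any other source address.
dns_reply_rules() {
    list_resolvers "$1" | while read -r ip; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -p $proto -s $ip --sport 53 --dport $EPHEMERAL -j ACCEPT"
        done
    done
}

# Constructed sample input (documentation addresses, not real resolvers).
sample=$(mktemp)
cat > "$sample" <<'EOF'
search example.com
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver 192.0.2.53
options timeout:2
EOF
dns_reply_rules "$sample"
rm -f "$sample"
```

The duplicate and loopback entries in the sample produce no rules, so the output is four lines: a UDP and a TCP rule for each of the two external resolvers.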

New csf v1.89

Added a new feature for v1.89:

  • Added pre-configured settings for Low, Medium or High firewall security to the WHM UI

New csf v1.86

A major enhancement for v1.86:

  • Modified lfd connection tracking to drop UDP as well as TCP packets when blocking
  • Added support for the DShield Block List with LF_DSHIELD: http://www.dshield.org/block_list_info.php (see csf.conf for more information)
  • Added support for the Spamhaus DROP List with LF_SPAMHAUS: http://www.spamhaus.org/drop/index.lasso (see csf.conf for more information)

New csf v1.85

Minor changes for v1.85:

  • Workaround for spam PT false-positives
  • Added exe:/usr/bin/spamc to csf.pignore
  • Added csf version to title bar in WHM

New csf v1.84

New version with the following change:

  • 1.84

New csf v1.81

Latest version supports iptables in the latest 2.6+ kernels that use xt_iptables:

  • 1.81