csf

Changes:

• Added routine to select from multiple download servers for script updates
• Added Sectigo (formerly Comodo) IPv6 DCV addresses to cpanel.comodo.allow and cpanel.comodo.ignore
• Added support to LF_CXS for litespeed logs on cPanel
• Added exception to csf.fignore for NodeJS yarn temporary files in cPanel v80

Changes:

• Added new option CT_SUBNET_LIMIT. If the total number of connections from a class C subnet is greater than this value then the offending subnet is blocked according to the other CT_* settings. This option is disabled by default
• Removed ALTTOR from csf.blocklists on new installations as it has been discontinued
• Use ConfigServer::Slurp to read csf.resellers to avoid invalid line endings
• Modified CLUSTER_SENDTO and CLUSTER_RECVFROM so that they can be set to a file instead of listing IP’s within the respective setting. See csf.conf for more details
• Removed open_basedir check on cPanel servers in Server Check
• Fixed csf.conf typo
• Updates to Courier IMAP regexes for Plesk

Changes:

• Removed debugging code from lfd output
• Improvements for reason text information to IPs and CC_LOOKUPS to netblocks for LF_PERMBLOCK and LF_NETBLOCK reports

Changes:

• Added commented out regex lines in csf.pignore on cPanel servers for the upcoming ubic implementation by cPanel
• Added port 53 filters in cpanel.comodo.allow on cPanel servers
• Added postfix support for LF_DISTSMTP
• Switched Sendmail and URLGET modules from using croak to carp to avoid unexpected parent death from child failure
• Double fork external commands in DA UI to work around DA mod_perl restrictions, allowing full functionality
• Added reason text information to IPs and CC_LOOKUPS to netblocks for LF_PERMBLOCK and LF_NETBLOCK reports and csf.deny entries

Changes:

• Removed new regex for LF_EXIMSYNTAX

Changes:

• Removed rbl.jp RBLs from csf.rbls
• Modify Project Honey Pot blocklist URLs to use https
• Ignore $SIG{PIPE} when running ipset
• Ensure csf shows ipset warnings
• Added osmd to lfd restart routine when cPanel upgrades
• Modified Server Check to look for underscore as well as dash settings
• Added test in lfd to ensure the pidfile is open before attempting to close it
• Added new regex for LF_EXIMSYNTAX
• Added new option: URLPROXY. If you need csf/lfd to use a proxy, then you can set this option to the URL of the proxy

Changes:

• Make CC_IGNORE check case-insensitive
• Improved TCP/UDP port inspection for IPv6 connections (affecting CT_*, PT_* and PT_SSHDKILL)
• Updated cxs FontAwsome to v5
• Added fixes for additional Include line processing
• Fixed race condition when processing CC_* zip files that could sometimes prevent the csv files from being extracted
• Updated HTTP::Tiny to v0.070

Changes:

• Removed CC_OLDGEOLITE and associated code so that all installations will now use the MaxMind GeoLite2 databases
• Added more CLI options that work if csf is disabled
• Added Include line support to 20 more /etc/csf/csf.* configuration files. See /etc/csf/readme.txt under “Include statement in configuration files” for the list of supported files
• Added mangle and raw tables to csf –grep [IP] and modified output to show a new column with the table then the chain that a rule is in
• Added mangle and raw tables to csf –status output and modified output to show a new header line with the table that a rule is in
• Added new option USE_FTPHELPER. This enables the ftp helper via the iptables CT target on supporting kernels instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper and unrestricted use of RELATED state
• Modified ICMP_IN/ICMP_OUT to only affect PING (echo-request), all other ICMP traffic is allowed (which can help network performance) unless otherwise blocked. This is for IPv4, it does not affect IPv6
• Improved rule placement to prevent existing connections bypassing ICMP_IN_RATE/ICMP_OUT_RATE limits
• Updated csf.conf documentation relating to the ICMP/PING settings
• Added new option ICMP_TIMESTAMPDROP. For those with PCI Compliance tools that state that ICMP timestamps should be dropped, you can enable this option. Otherwise, there appears to be little evidence that it has anything to do with a security risk but can impact network performance, so should be left disabled by everyone else
• csf and lfd now exit with status 1 on error or if disabled. However, this will not happen with csf if the CLI option used still works while disabled
• USE_CONNTRACK is now enabled by default on new installations
• Fixed DOCKER IPv6 warning message when DOCKER not enabled
• Modified csf.blocklists for GREENSNOW to use https on existing and new installations

Changes:

• Added missing DOCKER_DEVICE setting from the generic and directadmin csf.conf files
• Ensure iptables/ip6tables mangle and raw tables are flushed on stop/start if they exist
• CC_OLDGEOLITE set to “0” on new servers and those upgrading to v12.* for the first time. This enables MaxMind GeoLite2 by default unless already set
• Note: The old MaxMind Geolite v1 database code will be removed in the near future, before the end of March, in favour of the v2 databases