ConfigServer Services Blog

New csf v5.05

Changes:

  • Updated the Server Check report IPv6 text
  • Fixed ip6tables command execution in iptables firewall during startup

New csf v5.04

Changes:

  • Added BETA IPv6 support. See csf.conf for more information on the new settings: IPV6, IP6TABLES, IPV6_ICMP_STRICT, IPV6_SPI, TCP6_IN, TCP6_OUT, UDP6_IN, UDP6_OUT
  • New CLI option csf --status6 (csf -l6) added to list ip6tables rules
  • Changed temporary DENY and ACCEPT working file formats to use a different record separator to cater for future IPv6 support
  • Advanced Allow/Deny Filters now use | as the separator character to cope with IPv6 addresses. Legacy support remains for the old : separator for IPv4 addresses, though these should also now use | as the field separator
  • In Server Check report, don’t issue IPv6 warning if only ::1/128 is bound to a NIC (i.e. loopback)
  • Upgraded Net::CIDR::Lite to v0.21
  • Upgraded from IP::Countries to Geography::Countries

New cxs v1.27

Changes:

  • Fixed issue introduced in v1.26 that prevented ignoring of hdir and hfile options in an ignore file

New cxs v1.26

Changes:

  • Skip processing a home directory of / when using --all
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v5.03

Changes:

  • Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK
  • Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites
  • Changed DA default configuration of FTPD_LOG to “/var/log/secure”
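The LF_DISTFTP rule described above can be pictured as a per-account sliding window over successful logins. The following is an added example, not csf/lfd code: the log format, the threshold values and the sliding-window reading of "in LF_INTERVAL" are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Names follow the csf.conf options; the values are constructed for this demo.
LF_DISTFTP = 4        # successful logins to one account ...
LF_DISTFTP_UNIQ = 3   # ... from at least this many distinct IPs ...
LF_INTERVAL = 300     # ... within this many seconds

# Constructed, simplified log format (not a real FTP daemon's output).
LINE_RE = re.compile(r"^(\S+ \S+) ftp-login-ok user=(\S+) ip=(\S+)$")

SAMPLE_LOG = """\
2012-01-10 10:00:00 ftp-login-ok user=alice ip=192.0.2.10
2012-01-10 10:00:05 ftp-login-ok user=webshop ip=198.51.100.7
2012-01-10 10:00:40 ftp-login-ok user=webshop ip=203.0.113.21
2012-01-10 10:01:10 ftp-login-ok user=webshop ip=198.51.100.7
2012-01-10 10:02:30 ftp-login-ok user=webshop ip=203.0.113.99
2012-01-10 10:20:00 ftp-login-ok user=alice ip=192.0.2.10
2012-01-10 10:20:30 ftp-login-ok user=alice ip=192.0.2.10
2012-01-10 10:21:00 ftp-login-ok user=alice ip=192.0.2.10
"""

def detect_distftp(lines, logins=LF_DISTFTP, uniq=LF_DISTFTP_UNIQ, interval=LF_INTERVAL):
    """Return {account: set of IPs to block} for accounts that crossed both thresholds."""
    windows = defaultdict(deque)   # account -> (timestamp, ip) pairs still in the window
    blocks = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip anything that is not a successful login
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
        account, ip = m.group(2), m.group(3)
        win = windows[account]
        win.append((ts, ip))
        while win and ts - win[0][0] > interval:   # expire logins older than the interval
            win.popleft()
        ips = {seen_ip for _, seen_ip in win}
        # Both conditions must hold: enough logins AND enough distinct sources.
        if len(win) >= logins and len(ips) >= uniq:
            blocks[account] |= ips
    return dict(blocks)

if __name__ == "__main__":
    for account, ips in detect_distftp(SAMPLE_LOG.splitlines()).items():
        print(account, sorted(ips))
```

In the constructed sample, alice logs in four times from a single address and is left alone, while webshop trips the rule and every address seen in its window is returned for blocking.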

New csf v5.02

Changes:

  • Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allow sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information
  • Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. These default to the original values previously hard-coded
  • Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and to allow connections to locally configured IPs as well
  • Modified lfd code to ignore any 127.0.0.0/8 address, not just 127.0.0.1
  • Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP
  • Added lfd check to enforce 0600 permissions on /etc/csf/

New cxs v1.25

Changes:

  • Improved handling of --decode failures
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v5.01

Changes:

  • Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
  • Added new CLI option csf --tempallow (csf -ta) which works in exactly the same way as csf --tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries
  • Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers
  • Updated UI entry for adding and removing temporary allows and blocks
  • Display temporary block TTL in days, hours, minutes and seconds
  • Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information
  • Modified csf and lfd init scripts to be LSB-compliant
  • Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts
  • Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error

New cmc v1.02

Changes:

  • Create/modify /scripts/posteasyapache to rename the script /etc/cron.hourly/modsecparse.pl out of the way if the option to Disable it is used (you may need to enable and disable the option on existing installations to create the /scripts/posteasyapache entry)
  • Added a timed refresh to the ModSecurity Log view