ConfigServer Services Blog

New csf v3.34

Changes:

  • Modified regex matching to allow for trailing spaces in log lines
  • Modified PT_LOAD routine to prevent multiple triggers resulting in more than one alert email being sent
  • Removed the need for NETSTAT from lfd to reduce overheads and improve performance allowing CT_INTERVAL to be set lower. Now uses /proc/net/[protocol]
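
How per-IP connection counts can be read from /proc/net/tcp without calling netstat, as an added example that is not csf's own code. The sample table, the function names and the `limit` parameter are constructed for illustration; it assumes IPv4 rows written by a little-endian host (IPv6 lives in /proc/net/tcp6 and is not handled here).

```python
import socket
import struct
from collections import Counter

TCP_STATES = {"01": "ESTABLISHED", "03": "SYN_RECV", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 010200C0:0050 0A0200C0:C350 01 00000000:00000000 00:00000000 00000000    99        0 1002
   2: 010200C0:0050 0A0200C0:C351 01 00000000:00000000 00:00000000 00000000    99        0 1003
   3: 010200C0:0050 0A0200C0:C352 03 00000000:00000000 00:00000000 00000000     0        0 0
   4: 010200C0:0016 076433C6:D431 01 00000000:00000000 00:00000000 00000000     0        0 1004
   5: 010200C0:0050 057100CB:E0F2 06 00000000:00000000 00:00000000 00000000     0        0 0
"""

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port); the address is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Yield (local, remote, state) for each socket row, skipping the header line."""
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4:
            continue  # blank or truncated row
        yield decode_endpoint(cols[1]), decode_endpoint(cols[2]), TCP_STATES.get(cols[3], cols[3])

def connections_per_ip(text, ports=None):
    """Count non-listening sockets per remote IP, optionally only for given local ports."""
    counts = Counter()
    for (_lip, lport), (rip, _rport), state in parse_proc_net_tcp(text):
        if state == "LISTEN" or (ports and lport not in ports):
            continue
        counts[rip] += 1
    return counts

def over_limit(text, limit, ports=None):
    """Return remote IPs holding more than `limit` connections (hypothetical threshold)."""
    return sorted(ip for ip, n in connections_per_ip(text, ports).items() if n > limit)

if __name__ == "__main__":
    # On a Linux host, replace SAMPLE with open("/proc/net/tcp").read()
    print(connections_per_ip(SAMPLE))
    print(over_limit(SAMPLE, limit=2))
```

Reading the table is a single file read with no child process, which is why the polling interval can be shortened without the cost of spawning netstat each cycle.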

New ClamAV v0.93.1

Changes:

  • This version improves handling of PDF, CAB, RTF, OLE2 and HTML files and includes various bugfixes for 0.93 issues

If you use MSFE you can upgrade using the UI.

New csf v3.33

Changes:

  • Modified skip for su login checking from root to cater for (uid=0)
  • Added option SYNFLOOD_BURST to allow configuration of --limit-burst when SYNFLOOD is enabled. Changed default values
  • Added csf.deny and temporary blocks to --grep searches, in addition to iptables
  • Modified SSH regex to improve login failures detection further
  • Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
  • Added vsftpd regex for ftp login failures

New csf v3.32

Apologies for the multiple releases today.

Changes:

  • Modified SSH regex to check for ipv6 addresses
  • Added another regex to improve SSH matching

New csf v3.31

Changes:

  • Modified --denyrm to abort if left blank instead of clearing all blocks
  • Added lfd check for existing temporary block to avoid duplicates
  • Fixed regex handling for courier-imap POP and IMAP login failures
  • Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading
  • Fixed typo in Suhosin description in the Server Check Report
  • Added Referrer Security to the Server Check Report
  • Added register_globals check in cPanel php.ini to Server Check Report

New csf v3.30 (Security Fix)

Changes:

  • Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd
  • The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
  • Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
  • Option LF_SCRIPT_PERM removed

Our thanks to Jeff Petersen for the detailed information describing these issues. We recommend that all users of csf upgrade to this new version.

cPanel breaks your MTA with 11.23.0-EDGE_24083 and 11.23.0-CURRENT_24083

If you’re running either of the builds listed above, then you could have a broken MTA.

For some bizarre reason, cPanel decided to add a new feature that breaks the standard MTA configuration of sending out all email on a server’s main IP address. Their change is to send it out on the IP address of the sending domain. This means that unless the rDNS PTR records for all of your server’s IP addresses are set to your hostname, a large number of receiving MTAs on the internet will either treat incoming email as spam or simply bounce it.

In their wisdom, cPanel have made this massive MTA change the new default in EDGE and CURRENT, changing the status quo without your knowledge or indeed control. You cannot currently disable this change and revert to the way the MTA should work.

In the short term, you can delete /etc/mailips and add a line to /scripts/postupcp to remove that file; however, this still leaves a window between upcp running /scripts/updateuserdomains and /scripts/postupcp running when your outgoing email could be broken.

Apparently this change was made to benefit the use of SPF records. Since that technology has proven to provide little or no benefit, and there are no requirements whatsoever in the MTA RFCs to use SPF, it seems bizarre that cPanel has taken this route as their default configuration.

Note: MTA ~ SMTP Server

New csf v3.28

Changes:

  • Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
  • Modified relay tracking to not ignore RELAYHOST IPs
  • Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IPs
  • LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

New csf v3.27

Changes:

  • Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny