ConfigServer Services Blog

New csf v7.04

Changes:

  • Added new option LF_DIST_ACTION. If LF_DISTFTP or LF_DISTSMTP is triggered, then if LF_DIST_ACTION is a path to a script, it will run the script and pass arguments to it. See csf.conf for more info
  • Added limit check on VPS servers when using FASTSTART to ensure there are sufficient numiptents available for all of the iptables rules in that block
  • Modified SMTPAUTH_RESTRICT to add ::1 as a standalone IP to /etc/exim.smtpauth
  • Fixed LF_BIND – BIND_LOG was not being added to the log list to watch
  • On DirectAdmin servers, added new feature LF_DIRECTADMIN. This option scans DIRECTADMIN_LOG for failed logins and blocks accordingly
  • Fixed typo in csf.conf

New cxs v5.01

Changes:

  • Raised bayes low/medium/high thresholds
  • New master bayes corpus generated
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

 

New cxs v5.00

Changes:

  • New feature –[no]bayes taken out of BETA and is the basis of v5
  • Added –[no]bayes to the UI
  • New master bayes corpus generated
  • Added warning in UI for –[no]fallback option regarding potential performance impact
  • Exploit fingerprint definitions database additions

New cxs v4.27

Changes:

  • Modified cxs Watch so that watches are updated/created if the alternative configuration file reload method is used
  • Exploit fingerprint definitions database additions
  • BETA: Added a local bayes corpus so that learning and forgetting can be implemented locally
  • BETA: Added new option –blearn [X|C] so that new files can be added to the local corpus as either an exploit (X) or as a clean file (C)
  • BETA: Added new option –bforget [X|C] so that new files can be removed from the local corpus as either an exploit (X) or as a clean file (C). Only files previously learned should be forgotten
  • BETA: Modified cxs Watch to reload the master bayes corpus on change
  • BETA: Modified cxs Watch to reload the local bayes corpus, if one exists, on change
  • BETA: When cxs is upgraded and the master bayes corpus exists, the latest master corpus will be automatically downloaded
  • BETA: New master bayes corpus generated
  • BETA: Raised bayes low/medium/high thresholds

 

Security: Chkrootkit Exploit and Fix

An exploitable security bug has been found in chkrootkit:

http://www.securityfocus.com/bid/67813

Chkrootkit has released v0.50 to fix this issue and make improvements:

http://www.chkrootkit.org/

This is our preferred procedure for compiling and creating a script to run chkrootkit:

cd /root
rm -Rfv chkrootkit-0.*
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-0.50
make sense
chmod +x chkrootkit
cd ..
echo '
cd /root/chkrootkit-0.50
./chkrootkit -q
' > /root/chkrootkit.sh
chmod +x chkrootkit.sh
chown -R root:root chkrootkit*
rm -fv chkrootkit.tar.gz

Crontab then runs /root/chkrootkit.sh on a regular basis.

New cxs v4.25

Changes:

  • Fingerprint P0452 removed as it appears some legitimate scripts are using the same obfuscation technique commonly used in exploits
  • BETA: Bayes corpus size decreased by a further 28% but with increased accuracy
  • Exploit fingerprint definitions database additions

 

New cxs v4.24

Changes:

  • BETA: Bayes corpus format improved – if you are using this feature, download the new corpus using “cxs –bget”
  • BETA: Bayes corpus memory footprint decreased by a further 20%
  • BETA: Bayes corpus loading speed improvements