ConfigServer Services Blog

New csf v6.45

Changes:

  • Modified LF_SCRIPT_ALERT to only report detected lines
  • Modified Server Check for sshd_config port to be case-insensitive
  • Modified PORTS_sshd check of sshd_config port to be case-insensitive
  • HTTP::Tiny upgraded to v0.042
  • Reverse sort temp bans in UI

 

New cxs v4.17

Changes:

  • Unsupported option --YSKIPWMAIL added. With this set, if --options [W] or --options [wW] is triggered, the directory will be chmod'ed as normal but no email will be sent. If any other option is triggered for the same scan, the email will still be sent. This option only applies to cxs Watch
  • Added full pseudo-breadcrumbs to cPanel csf UI
  • HTTP::Tiny upgraded to v0.042
  • On cPanel servers, use cPanel provided perldoc binary in UI if present
  • Exploit fingerprint definitions database additions

 

New csf v6.44

Changes:

  • File globbing is now allowed for logs listed in csf.logfiles and csf.syslogs
  • Added Server Reports recommendation for CloudLinux if running CentOS or RedHat
  • Added Server Reports CloudLinux security feature checks
  • Modified Server Report check for dovecot v2
  • Updated Server Report version checks for Fedora, MySQL and Apache
  • Added missing bracket to regex.custom.pm example
  • Added new PORTS_* options to csf.conf to allow custom modification of LF_SELECT application ports
  • Added Cached memory to the System Statistics
  • Added full pseudo-breadcrumbs to cPanel csf UI
  • Added new CLI and UI commands to backup/restore csf.conf and to apply preconfigured csf.conf profiles. See “man csf” and UI for more details of the “csf --profile [OPTIONS]” commands
  • HTTP::Tiny upgraded to v0.041

 

cxs False-positive: [P0388]

You may see a false-positive in cxs after a recent release of fingerprint detections:

# Known exploit = [Fingerprint Match] [PHP Exploit [P0388]]

To remove the false-positive, run the following:

rm -fv /etc/cxs/new.fp
cxs -U

Our apologies for any confusion that this may have caused.

New csf v6.43

Changes:

  • Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
  • RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to “3” is the recommended option
  • Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
  • csf -dr modified to remove matching IPs from csf.tempip
  • File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit

 

New cxs v4.16

Changes:

  • Updated POD to reflect --[no]fallback being disabled by default
  • Changed default value of --Wsymlinkmax to 1000
  • Changed default value of --Wsymlinksec to 10
  • Added performance note about using --Wsymlink [script] to POD
  • Modified cxswatch restart routine to run /etc/cxs/cxswatch.sh directly
  • Modified cxswatch to more quickly detect restart requests on busy systems
  • Exploit fingerprint definitions database additions

 

New csf v6.42

Changes:

  • New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option “3” which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
  • If you are running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
  • csf UI option added for editing csf.syslogusers
  • Fixed a bug in PT_LOAD not producing PS output