ConfigServer Services Blog

New csf v5.03

Changes:

  • Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK
  • Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites
  • Changed DA default configuration of FTPD_LOG to “/var/log/secure”

New csf v5.02

Changes:

  • Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information
  • Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. These default to the original values previously hard-coded
  • Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and allows connection to locally configured IPs as well
  • Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1
  • Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP
  • Added lfd check to enforce 0600 permissions on /etc/csf/

New cxs v1.25

Changes:

  • Improved handling of –decode failures
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v5.01

Changes:

  • Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)
  • Added new CLI option csf –tempallow (csf -ta) which works in exactly the same way as csf –tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries
  • Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers
  • Updated UI entry for adding and removing temporary allows and blocks
  • Display temporary block TTL in days hours minutes and seconds
  • Added new CLI option csf –watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information
  • Modified csf and lfd init scripts to be LSB-compliant
  • Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts
  • Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error

New cmc v1.02

Changes:

  • Create/modify /scripts/posteasyapache to rename the script /etc/cron.hourly/modsecparse.pl out of the way if the option to Disable it is used (you may need to enable and disable the option on existing installations to create the /scripts/posteasyapache entry)
  • Added a timed refresh to the ModSecurity Log view

New csf v5.00

Changes:

  • lfd Clustering, final release. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications
  • Added new option LF_DISTATTACK. Distributed Account Attack detection. This option will keep track of login failures from distributed IPs to a specific application account. If the number of failures matches the trigger value, ALL of the IP addresses involved in the attack will be blocked. This option is currently disabled by default – see csf.conf for more information
  • Added new option PT_USERKILL_ALERT if you want to disable email alerts for PT_USERKILL triggers. This option is enabled by default, i.e. alerts are sent
  • Added new options LF_QUICKSTART in csf.conf and CLI options -q, –startq, -sf, –startf to allow deferral of csf startup to lfd instead of waiting for the CLI to perform the work. See the CLI help and csf.conf for more information
  • Added UI option for “Firewall Quick Restart” which uses csf -q, “Firewall Restart” uses csf -sf
  • lfd now restarts csf (if stopped and LF_CSF enabled) within the main process to enhance the integrity of the firewall
  • Multiple login failure regex detection improvements
  • Fixed typos in permblock.txt

New cxs v1.24

Changes:

  • Improvements to –decode [file]
  • Add the cxs command line to a report even if the scan report is empty
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New cxs v1.23

Changes:

  • Fixed a false-positive detection of c/c++ source files
  • Added filename legend to View option UI in Other Files
  • For single or multiple user scans, Symlinks within the homedir will now be ignored
  • Removed [\;\|\`\\] regex checks from the [f] and [d] –options, as it appears to be of little value (you could always add back such a check using a similar regex entry in an xtra file)
  • Modified hidden text in image file check to only report if the text is script code
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions