ConfigServer Services Blog

cxs False-positive: [P0388]

You may see a false-positive in cxs after a recent release of fingerprint detections:

# Known exploit = [Fingerprint Match] [PHP Exploit [P0388]]

To remove the false-positive, run the following:

rm -fv /etc/cxs/new.fp
cxs -U

Our apologies for any confusion that this may have caused.

New csf v6.43

Changes:

  • Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
  • RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to “3” is the recommended option
  • Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
  • csf --dr modified to remove matching IPs from csf.tempip
  • File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit


New cxs v4.16

Changes:

  • Updated POD to reflect --[no]fallback being disabled by default
  • Changed default value of --Wsymlinkmax to 1000
  • Changed default value of --Wsymlinksec to 10
  • Added performance note about using --Wsymlink [script] to POD
  • Modified cxswatch restart routine to run /etc/cxs/cxswatch.sh directly
  • Modified cxswatch to more quickly detect restart requests on busy systems
  • Exploit fingerprint definitions database additions


New csf v6.42

Changes:

  • New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option “3” which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
  • Those running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
  • csf UI option added for editing csf.syslogusers
  • Fixed a bug in PT_LOAD not producing PS output


New csf v6.41

Changes:

SECURITY WARNING:

  • Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines).
  • Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst.
  • Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users.
  • There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default.
  • See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice.
  • NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd, so you should use other such scripts with care.
  • Our thanks go to Rack911.com for bringing this issue to our attention
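The root cause in the warning above is a syslog unix socket that every local account can write to. The following audit script is an added example, not code from ConfigServer or from csf itself: it checks the socket paths that csf v6.43's RESTRICT_SYSLOG_GROUP change names (/dev/log and the CloudLinux cagefs skeleton copy) and reports any that are still world-writable, which is the condition RESTRICT_SYSLOG option "3" is meant to remove. The function names, the SocketFinding record and the throwaway demo socket are all assumptions made for this example; the real socket paths are only read, never modified.

```python
import os
import socket
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Socket paths named in the csf v6.43 changelog. The cagefs path only exists
# on CloudLinux hosts; paths that are missing or not sockets are skipped.
DEFAULT_SYSLOG_SOCKETS = (
    "/dev/log",
    "/usr/share/cagefs-skeleton/dev/log",
)


@dataclass
class SocketFinding:
    """Permission summary for one syslog socket (name chosen for this example)."""
    path: str
    mode: int            # permission bits only, e.g. 0o666
    world_writable: bool
    group_writable: bool


def inspect_syslog_socket(path: str) -> Optional[SocketFinding]:
    """Return permission details for the unix socket at `path`.

    Returns None when the path is absent or is not a socket: a regular file
    or dangling symlink called 'log' is not a syslog input and is ignored.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISSOCK(st.st_mode):
        return None
    perm = stat.S_IMODE(st.st_mode)
    return SocketFinding(
        path=path,
        mode=perm,
        world_writable=bool(perm & stat.S_IWOTH),
        group_writable=bool(perm & stat.S_IWGRP),
    )


def audit_syslog_sockets(paths: Iterable[str] = DEFAULT_SYSLOG_SOCKETS) -> List[SocketFinding]:
    """Return the sockets from `paths` that any local user can write to.

    A world-writable syslog socket is exactly the v6.41 warning: any local
    account can inject lines that look identical to those from real services.
    RESTRICT_SYSLOG_GROUP closes this by leaving the socket writable only to
    a named group (the accounts listed in /etc/csf/csf.syslogusers).
    """
    exposed = []
    for p in paths:
        finding = inspect_syslog_socket(p)
        if finding is not None and finding.world_writable:
            exposed.append(finding)
    return exposed


def make_demo_socket(path: str, mode: int) -> socket.socket:
    """Create a throwaway unix datagram socket with explicit permissions.

    Only used so the audit can be exercised without touching the real
    /dev/log; the caller is responsible for closing and unlinking it.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    os.chmod(path, mode)
    return s


def demo_before_and_after():
    """Show the audit on a constructed socket: 0666 is flagged, 0660 is not.

    Returns (exposed_with_0666, exposed_with_0660) as booleans.
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "log")
        s = make_demo_socket(p, 0o666)
        try:
            before = bool(audit_syslog_sockets([p, os.path.join(d, "missing")]))
            os.chmod(p, 0o660)           # the RESTRICT_SYSLOG_GROUP end state
            after = bool(audit_syslog_sockets([p]))
        finally:
            s.close()
        return before, after


if __name__ == "__main__":
    for f in audit_syslog_sockets():
        print(f"{f.path}: mode {f.mode:04o} is world-writable; "
              "any local user can spoof syslog lines")
    print("demo (0666 flagged, 0660 clean):", demo_before_and_after())
```

Run it as root on the host to see the live result; an empty list after setting RESTRICT_SYSLOG to "3" confirms the socket is no longer open to every local user, while `demo_before_and_after()` exercises the same check on a temporary socket so the logic can be tried anywhere.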

Other changes:

  • UI design updates and fixes
  • Modify Apache regex to support log lines containing thread ID
  • Prevent lfd from blocking CIDRs triggered from log lines

New cxs v4.15

Changes:

  • Memory usage improvements and general speedups
  • Added the ability to use negative --options [-][], i.e. the default list of options is used apart from those listed when prefixed with a minus
  • --[no]fallback now defaults to --nofallback due to performance concerns which should be noted before enabling the option
  • Exploit fingerprint definitions database additions


New cxs v4.14

Changes:

  • Force cxs into a detached process if running --upgrade as a CRON job to fix upgrade hanging issue


New cxs v4.13

Changes:

  • Significant speedups in regex (up to 300% faster) and FP matching
  • Exploit fingerprint definitions database additions