ConfigServer Services Blog

Changes:

• Fixed bug introduced in v5.04 that omitted two outgoing DNS lookup rules that could affect servers where iptables connection tracking isn’t working correctly

Changes:

• Increased PT_USERMEM default to 200 from 100 for new installations
• Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for report generation in lfd which caused lfd to fail in Net::CIDR::Lite

Changes:

• Updated the Server Check report IPv6 text
• Fixed ip6tables command execution in iptables firewall during startup

New

Changes:

• Added BETA IPv6 support. See csf.conf for more information on the new settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT
• New CLI option csf –status6 (csf -l6) added to list ip6tables rules
• Changed temporary DENY and ACCEPT working file formats to use a different record separator to cater for future IPv6 support
• Advanced Allow/Deny Filters now use | as the separator character to cope with IPv6 addresses. Legacy support remains for the old : separator for IPv4 addresses, though these should also now use | as the field separator
• In Server Check report, don’t issue IPv6 warning if only ::1/128 is bound to a NIC (i.e. loopback)
• Upgraded Net::CIDR::Lite to v0.21
• Upgraded from IP::Countries to Geography::Countries

We have tested and confirmed functionality of csf on the latest Ubuntu 10.04 LTS.

Changes:

• Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK
• Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites
• Changed DA default configuration of FTPD_LOG to “/var/log/secure”

Changes:

• Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information
• Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. These default to the original values previously hard-coded
• Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and allows connection to locally configured IPs as well
• Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1
• Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP
• Added lfd check to enforce 0600 permissions on /etc/csf/