ConfigServer Services Blog

New csf v4.87

Changes:

  • Ignore csf.rignore for LT_POP3D and LT_IMAPD
  • Removed unnecessary csf.locks during some GLOBAL list updates
  • Updated Copyright notice
  • Modified the block message for LF_MODSEC and LF_SUHOSIN to be more appropriate (i.e. not “login failures”)
  • Added new block options for BIND denied requests: LF_BIND, LF_BIND_PERM, BIND_LOG. This works in the same way as the other similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have had BIND (named) requests denied more than LF_BIND times in LF_INTERVAL seconds. Currently named client denied log lines for “update” and “zone transfer” trigger the option
  • Modified GLOBAL_ routines to continue if retrieval for one fails instead of immediately exiting
  • Added IPv6 check to Server Check
  • Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled on single line comments (lfd.log, csf.deny, etc)
  • Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the respective email alerts can be disabled
  • Updated IP::Country

New cxs v1.12

Changes:

  • New option (-X, --xtra [file]) to allow custom regular expression matches and filenames that cxs will additionally scan for
  • Exploit fingerprint definitions database additions

SpamAssassin FH_DATE_PAST_20XX 0.0 rule bug

There’s a bug in SpamAssassin that the developers have yet to fix in sa_update that is causing problems since the turnover to 01/01/2010:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269

The bug causes every email sent since 01/01/2010 to receive a spam score of 3.19, whether it is spam or not. If you’re running our MailScanner package you can do the following to zero score that rule and alleviate the problem:

echo score FH_DATE_PAST_20XX 0.0 >> /etc/mail/spamassassin/configserver.cf

New cxs v1.11

Changes:

  • Modified hidden image text file to exclude most FrontPage extensions files
  • Exploit regex definitions database additions
  • Exploit fingerprint definitions database additions

New csf v4.86

Changes:

  • Added Dovecot regex checking for LT_POP3D and LT_IMAPD
  • Modified Server Check for Fedora v10 EOL now that Fedora v12 has been released
  • Improved Dovecot IMAP and POP3D login failure regex
  • Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD
  • Fixed TLSCipherSuite Server Check for proftpd
  • Added SSHD regex for “Did not receive identification string from IP” failures

New cxs v1.10

Changes:

  • Added new check to suspicious file routine to detect text files hiding as image files
  • Made file extension checks case-insensitive
  • Exploit fingerprint definitions database additions

New RootKit Hunter v1.3.6

Rkhunter have released a new version of the root kit scanner:

http://sourceforge.net/forum/forum.php?forum_id=1050043

Upgrade for our service package:

wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.6.tar.gz
tar -xzf rkhunter-1.3.6.tar.gz
cd rkhunter-1.3.6
./installer.sh --layout default --install

It does appear to currently throw a false-positive on CentOS v4.8 systems, but you should check this:

Warning: Checking for possible rootkit strings

New csf v4.85

Changes:

  • Further improvements to ICMP rule filters
  • Added backup mod_security log viewer for non-cPanel servers

New cmc v1.01

Changes:

  • Fixed broken image icon in the WHM header
  • Switched to a proportional font to display the mod_security log entries to better fit the browser window
  • Increased the number of mod_security log lines displayed from 40 to 200
  • Fixed a display formatting issue with the mod_security log entries