New rkhunter v1.2.9

The rkhunter developer has finally released a long awaited update:

  • This release added support for RHEL WS/AS/ES 3 Taroon update 8, Fedora Core 5, and SuSE 10. Checks were added for packet capturing applications and processes using deleted files. The netstat check was enabled for AIX and the backdoor check was enabled for SunOS. Logfile specification and checks were added.

http://rkhunter.sourceforge.net/

Unfortunately, it looks like they still don’t support the most popular OS’s md5sums, i.e. RHEv4/CentOSv4

To upgrade:

/bin/rm -Rf rkhunter*
wget http://surfnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz
tar -xzf rkhunter-*
cd rkhunter-*
./installer.sh
cd ..
/bin/rm -Rf rkhunter*
rkhunter --update
rkhunter -c --skip-keypress

New csf v2.34

New feature:

  • Added a new option (beta for now) PT_SMTP. This option will check for outgoing connections to port 25, excluding root, exim and mailman. The purpose of the feature is to log SMTP connections if you believe you have a spammer on the server who is bypassing exim to send out spam emails – this is traditionally a very difficult form of spam to track down. The option currently logs relevant process information to lfd.log to avoid an email alert flood.
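To make the PT_SMTP idea concrete, here is an added example (not csf's or lfd's own code) of the same check in Python: it walks a snapshot of outgoing TCP connections, keeps those whose remote port is 25 and whose owning user is not root, exim or mailman, and formats one log line per hit rather than sending an alert. The record layout, the log-line format and the sample snapshot are all constructed for this example.

```python
"""Added example, not csf/lfd code: a PT_SMTP-style check over a
constructed connection table.  A process sending straight to port 25
under a cPanel account, instead of handing mail to the local MTA, is
what this flags."""
from dataclasses import dataclass

SMTP_PORT = 25
# Users the changelog says PT_SMTP excludes: the MTA and the list
# manager legitimately talk to port 25, and root is trusted here.
EXEMPT_USERS = frozenset({"root", "exim", "mailman"})


@dataclass(frozen=True)
class Conn:
    """One outgoing TCP connection (constructed layout, not netstat's)."""
    pid: int
    user: str
    cmd: str
    local: str    # "host:port"
    remote: str   # "host:port"


def remote_port(conn):
    """Port number of the remote end of a connection."""
    return int(conn.remote.rsplit(":", 1)[1])


def find_smtp_bypass(conns, exempt=EXEMPT_USERS):
    """Return connections to port 25 owned by a non-exempt user."""
    return [c for c in conns
            if remote_port(c) == SMTP_PORT and c.user not in exempt]


def log_lines(hits):
    """Format hits as lfd.log-style lines (format is this example's own)."""
    return [f"*PT_SMTP* user:{h.user} pid:{h.pid} cmd:{h.cmd} -> {h.remote}"
            for h in hits]


# Constructed snapshot: an exim delivery, a root sendmail call, two
# cPanel account scripts (one on port 25, one on port 80) and a perl
# script under a second account also on port 25.
SAMPLE = [
    Conn(1201, "exim",   "/usr/sbin/exim -bd",     "203.0.113.5:41000", "198.51.100.7:25"),
    Conn(2310, "root",   "/usr/sbin/sendmail -t",  "203.0.113.5:41002", "198.51.100.9:25"),
    Conn(4412, "acct01", "/usr/bin/php script.php", "203.0.113.5:41010", "192.0.2.20:25"),
    Conn(4413, "acct01", "/usr/bin/php index.php", "203.0.113.5:41011", "192.0.2.30:80"),
    Conn(4414, "acct02", "/usr/bin/perl mail.pl",  "203.0.113.5:41012", "192.0.2.40:25"),
]

if __name__ == "__main__":
    for line in log_lines(find_smtp_bypass(SAMPLE)):
        print(line)
```

Only the two account-owned connections to port 25 survive the filter; the exim and root connections and the account's port-80 connection do not. On a real host the table would be built from the kernel's socket list plus the process owner of each PID, which is exactly the detail lfd writes to lfd.log.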

Serious cPanel Security Problem

A major security flaw has been found and is being actively exploited in cPanel. The exploit gives an authenticated user (i.e. someone who has access to a cPanel account) an escalation that gives them root access. cPanel have fixed the hole and most people will have been secured overnight. To be sure I would suggest everyone runs a forced upcp update on their servers:

/scripts/upcp --force

Some links:

http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html
http://forums.cpanel.net/showthread.php?t=58090

New csf v2.33

Changes:

  • Code modification to allow csf+lfd to run without erroring on cPanel DNS-Only installations
  • Added forced error checking on SMTP blocking iptables commands
  • Added check in csf and lfd for duplicate settings in csf.conf

New csf v2.32

Changes:

  • Added new option SMTP_ALLOWLOCAL to allow local connections to port 25 for web scripts, etc, if SMTP_BLOCK is enabled
  • Added check to csf startup to fail if “WHM > Tweak Security > SMTP Tweak” is enabled otherwise it can break SMTP traffic completely. The SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used instead

New csf v2.31

Changes:

  • Added automatic throttling code to help prevent lfd using excessive resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If the sub process takes too long to run, the interval between its next run is increased temporarily (for the duration lfd runs for, a restart will reset it) and will continue to extend this time to prevent excessive server load. However, it will also proportionately increase the time given for the sub process to complete so that it can at least attempt to get the check done. If you see throttling messages appearing in the lfd.log you should consider increasing the process interval as indicated permanently (i.e. within csf.conf)
  • Added throttling to CT_INTERVAL

New csf v2.29

Changes:

  • New feature – User Process Tracking. This option enables the tracking of the number of process any given cPanel account is running at one time. If the number of processes exceeds the value of the PT_USERPROC setting an email alert is sent with details of those processes. A user is only reported once, so lfd must be restarted to reinstate checking of all users. If you specify a user in csf.pignore it will be ignored. The alert file is useralert.txt
  • Added useralert.txt for editing through the WHM UI
  • Added PT_USERPROC to the Firewall Security Level settings
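As an added illustration of the User Process Tracking rule (example code, not lfd's own): count the processes owned by each user in a `ps -eo user,pid,args` style listing, raise an alert when a user exceeds PT_USERPROC, skip users that would be listed in csf.pignore, and remember each user so it is reported only once until the tracker is restarted. The threshold, the ignore list and the process listing are constructed for this example.

```python
"""Added example, not lfd code: a PT_USERPROC-style tracker over a
constructed `ps -eo user,pid,args` listing."""
from collections import Counter

PT_USERPROC = 3                            # constructed threshold
PIGNORE = frozenset({"root", "mailman"})   # stands in for csf.pignore users


def parse_ps(text):
    """Parse `ps -eo user,pid,args` output into (user, pid, args) tuples,
    skipping the header line."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        user, pid, args = line.split(None, 2)
        rows.append((user, int(pid), args))
    return rows


class UserProcTracker:
    def __init__(self, limit=PT_USERPROC, ignore=PIGNORE):
        self.limit = limit
        self.ignore = ignore
        self.reported = set()   # users already alerted on; cleared by restart

    def check(self, ps_text):
        """Return {user: [(user, pid, args), ...]} for every user that is
        newly over the limit; an empty dict means nothing to report."""
        procs = parse_ps(ps_text)
        counts = Counter(user for user, _, _ in procs)
        alerts = {}
        for user, n in counts.items():
            if n <= self.limit or user in self.ignore or user in self.reported:
                continue
            alerts[user] = [p for p in procs if p[0] == user]
            self.reported.add(user)   # only report a user once
        return alerts


# Constructed listing: root and mailman are over the limit but ignored,
# acct01 is over the limit, acct02 is under it.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 /sbin/init
root       812 /usr/sbin/sshd
root      1201 crond
root      1202 /usr/sbin/exim -bd
mailman   2001 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner
mailman   2002 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner
mailman   2003 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner
mailman   2004 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner
acct01    3001 /usr/bin/php /home/acct01/public_html/cron.php
acct01    3002 /usr/bin/php /home/acct01/public_html/cron.php
acct01    3003 /usr/bin/php /home/acct01/public_html/cron.php
acct01    3004 /usr/bin/perl /home/acct01/bin/worker.pl
acct02    4001 /usr/bin/php /home/acct02/public_html/index.php
"""

if __name__ == "__main__":
    tracker = UserProcTracker()
    for user, procs in tracker.check(SAMPLE_PS).items():
        print(f"*USERPROC* {user} is running {len(procs)} processes (limit {tracker.limit}):")
        for _, pid, args in procs:
            print(f"    {pid:>6}  {args}")
    print("second pass reports:", tracker.check(SAMPLE_PS))
```

The second pass returns nothing because acct01 is already in `reported`, which is the behaviour the changelog describes: once a user has been alerted on, only restarting lfd reinstates checking for that user.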

New csf v2.26

Changes:

  • Fixed a mis-configuration for outgoing global deny rule – Thanks to Marie from Jagwire Hosting
  • Allow advanced allow and block filters using the -a and -d options when running csf in CLI
  • Added new option LF_SELECT. If you have LF_TRIGGER set to “0” and the application trigger levels set, you can now set LF_SELECT to “1” if you only want to block IP access to that application instead of a complete block
  • Changed installer behaviour to only add SSH port to TCP_IN if TESTING is set to “1” – done to help those that don’t want to always have the SSH port opened