csf

Changes:

• Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations
• Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain
• Added /etc/cron.d/lfdcron.sh to restart lfd daily
• Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore
• Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+
• As per RFC5322, adding port 587 to the default TCP_IN list of ports for new installations (i.e. it is now recommended for SMTP servers to offer port 587 access for MUA to MTA traffic rather than port 25 which is for MTA to MTA traffic)
• Added informational text to Process Tracking email report if a process is running an executable that has been deleted
• Added csf version to the daemon startup log line in lfd.log

Changes:

• Added /usr/libexec/hald-addon-keyboard to csf.pignore
• Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help the situation where some servers iptables block outgoing port 53 udp connections despite the port being open
• Added new option DNS_STRICT which will remove all static DNS rules and allow access only through SPI. For stability reasons, it would be advisable to leave this option disabled (default)

Changes:

• Modified skip for su login checking from root to cater for (uid=0)
• Added option SYNFLOOD_BURST to allow configuration of –limit-burst when SYNFLOOD is enabled. Changed default values
• Added to –grep searches to csf.deny and temporary blocks in addition to iptables
• Modified SSH regex to improve login failures detection further
• Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
• Added vsftpd regex for ftp login failures

Apologies for the multiple releases today:Changes:

• Modified SSH regex to check for ipv6 addresses
• Added another regex to improve SSH matching

Changes:

• Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd
• The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
• Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
• Option LF_SCRIPT_PERM removed

Our thanks to Jeff Petersen for the detailed information describing these issues.We recommend that all users of csf upgrade to this new version

Changes:

• Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
• Modified relay tracking to not ignore RELAYHOST IP’s
• Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP’s
• LF_SUHOSIN will now skip matches for “script tried to increase memory_limit”

Changes:

• Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny

Changes:

• Added new CLI option to csf, -g –grep will search the iptables chains for a specified match which is either explicit or part of a CIDR
• Added WHM UI option for csf –grep
• Added new CLI option to csf, -dr –denyrm will remove an IP address from csf.deny and unblock it
• Added WHM UI option for csf –denyrm

Changes:

• Added csf.suignore file where you can list usernames that are ignored during the LF_EXPLOIT SUPERUSER test
• New option PT_LOAD_ACTION added that can contain a script to be run if PT_LOAD triggers an event. See csf.conf for more information
• Added SUPERUSER check to Server Check Report
• Added Suhosin check to Server Check Report