Server Software and Configuration Services
New cmc v2.00
Changes:
- Added Easyapache v4 support
- Removed references to modsecparse.pl as it is no longer used by cPanel
- Fixed modify file list to only list actual files
ConfigServer Services Blog
New csf v8.06
Changes:
- Added port 24441 to UDP_OUT and UDP6_OUT for new installs on cPanel servers for Pyzor that was added by cPanel in v11.52
- Support added for EasyApache4 log locations in cPanel from /etc/cpanel/ea4/paths.conf
- Added more executable files to csf.pignore on cPanel servers for cPanel EasyApache4
- Modify Server Check to support cPanel EasyApache4
- Added regex to support cPanel/WHM login failures with the new log format in v11.52+
- If mod_ruid2 is enabled do not check for mod_userdir in Server Check
- Always ensure binary exists and is executable before performing processing during Server Check
- Modified ProFTPD regex to support more formats
- vsftpd inbuilt log file format regex added
- Modified cPanel antirelayd Server Check to also support popbeforesmtp added in v11.52
- Added dbus and time systemd regexes to csf.logignore for new installs
New csf v8.05
Changes:
- Added alarms to HOST binary calls
- Added new csf CLI option: –rbl [email]. This generates the report checking IP addresses against a set of RBLs. Optional configuration is available through /etc/csf/csf.rblconf
- Added UI to utilise the new –rbl [email] option
- Added systemd status output after lfd restart via the csf CLI
- Modified Server Check to only report bind if a named configuration file exists
- Require cPanel resellers to enter a Comment when allowing or denying an IP
- Added new option UI_IP to allow binding to a specific IP address for the integrated UI
New cxs v5.31
Changes:
- Ensure only root can attempt to download the bayes corpus
- Fixed POD reference to –bforget
- Fixed POD formatting of long example commands
- Updated Software Version Checking
- Exploit regex definitions database additions
- Exploit fingerprint definitions database additions
csf PT_USERKILL Recommendation
We wanted to reiterate the points made in the csf configuration and during csf restart regarding the PT_USERKILL option and the problems it can cause on servers as there appears to have been a spate of people enabling the option, which we do not recommend for stability reasons.
As csf itself now reports:
*WARNING* PT_USERKILL should not normally be enabled as it can easily lead to legitimate processes being terminated, use csf.pignore instead
And as stated in /etc/csf/csf.conf:
# Warning: We don't recommend enabling this option unless absolutely necessary # as it can cause unexpected problems when processes are suddenly terminated. # It can also lead to system processes being terminated which could cause # stability issues. It is much better to leave this option disabled and to # investigate each case as it is reported when the triggers above are breached
New csf v8.04
Changes:
- Added more executable files to csf.pignore on cPanel servers for cPanel v11.5*+
- Added warning to both csf output and Server Check report if PT_USERKILL is enabled
New csf v8.03
Changes:
- Fixed bug where iptables nat tables were not being flushed or grepped correctly
New csf v8.02
Changes:
- Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
- Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
- Added new csf CLI option: –lfd [stop|start|restart|status]. Actions to take with the lfd daemon
- Added new csf CLI option: -ra, –restartall. Restart firewall rules (csf) and then restart lfd daemon
- Fixed several output message typos for “FASTSTART”
- Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel
- Improve IPv6 detection on installation
- Implemented more efficient csf.conf loading in ConfigServer::Config
New csf v8.01
Changes:
- Modify ConfigServer::CheckIP to cope with entries not passed by reference
New csf v8.00
Changes:
- Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups
- Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for LF_NETBLOCK
- Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
- Added IPv6 support for LF_IPSET
- Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
- Added IPv6 support for X_ARF report where found in the Abusix Contact DB
- Added IPv6 nameserver support for /etc/resolv.conf
- Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed
- Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
- Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
- Added IPv6 support for SYNFLOOD
- Added flush of ip6tables nat table if ip6tables version >= 1.4.17
- Standardise all IPv6 addresses and networks to use the short form for consist representation
- Added FASTSTART support to LF_IPSET
- Increased ulimit -n to 4096 in /etc/init.d/lfd
- Included Net::IP for IP address manipulation
- Included version perl module for version comparisons
- Added missing csf.allow search to csf –grep
- Added Server Check report for LF_IPSET when using Country Code filters