ConfigServer Services Blog

Changes:

• Modified RESTRICT_SYSLOG_GROUP to always include /dev/log and /usr/share/cagefs-skeleton/dev/log, if a socket, if syslog/rsyslog process is not found and also to cater for systems using systemd (e.g. Fedora, RHEL v7, etc)
• RESTRICT_SYSLOG_GROUP taken out of BETA as it appears stable and effective. Setting RESTRICT_SYSLOG to “3” is the recommended option
• Updated readme.txt RESTRICT_SYSLOG mitigations to include CloudLinux method to disable access to caged /dev/log
• csf –dr modified to remove matching IPs from csf.tempip
• File globbing is now allowed for all *_LOG file settings in csf.conf. However, be aware that the more files lfd has to track, the greater the performance hit

Changes:

• New BETA option RESTRICT_SYSLOG_GROUP. This has been added for a new RESTRICT_SYSLOG option “3” which restricts write access to the syslog/rsyslog unix socket(s). See csf.conf and the new file /etc/csf/csf.syslogusers for more information
• Those running our MailScanner implementation, you must be running at least ConfigServer MailScanner Script v2.91 for logging to work with RESTRICT_SYSLOG_GROUP
• csf UI option added for editing csf.syslogusers
• Fixed a bug in PT_LOAD not producing PS output

Changes:

SECURITY WARNING:

• Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines).
• Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst.
• Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users.
• There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default.
• See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice
• NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd. So you should use other such scripts with care
• Our thanks go to Rack911.com for bringing this issue to our attention

Other changes:

• UI design updates and fixes
• Modify Apache regex to support log lines containing thread ID
• Prevent lfd from blocking CIDRs triggered from log lines