Fixed a SECURITY BUG in Quarantine file restore which could result in root privilege escalation. The destination restore file must not now exist before restoring will work. Our thanks to Jeff Petersen for reporting this issue
All cxs users should upgrade to this release immediately
Fixed a SECURITY BUG that can be exploited remotely via log file spoofing resulting in root privilege escalation. Our thanks to Jeff Petersen for reporting this issue
All csf users should upgrade to this release immediately
New –options [R]. It will trigger a match for the inbuilt regex used by –options [D] when decoding PHP encoded (base64, etc) scripts
Improvements to –decode ([D]) option so that both the last and the penultimate decode level are both scanned
Added improved code for dropping privileges to the “nobody” user while running the interactive php interpreter as root
Ensure Quarantine only works on files
Updated UI text for options
Removed duplicated regex definitions from the database now that –options [R] has been added. Be sure to add R to your –options lists if you specify them if you still want to trap these.
New feature: Connection Limit Protection (CONNLIMIT, CONNLIMIT_LOGGING). This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of concurrent new connections per IP address that can be made to specific ports. See csf.conf and readme.txt for more information and about the format of the CONNLIMIT option and its limitations
Minor csf UI Firewall Configuration virtual pagination improvements
Updated cPanel Server Check update settings for v11.30+
Removed cPanel Server Check for new versions due to changes in the v11.30+ versioning system making this redundant
Updated MySQL Server Check for v5.1.*
Added a warning to csf.conf for SYNFLOOD to only enable the option if you know you are under a SYN flood attack as it will restrict all new connection to the server if triggered
New Feature – Added daily check for new Exploit Fingerprints. If cxs is scheduled to check for a new version daily, an additional check for new Exploit Fingerprints released since the last cxs version is performed. These will be downloaded and used on subsequent scans
Added port 500 to DROP_NOLOG for new installations
Corrected the LF_APACHE_404 lfd log line output
Added startup failure on invalid PORTFLOOD settings
Make csf.pignore item selector case-insensitive (e.g. exe: and EXE: )
All user: item selector examples removed from the default csf.pignore for all new installations (e.g. user:mailman). csf.pignore examples for some common processes can be found here:http://forum.configserver.com/viewtopic.php?f=6&t=2059
Updated DA and GENERIC default csf.pignore files for new installations
Updated installation scripts to distinguish between IPv4 and IPv6 port report
Modified Virtuozzo VPS numiptent check to distinguish between host and client servers
Added exe:/usr/sbin/ntpd to csf.pignore on new installations
Don’t perform the runlevel check on Debian/Ubuntu servers as it isn’t indicative of a potential security issue as with other Linux distros
Added new option PT_DELETED_ACTION which if defined with an executable script will run if PT_DELETED is triggered passing the process PID, executable and account. An example script is provided in: /etc/csf/pt_deleted_action.pl
If CC_LOOKUPS enable for the MaxMind City Database then also display the Region, where available
Rearranged csf.conf for csf UI Firewall Configuration virtual pagination
Re-instated sanity check highlights in csf UI Firewall Configuration
Improved Server Check recursion checking in included configuration files
Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option will keep track of the number of “File does not exist” errors in HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. See csf.conf for more information
