Modified –decode [file] and –options [D] to drop privileges to the “nobody” user while running the interactive php interpreter and on the ownership of the decoded file while processing it
Added new scanning option: cxs Watch. This is an alternative to ftp and web script upload scanning. The cxs Watch daemon uses a separate process to watch entire user accounts for new and modified files and scans them immediately. The scanning children use up significantly fewer resources than the ftp and web script upload scanning methods. This new feature requires:
Added stats workaround for February/March calculations
Added new option CC_IGNORE – this Country Code list will prevent lfd from blocking IP address hits for the listed CC’s
Reduced CC_* memory usage when loading zones
Modified lfd logging for regex.pm and regex.custom.pm login failures to lfd.log to use the return reason from the regex match instead of a generic message. This does mean that the format for these messages has changed
DA Server Check for proftpd – check whether pureftp=1 in DA config
Replaced IP::Country and Geography::Countries with Geo::IP:: PurePerl using the MaxMind GeoLite Country database for CC_LOOKUPS
Added new option GUNZIP which is required to expand the MaxMind GeoLite Country database
Extended CC_LOOKUPS which can now be configured to report Country Code and Country and City using the MaxMind City Database. See csf.conf for more information
Added a note to the CGI alert email for ModSecurity false-positives where the request body is inspected before Apache has a chance to determine whether the called script exists (i.e. a 404)
Added new option –wttw [file] which is available for submitting text exploits (i.e. PHP, Perl, Shell) to ConfigServer if cxs fails to detect it. The file is sent as an attachment via email. Please be sure to read the documentation before using this option
