5.09 - Added Server Check report check that klogd is running if using syslogd or that klog module is loaded if running rsyslogd Added Server Check report, checks for apache settings: TraceEnable, ServerSignature, ServerTokens and FileETag on cPanel servers Fixed ip6tables IPV6_SPI check warning for older kernels Added instruction to open outgoing TCP6 and UDP6 ports when using an older kernel for ip6tables IPv6 Final (no longer Beta) Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you do not want this to apply to LT_POP3D/LT_IMAPD, then enable this option Added new option PT_USER_ACTION. If a PT_* event is triggered, then PT_USER_ACTION will be run in a child process and passed the PID(s) of the process(es) 5.08 - New option CLUSTER_MASTER which is the IP of the master node in a cluster allowed to send CLUSTER_CONFIG changes. This must be set in order to use CLUSTER_CONFIG options Added new Cluster CLI option --cfile (-cf) for sending a file to cluster members. The file will only be uploaded to the /etc/csf/ directory Added new Cluster CLI option --crestart (-crs) to initiate a restart of csf and lfd on all cluster members Removed CLI option -ccr, --cconfigr [name] [value] in favour of the new --crs, --crestart option Modified regular expressions to cater for RFC3339 date format in log files. For example, RFC3339 date format used by default in rsyslog on CentOS v5.5 5.07 - Fixed bug introduced in v5.04 that ommitted two outgoing DNS lookup rules that could affect servers where iptables connection tracking isn't working correctly 5.06 - Increased PT_USERMEM default to 200 from 100 for new installations Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for report generation in lfd which caused lfd to fail in Net::CIDR::Lite 5.05 - Updated the Server Check report IPv6 text Fixed ip6tables command execution in iptables firewall during startup 5.04 - Added BETA IPv6 support. 
See csf.conf for more information on the new settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT UDP6_IN UDP6_OUT New CLI option csf --status6 (csf -l6) added to list ip6tables rules Changed temporary DENY and ACCEPT working file formats to use a different record separator to cater for future IPv6 support Advanced Allow/Deny Filters now use | as the separator character to cope with IPv6 addresses. Legacy support remains for the old : separator for IPv4 addresses, though these should also now use | as the field separator In Server Check report, don't issue IPv6 warning if only ::1/128 is bound to a NIC (i.e. loopback) Upgraded Net::CIDR::Lite to v0.21 Upgraded from IP::Countries to Geography::Countries 5.03 - Added new option LF_DISTATTACK_UNIQ so that you can specify how many unique IP addresses are required to trigger LF_DISTATTACK Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked. This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites Changed DA default configuration of FTPD_LOG to "/var/log/secure" 5.02 - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending X_ARF reports (see http://www.x-arf.org/specification.html). See csf.conf for more information Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and groups that can bypass SMTP_BLOCK can be easily added. 
These default to the original values previously hard-coded Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of 127.0.0.1 to cater for multiple loopback devices and allows connection to locally configured IPs as well Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1 Added new option CLUSTER_LOCALADDR to send out cluster requests on an IP other than the default IP Added lfd check to enforce 0600 permissions on /etc/csf/ 5.01 - Added a new 7th argument to BLOCK_REPORT that includes the log lines that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK) Added new CLI option csf --tempallow (csf -ta) which works in exactly the same way as csf --tempdeny (csf -td) except it provides a method of temporary IP allows for a given duration. csf -t, csf -tf and csf -tr now apply to both deny and allow entries Allow the use of a duration suffix in csf -ta and csf -td for m, h and d (minutes, hours and days). Only one suffix allowed and only integers Updated UI entry for adding and removing temporary allows and blocks Display temporary block TTL in days hours minutes and seconds Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE. This new option logs SYN packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP is being DROPed or ACCEPTed by iptables. See readme.txt for more information Modified csf and lfd init scripts to be LSB-compliant Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download the list if it has not already been retrieved within the configured interval. This is to help prevent blacklisting by the list provider for repeated downloads after frequent lfd restarts Fixed problem with csf -q and csf -sf not restarting the firewall if there was a previous startup error 5.00 - lfd Clustering, final release. 
This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. See the readme.txt file for more information and details, setup and security implications Added new option LF_DISTATTACK. Distributed Account Attack detection. This option will keep track of login failures from distributed IPs to a specific application account. If the number of failures matches the trigger value, ALL of the IP addresses involved in the attack will be blocked. This option is currently disabled by default - see csf.conf for more information Added new option PT_USERKILL_ALERT if you want to disable email alerts for PT_USERKILL triggers. This option is enabled by default, i.e. alerts are sent Added new options LF_QUICKSTART in csf.conf and CLI options -q, --startq, -sf, --startf to allow deferral of csf startup to lfd instead of waiting for the CLI to perform the work. See the CLI help and csf.conf for more information Added UI option for "Firewall Quick Restart" which uses csf -q, "Firewall Restart" uses csf -sf lfd now restarts csf (if stopped and LF_CSF enabled) within the main process to enhance the integrity of the firewall Multiple login failure regex detection improvements Fixed typos in permblock.txt 4.99 - Improved csf locking to enhance the integrity of the firewall Log lfd csf deny failures New SSHD regex added Improved the dovecot regex's New Beta option: lfd Clustering. This new set of options (CLUSTER*) in csf.conf allows the configuration of an lfd cluster environment where a group of servers can share blocks and, via the CLI, configuration option changes, allows and removes. 
See the readme.txt file for more information and details, setup and security implications 4.89 - New SSHD regex added Added Server Check to check whether SSHD UseDNS is set to "no" - it should be disabled Added an Important Note to the readme.txt regarding the sshd UseDNS setting Speedup for LF_DIRWATCH regex matching 4.88 - Fixed URL's in Server Check report for cPanel if Security Tokens are enabled in v11.25+ Added ipv6 explanation that the information is determined from the output from ifconfig and display ipv6 addresses found Added the ability to use Include statements in csf.deny and csf.allow, see readme.txt for information and restrictions 4.87 - Ignore csf.rignore for LT_POP3D and LT_IMAPD Removed unnecessary csf.locks during some GLOBAL list updates Updated Copyright notice Modified the block message for LF_MODSEC and LF_SUHOSIN to be more appropriate (i.e. not "login failures") Added new block options for BIND denied requests: LF_BIND, LF_BIND_PERM, BIND_LOG. This works in the same way as the other similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have had BIND (named) requests denied more than LF_BIND times in LF_INTERVAL seconds. 
Currently named client denied log lines for "update" and "zone transfer" trigger the option Modified GLOBAL_ routines to continue if retrieval for one fails instead of immediately exiting Added IPv6 check to Server Check Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled on single line comments (lfd.log, csf.deny, etc) Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the respective email alerts can be disabled Updated IP::Country 4.86 - Added Dovecot regex checking for LT_POP3D and LT_IMAPD Modified Server Check for Fedora v10 EOL now that Fedora v12 has been released Improved Dovecot IMAP and POP3D login failure regex Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD Fixed TLSCipherSuite Server Check for proftpd Added SSHD regex for "Did not receive identification string from IP" failures 4.85 - Further improvements to ICMP rule filters - Added backup mod_security log viewer for non-cPanel servers 4.84 - Mod_security log viewer removed from csf in favour of cmc Improved ICMP rule filters. This could help some hosts that experience connection issues with csf Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS to include this, i.e. to Port Scan for all ports use: PS_PORTS = "0:65535,ICMP" This is now the default on new installations 4.83 - Added multiple checks to the Server Check for new cPanel v11.25 security settings Tidied up and rearranged the main UI Removed redundant UI options Added total perm bans to UI 4.82 - Removed the need for UI lfd cron restart jobs on Direct Admin 4.81 - Fixed case sensitivity issue introduced in v4.80 with port specific lfd deny lines being ignored 4.80 - Modified WHM login regex to only trap successful root page displays for LF_CPANEL_ALERT Apache status for PT_LOAD now checks http://127.0.0.1/server-status on GENERIC/DA servers. 
You need to ensure that the server-status page has access from 127.0.0.1 in the apache server-status Location container Extended SU log file regex for Debian servers Sanitise UI file edit HTML output Improvements to the removal of alternative firewalls script Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS list via URL Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE, especially on Debian Improved detection of already blocked IP addresses 4.79 - Withdrawn 4.78 - Modified DA installation to overcome permissions problems on some systems preventing the UI from working 4.77 - Expanded dovecot regex matching Fixed the generic installation to install regex.custom.pm 4.76 - Added check for FrontPage extensions to Server Check as they should be considered a security risk as they were EOL in 2006 Added support for the impending cPanel v11.25 Security Tokens feature 4.75 - Added a [block] section to the Login Failure alert.txt template. This new report template will be copied to /etc/csf/alert.txt.new on existing installations, rename it to alert.txt to use it Modified existing lfd alerts to use currently used tags instead of appending block information to the IP address (alert.txt modified as above) Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for email sent via a local IP addresses, separating the trigger from RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf for more information Added Relay Tracking to Direct Admin running exim. 
See RT_* and SMTPRELAY_LOG in csf.conf for more information Added csf.mignore to allow ignoring of specified usernames or local IP addresses from RT_LOCALRELAY_ALERT Modified csf UI to use a single dropdown for all lfd ignore files Added proftpd regex matching for "UseReverseDNS on" in proftpd config 4.74 - Removed FUSER from csf.conf as it is no longer used Added UNZIP to csf.conf which is required for Country Code to CIDR functions Modified the Country Code allow/deny/allow_filter feature to generate CC CIDRs from the Maxmind GeoLite Country database instead of using iplocationtools.com. Note: GeoLite is much more accurate that the previous zones used. This also means that there are usually more CIDRs for each CC which adds to the burden of using this feature 4.73 - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's to prevent module failures New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses WHM via root. An IP address will be reported again 1 hour after the last tracked access (or if lfd is restarted) 4.72 - Modified mail sending code to use a common procedure that copes better with differing combinations and variations of From:, To:, LF_ALERT_TO and LF_ALERT_FROM settings for lfd alerts 4.71 - Code speedups in csf --grep Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note added to alert if ip match found Modified Server Check for Fedora v9 EOL now that Fedora v11 has been released Modified iptables output from csf.pl to exclude the Fedora v11 intrapositioned negation messages Fixed typo in integrity.txt alert template for new installations Modified the email header for csf --mail Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY Modified lfd output filehandle names to avoid read/write conflicts Added Advanced Allow/Deny Filters for csf.dyndns. 
See readme.txt for an example Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where only listed Country Codes are allowed, however normal port and packet filter rules are still applied to those connections. All other connections are dropped 4.70 - Modified UI access to csf.sips to display checkboxes instead of direct editing, for ease of use Fixed problem where RELAYHOSTS setting wasn't always being honoured Modified mod_security configuration editor to handle HTML elements Rewritten RT_*_ALERT regex and counting code to better deal with a variety of exim log output formats Added recipient count to RT_*_ALERT to include emails sent to multiple recipients. This option requires that the exim log_selector setting in the exim configuration includes the option: +received_recipients So, the recommended log_selector setting is now: log_selector = +subject +arguments +received_recipients Modified Server Check cPanel version check to cater for x86_64 OS's Added check to prevent Server Check mail report cron duplicates Added abbreviated UI for mobile phone access to Quick Allow, Quick Deny and Remove Deny. 
Direct URLs: cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1 DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1 Webmin: https://1.2.3.4:10000/csf/?mobi=1 4.69 - Added Gentoo (generic) support Added Server Check for MySQL LOAD DATA LOCAL Modified Server Check for enable_dl to also check whether dl is in disable_functions 4.68 - Added ipv6 IP detection for proftpd login failures Removed ossec and webmin from the Server Check services section 4.67 - Modified the Country Code allow/deny feature to use iplocationtools.com now that ipdeny.com has gone offline 4.66 - Modified OS version check to prevent Fedora v10 obsolete false-positive in Server Check Modified the exim SMTP AUTH regex to use the latest cPanel/exim format Added failure notification for DYNDNS entry lookups in lfd if they fail to resolve or timeout 4.65 - Modified Firewall Security Level UI to set PS_LIMIT within range Fixed problem processing template for SU_ALERT Empty csf.dshield on upgrade to work around problem where DSHIELD blocked themselves in their own BLOCK list 4.64 - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work if SMTP_BLOCK isn't actually enabled Added new CLI option (csf -uf) which forces an update of csf+lfd Added new CLI option (csf -df) which removes and unblocks all entries in /etc/csf.deny (excluding those marked "do not delete") Added new UI option to that removes and unblocks all entries in csf.deny (excluding those marked "do not delete") and all temporary IP bans Added csf file names to the csf UI options 4.63 - New feature - Added new CLI option: csf --mail (or csf -m) which can take an email address as an argument. 
It will display the Server Check in HTML or send the output to the email address if present Added option to UI Server Check to schedule csf to generate the report and email the results to the address specied at the interval specified Removed MySQL check from cPanel DNSOnly Server Check Updated the perl v5.8.8 Server Check comment Fixed sanity check for RT_*_BLOCK Fixed copy of install.txt for generic installs and upgrades Modified UI for Deny Servers IPs > Change to indicate that csf needs restarting, not lfd Added built-in replacement function for the Messenger Service message files for [HOSTNAME] which will be replaced by the servers FQDN hostname. Updated the sample Messenger index templates Updated the uninstall scripts to remove the cronjob and logrotate files Added colour highlights to the Quick Allow and Quick Deny UI boxes 4.62 - Fixed problem with SU_ALERT alert report in v4.61 Modified the Server Check for cPanel update settings to check for daily updates more accurately Added Server Check for cPanel tree Upgraded IP::Country New feature - Added sanity check to configuration values in csf, UI Server Check and UI Firewall Configuration. 
In the UI Firewall Configuration: lines highlighted in red fall outside the recommended range; lines highlighted in pale green differ from the default on installation Added cPanel Security Check to check that at least one configured nameserver is on a different server Added proftpd checks to csf (for VPS servers) and in Server Check Added DirectAdmin Checks to UI Server Check for: SSL login to DA; proftpd cipher; nameserver on a different server; PHP version and configuration checks; Apache version; dovecot cipher Removed resolv.conf localhost check 4.61 - Modified lfd iptables command error handling to log errors and continue instead of terminating when in TESTING mode Removed loading of iptables modules from csftest.pl to avoid modprobe problems with some OS kernels Added Connection Tracking check for pre-existing block to cater for linux connection status timeouts Moved LF_CSF check to the start of the lfd processing interval New option LF_ALERT_FROM. If set, the value of this option will override the From: field in all of the lfd alert templates. This change also uses the From: field in the template (or this option if set) as the value for the SENDMAIL -f option Modified POP/IMAP Server Checks for the chosen mail server only on cPanel servers Modified FTP Server Checks for the chosen ftp server only on cPanel servers Added SMTP Tweak to Server Check on cPanel servers and removed block on csf starting if enabled 4.60 - Modified cipher checks to strip out quotes Modified Apache cipher message to remoind that you have to rebuild the Apache configuration and restart for changes to be effective 4.59 - Added proftpd regex for Plesk server log file format Modifed the Server Check cipher checks for pure-ftpd and Apache to use openssl to ensure SSLv2 is disabled Added cPanel Server Check checks for dovecot, courier-imap IMAP and POP3D SSL cipher list New option SAFECHAINUPDATE added. 
If enabled, all dynamic update chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN) will create a new chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the old dynamic chain and rename the new chain. See csf.conf for more information. This option is disabled by default, but we do recommend that it is enabled on non-VPS servers with restrictive numiptent values Added SAFECHAINUPDATE to the firewall Server Check (except for Virtuozzo VPS servers) Modified Server Check on cPanel to make the PHP v4 warning clear and to warn where PHP v5 and v4 have both been compiled (PHP v4 is obsolete and should not be used at all anymore) Added WHM checks for skipparentcheck and cpsrvd-domainlookup to Security Check New option LF_ALERT_TO. If set, the value of this option will override the To: field in all of the lfd alert templates 4.58 - Modified exim cipher check in Server Check to use openssl to test the expanded configured cipher suites to ensure SSLv2 is disabled 4.57 - Improved exim configuration option detection in Server Check Added Exim Configuration checks to DirectAdmin Server Check Modified csftest.pl to perform a modprobe on all used iptables modules before testing Added PASV port hole warning on VPS servers to the output of csf on start and to the cPanel (if using pure-ftpd) Server Check Added lfd to the DirectAdmin Service Monitor Added back a revised Firewall Security Level option to UI 4.56 - Added TCP_OUT port 2222 for the DA default configuration for new installations Added ICMP protocol to Advanced Allow/Deny Filters. 
See readme.txt for more information and examples Updated readme.txt to reflect the Control Panel UI availability for cPanel, DirectAdmin and Webmin Modified mod_security configuration file check to the TLD only of /usr/local/apache/conf/ and only files ending in .conf 4.55 - Fixed issue with csf.conf not being loaded for the Server Check Report Removed erroneous chkconfig check from Server Check Report Disabled various checks in Server Check Report for non-cPanel servers Modified Debian/Ubuntu init entry creation and removal procedure Modified Server Check to search for multiple named.conf locations 4.54 - Bug fix to Exploit Check code Fixed problem with iptables logs not being collated if PS_INTERVAL is disabled but ST_ENABLE is enabled Fixed potential problem with SMTPRELAY_LOG not being scanned when RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled 4.53 - Upgraded the csf Webmin UI module to the new csf UI and added installation/upgrade instructions to the install.txt for Webmin Fixed image locations and javascript in DA and webmin UI Updated the uninstall scripts and the uninstall section of install.txt 4.52 - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd Added warning in DA UI to upgrade csf from the root shell due to restrictions in DirectAdmin NOTE: DA users should upgrade csf to this version from the root shell using "csf -u" and not use the Upgrade button in the UI 4.51 - Fixed csf --upgrade (csf -u) for DA installations 4.50 - Added restrictions information regarding the PORTFLOOD setting and ipt_recent to readme.txt (i.e. hit count max is 20) Modular development of csf UI Added DirectAdmin UI and installation support for csf/lfd Added Statistics options (ST_ENABLE, etc) to generic csf installation Added SMTP options (SMTP_BLOCK, etc) to generic csf installation Removed pre-configured firewall settings through UI for redevelopment as it has become out-dated Modify csf UI to signal lfd to start/restart/enable only. 
A one minute cron job will actually perform the signalled function. The CLI is unaffected and performs the command immediately. This is introduced to overcome fork issues from within an Apache session 4.41 - Added information about runing external iptables commands using csfpre.sh and/or csfpost.sh to readme.txt Added new CLI option csf --addrm (csf -ar) to remove an IP address from csf.allow and delete the associated iptables rules Removed the need for the MONOLITHIC_KERNEL option and made modprobe perform silently on csf startup. Added the relevant information regarding some Monolithic kernels and the need for a PASV port range hole to readme.txt Added timeout to csf modprobe to avoid startup hanging on buggy kernels 4.40 - Added workaround for php --info bug in Server Report when checking PHP configuration settings Modified LF_INTEGRITY to regenerate the md5sum comparison file immediately after a match is found instead of waitng for the next cycle Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty 4.39 - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and LF_NETBLOCK_COUNT with act if more than the number of hits are detected, not on the exact number set Modified csf WHM UI to use csf -u to upgrade csf when a new version is available Added new script /etc/csf/csftest.pl which will test the servers iptables modules for functionality. The tests are for the required iptables modules and the optional modules for the SMTP_BLOCK, PORTFLOOD and MESSENGER features. 
This adds a useful diagnostic tool for kernel/iptables problems and to check whether the features above will function Added csf WHM UI option to run csftest.pl Updated the csf install.txt to run csftest.pl before running up csf 4.38 - Improved detection of working ipt_owner iptables module on VPS servers such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks will be automatically disabled and csf will continue to start 4.37 - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended setting for cPanel servers which use ping times to determine fastest mirrors for various update functions Modified PT_LOAD_ACTION code to stop duplicate load emails from being send by lfd Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter rules on VPS Servers for as ipt_owner is now apparently supported on the latest kernels. However, if the latest kernel isn't being used or the VPS host hasn't included the ipt_owner iptables module for the client VPS, then csf will fail with an error 4.36 - Modified Process Tracking to allow regex exceptions in csf.pignore for deleted executable processes 4.35 - Modified regex.pm detection of iptables kernel log lines to cater for alternative formatting Restored the substitution of the NULL separator with spaces for the /proc/PID/cmdline in Process Tracking 4.34 - Added code to Process Tracking to translate non-printable characters to especially help detect and report deleted executable file processes WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd and awstats.pl from lfd.pl. 
If you want to ignore such processes for Process Tracking, you will need to add appropriate ignore rules to csf.pignore for them 4.33 - Disable ST_LOOKUP by default on new installations Modified lfd stats performance when ST_LOOKUP is enabled and added a warning for this setting to csf.conf for when DROP_IP_LOGGING is enabled 4.32 - Modified the su tracking regex to better trap RHE/CentOS v5 su login attempts Added a Server Check for "FTP Logins with Root Password" Added new WHM UI option to display Last X iptables Log Lines. Note that the report will only display log lines since this update. The new statistics will be expanded in future developments. Added new ST_* options to the cPanel csf.conf to control the recording of stats Removed fwlogwatch from distro and will use self-produced reports 4.31 - Added warning for those that enable PT_USERKILL in csf.conf - i.e. It is not a good idea to use that option Modified PT_USERKILL to not kill (deleted) processes (these should be restarted manually after investigation) as per the documentation 4.30 - If you add the text "do not delete" to the comments of an entry in csf.deny then DENY_IP_LIMIT will ignore those entries and not remove them. Updated csf.deny information text for new installations Made the (deleted) process text even more explicit for those that are not reading csf.conf or the FAQ for their explanation Updated DSHIELD information URL in csf.conf Added new feature - csf.rignore is an ignore file that lists domains and partial domains that lfd should ignore. Read /etc/csf/csf.rignore for more information. Note that .cpanel.net is always added on cPanel csf installations Option GOOGLEBOT removed. This feature is now performed using csf.rignore. If GOOGLEBOT was previously enabled it will be added to csf.rignore 4.29 - Added Slackware support (tested on v12.2.0) Added Fedora v10 support Added new option GOOGLEBOT - Prevent *.googlebot.com from being blocked by lfd. 
See csf.conf for more information Modified .cpanel.net check to use the same host lookup procedure as GOOGLEBOT to prevent domain spoofing Added csf version from/to to output from csf --update when upgrading 4.28 - Fixed GENERIC csf problem with csf.pl perl modules 4.27 - New Feature - Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports. This option limits the number of connections per time interval that new connections can be made to specific ports. See csf.conf and readme.txt for more information. This option is only available on servers with the ipt_recent kernel module cPanel DNSONLY compatibility added - Thanks to JJ for the assistance Improved Cipher suite checking and advice for Apache and FTP in Server Check Remove md5sum check from JS exploit check as it is covered by LF_INTEGRITY and causes confusion Added new option LOGFLOOD_ALERT which will send an email alert based on logfloodalert.txt if lfd skips logs lines due to log file processing problems Added new option PT_DELETED together with the FAQ explaination as to why lfd reports deleted processes. The option can be disabled to ignore such processes Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow exceptions to SMTP_BLOCK 4.26 - New Feature - Country Code to CIDR allow/deny. This feature can allow or deny whole country CIDR ranges. The CIDR blocks are downloaded from http://www.ipdeny.com/ipblocks/. 
For more information, see CC_ALLOW, CC_DENY and CC_INTERVAL in csf.conf Expanded the dovecot regex to include more login failure permutations Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel servers SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default 4.25 - Fixed bug in csf --grep when CIDRs used in advanced port filters Fixed problems with aborted Server Check Report Fixed position of the lo device rule in the OUTPUT chain which broke SMTP_BLOCK Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all listed ports (not just port 25). This is populated on installation or when TESTING = 1 if an additional port is listed in "WHM > Service Manager > exim on another port". Otherwise, SMTP_PORTS needs to be updated manually. The default setting contains port 25 SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled 4.24 - Added workaround for issue with WHM image display in the addon header for cPanel v11.24 *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report *Added cPanel v11.24 FTP Cipher Suite checks in Server Report *Added cPanel v11.24 Apache Cipher Suite checks in Server Report *Added cPanel v11.24 Exim Cipher Suite checks in Server Report Added Fedora v8 to the obsolete OS list now that v10 is out Updated dovecot regex in regex.pm for v1.1.6 used by cPanel * Will only display if cPanel version is >= 11.24 4.23 - Added skip to connection and process tracking for empty tcp6 connection data Fixed PT_LOAD email output of ps and vmstat 4.22 - Additional fixes for an issue on VPS servers where temporary block removal from csf.tempban failed 4.21 - Fixed an issue on VPS servers where temporary block removal from csf.tempban failed 4.20 - Modified csf.tempban processing code in lfd to perform more stringent file locking to preserve temporary bans if lfd is writing during shutdown Modified Port Scan tracking of IP's to not attempt multiple blocks on the same IP address in the same log line processing batch Fixed broken 
timestamp in lfd.log for dates < 10th of the month Various code modifications to improve performance and stability 4.19 - Reverted the tied file changes as they were causing a deadlock situation locking csf.tempban Improved the process tracking detection of deleted executables of running processes 4.18 - Modified temporary IP address storage to use a tied file to preserve temporary bans if lfd is writing during shutdown 4.17 - Replaced the use of backticks in csf, lfd and the WHM UI with calls to IPC::Open3 Various lfd and csf code improvements and tidy up Ensure lfd parent dies cleanly on error Debug information improved and timer modified to use Time::HiRes for more accuracy 4.16 - Removed port 953 from the TCP and UDP allow lists for new csf installations as it's not necessary to whitelist as bind listens on the localhost device for such control connections by default Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login, exe:/usr/libexec/dovecot/imap-login to new and old cPanel installations csf.pignore to cater for cPanel support for both nsd and dovecot (currently in EDGE) Only use Cpanel::Rlimit if it's available in WHM UI 4.15 - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing connections from blocked IP addresses in csf.deny or temporary blocks. The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN, GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct this. Many thanks to Brian for his help in tracking this issue down. 
4.14 - Implemented the use of cPanel routine Cpanel::Rlimit to remove process resource limit restrictions as the cPanel memory limitation setting was causing the Server Check to abort with memory allocation problems through WHM on some servers
       Modified port checking for 23 and 53 in Server Check to no longer use the fuser binary and use the port mappings directly from /proc
       Modified lfd and Server Check to check for IPv6 bound processes as the IPv4 and IPv6 connections are stored in a different file to IPv4 only bound processes
4.13 - Updated various comments in csf.conf
       Fixed call to csfpost.sh from csf
4.12 - Modified lfd Login Failure tracking to use a per IP address rolling LF_INTERVAL window rather than a static one for all tracked IPs. This makes login failure counting more accurate and blocking more responsive
       Added new feature - Block Reporting. lfd can run an external script when it performs an IP address block following, for example, a login failure. BLOCK_REPORT is set to the full path of the external script. See readme.txt for format details
       If csf is installed or upgraded via an SSH session the connecting IP address will now be automatically added to csf.allow (note: it is not added to csf.ignore so lfd may still block it). This IP can be removed after testing if desired
       Modified the lfd.log format to the standard: :: lfd[]: If you parse lfd.log you will need to update your scripts!
       Added DEBUG option - for internal use only
4.11 - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations
       Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain
       Added /etc/cron.d/lfdcron.sh to restart lfd daily
       Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore
       Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+
       As per RFC5322, adding port 587 to the default TCP_IN list of ports for new installations (i.e. it is now recommended for SMTP servers to offer port 587 access for MUA to MTA traffic rather than port 25 which is for MTA to MTA traffic)
       Added informational text to Process Tracking email report if a process is running an executable that has been deleted
       Added csf version to the daemon startup log line in lfd.log
4.10 - Added /usr/libexec/hald-addon-keyboard to csf.pignore
       Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help the situation where some servers iptables block outgoing port 53 udp connections despite the port being open
       Added new option DNS_STRICT which will remove all static DNS rules and allow access only through SPI. For stability reasons, it would be advisable to leave this option disabled (default)
4.09 - Modification to cPanel version to restart chkservd using /scripts/restartsrv_chkservd instead of the init script as the latter is removed in the latest EDGE release that puts chkservd under the control of tailwatchd (/scripts/restartsrv_chkservd is a stub for restarting tailwatchd in the latest EDGE instead of a direct restart script in older cPanel versions). chkservd is restarted when csf is installed/uninstalled/upgraded/disabled/enabled
4.08 - Added a new timing system to more accurately trigger lfd tasks. This should alleviate timing issues such as those seen with LT_POP3D and LT_IMAPD and improve the overall effectiveness and performance of lfd
       Added new method for reaping child processes.
       If you find that zombie lfd processes start to build up you can revert to the old reaper by enabling new option OLD_REAPER
4.07 - Messenger service now supports advanced filter permanent port block redirection
4.06 - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the LOCALxxPUT chains so that the entries can be correctly listed with ACCEPT's at the top and DENY's at the bottom of the chain
       Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and OUTPUT chains so that bandwidth accounting is kept accurate
       Fixed a problem processing advanced port filters in GLOBAL_ALLOW and GLOBAL_DENY
4.05 - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains
4.04 - Fixed problem with rule placement for ETH_DEVICE_SKIP
       Ensure all ALLOW requests are inserted before DENY requests after csf has been restarted
       Ensure that fwlogwatch stats creation uses IPTABLES_LOG file
       Only perform operations on the nat table if MESSENGER service is enabled
       lfd Process Tracking will now ignore MESSENGER_USER messenger services
       Added new option PT_ALL_USERS so that all Linux accounts on a cPanel server are checked in Process Tracking, not just cPanel users. This option is disabled by default on cPanel servers. Enabling this option may require adding exceptions to csf.pignore
       Additional exceptions added to csf.pignore for cPanel servers for the new PT_ALL_USERS option
       PT_SKIP_HTTP now disabled by default for new installations
       Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check
4.03 - Fixed problem where the new LOCALxxPUT chains were only processing tcp requests
       Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule count in the OUTPUT chain under certain circumstances
4.02 - If csf fails with an error lfd will now die and require a restart after the issue with csf is resolved. csf commands apart from start and restart are also disabled
       Released from BETA
4.01 - Allow the Messenger Service to be used on VPS servers.
       However, if the ipt_REDIRECT module is missing csf will fail to start correctly and abort
       HTML Messenger service server now only reads a limited line length instead of unlimited input to prevent overflows
4.00 - New feature - Messenger Service. This feature allows the display of a message to a blocked connecting IP address to inform the user that they are blocked in the firewall. This can help when users get themselves blocked, e.g. due to multiple login failures. The service is provided by two daemons running on ports providing either an HTML or TEXT message. See csf.conf and readme.txt for more information (not available on VPS platforms and others missing the ipt_REDIRECT kernel module)
       Moved INPUT and OUTPUT chain rules for blocks and allows to their own respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP blocks will be listed in the INPUT or OUTPUT chains, but in the new ones
       Re-organised all of the INPUT and OUTPUT chain rules to give precedence to the LOCALINPUT rules before invoking other chains and port ALLOW rules
       Moved the SYNFLOOD protection chain rule to be the first chain rule after the LOCALINPUT chain rule
       Moved the lo device rules to always be at the top of the INPUT and OUTPUT chains
       Modified the syslog regex matches to only match on local entries to cope with centralised syslog configurations
3.43 - Improved application IP block checking
       Restored the option LF_SCRIPT_PERM with additional checks for directories within the cPanel homedirs and for symlinks. Warning added to csf.conf for this option
       Added random query-source port setting for BIND to the Server Report
3.42 - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to be the same as the cPanel csf.conf
       If LF_SELECT is enabled make sure all cPanel ports are blocked on cpanel login failure.
       This was only doing ports 2082,2083 and will now block 2082,2083,2086,2087,2095,2096
3.41 - Added new mechanism to allow custom regular expression matching with individual settings for lfd login failure detection. See /etc/csf/regex.custom.pm for details
       Modified all timestamps in lfd reports to also include the standard timezone offset (i.e. from GMT)
       Added new setting CC_LOOKUPS to control the new Country Code lookups (enabled by default)
       DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled
       PS_INTERVAL enabled by default on new installations
       Doubled the number of lines before log file flooding detection will be triggered
3.40 - Added queuealert.txt to the WHM UI dropdown list for editing
       Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the check
       Added Country Code lookups for IP addresses. Any reported IP addresses will include the international CC where available. It should be noted that with international ISPs this may not be wholly accurate. Where possible the CC will be translated into the associated country name
3.39 - Added new option IGNORE_ALLOW which, if enabled, lfd will ignore IP addresses listed in the csf.allow file and not block them
       Added new option LF_QUEUE_ALERT, which will send an email alert using queuealert.txt if the exim queue length exceeds the value it is set to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the ConfigServer MailScanner configuration is being used, both the MailScanner pending and exim delivery queues will be checked. This is a cPanel only option
       Added new option CT_PORTS to Connection Tracking so that you can specify which ports you want to count towards CT_LIMIT, e.g. 80,443
       Modified Server Report check for register_globals in cPanel's php.ini in case the new cPanel WHM setting is being bypassed
3.38 - Additional SSHD regex added to regex.pm
       Improved the WHM UI reporting of the csf status: disabled, running, testing mode
       Added Enable/Start buttons to WHM UI next to the csf status if disabled/stopped
       Updated Server Report checks for csf status
       Changed the destination of the ConfigServer Services link at the bottom of the WHM UI to go to the csf web page
3.37 - Fixed an issue currently in cPanel EDGE that affects the use of the cPanel SafeFile module in WHM scripts
3.36 - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds
       Improved lfd internal timing system for event triggers
       Added new feature - Account Tracking. The new AT_* options configure an alert system for account modifications which will send an email if there are new accounts added, existing accounts deleted, plus password, uid, gid, login dir and login shell changes. Each of these changes can be enabled or disabled. You can also enable tracking for superuser accounts only. The latter is the default setting. This feature uses the email template accounttracking.txt
       Added reason text to temporary IP bans
       Added Server Report check for ini_set in PHP disable_functions
       Added ossec to list of processes to disable as it will conflict and duplicate csf functionality
       Changed Server Check scoring text to instead show a coloured table indicating score
3.35 - Changes to WHM UI script for cPanel v11
       Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer supported
       Added # of temp blocks to WHM UI "Temporary IP Bans" on main page
       Modified Server Report check for register_globals in cPanel's php.ini to use the new cPanel WHM setting
       Added Server Report check for passwords in WHM email setting
       Added Server Report check for WHM root/reseller login to users cPanel
       Modified Server Report nobody cron check to only fail on non-zero cron file
       Modified Server Report check for Fedora now that Fedora 7 is EOL (2008-06-13)
       Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd blocking
3.34 - Modified regex matching to allow for trailing spaces in log lines
       Modified PT_LOAD routine to prevent multiple triggers resulting in more than one alert email being sent
       Removed the need for NETSTAT from lfd to reduce overheads and improve performance allowing CT_INTERVAL to be set lower. Now uses /proc/net/[protocol]
3.33 - Modified skip for su login checking from root to cater for (uid=0)
       Added option SYNFLOOD_BURST to allow configuration of --limit-burst when SYNFLOOD is enabled. Changed default values
       Extended --grep searches to csf.deny and temporary blocks in addition to iptables
       Modified SSH regex to improve login failures detection further
       Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations
       Added vsftpd regex for ftp login failures
3.32 - Modified SSH regex to check for ipv6 addresses
       Added another regex to improve SSH matching
3.31 - Modified -denyrm to abort if left blank instead of clearing all blocks
       Added lfd check for existing temporary block to avoid duplicates
       Fixed regex handling for courier-imap POP and IMAP login failures
       Added --full-time to the ls command for LF_DIRWATCH_FILE.
       If you use this option, LF_DIRWATCH_FILE will likely trigger due to the changed output the first time you restart lfd after upgrading
       Fixed typo in Suhosin description in the Server Check Report
       Added Referrer Security to the Server Check Report
       Added register_globals check in cPanel php.ini to Server Check Report
3.30 - Security Fix: lfd vulnerabilities found which could lead to Local and Remote DOS attacks against the server running csf+lfd. The DOS attacks could make lfd block innocent IP addresses and one attack could cause lfd to deplete server resources
       Modified the regular expressions in regex.pm to prevent them from being triggered by spoofed log line entries
       Option LF_SCRIPT_PERM removed
       Our thanks to Jeff Petersen for the detailed information describing these issues
       We recommend that all users of csf upgrade to this new version
3.28 - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke login tracking
       Modified relay tracking to not ignore RELAYHOST IP's
       Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's
       LF_SUHOSIN will now skip matches for "script tried to increase memory_limit"
3.27 - Modified csf -dr option to delete advanced filter IP matches as well as simple matches in csf.deny
3.26 - Added new CLI option to csf, -g --grep will search the iptables chains for a specified match which is either explicit or part of a CIDR
       Added WHM UI option for csf --grep
       Added new CLI option to csf, -dr --denyrm will remove an IP address from csf.deny and unblock it
       Added WHM UI option for csf --denyrm
3.25 - Added csf.suignore file where you can list usernames that are ignored during the LF_EXPLOIT SUPERUSER test
       New option PT_LOAD_ACTION added that can contain a script to be run if PT_LOAD triggers an event.
       See csf.conf for more information
       Added SUPERUSER check to Server Check Report
       Added Suhosin check to Server Check Report
3.24 - Allow comments after IP addresses in csf.dyndns
       Added new login failure option LF_SUHOSIN which detects alert messages and blocks the attacker IP after the configured number of matches
       Added a new exploit check for non-root superuser accounts
       Added a new configuration option LF_EXPLOIT_CHECK which allows you to configure which tests are performed by LF_EXPLOIT
3.23 - Modified the Server Report code for checking PHP variables to be more lenient when checking the output from /usr/local/bin/php -i
       Modified lfd calculation of Jiffies to use the POSIX::sysconf function to obtain the clock ticks instead of assuming 100 ticks for Linux
       Fix duplicate LF_INTEGRITY emails
3.22 - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this setting if you use Port Scan Tracking as it will cause redundant blocks
       Added tag [hostname] to all of the alert reports. You will need to add this manually to the report text Subject: line (or anywhere else in the report that you would like it) for existing installations
       Added "A note about FTP over TLS/SSL" to readme.txt
3.21 - Fixed problem in Server Check that caused an error in some situations
       Modified netblock caching code to prevent repeated block attempts
3.20 - Corrected net block logic so that after a net or perm block occurs, subsequent log entries that would incur the same block are ignored
3.19 - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have had X temporary blocks in the last Y seconds. Uses email template permblock.txt
       New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or C) if more than X IP addresses in a specified class have been blocked in the last Y seconds. This may help within some DDOS attacks launched from within a specific network class.
       Uses email template netblock.txt
       Modified MD5SUM comparison code to better reset md5sum checks after a hit
       Only issue Random JS Toolkit warning if all the MD5SUM checks fail for the relevant files
       Removed POP flood Protection setting check from Server Report as it's no longer relevant to courier-imap
       Rewritten the Apache Check code for the Server Report to better detect the current running settings on all Apache and PHP versions
       Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they aren't relevant (as they apply to the host VPS configuration) for the Server Report
3.18 - Fixed bug in the generic csf release where the default csf.conf was missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim for the help in tracking the issue down
3.17 - Rewritten the update code so that a new csf.conf is created when upgrading. It now uses the latest csf.conf and transfers the existing settings to the new configuration file. This way all installations are sure to have all new settings and the latest comments. It also makes the release process for new builds much simpler
       Other installation/update improvements
       Updated APF/BFD removal procedure
3.16 - Fixed bug introduced in v3.14 for generic installation only
3.15 - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf
       Modified csf.conf text for new installations to account for auto-configuration of ETH_DEV which has been the case for some time:
         # By default, csf will auto-configure iptables to filter all traffic except on
         # the local (lo:) device. If you only want iptables rules applied to a specific
         # NIC, then list it here (e.g. eth1, or eth+)
         ETH_DEVICE = ""
         # If you don't want iptables rules applied to specific NICs, then list them in
         # a comma separated list (e.g "eth1,eth2")
         ETH_DEVICE_SKIP = ""
3.14 - Added new format for cPanel (v11.18.3) login failures to regex.pm
       Added exe:/usr/libexec/gam_server to the default list of ignored binaries
       Fixed problem with SCRIPT_ALERT not picking up alternative /home directories from wwwacct.conf
3.13 - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans held in the temporary IP ban list to prevent iptables flooding. If the limit is reached, the oldest bans will be removed/allowed by lfd on the next unblock cycle regardless of remaining TTL for the entry
       Added LF_FLUSH for the flush interval of reported usernames, files and pids so that persistent problems continue to be reported. Default is set to the previously hard-coded value of 3600 seconds
       Fixed uw-imap ipop3d regex
       Added check for TESTING mode when using csf -a or csf -d to only add to the respective csf.allow or csf.deny files and not insert into iptables to prevent errors if iptables has been flushed after reaching TESTING_INTERVAL
3.12 - Added SMTP AUTH failure regex for Kerio MailServers
       Fixed an issue where a permanent Port Scanning alert would report as a temporary block, even though a permanent block was performed
       Added regex for failed SSH key authentication logins (thanks to Paul)
3.11 - Use /proc for Process Tracking instead of ps output in case of exploited system binaries and to better determine resource usage of each process
3.10 - Modified INPUT and OUTPUT chain rules to always specify the ethernet device
       csf now re-applies temporary IP blocks on restart
       Added new CLI command to add temporary IP bans.
       See csf -h for the new csf -td command
       Added new options to WHM csf UI to unblock temporary IP bans
       Added new option to WHM csf UI to block IP temporarily for a specified TTL
3.09 - Fixed missing copy for the portscan.txt report for generic installations
       Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking email alerts
       Added a sample of the port blocks that trigger the Port Scan to the report. This new report will be copied to /etc/csf/portscan.txt.new on existing installations, rename it to portscan.txt to use it
       Added Port Scan Tracking to WHM UI Firewall Security Level
       Added cPAddon update email setting check to Server Security Report
       Modified the SuEXEC link location to the cPanel v11 location in Server Security Report
       Added portscan.txt template to editable list in WHM UI
       Updated readme.txt
3.08 - Modified Port Scan Tracking to ignore blocked IP addresses in case DROP_IP_LOGGING is enabled
3.07 - Added Apache Server Status report to PT_LOAD for load average report monitoring. To benefit from this feature you will need to rename the new report file /etc/csf/loadalert.txt.new to loadalert.txt. The reports (ps, vmstat and apache) are now included as MIME attachments in the email report instead of inline text
       New feature: Port Scan Tracking. This feature tracks port blocks logged by iptables to syslog. It can help block hackers attempting to scan the server for open ports, or to block them while trying to access blocked standard ports, e.g. SSH. See csf.conf for more information
       Upgraded the urlget module
3.06 - Added System Exploit Checking. This enables lfd to check for the Random JS Toolkit and may check for others in the future: http://www.cpanel.net/security/notes/random_js_toolkit.html It compares md5sums of the binaries listed in the exploit above for changes and also attempts to create and remove a number directory. The option is enabled by default.
       The report is generated from the exploitalert.txt template file
3.05 - Added perl regex checking to csf.pignore with the new options puser, pexe and pcmd. Text added to csf.pignore for new installations:
         # Or, perl regular expression matching (regex):
         #
         # pexe:/full/path/to/file as a perl regex[*]
         # puser:username as a perl regex[*]
         # pcmd:command line as a perl regex[*]
         #
         # [*]You must remember to escape characters correctly when using regex's, e.g.:
         # pexe:/home/.*/public_html/cgi-bin/script\.cgi
         # puser:bob\d.*
         # pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
3.04 - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you to set the incoming and outgoing ICMP rate limits independently, or to disable rate limiting in either direction completely for ICMP packets
3.03 - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of "ls -laAR"
       Modified rules so that only icmp ping is blocked and all other icmp packets allowed if ping disabled in csf configuration. This may well help improve iptables performance if ping was disabled
       Added rate-limiting for all icmp packets to prevent inbound flooding
       New option SYNFLOOD configures iptables to offer some protection from tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet rate per IP so the option can be tailored
       Added SYN flag checking of state NEW tcp connections if PACKET_FILTER is enabled. NEW tcp connections should always start with a SYN
       Moved PACKET_FILTER rules to their own iptables chain called INVALID
       Fixed issue where some drops were not logging when logging enabled
       Added hourly flush interval of reported usernames, files and pids so that persistent problems continue to be reported
       Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI
3.02 - Modified the text comments at the top of csf.allow for new installs:
         # Note: IP addresses listed in this file will NOT be ignored by lfd, so they
         # can still be blocked. If you do not want lfd to block an IP address you must
         # add it to csf.ignore
       Removed RELAYHOSTS check from Server Check report
       Don't show SMTP_BLOCK check if on a VPS in Server Check report
       PT_USERKILL, if set, will now also kill user processes that exceed PT_USERPROC
       Fixed problem where csf.tempusers was not being cleared down on an lfd restart
       Added two new csf command line options to flush IP's from the temporary ban list: -tr -tf (see csf -h for more information)
3.01 - Tightened DNS port configuration restrictions as the old rules were being catered for by iptables connection
       Added Kerio Mailserver POP3/IMAP regex's
3.00 - Added progress information to LWP downloads within csf
       Added numiptent checking for VPS servers. csf will flush iptables and lfd will stop blocking IP's if numiptent is nearly depleted. This should help prevent VPS lockouts due to insufficient server resources. If this happens, you will either need to reduce the number of iptables rules (e.g. disable Block List usage) or have the VPS provider increase numiptent. A value of ~700-1000 should be fine for most SPI firewall applications with full Block List configuration
       Added support for the BOGON List (Block List) with LF_BOGON - http://www.cymru.com/Bogons/ See link and csf.conf for more information
       Enhanced the cpanel.net lookup for httpdupdate.cpanel.net to workaround the lack of rDNS PTR records
       Fixed problem with RELAYHOSTS not working
       Removed use of the replace binary
2.95 - Reduced memory overhead and added large file skipping for LF_DIRWATCH
       Improved performance of LF_DIRWATCH trigger checks
       Fixed problem with LF_SELECT temporarily blocking outbound access on all ports.
       Now only the relevant inbound port(s) will be blocked if triggered
2.94 - Fixed linux line-endings in some configuration files from v2.93 - doesn't affect existing installations
2.93 - Improved mod_security v2 regex for filter triggers
       Added MySQL v5 check
2.92 - Improved the cPanel version check for < v11 and whether up to date
       Added new CLI option -t (--temp) which lists the temporary IP bans and the TTL before the IP is flushed from iptables
       Added "View Temporary IP Bans" to WHM UI
       Changed WHM UI lfd Log auto-refresh default to unchecked
       Added regex for dovecot "Aborted login" messages in /var/log/maillog
       Added support for displaying mod_security v2 logs in WHM UI
2.91 - Added Fedora Core v6 to the obsolete OS check
       Added php v4 check
       Added apache v2.2 check
       Added Perl v5.8.8 check
       Added cPanel v11 check
       Modified Sys::Syslog use to utilise the ndelay and nofatal options
       Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in a globally located ignore file
       Modified Connection Tracking so that lfd doesn't block IP addresses that resolve to *.cpanel.net (to prevent CT_LIMIT being triggered during an upcp upgrade of cPanel)
       Added new option CT_STATES to Connection Tracking so that you can specify which connection states you want to count towards CT_LIMIT, e.g. SYN_RECV
2.90 - Ensured that Process Tracking doesn't affect processes running under root
       Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and existing installations
       Added Apache v2 checks to Server Checks Report
       Removed mod_evasive from Server Checks Report as it appears to be less relevant, especially with Apache v2
2.89 - Fixed the csf webmin module
       Added updates to the webmin module
       Completely removed use of cat in the WHM module and wget/cat from the webmin module
2.88 - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD
       Modified the courier IMAP and POP3D regex's to include connections over SSL in lfd
       Modified lfd to ignore cpdavd processes
       Modified the cPanel regex's to include cPanel v11 variants in lfd
2.87 - Fixed duplication of settings during generic configuration upgrade procedure
       Only display version confirmation update message when running csf -u interactively (Thanks to Brian Coogan for the perl tip)
       Fixed issue with temporary files not being truncated before being written to, which caused problems e.g. with global allow/deny files
       Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from connection tracking
       Updated the csf webmin module to use the &ReadParse() routine to overcome problems when running through SSL (Thanks to Tim Ballantine for this tip)
2.86 - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive" on RedHat
2.85 - Fixed a problem with v2.84 which broke permanent IP blocking in lfd - it's been a long week :-/
2.84 - Fixed problem with permanent LF blocks in lfd for individual application port blocks when set to permanent
       Added new SYSLOG option to csf.conf to allow additional lfd logging to SYSLOG (requires perl module Sys::Syslog)
       Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh interval of 3600 to prevent getting yourself blocked!
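The csf.pignore regex entries introduced in 3.05 above (pexe, puser, pcmd) decide which processes Process Tracking leaves alone, so an escaping slip silently widens or breaks an exemption. The script below is an added Python illustration, not csf's own code (lfd is written in Perl); it assumes exact entries compare the whole field and regex entries must match the whole field value, and its csf.pignore contents and process records are constructed.

```python
"""Check which processes a csf.pignore file would exempt from Process Tracking.

Added illustration in Python; csf/lfd itself is Perl and this is not its code.
Assumptions (modelled on the 3.05 changelog text, not on lfd's source):
  - exe:/user:/cmd: entries match the whole field value exactly
  - pexe:/puser:/pcmd: entries are regexes that must match the whole field
"""
import re
from typing import Dict, List, Tuple, Union

# Exact entry kinds and the process field each one is compared against.
EXACT_KINDS = {"exe": "exe", "user": "user", "cmd": "cmd"}
# Regex ("p" prefixed) entry kinds from the 3.05 entry.
REGEX_KINDS = {"pexe": "exe", "puser": "user", "pcmd": "cmd"}

Matcher = Union[str, re.Pattern]
Entry = Tuple[str, str, Matcher]  # (kind, field, matcher)


def parse_pignore(text: str) -> List[Entry]:
    """Parse csf.pignore lines into (kind, field, matcher) tuples."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line
        kind, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed csf.pignore line: {raw!r}")
        if kind in EXACT_KINDS:
            entries.append((kind, EXACT_KINDS[kind], value))
        elif kind in REGEX_KINDS:
            # The pattern text is used as written; escaping mistakes here
            # silently widen (or break) the match, as the samples below show.
            entries.append((kind, REGEX_KINDS[kind], re.compile(value)))
        else:
            raise ValueError(f"unknown csf.pignore entry kind: {kind!r}")
    return entries


def matching_entries(proc: Dict[str, str], entries: List[Entry]) -> List[str]:
    """Return every entry (as 'kind:value') that exempts proc from tracking."""
    hits: List[str] = []
    for kind, field, matcher in entries:
        value = proc[field]
        if isinstance(matcher, str):
            if matcher == value:
                hits.append(f"{kind}:{matcher}")
        elif matcher.fullmatch(value):  # whole-field regex match (assumption)
            hits.append(f"{kind}:{matcher.pattern}")
    return hits


def audit(pignore_text: str, procs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each process pid to the csf.pignore entries that would ignore it."""
    entries = parse_pignore(pignore_text)
    return {p["pid"]: matching_entries(p, entries) for p in procs}


def tracked_pids(report: Dict[str, List[str]]) -> List[str]:
    """Pids that no entry exempts, i.e. the ones Process Tracking still sees."""
    return [pid for pid, hits in report.items() if not hits]


# Constructed csf.pignore sample: one exact entry, the three regex examples
# quoted in the 3.05 changelog entry, and one deliberately unescaped pattern.
SAMPLE_PIGNORE = r"""
exe:/usr/libexec/gam_server
pexe:/home/.*/public_html/cgi-bin/script\.cgi
puser:bob\d.*
pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
# Unescaped '.' below matches any character, not just a dot (over-broad).
pexe:/home/.*/public_html/cgi-bin/report.cgi
"""

# Constructed process records (fields lfd would read from /proc), not real data.
SAMPLE_PROCS = [
    {"pid": "1001", "exe": "/usr/libexec/gam_server", "user": "root",
     "cmd": "gam_server"},
    {"pid": "1002", "exe": "/home/alice/public_html/cgi-bin/script.cgi",
     "user": "alice", "cmd": "/usr/bin/perl script.cgi"},
    {"pid": "1003", "exe": "/home/bob/public_html/cgi-bin/scriptXcgi",
     "user": "bob", "cmd": "./scriptXcgi"},
    {"pid": "1004", "exe": "/usr/bin/python", "user": "bob42",
     "cmd": "python worker.py"},
    {"pid": "1005", "exe": "/home/eve/public_html/cgi-bin/reportXcgi",
     "user": "eve", "cmd": "./reportXcgi"},
    # In both Perl and Python regexes the "\to" in the sample pcmd is TAB + "o",
    # so this plain "command to match" command line is NOT matched by it.
    {"pid": "1006", "exe": "/usr/bin/perl", "user": "carol",
     "cmd": "/home/carol/command to match .pl now"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_PIGNORE, SAMPLE_PROCS)
    for pid, hits in report.items():
        print(pid, "ignored by" if hits else "still tracked", hits)
```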
2.83 - Fixed broken Server Check from v2.82
2.82 - Fixed the documentation for LF_TRIGGER_PERM
       Fixed issue where RT_[relay]_ALERT set to "0" was being ignored
       Fixed condition from v2.80 which prevented SCRIPT_ALERT from working
       If killproc.conf does not exist the Server Check now links to the Background Process Killer page instead of issuing a file missing error
2.81 - Added exe:/usr/local/cpanel/cpdavd to csf.pignore
       Added option to disable refresh in WHM csf UI when viewing lfd.log
       Removed debug code that prevented IP blocking -- oops
2.80 - Added new lfd feature - Relay Tracking. This allows you to track email that is relayed through the server (cPanel only). It tracks general email sent into the server, email sent out after POP before SMTP and SMTP_AUTH authentication, local email sent from the server (e.g. web scripts). There are also options to send alerts and block IP addresses if the number of emails relayed per hour exceeds configured limits. The blocks can be either permanent or temporary. Currently blocking does not function for LOCALRELAY email.
       Introduced a new blocking mechanism in lfd that allows a choice of permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for details on how to configure the various blocking options to use temporary instead of permanent blocks, e.g. for Login Failure blocking
       Modified new installations to default to using separate triggers for login failures, instead of the global LF_TRIGGER value
2.79 - Bug fixes
       Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK is enabled for the new cPanel Webmail configuration in v11
       Added new configuration option DROP that allows you to choose the drop target for rejected packets (see csf.conf for more information)
       Remove /etc/cron.d/csf_update on uninstall
2.77 - Closed vulnerability with temporary file checking
       Tightened log file regex's to prevent spoofed remote IP block attacks
2.76 - Improved file checking in Server Check script to prevent WHM failures
2.75 - Modified Server Check to only look at pure-ftpd settings if installed
       Simplified throttling mechanism
2.74 - Modified PHP Server Checks to use the php binary output instead of trying to find the active php.ini file
       Added PHP Server Check for register_globals
       Improvements to the Server Check code
       Fixed bug in TCP port 23 check in Server Check
       Added new option --check (-c) to check whether the installed version of csf is the latest, no update is performed
       Added multiple csf configuration checks to the Server Check report
       Added throttling to LF_INTEGRITY and increased the timeout proportionally
2.73 - Modified SMTP_BLOCK warning on VPS servers to only display if the option is enabled
       Modified the Server Services Check text to omit using -del with chkconfig and better explain that a process is enabled even if it is not currently running and needs to be disabled to prevent startup on boot
       Removed reliance on wget for updates and version checks
       Coding improvements in csf.pl and addon_csf.cgi
       Added /var/log/lfd.log tail automatic refresh to WHM UI
2.72 - Fixed problem with DENY_IP_LIMIT not counting all IP entries in csf.deny correctly
       Ignore and issue a warning if SMTP_BLOCK is enabled on a Virtuozzo VPS since the Virtuozzo VPS kernel does not support ipt_owner
       Remove Shell/Fork Bomb Protection check in Server Check as the option breaks a Virtuozzo VPS if enabled
       Added more processes to check in Server Services Check
       Removed restriction on outbound source port rule construction
2.71 - Added CSS settings to support pre-v11 cPanel installations
2.70 - Modified to adopt cPanel v11 WHM theme
       Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new installations for v11 cPanel
       Added FC5 to the list of (or soon to be) unsupported OS's
       Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading
2.69 - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where a suspicious directory would not be removed
       Added perl module check for File::Path
       Added path configuration to tar and chattr in csf.conf
       Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login failures. When upgrading the new setting will be set to whatever you have LF_FTPD set to
2.68 - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead to arbitrary code being executed in the context of the user running lfd, i.e. root. This option has been disabled in the code until further notice. You will have to manually remove any reported files
       Tightened csf file ownerships on installation
2.67 - Security fix - A major security issue has been found in the LF_DIRWATCH code that can lead to arbitrary code being executed in the context of the user running lfd, i.e. root, if that option is enabled and a hacker has access to create a crafted filename in one of the watched directories. This update closes this hole. *ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL EXPLOITATION*
2.66 - Modified LF_CPANEL text in csf.conf for new installations to reflect the change in the SSL login handling by cPanel (i.e. it does now log SSL login IP's)
       Modified the log line monitoring in lfd to cope with log line flooding to prevent looping/excessive resource usage.
Also recoded without the use of the POSIX routines lfd process name now shows which log file it is scanning 2.65 - New Feature: System Integrity Checking. This enables lfd to compare md5sums of the servers OS binary application files from the time when lfd starts. If the md5sum of a monitored file changes an alert is sent. This option is intended as an IDS (Intrusion Detection System) and is the last line of detection for a possible root compromise. See csf.conf for more information 2.64 - Modified lfd check for rotated system logs to re-open a log file if logs are emptied instead of rotated 2.63 - Added regex support for uw-imap (imap and pop3) login failures Added regex support for proftpd login failures Timeout version check incase version server is unavailable 2.62 - Fixed CIDR support issue with csf.ignore only recognising the first listed entry 2.61 - Fixed problem with lfd not being killed by /etc/init.d/lfd 2.60 - Added log file locations to csf.conf openSUSE v10 compatible (generic) Debian v3.1 (sarge) compatible (generic) Unbuntu v6.06 LTS compatible (generic) Added installation check for the LWP (libwww-perl) perl module Ran spell checker against the readme.txt file 2.59 - Fixed mod_security report not displaying if only 1 entry 2.58 - Tweaked the mod_security entry layout 2.57 - New feature: WHM UI mod_security v1 display last X entries in the audit_log New feature: WHM UI mod_security v1 edit files or directories in /usr/local/apache/conf/ that are prefixed with modsec or mod_sec Tweaked the pre-configured Firewall Security Level settings 2.56 - Fixed v2.55 fix for non-EDGE versions 2.55 - Fix to to support current EDGE in csf WHM UI 2.54 - Tightened the mod_security v1 regex after the changes in v2.52 2.53 - Modified Server Check to reflect withdrawn FedoraLegacy support for FC3 and FC4 which should now be considered insecure 2.52 - Separated the log file regex's into regex.pm for those feeling brave to tailor them for non-cPanel servers Unified 
installer for cPanel and non-cPanel installations - so that only install.sh needs to be run (checks for the existence of: /usr/local/cpanel/version If you install on a server intending to use cPanel before cPanel is installed, run the install.cpanel.sh script instead Added mod_security v2 regex when running Apache2 to lfd Added [iptext] tag for connectiontracking.txt to list all the connections of an offending IP. Add this manually for existing installations 2.51 - Major Enhancement: csf+lfd can now be installed and used on a generic Linux OS without cPanel using install.generic.sh - see readme.txt for more information PF INVDROP entries made bi-directional if PF logging enabled (reduces the number of INVDROP LOG rules by half) Fixed Process Tracking throttle control to correctly use PT_INTERVAL 2.50 - Removed option ALLOW_RES_PORTS from new installs, setting is ignored Check for LF at the end of form data for files edited through the WHM UI and append one if omitted Following the changes in 2.48 the LOGDROP chain doesn't distinguish between incoming and outgoing blocks. So, LOGDROP has now been split into LOGDROPIN and LOGDROPOUT 2.49 - Fixed issue if ETH_DEVICE was set and from changes in 2.48 2.48 - csf will now specify ! lo as the main ethernet device unless otherwise defined in ETH_DEVICE. This will mean that the firewall is applied to all ethernet devices on the server unless otherwise specified in the configuration 2.47 - Modified DYNDNS code to set listed domains IP addresses to be ignored as if they were listed in csf.ignore If adding an IP address to csf.allow that is already in csf.deny, the IP address will now be removed from csf.deny first and the DROP removed from iptables. 
It will then be added to csf.allow as normal 2.46 - Added auto-detection of additional exim port (same as SSH port) which will be added to TCP_IN on csf installation (or if in TESTING mode) Only report PT_USERMEM and PT_USERTIME PIDs once 2.45 - Added workaround to restart the bandmin acctboth chains if csf is stopped or (re)started Rewritten the way RELAYHOSTS works so instead of using an iptables chain a check is done at block time on the IP address and if it is in /etc/relayhosts then it will be treated as if it is listed in csf.ignore Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0) instead of a time interval Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore Added new options PT_USERMEM and PT_USERTIME to report excessive user process usage and optionally PT_USERKILL to kill such processes. An alert is sent using resalert.txt 2.44 - Added new option PT_LOAD which will detect if the server load average of choice exceeds a set threshold and send an alert Reduced the DROP_NOLOG default setting to not include ephemeral ports for new installations Moved DROP_NOLOG rules to the LOGDROP chain 2.43 - Added new option DROP_PF_LOGGING which will give detailed iptables log information on dropped packets that are INVALID or out of sequence. This can help tracking down why iptables may be blocking certain IP connections 2.42 - Improved the csf locking mechanism to avoid deadlocks 2.41 - Fixed syntax in lfd procedure for csf locking Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it will be run before any of the csf iptables rules are applied. If /etc/csf/csfpost.sh exists it will be run after all of the csf rules have been applied. This allows you run your own iptables commands within those files. 
Each file is passed through /bin/sh Added two new command line options to completely enable and disable csf and lfd Added Enable and Disable options to WHM UI 2.40 - Added csf lock procedure to avoid iptables race conditions if multiple /simultaneous instances of csf or lfd are executed Added check for child reaper looping to dramatically reduce lfd load 2.39 - Added OS check to Security Check to warn if using RH7/9 FC1/2 which are no longer supported (or about to be retired) Made lfd more lenient when it cannot open a log file (reports the error but continues to function) PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for php settings Added new option RELAYHOSTS to csf.conf which allows you to automatically allow access to IP's listed in /etc/relayhosts at a specified interval 2.38 - Fixed DYDNS (forgot to add the rule to redirect packets to the ALLOWDYN iptables chain) 2.37 - Added canna to the Security Check New feature - added support for dynamic dns (DYNDNS) records. See csf.conf for more information Added dyndns file edit to WHM UI 2.36 - Added runlevel check to Security Check Added nobody cron check to Security Check Added melange server check to Security Check Modified the regex for the php.ini disable_functions check Added timing function to lfd that logs how long each stage takes. This can be enabled by editing lfd.pl and setting $timing=1 - this can help in tracking down performance issues with lfd 2.35 - Added specific exclusion for proftpd in lfd.pl process tracking Fixed bug with LF_GLOBAL being ignored 2.34 - Added a new option (beta for now) PT_SMTP. This option will check for outgoing connections to port 25, ecluding root, exim and mailman. The purpose of the feature is to log SMTP connections if you believe you have a spammer on the server who is bypassing exim to send out spam emails - this is traditionally a very difficult form of spam to track down. 
The option currently logs relevant process information to lfd.log to avoid an email alert flood. 2.33 - Code modification to allow csf+lfd to run without erroring on cPanel DNS-Only installations Added forced error checking on SMTP blocking iptables commands Added check in csf and lfd for duplicate settings in csf.conf 2.32 - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25 for web scripts, etc, if SMTP_BLOCK is enabled Added check to csf startup to fail if "WHM > Tweak Security > SMTP Tweak" is enabled otherwise it can break SMTP traffic completely. The SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used instead 2.31 - Added automatic throttling code to help prevent lfd using excessive resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If the sub process takes too long to run, the interval between its next run is increased temporarily (for the duration lfd runs for, a restart will reset it) and will continue to extend this time to prevent excessive server load. However, it will also proportionately increase the time given for the sub process to complete so that it can at least attempt to get the check done. If you see throttling messages appearing in the lfd.log you should consider increasing the process interval as indicated permanently (i.e. within csf.conf) Added throttling to CT_INTERVAL 2.30 - Modified PT_USERPROC to respect all ignore entries in csf.pignore 2.29 - New feature - User Process Tracking. This option enables the tracking of the number of process any given cPanel account is running at one time. If the number of processes exceeds the value of the PT_USERPROC setting an email alert is sent with details of those processes. A user is only reported once, so lfd must be restarted to reinstate checking of all users. If you specify a user in csf.pignore it will be ignored. 
The alert file is useralert.txt Added useralert.txt for editing through the WHM UI Added PT_USERPROC to the Firewall Security Level settings 2.28 - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to csf.pignore Only perform strict iptables error checking when in TESTING mode 2.27 - Fixed another mis-configuation for outgoing global deny rule - Thanks again to Marie from Jagwire Hosting 2.26 - Fixed a mis-configuation for outgoing global deny rule - Thanks to Marie from Jagwire Hosting Allow advanced allow and block filters using the -a and -d options when running csf in CLI Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the application trigger levels set, you can now set LF_SELECT to "1" if you only want to block IP access to that application instead of a complete block Changed installer behaviour to only add SSH port to TCP_IN if TESTING is set to "1" - done to help those that don't want to always have the SSH port opened 2.25 - Modified lfd init procedure to use the init functions Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd will instead trigger blocks based on the value of the application trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3 mod_security alerts. Or if LF_POP3D is set to "10" then it will trigger on 10 pop3d login failures. When in this mode, i.e. with LF_TRIGGER set to "0", login failures for different triggers are not cumulative, whereis LF_TRIGGER set to a number > "0" they are cumulative as before Modification to csf.conf to reflect the changes to LF_TRIGGER - only applied to new installations Rewrite of the iptables command invocation in lfd.pl to trap iptables errors and shutdown firewall if any found - should help prevent lockouts Allow advanced rules in Global Allow and Deny lists. Input and Output direction support included. 
Added Global Allow and Deny lists to the OUTPUT chain as well as the INPUT chain Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to ignore. Updated WHM UI to allow easy file edits 2.24 - Fixed global allow/deny lists so that you can correctly not have to specify both an allow and a deny file 2.23 - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH from the cPanel configuration Added maildir check to Security Check Fixed a typo in advanced rules - Thank you to Victor from Touch Support for pointing this out Added binary executable check for LF_DIRWATCH files Added core dump check in cron directories to LF_DIRWATCH Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still find it timing out, make sure that you have been clearing down your tmp directories 2.22 - Added CIDR recognition to csf.ignore Rewrite of the iptables command invocation in csf.pl to trap iptables errors and shutdown firewall if any found - should help prevent lockouts 2.21 - Fixed a problem on some installations where the update process emptied out csf.conf. If this has happened, you will need to remove /etc/csf/csf.conf and then rerun the installation procedure and reconfigure the firewall. 
If you're already running at least v2.18 you can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf and then upgrade to this release 2.20 - Added workaround for different output from the fuser application in different OS's 2.19 - Added Security Check for recurions restrictions in named.conf Modified port 23 check to be quicker Added Security Check for localhost/127.0.0.1 entry in resolv.conf Added Security Check for webmin if running Added 3 more WHM Security Checks for domain parking Added Security Check for boxtrapper Added a Run Again button to the Security Check page Added Security Checks for cPanel and security package updates 2.18 - Fixed an issue with checking the /var/tmp symlink by comparing the inodes of /tmp and the symlink destination of /var/tmp Added checking of /usr/tmp Added checking of SSH PasswordAuthentication Modified update routine to take a copy of csf.conf before upgrading - the backup file is /etc/csf/csf.conf.preupdate Added check in /etc/cron.daily/logrotate for /tmp noexec workaround 2.17 - Fixed installation process where duplicate entries were being added to csf.conf for new settings. Routine added to remove duplicates and redundant settings Added logrotate script for for the lfd.log file 2.16 - Fixed syntax issue with the csf.deny application feature added in v2.15 that prevents csf adding the IP to csf.deny 2.15 - Added a list of the applications that lfd blocks a login failure for into csf.deny, e.g. (ftpd,mod_security) Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature will watch for changes in directories and files listed in csf.dirwatch using an md5sum for the ls output. If the md5sum changes between checks an email alert is sent using watchalert.txt Modified pid file locking for the lfd process to ensure duplicate processes won't run Completely reworked the child reaper code to prevent SIG_CHLD kernel errors. 
Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs Added new option to csf.fignore that allows you to ignore files owned by a specific user by adding an entry in the format user:bob Fixed bug in LF_DSHIELD timer code Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch their respective data New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to specify a URL where csf can grab a centralised copy of an IP allow and/or deny block list of your own. They are both retrieved after a LF_GLOBAL interval in seconds by lfd Added WHM UI changes for LF_DIRWATCH_FILE 2.14 - Modification to /var/tmp check to cater for symlinks with a trailing slash Added check for native SSL support in cPanel in Server Check for those versions that now support it Added MySQL port check to Server Check Added missing comments when clickcing Display All Comments 2.13 - Added cPanel version check to Security Check Added suspicious symlink checking to LF_DIRWATCH Added a Display All Comments to Security Check Added hyperlinks to WHM URLs in Security Check comments Fixed the Apache Limits comments of the Security Check Added shell limit checks to Security Check Added Background Process Killer to Security Check 2.12 - Removed duplicate /var/tmp tests Fixed another typo 2.11 - Typo corrections in output text Removed dependencies on external modules for the Server Check report 2.10 - Fixed /dev/shm test 2.09 - Removed the nodev check on /tmp etc 2.08 - Changed app name to ConfigServer Security & Firewall New Feature - Added Server Security Check report to WHM UI 2.07 - Improved suspicious directory detection 2.06 - Document update Change directory watching to only check for suspicious sub directories 2.05 - Fixed log file error if DShield or Spamhaus block list retrieval fails Added perl regex matching in csf.fignore (see updated readme.txt) 2.04 - Added /tmp/.horde/* to csf.fignore 2.03 - Fixed a looping issue with the temporary Connection Tracking block code Added a 
10 second timeout for the LF_DIRWATCH child to prevent looping 2.02 - In LF_DIRWATCH, allow wildcard matching at the end of a file name in csf.fignore, such that /tmp/clamav* will ignore any files starting with /tmp/clamav, e.g. /tmp/clamav-1234 Added a throttle to LF_DIRWATCH - if more than 10 emails are being emailed in one pass, LF_DIRWATCH will create the file /etc/csf/csf.dwdisable and then disable itself. To get it watching again, either restart lfd or delete that file Fixed a bug where LF_DIRWATCH always reported the same file when different files had been detected in a pass 2.01 - Added an LF_DIRWATCH exception for postgres /tmp files Prevent a file being reported more than once in an LF_DIRWATCH run Removed LF_DIRWATCH check for files being excecutable since too many apps set temporary files with the flag set, e.g. mod_gzip 2.00 - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp and /dev/shm and other pertinent directories for suspicious files, i.e. script exploits. These can optionally be moved into a tarball Directory Watching false-positives can be listed in csf.fignore which is accessible from the WHM UI 1.99 - Bug fix for multiple NICs in the lfd code 1.98 - Modified code to allow for multiple ethernet NICs so that all rules are applied to all NICs, for example, if you have IP's spread over eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+" 1.97 - Tightened DNS port 53 connections in accordance with: http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07 Moved no log dropping to the end of the chains Moved allowed IP's to before Block Lists 1.96 - Liberalised connections allowed to and from DNS port 53 1.95 - Fixed WHM UI update. 
If you're running v1.93 or v1.94 you'll have to update from shell to get to v1.95 using: csf -u 1.94 - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore 1.93 - Fixed problem where external resolvers were being used and responses from them were being dropped because they were coming back on ephemeral ports - added a scan of /etc/resolv.conf and external nameservers now have whitelisted source port 53 to ephemeral ports Drop logging of failed attempts to access port 53 so they don't consume syslog Moved update from /tmp do /usr/src 1.92 - Fixed bug where the DShield and Spamhaus block lists weren't being periodically updated by lfd 1.90 - Minor fix to pre-configured settings 1.89 - Added Pre-configured settings for Low, Medium or High firewall security to WHM UI 1.88 - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain 1.87 - Modified drop list chains to use their own drop logging to differentiate from normal drop - if drop logging enabled 1.86 - Modified lfd connection tracking to drop udp as well as tcp packets when blocking Added support for the DShield Block List with LF_DSHIELD - http://www.dshield.org/block_list_info.php See csf.conf for more information Added support for the Spamhaus DROP List with LF_SPAMHAUS - http://www.spamhaus.org/drop/index.lasso See csf.conf for more information 1.85 - Workaround for spam PT false-positives Added exe:/usr/bin/spamc to csf.pignore Added csf version to title bar in WHM 1.84 - Added new cpsrvd-ssl executable to csf.pignore for the new SSL native cPanel setup (currently in EDGE) 1.83 - Enhanced lfd.log logging for application failure detection lines Set lfd to ignore child processes to get rid of zombie children. 
If you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE, but you are likely to see harmless lfd zombie processes 1.82 - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled Extended the Advanced Allow/Deny Filters to allow use of UID and GID filtering for outgoing packets - see readme.txt for more details Modified code to deal with modprobe command output more cleanly 1.81 - Further modification for the newer xt iptables modules 1.80 - Modified iptables LKM modprobe code to cater for newer xt_* module naming scheme 1.79 - Added new feature to send an alert email if su is used to login from one account to another. Alerts are sent whether the attempt was successful or failed 1.78 - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd process tracking 1.77 - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels, e.g. RH9/FC1 Modified WHM UI textareas to expand to fit file contents 1.76 - Changed WHM interface to restart csf before lfd when restarting both 1.75 - Fix to prevent duplicates in csf.deny Added a slight pause between stop and start when restarting Code fix for TESTING mode crontab entry removal 1.74 - Fixed lfd to when reading csf.ignore when comments present 1.73 - Added new option LF_CSF to restart csf if iptables appears to have been flushed (i.e. 
stopped) Added new option LF_SCRIPT_PERM to disable directories identified by LF_SCRIPT_ALERT - see csf.conf for more information Workaround to child reaper when 2 children die at the same time Added workaround for PT spamd false-positives 1.72 - Fixed bug in (deleted) lfd checks 1.71 - Added some more exceptions to csf.pignore Lowered the default setting for LF_SCRIPT_LIMIT to 100 Modified PT to check for deleted binaries on exemptions which happen when upcp runs and the binaries are replaced 1.70 - PT now only reports processes with open ports 1.69 - lfd tweaks 1.68 - Additions to csf.pignore Added new option PT_SKIP_HTTP - see csf.conf/readme.txt Updated readme.txt regarding unavoidable false-positives and possible mitigation. 1.67 - More tweaks to PT with additions to csf.pignore 1.66 - Updated csf.pignore file with additional executables lfd code tweaks 1.65 - Added very simple ASCII obfuscation for lfd PT skip lines Fixed port typo for entropychat port 1.64 - Updated CLI help and readme.txt for new csf -u command from v1.63 Changed the format of the email templates for new installations - if you want to use the new format remove /etc/csf/*.txt and then install csf Added mechanism to prevent multiple email/block attempts from login attacks in lfd Added new feature - Process Tracking. This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. 
If a suspicious process is found an alert email is sent with relevant information - readme.txt for details 1.63 - Added feature to WHM UI to enable editing of the email templates Modified WHM UI to use fixed-width larger font for command output and edit boxes Added notice to install.txt and readme.txt about enabling klogd (on VPS systems in particular) Added autoupdates system using AUTO_UPDATES - see csf.conf for details 1.62 - Added to APF/BFD removal in WHM UI the logrotate configuration files Added comments system to csf.allow and csf.deny - see readme.txt for more information 1.61 - Tighten up some of the csf rules Added new fature - LF_SCRIPT_ALERT when enabled will scan /var/log/exim_mainlog for extended exim logging lines that show the cwd= line for paths in /home which indicate emails sent from scripts. If LF_SCRIPT_LIMIT emails from the same path are sent within an hour, an email alert is sent using scriptalert.txt containing the first 10 probably exim mainlog line matches and also likely mailing scripts within the identifed path - an ideal tool to help identify spamming scripts sending out email through exim. 
The option is disabled by default as you do need to enable extended exim logging first as explained in the csf.conf file 1.60 - Modified lfd to use a child reaper instead of ignoring the CHLD signal Added login failure detection of cpanel, webmail and whm connections - this will only work for access to non-secure ports as cPanel doesn't know the IP address of the user when connection are over SSL due to the way stunnel works 1.59 - Added workaround to ethernet device detection for VPS servers 1.58 - Fixed problem where SSH port detection on installation would add an emtpy , if the SSH port had not been explicitly defined in sshd_config Modified csf and lfd ethernet device detection so that if specified in either csf.conf or /etc/wwwacct.conf dup IP's aren't checked - useful for bonded ethernet devices on some OS's 1.57 - Removed erroneous 's in lfd.log csf start automatically does a restart to avoid problems with any existing iptables rules or chains Added new option "Deny Server IPs" and associated file csf.sips to allow blocking of all traffic on server configured IP's if they're not in use Added notification to CLI and WHM UI if TESTING still enabled 1.56 - lfd modification to avoid a race condition with the ALRM calls Added new feature - /etc/csf/csf.ignore can contain IP addresses that are ignored by lfd. If an event is triggered it may be logged in lfd.log but will not result in an email alert - e.g. 
you could list your own IP address to avoid alerts from when you login over SSH, etc Added WHM UI option to edit the ignore file 1.55 - Fixed a strict refs issue in lfd 1.54 - Fixed IP DNS lookup routine to avoid empty () when no host found Added local DIE for ALRM calls for IP lookups and netstat commands Removed chkservd restart from /etc/init.d/lfd so that it behaves like other monitored services Improved error trapping routines to better report to lfd.log if the process dies 1.53 - Optimised logging in lfd Improved error handling and reporting in lfd Modified WHM UI report to include all data, not just a single day Improved DROP logging to SYSLOG Added logging of dropped ICMP connections Added new option DROP_IP_LOGGING to log IP addresses that have been blocked in csf.deny or by lfd with temporary connection tracking blocks 1.52 - beta test release 1.51 - Added DNS lookups for IP addresses in all lfd alert emails 1.5 - Added new feature - Connection Tracking. Enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than CT_LIMIT then the offending IP address is blocked in csf, or temporarily blocked in iptables. This can be used to help prevent some types of DOS attack Added new feature - SSH login alerts. 
An email is sent if a successful SSH login is detected Fixed a descriptive issue with the WHM UI Modified so that lfd checks that it doesn't block a server IP 1.42 - Modified lfd login tracking to check the csf.allow file for an offending IP address and to skip it if it's allowed - note this only works for specified full IP addresses (not CIDRs or advanced port/IP) 1.41 - Added an exception for 127.0.0.1 when checking ethernet interfaces as VPS servers are setup with that IP on both the loopback and main interface 1.4 - Fixed error routine iptables flush command typo Modified interface checking for non-english Linux distributions Modified interface checking for IP addresses assigned to multiple interfaces by mistake (I've just seen this happen!) Set FORWARD chain to ACCEPT on stopping firewall Reorganised csf.pl code Added advanced port+ip filtering within csf.allow and csf.deny with the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info) Added link to readme.txt in WHM interface Added iptables status (Running/Stopped) to WHM interface Added Quick Allow and Quick Deny IP address options to WHM interface 1.33 - Added blocking of SSL POP3 and IMAP ports to LT (993/995) Added option to Restart csf+lfd within WHM interface when appropriate Added buttons to WHM interface to remove APF or BFD if still installed Removed csf nat and mangle chain actions 1.32 - Modified log line checking to deal with syslog compression. This is where syslog will add a line "last message repeated X times" if the next line it were to add is identical to the last. This could lead to login attempts being missed. 
       But no more - lfd now checks for that line and repeats the processing of the previous log line X times to count all the login failures

1.31 - Removed some redundant code from csf
       Display error in csf if IP already in allow/deny file
       Stopped install.sh from overwriting email templates
       Added email notification for login tracking, including a new email template tracking.txt
       Added mod_security apache module IP blocking in lfd

1.3 -  Fixed a problem with the tick time in the alert report
       Changed the way allow and deny IP addresses are inserted into iptables so that using the command line -a or -d doesn't require a firewall restart
       csf -l now shows iptables line numbers
       Added login tracking (LT) options to keep track of POP3 and IMAP logins and limit them to X connections per hour per account per IP address. Uses iptables to block offenders on the appropriate protocol port only and flushes them every hour. All of these blocks are temporary and can be cleared by restarting csf

1.21 - Added the real log file failure entry matches to the alert email. Existing installations will need to add a [text] variable into /etc/csf/alert.txt
       Added link in WHM to the ChangeLog if a new version is available

1.2 -  Fixed uninstall script to remove lfd from chkservd
       Fixed lfd so that checks were not made on options where a log file is shared
       Fixed lfd stop/start to disable/enable chkservd option
       Added upgrade feature to WHM when a new version of csf is available

1.11 - Use full paths to chkconfig within the csf installation scripts
       Documentation improvements

1.1 -  Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks an IP address. lfd now forks a child process to handle the IP blocking and email so that it doesn't hinder the daemon process from scanning the logs. It uses a template file for the email.
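The v1.32 entry (replaying a "last message repeated X times" line) and the v2.25/v2.26 entries (LF_TRIGGER cumulative vs per-application counting, LF_SELECT port-only blocks) together describe how lfd turns log lines into block decisions. The following is an added example written for this changelog, not lfd code: the regexes are simplified stand-ins for csf's regex.pm, the trigger levels, port numbers and log lines are constructed, and the syslog repeat line is assumed to sit directly after the line it repeats.

```python
"""Login-failure counting with syslog repeat expansion and LF_TRIGGER semantics.

Added example, not csf/lfd code. Constructed assumptions:
  - a "last message repeated N times" line replays the line just before it (v1.32)
  - LF_TRIGGER > 0: failures for an IP across all applications are summed (v2.25)
  - LF_TRIGGER = 0: each application's own trigger level applies, and with
    LF_SELECT = 1 the block is limited to that application's port (v2.26)
"""
import re
from collections import defaultdict

REPEAT_RE = re.compile(r"last message repeated (\d+) times")

# Simplified patterns constructed for this example; csf's real ones live in regex.pm.
FAILURE_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "pop3d": re.compile(r"pop3d: LOGIN FAILED, .*ip=\[(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)\]"),
}
# Example per-application trigger levels (LF_SSHD/LF_POP3D style) and LF_SELECT ports.
APP_TRIGGERS = {"sshd": 5, "pop3d": 10}
APP_PORTS = {"sshd": "22", "pop3d": "110"}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jun  1 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 4410 ssh2",
    "Jun  1 10:00:02 host last message repeated 3 times",
    "Jun  1 10:00:05 host pop3d: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]",
    "Jun  1 10:00:06 host pop3d: LOGIN FAILED, user=carol, ip=[::ffff:198.51.100.9]",
    "Jun  1 10:00:07 host last message repeated 9 times",
    "Jun  1 10:00:08 host sshd[2002]: Accepted password for alice from 192.0.2.5 port 5100 ssh2",
]


def expand_repeats(lines):
    """Undo syslog compression by replaying the previous line N times."""
    previous = None
    for line in lines:
        m = REPEAT_RE.search(line)
        if m and previous is not None:
            for _ in range(int(m.group(1))):
                yield previous
            continue  # keep 'previous' so chained repeat lines replay the same line
        previous = line
        yield line


def classify(line):
    """Return (application, ip) for a login-failure line, else None."""
    for app, pattern in FAILURE_PATTERNS.items():
        m = pattern.search(line)
        if m:
            return app, m.group(1)
    return None


def count_failures(lines, honour_repeats=True):
    """Return {ip: {app: failures}}; honour_repeats=False is the pre-1.32 behaviour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in (expand_repeats(lines) if honour_repeats else lines):
        hit = classify(line)
        if hit:
            app, ip = hit
            counts[ip][app] += 1
    return {ip: dict(per_app) for ip, per_app in counts.items()}


def evaluate(lines, lf_trigger, lf_select=0, honour_repeats=True):
    """Decide blocks: {ip: "all"} for a complete block, {ip: "tcp:<port>"} for LF_SELECT."""
    blocks = {}
    for ip, per_app in count_failures(lines, honour_repeats).items():
        if lf_trigger > 0:
            # Cumulative mode: one global threshold over all applications.
            if sum(per_app.values()) >= lf_trigger:
                blocks[ip] = "all"
        else:
            # Per-application mode: the first application over its own level decides.
            for app, n in per_app.items():
                if n >= APP_TRIGGERS[app]:
                    blocks[ip] = f"tcp:{APP_PORTS[app]}" if lf_select else "all"
                    break
    return blocks


if __name__ == "__main__":
    print("LF_TRIGGER=5            ", evaluate(SAMPLE_LOG, lf_trigger=5))
    print("LF_TRIGGER=0            ", evaluate(SAMPLE_LOG, lf_trigger=0))
    print("LF_TRIGGER=0 LF_SELECT=1", evaluate(SAMPLE_LOG, lf_trigger=0, lf_select=1))
    print("without repeat handling ", evaluate(SAMPLE_LOG, lf_trigger=5, honour_repeats=False))
```

Running it shows that without the v1.32 repeat handling the same log yields no block at all, since four of the five sshd failures and nine of the ten pop3d failures are hidden inside the compressed lines.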
1.0 -  Initial public release
       Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading
       Check /var/log/messages and /var/log/secure for SSHD logins
       Clarified in the configuration file that only courier-imap/pop3 connections are trapped in lfd

1.0RC2 - Added filtering out of \r in WHM interface for allow and deny
       Fixed typo in WHM addon
       Added new configuration option ALLOW_RES_PORTS

1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch: http://sourceforge.net/projects/fwlogwatch/ This processes /var/log/messages, extracts the iptables log entries (if logging is enabled) and produces a simple HTML summary report

0.2b - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat module installed
       Modified lfd to use asterisks in the log message when blocking, to highlight in Thunderbird in the same way as the kernel log messages if you use the "Quote Colors" extension - http://quotecolors.mozdev.org/
       Added list of TCP and UDP ports currently being listened on to install
       Set DNS_ZONE to default to 1
       Removed backups of csf.conf files as the WHM interface is stable
       Added ipt_owner module load for SMTP Tweak on LKM kernels
       Added ipt_LOG to the required module list for LKM kernels to ensure drop logging to syslog
       Added new configuration option DENY_IP_LIMIT

0.1b - Initial beta release (24 May 2006)
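The v1.4 entry above introduces the advanced csf.allow/csf.deny filter format tcp/udp:in/out:s/d=port:s/d=ip. The parser below is an added example, not csf's own code: it treats the trailing ip field as optional and IPv4-only (an assumption of this example, matching the ':' separator of v1.4), and renders the result as plain iptables arguments using the standard INPUT/OUTPUT chains and ACCEPT/DROP targets rather than whatever chains csf itself maintains.

```python
"""Parse csf v1.4 advanced filters: tcp/udp:in/out:s/d=port[:s/d=ip].

Added example, not csf code. Assumptions: the ip field is optional, IPv4
address or CIDR only, ':' is the field separator; chain and target names are
standard iptables ones, not csf's internal chains.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CHAIN = {"in": "INPUT", "out": "OUTPUT"}
PORT_FLAG = {"s": "--sport", "d": "--dport"}
IP_FLAG = {"s": "-s", "d": "-d"}
FIELD_RE = re.compile(r"^([sd])=(.+)$")  # s=... or d=...


@dataclass(frozen=True)
class Filter:
    proto: str                # "tcp" or "udp"
    direction: str            # "in" or "out"
    port_side: str            # "s" (source port) or "d" (destination port)
    port: int
    ip_side: Optional[str]    # "s" or "d", None when no ip field was given
    ip: Optional[str]         # IPv4 address or CIDR text, None when absent


def parse_filter(text: str) -> Filter:
    """Parse one filter line such as 'tcp:in:d=22:s=192.0.2.10'; ValueError on bad input."""
    parts = text.strip().split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 ':'-separated fields: {text!r}")
    proto, direction, port_field = parts[0].lower(), parts[1].lower(), parts[2]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp: {proto!r}")
    if direction not in CHAIN:
        raise ValueError(f"direction must be in or out: {direction!r}")
    m = FIELD_RE.match(port_field)
    if not m or not m.group(2).isdigit() or not 0 < int(m.group(2)) < 65536:
        raise ValueError(f"bad port field: {port_field!r}")
    port_side, port = m.group(1), int(m.group(2))
    ip_side = ip = None
    if len(parts) == 4:
        m = FIELD_RE.match(parts[3])
        if not m:
            raise ValueError(f"bad ip field: {parts[3]!r}")
        # Validates the address; strict=False tolerates host bits set in a CIDR.
        if ipaddress.ip_network(m.group(2), strict=False).version != 4:
            raise ValueError("only IPv4 is handled with the ':' separator")
        ip_side, ip = m.group(1), m.group(2)
    return Filter(proto, direction, port_side, port, ip_side, ip)


def is_valid_filter(text: str) -> bool:
    """True when parse_filter accepts the line."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def to_iptables_args(flt: Filter, target: str) -> List[str]:
    """Render as iptables arguments; target is ACCEPT for csf.allow, DROP for csf.deny."""
    args = ["-A", CHAIN[flt.direction], "-p", flt.proto,
            PORT_FLAG[flt.port_side], str(flt.port)]
    if flt.ip is not None:
        args += [IP_FLAG[flt.ip_side], flt.ip]
    return args + ["-j", target]


if __name__ == "__main__":
    for line, target in (("tcp:in:d=22:s=192.0.2.10", "ACCEPT"), ("udp:out:d=53", "DROP")):
        print(line, "->", " ".join(to_iptables_args(parse_filter(line), target)))
```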