4.87   - Ignore csf.rignore for LT_POP3D and LT_IMAPD

         Removed unnecessary csf.locks during some GLOBAL list updates

	 Updated Copyright notice

	 Modified the block message for LF_MODSEC and LF_SUHOSIN to be more
	 appropriate (i.e. not "login failures")

	 Added new block options for BIND denied requests: LF_BIND,
	 LF_BIND_PERM, BIND_LOG. This works in the same way as the other
	 similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have
	 had BIND (named) requests denied more than LF_BIND times in
	 LF_INTERVAL seconds. Currently named client denied log lines for
	 "update" and "zone transfer" trigger the option

	 Modified GLOBAL_ routines to continue if retrieval for one fails
	 instead of immediately exiting

	 Added IPv6 check to Server Check

	 Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled
	 on single line comments (lfd.log, csf.deny, etc)

	 Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the
	 respective email alerts can be disabled

	 Updated IP::Country

4.86   - Added Dovecot regex checking for LT_POP3D and LT_IMAPD

	 Modified Server Check for Fedora v10 EOL now that Fedora v12 has been
	 released

	 Improved Dovecot IMAP and POP3D login failure regex

	 Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD

	 Fixed TLSCipherSuite Server Check for proftpd

	 Added SSHD regex for "Did not receive identification string from IP"
	 failures

4.85   - Further improvements to ICMP rule filters

       - Added backup mod_security log viewer for non-cPanel servers

4.84   - Mod_security log viewer removed from csf in favour of cmc

         Improved ICMP rule filters. This could help some hosts that experience
	 connection issues with csf

	 Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS
	 to include this, i.e. to Port Scan for all ports use:
	 PS_PORTS = "0:65535,ICMP"
	 This is now the default on new installations

4.83   - Added multiple checks to the Server Check for new cPanel v11.25 
         security settings

	 Tidied up and rearranged the main UI
	 
	 Removed redundant UI options

	 Added total perm bans to UI

4.82   - Removed the need for UI lfd cron restart jobs on Direct Admin

4.81   - Fixed case sensitivity issue introduced in v4.80 with port specific
         lfd deny lines being ignored

4.80   - Modified WHM login regex to only trap successful root page displays
         for LF_CPANEL_ALERT

         Apache status for PT_LOAD now checks http://127.0.0.1/server-status on
	 GENERIC/DA servers. You need to ensure that the server-status page
	 has access from 127.0.0.1 in the apache server-status Location
	 container

	 Extended SU log file regex for Debian servers

	 Sanitise UI file edit HTML output

	 Improvements to the removal of alternative firewalls script

	 Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and
	 GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS
	 list via URL

	 Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE,
	 especially on Debian

	 Improved detection of already blocked IP addresses

4.79   - Withdrawn

4.78   - Modified DA installation to overcome permissions problems on some
         systems preventing the UI from working

4.77   - Expanded dovecot regex matching

         Fixed the generic installation to install regex.custom.pm

4.76   - Added check for FrontPage extensions to Server Check as they should be
         considered a security risk as they were EOL in 2006

	 Added support for the impending cPanel v11.25 Security Tokens feature

4.75   - Added a [block] section to the Login Failure alert.txt template. This
         new report template will be copied to /etc/csf/alert.txt.new on
	 existing installations, rename it to alert.txt to use it

	 Modified existing lfd alerts to use currently used tags instead of
	 appending block information to the IP address (alert.txt modified as
	 above)

	 Added new options trigger for RT_LOCALHOSTRELAY_* to csf.conf for
	 email sent via a local IP addresses, separating the trigger from
	 RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf
	 for more information

	 Added Relay Tracking to Direct Admin running exim. See RT_* and
	 SMTPRELAY_LOG in csf.conf for more information

	 Added csf.mignore to allow ignoring of specified usernames or local IP
	 addresses from RT_LOCALRELAY_ALERT

	 Modified csf UI to use a single dropdown for all lfd ignore files

	 Added proftpd regex matching for "UseReverseDNS on" in proftpd config

4.74   - Removed FUSER from csf.conf as it is no longer used

         Added UNZIP to csf.conf which is required for Country Code to CIDR
	 functions

	 Modified the Country Code allow/deny/allow_filter feature to generate
	 CC CIDRs from the Maxmind GeoLite Country database instead of using
	 iplocationtools.com. Note: GeoLite is much more accurate that the 
	 previous zones used. This also means that there are usually more CIDRs
	 for each CC which adds to the burden of using this feature

4.73   - Added checks before Net::CIDR:Lite calls to ensure inputs are CIDR's
         to prevent module failures

	 New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses
	 WHM via root. An IP address will be reported again 1 hour after the
	 last tracked access (or if lfd is restarted)

4.72   - Modified mail sending code to use a common procedure that copes better
         with differing combinations and variations of From:, To:, LF_ALERT_TO
	 and LF_ALERT_FROM settings for lfd alerts

4.71   - Code speedups in csf --grep

         Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note
	 added to alert if ip match found

	 Modified Server Check for Fedora v9 EOL now that Fedora v11 has been
	 released

	 Modified iptables output from csf.pl to exclude the Fedora v11
	 intrapositioned negation messages

	 Fixed typo in integrity.txt alert template for new installations

	 Modified the email header for csf --mail

	 Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY

	 Modified lfd output filehandle names to avoid read/write conflicts

	 Added Advanced Allow/Deny Filters for csf.dyndns. See readme.txt for
	 an example

	 Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where
	 only listed Country Codes are allowed, however normal port and packet
	 filter rules are still applied to those connections. All other
	 connections are dropped

4.70   - Modified UI access to csf.sips to display checkboxes instead of direct
         editing, for ease of use

	 Fixed problem where RELAYHOSTS setting wasn't always being honoured

	 Modified mod_security configuration editor to handle HTML elements

	 Rewritten RT_*_ALERT regex and counting code to better deal with a
	 variety of exim log output formats
	 
	 Added recipient count to RT_*_ALERT to include emails sent to multiple
	 recipients. This option requires that the exim log_selector setting in
	 the exim configuration includes the option: +received_recipients
	 So, the recommended log_selector setting is now:
	   log_selector = +subject +arguments +received_recipients

	 Modified Server Check cPanel version check to cater for x86_64 OS's

	 Added check to prevent Server Check mail report cron duplicates

	 Added abbreviated UI for mobile phone access to Quick Allow, Quick
	 Deny and Remove Deny. Direct URLs:
	   cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1
	   DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1
	   Webmin: https://1.2.3.4:10000/csf/?mobi=1

4.69   - Added Gentoo (generic) support

         Added Server Check for MySQL LOAD DATA LOCAL

	 Modified Server Check for enable_dl to also check whether dl is in
	 disable_functions

4.68   - Added ipv6 IP detection for proftpd login failures

         Removed ossec and webmin from the Server Check services section

4.67   - Modified the Country Code allow/deny feature to use
         iplocationtools.com now that ipdeny.com has gone offline

4.66   - Modified OS version check to prevent Fedora v10 obsolete
         false-positive in Server Check

	 Modified the exim SMTP AUTH regex to use the latest cPanel/exim format

	 Added failure notification for DYNDNS entry lookups in lfd if they
	 fail to resolve or timeout

4.65   - Modified Firewall Security Level UI to set PS_LIMIT within range

         Fixed problem processing template for SU_ALERT

	 Empty csf.dshield on upgrade to work around problem where DSHIELD
	 blocked themselves in their own BLOCK list

4.64   - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work
         if SMTP_BLOCK isn't actually enabled

	 Added new CLI option (csf -uf) which forces an update of csf+lfd

	 Added new CLI option (csf -df) which removes and unblocks all entries
	 in /etc/csf.deny (excluding those marked "do not delete")

	 Added new UI option to that removes and unblocks all entries in
	 csf.deny (excluding those marked "do not delete") and all temporary IP
	 bans

	 Added csf file names to the csf UI options

4.63   - New feature - Added new CLI option: csf --mail (or csf -m) which can
         take an email address as an argument. It will display the Server Check
	 in HTML or send the output to the email address if present

	 Added option to UI Server Check to schedule csf to generate the report
	 and email the results to the address specied at the interval specified

         Removed MySQL check from cPanel DNSOnly Server Check

         Updated the perl v5.8.8 Server Check comment

	 Fixed sanity check for RT_*_BLOCK

	 Fixed copy of install.txt for generic installs and upgrades

	 Modified UI for Deny Servers IPs > Change to indicate that csf needs
	 restarting, not lfd

	 Added built-in replacement function for the Messenger Service message
	 files for [HOSTNAME] which will be replaced by the servers FQDN
	 hostname. Updated the sample Messenger index templates

	 Updated the uninstall scripts to remove the cronjob and logrotate
	 files

	 Added colour highlights to the Quick Allow and Quick Deny UI boxes

4.62   - Fixed problem with SU_ALERT alert report in v4.61

         Modified the Server Check for cPanel update settings to check for
	 daily updates more accurately

	 Added Server Check for cPanel tree

	 Upgraded IP::Country

	 New feature - Added sanity check to configuration values in csf, UI
	 Server Check and UI Firewall Configuration. In the UI Firewall
	 Configuration: lines highlighted in red fall outside the recommended
	 range; lines highlighted in pale green differ from the default on
	 installation

	 Added cPanel Security Check to check that at least one configured
	 nameserver is on a different server

	 Added proftpd checks to csf (for VPS servers) and in Server Check

	 Added DirectAdmin Checks to UI Server Check for: SSL login to DA;
	 proftpd cipher; nameserver on a different server; PHP version and
	 configuration checks; Apache version; dovecot cipher

	 Removed resolv.conf localhost check

4.61   - Modified lfd iptables command error handling to log errors and
         continue instead of terminating when in TESTING mode

	 Removed loading of iptables modules from csftest.pl to avoid modprobe
	 problems with some OS kernels

	 Added Connection Tracking check for pre-existing block to cater for
	 linux connection status timeouts

	 Moved LF_CSF check to the start of the lfd processing interval

	 New option LF_ALERT_FROM. If set, the value of this option will
	 override the From: field in all of the lfd alert templates. This
	 change also uses the From: field in the template (or this option if
	 set) as the value for the SENDMAIL -f option

	 Modified POP/IMAP Server Checks for the chosen mail server only on
	 cPanel servers
	 
	 Modified FTP Server Checks for the chosen ftp server only on cPanel
	 servers

	 Added SMTP Tweak to Server Check on cPanel servers and removed block
	 on csf starting if enabled

4.60   - Modified cipher checks to strip out quotes

         Modified Apache cipher message to remoind that you have to rebuild the
	 Apache configuration and restart for changes to be effective

4.59   - Added proftpd regex for Plesk server log file format

         Modifed the Server Check cipher checks for pure-ftpd and Apache to use
	 openssl to ensure SSLv2 is disabled

	 Added cPanel Server Check checks for dovecot, courier-imap IMAP and
	 POP3D SSL cipher list

	 New option SAFECHAINUPDATE added. If enabled, all dynamic update
	 chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY,
	 ALLOWDYN) will create a new chain when updating, and insert it into
	 the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the
	 old dynamic chain and rename the new chain. See csf.conf for more
	 information. This option is disabled by default, but we do recommend
	 that it is enabled on non-VPS servers with restrictive numiptent
	 values

	 Added SAFECHAINUPDATE to the firewall Server Check (except for
	 Virtuozzo VPS servers)

	 Modified Server Check on cPanel to make the PHP v4 warning clear and
	 to warn where PHP v5 and v4 have both been compiled (PHP v4 is
	 obsolete and should not be used at all anymore)

	 Added WHM checks for skipparentcheck and cpsrvd-domainlookup to
	 Security Check

	 New option LF_ALERT_TO. If set, the value of this option will override
	 the To: field in all of the lfd alert templates

4.58   - Modified exim cipher check in Server Check to use openssl to test the
         expanded configured cipher suites to ensure SSLv2 is disabled

4.57   - Improved exim configuration option detection in Server Check

         Added Exim Configuration checks to DirectAdmin Server Check

         Modified csftest.pl to perform a modprobe on all used iptables modules
         before testing

	 Added PASV port hole warning on VPS servers to the output of csf on
	 start and to the cPanel (if using pure-ftpd) Server Check

	 Added lfd to the DirectAdmin Service Monitor

	 Added back a revised Firewall Security Level option to UI

4.56   - Added TCP_OUT port 2222 for the DA default configuration for new
         installations

	 Added ICMP protocol to Advanced Allow/Deny Filters. See readme.txt for
	 more information and examples

	 Updated readme.txt to reflect the Control Panel UI availability for
	 cPanel, DirectAdmin and Webmin

	 Modified mod_security configuration file check to the TLD only of
	 /usr/local/apache/conf/ and only files ending in .conf

4.55   - Fixed issue with csf.conf not being loaded for the Server Check Report

         Removed erroneous chkconfig check from Server Check Report

	 Disabled various checks in Server Check Report for non-cPanel servers

	 Modified Debian/Ubuntu init entry creation and removal procedure

	 Modified Server Check to search for multiple named.conf locations

4.54   - Bug fix to Exploit Check code

         Fixed problem with iptables logs not being collated if PS_INTERVAL is
	 disabled but ST_ENABLE is enabled

	 Fixed potential problem with SMTPRELAY_LOG not being scanned when
	 RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled

4.53   - Upgraded the csf Webmin UI module to the new csf UI and added
         installation/upgrade instructions to the install.txt for Webmin

	 Fixed image locations and javascript in DA and webmin UI

	 Updated the uninstall scripts and the uninstall section of install.txt

4.52   - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd

         Added warning in DA UI to upgrade csf from the root shell due to
	 restrictions in DirectAdmin

	 NOTE: DA users should upgrade csf to this version from the root shell
	 using "csf -u" and not use the Upgrade button in the UI

4.51   - Fixed csf --upgrade (csf -u) for DA installations

4.50   - Added restrictions information regarding the PORTFLOOD setting and
         ipt_recent to readme.txt (i.e. hit count max is 20)

	 Modular development of csf UI

	 Added DirectAdmin UI and installation support for csf/lfd

	 Added Statistics options (ST_ENABLE, etc) to generic csf installation

	 Added SMTP options (SMTP_BLOCK, etc) to generic csf installation

	 Removed pre-configured firewall settings through UI for redevelopment
	 as it has become out-dated

	 Modify csf UI to signal lfd to start/restart/enable only. A one
	 minute cron job will actually perform the signalled function. The CLI
	 is unaffected and performs the command immediately. This is introduced
	 to overcome fork issues from within an Apache session

4.41   - Added information about runing external iptables commands using
         csfpre.sh and/or csfpost.sh to readme.txt

	 Added new CLI option csf --addrm (csf -ar) to remove an IP address
	 from csf.allow and delete the associated iptables rules

	 Removed the need for the MONOLITHIC_KERNEL option and made modprobe
	 perform silently on csf startup. Added the relevant information
	 regarding some Monolithic kernels and the need for a PASV port range
	 hole to readme.txt

	 Added timeout to csf modprobe to avoid startup hanging on buggy
	 kernels

4.40   - Added workaround for php --info bug in Server Report when checking PHP
         configuration settings

	 Modified LF_INTEGRITY to regenerate the md5sum comparison file
	 immediately after a match is found instead of waitng for the next
	 cycle

	 Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty

4.39   - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and
         LF_NETBLOCK_COUNT with act if more than the number of hits are
	 detected, not on the exact number set

	 Modified csf WHM UI to use csf -u to upgrade csf when a new version is
	 available

	 Added new script /etc/csf/csftest.pl which will test the servers
	 iptables modules for functionality. The tests are for the required
	 iptables modules and the optional modules for the SMTP_BLOCK,
	 PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool
	 for kernel/iptables problems and to check whether the features above
	 will function

	 Added csf WHM UI option to run csftest.pl

	 Updated the csf install.txt to run csftest.pl before running up csf

4.38   - Improved detection of working ipt_owner iptables module on VPS servers
         such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks
	 will be automatically disabled and csf will continue to start

4.37   - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended
         setting for cPanel servers which use ping times to determine fastest
	 mirrors for various update functions

         Modified PT_LOAD_ACTION code to stop duplicate load emails from being
	 send by lfd

	 Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains

	 Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter
	 rules on VPS Servers for as ipt_owner is now apparently supported on
	 the latest kernels. However, if the latest kernel isn't being used or
	 the VPS host hasn't included the ipt_owner iptables module for the
	 client VPS, then csf will fail with an error

4.36   - Modified Process Tracking to allow regex exceptions in csf.pignore for
         deleted executable processes

4.35   - Modified regex.pm detection of iptables kernel log lines to cater for
         alternative formatting

	 Restored the substitution of the NULL separator with spaces for the
	 /proc/PID/cmdline in Process Tracking

4.34   - Added code to Process Tracking to translate non-printable characters to
         especially help detect and report deleted executable file processes

	 WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd
	 and awstats.pl from lfd.pl. If you want to ignore such processes for
	 Process Tracking, you will need to add appropriate ignore rules to
	 csf.pignore for them

4.33   - Disable ST_LOOKUP by default on new installations

         Modified lfd stats performance when ST_LOOKUP is enabled and added a
	 warning for this setting to csf.conf for when DROP_IP_LOGGING is
	 enabled

4.32   - Modified the su tracking regex to better trap RHE/CentOS v5 su login
         attempts

	 Added a Server Check for "FTP Logins with Root Password"

	 Added new WHM UI option to display Last X iptables Log Lines. Note
	 that the report will only display log lines since this update. The
	 new statistics will be expanded in future developments. Added new ST_*
	 options to the cPanel csf.conf to control the recording of stats

	 Removed fwlogwatch from distro and will use self-produced reports

4.31   - Added warning for those that enable PT_USERKILL in csf.conf - i.e. It
         is not a good idea to use that option

	 Modified PT_USERKILL to not kill (deleted) processes (these should be
	 restarted manually after investigation) as per the documentation

4.30   - If you add the text "do not delete" to the comments of an entry in
         csf.deny then DENY_IP_LIMIT will ignore those entries and not remove
	 them. Updated csf.deny information text for new installations

	 Made the (deleted) process text even more explicit for those that are
	 not reading csf.conf or the FAQ for their explanation

	 Updated DSHIELD information URL in csf.conf

	 Added new feature - csf.rignore is an ignore file that lists domains
	 and partial domains that lfd should ignore. Read /etc/csf/csf.rignore
	 for more information. Note that .cpanel.net is always added on cPanel
	 csf installations

	 Option GOOGLEBOT removed. This feature is now performed using
	 csf.rignore. If GOOGLEBOT was previously enabled it will be added to
	 csf.rignore

4.29   - Added Slackware support (tested on v12.2.0)

         Added Fedora v10 support

	 Added new option GOOGLEBOT - Prevent *.googlebot.com from being
	 blocked by lfd. See csf.conf for more information

	 Modified .cpanel.net check to use the same host lookup procedure as
	 GOOGLEBOT to prevent domain spoofing

	 Added csf version from/to to output from csf --update when upgrading

4.28   - Fixed GENERIC csf problem with csf.pl perl modules

4.27   - New Feature - Port Flood Protection. This option configures iptables
         to offer protection from DOS attacks against specific ports. This
	 option limits the number of connections per time interval that new
	 connections can be made to specific ports. See csf.conf and readme.txt
	 for more information. This option is only available on servers with
	 the ipt_recent kernel module

         cPanel DNSONLY compatibility added - Thanks to JJ for the assistance

         Improved Cipher suite checking and advice for Apache and FTP in Server
	 Check

	 Remove md5sum check from JS exploit check as it is covered by
	 LF_INTEGRITY and causes confusion

	 Added new option LOGFLOOD_ALERT which will send an email alert based
	 on logfloodalert.txt if lfd skips logs lines due to log file
	 processing problems

	 Added new option PT_DELETED together with the FAQ explaination as to
	 why lfd reports deleted processes. The option can be disabled to
	 ignore such processes

	 Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow
	 exceptions to SMTP_BLOCK

4.26   - New Feature - Country Code to CIDR allow/deny. This feature can allow
         or deny whole country CIDR ranges. The CIDR blocks are downloaded from
         http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW,
	 CC_DENY and CC_INTERVAL in csf.conf

         Expanded the dovecot regex to include more login failure permutations

	 Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel
	 servers

	 SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default

4.25   - Fixed bug in csf --grep when CIDRs used in advanced port filters

         Fixed problems with aborted Server Check Report

	 Fixed position of the lo device rule in the OUTPUT chain which broke
	 SMTP_BLOCK

	 Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all
	 listed ports (not just port 25). This is populated on installation or
	 when TESTING = 1 if an additional port is listed in "WHM > Service
	 Manager > exim on another port". Otherwise, SMTP_PORTS needs to be
	 updated manually. The default setting contains port 25

	 SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled

4.24   - Added workaround for issue with WHM image display in the addon header
         for cPanel v11.24

	 *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report

	 *Added cPanel v11.24 FTP Cipher Suite checks in Server Report

	 *Added cPanel v11.24 Apache Cipher Suite checks in Server Report

	 *Added cPanel v11.24 Exim Cipher Suite checks in Server Report

	 Added Fedora v8 to the obsolete OS list now that v10 is out

	 Updated dovecot regex in regex.pm for v1.1.6 used by cPanel

	 * Will only display if cPanel version is >= 11.24

4.23   - Added skip to connection and process tracking for empty tcp6 
         connection data

	 Fixed PT_LOAD email output of ps and vmstat

4.22   - Additional fixes for an issue on VPS servers where temporary block
         removal from csf.tempban failed

4.21   - Fixed an issue on VPS servers where temporary block removal from
         csf.tempban failed

4.20   - Modified csf.tempban processing code in lfd to perform more stringent
         file locking to preserve temporary bans if lfd is writing during
	 shutdown

	 Modified Port Scan tracking of IP's to not attempt multiple blocks on
	 the same IP address in the same log line processing batch

	 Fixed broken timestamp in lfd.log for dates < 10th of the month

	 Various code modifications to improve performance and stability

4.19   - Reverted the tied file changes as they were causing a deadlock
         situation locking csf.tempban

	 Improved the process tracking detection of deleted executables of
         running processes

4.18   - Modified temporary IP address storage to use a tied file to preserve
         temporary bans if lfd is writing during shutdown

4.17   - Replaced the use of backticks in csf, lfd and the WHM UI with calls to
         IPC::Open3

	 Various lfd and csf code improvements and tidy up

	 Ensure lfd parent dies cleanly on error

	 Debug information improved and timer modified to use Time::HiRes for
	 more accuracy

4.16   - Removed port 953 from the TCP and UDP allow lists for new csf
         installations as it's not necessary to whitelist as bind listens on
	 the localhost device for such control connections by default

	 Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login,
	 exe:/usr/libexec/dovecot/imap-login to new and old cPanel
	 installations csf.pignore to cater for cPanel support for both nsd and
	 dovecot (currently in EDGE)

	 Only use Cpanel::Rlimit if it's available in WHM UI

4.15   - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing
         connections from blocked IP addresses in csf.deny or temporary blocks.
	 The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN,
	 GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct
	 this. Many thanks to Brian for his help in tracking this issue down.

4.14   - Implemented the use of cPanel routine Cpanel::Rlimit to remove process
         resource limit restrictions as the cPanel memory limitation setting
	 was causing the Server Check to abort with memory allocations problems
	 through WHM on some servers

	 Modified port checking for 23 and 53 in Server Check to no longer use
	 the fuser binary and use the port mappings directly from /proc

	 Modified lfd and Server Check to check for IPv6 bound processes as the
	 IPv4 and IPv6 connections are stored in a different file to IPv4 only
	 bound processes

4.13   - Updated various comments in csf.conf

         Fixed call to csfpost.sh from csf

4.12   - Modified lfd Login Failure tracking to use a per IP address rolling
         LF_INTERVAL window rather than a static one for all tracked IPs. This
	 makes login failure counting more accurate and blocking more
	 responsive

	 Added new feature - Block Reporting. lfd can run an external script
	 when it performs and IP address block following for example a login
	 failure. BLOCK_REPORT is to the full path of the external script. See
	 readme.txt for format details

	 If csf is installed or upgraded via an SSH session the connecting IP
	 address will now be automatically added to csf.allow (note: it is not
	 added to csf.ignore so lfd may still block it). This IP can be removed
	 after testing if desired

	 Modified the lfd.log format to the standard:
	 <mon> <mday> <hour>:<min>:<sec> <host> lfd[<pid>]: <text>
	 If you parse lfd.log you will need to update your scripts!

	 Added DEBUG option - for internal use only

4.11   - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore
         for existing installations

	 Modified the calculation for the position of LOCALOUTPUT in the OUTPUT
	 chain 

	 Added /etc/cron.d/lfdcron.sh to restart lfd daily

	 Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3
	 and exe:/usr/sbin/mysqld_safe to csf.pignore

	 Modified SCRIPT_ALERT regex to cope with exim log format changes in
	 FC8+

	 As per RFC5322, adding port 587 to the default TCP_IN list of ports
	 for new installations (i.e. it is now recommended for SMTP servers to
	 offer port 587 access for MUA to MTA traffic rather than port 25 which
	 is for MTA to MTA traffic)

	 Added informational text to Process Tracking email report if a process
	 is running an executable that has been deleted

	 Added csf version to the daemon startup log line in lfd.log

4.10   - Added /usr/libexec/hald-addon-keyboard to csf.pignore

         Modified the static DNS port rules to always allow all OUTGOING (only)
	 connections to/from port 53 udp/tcp. This should help the situation
	 where some servers iptables block outgoing port 53 udp connections
	 despite the port being open

	 Added new option DNS_STRICT which will remove all static DNS rules and
	 allow access only through SPI. For stability reasons, it would be
	 advisable to leave this option disabled (default)

4.09   - Modification to cPanel version to restart chkservd using
         /scripts/restartsr_chkservd instead of the init script as the latter
	 is removed in the latest EDGE release that puts chkservd under the
	 control of tailwatchd (/scripts/restartsrv_chkservd is a stub for
	 restarting tailwatchd in the latest EDGE instead of a direct restart
	 script in older cPanel versions). chkservd is restarted when csf
	 is installed/uninstalled/upgraded/disabled/enabled

4.08   - Added a new timing system to more accurately trigger lfd tasks. This
         should alleviate timing issues such as those seen with LT_POP3D and
	 LT_IMAPD and improve the overall effectiveness and performance of lfd

	 Added new method for reaping child processes. If you find that zombie
	 lfd processes start to build up you can revert to the old reaper by
	 enabling new option OLD_REAPER

4.07   - Messenger service now supports advanced filter permanent port block
         redirection

4.06   - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the
         LOCALxxPUT chains so that the entries can be correctly listed with
	 ACCEPT's at the top and DENY's at the bottom of the chain

         Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and
	 OUTPUT chains so that bandwidth accounting is kept accurate

	 Fixed a problem processing advanced port filters in GLOBAL_ALLOW and
	 GLOBAL_DENY

4.05   - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains

4.04   - Fixed problem with rule placement for ETH_DEVICE_SKIP

         Ensure all ALLOW requests are inserted before DENY requests after csf
	 has been restarted

	 Ensure that fwlogwatch stats creation uses IPTABLES_LOG file

	 Only perform operations on the nat table if MESSENGER service is
	 enabled

	 lfd Process Tracking will now ignore MESSENGER_USER messenger services

	 Added new option PT_ALL_USERS so that all Linux accounts on a cPanel
	 server are checked in Process Tracking, not just cPanel users. This
	 option is disabled by default on cPanel servers. Enabling this option
	 may require adding exceptions to csf.pignore

	 Additional exceptions added to csf.pignore for cPanel servers for the
	 new PT_ALL_USERS option

	 PT_SKIP_HTTP now disabled by default for new installations

	 Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check

4.03   - Fixed problem where the new LOCALxxPUT chains were only processing tcp
         requests

	 Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule
	 count in the OUTPUT chain under certain circumstances

4.02   - If csf fails with an error lfd will now die and require a restart
         after the issue with csf is resolved. csf commands apart from start
	 and restart are also disabled

	 Released from BETA

4.01   - Allow the Messenger Service to be used on VPS servers. However, if the
         ipt_REDIRECT module is missing csf will fail to start correctly and
	 abort

	 HTML Messenger service server now only reads a limited line length
	 instead of unlimited input to prevent overflows

4.00   - New feature - Messenger Service. This feature allows the display of a
	 message to a blocked connecting IP address to inform the user that
	 they are blocked in the firewall. This can help when users get
	 themselves blocked, e.g. due to multiple login failures. The service
	 is provided by two daemons running on ports providing either an HTML
	 or TEXT message. See csf.conf and readme.txt for more information	 
	 (not available on VPS platforms and others missing the ipt_REDIRECT
	 kernel module)

         Moved INPUT and OUTPUT chain rules for blocks and allows to their own
         respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP
	 blocks will be listed in the INPUT or OUTPUT chains, but in the new
	 ones

	 Re-organised all of the INPUT and OUTPUT chain rules to give
	 precedence to the LOCALINPUT rules before invoking other chains and
	 port ALLOW rules

	 Moved the SYNFLOOD protection chain rule to be the first chain rule
	 after the LOCALINPUT chain rule

	 Moved the lo device rules to the always be at the top of the INPUT and
	 OUTPUT chains

	 Modified the syslog regex matches to only match on local entries to
	 cope with centralised syslog configurations

3.43   - Improved application IP block checking

         Restored the option LF_SCRIPT_PERM with additional checks for
	 directories within the cPanel homedirs and for symlinks. Warning
	 added to csf.conf for this option

	 Added random query-source port setting for BIND to the Server Report

3.42   - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to
         be the same as the cPanel csf.conf

	 If LF_SELECT is enabled make sure all cPanel ports are blocked on
	 cpanel login failure. This was only doing ports 2082,2083 and will now
	 block 2082,2083,2086,2087,2095,2096

3.41   - Added new mechanism to allow custom regular expression matching with
         individual settings for lfd login failure detection. See
	 /etc/csf/regex.custom.pm for details

	 Modified all timestamps in lfd reports to also include the standard
	 timezone offset (i.e. from GMT)

	 Added new setting CC_LOOKUPS to control the new Country Code lookups
	 (enabled by default)

	 DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled

	 PS_INTERVAL enabled by default on new installations

	 Doubled the number of lines before log file flooding detection will be
	 triggered

3.40   - Added queuealert.txt to the WHM UI dropdown list for editing

         Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the
	 check

	 Added Country Code lookups for IP addresses. Any reported IP addresses
	 will include the international CC where available. It should be noted
	 that with international ISPs this may not be wholly accurate. Where
	 possible the CC will be translated into the associated country name

3.39   - Added new option IGNORE_ALLOW which, if enabled, lfd will ignore IP
         addresses listed in the csf.allow file and not block them

	 Added new option LF_QUEUE_ALERT, which will send an email alert using
	 queuealert.txt if the exim queue length exceeds the value it is set
	 to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the
	 ConfigServer MailScanner configuration is being used, both the
	 MailScanner pending and exim delivery queues will be checked. This is
	 a cPanel only option

	 Added new option CT_PORTS to Connection Tracking so that you can 
	 specify which ports you want to count towards CT_LIMIT, e.g. 80,443

	 Modified Server Report check for register_globals in cPanel's php.ini
	 incase the new cPanel WHM setting is being bypassed

3.38   - Additional SSHD regex added to regex.pm

         Improved the WHM UI reporting of the csf status: disabled, running,
	 testing mode

	 Added Enable/Start buttons to WHM UI next to the csf status if
	 disabled/stopped

	 Updated Server Report checks for csf status

	 Changed the destination of the ConfigServer Services link at the
	 bottom of the WHM UI to go to the csf web page

3.37   - Fixed an issue currently in cPanel EDGE that affects the use of the
         cPanel SafeFile module in WHM scripts

3.36   - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds

         Improved lfd internal timing system for event triggers

	 Added new feature - Account Tracking. The new AT_* options configure
	 an alert system for account modifications which will send an email if
	 there are new accounts added, existing accounts deleted plus password
	 uid gid login dir and login shell changes. Each of these changes can
	 be enabled or disabled. You can also enable tracking for superuser
	 accounts only. That latter is the default setting. This feature uses
	 the email template accounttracking.txt

	 Added reason text to temporary IP bans

	 Added Server Report check for ini_set in PHP disable_functions

	 Added ossec to list of processes to disable as it will conflict and
	 duplicate csf functionality

	 Changed Server Check scoring text to instead show a coloured table
	 indicating score

3.35   - Changes to WHM UI script for cPanel v11

	 Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer
	 supported

         Added # of temp blocks to WHM UI "Temporary IP Bans" on main page

	 Modified Server Report check for register_globals in cPanel's php.ini
	 to use the new cPanel WHM setting

	 Added Server Report check for passwords in WHM email setting

	 Added Server Report check for WHM root/reseller login to users cPanel

	 Modified Server Report nobody cron check to only fail on non-zero cron
	 file

	 Modified Server Report check for Fedora now that Fedora 7 is EOL
	 (2008-06-13)

	 Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd
	 blocking

3.34   - Modified regex matching to allow for trailing spaces in log lines

         Modified PT_LOAD routine to prevent multiple triggers resulting in
	 more than one alert being email sent

	 Removed the need for NETSTAT from lfd to reduce overheads and improve
	 performance allowing CT_INTERVAL to be set lower. Now uses
	 /proc/net/[protocol]

3.33   - Modified skip for su login checking from root to cater for (uid=0)

         Added option SYNFLOOD_BURST to allow configuration of --limit-burst
	 when SYNFLOOD is enabled. Changed default values

         Added to --grep searches to csf.deny and temporary blocks in addition
	 to iptables

	 Modified SSH regex to improve login failures detection further

	 Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations

	 Added vsftpd regex for ftp login failures

3.32   - Modified SSH regex to check for ipv6 addresses

         Added another regex to improve SSH matching

3.31   - Modified -denyrm to abort if left blank instead of clearing all blocks

         Added lfd check for existing temporary block to avoid duplicates

	 Fixed regex handling for courier-imap POP and IMAP login failures

	 Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use
	 this option, LF_DIRWATCH_FILE will likely trigger due to the changed
	 output the first time you restart lfd after upgrading

	 Fixed typo in Suhosin description in the Server Check Report

	 Added Referrer Security to the Server Check Report

	 Added register_globals check in cPanel php.ini to Server Check Report

3.30   - Security Fix: lfd vulnerabilities found which could lead to Local and
         Remote DOS attacks against the server running csf+lfd

	 The DOS attacks could make lfd block innocent IP addresses and one
	 attack could cause lfd to deplete server resources

         Modified the regular expressions in regex.pm to prevent them from
	 being triggered by spoofed log line entries

	 Option LF_SCRIPT_PERM removed

	 Our thanks to Jeff Petersen for the detailed information describing
	 these issues

	 We recommend that all users of csf upgrade to this new version

3.28   - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke
         login tracking

	 Modified relay tracking to not ignore RELAYHOST IP's

	 Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's

	 LF_SUHOSIN will now skip matches for "script tried to increase
	 memory_limit"

3.27   - Modified csf -dr option to delete advanced filter IP matches as well
         as simple matches in csf.deny

3.26   - Added new CLI option to csf, -g --grep will search the iptables chains
         for a specified match which is either explicit or part of a CIDR

	 Added WHM UI option for csf --grep
         
	 Added new CLI option to csf, -dr --denyrm will remove an IP address
	 from csf.deny and unblock it

	 Added WHM UI option for csf --denyrm

3.25   - Added csf.suignore file where you can list usernames that are ignored
         during the LF_EXPLOIT SUPERUSER test

	 New option PT_LOAD_ACTION added that can contain a script to be run if
	 PT_LOAD triggers an event. See csf.conf for more information

	 Added SUPERUSER check to Server Check Report

	 Added Suhosin check to Server Check Report

3.24   - Allow comments after IP addresses in csf.dyndns

         Added new login failure option LF_SUHOSIN which detects alert messages
	 and blocks the attacker IP after the configured number of matches

	 Added a new exploit check for non-root superuser accounts

	 Added a new configuration option LF_EXPLOIT_CHECK which allows you to
	 configure which tests are performed by LF_EXPLOIT

3.23   - Modified the Server Report code for checking PHP variables to be more
         lenient when checking the output from /usr/local/bin/php -i

	 Modified lfd calculation of Jiffies to use the POSIX::sysconf function
	 to obtain the clock ticks instead of assuming 100 ticks for Linux

	 Fix duplicate LF_INTEGRITY emails

3.22   - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this
         setting if you use Port Scan Tracking as it will cause redundant
	 blocks

	 Added tag [hostname] to all of the alert reports. You will need to add
	 this manually to the report text Subject: line (or anywhere else in
	 the report that you would like it) for existing installations

	 Added "A note about FTP over TLS/SSL" to readme.txt

3.21   - Fixed problem in Server Check that caused an error in some situations

         Modified netblock caching code to prevent repeated block attempts

3.20   - Corrected net block logic so that after a net or perm block occurs,
         subsequent log entries that would incur the same block are ignored

3.19   - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have
         had X temporary blocks in the last Y seconds. Uses email template
	 permblock.txt

	 New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or
	 C) if more than X IP addresses in a specified class have been blocked
	 in the last Y seconds. This may help within some DDOS attacks launched
	 from within a specific network class. Uses email template netblock.txt

	 Modified MD5SUM comparision code to better reset md5sum checks after a
	 hit
	 
	 Only issue Random JS Tookit warning if all the MD5SUM checks fail for
	 the relevant files

	 Removed POP flood Protection setting check from Server Report as it's
	 no longer relevant to courier-imap

	 Rewritten the Apache Check code for the Server Report to better
	 detect the current running settings on all Apache and PHP versions

	 Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they
	 aren't relevant (as they apply to the host VPS configuration) for the
	 Server Report

3.18   - Fixed bug in the generic csf release where the default csf.conf was
         missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim
	 for the help in tracking the issue down

3.17   - Rewritten the update code so that a new csf.conf is creating when
         upgrading. It now uses the latest csf.conf and transfers the existing
	 settings to the new configuration file. This way all installations are
	 sure to have all new settings and the latest comments. It also makes
	 the release process for new builds much simpler

	 Other installation/update improvements

	 Updated APF/BFD removal procedure

3.16   - Fixed bug introduced in v3.14 for generic installation only

3.15   - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf

         Modified csf.conf text for new installations to account for
	 auto-configuration of ETH_DEV which has been the case for some time:

# By default, csf will auto-configure iptables to filter all traffic except on
# the local (lo:) device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

3.14   - Added new format for cPanel (v11.18.3) login failures to regex.pm

         Added exe:/usr/libexec/gam_server to the default list of ignored
	 binaries

	 Fixed problem with SCRIPT_ALERT not picking up alternative /home
	 directories from wwwacct.conf

3.13   - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans
         held in the temporary IP ban list to prevent iptables flooding. If the
	 limit is reached, the oldest bans will be removed/allowed by lfd on
	 the next unblock cycle regardless of remaining TTL for the entry

	 Added LF_FLUSH for the flush interval of reported usernames, files and
	 pids so that persistent problems continue to be reported. Default is
	 set to the previously hard-coded value of 3600 seconds

	 Fixed uw-imap ipop3d regex

	 Added check for TESTING mode when using csf -a or csf -d to only add
	 to the respective csf.allow or csf.deny files and not insert into
	 iptables to prevent errors if iptables has been flushed after reaching
	 TESTING_INTERVAL

3.12   - Added SMTP AUTH failure regex for Kerio MailServers

         Fixed an issue where a permanent Port Scanning alert would report as
	 a temporary block, eventhough a permanent block was performed

	 Added regex for failed SSH key authentication logins (thanks to Paul)

3.11   - Use /proc for Process Tracking instead of ps output incase of
         exploited system binaries and to better determine resource usage of
	 each process

3.10   - Modified INPUT and OUTPUT chain rules to always specify the ethernet
         device

	 csf now re-applies temporary IP blocks on restart

	 Added new CLI command to add temporary IP bans. See csf -h for the
	 new csf -td command

	 Added new options to WHM csf UI to unblock temporary IP bans

	 Added new option to WHM csf UI to block IP temporarily for a specified
	 TTL

3.09   - Fixed missing copy for the portscan.txt report for generic
         installations

	 Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking
	 email alerts

	 Added a sample of the port blocks that trigger the Port Scan to the
	 report. This new report will be copied to /etc/csf/portscan.txt.new on
	 existing installations, rename it to portscan.txt to use it

	 Added Port Scan Tracking to WHM UI Firewall Security Level

	 Added cPAddon update email setting check to Server Security Report

	 Modified the SuEXEC link location to the cPanel v11 location in Server
	 Security Report

	 Added portscan.txt template to editable list in WHM UI

	 Updated readme.txt

3.08   - Modified Port Scan Tracking to ignore blocked IP addresses incase
         DROP_IP_LOGGING is enabled

3.07   - Added Apache Server Status report to PT_LOAD for load average report
         monitoring. To benefit from this feature you will need to rename the
	 new report file /etc/csf/loadalert.txt.new to loadalert.txt. The 
	 reports (ps, vmstat and apache) are now included as MIME attachments
	 in the email report instead of inline text

	 New feature: Port Scan Tracking. This feature tracks port blocks
	 logged by iptables to syslog. It can help block hackers attempting to
	 scan the server for open ports, or to block them while trying to
	 access blocked standard ports, e.g. SSH. See csf.conf for more
	 information
	 
	 Upgraded the urlget module

3.06   - Added System Exploit Checking. This enables lfd to check for the
         Random JS Toolkit and may check for others in the future:
	 http://www.cpanel.net/security/notes/random_js_toolkit.html
	 It compares md5sums of the binaries listed in the exploit above for
	 changes and also attempts to create and remove a number directory. The
	 open is enabled by default. The report is generated from the
	 exploitalert.txt template file

3.05   - Added perl regex checking to csf.pignore with the new options puser,
         pexe and pcmd. Text added to csf.pignore for new installations:

# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*

3.04   - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you
         to set the incoming and outgoing ICMP rate limits independently, or to
	 disable rate limiting in either direction completely for ICMP packets

3.03   - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of
         "ls -laAR"

         Modified rules so that only icmp ping is blocked and all other icmp
	 packets allowed if ping disabled in csf configuration. This may well
	 help improve iptables performance if ping was disabled

	 Added rate-limiting for all icmp packets to prevent inbound flooding

	 New option SYNFLOOD configures iptables to offer some protection from
	 tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet
	 rate per IP so the option can be tailored

	 Added SYN flag checking of state NEW tcp connections if PACKET_FILTER
	 is enabled. NEW tcp connections should always starts with a SYN

	 Moved PACKET_FILTER rules to their own iptables chain called INVALID

	 Fixed issue where some drops were not logging when logging enabled

	 Added hourly flush interval of reported usernames, files and pids so
	 that persistent problems continue to be reported

	 Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI

3.02   - Modified the text comments at the top of csf.allow for new installs:

# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

         Removed RELAYHOSTS check from Server Check report

	 Don't show SMTP_BLOCK check if on a VPS in Server Check report

	 PT_USERKILL, if set, will now also kill user processes that exceed
	 PT_USERPROC

	 Fixed problem where csf.tempusers was not being cleared down on an lfd
	 restart

	 Added two new csf command line options to flush IP's from the
	 temporary ban list: -tr -tf (see csf -h for more information)

3.01   - Tightened DNS port configuration restrictions as the old rules were
         being catered for by iptables connection

	 Added Kerio Mailserver POP3/IMAP regex's

3.00   - Added progress information to LWP downloads within csf

         Added numiptent checking for VPS servers. csf will flush iptables and
	 lfd will stop blocking IP's if numiptent is nearly depleted. This
	 should help prevent VPS lockouts due to insufficient server
	 resources. If this happens, you will either need to reduce the number
	 of iptables rules (e.g. disable Block List usage) or have the VPS
	 provider increase numiptent. A value of ~700-1000 should be fine for
	 most SPI firewall applications with full Block List configuration

	 Added support for the BOGON List (Block List) with LF_BOGON - 
	 http://www.cymru.com/Bogons/
	 See link and csf.conf for more information

	 Enhanced the cpanel.net lookup for httpdupdate.cpanel.net to
	 workaround the lack of rDNS PTR records

	 Fixed problem with RELAYHOSTS not working

	 Removed use of the replace binary

2.95   - Reduced memory overhead and added large file skipping for LF_DIRWATCH

	 Improved performance of LF_DIRWATCH trigger checks

         Fixed problem with LF_SELECT temporarily blocking outbound access on
	 all ports. Now now only the relevant inbound only port(s) will be
	 blocked if triggered

2.94   - Fixed linux line-endings in some configuration files from v2.93 -
         doesn't affect existing installations

2.93   - Improved mod_security v2 regex for filter triggers

         Added MySQL v5 check

2.92   - Improved the cPanel version check for < v11 and whether up to date

         Added new CLI option -t (--temp) which lists the temporary IP bans and
	 the TTL before the IP is flushed from iptables

	 Added "View Temporary IP Bans" to WHM UI

	 Changed WHM UI lfd Log auto-refresh default to unchecked

         Added regex for dovecot "Aborted login" messages in /var/log/maillog

         Added support for displaying mod_security v2 logs in WHM UI

2.91   - Added Fedora Core v6 to the obsolete OS check

         Added php v4 check

	 Added apache v2.2 check

	 Added Perl v5.8.8 check

         Added cPanel v11 check

	 Modified Sys::Syslog use to utilise the ndelay and nofatal options

	 Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in
	 a globally located ignore file

	 Modified Connection Tracking so that lfd doesn't block IP addresses
	 that resolve to *.cpanel.net (to prevent CT_LIMIT being triggered
	 during a upcp upgrade of cPanel)

	 Added new option CT_STATES to Connection Tracking so that you can
	 specify which connection states you want to count towards CT_LIMIT,
	 e.g. SYN_RECV

2.90   - Ensured that Process Tracking doesn't affect processes running under
         root

	 Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and
	 existing installations

	 Added Apache v2 checks to Server Checks Report

	 Removed mod_evasive from Server Checks Report as it appears to be less
	 relevant, especially with Apache v2

2.89   - Fixed the csf webmin module

         Added updates to the webmin module

	 Completely removed use of cat in the WHM module and wget/cat from the
	 webmin module

2.88   - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD

         Modified the courier IMAP and POP3D regex's to include connections
	 over SSL in lfd

	 Modified lfd to ignore cpdavd processes

	 Modified the cPanel regex's to include cPanel v11 variants in lfd

2.87   - Fixed duplication of settings during generic configuration upgrade
         procedure

         Only display version confirmation update message when running csf -u
	 interactively (Thanks to Brian Coogan for the perl tip)

	 Fixed issue with temporary files not being truncated before being
	 written to, which caused problems e.g. with global allow/deny files

	 Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from
	 connection tracking

	 Updated the csf webmin module to use the &ReadParse() routine to
	 overcome problems when running through SSL (Thanks to Tim Ballantine
	 for this tip)

2.86   - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive"
         on RedHat

2.85   - Fixed a problem with v2.84 which broke permanent IP blocking in lfd -
         it's been a long week :-/

2.84   - Fixed problem with permanent LF blocks in lfd for individual
         application port blocks when set to permanent

	 Added new SYSLOG option to csf.conf to allow additional lfd logging to
	 SYSLOG (requires perl module Sys::Syslog)

	 Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh
	 interval of 3600 to prevent getting yourself blocked!

2.83   - Fixed broken Server Check from v2.82

2.82   - Fixed a documentation for LF_TRIGGER_PERM

         Fixed issue where RT_[relay]_ALERT set to "0" was being ignored

	 Fixed condition from v2.80 which prevented SCRIPT_ALERT from working

	 If killproc.conf does not exist the Server Check now links to the
	 Background Process Killer page instead of issuing a file missing error

2.81   - Added exe:/usr/local/cpanel/cpdavd to csf.pignore

         Added option to disable refresh in WHM csf UI when viewing lfd.log

	 Removed debug code that prevented IP blocking -- oops

2.80   - Added new lfd feature - Relay Tracking. This allows you to track email
         that is relayed through the server (cPanel only). It tracks general
	 email sent into the server, email sent out after POP before SMTP and
	 SMTP_AUTH authentication, local email sent from the server (e.g. web
	 scripts). There are also options to send alerts and block IP addresses
	 if the number of emails relayed per hour exceeds configured limits.
	 The blocks can be either permanent or temporary. Currently blocking
	 does not function for LOCALRELAY email.

	 Introduced a new blocking mechanism in lfd that allows a choice of
	 permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for
	 details on how to configure the various blocking options to use
	 temporary instead of permanent blocks, e.g. for Login Failure blocking

	 Modified new installations to default to using seperate triggers for
	 login failures, instead of the global LF_TRIGGER value

2.79   - Bug fixes

         Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK
	 is enabled for the new cPanel Webmail configuration in v11

	 Added new configuration option DROP that allows you to choose the drop
	 target for rejected packets (see csf.conf for more information)

	 Remove /etc/cron.d/csf_update on uninstall

2.77   - Closed vulnerability with temporary file checking

         Tighted log file regex's to prevent spoofed remote IP block attacks

2.76   - Improved file checking in Server Check script to prevent WHM failures

2.75   - Modified Server Check to only look at pure-ftpd settings if installed

         Simplified throttling mechanism


2.74   - Modified PHP Server Checks to use the php binary output instead of
         trying to find the active php.ini file

	 Added PHP Server Check for register_globals

	 Improvements to the Server Check code

	 Fixed bug in TCP port 23 check in Server Check

	 Added new option --check (-c) to check whether the installed verison
	 of csf is the latest, no update is performed

	 Added multiple csf configuration checks to the Server Check report

 	 Added throttling to LF_INTEGRITY and increased the timeout
	 proportionally

2.73   - Modified SMTP_BLOCK warning on VPS servers to only display if the
         option is enabled

	 Modifed the Server Services Check text to omit using -del with
	 chkconfig and better explain that a process is enabled even if it is
	 not currently running and needs to be disabled to prevent startup on
	 boot

	 Removed reliance on wget for updates and version checks

	 Coding improvements in csf.pl and addon_csf.cgi

	 Added /var/log/lfd.log tail automatic refresh to WHM UI

2.72   - Fixed problem with DENY_IP_LIMIT not counting all IP entries in
         csf.deny correctly

	 Ignore and issue a warning if SMTP_BLOCK is enabled on a Vituozzo VPS
	 since the Virtuozzo VPS kernel does not support ipt_owner

	 Remove Shell/Fork Bomb Protection check in Server Check as the option
	 breaks a Virtuozzo VPS if enabled

	 Added more processes to check in Server Services Check

	 Removed restriction on outbound source port rule construction

2.71   - Added CSS settings to support pre-v11 cPanel installations

2.70   - Modified to adopt cPanel v11 WHM theme

         Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new
	 installations for v11 cPanel

	 Added FC5 to the list of (or soon to be) unsupported OS's

	 Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading

2.69   - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where
         a suspicious directory would not be removed

	 Added perl module check for File::Path

	 Added path configuration to tar and chattr in csf.conf

	 Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login
	 failures. When upgrading the new setting will be set to whatever you
	 have LF_FTPD set to

2.68   - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead
         to arbitray code being executed in the context of the user running lfd
	 , i.e. root. This option has been disabled in the code until further
	 notice. You will have to manually remove any reported files.

	 Tightened csf file ownerships on installation

2.67   - Security fix - A major security issue has been found in the
         LF_DIRWATCH code that can lead to arbitrary code being executed in the
	 context of the user running lfd, i.e. root, if that option is enabled
	 and a hacker has access to create a crafted filename in one of the
	 watched directories. This update closes this hole.

	 *ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL
	 EXPLOITATION*

2.66   - Modified LF_CPANEL text in csf.conf for new installations to reflect
         the change in the SSL login handling by cPanel (i.e. it does now log
	 SSL login IP's)

	 Modified the log line monitoring in lfd to cope with log line flooding
	 to prevent looping/excessive resource usage. Also recoded without the
	 use of the POSIX routines

	 lfd process name now shows which log file it is scanning

2.65   - New Feature: System Integrity Checking. This enables lfd to compare
         md5sums of the servers OS binary application files from the time when
	 lfd starts. If the md5sum of a monitored file changes an alert is
	 sent. This option is intended as an IDS (Intrusion Detection System)
	 and is the last line of detection for a possible root compromise. See
	 csf.conf for more information

2.64   - Modified lfd check for rotated system logs to re-open a log file if
         logs are emptied instead of rotated

2.63   - Added regex support for uw-imap (imap and pop3) login failures

         Added regex support for proftpd login failures

	 Timeout version check incase version server is unavailable

2.62   - Fixed CIDR support issue with csf.ignore only recognising the first
         listed entry

2.61   - Fixed problem with lfd not being killed by /etc/init.d/lfd

2.60   - Added log file locations to csf.conf

         openSUSE v10 compatible (generic)

	 Debian v3.1 (sarge) compatible (generic)

	 Unbuntu v6.06 LTS compatible (generic)

	 Added installation check for the LWP (libwww-perl) perl module

	 Ran spell checker against the readme.txt file

2.59   - Fixed mod_security report not displaying if only 1 entry

2.58   - Tweaked the mod_security entry layout

2.57   - New feature: WHM UI mod_security v1 display last X entries in the
         audit_log

         New feature: WHM UI mod_security v1 edit files or directories in
         /usr/local/apache/conf/ that are prefixed with modsec or mod_sec

	 Tweaked the pre-configured Firewall Security Level settings

2.56   - Fixed v2.55 fix for non-EDGE versions

2.55   - Fix to to support current EDGE in csf WHM UI

2.54   - Tightened the mod_security v1 regex after the changes in v2.52

2.53   - Modified Server Check to reflect withdrawn FedoraLegacy support for
         FC3 and FC4 which should now be considered insecure

2.52   - Separated the log file regex's into regex.pm for those feeling brave
         to tailor them for non-cPanel servers

	 Unified installer for cPanel and non-cPanel installations - so that
	 only install.sh needs to be run (checks for the existence of:
	 /usr/local/cpanel/version
	 If you install on a server intending to use cPanel before cPanel is
	 installed, run the install.cpanel.sh script instead

	 Added mod_security v2 regex when running Apache2 to lfd

	 Added [iptext] tag for connectiontracking.txt to list all the
	 connections of an offending IP. Add this manually for existing
	 installations

2.51   - Major Enhancement: csf+lfd can now be installed and used on a generic
         Linux OS without cPanel using install.generic.sh - see readme.txt for
	 more information

         PF INVDROP entries made bi-directional if PF logging enabled (reduces
	 the number of INVDROP LOG rules by half)

	 Fixed Process Tracking throttle control to correctly use PT_INTERVAL

2.50   - Removed option ALLOW_RES_PORTS from new installs, setting is ignored

         Check for LF at the end of form data for files edited through the WHM
	 UI and append one if omitted

	 Following the changes in 2.48 the LOGDROP chain doesn't distinguish
	 between incoming and outgoing blocks. So, LOGDROP has now been split
	 into LOGDROPIN and LOGDROPOUT

2.49   - Fixed issue if ETH_DEVICE was set and from changes in 2.48

2.48   - csf will now specify ! lo as the main ethernet device unless otherwise
         defined in ETH_DEVICE. This will mean that the firewall is applied to
	 all ethernet devices on the server unless otherwise specified in the
	 configuration

2.47   - Modified DYNDNS code to set listed domains IP addresses to be ignored
         as if they were listed in csf.ignore

	 If adding an IP address to csf.allow that is already in csf.deny, the
	 IP address will now be removed from csf.deny first and the DROP 
	 removed from iptables. It will then be added to csf.allow as normal

2.46   - Added auto-detection of additional exim port (same as SSH port) which
         will be added to TCP_IN on csf installation (or if in TESTING mode)

	 Only report PT_USERMEM and PT_USERTIME PIDs once

2.45   - Added workaround to restart the bandmin acctboth chains if csf is
         stopped or (re)started

	 Rewritten the way RELAYHOSTS works so instead of using an iptables
	 chain a check is done at block time on the IP address and if it is in
	 /etc/relayhosts then it will be treated as if it is listed in
	 csf.ignore

	 Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0)
	 instead of a time interval

	 Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore

	 Added new options PT_USERMEM and PT_USERTIME to report excessive user
	 process usage and optionally PT_USERKILL to kill such processes. An
	 alert is sent using resalert.txt

2.44   - Added new option PT_LOAD which will detect if the server load average
         of choice exceeds a set threshold and send an alert

	 Reduced the DROP_NOLOG default setting to not include ephemeral ports
	 for new installations

	 Moved DROP_NOLOG rules to the LOGDROP chain

2.43   - Added new option DROP_PF_LOGGING which will give detailed iptables log
         information on dropped packets that are INVALID or out of sequence.
	 This can help tracking down why iptables may be blocking certain IP
	 connections

2.42   - Improved the csf locking mechanism to avoid deadlocks

2.41   - Fixed syntax in lfd procedure for csf locking

         Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it
	 will be run before any of the csf iptables rules are applied. If
	 /etc/csf/csfpost.sh exists it will be run after all of the csf rules
	 have been applied. This allows you run your own iptables commands
	 within those files. Each file is passed through /bin/sh

	 Added two new command line options to completely enable and disable
	 csf and lfd

	 Added Enable and Disable options to WHM UI

2.40   - Added csf lock procedure to avoid iptables race conditions if multiple
         /simultaneous instances of csf or lfd are executed

	 Added check for child reaper looping to dramatically reduce lfd load

2.39   - Added OS check to Security Check to warn if using RH7/9 FC1/2 which
         are no longer supported (or about to be retired)

	 Made lfd more lenient when it cannot open a log file (reports the
	 error but continues to function)

	 PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for
	 php settings

	 Added new option RELAYHOSTS to csf.conf which allows you to
	 automatically allow access to IP's listed in /etc/relayhosts at a
	 specified interval

2.38   - Fixed DYDNS (forgot to add the rule to redirect packets to the
         ALLOWDYN iptables chain)

2.37   - Added canna to the Security Check

         New feature - added support for dynamic dns (DYNDNS) records. See
	 csf.conf for more information

	 Added dyndns file edit to WHM UI

2.36   - Added runlevel check to Security Check

         Added nobody cron check to Security Check

	 Added melange server check to Security Check

	 Modified the regex for the php.ini disable_functions check

	 Added timing function to lfd that logs how long each stage takes. This
	 can be enabled by editing lfd.pl and setting $timing=1 - this can help
	 in tracking down performance issues with lfd

2.35   - Added specific exclusion for proftpd in lfd.pl process tracking

         Fixed bug with LF_GLOBAL being ignored

2.34   - Added a new option (beta for now) PT_SMTP. This option will check for
         outgoing connections to port 25, ecluding root, exim and mailman. The
	 purpose of the feature is to log SMTP connections if you believe you
	 have a spammer on the server who is bypassing exim to send out spam
	 emails - this is traditionally a very difficult form of spam to track
	 down. The option currently logs relevant process information to
	 lfd.log to avoid an email alert flood.

2.33   - Code modification to allow csf+lfd to run without erroring on cPanel
         DNS-Only installations

	 Added forced error checking on SMTP blocking iptables commands

	 Added check in csf and lfd for duplicate settings in csf.conf

2.32   - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25
         for web scripts, etc, if SMTP_BLOCK is enabled

	 Added check to csf startup to fail if "WHM > Tweak Security > SMTP
	 Tweak" is enabled otherwise it can break SMTP traffic completely. The
	 SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used
	 instead

2.31   - Added automatic throttling code to help prevent lfd using excessive
         resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If
	 the sub process takes too long to run, the interval between its next
	 run is increased temporarily (for the duration lfd runs for, a restart
	 will reset it) and will continue to extend this time to prevent
	 excessive server load. However, it will also proportionately increase
	 the time given for the sub process to complete so that it can at least
	 attempt to get the check done. If you see throttling messages
	 appearing in the lfd.log you should consider increasing the process
	 interval as indicated permanently (i.e. within csf.conf)

	 Added throttling to CT_INTERVAL

2.30   - Modified PT_USERPROC to respect all ignore entries in csf.pignore

2.29   - New feature - User Process Tracking. This option enables the tracking
         of the number of process any given cPanel account is running at one
	 time. If the number of processes exceeds the value of the PT_USERPROC
	 setting an email alert is sent with details of those processes. A user
	 is only reported once, so lfd must be restarted to reinstate checking
	 of all users. If you specify a user in csf.pignore it will be ignored.
	 The alert file is useralert.txt

	 Added useralert.txt for editing through the WHM UI

	 Added PT_USERPROC to the Firewall Security Level settings

2.28   - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to
         csf.pignore

	 Only perform strict iptables error checking when in TESTING mode

2.27   - Fixed another mis-configuation for outgoing global deny rule - Thanks
         again to Marie from Jagwire Hosting

2.26   - Fixed a mis-configuation for outgoing global deny rule - Thanks to
         Marie from Jagwire Hosting

	 Allow advanced allow and block filters using the -a and -d options
	 when running csf in CLI

	 Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the
	 application trigger levels set, you can now set LF_SELECT to "1" if
	 you only want to block IP access to that application instead of a
	 complete block

	 Changed installer behaviour to only add SSH port to TCP_IN if TESTING
	 is set to "1" - done to help those that don't want to always have the
	 SSH port opened

2.25   - Modified lfd init procedure to use the init functions

         Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd
	 will instead trigger blocks based on the value of the application
	 trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3
	 mod_security alerts. Or if LF_POP3D is set to "10" then it will
	 trigger on 10 pop3d login failures. When in this mode, i.e. with
	 LF_TRIGGER set to "0", login failures for different triggers are not
	 cumulative, whereis LF_TRIGGER set to a number > "0" they are
	 cumulative as before

	 Modification to csf.conf to reflect the changes to LF_TRIGGER - only
	 applied to new installations

         Rewrite of the iptables command invocation in lfd.pl to trap iptables
	 errors and shutdown firewall if any found - should help prevent
	 lockouts

	 Allow advanced rules in Global Allow and Deny lists. Input and Output
	 direction support included.

	 Added Global Allow and Deny lists to the OUTPUT chain as well as the
	 INPUT chain

	 Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to
	 ignore. Updated WHM UI to allow easy file edits

2.24   - Fixed global allow/deny lists so that you can correctly not have to
         specify both an allow and a deny file

2.23   - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH
         from the cPanel configuration

	 Added maildir check to Security Check

	 Fixed a typo in advanced rules - Thank you to Victor from Touch
	 Support for pointing this out

	 Added binary executable check for LF_DIRWATCH files

	 Added core dump check in cron directories to LF_DIRWATCH

	 Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match

	 Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still
	 find it timing out, make sure that you have been clearing down your
	 tmp directories

2.22   - Added CIDR recognition to csf.ignore

         Rewrite of the iptables command invocation in csf.pl to trap iptables
	 errors and shutdown firewall if any found - should help prevent
	 lockouts

2.21   - Fixed a problem on some installations where the update process emptied
         out csf.conf. If this has happened, you will need to remove
	 /etc/csf/csf.conf and then rerun the installation procedure and
	 reconfigure the firewall. If you're already running at least v2.18 you
	 can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf
	 and then upgrade to this release

2.20   - Added workaround for different output from the fuser application in
         different OS's

2.19   - Added Security Check for recurions restrictions in named.conf

         Modified port 23 check to be quicker

	 Added Security Check for localhost/127.0.0.1 entry in resolv.conf

	 Added Security Check for webmin if running

	 Added 3 more WHM Security Checks for domain parking

	 Added Security Check for boxtrapper

	 Added a Run Again button to the Security Check page

	 Added Security Checks for cPanel and security package updates

2.18   - Fixed an issue with checking the /var/tmp symlink by comparing the
         inodes of /tmp and the symlink destination of /var/tmp

         Added checking of /usr/tmp

	 Added checking of SSH PasswordAuthentication

	 Modified update routine to take a copy of csf.conf before upgrading -
	 the backup file is /etc/csf/csf.conf.preupdate

	 Added check in /etc/cron.daily/logrotate for /tmp noexec workaround

2.17   - Fixed installation process where duplicate entries were being added to
         csf.conf for new settings. Routine added to remove duplicates and
	 redundant settings

         Added logrotate script for for the lfd.log file

2.16   - Fixed syntax issue with the csf.deny application feature added in
         v2.15 that prevents csf adding the IP to csf.deny

2.15   - Added a list of the applications that lfd blocks a login failure for
         into csf.deny, e.g. (ftpd,mod_security)

	 Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature
	 will watch for changes in directories and files listed in csf.dirwatch
	 using an md5sum for the ls output. If the md5sum changes between
	 checks an email alert is sent using watchalert.txt

	 Modified pid file locking for the lfd process to ensure duplicate
	 processes won't run

	 Completely reworked the child reaper code to prevent SIG_CHLD kernel
	 errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs

	 Added new option to csf.fignore that allows you to ignore files owned
	 by a specific user by adding an entry in the format user:bob

	 Fixed bug in LF_DSHIELD timer code

	 Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch
	 their respective data

	 New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to
	 specify a URL where csf can grab a centralised copy of an IP allow
	 and/or deny block list of your own. They are both retrieved after a
	 LF_GLOBAL interval in seconds by lfd

	 Added WHM UI changes for LF_DIRWATCH_FILE

2.14   - Modification to /var/tmp check to cater for symlinks with a trailing
         slash

	 Added check for native SSL support in cPanel in Server Check for those
	 versions that now support it

	 Added MySQL port check to Server Check

	 Added missing comments when clickcing Display All Comments

2.13   - Added cPanel version check to Security Check

         Added suspicious symlink checking to LF_DIRWATCH

	 Added a Display All Comments to Security Check

	 Added hyperlinks to WHM URLs in Security Check comments

	 Fixed the Apache Limits comments of the Security Check

	 Added shell limit checks to Security Check

	 Added Background Process Killer to Security Check

2.12   - Removed duplicate /var/tmp tests

         Fixed another typo

2.11   - Typo corrections in output text

         Removed dependencies on external modules for the Server Check report

2.10   - Fixed /dev/shm test

2.09   - Removed the nodev check on /tmp etc

2.08   - Changed app name to ConfigServer Security & Firewall

         New Feature - Added Server Security Check report to WHM UI

2.07   - Improved suspicious directory detection

2.06   - Document update

         Change directory watching to only check for suspicious sub directories

2.05   - Fixed log file error if DShield or Spamhaus block list retrieval fails

         Added perl regex matching in csf.fignore (see updated readme.txt)

2.04   - Added /tmp/.horde/* to csf.fignore

2.03   - Fixed a looping issue with the temporary Connection Tracking block
         code

         Added a 10 second timeout for the LF_DIRWATCH child to prevent looping

2.02   - In LF_DIRWATCH, allow wildcard matching at the end of a file name in
         csf.fignore, such that /tmp/clamav* will ignore any files starting
	 with /tmp/clamav, e.g. /tmp/clamav-1234

	 Added a throttle to LF_DIRWATCH - if more than 10 emails are being
	 emailed in one pass, LF_DIRWATCH will create the file
	 /etc/csf/csf.dwdisable and then disable itself. To get it watching
	 again, either restart lfd or delete that file

	 Fixed a bug where LF_DIRWATCH always reported the same file when
	 different files had been detected in a pass

2.01   - Added an LF_DIRWATCH exception for postgres /tmp files

         Prevent a file being reported more than once in an LF_DIRWATCH run

	 Removed LF_DIRWATCH check for files being excecutable since too many
	 apps set temporary files with the flag set, e.g. mod_gzip

2.00   - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp
         and /dev/shm and other pertinent directories for suspicious files,
	 i.e. script exploits. These can optionally be moved into a tarball

	 Directory Watching false-positives can be listed in csf.fignore which
	 is accessible from the WHM UI

1.99   - Bug fix for multiple NICs in the lfd code

1.98   - Modified code to allow for multiple ethernet NICs so that all rules
         are applied to all NICs, for example, if you have IP's spread over
	 eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+"

1.97   - Tightened DNS port 53 connections in accordance with:
         http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07

	 Moved no log dropping to the end of the chains

	 Moved allowed IP's to before Block Lists

1.96   - Liberalised connections allowed to and from DNS port 53

1.95   - Fixed WHM UI update. If you're running v1.93 or v1.94 you'll have to
         update from shell to get to v1.95 using:
	 csf -u

1.94   - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic

         Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore

1.93   - Fixed problem where external resolvers were being used and responses
         from them were being dropped because they were coming back on
	 ephemeral ports - added a scan of /etc/resolv.conf and external
	 nameservers now have whitelisted source port 53 to ephemeral ports

	 Drop logging of failed attempts to access port 53 so they don't
	 consume syslog

	 Moved update from /tmp do /usr/src

1.92   - Fixed bug where the DShield and Spamhaus block lists weren't being
         periodically updated by lfd

1.90   - Minor fix to pre-configured settings

1.89   - Added Pre-configured settings for Low, Medium or High firewall security
         to WHM UI

1.88   - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain

1.87   - Modified drop list chains to use their own drop logging to
         differentiate from normal drop - if drop logging enabled

1.86   - Modified lfd connection tracking to drop udp as well as tcp packets
         when blocking

	 Added support for the DShield Block List with LF_DSHIELD -
	 http://www.dshield.org/block_list_info.php
	 See csf.conf for more information

	 Added support for the Spamhaus DROP List with LF_SPAMHAUS -
	 http://www.spamhaus.org/drop/index.lasso
	 See csf.conf for more information

1.85   - Workaround for spam PT false-positives

         Added exe:/usr/bin/spamc to csf.pignore

	 Added csf version to title bar in WHM

1.84   - Added new cpsrvd-ssl executable to csf.pignore for the new SSL native
         cPanel setup (currently in EDGE)

1.83   - Enhanced lfd.log logging for application failure detection lines

         Set lfd to ignore child processes to get rid of zombie children. If
	 you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can
	 revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE,
	 but you are likely to see harmless <defunct> lfd zombie processes

1.82   - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled

         Extended the Advanced Allow/Deny Filters to allow use of UID and GID
	 filtering for outgoing packets - see readme.txt for more details

	 Modified code to deal with modprobe command output more cleanly

1.81   - Further modification for the newer xt iptables modules

1.80   - Modified iptables LKM modprobe code to cater for newer xt_* module
         naming scheme

1.79   - Added new feature to send an alert email if su is used to login from
         one account to another. Alerts are sent whether the attempt was
	 successful or failed

1.78   - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd
         process tracking

1.77   - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels,
         e.g. RH9/FC1

	 Modified WHM UI textareas to expand to fit file contents

1.76   - Changed WHM interface to restart csf before lfd when restarting both

1.75   - Fix to prevent duplicates in csf.deny

         Added a slight pause between stop and start when restarting

	 Code fix for TESTING mode crontab entry removal

1.74   - Fixed lfd to when reading csf.ignore when comments present

1.73   - Added new option LF_CSF to restart csf if iptables appears to have
         been flushed (i.e. stopped)

         Added new option LF_SCRIPT_PERM to disable directories identified by
	 LF_SCRIPT_ALERT - see csf.conf for more information

	 Workaround to child reaper when 2 children die at the same time

	 Added workaround for PT spamd false-positives

1.72   - Fixed bug in (deleted) lfd checks

1.71   - Added some more exceptions to csf.pignore

	 Lowered the default setting for LF_SCRIPT_LIMIT to 100

	 Modified PT to check for deleted binaries on exemptions which happen
	 when upcp runs and the binaries are replaced

1.70   - PT now only reports processes with open ports

1.69   - lfd tweaks

1.68   - Additions to csf.pignore

         Added new option PT_SKIP_HTTP - see csf.conf/readme.txt

	 Updated readme.txt regarding unavoidable false-positives and possible
	 mitigation.

1.67   - More tweaks to PT with additions to csf.pignore

1.66   - Updated csf.pignore file with additional executables

	 lfd code tweaks

1.65   - Added very simple ASCII obfuscation for lfd PT skip lines

	 Fixed port typo for entropychat port

1.64   - Updated CLI help and readme.txt for new csf -u command from v1.63

	 Changed the format of the email templates for new installations -
	 if you want to use the new format remove /etc/csf/*.txt and then
	 install csf

	 Added mechanism to prevent multiple email/block attempts from login
	 attacks in lfd

	 Added new feature - Process Tracking. This option enables tracking of
	 user and nobody processes and examines them for suspicious executables
	 or open network ports. Its purpose is to identify potential exploit
	 processes that are running on the server, even if they are obfuscated
	 to appear as system services. If a suspicious process is found an
	 alert email is sent with relevant information - readme.txt for details

1.63   - Added feature to WHM UI to enable editing of the email templates

	 Modified WHM UI to use fixed-width larger font for command output and
	 edit boxes

	 Added notice to install.txt and readme.txt about enabling klogd (on
	 VPS systems in particular)

	 Added autoupdates system using AUTO_UPDATES - see csf.conf for details

1.62   - Added to APF/BFD removal in WHM UI the logrotate configuration files

	 Added comments system to csf.allow and csf.deny - see readme.txt for
	 more information

1.61   - Tighten up some of the csf rules

	 Added new fature - LF_SCRIPT_ALERT when enabled will scan
	 /var/log/exim_mainlog for extended exim logging lines that show the
	 cwd= line for paths in /home which indicate emails sent from scripts.
	 If LF_SCRIPT_LIMIT emails from the same path are sent within an hour,
	 an email alert is sent using scriptalert.txt containing the first 10
	 probably exim mainlog line matches and also likely mailing scripts
	 within the identifed path - an ideal tool to help identify spamming
	 scripts sending out email through exim. The option is disabled by
	 default as you do need to enable extended exim logging first as
	 explained in the csf.conf file

1.60   - Modified lfd to use a child reaper instead of ignoring the CHLD signal

	 Added login failure detection of cpanel, webmail and whm connections -
	 this will only work for access to non-secure ports as cPanel doesn't
	 know the IP address of the user when connection are over SSL due to
	 the way stunnel works

1.59   - Added workaround to ethernet device detection for VPS servers

1.58   - Fixed problem where SSH port detection on installation would add an emtpy , if
         the SSH port had not been explicitly defined in sshd_config

	 Modified csf and lfd ethernet device detection so that if specified in either
	 csf.conf or /etc/wwwacct.conf dup IP's aren't checked - useful for bonded
	 ethernet devices on some OS's

1.57   - Removed erroneous <CR>'s in lfd.log

         csf start automatically does a restart to avoid problems with any
	 existing iptables rules or chains

	 Added new option "Deny Server IPs" and associated file csf.sips to
	 allow blocking of all traffic on server configured IP's if they're
	 not in use

	 Added notification to CLI and WHM UI if TESTING still enabled

1.56   - lfd modification to avoid a race condition with the ALRM calls

	 Added new feature - /etc/csf/csf.ignore can contain IP addresses that
	 are ignored by lfd. If an event is triggered it may be logged in
	 lfd.log but will not result in an email alert - e.g. you could list
	 your own IP address to avoid alerts from when you login over SSH, etc

	 Added WHM UI option to edit the ignore file

1.55   - Fixed a strict refs issue in lfd

1.54   - Fixed IP DNS lookup routine to avoid empty () when no host found

	 Added local DIE for ALRM calls for IP lookups and netstat commands

	 Removed chkservd restart from /etc/init.d/lfd so that it behaves like
	 other monitored services

	 Improved error trapping routines to better report to lfd.log if the
	 process dies

1.53   - Optimised logging in lfd

	 Improved error handling and reporting in lfd

	 Modified WHM UI report to include all data, not just a single day

	 Improved DROP logging to SYSLOG

	 Added logging of dropped ICMP connections

	 Added new option DROP_IP_LOGGING to log IP addresses that have been
	 blocked in csf.deny or by lfd with temporary connection tracking
	 blocks

1.52   - beta test release

1.51   - Added DNS lookups for IP addresses in all lfd alert emails

1.5    - Added new feature - Connection Tracking. Enables tracking of all
         connections from IP addresses to the server. If the total number of
	 connections is greater than CT_LIMIT then the offending IP address is
	 blocked in csf, or temporarily blocked in iptables. This can be used
	 to help prevent some types of DOS attack

	 Added new feature - SSH login alerts. An email is sent if a successful
	 SSH login is detected

	 Fixed a descriptive issue with the WHM UI

	 Modified so that lfd checks that it doesn't block a server IP

1.42   - Modified lfd login tracking to check the csf.allow file for an
         offending IP address and to skip it if it's allowed - note this only
	 works for specified full IP addresses (not CIDRs or advanced port/IP)

1.41   - Added an exception for 127.0.0.1 when checking ethernet interfaces as
         VPS servers are setup with that IP on both the loopback and main
	 interface

1.4    - Fixed error routine iptables flush command typo

	 Modified interface checking for non-english Linux distributions

	 Modified interface checking for IP addresses assigned to multiple
	 interfaces by mistake (I've just seen this happen!)

	 Set FORWARD chain to ACCEPT on stopping firewall

	 Reorganised csf.pl code

	 Added advanced port+ip filtering within csf.allow and csf.deny with
	 the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info)

	 Added link to readme.txt in WHM interface

	 Added iptables status (Running/Stopped) to WHM interface

	 Added Quick Allow and Quick Deny IP address options to WHM interface

1.33   - Added blocking of SSL POP3 and IMAP ports to LT (993/995)

	 Added option to Restart csf+lfd within WHM interface when appropriate

	 Added buttons to WHM interface to remove APF or BFD if still installed

	 Removed csf nat and mangle chain actions

1.32   - Modified log line checking to deal with syslog compression. This is
         where syslog will add a line "last message repeated X times" if the
	 next line it were to add is identical to the last. This could lead to
	 login attempts being missed. But no more - lfd now checks for that
	 line and repeats the processing of the previous log line X times to
	 count all the login failures

1.31   - Removed some redundant code from csf

	 Display error in csf if IP already in allow/deny file

	 Stopped install.sh from overwriting email templates

	 Added email notification for login tracking including a new email
	 template tracking.txt

	 Added mod_security apache module IP blocking in lfd

1.3    - Fixed a problem with the tick time in the alert report

	 Changed the way allow and deny IP addresses are inserted into iptables
	 so that using the command line -a or -d doesn't require a firewall
	 restart

	 csf -l now shows iptables line numbers

	 Added login tracking (LT) options to keep track of POP3 and IMAP
	 logins and limit them to X connections per hour per account per IP
	 address. Uses iptables to block offenders to the appropriate protocol
	 port only and flushes them every hour. All of these blocks are
	 temporary and can be cleared by restarting csf

1.21   - Added the real log file failure entry matches to the alert email. Existing
         installations will need to add a [text] variable into
	 /etc/csf/alert.txt

	 Added link in WHM to the ChangeLog if a new version is available

1.2    - Fixed uninstall script to remove lfd from chkservd

	 Fixed lfd so that checks were not made on options where a log file is
	 shared

	 Fixed lfd stop/start to dis/enable chkservd option

	 Added upgrade feature to WHM when a new version of csf is available

1.11   - Use full paths to chkconfig within the csf installation scripts

	 Documentation improvements

1.1    - Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks
         an IP address. lfd now forks a child process to handle the IP blocking
	 and email so that it doesn't hinder the daemon process from scanning
	 the logs. It uses a template file for the email.

1.0    - Initial public release

         Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading

	 Check /var/log/messages and /var/log/secure for SSHD logins

	 Clarified in the configuration file that only courier-imap/pop3
	 connections are trapped in lfd

1.0RC2 - Added filtering out of \r in WHM interface for allow and deny

	 Fixed typo in WHM addon

	 Added new configuration option ALLOW_RES_PORTS

1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch:
         http://sourceforge.net/projects/fwlogwatch/
	 This processes /var/log/messages and extracts the iptables log entries
	 (if logging is enabled) and produces a simple HTML summary report

0.2b   - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat
         module installed

	 Modified lfd to use asterix in the log message when blocking to
	 highlight in Thunderbird in the same way as the kernel log messages if
	 you use the "Quote Colors" extension - http://quotecolors.mozdev.org/

	 Added list of TCP and UDP ports currently being listened on to install

	 Set DNS_ZONE to default to 1

	 Removed backups of csf.conf files as the WHM interface is stable

	 Added ipt_owner module load for SMTP Tweak on LKM kernels

	 Added ipt_LOG to the required module list for LKM kernels to ensure
	 drop logging to syslog

	 Added new configuration option DENY_IP_LIMIT

0.1b   - Initial beta release (24 May 2006)
