6.08   - Added IPV6_SPI workaround for CentOS/RedHat v5 and custom kernels that
         do not support IPv6 connection tracking by opening ephemeral port
	 range 32768:61000. This is only applied if IPV6_SPI is not enabled.
	 This is the same workaround implemented by RedHat in the sample default
	 IPv6 rules

6.07   - Fixed issue with processing /proc/PID/stat for process information

6.06   - Prevent csf/lfd from failing to run if a non-critical configuration
         file does not exist

	 In webmin, force table stylesheet to override webmin css. Requires
	 webmin module reinstall on existing installations

6.05   - Improvements to minimal perl module detection on new installs

         Bugfix for default lfd.pl perl shebang

6.04   - Implement slurp routine for configuration files to cater for incorrect
         linefeeds

	 Ignore leading and trailing spaces from lines in configuration files

	 Fixed Include statements in csf.ignore not implemented in lfd

	 Additional debug logging for RT_*_LIMIT added

	 Replaced call to Time::HiRes::sleep with standard sleep

	 Additional dovecot entries in csf.pignore for new installations

6.03   - Switched from using LWP to HTTP::Tiny to reduce memory footprint and
         reliance on the LWP perl module. The HTTP::Tiny module is included in
	 the distribution, so no further action is necessary

	 Modified lfd perl module loading to be conditional where possible to
	 reduce lfd memory footprint

	 Modify initial file processing to reduce lfd memory footprint

	 Modify PS_PORTS processing to reduce lfd memory footprint

	 Moved init of Geo::IP::PurePerl into iplookup subroutine

	 Removed "DEFERRED" login failure checking from CPANEL_LOG regex due to
	 false-positives

	 Modify LF_DIRWATCH_DISABLE so that only files are added to
	 suspicious.tar and removed. Suspicious directories will no longer be
	 removed

	 Removed File::Path - no longer required

6.02   - Modify MESSENGER HTML header to return code 403 instead of 200

         Modify UI daemon to fallback to IPv4 if IPV6 setting is not enabled

	 Added new options LF_SYMLINK and LF_SYMLINK_PERM. This feature enables
	 detection of repeated Apache symlink race condition triggers from the
	 Apache patch provided by:
	 http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
	 This patch has also been included by cPanel via the easyapache option:
	 "Symlink Race Condition Protection"

6.01   - Ensure all binaries are called with their full paths for the scheduled
         Server Security Check reports

	 Allow csf -u/-uf/--update and -c/--check when csf is disabled

	 Make RT_* checks IPv6 compatible

	 Added dns query caching for ip lookups during lfd process lifetime

	 Modify TOR rule loading to use FASTSTART in lfd if enabled

	 Added iptables locking to FASTSTART code

	 LF_INTERVAL now defaults to 3600 on new installations to better cope
	 with slow brute force login attempts

	 Removed references to .cpanel.net being ignored from the changelog as
	 they no longer apply and could cause confusion

	 Fix csf.rignore loader regex causing unnecessary DNS lookups if file
	 has no entries

	 Added "DEFERRED" login failure checking to CPANEL_LOG regex

6.00   - Major new option - FASTSTART:

	 This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
	 IP6TABLES_RESTORE in two ways:

	 1. On a clean server reboot the entire csf iptables configuration is
	    saved and then restored, where possible, to provide a near instant
	    firewall startup[*] during the boot sequence

	 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS,
	    DSHIELD, BOGON, TOR are loaded using this method in a fraction of
	    the time taken when this setting is disabled

	 [*] Not supported on all OS platforms

	 FASTSTART allows for very quick startup at reboot and during
	 uptime. If the Country Code blocking options (CC_*) are used, their
	 tables are loaded by csf and lfd almost instantly, compared to many
	 minutes for large countries previously

	 FASTSTART is enabled on new installations (or those in TESTING
	 mode). Existing installations will need to enable it manually

	 Other Changes:
	 
	 Improvements to csf and lfd init routines

	 LF_QUICKSTART renamed to LFDSTART, setting value preserved

	 Fixed a problem with scheduled Server Security Check reports

	 Crypt::CBC upgraded to v2.32

5.79   - Modified csf error routine to store failing error in csf.error and
         display an instructional message

	 Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM

	 Modified the Server Report proxysubdomains check on cPanel servers

	 Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP,
	 CC_DENY_PORTS_UDP. This feature denies access from the countries
	 listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using
	 this, FTP access on port 21 could be blocked for only the specified
	 countries

5.78   - Due to issues that some are experiencing with the switch from the
         state to the conntrack module a new setting, USE_CONNTRACK, has been
	 added. It is disabled by default except on new installations running
	 kernel 3.7+, where it is enabled

5.77   - Add an exception for the useless Virtuozzo kernels' iptables
         implementation so that csf uses the deprecated state module instead of
	 conntrack

5.76   - Only add the /128 IPv6 bound address per NIC instead of the whole /64
         to the local IPv6 addresses

	 Modify SSHD and SU regexes to allow for empty hostname field in log
	 file

	 Added new option UNBLOCK_REPORT. This option will run an external
	 script when a temporary block is unblocked

	 Additional entries in csf.logignore on new installations

	 Switched from using the iptables state module to using the conntrack
	 module in preparation for the former's obsolescence

	 Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so
	 that new tests can be easily added and then ignored if desired

	 Added new LF_EXPLOIT check SSHDSPAM to check for the existence of
	 /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9. See:
	 http://www.webhostingtalk.com/showthread.php?t=1235797

5.75   - Fixed issue with single quotes appearing in CC lookup names causing
         lfd IP blocks to fail

5.74   - Additional entries in csf.pignore for the cPanel installation to cater
         for v11.36 processes on new installations

	 Added workaround for cPanel /etc/cpupdate.conf check in Server Report
	 for changes in v11.36

	 Additional entries in csf.logignore on new installations

	 Try harder to get a CPU temperature if lm_sensors is installed for
	 System Statistics

	 Enforce PORTFLOOD setting restrictions and issue warning if entry
	 discarded

	 Correct location of CC_ALLOWF in LOCALINPUT after update from lfd

	 Make CC_[chain] actions more verbose in lfd.log

	 Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP,
	 CC_ALLOW_PORTS_UDP. This feature allows access from the countries
	 listed in CC_ALLOW_PORTS to listed TCP/UDP ports. For example, using
	 this, FTP access on port 21 could be restricted to only the specified
	 countries

	 Moved temporary and csf.allow/csf.deny rules from
	 LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new
	 CC_ALLOW_PORTS feature

	 Modified SMTP_PORTS to include ports 465 and 587 on new installations

	 Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks
	 the number of processes with the same session id and if greater than
	 the value set, the whole session tree is terminated and an alert sent
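
Added illustration (not csf's own code, nor part of this changelog) of the two pieces described in the entries above: reading /proc/PID/stat records (the 6.07 fix) and the PT_FORKBOMB check that counts processes per session id. The threshold value, the constructed stat records and the exclusion of session 0 are assumptions of this example:

```python
from collections import defaultdict

# Hypothetical threshold standing in for the PT_FORKBOMB setting in csf.conf
PT_FORKBOMB = 5

# Constructed /proc/PID/stat contents, keyed by PID. Only the leading fields
# are reproduced: "pid (comm) state ppid pgrp session tty_nr tpgid"; the real
# file carries many more fields after these, which this parser never needs.
SAMPLE_STATS = {
    1:    "1 (init) S 0 1 1 0 -1",
    2:    "2 (kthreadd) S 0 0 0 0 -1",
    1000: "1000 (bash) S 999 1000 1000 34816 1005",
    1001: "1001 (bash) R 1000 1001 1000 34816 1005",
    1002: "1002 (bash) R 1001 1001 1000 34816 1005",
    1003: "1003 (bash) R 1001 1001 1000 34816 1005",
    1004: "1004 (bash) R 1002 1001 1000 34816 1005",
    1005: "1005 (bash) R 1002 1001 1000 34816 1005",
    2000: "2000 (my (app)) S 1 2000 2000 34817 2000",
    2001: "2001 (my (app)) S 2000 2001 2000 34817 2000",
}


def parse_stat(text):
    """Parse one /proc/PID/stat record into a dict.

    The command name is split off at the LAST ')' rather than the first,
    because comm may itself contain spaces or parentheses; splitting the
    whole record on whitespace would shift every later field.
    """
    head, _, rest = text.rpartition(')')
    pid_str, _, comm = head.partition(' (')
    fields = rest.split()
    return {
        'pid': int(pid_str),
        'comm': comm,
        'state': fields[0],
        'ppid': int(fields[1]),
        'pgrp': int(fields[2]),
        'session': int(fields[3]),
    }


def sessions_over_limit(stats, limit=PT_FORKBOMB):
    """Group processes by session id and report sessions whose process count
    exceeds `limit`, as {session_id: sorted list of PIDs}.

    Session 0 (kernel threads) is skipped; that exclusion is an assumption
    of this example, not documented csf behaviour.
    """
    by_session = defaultdict(list)
    for text in stats.values():
        proc = parse_stat(text)
        if proc['session'] == 0:
            continue
        by_session[proc['session']].append(proc['pid'])
    return {sid: sorted(pids) for sid, pids in by_session.items()
            if len(pids) > limit}


if __name__ == '__main__':
    for sid, pids in sessions_over_limit(SAMPLE_STATS).items():
        # csf would terminate the whole session tree and send an alert at
        # this point; the example only reports what it would act on.
        print(f"session {sid}: {len(pids)} processes {pids}")
```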

5.73   - Fixed issue with crontab line for TESTING option not being detected
         and removed when TESTING mode is disabled

5.72   - Added missing DD setting in DA and generic installations for ST_DISKW

         Modified IPv6 port settings to reflect IPv4 port settings for new
	 installs in csf.conf

	 If a deleted executable process is detected and reported then do not
	 further report children of the parent (or the parent itself if a child
	 triggered the report) if the parent is also a deleted executable
	 process

	 Parent PID added to PT_DELETED_ACTION parameters

	 In the Server Report allow for spaces before Apache directives

	 Updated instructions for modifying log_selector for exim
	 configurations in readme.txt and Server Report

	 Modify DD calculation for ST_DISKW for disks that report in GB/s

	 Updated to use the new cPanel 11.36+ integrated perl binary if it exists

5.71   - Fixed problem processing dd output for ST_DISKW on some systems

         Fixed dovecot imap login failure regex processing

	 Added regexes for dovecot pop3 and imap raw logs (i.e. not syslog)

5.70   - Fixed an issue with PERMBLOCK introduced in v5.68

5.69   - Fixed duplicate entries in csf.conf on GENERIC installations

5.68   - New feature added - LF_DIST_INTERVAL. This option provides a separate
         timing interval for both LF_DISTFTP and LF_DISTSMTP. By default it is
	 set to 300 seconds

	 Implemented better handling of repeat blocks when an IP is already
	 temporarily or permanently blocked

	 Added missing inclusion of Time::HiRes in csf.pl

	 Silence LF_DISTFTP and LF_DISTSMTP ignored IP logging to lfd.log
	 unless DEBUG enabled

	 Silence DYNDNS IP address updates to lfd.log unless DEBUG enabled

	 RELAYHOSTS setting now defaults to "0" to improve security on cPanel
	 servers

	 Increased default value of DENY_IP_LIMIT to 200

5.67   - Fixed a problem with permanent IP blocking when using LF_SELECT

5.66   - Implemented a new locking system to try to mitigate an iptables bug
         when issuing concurrent iptables commands

	 Implement flushing on the lfd pid file so that it is always accurate

	 Improvements to csf --grep [ip] to escape regular expression matching

	 New feature added - LF_REPEATBLOCK. This option instructs csf to deny
	 an already blocked IP address the number of times set. See csf.conf
	 for more information

	 New feature added - LF_BLOCKINONLY. This option instructs csf to only
	 block inbound traffic from those IPs and so reduces the number of
	 iptables rules, but at the expense of effectiveness. See csf.conf for
	 more information

	 New feature added - ST_DISKW. This option adds disk write performance
	 statistics to the stats graphs. See csf.conf for more information

	 Fixed file location for Debian and derivative OS's for
	 /etc/mysql/my.cnf in Server Check

5.65   - Removed some of the command locking as it was causing hangs

5.63   - Implemented a locking and retry system to try to mitigate an iptables
         bug when issuing concurrent iptables commands

5.62   - Added ModSecurity connection dropping to the LF_MODSEC regex

         Added new option - ETH6_DEVICE. By adding a device to this option,
	 ip6tables can be configured only on the specified device. Otherwise,
	 ETH_DEVICE and then the default setting will be used

	 Added new option - LF_SCRIPT_ACTION. On cPanel servers, this can
	 contain the path to a script that is run whenever LF_SCRIPT_ALERT is
	 triggered

	 Fixed stats graph average calculation and display if average equals 0

	 Split Slow MySQL Queries stats graphs from MySQL Queries

	 Improvements to Apache CPU Usage stats graphs

5.61   - On Debian systems, check for my.cnf in /etc/mysql/my.cnf in Server
         Check

	 Add missing/changed images in the DA/Webmin installs. For webmin, the
	 csf webmin module will need to be reinstalled

	 Another fix for LF_NETBLOCK to skip IPv6 addresses

	 Fixed csf --tempallow where -d [direction] was applying inout when in
	 was requested

	 Fixed UI option "Edit the Log Scanner file (csf.logfiles)" which was
	 incorrectly overwriting csf.dyndns instead of writing to csf.logfiles

	 Changed ETH_DEVICE_SKIP device check from a failure to a warning

	 Skip checks for register_globals and suhosin if running PHP v5.4.* in
	 Server Check report

5.60   - Added new options to include the Spamhaus Extended DROP list. These
         additional netblocks are included in the main Spamhaus chain. The
	 feature uses LF_SPAMHAUS_EXTENDED and LF_SPAMHAUS_EXTENDED_URL which
	 are enabled by default, but used only if LF_SPAMHAUS is enabled. To
	 force a reload of the SPAMHAUS list to include the Extended list,
	 delete /etc/csf/csf.spamhaus file after upgrading to this version and
	 then restart lfd

	 Added new options to allow blocking of TOR Bulk Exit nodes. This works
	 in the same manner as the LF_SPAMHAUS and LF_DSHIELD options. The
	 feature uses LF_TOR and LF_TOR_URL and is disabled by default.
	 Warning: This could block legitimate users who are trying to protect
	 their anonymity, so use with caution

	 Fix LF_NETBLOCK to skip IPv6 addresses, as IPv6 is unsupported there,
	 as has long been stated in csf.conf

	 Added missing </pre> html elements in UI

	 Added unblock button to UI IP searches when the result is either in
	 csf.deny or a temporary block

	 Implemented a locking system to mitigate iptables stability issues
	 when loading concurrent iptables chains in lfd

	 Fixed bug in the display of the 30 days ST_SYSTEM stats

	 Added new option ST_SYSTEM_MAXDAYS. This allows you to define the
	 maximum number of days of stats to collect (default 30 days)

	 Increased stats graph sizes

	 Added CIDR checking of csf.allow to the CLI command csf --deny

	 Added checking of csf.ignore to the CLI command csf --deny

5.59   - Fixed a loop which caused high load when using GLOBAL_IGNORE

         Improvements to GLOBAL_IGNORE load speed and effectiveness

	 Improvements to CC_IGNORE load speed

5.58   - Corrected ST_APACHE error message return text

         Add meaningful message if stats graph generation fails in UI

	 Added new icon in UI for "Quick Allow" that inserts the current
	 visitor's IP address

	 Added new icon in UI for "Quick Ignore" that inserts the current
	 visitor's IP address

	 Replaced some of the included icons

5.57   - Added new option PT_APACHESTATUS to configure the Apache Status URL
         used during the PT_LOAD alert report

	 Added Apache Statistics to ST_SYSTEM. A new option ST_APACHE must be
	 set to collect these statistics and PT_APACHESTATUS must be correctly
	 set. ST_APACHE is disabled by default

	 Modification to SYSLOG option to remove the later introduced "nofatal"
	 option to improve backwards compatibility, also enable the "pid"
	 option to log the process ID

	 Added new options SYSLOG_CHECK and SYSLOG_LOG to check whether syslog
	 is running. See csf.conf for more information. This option is disabled
	 by default, but we recommend that it is enabled on all servers

	 Added SYSLOG_CHECK to Server Check Report recommended settings

5.56   - Improvements to ST_MYSQL password detection in /root/.my.cnf where the
         password is quoted

	 Improvements to the SMTP AUTH regex to cope with differing settings in
	 exim log_selector

	 Removed debugging code in SMTP AUTH regex detection

5.55   - Update Fedora version check now that v17 has been released

         Added MySQL Connection and Thread statistics to ST_MYSQL/ST_SYSTEM

	 Modified Server Check Report for cPanel servers to see whether
	 mod_ruid2 has been enabled, making the Apache suEXEC check moot

	 Improvements to the SMTP AUTH regex to cope with differing settings in
	 exim log_selector

5.54   - Modified ST_MYSQL connection errors to advise disabling ST_MYSQL if it
         is not used

	 ST_MYSQL now disabled by default on new csf installations

5.53   - Added Email Usage to the ST_SYSTEM System Statistics feature when RT_*
         options are enabled

	 Fixed incorrect Min/Max calculations in System Statistics

	 Improvements to Disk Usage stats in System Statistics for some virtual
	 environments

	 Added CPU Temperature to the ST_SYSTEM System Statistics feature when
	 lm-sensors/coretemp installed and enabled (highest core temp recorded)

	 Added MySQL graphs to the ST_SYSTEM System Statistics feature when
	 ST_MYSQL is installed and enabled - requires DBI and DBD::mysql perl
	 modules. Authentication is via new ST_MYSQL* options. The option is
	 enabled on cPanel servers by default, disabled on others

	 Modified stats collection routine to append data to the stats file on
	 each minute interval and to clean up only on lfd startup. This is to
	 help minimise the risk of the stats file being incomplete due to
	 process termination

	 Added new options LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM.
	 This option will keep track of successful SMTP logins. If the number
	 of successful logins to an individual account is at least LF_DISTSMTP
	 in LF_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all
	 of the IP addresses will be blocked. This option can help mitigate the
	 common SMTP account compromise attacks that use a distributed network
	 of zombies to send spam (exim MTA only). Not enabled by default
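
Added illustration (not csf's own code, nor part of this changelog) of the LF_DISTSMTP logic described above: a sliding LF_INTERVAL window per account that fires only when both the hit count and the distinct-IP count are reached. The option values, the exim-style log layout and the sample lines are constructed for this example:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical values standing in for the csf.conf options named in the changelog
LF_INTERVAL = 3600       # seconds the sliding window covers
LF_DISTSMTP = 5          # successful logins to one account within the window...
LF_DISTSMTP_UNIQ = 3     # ...from at least this many distinct IP addresses

# Constructed exim-style main log lines (assumed layout: sending host in
# [brackets] and "A=<authenticator>:<account>" on each authenticated "<=" line).
# alice: one stale login at 09:00 plus five within an hour from three IPs.
# bob: five logins from a single IP. carol: two logins from two IPs.
SAMPLE_LOG = """\
2013-03-01 09:00:00 1UBa01-0001Aa-Aa <= alice@example.com H=(a) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=1200
2013-03-01 10:00:01 1UBa02-0001Aa-Aa <= alice@example.com H=(a) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=1300
2013-03-01 10:00:30 1UBb01-0001Aa-Aa <= bob@example.com H=(b) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=900
2013-03-01 10:00:45 1UBa02-0001Aa-Aa => alice <alice@example.com> R=localuser T=local_delivery
2013-03-01 10:01:10 1UBa03-0001Aa-Aa <= alice@example.com H=(c) [203.0.113.5] P=esmtpa A=dovecot_login:alice@example.com S=1100
2013-03-01 10:01:40 1UBb02-0001Aa-Aa <= bob@example.com H=(b) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=950
2013-03-01 10:02:30 1UBa04-0001Aa-Aa <= alice@example.com H=(d) [192.0.2.44] P=esmtpa A=dovecot_login:alice@example.com S=1250
2013-03-01 10:02:50 1UBb03-0001Aa-Aa <= bob@example.com H=(b) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=910
2013-03-01 10:03:00 1UBa05-0001Aa-Aa <= alice@example.com H=(a) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=1150
2013-03-01 10:03:20 1UBc01-0001Aa-Aa <= carol@example.com H=(e) [198.51.100.20] P=esmtpa A=dovecot_login:carol@example.com S=800
2013-03-01 10:03:40 1UBb04-0001Aa-Aa <= bob@example.com H=(b) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=920
2013-03-01 10:04:15 1UBa06-0001Aa-Aa <= alice@example.com H=(c) [203.0.113.5] P=esmtpa A=dovecot_login:alice@example.com S=1400
2013-03-01 10:04:30 1UBb05-0001Aa-Aa <= bob@example.com H=(b) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=930
2013-03-01 10:05:00 1UBc02-0001Aa-Aa <= carol@example.com H=(f) [203.0.113.77] P=esmtpa A=dovecot_login:carol@example.com S=810
"""

LOGIN_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*? \[(\d{1,3}(?:\.\d{1,3}){3})\] .* A=[^:\s]+:(\S+)'
)


def parse_login(line):
    """Return (epoch seconds, ip, account) for an authenticated submission line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
    return when.timestamp(), m.group(2), m.group(3)


class DistSmtpTracker:
    """Per-account sliding window of (time, ip) for successful logins no older
    than `interval` seconds; fires when hit count and distinct-IP count are both met."""

    def __init__(self, interval=LF_INTERVAL, hits=LF_DISTSMTP, uniq=LF_DISTSMTP_UNIQ):
        self.interval = interval
        self.hits = hits
        self.uniq = uniq
        self.window = defaultdict(deque)   # account -> deque of (ts, ip)

    def feed(self, line):
        """Process one log line. Returns (account, sorted IPs to block) when the
        account's window meets both thresholds, otherwise None."""
        parsed = parse_login(line)
        if parsed is None:
            return None
        ts, ip, account = parsed
        q = self.window[account]
        q.append((ts, ip))
        # Evict logins that have fallen out of the LF_INTERVAL window
        while q and ts - q[0][0] > self.interval:
            q.popleft()
        ips = {hit_ip for _, hit_ip in q}
        if len(q) >= self.hits and len(ips) >= self.uniq:
            q.clear()   # fresh window so the same hits are not reported twice
            return account, sorted(ips)
        return None


def scan(log_text):
    """Run the tracker over a whole log and collect every (account, ips) block decision."""
    tracker = DistSmtpTracker()
    results = (tracker.feed(line) for line in log_text.splitlines())
    return [r for r in results if r is not None]


if __name__ == '__main__':
    for account, ips in scan(SAMPLE_LOG):
        print(f"block {len(ips)} IPs for {account}: {', '.join(ips)}")
```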

	 Modified Server Check Report for cPanel servers to see whether
	 mod_ruid2 has been enabled, making the PHP Handler check moot

	 Modified the ModSecurity regex to cater for the paid Atomic rules
	 Apache error log non-standard format

	 Modified non-cPanel new installs to disable ST_SYSTEM by default

5.52   - Alternative kill and status methods employed for lfd init process on
         Debian/Ubuntu

	 Added new feature: System Statistics. This option will gather basic
	 system statistics. Through the UI it displays various graphs for disk,
	 cpu, memory, network, etc usage. The feature requires the perl module
	 GD::Graph. It is enabled by default with the ST_SYSTEM option

5.51   - Updated Donation buttons

5.50   - Removed check for Melange on cPanel servers from Server Check Report

         Improvements to the cPanel exim SMTP AUTH login failure regex after
	 changes in cPanel v11.32

	 Added exe:/usr/local/cpanel/3rdparty/sbin/mydns to csf.pignore for new
	 installs on cPanel servers

	 Additional cmd/pcmd suggestions added to csf.pignore for new installs
	 on cPanel servers (not enabled)

5.49   - Remove atd from Service Check in Server Check Report

         Ensure all DNS traffic between non-local IP addresses in
	 /etc/resolv.conf is allowed through the firewall when DNS_STRICT_NS is
	 not enabled

	 Added exim to example script pt_deleted_action.pl

	 Added /var/log/cxswatch.log to csf.logfiles for new installations

	 Added new option LF_ALERT_SMTP which allows lfd to be configured to
	 send alert emails via SMTP instead of through the SENDMAIL binary.
	 LF_ALERT_SMTP needs to be set to the name or IP address of the SMTP
	 server to use this feature

	 Added new option CC_DROP_CIDR. Set this option to a valid CIDR to
	 ignore CIDR blocks smaller than this value when implementing
	 CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can help reduce the number of
	 CC entries and may improve iptables throughput

	 Improved installation procedure for checking required perl modules

5.48   - New option LF_QOS added which matches hits against the mod_qos Apache
         module

	 New option LF_CXS added which matches hits against the mod_security
	 Apache module rule for cxs if implemented

5.47   - Improvements to non-core perl module loading

         Improvements to PT_LOAD Apache Status retrieval and messages

	 Regex modifications to cater for Dovecot v2.1+

	 On cPanel servers, block additional ports that exim uses in the WHM >
	 Service Manager for RT_*_BLOCK

5.46   - Modified upgrade warning for integrated UI to not use the DA warning
         text

	 Validate local IP addresses

	 Only check local IPv6 addresses if IPV6 is enabled in config

	 Separate IPv4 from IPv6 ignore CIDRs due to Net::CIDR::Lite
	 restrictions

	 Improvements to ignore files IP address validation

	 Add server check for PHP v5.2.* to the obsolete/security risk list

	 Add server check for RedHat/CentOS v4.* and Fedora < v15 to the
	 obsolete/security risk list

	 Removed server checks for RLimitMEM/RLimitCPU

5.45   - Only log Log Scanner in lfd.log if DEBUG set to 2 to allow empty
         reports if monitoring lfd.log

	 Added new option LF_BOGON_SKIP. If you don't want BOGON rules applied
	 to specific NICs, then list them in a comma separated list

	 Added new option LF_CONSOLE_EMAIL_ALERT which will send an email if
	 there is a root login to the server console. This is enabled by
	 default

5.44   - New feature - Log Scanner. This feature will send out an email summary
         of the log lines of each log listed in /etc/csf/csf.logfiles. All
	 lines will be reported unless they match a regular expression in
	 /etc/csf/csf.logignore

         Set LWP::UserAgent agent to "csf/[version]" instead of the default

5.43   - csf and lfd modified to better handle !lo interface for compatibility
         with newer iptables versions

	 Removed use of Sys::Hostname::Long

	 Added new options LF_APACHE_403 and LF_APACHE_403_PERM. This option
	 will keep track of the number of "client denied by server
	 configuration" errors in HTACCESS_LOG. If the number of hits is more
	 than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be
	 blocked. See csf.conf for more information

5.42   - SECURITY FIX. Anyone running csf on a DirectAdmin server should
         upgrade to this release immediately:

         Add check for successful open of admin.list on DA servers to avoid
         a segfault, which could lead to a buffer overflow

5.41   - Added text description of allow/deny made by cPanel Resellers via UI
         in csf.allow and csf.deny

	 If cPanel UI Resellers email alerts are enabled, a csf grep will be
	 performed before an IP address is unblocked and the output included in
	 the alert email, together with the results of the UNBLOCK

	 If cPanel UI Resellers email alerts are enabled, the results of an
	 ALLOW or DENY will be included in the alert email

	 Added logging of cPanel UI Reseller actions ALLOW/DENY/UNBLOCK to
	 /var/log/lfd.log

	 Update to urlget to not fail on empty file if successfully retrieved

	 Take Integrated UI out of BETA as no reported issues

	 Take csf.redirect out of BETA as no reported issues

5.40   - Added new feature - csf UI Reseller functions for cPanel. See
	 /etc/csf/csf.resellers and WHM UI
	 
	 Improvements to cse Integrated UI

         Modified redundant cPanel function calls in UI

	 Removed ModSecurity functionality in UI

	 Modified WHM UI "Remove Deny" to be "Quick Unblock" that now removes
	 a specified IP address's entries from csf.deny and/or temporary blocks

5.39   - Fixed detection of the nat tables on some Virtuozzo VPS servers

5.38   - Modification to the Integrated UI to allow access to cxs if it is
         installed via UI_CXS

         Include an updated cse with csf for use with the Integrated UI via
	 UI_CSE

	 Added option UI_CIPHER to allow the SSL cipher suite to be set
	 manually for the Integrated UI

	 Added HTTP request internal memory limits to the Integrated UI

5.37   - Added new BETA feature - User Interface. This feature provides a HTML
         UI to csf and lfd, without requiring a control panel or web server.
	 The UI runs as a sub process to the lfd daemon. See csf.conf and
	 readme.txt for information and requirements

	 Fixed issue with RT_* regex routine ignoring 127.0.0.1

	 Fixed detection of DNSONLY cPanel installs

	 Added Security Check on cPanel server checks for disabled "Proxy
	 subdomains" and "Proxy subdomain creation"

	 Added new option LF_CPANEL_ALERT_ACTION. If a LF_CPANEL_ALERT event is
	 triggered, then if LF_CPANEL_ALERT_ACTION contains the path to a
	 script, it will run the script and pass the IP, the username and the
	 DNS IP lookup result as 3 arguments

5.36   - Fix for the lfd child lock mechanism effectiveness

5.35   - Added new BETA feature - Port/IP address Redirection. This feature
         uses the file /etc/csf/csf.redirect to redirect connections from/to
	 IP/port combinations to alternative IP/ports. See readme.txt for more
	 information

         Updated syslog daemon checking in Server Report

         Set PT_DELETED to 0 by default on new installations

	 Improvements to csf startup locking within lfd

	 Improvements to error trapping between csf and lfd

	 Check minimum values for interval settings and set to recommended
	 values if too low during lfd startup to improve stability

	 Added lfd child locks to improve stability due to server or network
	 resource issues or too low an interval setting

	 Updated Sanity Checks for settings

	 lfd will now not start if TESTING is enabled

	 Do not require write permissions to /etc/crontab when no changes
	 required for TESTING mode enable/disable

	 Prevent parricide by lfd children unless required

	 Added nat table check in csf

	 Fixed bug in csf --grep not matching the nat table

5.34   - Improvement to dovecot account name sanitisation checks in lfd

         Modified cronjobs for new installs to be compatible with anacron

	 Added new option CLUSTER_BLOCK which is enabled by default. This
	 allows you to disable automatic sharing of lfd blocks around a csf
	 cluster, e.g. if you only wish to use the CLUSTER option to share
	 settings and manual blocks and allows

	 Added new option RT_ACTION. If an RT_* event is triggered,
	 then if RT_ACTION contains the path to a script, it will be run in a
	 child process and be passed a list of items (see csf.conf - for cPanel
	 and DA only)

	 Fix to DYNDNS Advanced Allow/Deny Filters using pipe separator

	 Set permissions to 700 on *.sh, *.pl and *.php in /etc/csf/ instead of
	 a blanket 600 of non-csf scripts

5.33   - Add link to the Changelog when csf is upgraded

         Extended urlget timeout to 300 seconds to help cope with the large
	 MaxMind City Database download where enabled

	 Include cpdavd login failures for LF_CPANEL. Added port 2077 and 2078
	 to the cPanel block ports when LF_SELECT enabled

	 Disable ftp Server Check reports if ftp server disabled in cPanel
	 
	 Added regex validation to any specified csf.pignore or csf.fignore
	 entries to lfd

	 Updated cPanel tier checks to cope with old STABLE and DNSONLY
	 releases and newer v11.30+

	 Improvement to account name sanitisation checks in lfd

5.32   - AUTO_UPDATES enabled for new installations in csf.conf

         Removed the JS LF_EXPLOIT_CHECK as it is no longer prevalent. If still
	 set in csf.conf it will be ignored

	 Check MESSENGER service to ensure privileges are dropped before
	 starting the daemon

	 Drop privileges when performing removal during LF_DIRWATCH_DISABLE

	 For new installations, IPV6 enabled if IP6TABLES exists and an IPv6
	 address is found in the output from IFCONFIG. IPV6_SPI is set
	 according to the kernel version (i.e. whether SPI is supported or not)

5.31   - Updated the LF_TRIGGER_PERM explanation in csf.conf to properly
         reflect the possible settings of LF_TRIGGER

	 Perform account name sanitisation checks in lfd

5.30   - Fixed a SECURITY BUG that can be exploited remotely via log file
         spoofing resulting in root privilege escalation. Our thanks to Jeff
	 Petersen for reporting this issue

	 All csf users should upgrade to this release immediately

5.22   - New feature: Connection Limit Protection (CONNLIMIT,
         CONNLIMIT_LOGGING). This option configures iptables to offer more
	 protection from DOS attacks against specific ports. It can also be
	 used as a way to simply limit resource usage by IP address to specific
	 server services. This option limits the number of concurrent new
	 connections per IP address that can be made to specific ports. See
	 csf.conf and readme.txt for more information and about the format of
	 the CONNLIMIT option and its limitations

	 Minor csf UI Firewall Configuration virtual pagination improvements

	 Updated cPanel Server Check update settings for v11.30+

	 Removed cPanel Server Check for new versions due to changes in the
	 v11.30+ versioning system making this redundant

	 Updated MySQL Server Check for v5.1.*

	 Added a warning to csf.conf for SYNFLOOD to only enable the option if
	 you know you are under a SYN flood attack as it will restrict all new
	 connections to the server if triggered

5.21   - Added port 500 to DROP_NOLOG for new installations

         Corrected the LF_APACHE_404 lfd log line output

	 Added startup failure on invalid PORTFLOOD settings

	 Make csf.pignore item selector case-insensitive (e.g. exe: and EXE:)

	 All user: item selector examples removed from the default csf.pignore
	 for all new installations (e.g. user:mailman). csf.pignore examples
	 for some common processes can be found here:
	 http://forum.configserver.com/viewtopic.php?f=6&t=2059

	 Updated DA and GENERIC default csf.pignore files for new installations

	 csf UI Firewall Configuration virtual pagination improvements

	 Updated Sanity checks for settings in csf.conf

	 Modified Sanity checks for settings in csf.conf to always show the
	 recommended range in the UI

	 Set LF_GLOBAL to 0 instead of an empty string by default on new
	 installations

	 Added new option LF_LOOKUPS to toggle rDNS IP address lookups

5.20   - Updated installation scripts to distinguish between IPv4 and IPv6 port
         report

	 Modified Virtuozzo VPS numiptent check to distinguish between host and
	 client servers

	 Added exe:/usr/sbin/ntpd to csf.pignore on new installations

	 Don't perform the runlevel check on Debian/Ubuntu servers as it isn't
	 indicative of a potential security issue as with other Linux distros

	 Added new option PT_DELETED_ACTION which, if set to an executable
	 script, will run when PT_DELETED is triggered, passing the process PID,
	 executable and account. An example script is provided in:
	 /etc/csf/pt_deleted_action.pl

	 If CC_LOOKUPS is enabled for the MaxMind City Database then also
	 display the Region, where available

	 Added csf UI Firewall Configuration virtual pagination

	 Rearranged csf.conf for csf UI Firewall Configuration virtual
	 pagination

	 Re-instated sanity check highlights in csf UI Firewall Configuration

	 Improved Server Check recursion checking in included configuration
	 files

	 Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option
	 will keep track of the number of "File does not exist" errors in
	 HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in
	 LF_INTERVAL seconds then the IP address will be blocked. See csf.conf
	 for more information

5.19   - Added stats workaround for February/March calculations

         Added new option CC_IGNORE - this Country Code list will prevent lfd
	 from blocking IP address hits for the listed CC's

	 Reduced CC_* memory usage when loading zones

	 Modified lfd logging for regex.pm and regex.custom.pm login failures
	 to lfd.log to use the return reason from the regex match instead of a
	 generic message. This does mean that the format for these messages has
	 changed

	 DA Server Check for proftpd - check whether pureftp=1 in DA config

	 Replaced IP::Country and Geography::Countries with Geo::IP::PurePerl
	 using the MaxMind GeoLite Country database for CC_LOOKUPS

	 Added new option GUNZIP which is required to expand the MaxMind
	 GeoLite Country database

	 Extended CC_LOOKUPS which can now be configured to report Country Code
	 and Country and City using the MaxMind City Database. See csf.conf for
	 more information

	 Added Donation buttons to csf UI main page

5.18   - Remove RT_POPRELAY_* from csf.conf on DA servers as it does not apply

         Improved Server Check for cPanel Update configuration check
	 
	 Modified csf restart to not start bandmin during the stop phase

	 Modified LF_DIRWATCH to remove dependency on File::Type

	 Modified LF_DIRWATCH for speedups and removed the need for a file size
	 limit

	 Debian v6 support confirmed

	 Added /etc/bind/named.conf.options to the list of named.conf files to
	 check for recursion settings (for Debian)

5.17   - Updated Server Check for cPanel Update configuration check to cater
         for the new format

	 Disable LFD service in DA on uninstall of csf using SED instead of
	 REPLACE

5.16   - Fixed missing perm.png from DA install

         Fixed Temporary IP Entries table headers in UI

	 If DENY_IP_LIMIT is reached, remove excess IPs from iptables as well
	 as csf.deny (previously only removed from csf.deny)

	 csf on cPanel servers automatically re-enables the cPanel Bandwidth
	 chains after iptables is configured. If bandmin is not functioning, or
	 you don't use the bandmin stats, you can disable this new option
	 LF_CPANEL_BANDMIN (enabled by default on cPanel servers)

5.15   - Check for multiple Ports settings for sshd in /etc/ssh/sshd_config
         when the LF_SELECT option is enabled

	 Updated SMTPAUTH regex to detect more login authentication methods

	 Updated AUTHRELAY regex to detect more login authentication methods

	 Added option to UI to permanently block temporarily blocked IPs

5.14   - Updated RELAY regex to detect the dovecot/courier login authentication
         methods on cPanel servers

	 Updated Server Check Report to reflect cPanel/WHM changes in v11.28,
	 including additional checks and updating reference text

	 Added checks to LF_DIRWATCH_FILE to ensure watched resources exist on
	 startup and while running a check. Those that do not exist are ignored
	 and logged in lfd.log

5.13   - Added obsolete OS checks for Fedora v11 and v12, plus RedHat/CentOS v2
         and v3 in Server Check

	 Fixed broken reference URLs in Server Check for cPanel servers

	 Modified statistics to not display pie chart if no data is available

	 Sort LF_DIRWATCHFILE output by time to improve the reported results

	 Added new setting for AT_ALERT to only trigger on modification to the
	 root account (i.e. not all superuser accounts)

	 Tested successfully for support on Fedora v14 and Ubuntu v10.10

5.12   - Added some lfd blocking statistics which can be viewed via the UI.
         Requires gd graphics library and the GD::Graph perl module with all
	 dependent modules

	 Added 8th argument to BLOCK_REPORT for the setting that triggered the
	 block

	 Added setting that triggered a block to lfd log lines

5.11   - Removed erroneous Port Knocking messages in lfd.log when
         PORTKNOCKING_ALERT not enabled

	 Added 'exe:/usr/bin/postgres' to the cPanel csf.pignore for new
	 installations

	 Added retry timeout in WHM UI for checking www.configserver.com for
	 new version information (to avoid repeated hangs when unreachable)

	 Fixed LF_PERMBLOCK issue that flushed all temporary IP blocks, not
	 just the IP being permanently blocked

	 Added check to PHP Server Check that php -i output is complete

5.10   - Always report UID:GID of a DIRWATCH file in case the user account
         owning a reported file no longer exists

	 Report error gracefully on CIDR->add failures and continue

	 Added "query (cache)" check to BIND flooding regex

	 Fix issue with killing Advanced Port blocks using the pipe separator

	 Update warning messages to include xt_owner with ipt_owner

	 Replace URL in Server Check for instructions on disabling IPv6

	 Fixed a bug in LF_CPANEL_ALERT ip address tracking

	 Added new option LF_CPANEL_ALERT_USERS to be used with LF_CPANEL_ALERT
	 to alert for a specified list of WHM/cPanel account logins. See
	 csf.conf for more information

	 Added new feature: Port Knocking. See csf.conf and readme.txt for more
	 information on the PORTKNOCKING, PORTKNOCKING_LOG and
	 PORTKNOCKING_ALERT options

	 Added new UI option: Quick Ignore, for IP addresses

5.09   - Added Server Check report check that klogd is running if using syslogd
         or that klog module is loaded if running rsyslogd

	 Added Server Check report, checks for apache settings: TraceEnable,
	 ServerSignature, ServerTokens and FileETag on cPanel servers

	 Fixed ip6tables IPV6_SPI check warning for older kernels

	 Added instruction to open outgoing TCP6 and UDP6 ports when using an
	 older kernel for ip6tables

	 IPv6 Final (no longer Beta)

	 Added new option LT_SKIPPERMBLOCK. If LF_PERMBLOCK is enabled but you
	 do not want this to apply to LT_POP3D/LT_IMAPD, then enable this
	 option

	 Added new option PT_USER_ACTION. If a PT_* event is triggered, then
	 PT_USER_ACTION will be run in a child process and passed the PID(s) of
	 the process(es)

5.08   - New option CLUSTER_MASTER which is the IP of the master node in a
         cluster allowed to send CLUSTER_CONFIG changes. This must be set in
	 order to use CLUSTER_CONFIG options

	 Added new Cluster CLI option --cfile (-cf) for sending a file to
	 cluster members. The file will only be uploaded to the /etc/csf/
	 directory

	 Added new Cluster CLI option --crestart (-crs) to initiate a restart
	 of csf and lfd on all cluster members

	 Removed CLI option -ccr, --cconfigr [name] [value] in favour of the
	 new --crs, --crestart option

	 Modified regular expressions to cater for RFC3339 date format in log
	 files. For example, RFC3339 date format used by default in rsyslog on
	 CentOS v5.5

5.07   - Fixed bug introduced in v5.04 that omitted two outgoing DNS lookup
         rules that could affect servers where iptables connection tracking
	 isn't working correctly

5.06   - Increased PT_USERMEM default to 200 from 100 for new installations

         Fixed bug introduced in 5.04 when checking the GLOBAL_ALLOW list for
	 report generation in lfd which caused lfd to fail in Net::CIDR::Lite

5.05   - Updated the Server Check report IPv6 text

         Fixed ip6tables command execution in iptables firewall during startup

5.04   - Added BETA IPv6 support. See csf.conf for more information on the new
         settings: IPV6 IP6TABLES IPV6_ICMP_STRICT IPV6_SPI TCP6_IN TCP6_OUT
	 UDP6_IN UDP6_OUT

         New CLI option csf --status6 (csf -l6) added to list ip6tables rules

         Changed temporary DENY and ACCEPT working file formats to use a
	 different record separator to cater for future IPv6 support

	 Advanced Allow/Deny Filters now use | as the separator character to
	 cope with IPv6 addresses. Legacy support remains for the old :
	 separator for IPv4 addresses, though these should also now use | as
	 the field separator

	 In Server Check report, don't issue IPv6 warning if only ::1/128 is 
	 bound to a NIC (i.e. loopback)

	 Upgraded Net::CIDR::Lite to v0.21

	 Upgraded from IP::Country to Geography::Countries

5.03   - Added new option LF_DISTATTACK_UNIQ so that you can specify how many
         unique IP addresses are required to trigger LF_DISTATTACK

	 Added new options LF_DISTFTP, LF_DISTFTP_UNIQ and LF_DISTFTP_PERM.
	 This option will keep track of successful FTP logins. If the number of
	 successful logins to an individual account is at least LF_DISTFTP in
	 LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of
	 the IP addresses will be blocked. This option can help mitigate the
	 common FTP account compromise attacks that use a distributed network
	 of zombies to deface websites

	 Changed DA default configuration of FTPD_LOG to "/var/log/secure"

5.02   - Added new options X_ARF, X_ARF_FROM and X_ARF_TO which allows sending
         X_ARF reports (see http://www.x-arf.org/specification.html). See
	 csf.conf for more information

         Added new options SMTP_ALLOWUSER and SMTP_ALLOWGROUP so that users and
	 groups that can bypass SMTP_BLOCK can be easily added. These default
	 to the original values previously hard-coded
	 
	 Modified SMTP_ALLOWLOCAL to use the loopback device (lo) instead of
	 127.0.0.1 to cater for multiple loopback devices and to allow
	 connections to locally configured IPs as well

	 Modified lfd code to ignore any 127.0.0.0/8 address not just 127.0.0.1

	 Added new option CLUSTER_LOCALADDR to send out cluster requests on an
	 IP other than the default IP

	 Added lfd check to enforce 0600 permissions on /etc/csf/

5.01   - Added a new 7th argument to BLOCK_REPORT that includes the log lines
         that triggered the block (excludes LF_NETBLOCK and LF_PERMBLOCK)

	 Added new CLI option csf --tempallow (csf -ta) which works in exactly
	 the same way as csf --tempdeny (csf -td) except it provides a method
	 of temporary IP allows for a given duration. csf -t, csf -tf and
	 csf -tr now apply to both deny and allow entries

	 Allow the use of a duration suffix in csf -ta and csf -td for m, h and
	 d (minutes, hours and days). Only one suffix allowed and only integers

	 Updated UI entry for adding and removing temporary allows and blocks

	 Display temporary block TTL in days hours minutes and seconds

	 Added new CLI option csf --watch [ip] (csf -w [ip]) and configuration
	 option WATCH_MODE. This new option logs SYN packets from a specified
	 source as they traverse the iptables chains. This can be extremely
	 useful in tracking where that IP is being DROPed or ACCEPTed by
	 iptables. See readme.txt for more information

	 Modified csf and lfd init scripts to be LSB-compliant

	 Modified BOGON/DSHIELD/SPAMHAUS block list retrieval to only download
	 the list if it has not already been retrieved within the configured
	 interval. This is to help prevent blacklisting by the list provider
	 for repeated downloads after frequent lfd restarts

	 Fixed problem with csf -q and csf -sf not restarting the firewall if
	 there was a previous startup error

5.00   - lfd Clustering, final release. This new set of options (CLUSTER*) in
	 csf.conf allows the configuration of an lfd cluster environment where
	 a group of servers can share blocks and, via the CLI, configuration
	 option changes, allows and removes. See the readme.txt file for more
	 information and details, setup and security implications

	 Added new option LF_DISTATTACK. Distributed Account Attack detection.
	 This option will keep track of login failures from distributed IPs to
	 a specific application account. If the number of failures matches the
	 trigger value, ALL of the IP addresses involved in the attack will be
	 blocked. This option is currently disabled by default - see csf.conf
	 for more information
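
The LF_DISTATTACK entry above and the LF_DISTFTP / LF_DISTATTACK_UNIQ entries
under v5.03 describe the same sliding-window test: count events against one
account within LF_INTERVAL seconds, and block every source IP involved once
both the hit count and the distinct-IP count are reached. The following
Python script is an added example that reproduces that logic; it is not
csf/lfd code (lfd is Perl and reads syslog-style lines through regex.pm). The
log format "<epoch> <EVENT> user=<account> ip=<ip>" and the sample lines are
constructed for the example; "FAILED" events model LF_DISTATTACK and "LOGIN"
events model LF_DISTFTP.

```python
"""Distributed account attack detection in the style of lfd's LF_DISTATTACK
and LF_DISTFTP options (added example; not code from csf/lfd)."""
import re
from collections import defaultdict, deque

# Constructed log format for this example. Real lfd matches real log files
# through its regex.pm patterns; this shape is an assumption to keep the
# example self-contained.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>FAILED|LOGIN) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

SAMPLE_LOG = """\
1700000000 FAILED user=bob ip=203.0.113.5
1700000030 FAILED user=bob ip=198.51.100.7
1700000060 FAILED user=alice ip=192.0.2.9
1700000090 FAILED user=bob ip=203.0.113.5
1700000100 FAILED user=alice ip=192.0.2.9
1700000120 FAILED user=bob ip=192.0.2.44
1700000130 FAILED user=alice ip=192.0.2.9
1700000150 FAILED user=bob ip=198.51.100.7
1700000160 FAILED user=alice ip=192.0.2.9
1700000170 FAILED user=alice ip=192.0.2.9
1700000200 FAILED user=carol ip=203.0.113.1
1700000500 LOGIN user=dave ip=203.0.113.10
1700000560 LOGIN user=dave ip=198.51.100.20
1700000620 LOGIN user=dave ip=192.0.2.30
1700001000 FAILED user=carol ip=203.0.113.2
1700002000 FAILED user=carol ip=203.0.113.3
1700003000 FAILED user=carol ip=203.0.113.4
1700004000 FAILED user=carol ip=203.0.113.5
"""


class DistributedAccountTracker:
    """Sliding-window counter of events per account, keyed by source IP."""

    def __init__(self, interval, trigger, unique_ips):
        self.interval = interval        # LF_INTERVAL-style window in seconds
        self.trigger = trigger          # LF_DISTATTACK / LF_DISTFTP hit count
        self.unique_ips = unique_ips    # LF_DISTATTACK_UNIQ / LF_DISTFTP_UNIQ
        self.events = defaultdict(deque)  # account -> deque of (ts, ip)

    def observe(self, account, ip, ts):
        """Record one event; return the sorted IPs to block, or None."""
        window = self.events[account]
        window.append((ts, ip))
        # Drop events that have fallen outside the interval.
        while window and ts - window[0][0] > self.interval:
            window.popleft()
        ips = {src for _, src in window}
        if len(window) >= self.trigger and len(ips) >= self.unique_ips:
            window.clear()  # the block is issued once; start a fresh window
            return sorted(ips)
        return None


def scan(lines, event, interval, trigger, unique_ips):
    """Feed lines of one event type through the tracker.

    Returns {account: [ip, ...]} for each account that tripped the trigger.
    An account with many hits from a single IP never trips it; that case is
    left to the ordinary per-IP LF_* limits.
    """
    tracker = DistributedAccountTracker(interval, trigger, unique_ips)
    blocks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != event:
            continue
        hit = tracker.observe(m["user"], m["ip"], int(m["ts"]))
        if hit and m["user"] not in blocks:
            blocks[m["user"]] = hit
    return blocks


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # LF_DISTATTACK-style: 5 failures in 300s from at least 3 IPs
    print(scan(lines, "FAILED", interval=300, trigger=5, unique_ips=3))
    # LF_DISTFTP-style: 3 successful logins in an hour from 3 IPs
    print(scan(lines, "LOGIN", interval=3600, trigger=3, unique_ips=3))
```

In the sample, bob is hit five times from three addresses inside the window
and every one of those addresses is returned; alice has five failures from a
single IP and is not a distributed case; carol's failures are spread too far
apart to ever fill the window.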

	 Added new option PT_USERKILL_ALERT if you want to disable email alerts
	 for PT_USERKILL triggers. This option is enabled by default, i.e.
	 alerts are sent

	 Added new options LF_QUICKSTART in csf.conf and CLI options -q,
	 --startq, -sf, --startf to allow deferral of csf startup to lfd
	 instead of waiting for the CLI to perform the work. See the CLI help
	 and csf.conf for more information

	 Added UI option for "Firewall Quick Restart" which uses csf -q,
	 "Firewall Restart" uses csf -sf

	 lfd now restarts csf (if stopped and LF_CSF enabled) within the main
	 process to enhance the integrity of the firewall

	 Multiple login failure regex detection improvements

	 Fixed typos in permblock.txt

4.99   - Improved csf locking to enhance the integrity of the firewall

         Log lfd csf deny failures

	 New SSHD regex added

	 Improved the dovecot regexes

	 New Beta option: lfd Clustering. This new set of options (CLUSTER*) in
	 csf.conf allows the configuration of an lfd cluster environment where
	 a group of servers can share blocks and, via the CLI, configuration
	 option changes, allows and removes. See the readme.txt file for more
	 information and details, setup and security implications

4.89   - New SSHD regex added

         Added Server Check to check whether SSHD UseDNS is set to "no" - it
	 should be disabled

	 Added an Important Note to the readme.txt regarding the sshd UseDNS
	 setting

	 Speedup for LF_DIRWATCH regex matching

4.88   - Fixed URLs in Server Check report for cPanel if Security Tokens are
         enabled in v11.25+

	 Added ipv6 explanation that the information is determined from the
	 output from ifconfig and display ipv6 addresses found

	 Added the ability to use Include statements in csf.deny and csf.allow,
	 see readme.txt for information and restrictions

4.87   - Ignore csf.rignore for LT_POP3D and LT_IMAPD

         Removed unnecessary csf.locks during some GLOBAL list updates

	 Updated Copyright notice

	 Modified the block message for LF_MODSEC and LF_SUHOSIN to be more
	 appropriate (i.e. not "login failures")

	 Added new block options for BIND denied requests: LF_BIND,
	 LF_BIND_PERM, BIND_LOG. This works in the same way as the other
	 similar blocks, e.g. LF_SUHOSIN. It will block IP addresses that have
	 had BIND (named) requests denied more than LF_BIND times in
	 LF_INTERVAL seconds. Currently named client denied log lines for
	 "update" and "zone transfer" trigger the option

	 Modified GLOBAL_ routines to continue if retrieval for one fails
	 instead of immediately exiting

	 Added IPv6 check to Server Check

	 Display DNS lookup results for IP addresses if CC_LOOKUPS is enabled
	 on single line comments (lfd.log, csf.deny, etc)

	 Added new options LF_PERMBLOCK_ALERT and LF_NETBLOCK_ALERT so that the
	 respective email alerts can be disabled

	 Updated IP::Country

4.86   - Added Dovecot regex checking for LT_POP3D and LT_IMAPD

	 Modified Server Check for Fedora v10 EOL now that Fedora v12 has been
	 released

	 Improved Dovecot IMAP and POP3D login failure regex

	 Ignore RELAYHOSTS setting for LT_POP3D and LT_IMAPD

	 Fixed TLSCipherSuite Server Check for proftpd

	 Added SSHD regex for "Did not receive identification string from IP"
	 failures

4.85   - Further improvements to ICMP rule filters

         Added backup mod_security log viewer for non-cPanel servers

4.84   - Mod_security log viewer removed from csf in favour of cmc

         Improved ICMP rule filters. This could help some hosts that experience
	 connection issues with csf

	 Added ICMP regex checking to Port Scan Tracking. Add ICMP to PS_PORTS
	 to include this, i.e. to Port Scan for all ports use:
	 PS_PORTS = "0:65535,ICMP"
	 This is now the default on new installations

4.83   - Added multiple checks to the Server Check for new cPanel v11.25 
         security settings

	 Tidied up and rearranged the main UI
	 
	 Removed redundant UI options

	 Added total perm bans to UI

4.82   - Removed the need for UI lfd cron restart jobs on Direct Admin

4.81   - Fixed case sensitivity issue introduced in v4.80 with port specific
         lfd deny lines being ignored

4.80   - Modified WHM login regex to only trap successful root page displays
         for LF_CPANEL_ALERT

         Apache status for PT_LOAD now checks http://127.0.0.1/server-status on
	 GENERIC/DA servers. You need to ensure that the server-status page
	 has access from 127.0.0.1 in the apache server-status Location
	 container

	 Extended SU log file regex for Debian servers

	 Sanitise UI file edit HTML output

	 Improvements to the removal of alternative firewalls script

	 Added new options GLOBAL_DYNDNS, GLOBAL_DYNDNS_INTERVAL and
	 GLOBAL_DYNDNS_IGNORE which provide for retrieval of a global DYNDNS
	 list via URL

	 Improved firewall log lines detection for PS_INTERVAL and ST_ENABLE,
	 especially on Debian

	 Improved detection of already blocked IP addresses

4.79   - Withdrawn

4.78   - Modified DA installation to overcome permissions problems on some
         systems preventing the UI from working

4.77   - Expanded dovecot regex matching

         Fixed the generic installation to install regex.custom.pm

4.76   - Added check for FrontPage extensions to Server Check as they should be
         considered a security risk as they were EOL in 2006

	 Added support for the impending cPanel v11.25 Security Tokens feature

4.75   - Added a [block] section to the Login Failure alert.txt template. This
         new report template will be copied to /etc/csf/alert.txt.new on
	 existing installations, rename it to alert.txt to use it

	 Modified existing lfd alerts to use currently used tags instead of
	 appending block information to the IP address (alert.txt modified as
	 above)

	 Added new RT_LOCALHOSTRELAY_* trigger options to csf.conf for email
	 sent via a local IP address, separating the trigger from
	 RT_LOCALRELAY_* which is now only for /usr/sbin/sendmail. See csf.conf
	 for more information

	 Added Relay Tracking to Direct Admin running exim. See RT_* and
	 SMTPRELAY_LOG in csf.conf for more information

	 Added csf.mignore to allow ignoring of specified usernames or local IP
	 addresses from RT_LOCALRELAY_ALERT

	 Modified csf UI to use a single dropdown for all lfd ignore files

	 Added proftpd regex matching for "UseReverseDNS on" in proftpd config

4.74   - Removed FUSER from csf.conf as it is no longer used

         Added UNZIP to csf.conf which is required for Country Code to CIDR
	 functions

	 Modified the Country Code allow/deny/allow_filter feature to generate
	 CC CIDRs from the Maxmind GeoLite Country database instead of using
	 iplocationtools.com. Note: GeoLite is much more accurate than the
	 previous zones used. This also means that there are usually more CIDRs
	 for each CC which adds to the burden of using this feature

4.73   - Added checks before Net::CIDR::Lite calls to ensure inputs are CIDRs
         to prevent module failures

	 New feature - LF_CPANEL_ALERT. Send an email alert if anyone accesses
	 WHM via root. An IP address will be reported again 1 hour after the
	 last tracked access (or if lfd is restarted)

4.72   - Modified mail sending code to use a common procedure that copes better
         with differing combinations and variations of From:, To:, LF_ALERT_TO
	 and LF_ALERT_FROM settings for lfd alerts

4.71   - Code speedups in csf --grep

         Added csf.allow and GLOBAL_ALLOW lookups during lfd blocking and note
	 added to alert if ip match found

	 Modified Server Check for Fedora v9 EOL now that Fedora v11 has been
	 released

	 Modified iptables output from csf.pl to exclude the Fedora v11
	 intrapositioned negation messages

	 Fixed typo in integrity.txt alert template for new installations

	 Modified the email header for csf --mail

	 Fix Relay Tracking from 127.0.0.1 to always report as a LOCALRELAY

	 Modified lfd output filehandle names to avoid read/write conflicts

	 Added Advanced Allow/Deny Filters for csf.dyndns. See readme.txt for
	 an example

	 Added new option CC_ALLOW_FILTER as an alternative to CC_ALLOW where
	 only listed Country Codes are allowed, however normal port and packet
	 filter rules are still applied to those connections. All other
	 connections are dropped

4.70   - Modified UI access to csf.sips to display checkboxes instead of direct
         editing, for ease of use

	 Fixed problem where RELAYHOSTS setting wasn't always being honoured

	 Modified mod_security configuration editor to handle HTML elements

	 Rewritten RT_*_ALERT regex and counting code to better deal with a
	 variety of exim log output formats
	 
	 Added recipient count to RT_*_ALERT to include emails sent to multiple
	 recipients. This option requires that the exim log_selector setting in
	 the exim configuration includes the option: +received_recipients
	 So, the recommended log_selector setting is now:
	   log_selector = +subject +arguments +received_recipients

	 Modified Server Check cPanel version check to cater for x86_64 OSes

	 Added check to prevent Server Check mail report cron duplicates

	 Added abbreviated UI for mobile phone access to Quick Allow, Quick
	 Deny and Remove Deny. Direct URLs:
	   cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1
	   DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1
	   Webmin: https://1.2.3.4:10000/csf/?mobi=1

4.69   - Added Gentoo (generic) support

         Added Server Check for MySQL LOAD DATA LOCAL

	 Modified Server Check for enable_dl to also check whether dl is in
	 disable_functions

4.68   - Added ipv6 IP detection for proftpd login failures

         Removed ossec and webmin from the Server Check services section

4.67   - Modified the Country Code allow/deny feature to use
         iplocationtools.com now that ipdeny.com has gone offline

4.66   - Modified OS version check to prevent Fedora v10 obsolete
         false-positive in Server Check

	 Modified the exim SMTP AUTH regex to use the latest cPanel/exim format

	 Added failure notification for DYNDNS entry lookups in lfd if they
	 fail to resolve or timeout

4.65   - Modified Firewall Security Level UI to set PS_LIMIT within range

         Fixed problem processing template for SU_ALERT

	 Empty csf.dshield on upgrade to work around problem where DSHIELD
	 blocked themselves in their own BLOCK list

4.64   - Removed SMTP_BLOCK warning on VPS servers where ipt_owner doesn't work
         if SMTP_BLOCK isn't actually enabled

	 Added new CLI option (csf -uf) which forces an update of csf+lfd

	 Added new CLI option (csf -df) which removes and unblocks all entries
	 in /etc/csf.deny (excluding those marked "do not delete")

	 Added new UI option that removes and unblocks all entries in csf.deny
	 (excluding those marked "do not delete") and all temporary IP bans

	 Added csf file names to the csf UI options

4.63   - New feature - Added new CLI option: csf --mail (or csf -m) which can
         take an email address as an argument. It will display the Server Check
	 in HTML or send the output to the email address if present

	 Added option to UI Server Check to schedule csf to generate the report
	 and email the results to the address specified at the interval specified

         Removed MySQL check from cPanel DNSOnly Server Check

         Updated the perl v5.8.8 Server Check comment

	 Fixed sanity check for RT_*_BLOCK

	 Fixed copy of install.txt for generic installs and upgrades

	 Modified UI for Deny Servers IPs > Change to indicate that csf needs
	 restarting, not lfd

	 Added built-in replacement function for the Messenger Service message
	 files for [HOSTNAME] which will be replaced by the server's FQDN
	 hostname. Updated the sample Messenger index templates

	 Updated the uninstall scripts to remove the cronjob and logrotate
	 files

	 Added colour highlights to the Quick Allow and Quick Deny UI boxes

4.62   - Fixed problem with SU_ALERT alert report in v4.61

         Modified the Server Check for cPanel update settings to check for
	 daily updates more accurately

	 Added Server Check for cPanel tree

	 Upgraded IP::Country

	 New feature - Added sanity check to configuration values in csf, UI
	 Server Check and UI Firewall Configuration. In the UI Firewall
	 Configuration: lines highlighted in red fall outside the recommended
	 range; lines highlighted in pale green differ from the default on
	 installation

	 Added cPanel Security Check to check that at least one configured
	 nameserver is on a different server

	 Added proftpd checks to csf (for VPS servers) and in Server Check

	 Added DirectAdmin Checks to UI Server Check for: SSL login to DA;
	 proftpd cipher; nameserver on a different server; PHP version and
	 configuration checks; Apache version; dovecot cipher

	 Removed resolv.conf localhost check

4.61   - Modified lfd iptables command error handling to log errors and
         continue instead of terminating when in TESTING mode

	 Removed loading of iptables modules from csftest.pl to avoid modprobe
	 problems with some OS kernels

	 Added Connection Tracking check for pre-existing block to cater for
	 linux connection status timeouts

	 Moved LF_CSF check to the start of the lfd processing interval

	 New option LF_ALERT_FROM. If set, the value of this option will
	 override the From: field in all of the lfd alert templates. This
	 change also uses the From: field in the template (or this option if
	 set) as the value for the SENDMAIL -f option

	 Modified POP/IMAP Server Checks for the chosen mail server only on
	 cPanel servers
	 
	 Modified FTP Server Checks for the chosen ftp server only on cPanel
	 servers

	 Added SMTP Tweak to Server Check on cPanel servers and removed block
	 on csf starting if enabled

4.60   - Modified cipher checks to strip out quotes

         Modified Apache cipher message to remind that you have to rebuild the
	 Apache configuration and restart for changes to be effective

4.59   - Added proftpd regex for Plesk server log file format

         Modified the Server Check cipher checks for pure-ftpd and Apache to use
	 openssl to ensure SSLv2 is disabled

	 Added cPanel Server Check checks for dovecot, courier-imap IMAP and
	 POP3D SSL cipher list

	 New option SAFECHAINUPDATE added. If enabled, all dynamic update
	 chains (GALLOW, GDENY, SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY,
	 ALLOWDYN) will create a new chain when updating, and insert it into
	 the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the
	 old dynamic chain and rename the new chain. See csf.conf for more
	 information. This option is disabled by default, but we do recommend
	 that it is enabled on non-VPS servers with restrictive numiptent
	 values
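
The SAFECHAINUPDATE entry above describes the order of operations that
avoids a window in which a dynamic chain such as GDENY or SPAMHAUS has been
flushed but not yet repopulated. The Python script below is an added example
that plans that sequence as a list of iptables commands and contrasts it with
the flush-in-place approach; it is not csf's own code. The temporary chain
name (the old name with a "NEW" suffix), the sample rule specifications and
the chain names used in the usage call are assumptions made for the example.

```python
"""Gap-free replacement of a dynamic iptables chain, after the sequence the
SAFECHAINUPDATE option describes (added example, not csf's own code).
The planner returns the commands rather than running them, so the order
can be reviewed or dry-run without touching a live firewall."""
import shlex
import subprocess


def safe_chain_update(chain, parent, rules, binary="iptables"):
    """Return the ordered commands that swap `chain` under `parent`.

    chain  : dynamic chain being refreshed, e.g. "GDENY"
    parent : chain the jump hangs off, e.g. "LOCALINPUT" or "LOCALOUTPUT"
    rules  : rule specifications for the new chain, e.g. ["-s 192.0.2.0/24 -j DROP"]
    binary : "iptables" or "ip6tables"
    """
    new = f"{chain}NEW"  # temporary name; the suffix is this example's choice
    cmds = [[binary, "-N", new]]
    # 1. Populate the replacement chain before anything jumps to it.
    for spec in rules:
        cmds.append([binary, "-A", new, *shlex.split(spec)])
    # 2. Insert the jump to the new chain in the parent. From this point
    #    traffic is matched by the new rule set, so the old chain can go.
    cmds.append([binary, "-I", parent, "-j", new])
    # 3. Detach, flush and delete the old chain, then give the new chain
    #    the old name so later updates (and csf -l output) see the usual name.
    cmds.append([binary, "-D", parent, "-j", chain])
    cmds.append([binary, "-F", chain])
    cmds.append([binary, "-X", chain])
    cmds.append([binary, "-E", new, chain])
    return cmds


def naive_chain_update(chain, rules, binary="iptables"):
    """Flush-in-place variant: between the -F and the last -A the chain
    matches nothing, which is the gap SAFECHAINUPDATE closes."""
    cmds = [[binary, "-F", chain]]
    for spec in rules:
        cmds.append([binary, "-A", chain, *shlex.split(spec)])
    return cmds


def first_unprotected_step(cmds, chain):
    """Index of the first command that empties `chain` while it is still the
    only copy of the rule set, or None if the plan never does that."""
    attached_new = False
    for i, c in enumerate(cmds):
        if c[1] == "-I":
            attached_new = True
        if c[1] == "-F" and c[2] == chain and not attached_new:
            return i
    return None


def apply(cmds, dry_run=True):
    """Execute the plan in order, stopping at the first failure."""
    for c in cmds:
        if dry_run:
            print(shlex.join(c))
        else:
            subprocess.run(c, check=True)


if __name__ == "__main__":
    # Constructed rule set; real chains are filled from the GLOBAL_/CC_ lists.
    sample_rules = ["-s 192.0.2.0/24 -j DROP", "-s 198.51.100.0/24 -j DROP"]
    apply(safe_chain_update("GDENY", "LOCALINPUT", sample_rules))
```

During the swap both the old and the new chain exist, so the rule count is
briefly doubled; that is the reason the page recommends the option only
where a restrictive numiptent limit on a VPS will not be hit.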

	 Added SAFECHAINUPDATE to the firewall Server Check (except for
	 Virtuozzo VPS servers)

	 Modified Server Check on cPanel to make the PHP v4 warning clear and
	 to warn where PHP v5 and v4 have both been compiled (PHP v4 is
	 obsolete and should not be used at all anymore)

	 Added WHM checks for skipparentcheck and cpsrvd-domainlookup to
	 Security Check

	 New option LF_ALERT_TO. If set, the value of this option will override
	 the To: field in all of the lfd alert templates

4.58   - Modified exim cipher check in Server Check to use openssl to test the
         expanded configured cipher suites to ensure SSLv2 is disabled

4.57   - Improved exim configuration option detection in Server Check

         Added Exim Configuration checks to DirectAdmin Server Check

         Modified csftest.pl to perform a modprobe on all used iptables modules
         before testing

	 Added PASV port hole warning on VPS servers to the output of csf on
	 start and to the cPanel (if using pure-ftpd) Server Check

	 Added lfd to the DirectAdmin Service Monitor

	 Added back a revised Firewall Security Level option to UI

4.56   - Added TCP_OUT port 2222 for the DA default configuration for new
         installations

	 Added ICMP protocol to Advanced Allow/Deny Filters. See readme.txt for
	 more information and examples

	 Updated readme.txt to reflect the Control Panel UI availability for
	 cPanel, DirectAdmin and Webmin

	 Modified mod_security configuration file check to the TLD only of
	 /usr/local/apache/conf/ and only files ending in .conf

4.55   - Fixed issue with csf.conf not being loaded for the Server Check Report

         Removed erroneous chkconfig check from Server Check Report

	 Disabled various checks in Server Check Report for non-cPanel servers

	 Modified Debian/Ubuntu init entry creation and removal procedure

	 Modified Server Check to search for multiple named.conf locations

4.54   - Bug fix to Exploit Check code

         Fixed problem with iptables logs not being collated if PS_INTERVAL is
	 disabled but ST_ENABLE is enabled

	 Fixed potential problem with SMTPRELAY_LOG not being scanned when
	 RT_RELAY_ALERT, RT_AUTHRELAY_ALERT or RT_POPRELAY_ALERT enabled

4.53   - Upgraded the csf Webmin UI module to the new csf UI and added
         installation/upgrade instructions to the install.txt for Webmin

	 Fixed image locations and javascript in DA and webmin UI

	 Updated the uninstall scripts and the uninstall section of install.txt

4.52   - Reverted lfd signalling on cPanel servers to allow UI restarts of lfd

         Added warning in DA UI to upgrade csf from the root shell due to
	 restrictions in DirectAdmin

	 NOTE: DA users should upgrade csf to this version from the root shell
	 using "csf -u" and not use the Upgrade button in the UI

4.51   - Fixed csf --upgrade (csf -u) for DA installations

4.50   - Added restrictions information regarding the PORTFLOOD setting and
         ipt_recent to readme.txt (i.e. hit count max is 20)

	 Modular development of csf UI

	 Added DirectAdmin UI and installation support for csf/lfd

	 Added Statistics options (ST_ENABLE, etc) to generic csf installation

	 Added SMTP options (SMTP_BLOCK, etc) to generic csf installation

	 Removed pre-configured firewall settings through UI for redevelopment
	 as it has become out-dated

	 Modify csf UI to signal lfd to start/restart/enable only. A one
	 minute cron job will actually perform the signalled function. The CLI
	 is unaffected and performs the command immediately. This is introduced
	 to overcome fork issues from within an Apache session

4.41   - Added information about running external iptables commands using
         csfpre.sh and/or csfpost.sh to readme.txt

	 Added new CLI option csf --addrm (csf -ar) to remove an IP address
	 from csf.allow and delete the associated iptables rules

	 Removed the need for the MONOLITHIC_KERNEL option and made modprobe
	 perform silently on csf startup. Added the relevant information
	 regarding some Monolithic kernels and the need for a PASV port range
	 hole to readme.txt

	 Added timeout to csf modprobe to avoid startup hanging on buggy
	 kernels

4.40   - Added workaround for php --info bug in Server Report when checking PHP
         configuration settings

	 Modified LF_INTEGRITY to regenerate the md5sum comparison file
	 immediately after a match is found instead of waiting for the next
	 cycle

	 Fixed LF_INTEGRITY aborting if the temporary md5sum file is empty

4.39   - Updated csf.conf to clarify that LF_PERMBLOCK_COUNT and
         LF_NETBLOCK_COUNT will act if more than the number of hits are
	 detected, not on the exact number set

	 Modified csf WHM UI to use csf -u to upgrade csf when a new version is
	 available

	 Added new script /etc/csf/csftest.pl which will test the server's
	 iptables modules for functionality. The tests are for the required
	 iptables modules and the optional modules for the SMTP_BLOCK,
	 PORTFLOOD and MESSENGER features. This adds a useful diagnostic tool
	 for kernel/iptables problems and to check whether the features above
	 will function

	 Added csf WHM UI option to run csftest.pl

	 Updated the csf install.txt to run csftest.pl before running up csf

4.38   - Improved detection of working ipt_owner iptables module on VPS servers
         such that if ipt_owner does not work SMTP_BLOCK and UID/GID blocks
	 will be automatically disabled and csf will continue to start

4.37   - Default setting for ICMP_OUT_RATE set to 0 - this is the recommended
         setting for cPanel servers which use ping times to determine fastest
	 mirrors for various update functions

         Modified PT_LOAD_ACTION code to stop duplicate load emails from being
	 sent by lfd

	 Moved ETH_DEVICE_SKIP to the top of the INPUT/OUTPUT chains

	 Allow enabling of SMTP_BLOCK and use of UID/GID advanced port filter
	 rules on VPS servers as ipt_owner is now apparently supported on the
	 latest kernels. However, if the latest kernel isn't being used or the
	 VPS host hasn't included the ipt_owner iptables module for the client
	 VPS, then csf will fail with an error

4.36   - Modified Process Tracking to allow regex exceptions in csf.pignore for
         deleted executable processes

4.35   - Modified regex.pm detection of iptables kernel log lines to cater for
         alternative formatting

	 Restored the substitution of the NULL separator with spaces for the
	 /proc/PID/cmdline in Process Tracking

4.34   - Added code to Process Tracking to translate non-printable characters to
         especially help detect and report deleted executable file processes

	 WARNING: Removed hard-coded exceptions for spamd, cpanellogd, cpdavd
	 and awstats.pl from lfd.pl. If you want to ignore such processes for
	 Process Tracking, you will need to add appropriate ignore rules to
	 csf.pignore for them

4.33   - Disable ST_LOOKUP by default on new installations

         Modified lfd stats performance when ST_LOOKUP is enabled and added a
	 warning for this setting to csf.conf for when DROP_IP_LOGGING is
	 enabled

4.32   - Modified the su tracking regex to better trap RHE/CentOS v5 su login
         attempts

	 Added a Server Check for "FTP Logins with Root Password"

	 Added new WHM UI option to display Last X iptables Log Lines. Note
	 that the report will only display log lines since this update. The
	 new statistics will be expanded in future developments. Added new ST_*
	 options to the cPanel csf.conf to control the recording of stats

	 Removed fwlogwatch from distro and will use self-produced reports

4.31   - Added warning for those that enable PT_USERKILL in csf.conf - i.e. It
         is not a good idea to use that option

	 Modified PT_USERKILL to not kill (deleted) processes (these should be
	 restarted manually after investigation) as per the documentation

4.30   - If you add the text "do not delete" to the comments of an entry in
         csf.deny then DENY_IP_LIMIT will ignore those entries and not remove
	 them. Updated csf.deny information text for new installations

	 Made the (deleted) process text even more explicit for those that are
	 not reading csf.conf or the FAQ for their explanation

	 Updated DSHIELD information URL in csf.conf

	 Added new feature - csf.rignore is an ignore file that lists domains
	 and partial domains that lfd should ignore. Read /etc/csf/csf.rignore
	 for more information

	 Option GOOGLEBOT removed. This feature is now performed using
	 csf.rignore. If GOOGLEBOT was previously enabled it will be added to
	 csf.rignore

4.29   - Added Slackware support (tested on v12.2.0)

         Added Fedora v10 support

	 Added new option GOOGLEBOT - Prevent *.googlebot.com from being
	 blocked by lfd. See csf.conf for more information

	 Added csf version from/to to output from csf --update when upgrading

4.28   - Fixed GENERIC csf problem with csf.pl perl modules

4.27   - New Feature - Port Flood Protection. This option configures iptables
         to offer protection from DOS attacks against specific ports. This
	 option limits the number of connections per time interval that new
	 connections can be made to specific ports. See csf.conf and readme.txt
	 for more information. This option is only available on servers with
	 the ipt_recent kernel module

         cPanel DNSONLY compatibility added - Thanks to JJ for the assistance

         Improved Cipher suite checking and advice for Apache and FTP in Server
	 Check

	 Removed md5sum check from JS exploit check as it is covered by
	 LF_INTEGRITY and causes confusion

	 Added new option LOGFLOOD_ALERT which will send an email alert based
	 on logfloodalert.txt if lfd skips logs lines due to log file
	 processing problems

	 Added new option PT_DELETED together with the FAQ explanation as to
	 why lfd reports deleted processes. The option can be disabled to
	 ignore such processes

	 Rearranged LOCALINPUT and LOCALOUTPUT rule positions to allow
	 exceptions to SMTP_BLOCK

4.26   - New Feature - Country Code to CIDR allow/deny. This feature can allow
         or deny whole country CIDR ranges. The CIDR blocks are downloaded from
         http://www.ipdeny.com/ipblocks/. For more information, see CC_ALLOW,
	 CC_DENY and CC_INTERVAL in csf.conf

         Expanded the dovecot regex to include more login failure permutations

	 Added exe:/var/cpanel/3rdparty/bin/php to csf.pignore on cPanel
	 servers

	 SMTP_ALLOWLOCAL set to 1 on new cPanel installations by default

4.25   - Fixed bug in csf --grep when CIDRs used in advanced port filters

         Fixed problems with aborted Server Check Report

	 Fixed position of the lo device rule in the OUTPUT chain which broke
	 SMTP_BLOCK

	 Added new option SMTP_PORTS which is used by SMTP_BLOCK to block all
	 listed ports (not just port 25). This is populated on installation or
	 when TESTING = 1 if an additional port is listed in "WHM > Service
	 Manager > exim on another port". Otherwise, SMTP_PORTS needs to be
	 updated manually. The default setting contains port 25

	 SMTP_BLOCKs will now log if DROP_IP_LOGGING is enabled

4.24   - Added workaround for issue with WHM image display in the addon header
         for cPanel v11.24

	 *Added cPanel v11.24 FTP Anonymous Upload checks in Server Report

	 *Added cPanel v11.24 FTP Cipher Suite checks in Server Report

	 *Added cPanel v11.24 Apache Cipher Suite checks in Server Report

	 *Added cPanel v11.24 Exim Cipher Suite checks in Server Report

	 Added Fedora v8 to the obsolete OS list now that v10 is out

	 Updated dovecot regex in regex.pm for v1.1.6 used by cPanel

	 * Will only display if cPanel version is >= 11.24

4.23   - Added skip to connection and process tracking for empty tcp6
         connection data

	 Fixed PT_LOAD email output of ps and vmstat

4.22   - Additional fixes for an issue on VPS servers where temporary block
         removal from csf.tempban failed

4.21   - Fixed an issue on VPS servers where temporary block removal from
         csf.tempban failed

4.20   - Modified csf.tempban processing code in lfd to perform more stringent
         file locking to preserve temporary bans if lfd is writing during
	 shutdown

	 Modified Port Scan tracking of IP's to not attempt multiple blocks on
	 the same IP address in the same log line processing batch

	 Fixed broken timestamp in lfd.log for dates < 10th of the month

	 Various code modifications to improve performance and stability

4.19   - Reverted the tied file changes as they were causing a deadlock
         situation locking csf.tempban

	 Improved the process tracking detection of deleted executables of
         running processes

4.18   - Modified temporary IP address storage to use a tied file to preserve
         temporary bans if lfd is writing during shutdown

4.17   - Replaced the use of backticks in csf, lfd and the WHM UI with calls to
         IPC::Open3

	 Various lfd and csf code improvements and tidy up

	 Ensure lfd parent dies cleanly on error

	 Debug information improved and timer modified to use Time::HiRes for
	 more accuracy

4.16   - Removed port 953 from the TCP and UDP allow lists for new csf
         installations as it's not necessary to whitelist it, since bind
	 listens on the localhost device for such control connections by
	 default

	 Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login,
	 exe:/usr/libexec/dovecot/imap-login to new and old cPanel
	 installations csf.pignore to cater for cPanel support for both nsd and
	 dovecot (currently in EDGE)

	 Only use Cpanel::Rlimit if it's available in WHM UI

4.15   - Fixed a problem in v4.* where use of GALLOW and ALLOWDYN was allowing
         connections from blocked IP addresses in csf.deny or temporary blocks.
	 The GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN,
	 GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT to correct
	 this. Many thanks to Brian for his help in tracking this issue down.

4.14   - Implemented the use of cPanel routine Cpanel::Rlimit to remove process
         resource limit restrictions as the cPanel memory limitation setting
	 was causing the Server Check to abort with memory allocation problems
	 through WHM on some servers

	 Modified port checking for 23 and 53 in Server Check to no longer use
	 the fuser binary and use the port mappings directly from /proc

	 Modified lfd and Server Check to check for IPv6 bound processes as the
	 IPv4 and IPv6 connections are stored in a different file to IPv4 only
	 bound processes

4.13   - Updated various comments in csf.conf

         Fixed call to csfpost.sh from csf

4.12   - Modified lfd Login Failure tracking to use a per IP address rolling
         LF_INTERVAL window rather than a static one for all tracked IPs. This
	 makes login failure counting more accurate and blocking more
	 responsive
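The per-IP rolling window described in this entry, as an added illustration written for this changelog rather than lfd's own code. The setting names LF_INTERVAL and LF_TRIGGER mirror csf.conf but the values, the sshd-style sample log lines and the `static_window_blocks` comparison (one window shared by all IPs that resets on a fixed boundary) are constructed here to show why the rolling variant blocks sooner:

```python
import re
from collections import defaultdict, deque

# Assumed settings for this illustration (csf.conf names, values chosen here)
LF_INTERVAL = 300   # seconds: how long a failure stays inside an IP's window
LF_TRIGGER = 3      # failures inside the window that trigger a block

# Constructed sshd-style log lines as (epoch seconds, line); not real log data
SAMPLE_LOG = [
    (1100, "sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2"),
    (1150, "sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2"),
    (1150, "sshd[103]: Failed password for invalid user bob from 198.51.100.7 port 5001 ssh2"),
    (1250, "sshd[104]: Failed password for root from 203.0.113.5 port 4003 ssh2"),
    (1700, "sshd[105]: Failed password for root from 203.0.113.5 port 4004 ssh2"),
]

FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


class RollingFailureTracker:
    """One sliding LF_INTERVAL window per IP address."""

    def __init__(self, interval=LF_INTERVAL, trigger=LF_TRIGGER):
        self.interval = interval
        self.trigger = trigger
        self.windows = defaultdict(deque)  # ip -> timestamps of recent failures

    def record(self, ip, ts):
        """Record a failure at time ts; return True if ip should be blocked now."""
        window = self.windows[ip]
        # Drop failures older than LF_INTERVAL relative to this failure. Each
        # IP's window slides on its own; nothing is reset on a global tick.
        while window and ts - window[0] >= self.interval:
            window.popleft()
        window.append(ts)
        if len(window) >= self.trigger:
            window.clear()  # block issued, start counting afresh
            return True
        return False


def rolling_window_blocks(log, interval=LF_INTERVAL, trigger=LF_TRIGGER):
    """Return [(ts, ip)] blocks using a per-IP rolling window."""
    tracker = RollingFailureTracker(interval, trigger)
    blocked = []
    for ts, line in log:
        m = FAILED_RE.search(line)
        if m and tracker.record(m.group(1), ts):
            blocked.append((ts, m.group(1)))
    return blocked


def static_window_blocks(log, interval=LF_INTERVAL, trigger=LF_TRIGGER):
    """The same counting with one fixed window shared by all IPs, for
    comparison: every counter is cleared when the interval boundary passes."""
    counts = {}
    current_bucket = None
    blocked = []
    for ts, line in log:
        bucket = ts // interval
        if bucket != current_bucket:
            counts = {}  # all IPs reset together
            current_bucket = bucket
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= trigger:
            blocked.append((ts, ip))
            counts[ip] = 0
    return blocked


if __name__ == "__main__":
    print("rolling:", rolling_window_blocks(SAMPLE_LOG))  # [(1250, '203.0.113.5')]
    print("static: ", static_window_blocks(SAMPLE_LOG))   # []
```

With the sample data the three failures from 203.0.113.5 fall within 150 seconds of each other but straddle a 300-second boundary, so the shared fixed window never sees more than two of them, while the rolling window blocks on the third.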

	 Added new feature - Block Reporting. lfd can run an external script
	 when it performs an IP address block following, for example, a login
	 failure. BLOCK_REPORT is set to the full path of the external script.
	 See readme.txt for format details

	 If csf is installed or upgraded via an SSH session the connecting IP
	 address will now be automatically added to csf.allow (note: it is not
	 added to csf.ignore so lfd may still block it). This IP can be removed
	 after testing if desired

	 Modified the lfd.log format to the standard:
	 <mon> <mday> <hour>:<min>:<sec> <host> lfd[<pid>]: <text>
	 If you parse lfd.log you will need to update your scripts!
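A parser for the lfd.log format given above, as an added example for anyone whose scripts need updating; it is not code shipped with csf. It assumes single-digit days are space-padded as in syslog, that the caller supplies the year the log lacks, and the sample lines and their message texts are constructed:

```python
import re
from datetime import datetime

# lfd.log line format from the 4.12 changelog entry:
#   <mon> <mday> <hour>:<min>:<sec> <host> lfd[<pid>]: <text>
# Single-digit days are assumed to be padded with a space, as syslog does.
LFD_LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<mday>\d{1,2}) "
    r"(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2}) "
    r"(?P<host>\S+) lfd\[(?P<pid>\d+)\]: (?P<text>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines; the message texts are made up for this example
SAMPLE_LFD_LOG = [
    "Jan  5 03:14:07 web1 lfd[1234]: daemon started on web1 (constructed line)",
    "Jan  5 03:20:01 web1 lfd[1234]: login failure from 203.0.113.5 (constructed line)",
    "Jan 12 11:02:45 web1 lfd[1234]: 203.0.113.5 blocked for 300 secs (constructed line)",
    "Jan 12 11:02:46 web1 lfd[1234]: 198.51.100.7 blocked for 300 secs (constructed line)",
    "this line is not in the lfd.log format and is skipped",
]


def parse_lfd_line(line, year):
    """Parse one lfd.log line into a dict, or return None if it does not match.

    The log carries no year, so the caller supplies one (assumption: a single
    log file does not span a year boundary)."""
    m = LFD_LINE_RE.match(line)
    if m is None:
        return None
    stamp = f"{year} {m['mon']} {int(m['mday'])} {m['hour']}:{m['min']}:{m['sec']}"
    return {
        "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "pid": int(m["pid"]),
        "text": m["text"],
    }


def parse_lfd_log(lines, year=2009):
    """Parse all lines, dropping ones that do not match the format."""
    records = []
    for line in lines:
        rec = parse_lfd_line(line.rstrip("\n"), year)
        if rec is not None:
            records.append(rec)
    return records


def ips_mentioned(records):
    """Count how often each IPv4 address appears in the message text."""
    counts = {}
    for rec in records:
        for ip in IP_RE.findall(rec["text"]):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_lfd_log(SAMPLE_LFD_LOG):
        print(rec["time"].isoformat(), rec["pid"], rec["text"])
    print(ips_mentioned(parse_lfd_log(SAMPLE_LFD_LOG)))
```

Lines that do not match are dropped rather than raising, so a script fed a mixed log (or one written before this format change) degrades to "fewer records" instead of aborting; count the dropped lines if that matters to you.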

	 Added DEBUG option - for internal use only

4.11   - Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore
         for existing installations

	 Modified the calculation for the position of LOCALOUTPUT in the OUTPUT
	 chain

	 Added /etc/cron.d/lfdcron.sh to restart lfd daily

	 Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3
	 and exe:/usr/sbin/mysqld_safe to csf.pignore

	 Modified SCRIPT_ALERT regex to cope with exim log format changes in
	 FC8+

	 As per RFC5322, adding port 587 to the default TCP_IN list of ports
	 for new installations (i.e. it is now recommended for SMTP servers to
	 offer port 587 access for MUA to MTA traffic rather than port 25 which
	 is for MTA to MTA traffic)

	 Added informational text to Process Tracking email report if a process
	 is running an executable that has been deleted

	 Added csf version to the daemon startup log line in lfd.log

4.10   - Added /usr/libexec/hald-addon-keyboard to csf.pignore

         Modified the static DNS port rules to always allow all OUTGOING (only)
	 connections to/from port 53 udp/tcp. This should help the situation
	 where some servers iptables block outgoing port 53 udp connections
	 despite the port being open

	 Added new option DNS_STRICT which will remove all static DNS rules and
	 allow access only through SPI. For stability reasons, it would be
	 advisable to leave this option disabled (default)

4.09   - Modification to cPanel version to restart chkservd using
         /scripts/restartsrv_chkservd instead of the init script as the latter
	 is removed in the latest EDGE release that puts chkservd under the
	 control of tailwatchd (/scripts/restartsrv_chkservd is a stub for
	 restarting tailwatchd in the latest EDGE instead of a direct restart
	 script in older cPanel versions). chkservd is restarted when csf
	 is installed/uninstalled/upgraded/disabled/enabled

4.08   - Added a new timing system to more accurately trigger lfd tasks. This
         should alleviate timing issues such as those seen with LT_POP3D and
	 LT_IMAPD and improve the overall effectiveness and performance of lfd

	 Added new method for reaping child processes. If you find that zombie
	 lfd processes start to build up you can revert to the old reaper by
	 enabling new option OLD_REAPER

4.07   - Messenger service now supports advanced filter permanent port block
         redirection

4.06   - Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the
         LOCALxxPUT chains so that the entries can be correctly listed with
	 ACCEPT's at the top and DENY's at the bottom of the chain

         Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and
	 OUTPUT chains so that bandwidth accounting is kept accurate

	 Fixed a problem processing advanced port filters in GLOBAL_ALLOW and
	 GLOBAL_DENY

4.05   - Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains

4.04   - Fixed problem with rule placement for ETH_DEVICE_SKIP

         Ensure all ALLOW requests are inserted before DENY requests after csf
	 has been restarted

	 Ensure that fwlogwatch stats creation uses IPTABLES_LOG file

	 Only perform operations on the nat table if MESSENGER service is
	 enabled

	 lfd Process Tracking will now ignore MESSENGER_USER messenger services

	 Added new option PT_ALL_USERS so that all Linux accounts on a cPanel
	 server are checked in Process Tracking, not just cPanel users. This
	 option is disabled by default on cPanel servers. Enabling this option
	 may require adding exceptions to csf.pignore

	 Additional exceptions added to csf.pignore for cPanel servers for the
	 new PT_ALL_USERS option

	 PT_SKIP_HTTP now disabled by default for new installations

	 Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check

4.03   - Fixed problem where the new LOCALxxPUT chains were only processing tcp
         requests

	 Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule
	 count in the OUTPUT chain under certain circumstances

4.02   - If csf fails with an error lfd will now die and require a restart
         after the issue with csf is resolved. csf commands apart from start
	 and restart are also disabled

	 Released from BETA

4.01   - Allow the Messenger Service to be used on VPS servers. However, if the
         ipt_REDIRECT module is missing csf will fail to start correctly and
	 abort

	 HTML Messenger service server now only reads a limited line length
	 instead of unlimited input to prevent overflows

4.00   - New feature - Messenger Service. This feature allows the display of a
	 message to a blocked connecting IP address to inform the user that
	 they are blocked in the firewall. This can help when users get
	 themselves blocked, e.g. due to multiple login failures. The service
	 is provided by two daemons running on ports providing either an HTML
	 or TEXT message. See csf.conf and readme.txt for more information
	 (not available on VPS platforms and others missing the ipt_REDIRECT
	 kernel module)

         Moved INPUT and OUTPUT chain rules for blocks and allows to their own
         respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP
	 blocks will be listed in the INPUT or OUTPUT chains, but in the new
	 ones

	 Re-organised all of the INPUT and OUTPUT chain rules to give
	 precedence to the LOCALINPUT rules before invoking other chains and
	 port ALLOW rules

	 Moved the SYNFLOOD protection chain rule to be the first chain rule
	 after the LOCALINPUT chain rule

	 Moved the lo device rules to always be at the top of the INPUT and
	 OUTPUT chains

	 Modified the syslog regex matches to only match on local entries to
	 cope with centralised syslog configurations

3.43   - Improved application IP block checking

         Restored the option LF_SCRIPT_PERM with additional checks for
	 directories within the cPanel homedirs and for symlinks. Warning
	 added to csf.conf for this option

	 Added random query-source port setting for BIND to the Server Report

3.42   - Corrected information for LF_TRIGGER_PERM in the generic csf.conf to
         be the same as the cPanel csf.conf

	 If LF_SELECT is enabled make sure all cPanel ports are blocked on
	 cpanel login failure. This was only doing ports 2082,2083 and will now
	 block 2082,2083,2086,2087,2095,2096

3.41   - Added new mechanism to allow custom regular expression matching with
         individual settings for lfd login failure detection. See
	 /etc/csf/regex.custom.pm for details

	 Modified all timestamps in lfd reports to also include the standard
	 timezone offset (i.e. from GMT)

	 Added new setting CC_LOOKUPS to control the new Country Code lookups
	 (enabled by default)

	 DROP_IP_LOGGING automatically disabled if PS_INTERVAL is enabled

	 PS_INTERVAL enabled by default on new installations

	 Doubled the number of lines before log file flooding detection will be
	 triggered

3.40   - Added queuealert.txt to the WHM UI dropdown list for editing

         Clarified in csf.conf that setting LF_QUEUE_ALERT to 0 disables the
	 check

	 Added Country Code lookups for IP addresses. Any reported IP addresses
	 will include the international CC where available. It should be noted
	 that with international ISPs this may not be wholly accurate. Where
	 possible the CC will be translated into the associated country name

3.39   - Added new option IGNORE_ALLOW which, if enabled, makes lfd ignore IP
         addresses listed in the csf.allow file and not block them

	 Added new option LF_QUEUE_ALERT, which will send an email alert using
	 queuealert.txt if the exim queue length exceeds the value it is set
	 to. The check is repeated every LF_QUEUE_INTERVAL seconds. If the
	 ConfigServer MailScanner configuration is being used, both the
	 MailScanner pending and exim delivery queues will be checked. This is
	 a cPanel only option

	 Added new option CT_PORTS to Connection Tracking so that you can
	 specify which ports you want to count towards CT_LIMIT, e.g. 80,443

	 Modified Server Report check for register_globals in cPanel's php.ini
	 in case the new cPanel WHM setting is being bypassed

3.38   - Additional SSHD regex added to regex.pm

         Improved the WHM UI reporting of the csf status: disabled, running,
	 testing mode

	 Added Enable/Start buttons to WHM UI next to the csf status if
	 disabled/stopped

	 Updated Server Report checks for csf status

	 Changed the destination of the ConfigServer Services link at the
	 bottom of the WHM UI to go to the csf web page

3.37   - Fixed an issue currently in cPanel EDGE that affects the use of the
         cPanel SafeFile module in WHM scripts

3.36   - Increased the IP lookup timeout for reported IP's from 5 to 10 seconds

         Improved lfd internal timing system for event triggers

	 Added new feature - Account Tracking. The new AT_* options configure
	 an alert system for account modifications which will send an email if
	 there are new accounts added, existing accounts deleted, plus password,
	 uid, gid, login directory and login shell changes. Each of these
	 changes can be enabled or disabled. You can also enable tracking for
	 superuser accounts only. The latter is the default setting. This
	 feature uses the email template accounttracking.txt
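The comparison behind such an account tracker, as an added example that is not lfd's code: two passwd-format snapshots are parsed and diffed field by field, with each change class switchable and an optional superuser-only mode. The `AT_ALERT` dictionary, the `TRACKED_FIELDS` names and both snapshots are constructed for this illustration (the real AT_* keys are in csf.conf; on a live system the password field lives in /etc/shadow, which a tracker would snapshot the same way):

```python
# Assumed settings for this illustration; the real AT_* option names live in
# csf.conf and are not reproduced here
TRACKED_FIELDS = ("password", "uid", "gid", "dir", "shell")
AT_ALERT = {"new": True, "deleted": True, **{f: True for f in TRACKED_FIELDS}}

# Constructed /etc/passwd snapshots (not from a real system)
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/sh
alice:x:0:1001:Alice:/home/alice:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
"""


def parse_passwd(text):
    """Map account name -> tracked fields from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, password, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = {"password": password, "uid": int(uid), "gid": int(gid),
                          "dir": home, "shell": shell}
    return accounts


def account_changes(before, after, alert=AT_ALERT, superuser_only=False):
    """Return a list of (change, account, old, new) between two snapshots."""
    def is_superuser(name):
        # uid 0 in either snapshot counts, so a promotion to uid 0 is reported
        return any(snap.get(name, {}).get("uid") == 0 for snap in (before, after))

    changes = []
    for name in sorted(after.keys() - before.keys()):
        if alert["new"] and (not superuser_only or is_superuser(name)):
            changes.append(("new", name, None, None))
    for name in sorted(before.keys() - after.keys()):
        if alert["deleted"] and (not superuser_only or is_superuser(name)):
            changes.append(("deleted", name, None, None))
    for name in sorted(before.keys() & after.keys()):
        if superuser_only and not is_superuser(name):
            continue
        for field in TRACKED_FIELDS:
            old, new = before[name][field], after[name][field]
            if old != new and alert[field]:
                changes.append((field, name, old, new))
    return changes


def check_accounts(before_text, after_text, superuser_only=False):
    """Convenience wrapper: diff two passwd-format texts."""
    return account_changes(parse_passwd(before_text), parse_passwd(after_text),
                           superuser_only=superuser_only)


if __name__ == "__main__":
    for change in check_accounts(PASSWD_BEFORE, PASSWD_AFTER):
        print(change)
```

In superuser-only mode the sample yields a single finding, alice's uid changing from 1001 to 0, which is exactly the kind of modification the mode exists to catch; the shell change on bob and the added and removed ordinary accounts only appear in full mode.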

	 Added reason text to temporary IP bans

	 Added Server Report check for ini_set in PHP disable_functions

	 Added ossec to list of processes to disable as it will conflict and
	 duplicate csf functionality

	 Changed Server Check scoring text to instead show a coloured table
	 indicating score

3.35   - Changes to WHM UI script for cPanel v11

	 Removed cPanel v10 backported WHM UI settings, i.e. v10 no longer
	 supported

         Added # of temp blocks to WHM UI "Temporary IP Bans" on main page

	 Modified Server Report check for register_globals in cPanel's php.ini
	 to use the new cPanel WHM setting

	 Added Server Report check for passwords in WHM email setting

	 Added Server Report check for WHM root/reseller login to users cPanel

	 Modified Server Report nobody cron check to only fail on non-zero cron
	 file

	 Modified Server Report check for Fedora now that Fedora 7 is EOL
	 (2008-06-13)

	 Added new option DYNDNS_IGNORE to ignore DYNDNS entries when lfd
	 blocking

3.34   - Modified regex matching to allow for trailing spaces in log lines

         Modified PT_LOAD routine to prevent multiple triggers resulting in
	 more than one alert email being sent

	 Removed the need for NETSTAT from lfd to reduce overheads and improve
	 performance allowing CT_INTERVAL to be set lower. Now uses
	 /proc/net/[protocol]

3.33   - Modified skip for su login checking from root to cater for (uid=0)

         Added option SYNFLOOD_BURST to allow configuration of --limit-burst
	 when SYNFLOOD is enabled. Changed default values

         Added --grep searches of csf.deny and temporary blocks in addition
	 to iptables

	 Modified SSH regex to improve login failures detection further

	 Enabled LF_PERMBLOCK, PT_USERPROC by default on new installations

	 Added vsftpd regex for ftp login failures

3.32   - Modified SSH regex to check for ipv6 addresses

         Added another regex to improve SSH matching

3.31   - Modified -denyrm to abort if left blank instead of clearing all blocks

         Added lfd check for existing temporary block to avoid duplicates

	 Fixed regex handling for courier-imap POP and IMAP login failures

	 Added --full-time to the ls command for LF_DIRWATCH_FILE. If you use
	 this option, LF_DIRWATCH_FILE will likely trigger due to the changed
	 output the first time you restart lfd after upgrading

	 Fixed typo in Suhosin description in the Server Check Report

	 Added Referrer Security to the Server Check Report

	 Added register_globals check in cPanel php.ini to Server Check Report

3.30   - Security Fix: lfd vulnerabilities found which could lead to Local and
         Remote DOS attacks against the server running csf+lfd

	 The DOS attacks could make lfd block innocent IP addresses and one
	 attack could cause lfd to deplete server resources

         Modified the regular expressions in regex.pm to prevent them from
	 being triggered by spoofed log line entries

	 Option LF_SCRIPT_PERM removed

	 Our thanks to Jeff Petersen for the detailed information describing
	 these issues

	 We recommend that all users of csf upgrade to this new version

3.28   - Fixed a bug with LT_POP3D and LT_IMAPD introduced in v2.88 which broke
         login tracking

	 Modified relay tracking to not ignore RELAYHOST IP's

	 Modified LF_SSH_EMAIL_ALERT to not ignore RELAYHOST IP's

	 LF_SUHOSIN will now skip matches for "script tried to increase
	 memory_limit"

3.27   - Modified csf -dr option to delete advanced filter IP matches as well
         as simple matches in csf.deny

3.26   - Added new CLI option to csf, -g --grep will search the iptables chains
         for a specified match which is either explicit or part of a CIDR

	 Added WHM UI option for csf --grep

	 Added new CLI option to csf, -dr --denyrm will remove an IP address
	 from csf.deny and unblock it

	 Added WHM UI option for csf --denyrm

3.25   - Added csf.suignore file where you can list usernames that are ignored
         during the LF_EXPLOIT SUPERUSER test

	 New option PT_LOAD_ACTION added that can contain a script to be run if
	 PT_LOAD triggers an event. See csf.conf for more information

	 Added SUPERUSER check to Server Check Report

	 Added Suhosin check to Server Check Report

3.24   - Allow comments after IP addresses in csf.dyndns

         Added new login failure option LF_SUHOSIN which detects alert messages
	 and blocks the attacker IP after the configured number of matches

	 Added a new exploit check for non-root superuser accounts

	 Added a new configuration option LF_EXPLOIT_CHECK which allows you to
	 configure which tests are performed by LF_EXPLOIT

3.23   - Modified the Server Report code for checking PHP variables to be more
         lenient when checking the output from /usr/local/bin/php -i

	 Modified lfd calculation of Jiffies to use the POSIX::sysconf function
	 to obtain the clock ticks instead of assuming 100 ticks for Linux

	 Fix duplicate LF_INTEGRITY emails

3.22   - Changed DROP_IP_LOGGING logging advice in csf.conf to NOT use this
         setting if you use Port Scan Tracking as it will cause redundant
	 blocks

	 Added tag [hostname] to all of the alert reports. You will need to add
	 this manually to the report text Subject: line (or anywhere else in
	 the report that you would like it) for existing installations

	 Added "A note about FTP over TLS/SSL" to readme.txt

3.21   - Fixed problem in Server Check that caused an error in some situations

         Modified netblock caching code to prevent repeated block attempts

3.20   - Corrected net block logic so that after a net or perm block occurs,
         subsequent log entries that would incur the same block are ignored

3.19   - New feature - LF_PERMBLOCK. Permanently blocks IP addresses that have
         had X temporary blocks in the last Y seconds. Uses email template
	 permblock.txt

	 New feature - LF_NETBLOCK. Permanently blocks network classes (A, B or
	 C) if more than X IP addresses in a specified class have been blocked
	 in the last Y seconds. This may help with some DDOS attacks launched
	 from within a specific network class. Uses email template netblock.txt
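The escalation logic of both features, as an added example written for this entry and not lfd's own implementation. It also applies the 3.20 rule that later hits for an IP or class already permanently blocked are ignored. The option names follow the entry, but the values, the class-to-prefix mapping and the sequence of temporary blocks are assumptions constructed for the demonstration:

```python
import ipaddress
from collections import defaultdict

# Assumed settings for this illustration (names follow the changelog entry,
# the values are chosen here and are not csf defaults)
LF_PERMBLOCK_COUNT = 3        # temp blocks of one IP within the interval -> permanent
LF_PERMBLOCK_INTERVAL = 86400
LF_NETBLOCK_COUNT = 4         # more than this many IPs blocked in one class -> net block
LF_NETBLOCK_INTERVAL = 86400
LF_NETBLOCK_CLASS = "C"       # A, B or C
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}

# Constructed sequence of temporary blocks as (epoch seconds, ip)
SAMPLE_TEMP_BLOCKS = [
    (0, "203.0.113.5"), (100, "203.0.113.5"), (200, "203.0.113.5"),
    (300, "203.0.113.9"), (400, "203.0.113.17"), (500, "203.0.113.33"),
    (600, "203.0.113.40"), (700, "203.0.113.77"), (90000, "198.51.100.1"),
]


class BlockEscalator:
    def __init__(self, permblock_count=LF_PERMBLOCK_COUNT,
                 permblock_interval=LF_PERMBLOCK_INTERVAL,
                 netblock_count=LF_NETBLOCK_COUNT,
                 netblock_interval=LF_NETBLOCK_INTERVAL,
                 netblock_class=LF_NETBLOCK_CLASS):
        self.permblock_count = permblock_count
        self.permblock_interval = permblock_interval
        self.netblock_count = netblock_count
        self.netblock_interval = netblock_interval
        self.prefix = CLASS_PREFIX[netblock_class]
        self.temp_history = defaultdict(list)  # ip -> temp block timestamps
        self.net_history = defaultdict(dict)   # network -> {ip: last block ts}
        self.perm_blocked = set()
        self.net_blocked = set()

    def temp_block(self, ip, now):
        """Record a temporary block of ip at time now; return the escalations
        it triggers as a list of (action, target)."""
        net = ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)
        # Once an IP or its class is permanently blocked, later hits for it are
        # ignored instead of producing repeated block attempts
        if ip in self.perm_blocked or net in self.net_blocked:
            return []
        actions = []
        # LF_PERMBLOCK: X temp blocks of this IP within the last Y seconds
        recent = [t for t in self.temp_history[ip] if now - t < self.permblock_interval]
        recent.append(now)
        self.temp_history[ip] = recent
        if len(recent) >= self.permblock_count:
            self.perm_blocked.add(ip)
            actions.append(("permblock", ip))
        # LF_NETBLOCK: more than X distinct IPs of this class within Y seconds
        members = self.net_history[net]
        members[ip] = now
        live = {i: t for i, t in members.items() if now - t < self.netblock_interval}
        self.net_history[net] = live
        if len(live) > self.netblock_count:
            self.net_blocked.add(net)
            actions.append(("netblock", str(net)))
        return actions


def escalate(blocks, **settings):
    """Replay a sequence of temp blocks; return [(ts, action, target)]."""
    esc = BlockEscalator(**settings)
    out = []
    for ts, ip in blocks:
        for action, target in esc.temp_block(ip, ts):
            out.append((ts, action, target))
    return out


if __name__ == "__main__":
    for event in escalate(SAMPLE_TEMP_BLOCKS):
        print(event)
```

Note the two thresholds differ as the entry words them: the permanent block fires at X temporary blocks, the net block only when more than X addresses are involved. A class C net block covers 256 addresses, so the count and interval deserve conservative values.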

	 Modified MD5SUM comparison code to better reset md5sum checks after a
	 hit

	 Only issue Random JS Toolkit warning if all the MD5SUM checks fail for
	 the relevant files

	 Removed POP flood Protection setting check from Server Report as it's
	 no longer relevant to courier-imap

	 Rewritten the Apache Check code for the Server Report to better
	 detect the current running settings on all Apache and PHP versions

	 Don't check Apache RLimitCPU/RLimitCPU limits on VPS servers as they
	 aren't relevant (as they apply to the host VPS configuration) for the
	 Server Report

3.18   - Fixed bug in the generic csf release where the default csf.conf was
         missing the DROP, CT_STATES and GLOBAL_IGNORE settings - Thanks to Jim
	 for the help in tracking the issue down

3.17   - Rewritten the update code so that a new csf.conf is created when
         upgrading. It now uses the latest csf.conf and transfers the existing
	 settings to the new configuration file. This way all installations are
	 sure to have all new settings and the latest comments. It also makes
	 the release process for new builds much simpler

	 Other installation/update improvements

	 Updated APF/BFD removal procedure

3.16   - Fixed bug introduced in v3.14 for generic installation only

3.15   - Auto-whitelist all DNS traffic to/from IPs in /etc/resolv.conf

         Modified csf.conf text for new installations to account for
	 auto-configuration of ETH_DEV which has been the case for some time:

# By default, csf will auto-configure iptables to filter all traffic except on
# the local (lo:) device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

3.14   - Added new format for cPanel (v11.18.3) login failures to regex.pm

         Added exe:/usr/libexec/gam_server to the default list of ignored
	 binaries

	 Fixed problem with SCRIPT_ALERT not picking up alternative /home
	 directories from wwwacct.conf

3.13   - Added new option DENY_TEMP_IP_LIMIT which limits the number of IP bans
         held in the temporary IP ban list to prevent iptables flooding. If the
	 limit is reached, the oldest bans will be removed/allowed by lfd on
	 the next unblock cycle regardless of remaining TTL for the entry
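Both list limits, DENY_TEMP_IP_LIMIT here and the DENY_IP_LIMIT behaviour from the 4.30 entry (entries whose comment says "do not delete" are skipped), as one added example that is not csf's code. The limit values are deliberately tiny so the constructed csf.deny text and temporary ban list exceed them; it is assumed that protected entries still count towards DENY_IP_LIMIT and that an entry's position in the file reflects its age:

```python
# Assumed limits, deliberately small so the sample data exceeds them
DENY_IP_LIMIT = 3        # max entries kept in csf.deny
DENY_TEMP_IP_LIMIT = 2   # max entries kept in the temporary ban list
KEEP_MARKER = "do not delete"

# Constructed csf.deny contents, oldest entry first
SAMPLE_CSF_DENY = """\
# csf.deny (constructed sample)
203.0.113.5 # lfd: failed SSH logins
198.51.100.7 # manual block - do not delete
203.0.113.77 # lfd: failed FTP logins
192.0.2.10 # lfd: failed SMTP AUTH logins
192.0.2.11 # lfd: failed POP3 logins
"""

# Constructed temporary bans as (ip, time blocked, ttl seconds), oldest first
SAMPLE_TEMP_BANS = [
    ("203.0.113.5", 1000, 3600),
    ("203.0.113.9", 1500, 3600),
    ("203.0.113.17", 2000, 300),
    ("203.0.113.33", 2500, 3600),
]


def prune_csf_deny(text, limit=DENY_IP_LIMIT):
    """Return (new_text, removed_ips) after enforcing DENY_IP_LIMIT.

    Oldest entries are removed first, but an entry whose comment contains
    KEEP_MARKER is never removed (assumption: it still counts towards limit)."""
    lines = text.splitlines()
    entries = [i for i, l in enumerate(lines)
               if l.strip() and not l.lstrip().startswith("#")]
    removable = [i for i in entries
                 if KEEP_MARKER not in lines[i].partition("#")[2].lower()]
    excess = len(entries) - limit
    to_drop = set(removable[:max(excess, 0)])
    removed = [lines[i].split()[0] for i in sorted(to_drop)]
    kept = [l for i, l in enumerate(lines) if i not in to_drop]
    return "\n".join(kept) + "\n", removed


def temp_unblock_cycle(bans, now, limit=DENY_TEMP_IP_LIMIT):
    """Return (remaining_bans, unblocked) for one lfd unblock cycle.

    Expired bans are released first; if more than limit remain, the oldest
    are released as well, regardless of their remaining TTL."""
    unblocked, remaining = [], []
    for ip, started, ttl in bans:
        if now >= started + ttl:
            unblocked.append((ip, "expired"))
        else:
            remaining.append((ip, started, ttl))
    remaining.sort(key=lambda ban: ban[1])
    while len(remaining) > limit:
        ip, _, _ = remaining.pop(0)
        unblocked.append((ip, "limit"))
    return remaining, unblocked


if __name__ == "__main__":
    text, removed = prune_csf_deny(SAMPLE_CSF_DENY)
    print(text, "removed:", removed)
    print(temp_unblock_cycle(SAMPLE_TEMP_BANS, now=2400))
```

Releasing the oldest temporary ban early is a deliberate trade: a still-valid block is dropped to keep the iptables rule count bounded, so a server that regularly hits the limit is a sign to raise it or to reduce what feeds the temporary list.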

	 Added LF_FLUSH for the flush interval of reported usernames, files and
	 pids so that persistent problems continue to be reported. Default is
	 set to the previously hard-coded value of 3600 seconds

	 Fixed uw-imap ipop3d regex

	 Added check for TESTING mode when using csf -a or csf -d to only add
	 to the respective csf.allow or csf.deny files and not insert into
	 iptables to prevent errors if iptables has been flushed after reaching
	 TESTING_INTERVAL

3.12   - Added SMTP AUTH failure regex for Kerio MailServers

         Fixed an issue where a permanent Port Scanning alert would report as
	 a temporary block, even though a permanent block was performed

	 Added regex for failed SSH key authentication logins (thanks to Paul)

3.11   - Use /proc for Process Tracking instead of ps output in case of
         exploited system binaries and to better determine resource usage of
	 each process

3.10   - Modified INPUT and OUTPUT chain rules to always specify the ethernet
         device

	 csf now re-applies temporary IP blocks on restart

	 Added new CLI command to add temporary IP bans. See csf -h for the
	 new csf -td command

	 Added new options to WHM csf UI to unblock temporary IP bans

	 Added new option to WHM csf UI to block IP temporarily for a specified
	 TTL

3.09   - Fixed missing copy for the portscan.txt report for generic
         installations

	 Added new option PS_EMAIL_ALERT to enable/disable Port Scan Tracking
	 email alerts

	 Added a sample of the port blocks that trigger the Port Scan to the
	 report. This new report will be copied to /etc/csf/portscan.txt.new on
	 existing installations, rename it to portscan.txt to use it

	 Added Port Scan Tracking to WHM UI Firewall Security Level

	 Added cPAddon update email setting check to Server Security Report

	 Modified the SuEXEC link location to the cPanel v11 location in Server
	 Security Report

	 Added portscan.txt template to editable list in WHM UI

	 Updated readme.txt

3.08   - Modified Port Scan Tracking to ignore blocked IP addresses incase
         DROP_IP_LOGGING is enabled

3.07   - Added Apache Server Status report to PT_LOAD for load average report
         monitoring. To benefit from this feature you will need to rename the
	 new report file /etc/csf/loadalert.txt.new to loadalert.txt. The
	 reports (ps, vmstat and apache) are now included as MIME attachments
	 in the email report instead of inline text

	 New feature: Port Scan Tracking. This feature tracks port blocks
	 logged by iptables to syslog. It can help block hackers attempting to
	 scan the server for open ports, or to block them while trying to
	 access blocked standard ports, e.g. SSH. See csf.conf for more
	 information
	 
	 Upgraded the urlget module

3.06   - Added System Exploit Checking. This enables lfd to check for the
         Random JS Toolkit and may check for others in the future:
	 http://www.cpanel.net/security/notes/random_js_toolkit.html
	 It compares md5sums of the binaries listed in the exploit above for
	 changes and also attempts to create and remove a number directory. The
	 option is enabled by default. The report is generated from the
	 exploitalert.txt template file

3.05   - Added perl regex checking to csf.pignore with the new options puser,
         pexe and pcmd. Text added to csf.pignore for new installations:

# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
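How an ignore file in this syntax can be evaluated against process records, as an added example that is not lfd's code. The sample csf.pignore text and process records are constructed (the last rule is an intentionally broken regex to show the error path), Python's `re` stands in for Perl regexes, and it is assumed that a p* pattern must match the whole field rather than any substring:

```python
import re

# Constructed csf.pignore sample; the exe/user/cmd and pexe/puser/pcmd syntax
# follows the changelog text, the patterns are made up for this example.
# The last line is deliberately an invalid regex.
SAMPLE_PIGNORE = r"""
# exact matches
exe:/usr/sbin/nsd
user:mailnull
cmd:/usr/bin/php-cgi
# perl regular expression matches
pexe:/home/.*/public_html/cgi-bin/script\.cgi
puser:bob\d.*
pcmd:/home/[^/]+/bin/backup\.pl\s.*
pexe:/home/(unclosed
"""

# Constructed process records of the kind lfd gathers from /proc
SAMPLE_PROCESSES = [
    {"user": "nobody", "exe": "/usr/sbin/nsd", "cmd": "/usr/sbin/nsd -c /etc/nsd/nsd.conf"},
    {"user": "bob3", "exe": "/usr/bin/perl", "cmd": "/usr/bin/perl /home/bob3/script.pl"},
    {"user": "alice", "exe": "/home/alice/public_html/cgi-bin/script.cgi", "cmd": "script.cgi"},
    {"user": "alice", "exe": "/usr/bin/perl", "cmd": "/home/alice/bin/backup.pl --full"},
    {"user": "mallory", "exe": "/tmp/.x/kthread (deleted)", "cmd": "./kthread"},
]

EXACT_KINDS = {"exe": "exe", "user": "user", "cmd": "cmd"}
REGEX_KINDS = {"pexe": "exe", "puser": "user", "pcmd": "cmd"}


def parse_pignore(text):
    """Return (rules, errors): rules are (field, matcher) pairs, errors are
    (line_no, line, message) for lines that could not be used."""
    rules, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if not sep or not value:
            errors.append((no, raw, "expected kind:value"))
            continue
        if kind in EXACT_KINDS:
            rules.append((EXACT_KINDS[kind], lambda v, want=value: v == want))
        elif kind in REGEX_KINDS:
            try:
                pattern = re.compile(value)
            except re.error as exc:
                # a broken pattern is reported, not silently treated as "ignore nothing"
                errors.append((no, raw, f"bad regex: {exc}"))
                continue
            # assumption: the regex must match the whole field (anchored), so
            # pexe:/bin/ls does not also quietly ignore /bin/lsattr
            rules.append((REGEX_KINDS[kind], lambda v, p=pattern: p.fullmatch(v) is not None))
        else:
            errors.append((no, raw, f"unknown rule type {kind!r}"))
    return rules, errors


def is_ignored(proc, rules):
    """True if any rule matches the corresponding field of the process."""
    return any(match(proc[field]) for field, match in rules)


if __name__ == "__main__":
    rules, errors = parse_pignore(SAMPLE_PIGNORE)
    for proc in SAMPLE_PROCESSES:
        print(is_ignored(proc, rules), proc["user"], proc["exe"])
    print("errors:", errors)
```

The escaping point from the file's comment shows up in practice: `pexe:/home/.*/public_html/cgi-bin/script.cgi` without the backslash would also ignore a binary named `scriptXcgi`, and a pattern too broad to be anchored, such as `puser:.*`, ignores every user; the parse errors returned for unusable lines are worth surfacing rather than discarding.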

3.04   - Added two new options ICMP_IN_RATE and ICMP_OUT_RATE which allow you
         to set the incoming and outgoing ICMP rate limits independently, or to
	 disable rate limiting in either direction completely for ICMP packets

3.03   - Modified LF_DIRWATCH_FILE to use the output from "ls -lAR" instead of
         "ls -laAR"

         Modified rules so that only icmp ping is blocked and all other icmp
	 packets allowed if ping disabled in csf configuration. This may well
	 help improve iptables performance if ping was disabled

	 Added rate-limiting for all icmp packets to prevent inbound flooding

	 New option SYNFLOOD configures iptables to offer some protection from
	 tcp SYN packet DOS attempts. SYNFLOOD_RATE sets the inbound packet
	 rate per IP so the option can be tailored

	 Added SYN flag checking of state NEW tcp connections if PACKET_FILTER
	 is enabled. NEW tcp connections should always start with a SYN

	 Moved PACKET_FILTER rules to their own iptables chain called INVALID

	 Fixed issue where some drops were not logging when logging enabled

	 Added hourly flush interval of reported usernames, files and pids so
	 that persistent problems continue to be reported

	 Added RELAYHOSTS and SYNFLOOD to Firewall Security Level in UI

3.02   - Modified the text comments at the top of csf.allow for new installs:

# Note: IP addresses listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

         Removed RELAYHOSTS check from Server Check report

	 Don't show SMTP_BLOCK check if on a VPS in Server Check report

	 PT_USERKILL, if set, will now also kill user processes that exceed
	 PT_USERPROC

	 Fixed problem where csf.tempusers was not being cleared down on an lfd
	 restart

	 Added two new csf command line options to flush IP's from the
	 temporary ban list: -tr -tf (see csf -h for more information)

3.01   - Tightened DNS port configuration restrictions as the old rules were
         being catered for by iptables connection

	 Added Kerio Mailserver POP3/IMAP regex's

3.00   - Added progress information to LWP downloads within csf

         Added numiptent checking for VPS servers. csf will flush iptables and
	 lfd will stop blocking IP's if numiptent is nearly depleted. This
	 should help prevent VPS lockouts due to insufficient server
	 resources. If this happens, you will either need to reduce the number
	 of iptables rules (e.g. disable Block List usage) or have the VPS
	 provider increase numiptent. A value of ~700-1000 should be fine for
	 most SPI firewall applications with full Block List configuration

	 Added support for the BOGON List (Block List) with LF_BOGON - 
	 http://www.cymru.com/Bogons/
	 See link and csf.conf for more information

	 Fixed problem with RELAYHOSTS not working

	 Removed use of the replace binary

2.95   - Reduced memory overhead and added large file skipping for LF_DIRWATCH

	 Improved performance of LF_DIRWATCH trigger checks

         Fixed problem with LF_SELECT temporarily blocking outbound access on
         all ports. Now only the relevant inbound port(s) will be blocked if
         triggered

2.94   - Fixed linux line-endings in some configuration files from v2.93 -
         doesn't affect existing installations

2.93   - Improved mod_security v2 regex for filter triggers

         Added MySQL v5 check

2.92   - Improved the cPanel version check for < v11 and whether up to date

         Added new CLI option -t (--temp) which lists the temporary IP bans and
	 the TTL before the IP is flushed from iptables

	 Added "View Temporary IP Bans" to WHM UI

	 Changed WHM UI lfd Log auto-refresh default to unchecked

         Added regex for dovecot "Aborted login" messages in /var/log/maillog

         Added support for displaying mod_security v2 logs in WHM UI

2.91   - Added Fedora Core v6 to the obsolete OS check

         Added php v4 check

	 Added apache v2.2 check

	 Added Perl v5.8.8 check

         Added cPanel v11 check

	 Modified Sys::Syslog use to utilise the ndelay and nofatal options

	 Added new option GLOBAL_IGNORE which makes lfd ignore IP's listed in
	 a globally located ignore file

	 Added new option CT_STATES to Connection Tracking so that you can
	 specify which connection states you want to count towards CT_LIMIT,
	 e.g. SYN_RECV

2.90   - Ensured that Process Tracking doesn't affect processes running under
         root

	 Added /usr/local/cpanel/bin/cpwrap to the csf.pignore file for new and
	 existing installations

	 Added Apache v2 checks to Server Checks Report

	 Removed mod_evasive from Server Checks Report as it appears to be less
	 relevant, especially with Apache v2

2.89   - Fixed the csf webmin module

         Added updates to the webmin module

	 Completely removed use of cat in the WHM module and wget/cat from the
	 webmin module

2.88   - Fixed typo in csf.conf for new installs LF_LOAD -> PT_LOAD

         Modified the courier IMAP and POP3D regex's to include connections
	 over SSL in lfd

	 Modified lfd to ignore cpdavd processes

	 Modified the cPanel regex's to include cPanel v11 variants in lfd

2.87   - Fixed duplication of settings during generic configuration upgrade
         procedure

         Only display version confirmation update message when running csf -u
	 interactively (Thanks to Brian Coogan for the perl tip)

	 Fixed issue with temporary files not being truncated before being
	 written to, which caused problems e.g. with global allow/deny files

	 Added new option CT_SKIP_TIME_WAIT to exclude TIME_WAIT state from
	 connection tracking

	 Updated the csf webmin module to use the &ReadParse() routine to
	 overcome problems when running through SSL (Thanks to Tim Ballantine
	 for this tip)

2.86   - Added regex for SSH on Debian v4 and for "Failed keyboard-interactive"
         on RedHat

2.85   - Fixed a problem with v2.84 which broke permanent IP blocking in lfd -
         it's been a long week :-/

2.84   - Fixed problem with permanent LF blocks in lfd for individual
         application port blocks when set to permanent

	 Added new SYSLOG option to csf.conf to allow additional lfd logging to
	 SYSLOG (requires perl module Sys::Syslog)

	 Added a minimum to LF_DSHIELD and LF_SPAMHAUS ip block lists refresh
	 interval of 3600 to prevent getting yourself blocked!

2.83   - Fixed broken Server Check from v2.82

2.82   - Fixed the documentation for LF_TRIGGER_PERM

         Fixed issue where RT_[relay]_ALERT set to "0" was being ignored

	 Fixed condition from v2.80 which prevented SCRIPT_ALERT from working

	 If killproc.conf does not exist the Server Check now links to the
	 Background Process Killer page instead of issuing a file missing error

2.81   - Added exe:/usr/local/cpanel/cpdavd to csf.pignore

         Added option to disable refresh in WHM csf UI when viewing lfd.log

	 Removed debug code that prevented IP blocking -- oops

2.80   - Added new lfd feature - Relay Tracking. This allows you to track email
         that is relayed through the server (cPanel only). It tracks general
	 email sent into the server, email sent out after POP before SMTP and
	 SMTP_AUTH authentication, local email sent from the server (e.g. web
	 scripts). There are also options to send alerts and block IP addresses
	 if the number of emails relayed per hour exceeds configured limits.
	 The blocks can be either permanent or temporary. Currently blocking
	 does not function for LOCALRELAY email.

	 Introduced a new blocking mechanism in lfd that allows a choice of
	 permanent or temporary IP blocking. See csf.conf (LF_TRIGGER_PERM) for
	 details on how to configure the various blocking options to use
	 temporary instead of permanent blocks, e.g. for Login Failure blocking

         Modified new installations to default to using separate triggers for
         login failures, instead of the global LF_TRIGGER value

2.79   - Bug fixes

         Added ACCEPT rule to 127.0.0.1:25 for the "cpanel" user if SMTP_BLOCK
	 is enabled for the new cPanel Webmail configuration in v11

	 Added new configuration option DROP that allows you to choose the drop
	 target for rejected packets (see csf.conf for more information)

	 Remove /etc/cron.d/csf_update on uninstall

2.77   - Closed vulnerability with temporary file checking

         Tightened log file regex's to prevent spoofed remote IP block attacks

2.76   - Improved file checking in Server Check script to prevent WHM failures

2.75   - Modified Server Check to only look at pure-ftpd settings if installed

         Simplified throttling mechanism

2.74   - Modified PHP Server Checks to use the php binary output instead of
         trying to find the active php.ini file

	 Added PHP Server Check for register_globals

	 Improvements to the Server Check code

	 Fixed bug in TCP port 23 check in Server Check

         Added new option --check (-c) to check whether the installed version
         of csf is the latest, no update is performed

	 Added multiple csf configuration checks to the Server Check report

         Added throttling to LF_INTEGRITY and increased the timeout
         proportionally

2.73   - Modified SMTP_BLOCK warning on VPS servers to only display if the
         option is enabled

         Modified the Server Services Check text to omit using -del with
         chkconfig and better explain that a process is enabled even if it is
         not currently running and needs to be disabled to prevent startup on
         boot

	 Removed reliance on wget for updates and version checks

	 Coding improvements in csf.pl and addon_csf.cgi

	 Added /var/log/lfd.log tail automatic refresh to WHM UI

2.72   - Fixed problem with DENY_IP_LIMIT not counting all IP entries in
         csf.deny correctly

         Ignore and issue a warning if SMTP_BLOCK is enabled on a Virtuozzo VPS
         since the Virtuozzo VPS kernel does not support ipt_owner

	 Remove Shell/Fork Bomb Protection check in Server Check as the option
	 breaks a Virtuozzo VPS if enabled

	 Added more processes to check in Server Services Check

	 Removed restriction on outbound source port rule construction

2.71   - Added CSS settings to support pre-v11 cPanel installations

2.70   - Modified to adopt cPanel v11 WHM theme

         Added ports 2077 and 2078 (cPanel WebDAV server) to csf.conf for new
	 installations for v11 cPanel

	 Added FC5 to the list of (or soon to be) unsupported OS's

	 Fixed LF_SMTPAUTH not correctly being set to LF_FTPD when upgrading

2.69   - Added back LF_DIRWATCH_DISABLE functionality securely. Fixed bug where
         a suspicious directory would not be removed

	 Added perl module check for File::Path

	 Added path configuration to tar and chattr in csf.conf

	 Added new option LF_SMTPAUTH which checks for SMTP AUTH exim login
	 failures. When upgrading the new setting will be set to whatever you
	 have LF_FTPD set to

2.68   - Security Fix - If you have LF_DIRWATCH_DISABLE on then this can lead
         to arbitrary code being executed in the context of the user running
         lfd, i.e. root. This option has been disabled in the code until
         further notice. You will have to manually remove any reported files.

	 Tightened csf file ownerships on installation

2.67   - Security fix - A major security issue has been found in the
         LF_DIRWATCH code that can lead to arbitrary code being executed in the
	 context of the user running lfd, i.e. root, if that option is enabled
	 and a hacker has access to create a crafted filename in one of the
	 watched directories. This update closes this hole.

	 *ALL INSTALLATIONS SHOULD BE UPGRADED ASAP TO AVOID POTENTIAL
	 EXPLOITATION*

2.66   - Modified LF_CPANEL text in csf.conf for new installations to reflect
         the change in the SSL login handling by cPanel (i.e. it does now log
	 SSL login IP's)

	 Modified the log line monitoring in lfd to cope with log line flooding
	 to prevent looping/excessive resource usage. Also recoded without the
	 use of the POSIX routines

	 lfd process name now shows which log file it is scanning

2.65   - New Feature: System Integrity Checking. This enables lfd to compare
         md5sums of the server's OS binary application files from the time when
	 lfd starts. If the md5sum of a monitored file changes an alert is
	 sent. This option is intended as an IDS (Intrusion Detection System)
	 and is the last line of detection for a possible root compromise. See
	 csf.conf for more information

2.64   - Modified lfd check for rotated system logs to re-open a log file if
         logs are emptied instead of rotated

2.63   - Added regex support for uw-imap (imap and pop3) login failures

         Added regex support for proftpd login failures

         Timeout version check in case version server is unavailable

2.62   - Fixed CIDR support issue with csf.ignore only recognising the first
         listed entry

2.61   - Fixed problem with lfd not being killed by /etc/init.d/lfd

2.60   - Added log file locations to csf.conf

         openSUSE v10 compatible (generic)

	 Debian v3.1 (sarge) compatible (generic)

         Ubuntu v6.06 LTS compatible (generic)

	 Added installation check for the LWP (libwww-perl) perl module

	 Ran spell checker against the readme.txt file

2.59   - Fixed mod_security report not displaying if only 1 entry

2.58   - Tweaked the mod_security entry layout

2.57   - New feature: WHM UI mod_security v1 display last X entries in the
         audit_log

         New feature: WHM UI mod_security v1 edit files or directories in
         /usr/local/apache/conf/ that are prefixed with modsec or mod_sec

	 Tweaked the pre-configured Firewall Security Level settings

2.56   - Fixed v2.55 fix for non-EDGE versions

2.55   - Fix to support current EDGE in csf WHM UI

2.54   - Tightened the mod_security v1 regex after the changes in v2.52

2.53   - Modified Server Check to reflect withdrawn FedoraLegacy support for
         FC3 and FC4 which should now be considered insecure

2.52   - Separated the log file regex's into regex.pm for those brave enough
         to tailor them for non-cPanel servers

         Unified installer for cPanel and non-cPanel installations - so that
         only install.sh needs to be run (it checks for the existence of
         /usr/local/cpanel/version). If you install on a server intending to
         use cPanel before cPanel is installed, run the install.cpanel.sh
         script instead

	 Added mod_security v2 regex when running Apache2 to lfd

	 Added [iptext] tag for connectiontracking.txt to list all the
	 connections of an offending IP. Add this manually for existing
	 installations

2.51   - Major Enhancement: csf+lfd can now be installed and used on a generic
         Linux OS without cPanel using install.generic.sh - see readme.txt for
	 more information

         PF INVDROP entries made bi-directional if PF logging enabled (reduces
	 the number of INVDROP LOG rules by half)

	 Fixed Process Tracking throttle control to correctly use PT_INTERVAL

2.50   - Removed option ALLOW_RES_PORTS from new installs, setting is ignored

         Check for LF at the end of form data for files edited through the WHM
	 UI and append one if omitted

	 Following the changes in 2.48 the LOGDROP chain doesn't distinguish
	 between incoming and outgoing blocks. So, LOGDROP has now been split
	 into LOGDROPIN and LOGDROPOUT

2.49   - Fixed issue if ETH_DEVICE was set and from changes in 2.48

2.48   - csf will now specify ! lo as the main ethernet device unless otherwise
         defined in ETH_DEVICE. This will mean that the firewall is applied to
	 all ethernet devices on the server unless otherwise specified in the
	 configuration

2.47   - Modified DYNDNS code to set listed domains IP addresses to be ignored
         as if they were listed in csf.ignore

	 If adding an IP address to csf.allow that is already in csf.deny, the
	 IP address will now be removed from csf.deny first and the DROP 
	 removed from iptables. It will then be added to csf.allow as normal

2.46   - Added auto-detection of additional exim port (same as SSH port) which
         will be added to TCP_IN on csf installation (or if in TESTING mode)

	 Only report PT_USERMEM and PT_USERTIME PIDs once

2.45   - Added workaround to restart the bandmin acctboth chains if csf is
         stopped or (re)started

	 Rewritten the way RELAYHOSTS works so instead of using an iptables
	 chain a check is done at block time on the IP address and if it is in
	 /etc/relayhosts then it will be treated as if it is listed in
	 csf.ignore

	 Enabled RELAYHOSTS by default, which is now a boolean on off (1 or 0)
	 instead of a time interval

	 Added exe:/usr/local/cpanel/bin/logrunner to csf.pignore

	 Added new options PT_USERMEM and PT_USERTIME to report excessive user
	 process usage and optionally PT_USERKILL to kill such processes. An
	 alert is sent using resalert.txt

2.44   - Added new option PT_LOAD which will detect if the server load average
         of choice exceeds a set threshold and send an alert

	 Reduced the DROP_NOLOG default setting to not include ephemeral ports
	 for new installations

	 Moved DROP_NOLOG rules to the LOGDROP chain

2.43   - Added new option DROP_PF_LOGGING which will give detailed iptables log
         information on dropped packets that are INVALID or out of sequence.
	 This can help tracking down why iptables may be blocking certain IP
	 connections

2.42   - Improved the csf locking mechanism to avoid deadlocks

2.41   - Fixed syntax in lfd procedure for csf locking

         Added pre and post csf job detection. If /etc/csf/csfpre.sh exists it
	 will be run before any of the csf iptables rules are applied. If
	 /etc/csf/csfpost.sh exists it will be run after all of the csf rules
	 have been applied. This allows you run your own iptables commands
	 within those files. Each file is passed through /bin/sh

	 Added two new command line options to completely enable and disable
	 csf and lfd

	 Added Enable and Disable options to WHM UI

2.40   - Added csf lock procedure to avoid iptables race conditions if
         multiple/simultaneous instances of csf or lfd are executed

	 Added check for child reaper looping to dramatically reduce lfd load

2.39   - Added OS check to Security Check to warn if using RH7/9 FC1/2 which
         are no longer supported (or about to be retired)

	 Made lfd more lenient when it cannot open a log file (reports the
	 error but continues to function)

	 PHP Server Check - if /opt/suphp_php_bin/php.ini exists use that for
	 php settings

	 Added new option RELAYHOSTS to csf.conf which allows you to
	 automatically allow access to IP's listed in /etc/relayhosts at a
	 specified interval

2.38   - Fixed DYNDNS (forgot to add the rule to redirect packets to the
         ALLOWDYN iptables chain)

2.37   - Added canna to the Security Check

         New feature - added support for dynamic dns (DYNDNS) records. See
	 csf.conf for more information

	 Added dyndns file edit to WHM UI

2.36   - Added runlevel check to Security Check

         Added nobody cron check to Security Check

	 Added melange server check to Security Check

	 Modified the regex for the php.ini disable_functions check

	 Added timing function to lfd that logs how long each stage takes. This
	 can be enabled by editing lfd.pl and setting $timing=1 - this can help
	 in tracking down performance issues with lfd

2.35   - Added specific exclusion for proftpd in lfd.pl process tracking

         Fixed bug with LF_GLOBAL being ignored

2.34   - Added a new option (beta for now) PT_SMTP. This option will check for
         outgoing connections to port 25, excluding root, exim and mailman. The
	 purpose of the feature is to log SMTP connections if you believe you
	 have a spammer on the server who is bypassing exim to send out spam
	 emails - this is traditionally a very difficult form of spam to track
	 down. The option currently logs relevant process information to
	 lfd.log to avoid an email alert flood.

2.33   - Code modification to allow csf+lfd to run without erroring on cPanel
         DNS-Only installations

	 Added forced error checking on SMTP blocking iptables commands

	 Added check in csf and lfd for duplicate settings in csf.conf

2.32   - Added new option SMTP_ALLOWLOCAL to allow local connections to port 25
         for web scripts, etc, if SMTP_BLOCK is enabled

	 Added check to csf startup to fail if "WHM > Tweak Security > SMTP
	 Tweak" is enabled otherwise it can break SMTP traffic completely. The
	 SMTP_BLOCK and SMTP_ALLOWLOCAL options in csf.conf should be used
	 instead

2.31   - Added automatic throttling code to help prevent lfd using excessive
         resources. Currently only added for LF_DIRWATCH and PT_INTERVAL. If
	 the sub process takes too long to run, the interval between its next
	 run is increased temporarily (for the duration lfd runs for, a restart
	 will reset it) and will continue to extend this time to prevent
	 excessive server load. However, it will also proportionately increase
	 the time given for the sub process to complete so that it can at least
	 attempt to get the check done. If you see throttling messages
	 appearing in the lfd.log you should consider increasing the process
	 interval as indicated permanently (i.e. within csf.conf)

	 Added throttling to CT_INTERVAL
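         The throttling described above, as an added Python illustration
         (constructed for this changelog, not csf's own Perl code): when a
         check overruns its timeout, the interval and the timeout grow by the
         same factor, a hypothetical cap (max_steps) stops the growth, and a
         new object (an lfd restart) returns to the configured values.

```python
from dataclasses import dataclass, field


@dataclass
class ThrottledCheck:
    """Adaptive throttle for a periodic lfd-style sub process.

    `interval` and `timeout` are the configured csf.conf values. Each time the
    check fails to finish within its current timeout, both are scaled by
    `factor`: the next attempt runs later and gets proportionately more time.
    The scaling lives only in memory, so constructing a new object (an lfd
    restart) goes back to the configured values.
    Constructed illustration; not csf's implementation.
    """
    name: str
    interval: float
    timeout: float
    factor: float = 2.0
    max_steps: int = 4            # hypothetical cap so the check keeps running
    steps: int = 0
    messages: list = field(default_factory=list)

    @property
    def current_interval(self) -> float:
        return self.interval * self.factor ** self.steps

    @property
    def current_timeout(self) -> float:
        return self.timeout * self.factor ** self.steps

    def run(self, check):
        """Run `check(budget_seconds)` once and return (completed, next_interval).

        `check` returns True if it completed within the budget (lfd enforces
        this with a timeout around the child; here the callable decides).
        """
        completed = bool(check(self.current_timeout))
        if not completed:
            if self.steps < self.max_steps:
                self.steps += 1
            self.messages.append(
                f"*{self.name}* timed out; throttled to interval "
                f"{self.current_interval:.0f}s, timeout {self.current_timeout:.0f}s "
                f"(raise the interval in csf.conf if this persists)"
            )
        return completed, self.current_interval


def simulate(needed_seconds, interval=300.0, timeout=10.0, runs=3):
    """Drive a check that always needs `needed_seconds` to finish.

    Returns one (completed, next_interval, next_timeout) tuple per run.
    """
    throttle = ThrottledCheck("LF_DIRWATCH", interval, timeout)
    history = []
    for _ in range(runs):
        completed, next_interval = throttle.run(lambda budget: needed_seconds <= budget)
        history.append((completed, next_interval, throttle.current_timeout))
    return history


if __name__ == "__main__":
    for entry in simulate(15):
        print(entry)
```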

2.30   - Modified PT_USERPROC to respect all ignore entries in csf.pignore

2.29   - New feature - User Process Tracking. This option enables the tracking
         of the number of processes any given cPanel account is running at one
	 time. If the number of processes exceeds the value of the PT_USERPROC
	 setting an email alert is sent with details of those processes. A user
	 is only reported once, so lfd must be restarted to reinstate checking
	 of all users. If you specify a user in csf.pignore it will be ignored.
	 The alert file is useralert.txt

	 Added useralert.txt for editing through the WHM UI

	 Added PT_USERPROC to the Firewall Security Level settings

2.28   - Added /usr/local/apache1/bin/httpd and /usr/local/apache2/bin/httpd to
         csf.pignore

	 Only perform strict iptables error checking when in TESTING mode

2.27   - Fixed another misconfiguration for outgoing global deny rule - Thanks
         again to Marie from Jagwire Hosting

2.26   - Fixed a misconfiguration for outgoing global deny rule - Thanks to
         Marie from Jagwire Hosting

	 Allow advanced allow and block filters using the -a and -d options
	 when running csf in CLI

	 Added new option LF_SELECT. If you have LF_TRIGGER set to "0" and the
	 application trigger levels set, you can now set LF_SELECT to "1" if
	 you only want to block IP access to that application instead of a
	 complete block

	 Changed installer behaviour to only add SSH port to TCP_IN if TESTING
	 is set to "1" - done to help those that don't want to always have the
	 SSH port opened

2.25   - Modified lfd init procedure to use the init functions

         Modified behaviour of LF_TRIGGER. If LF_TRIGGER is set to "0" then lfd
	 will instead trigger blocks based on the value of the application
	 trigger, e.g. if LF_MODSEC is set to "3" then it will trigger on 3
	 mod_security alerts. Or if LF_POP3D is set to "10" then it will
	 trigger on 10 pop3d login failures. When in this mode, i.e. with
	 LF_TRIGGER set to "0", login failures for different triggers are not
         cumulative, whereas with LF_TRIGGER set to a number > "0" they are
         cumulative as before

	 Modification to csf.conf to reflect the changes to LF_TRIGGER - only
	 applied to new installations
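         The two LF_TRIGGER modes described here, together with the LF_SELECT
         option from v2.26 above, as an added Python model (constructed
         illustration, not csf's lfd code; CONF and APP_PORTS are made-up
         sample settings): failures add up to one total when LF_TRIGGER > 0,
         each application is judged against its own LF_* value when it is
         "0", and LF_SELECT then narrows the block to that application's ports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed csf.conf-style settings for this example (not a real csf.conf).
CONF = {
    "LF_TRIGGER": "0",   # "0": per-application triggers; > 0: one cumulative total
    "LF_SELECT": "1",    # with LF_TRIGGER "0": "1" blocks only that application's ports
    "LF_SSHD": "5",
    "LF_POP3D": "10",
    "LF_MODSEC": "3",
}

# Hypothetical map from application to the inbound ports an LF_SELECT block covers.
APP_PORTS = {"sshd": "22", "pop3d": "110,995", "modsec": "80,443"}


@dataclass(frozen=True)
class Block:
    ip: str
    scope: str     # "all" (block the IP completely) or "ports" (LF_SELECT block)
    ports: str     # port list for a "ports" block, "*" otherwise
    apps: tuple    # applications whose failures caused the block


class LoginFailureTracker:
    """Decides when a stream of login failures for an IP becomes a block."""

    def __init__(self, conf, app_ports):
        self.conf = conf
        self.app_ports = app_ports
        self.failures = defaultdict(lambda: defaultdict(int))   # ip -> app -> count
        self.blocked = {}                                         # ip -> Block

    def record(self, ip, app):
        """Count one failure for (ip, app); return a Block when a threshold is met."""
        if ip in self.blocked:
            return None          # already blocked: no repeat alert or block
        self.failures[ip][app] += 1
        block = self._evaluate(ip, app)
        if block is not None:
            self.blocked[ip] = block
            del self.failures[ip]
        return block

    def _evaluate(self, ip, app):
        global_trigger = int(self.conf["LF_TRIGGER"])
        if global_trigger > 0:
            # Cumulative mode: failures against any application add up to one
            # total, and the resulting block always covers every port.
            if sum(self.failures[ip].values()) >= global_trigger:
                return Block(ip, "all", "*", tuple(sorted(self.failures[ip])))
            return None
        # Per-application mode: compare this application's own count with its LF_* value.
        app_trigger = int(self.conf.get(f"LF_{app.upper()}", "0"))
        if app_trigger == 0 or self.failures[ip][app] < app_trigger:
            return None
        if self.conf.get("LF_SELECT") == "1":
            return Block(ip, "ports", self.app_ports.get(app, "*"), (app,))
        return Block(ip, "all", "*", (app,))


if __name__ == "__main__":
    tracker = LoginFailureTracker(CONF, APP_PORTS)
    result = None
    for _ in range(5):
        result = tracker.record("203.0.113.7", "sshd")   # constructed test IP
    print(result)
```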

         Rewrite of the iptables command invocation in lfd.pl to trap iptables
	 errors and shutdown firewall if any found - should help prevent
	 lockouts

	 Allow advanced rules in Global Allow and Deny lists. Input and Output
	 direction support included.

	 Added Global Allow and Deny lists to the OUTPUT chain as well as the
	 INPUT chain

	 Added csf.signore where you can list scripts for LF_SCRIPT_ALERT to
	 ignore. Updated WHM UI to allow easy file edits

2.24   - Fixed global allow/deny lists so that you no longer have to specify
         both an allow and a deny file

2.23   - Modified LF_SCRIPT checking to also look for HOMEDIR and HOMEMATCH
         from the cPanel configuration

	 Added maildir check to Security Check

	 Fixed a typo in advanced rules - Thank you to Victor from Touch
	 Support for pointing this out

	 Added binary executable check for LF_DIRWATCH files

	 Added core dump check in cron directories to LF_DIRWATCH

	 Added /var/tmp check to LF_DIRWATCH if inode with /tmp does not match

	 Increased LF_DIRWATCH timeout from 10 to 20 seconds - if you still
	 find it timing out, make sure that you have been clearing down your
	 tmp directories

2.22   - Added CIDR recognition to csf.ignore

         Rewrite of the iptables command invocation in csf.pl to trap iptables
	 errors and shutdown firewall if any found - should help prevent
	 lockouts

2.21   - Fixed a problem on some installations where the update process emptied
         out csf.conf. If this has happened, you will need to remove
	 /etc/csf/csf.conf and then rerun the installation procedure and
	 reconfigure the firewall. If you're already running at least v2.18 you
	 can probably simply restore /etc/csf/csf.conf.preupdate to csf.conf
	 and then upgrade to this release

2.20   - Added workaround for different output from the fuser application in
         different OS's

2.19   - Added Security Check for recursion restrictions in named.conf

         Modified port 23 check to be quicker

	 Added Security Check for localhost/127.0.0.1 entry in resolv.conf

	 Added Security Check for webmin if running

	 Added 3 more WHM Security Checks for domain parking

	 Added Security Check for boxtrapper

	 Added a Run Again button to the Security Check page

	 Added Security Checks for cPanel and security package updates

2.18   - Fixed an issue with checking the /var/tmp symlink by comparing the
         inodes of /tmp and the symlink destination of /var/tmp

         Added checking of /usr/tmp

	 Added checking of SSH PasswordAuthentication

	 Modified update routine to take a copy of csf.conf before upgrading -
	 the backup file is /etc/csf/csf.conf.preupdate

	 Added check in /etc/cron.daily/logrotate for /tmp noexec workaround

2.17   - Fixed installation process where duplicate entries were being added to
         csf.conf for new settings. Routine added to remove duplicates and
	 redundant settings

         Added logrotate script for the lfd.log file

2.16   - Fixed syntax issue with the csf.deny application feature added in
         v2.15 that prevents csf adding the IP to csf.deny

2.15   - Added a list of the applications that lfd blocks a login failure for
         into csf.deny, e.g. (ftpd,mod_security)

	 Extended LF_DIRWATCH with a new option LF_DIRWATCH_FILE. This feature
	 will watch for changes in directories and files listed in csf.dirwatch
	 using an md5sum for the ls output. If the md5sum changes between
	 checks an email alert is sent using watchalert.txt
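         An added Python illustration covering both the System Integrity
         Checking of v2.65 above and the LF_DIRWATCH_FILE listing digest here
         (constructed example, not csf's code; re-baselining after an alert is
         this example's design choice): files are digested by content,
         directories by an ls -lAR-style listing built without invoking a
         shell, and each change is reported once.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path):
    """md5 of a file's content: the per-binary check of the integrity option."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def listing_digest(directory):
    """md5 over an 'ls -lAR'-style recursive listing (name, mode, size, mtime of
    every entry, dotfiles included). Built with os.walk/lstat rather than by
    running ls, so untrusted filenames in a watched directory never reach a shell."""
    h = hashlib.md5()
    for root, dirs, files in os.walk(directory):
        dirs.sort()
        for name in sorted(dirs + files):
            full = os.path.join(root, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, directory)
            h.update(f"{rel} {stat.filemode(st.st_mode)} {st.st_size} {st.st_mtime_ns}\n".encode())
    return h.hexdigest()


class IntegrityMonitor:
    """Baseline a set of files and directories at start-up and report changes."""

    def __init__(self, files=(), directories=()):
        self.files = list(files)
        self.dirs = list(directories)
        self.baseline = self.snapshot()      # taken when the monitor (lfd) starts

    def snapshot(self):
        snap = {}
        for f in self.files:
            snap[("file", f)] = file_digest(f) if os.path.isfile(f) else None
        for d in self.dirs:
            snap[("dir", d)] = listing_digest(d) if os.path.isdir(d) else None
        return snap

    def check(self):
        """Return the (kind, path) entries whose digest differs from the last check,
        then adopt the new digests so each change is alerted once, not every pass."""
        current = self.snapshot()
        changed = [key for key, digest in self.baseline.items() if current.get(key) != digest]
        self.baseline = current
        return changed


def demo():
    """Run the monitor over a constructed temporary tree; return what each pass reported."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp, "bin", "login")                    # stands in for an OS binary
        binary.parent.mkdir()
        binary.write_bytes(b"#!/bin/sh\nexit 0\n")
        watched = Path(tmp, "tmp")                            # stands in for a csf.dirwatch entry
        watched.mkdir()
        (watched / "sess_abc").write_text("session data")
        mon = IntegrityMonitor(files=[str(binary)], directories=[str(watched)])
        first = mon.check()                                   # nothing changed yet
        binary.write_bytes(b"#!/bin/sh\nexit 1\n")           # binary content replaced
        (watched / ".cache.php").write_text("")               # new dotfile in watched dir
        second = [kind for kind, _ in mon.check()]
        third = mon.check()                                   # already re-baselined
        return first, second, third


if __name__ == "__main__":
    print(demo())
```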

	 Modified pid file locking for the lfd process to ensure duplicate
	 processes won't run

	 Completely reworked the child reaper code to prevent SIG_CHLD kernel
	 errors. Removed DISABLE_SIG_CHLD_IGNORE from csf.conf for new installs

	 Added new option to csf.fignore that allows you to ignore files owned
	 by a specific user by adding an entry in the format user:bob

	 Fixed bug in LF_DSHIELD timer code

	 Wrapped LF_DSHIELD and LF_SPAMHAUS in a 10 second timeout to fetch
	 their respective data

	 New Feature - GLOBAL_ALLOW and GLOBAL_DENY options allow you to
	 specify a URL where csf can grab a centralised copy of an IP allow
	 and/or deny block list of your own. They are both retrieved after a
	 LF_GLOBAL interval in seconds by lfd

	 Added WHM UI changes for LF_DIRWATCH_FILE

2.14   - Modification to /var/tmp check to cater for symlinks with a trailing
         slash

	 Added check for native SSL support in cPanel in Server Check for those
	 versions that now support it

	 Added MySQL port check to Server Check

         Added missing comments when clicking Display All Comments

2.13   - Added cPanel version check to Security Check

         Added suspicious symlink checking to LF_DIRWATCH

	 Added a Display All Comments to Security Check

	 Added hyperlinks to WHM URLs in Security Check comments

	 Fixed the Apache Limits comments of the Security Check

	 Added shell limit checks to Security Check

	 Added Background Process Killer to Security Check

2.12   - Removed duplicate /var/tmp tests

         Fixed another typo

2.11   - Typo corrections in output text

         Removed dependencies on external modules for the Server Check report

2.10   - Fixed /dev/shm test

2.09   - Removed the nodev check on /tmp etc

2.08   - Changed app name to ConfigServer Security & Firewall

         New Feature - Added Server Security Check report to WHM UI

2.07   - Improved suspicious directory detection

2.06   - Document update

         Change directory watching to only check for suspicious sub directories

2.05   - Fixed log file error if DShield or Spamhaus block list retrieval fails

         Added perl regex matching in csf.fignore (see updated readme.txt)

2.04   - Added /tmp/.horde/* to csf.fignore

2.03   - Fixed a looping issue with the temporary Connection Tracking block
         code

         Added a 10 second timeout for the LF_DIRWATCH child to prevent looping

2.02   - In LF_DIRWATCH, allow wildcard matching at the end of a file name in
         csf.fignore, such that /tmp/clamav* will ignore any files starting
	 with /tmp/clamav, e.g. /tmp/clamav-1234

	 Added a throttle to LF_DIRWATCH - if more than 10 emails are being
	 emailed in one pass, LF_DIRWATCH will create the file
	 /etc/csf/csf.dwdisable and then disable itself. To get it watching
	 again, either restart lfd or delete that file

	 Fixed a bug where LF_DIRWATCH always reported the same file when
	 different files had been detected in a pass

2.01   - Added an LF_DIRWATCH exception for postgres /tmp files

         Prevent a file being reported more than once in an LF_DIRWATCH run

         Removed LF_DIRWATCH check for files being executable since too many
	 apps set temporary files with the flag set, e.g. mod_gzip

2.00   - New feature: Directory Watching. LF_DIRWATCH enables lfd to check /tmp
         and /dev/shm and other pertinent directories for suspicious files,
	 i.e. script exploits. These can optionally be moved into a tarball

	 Directory Watching false-positives can be listed in csf.fignore which
	 is accessible from the WHM UI

1.99   - Bug fix for multiple NICs in the lfd code

1.98   - Modified code to allow for multiple ethernet NICs so that all rules
         are applied to all NICs, for example, if you have IP's spread over
	 eth0 and eth1. To do this you have to set ETH_DEVICE = "eth+"

1.97   - Tightened DNS port 53 connections in accordance with:
         http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07

	 Moved no log dropping to the end of the chains

	 Moved allowed IP's to before Block Lists

1.96   - Liberalised connections allowed to and from DNS port 53

1.95   - Fixed WHM UI update. If you're running v1.93 or v1.94 you'll have to
         update from shell to get to v1.95 using:
	 csf -u

1.94   - Set DROP_IP_LOGGING to 0 by default to cut down on syslog traffic

         Added exe:/usr/local/cpanel/bin/cppop-ssl to csf.pignore

1.93   - Fixed problem where external resolvers were being used and responses
         from them were being dropped because they were coming back on
	 ephemeral ports - added a scan of /etc/resolv.conf and external
	 nameservers now have whitelisted source port 53 to ephemeral ports

	 Drop logging of failed attempts to access port 53 so they don't
	 consume syslog

         Moved update from /tmp to /usr/src

1.92   - Fixed bug where the DShield and Spamhaus block lists weren't being
         periodically updated by lfd

1.90   - Minor fix to pre-configured settings

1.89   - Added Pre-configured settings for Low, Medium or High firewall security
         to WHM UI

1.88   - Fixed csf DSHIELD block logging so it now goes to the BLOCKDROP chain

1.87   - Modified drop list chains to use their own drop logging to
         differentiate from normal drop - if drop logging enabled

1.86   - Modified lfd connection tracking to drop udp as well as tcp packets
         when blocking

	 Added support for the DShield Block List with LF_DSHIELD -
	 http://www.dshield.org/block_list_info.php
	 See csf.conf for more information

	 Added support for the Spamhaus DROP List with LF_SPAMHAUS -
	 http://www.spamhaus.org/drop/index.lasso
	 See csf.conf for more information

1.85   - Workaround for spam PT false-positives

         Added exe:/usr/bin/spamc to csf.pignore

	 Added csf version to title bar in WHM

1.84   - Added new cpsrvd-ssl executable to csf.pignore for the new SSL native
         cPanel setup (currently in EDGE)

1.83   - Enhanced lfd.log logging for application failure detection lines

         Set lfd to ignore child processes to get rid of zombie children. If
	 you see kernel messages regarding SIG_CHLD (it's a kernel bug) you can
	 revert to the child reaper method by enabling DISABLE_SIG_CHLD_IGNORE,
	 but you are likely to see harmless <defunct> lfd zombie processes

1.82   - Modified to only load LKM ipt_owner if SMTP_BLOCK enabled

         Extended the Advanced Allow/Deny Filters to allow use of UID and GID
	 filtering for outgoing packets - see readme.txt for more details

	 Modified code to deal with modprobe command output more cleanly

1.81   - Further modification for the newer xt iptables modules

1.80   - Modified iptables LKM modprobe code to cater for newer xt_* module
         naming scheme

1.79   - Added new feature to send an alert email if su is used to login from
         one account to another. Alerts are sent whether the attempt was
	 successful or failed

1.78   - Added workaround for non-ASCII codes after /usr/sbin/pure-ftpd in lfd
         process tracking

1.77   - Added option DISABLE_SIG_CHLD_IGNORE for servers running old kernels,
         e.g. RH9/FC1

	 Modified WHM UI textareas to expand to fit file contents

1.76   - Changed WHM interface to restart csf before lfd when restarting both

1.75   - Fix to prevent duplicates in csf.deny

         Added a slight pause between stop and start when restarting

	 Code fix for TESTING mode crontab entry removal

1.74   - Fixed lfd parsing of csf.ignore when the file contains comments

1.73   - Added new option LF_CSF to restart csf if iptables appears to have
         been flushed (i.e. stopped)

         Added new option LF_SCRIPT_PERM to disable directories identified by
	 LF_SCRIPT_ALERT - see csf.conf for more information

	 Workaround to child reaper when 2 children die at the same time

	 Added workaround for PT spamd false-positives

1.72   - Fixed bug in (deleted) lfd checks

1.71   - Added some more exceptions to csf.pignore

	 Lowered the default setting for LF_SCRIPT_LIMIT to 100

	 Modified PT to check for deleted binaries on exemptions which happen
	 when upcp runs and the binaries are replaced

1.70   - PT now only reports processes with open ports

1.69   - lfd tweaks

1.68   - Additions to csf.pignore

         Added new option PT_SKIP_HTTP - see csf.conf/readme.txt

	 Updated readme.txt regarding unavoidable false-positives and possible
	 mitigation.

1.67   - More tweaks to PT with additions to csf.pignore

1.66   - Updated csf.pignore file with additional executables

	 lfd code tweaks

1.65   - Added very simple ASCII obfuscation for lfd PT skip lines

	 Fixed port typo for entropychat port

1.64   - Updated CLI help and readme.txt for new csf -u command from v1.63

	 Changed the format of the email templates for new installations -
	 if you want to use the new format remove /etc/csf/*.txt and then
	 install csf

	 Added mechanism to prevent multiple email/block attempts from login
	 attacks in lfd

	 Added new feature - Process Tracking. This option enables tracking of
	 user and nobody processes and examines them for suspicious executables
	 or open network ports. Its purpose is to identify potential exploit
	 processes that are running on the server, even if they are obfuscated
	 to appear as system services. If a suspicious process is found an
	 alert email is sent with relevant information - see readme.txt for
	 details

1.63   - Added feature to WHM UI to enable editing of the email templates

	 Modified WHM UI to use fixed-width larger font for command output and
	 edit boxes

	 Added notice to install.txt and readme.txt about enabling klogd (on
	 VPS systems in particular)

	 Added autoupdates system using AUTO_UPDATES - see csf.conf for details

1.62   - Added to APF/BFD removal in WHM UI the logrotate configuration files

	 Added comments system to csf.allow and csf.deny - see readme.txt for
	 more information

1.61   - Tighten up some of the csf rules

	 Added new feature - LF_SCRIPT_ALERT. When enabled it scans
	 /var/log/exim_mainlog for extended exim logging lines whose cwd= field
	 points into /home, which indicates email sent from a script. If
	 LF_SCRIPT_LIMIT emails from the same path are sent within an hour, an
	 alert is sent using scriptalert.txt containing the first 10 probable
	 exim mainlog line matches and also the likely mailing scripts within
	 the identified path - an ideal tool to help identify spamming scripts
	 sending out email through exim. The option is disabled by default as
	 you do need to enable extended exim logging first, as explained in
	 csf.conf
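The detection described for LF_SCRIPT_ALERT, as an added example and not lfd's own code: a sliding one-hour window of script-originated sends per /home path, with the first ten matching lines kept for the alert. The exim line shape, the regex, the path names in the constructed sample log and the low limit of 3 (chosen only so the sample trips it) are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical settings: a limit of 3 is used only so the constructed sample
# trips the alert (csf's own default is far higher).
LF_SCRIPT_LIMIT = 3
WINDOW = timedelta(hours=1)
MAX_EXAMPLES = 10

# Assumed shape of an exim mainlog line with extended logging: timestamp,
# then a cwd= field somewhere on the line. Only /home paths are of interest.
CWD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\bcwd=(/home/\S+)")

# Constructed sample log for this example; not taken from any real server.
SAMPLE_LOG = """\
2006-06-01 10:00:01 cwd=/home/victim/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2006-06-01 10:00:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q15m
2006-06-01 10:05:10 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2006-06-01 10:20:33 cwd=/home/victim/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2006-06-01 10:45:59 cwd=/home/victim/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2006-06-01 13:00:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
"""


def parse_cwd_line(line):
    """Return (timestamp, path) for a line whose cwd= is under /home, else None."""
    m = CWD_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def scan_mainlog(lines, limit=LF_SCRIPT_LIMIT, window=WINDOW):
    """Sliding-window count of script-originated sends per /home path.

    Returns {path: {"count": n, "lines": [first matching raw lines]}} for
    every path that reaches `limit` sends inside `window`; one alert per path.
    """
    recent = defaultdict(deque)    # path -> timestamps still inside the window
    examples = defaultdict(list)   # path -> first MAX_EXAMPLES raw lines
    alerts = {}
    for line in lines:
        parsed = parse_cwd_line(line)
        if parsed is None:
            continue
        ts, path = parsed
        q = recent[path]
        q.append(ts)
        while ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(examples[path]) < MAX_EXAMPLES:
            examples[path].append(line)
        if len(q) >= limit and path not in alerts:
            alerts[path] = {"count": len(q), "lines": list(examples[path])}
    return alerts


if __name__ == "__main__":
    for path, info in scan_mainlog(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {path}: {info['count']} sends within an hour")
        for raw in info["lines"]:
            print("   ", raw)
```

On the sample, only /home/victim/public_html/uploads reaches three sends inside an hour; /home/alice/public_html sends twice, but almost three hours apart, so its window never holds more than one entry.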

1.60   - Modified lfd to use a child reaper instead of ignoring the CHLD signal

	 Added login failure detection for cpanel, webmail and whm connections -
	 this only works for access to the non-SSL ports, as cPanel doesn't
	 know the IP address of the user when connections are over SSL due to
	 the way stunnel works

1.59   - Added workaround to ethernet device detection for VPS servers

1.58   - Fixed problem where SSH port detection on installation would add an
         empty entry (a stray comma) if the SSH port had not been explicitly
	 defined in sshd_config

	 Modified csf and lfd ethernet device detection so that if the device is
	 specified in either csf.conf or /etc/wwwacct.conf, duplicate IPs aren't
	 checked - useful for bonded ethernet devices on some OSes

1.57   - Removed erroneous <CR>'s in lfd.log

         csf start automatically does a restart to avoid problems with any
	 existing iptables rules or chains

	 Added new option "Deny Server IPs" and associated file csf.sips to
	 allow blocking of all traffic on server configured IPs if they're
	 not in use

	 Added notification to CLI and WHM UI if TESTING still enabled

1.56   - lfd modification to avoid a race condition with the ALRM calls

	 Added new feature - /etc/csf/csf.ignore can contain IP addresses that
	 are ignored by lfd. If an event is triggered it may be logged in
	 lfd.log but will not result in an email alert - e.g. you could list
	 your own IP address to avoid alerts from when you login over SSH, etc

	 Added WHM UI option to edit the ignore file

1.55   - Fixed a strict refs issue in lfd

1.54   - Fixed IP DNS lookup routine to avoid empty () when no host found

	 Added local DIE for ALRM calls for IP lookups and netstat commands

	 Removed chkservd restart from /etc/init.d/lfd so that it behaves like
	 other monitored services

	 Improved error trapping routines to better report to lfd.log if the
	 process dies

1.53   - Optimised logging in lfd

	 Improved error handling and reporting in lfd

	 Modified WHM UI report to include all data, not just a single day

	 Improved DROP logging to SYSLOG

	 Added logging of dropped ICMP connections

	 Added new option DROP_IP_LOGGING to log IP addresses that have been
	 blocked in csf.deny or by lfd with temporary connection tracking
	 blocks

1.52   - beta test release

1.51   - Added DNS lookups for IP addresses in all lfd alert emails

1.5    - Added new feature - Connection Tracking. Enables tracking of all
         connections from IP addresses to the server. If the total number of
	 connections is greater than CT_LIMIT then the offending IP address is
	 blocked in csf, or temporarily blocked in iptables. This can be used
	 to help prevent some types of DOS attack

	 Added new feature - SSH login alerts. An email is sent if a successful
	 SSH login is detected

	 Fixed a descriptive issue with the WHM UI

	 Modified so that lfd checks that it doesn't block a server IP

1.42   - Modified lfd login tracking to check the csf.allow file for an
         offending IP address and to skip it if it's allowed - note this only
	 works for specified full IP addresses (not CIDRs or advanced port/IP)

1.41   - Added an exception for 127.0.0.1 when checking ethernet interfaces as
         VPS servers are set up with that IP on both the loopback and main
	 interface

1.4    - Fixed error routine iptables flush command typo

	 Modified interface checking for non-english Linux distributions

	 Modified interface checking for IP addresses assigned to multiple
	 interfaces by mistake (I've just seen this happen!)

	 Set FORWARD chain to ACCEPT on stopping firewall

	 Reorganised csf.pl code

	 Added advanced port+ip filtering within csf.allow and csf.deny with
	 the format: tcp/udp:in/out:s/d=port:s/d=ip (see readme.txt for info)
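A parser for the advanced port+ip format introduced above, as an added example rather than csf's own code: it validates each field and turns an entry into the iptables argument list it would become. The chain names ALLOWIN/ALLOWOUT/DENYIN/DENYOUT, the ACCEPT/DROP targets and the sample entries are assumptions of this example; CIDR notation in the ip field is also an assumption, since the changelog only says "ip".

```python
import ipaddress
import re

# Assumed chain names and targets for allow/deny rules in each direction.
CHAINS = {"allow": "ALLOW", "deny": "DENY"}
TARGETS = {"allow": "ACCEPT", "deny": "DROP"}

FIELD_RE = re.compile(r"^([sd])=(.+)$")


def parse_advanced(entry):
    """Parse 'tcp|udp:in|out:s|d=port:s|d=ip[/cidr]' into a dict.

    Raises ValueError for anything malformed, so a bad line in csf.allow or
    csf.deny is rejected instead of being turned into a wrong rule.
    """
    parts = entry.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {entry!r}")
    proto, direction, port_field, ip_field = (p.strip() for p in parts)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp: {proto!r}")
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be in or out: {direction!r}")
    pm = FIELD_RE.match(port_field)
    im = FIELD_RE.match(ip_field)
    if pm is None or im is None:
        raise ValueError(f"port and ip fields must be s=... or d=...: {entry!r}")
    if not pm.group(2).isdigit() or not 1 <= int(pm.group(2)) <= 65535:
        raise ValueError(f"bad port: {pm.group(2)!r}")
    # strict=False accepts a bare host address as well as a CIDR block;
    # an invalid address raises ValueError, which propagates to the caller.
    net = ipaddress.ip_network(im.group(2), strict=False)
    return {
        "proto": proto,
        "dir": direction,
        "port_side": pm.group(1),
        "port": int(pm.group(2)),
        "ip_side": im.group(1),
        "net": net,
    }


def is_valid(entry):
    """True if `entry` parses, False otherwise."""
    try:
        parse_advanced(entry)
        return True
    except ValueError:
        return False


def to_iptables_args(entry, action):
    """Return the iptables argument list for `entry` under allow or deny."""
    if action not in CHAINS:
        raise ValueError(f"action must be allow or deny: {action!r}")
    r = parse_advanced(entry)
    port_flag = "--sport" if r["port_side"] == "s" else "--dport"
    ip_flag = "-s" if r["ip_side"] == "s" else "-d"
    return [
        "-A", CHAINS[action] + r["dir"].upper(),
        "-p", r["proto"],
        port_flag, str(r["port"]),
        ip_flag, r["net"].with_prefixlen,
        "-j", TARGETS[action],
    ]


if __name__ == "__main__":
    # Constructed sample entries (hypothetical addresses).
    for entry, action in (("tcp:in:d=22:s=192.168.1.1", "allow"),
                          ("udp:out:d=53:d=10.0.0.0/8", "deny")):
        print("iptables", " ".join(to_iptables_args(entry, action)))
```

Every rejected case (wrong protocol, out-of-range port, unparsable address, missing field) surfaces as a ValueError rather than a half-built rule, which is the property you want from anything that feeds a firewall.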

	 Added link to readme.txt in WHM interface

	 Added iptables status (Running/Stopped) to WHM interface

	 Added Quick Allow and Quick Deny IP address options to WHM interface

1.33   - Added blocking of SSL POP3 and IMAP ports to LT (993/995)

	 Added option to Restart csf+lfd within WHM interface when appropriate

	 Added buttons to WHM interface to remove APF or BFD if still installed

	 Removed csf nat and mangle chain actions

1.32   - Modified log line checking to deal with syslog compression. This is
         where syslog will add a line "last message repeated X times" if the
	 next line it were to add is identical to the last. This could lead to
	 login attempts being missed. But no more - lfd now checks for that
	 line and repeats the processing of the previous log line X times to
	 count all the login failures
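The same expansion, as an added example that is not lfd's own code: syslog's "last message repeated N times" marker is replaced by N copies of the preceding line before the failure regex runs, and the per-IP count is compared with and without the expansion. The sshd line format, the regex and the constructed sample log (with documentation-range addresses) are assumptions of this example.

```python
import re

REPEAT_RE = re.compile(r"last message repeated (\d+) times")
# Assumed sshd failure line shape; this regex is the example's, not lfd's.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample syslog excerpt for this example.
SAMPLE_SYSLOG = """\
Jun  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun  1 10:00:05 host last message repeated 4 times
Jun  1 10:00:09 host sshd[1240]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
Jun  1 10:00:12 host sshd[1241]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jun  1 10:00:15 host last message repeated 2 times
"""


def expand_repeats(lines):
    """Yield the log with syslog's repeat compression undone.

    A 'last message repeated N times' line stands for N further copies of
    the previous line, so that line is re-emitted N times and the marker
    itself is dropped. A marker with no preceding line is passed through.
    """
    prev = None
    for line in lines:
        m = REPEAT_RE.search(line)
        if m is not None and prev is not None:
            for _ in range(int(m.group(1))):
                yield prev
            continue   # prev is left as it was: the marker is not a message
        prev = line
        yield line


def count_failures(lines, expand=True):
    """Count sshd password failures per source IP, optionally expanding repeats."""
    source = expand_repeats(lines) if expand else lines
    counts = {}
    for line in source:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print("without expansion:", count_failures(lines, expand=False))
    print("with expansion:   ", count_failures(lines))
```

On the sample, a naive scan sees two failures from 203.0.113.5; with the two repeat markers honoured it sees eight, which is the count a per-IP blocking threshold should be judged against.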

1.31   - Removed some redundant code from csf

	 Display error in csf if IP already in allow/deny file

	 Stopped install.sh from overwriting email templates

	 Added email notification for login tracking including a new email
	 template tracking.txt

	 Added mod_security apache module IP blocking in lfd

1.3    - Fixed a problem with the tick time in the alert report

	 Changed the way allow and deny IP addresses are inserted into iptables
	 so that using the command line -a or -d doesn't require a firewall
	 restart

	 csf -l now shows iptables line numbers

	 Added login tracking (LT) options to keep track of POP3 and IMAP
	 logins and limit them to X connections per hour per account per IP
	 address. Uses iptables to block offenders to the appropriate protocol
	 port only and flushes them every hour. All of these blocks are
	 temporary and can be cleared by restarting csf

1.21   - Added the real log file failure entry matches to the alert email. Existing
         installations will need to add a [text] variable into
	 /etc/csf/alert.txt

	 Added link in WHM to the ChangeLog if a new version is available

1.2    - Fixed uninstall script to remove lfd from chkservd

	 Fixed lfd so that checks were not made on options where a log file is
	 shared

	 Fixed lfd stop/start to dis/enable chkservd option

	 Added upgrade feature to WHM when a new version of csf is available

1.11   - Use full paths to chkconfig within the csf installation scripts

	 Documentation improvements

1.1    - Added option LF_EMAIL_ALERT which enables email alerts if lfd blocks
         an IP address. lfd now forks a child process to handle the IP blocking
	 and email so that it doesn't hinder the daemon process from scanning
	 the logs. It uses a template file for the email.

1.0    - Initial public release

         Set ALLOW_RES_PORTS to default to 1 after further RFC 1700 reading

	 Check /var/log/messages and /var/log/secure for SSHD logins

	 Clarified in the configuration file that only courier-imap/pop3
	 connections are trapped in lfd

1.0RC2 - Added filtering out of \r in WHM interface for allow and deny

	 Fixed typo in WHM addon

	 Added new configuration option ALLOW_RES_PORTS

1.0RC1 - Added iptables reporting to WHM interface using fwlogwatch:
         http://sourceforge.net/projects/fwlogwatch/
	 This processes /var/log/messages and extracts the iptables log entries
	 (if logging is enabled) and produces a simple HTML summary report

0.2b   - Fixed modprobe errors on MONOLITHIC kernels that don't have the nat
         module installed

	 Modified lfd to use asterisks in the log message when blocking, to
	 highlight in Thunderbird in the same way as the kernel log messages if
	 you use the "Quote Colors" extension - http://quotecolors.mozdev.org/

	 Added list of TCP and UDP ports currently being listened on to install

	 Set DNS_ZONE to default to 1

	 Removed backups of csf.conf files as the WHM interface is stable

	 Added ipt_owner module load for SMTP Tweak on LKM kernels

	 Added ipt_LOG to the required module list for LKM kernels to ensure
	 drop logging to syslog

	 Added new configuration option DENY_IP_LIMIT

0.1b   - Initial beta release (24 May 2006)
