From 9e4b84c9511502305159b5020e06f5d99619dbac Mon Sep 17 00:00:00 2001
From: bms8197
Date: Tue, 18 Apr 2023 23:28:10 +0300
Subject: [PATCH] saving uncommitted changes in /etc prior to dnf run

---
 .etckeeper | 7 +-
 cron.daily/csget | 2 +-
 csf/changelog.txt | 17 ++++
 csf/csf.conf | 1 -
 csf/csf.deny | 44 +++++++++
 csf/install.txt | 2 +-
 csf/readme.txt | 2 +-
 csf/version.txt | 2 +-
 httpd/conf.d/ssl.conf | 203 ------------------------------------------
 9 files changed, 68 insertions(+), 212 deletions(-)
 delete mode 100644 httpd/conf.d/ssl.conf

diff --git a/.etckeeper b/.etckeeper
index 4b3282f..15224ae 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -370,11 +370,11 @@ maybe chmod 0600 'csf/csf.blocklists.new'
 maybe chmod 0600 'csf/csf.cloudflare'
 maybe chmod 0600 'csf/csf.conf'
 maybe chmod 0600 'csf/csf.conf.i360bak'
-maybe chmod 0640 'csf/csf.deny'
+maybe chmod 0600 'csf/csf.deny'
 maybe chmod 0600 'csf/csf.dirwatch'
 maybe chmod 0600 'csf/csf.dyndns'
 maybe chmod 0600 'csf/csf.fignore'
-maybe chmod 0640 'csf/csf.ignore'
+maybe chmod 0600 'csf/csf.ignore'
 maybe chmod 0600 'csf/csf.logfiles'
 maybe chmod 0600 'csf/csf.logignore'
 maybe chmod 0600 'csf/csf.mignore'
@@ -996,8 +996,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
-maybe chmod 0644 'httpd/conf.d/ssl.conf'
-maybe chmod 0640 'httpd/conf.d/ssl.conf_disabled'
+maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf.rpmnew'
diff --git a/cron.daily/csget b/cron.daily/csget
index 349bee8..a3e8876 100755
--- a/cron.daily/csget
+++ b/cron.daily/csget
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ###############################################################################
-# Copyright 2006-2020, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################
diff --git a/csf/changelog.txt b/csf/changelog.txt
index bfa789e..51592ab 100644
--- a/csf/changelog.txt
+++ b/csf/changelog.txt
@@ -1,5 +1,22 @@
 ChangeLog:
+14.18 - Added port 853 for DoT to all new installs
+
+ Added exe wpt-panopticon on cPanel servers to csf.pignore
+
+ Updated list of EOL PHP versions
+
+ Modified HTACCESS regex to include "remote" as well as "client" log
+ lines
+
+ Implemented DA POST workaround for saving large text files via the UI
+
+ Modified MESSENGER to only send unblock email if a valid IP is
+ requested
+
+ Modified DA server check to look for multiple php versions in
+ /usr/local/php*
+
 14.17 - Removed Security Report recommendations that do not apply to unsupported control panels
diff --git a/csf/csf.conf b/csf/csf.conf
index bf76cdd..9792b82 100644
--- a/csf/csf.conf
+++ b/csf/csf.conf
@@ -2621,7 +2621,6 @@ WGET = "/usr/bin/wget"
 # Note: File globs are only evaluated when lfd is started
 #
 HTACCESS_LOG = "/var/log/nginx/error.log"
-NGINX_LOG = "/var/log/nginx/*.access.log"
 MODSEC_LOG = ""
 SSHD_LOG = "/var/log/secure"
 SU_LOG = "/var/log/secure"
diff --git a/csf/csf.deny b/csf/csf.deny
index bc65cb9..3dea62d 100644
--- a/csf/csf.deny
+++ b/csf/csf.deny
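Review bot: The dropped `NGINX_LOG = "/var/log/nginx/*.access.log"` line in the csf.conf hunk does not look like a stock csf key, so it was most likely a local addition that the regenerated 14.18 csf.conf discarded rather than a deliberate removal; the neighbouring `HTACCESS_LOG` still points at the nginx error log, which suggests nginx monitoring was intended on this host. If a custom lfd regex was reading that access log, its detections now stop silently and nothing in this commit replaces them. Worth checking the pre-upgrade copy (the `.etckeeper` hunk lists a `csf/csf.conf.i360bak`, which may still carry the line) and, if the log is still wanted, re-adding the path under one of the supported `CUSTOM1_LOG`..`CUSTOM9_LOG` keys, since lfd only watches keys it knows about. The comment kept in the hunk, `File globs are only evaluated when lfd is started`, also means a restart is needed for any such re-added glob to take effect.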
@@ -327,3 +327,47 @@
 185.200.217.5 # lfd: (PERMBLOCK) 185.200.217.5 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:07:39 2023
 118.174.45.29 # lfd: (PERMBLOCK) 118.174.45.29 (TH/Thailand/-/-/node-10d.ll-118-174.static.totisp.net) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:56:08 2023
 47.74.66.206 # lfd: (PERMBLOCK) 47.74.66.206 (AU/Australia/New South Wales/Sydney/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:56:13 2023
+89.116.230.170 # lfd: (PERMBLOCK) 89.116.230.170 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 04:46:10 2023
+46.21.252.101 # lfd: (PERMBLOCK) 46.21.252.101 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 06:45:11 2023
+80.240.252.151 # lfd: (PERMBLOCK) 80.240.252.151 (RU/Russia/Kursk Oblast/Dmitriyev-Lgovsky/MSN-poll-net252-151.kursknet.ru) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 06:52:21 2023
+201.236.186.32 # lfd: (PERMBLOCK) 201.236.186.32 (CL/Chile/Tarapacá/Iquique/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 07:05:18 2023
+197.5.145.93 # lfd: (PERMBLOCK) 197.5.145.93 (TN/Tunisia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 08:24:30 2023
+178.128.73.254 # lfd: (PERMBLOCK) 178.128.73.254 (US/United States/California/Santa Clara/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 11:28:05 2023
+128.199.72.41 # lfd: (PERMBLOCK) 128.199.72.41 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 12:36:26 2023
+186.210.212.213 # lfd: (PERMBLOCK) 186.210.212.213 (BR/Brazil/Minas Gerais/Uberaba/186-210-212-213.xd-dynamic.algarnetsuper.com.br) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 16:31:08 2023
+89.175.49.2 # lfd: (PERMBLOCK) 89.175.49.2 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 16:58:10 2023
+43.156.128.15 # lfd: (PERMBLOCK) 43.156.128.15 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 18:53:15 2023
+188.166.187.117 # lfd: (PERMBLOCK) 188.166.187.117 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:21:21 2023
+46.101.110.253 # lfd: (PERMBLOCK) 46.101.110.253 (DE/Germany/Hesse/Frankfurt am Main/daiwer.sa) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:28:02 2023
+190.103.240.133 # lfd: (PERMBLOCK) 190.103.240.133 (AR/Argentina/Entre Rios/Colon/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:28:02 2023
+188.166.208.174 # lfd: (PERMBLOCK) 188.166.208.174 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:29:17 2023
+165.227.114.124 # lfd: (PERMBLOCK) 165.227.114.124 (US/United States/New Jersey/Clifton/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:24:22 2023
+41.57.134.100 # lfd: (PERMBLOCK) 41.57.134.100 (ZA/South Africa/Gauteng/Pretoria/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:24:22 2023
+209.45.76.42 # lfd: (PERMBLOCK) 209.45.76.42 (PE/Peru/Lima/Lima/static7642.flx.com.pe) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:47:24 2023
+178.128.32.180 # lfd: (PERMBLOCK) 178.128.32.180 (GB/United Kingdom/England/London/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:47:49 2023
+202.82.148.197 # lfd: (PERMBLOCK) 202.82.148.197 (HK/Hong Kong/North/North/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:50:59 2023
+178.128.117.5 # lfd: (PERMBLOCK) 178.128.117.5 (SG/Singapore/-/-/iotserver.in.th-ubuntu-s-1vcpu-3gb-sgp1) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:54:30 2023
+47.243.16.237 # lfd: (PERMBLOCK) 47.243.16.237 (HK/Hong Kong/Central and Western District/Central/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:55:20 2023
+213.228.73.213 # lfd: (PERMBLOCK) 213.228.73.213 (RU/Russia/-/-/fx.nsk.net.ru) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 04:26:18 2023
+217.165.113.33 # lfd: (PERMBLOCK) 217.165.113.33 (AE/United Arab Emirates/Dubai/Dubai/bba-217-165-113-33.alshamil.net.ae) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 16:19:17 2023
+51.159.54.22 # lfd: (PERMBLOCK) 51.159.54.22 (FR/France/Île-de-France/Paris/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 17:03:31 2023
+62.109.12.149 # lfd: (PERMBLOCK) 62.109.12.149 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 18:34:24 2023
+82.196.5.221 # lfd: (PERMBLOCK) 82.196.5.221 (NL/Netherlands/North Holland/Amsterdam/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:06:22 2023
+223.26.214.16 # lfd: (PERMBLOCK) 223.26.214.16 (KR/South Korea/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:07:47 2023
+188.121.116.35 # lfd: (PERMBLOCK) 188.121.116.35 (IR/Iran/Tehran/Tehran/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:07:48 2023
+103.215.223.146 # lfd: (PERMBLOCK) 103.215.223.146 (IR/Iran/Bushehr Province/Bushehr/103-215-223-146.hosted-by.keloncloud.com) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:24:29 2023
+5.181.217.125 # lfd: (PERMBLOCK) 5.181.217.125 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 08:59:56 2023
+187.170.43.58 # lfd: (PERMBLOCK) 187.170.43.58 (MX/Mexico/Mexico City/Cuauhtemoc/dsl-187-170-43-58-dyn.prod-infinitum.com.mx) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 11:02:27 2023
+178.128.125.217 # lfd: (PERMBLOCK) 178.128.125.217 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 13:02:37 2023
+213.55.93.152 # lfd: (PERMBLOCK) 213.55.93.152 (ET/Ethiopia/-/-/ns1.moe.gov.et) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:10:52 2023
+82.212.85.204 # lfd: (PERMBLOCK) 82.212.85.204 (JO/Jordan/Amman Governorate/Amman/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:10:53 2023
+47.241.52.126 # lfd: (PERMBLOCK) 47.241.52.126 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:12:17 2023
+167.172.235.94 # lfd: (PERMBLOCK) 167.172.235.94 (US/United States/New Jersey/Clifton/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:12:18 2023
+178.62.214.85 # lfd: (PERMBLOCK) 178.62.214.85 (NL/Netherlands/North Holland/Amsterdam/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 07:47:06 2023
+47.251.40.158 # lfd: (PERMBLOCK) 47.251.40.158 (US/United States/California/Santa Clara/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 07:58:12 2023
+5.160.218.90 # lfd: (PERMBLOCK) 5.160.218.90 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 08:02:02 2023
+85.237.57.253 # lfd: (PERMBLOCK) 85.237.57.253 (RU/Russia/Penza Oblast/Kuznetsk/host-85-237-57-253.dsl.sura.ru) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 21:55:45 2023
+210.176.61.252 # lfd: (PERMBLOCK) 210.176.61.252 (HK/Hong Kong/Eastern/Eastern/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 23:55:26 2023
+47.254.244.224 # lfd: (PERMBLOCK) 47.254.244.224 (MY/Malaysia/Kuala Lumpur/Kuala Lumpur/-) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 07:50:19 2023
+120.210.206.165 # lfd: (PERMBLOCK) 120.210.206.165 (CN/China/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 08:16:17 2023
+87.148.127.47 # lfd: (PERMBLOCK) 87.148.127.47 (DE/Germany/Thuringia/Krombach/p57947f2f.dip0.t-ipconnect.de) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 15:48:37 2023
diff --git a/csf/install.txt b/csf/install.txt
index 147fc3f..cb02b24 100644
--- a/csf/install.txt
+++ b/csf/install.txt
@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2006-2018, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################
diff --git a/csf/readme.txt b/csf/readme.txt
index 68f1096..a6ba7b0 100644
--- a/csf/readme.txt
+++ b/csf/readme.txt
@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2006-2018, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################
diff --git a/csf/version.txt b/csf/version.txt
index ddc9289..29896b4 100644
--- a/csf/version.txt
+++ b/csf/version.txt
@@ -1 +1 @@
-14.17
\ No newline at end of file
+14.18
\ No newline at end of file
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
deleted file mode 100644
index d28adf3..0000000
--- a/httpd/conf.d/ssl.conf
+++ /dev/null
@@ -1,203 +0,0 @@ -# -# When we also provide SSL we have to listen to the -# standard HTTPS port in addition. -# -Listen 443 https - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -SSLSessionCache shmcb:/run/httpd/sslcache(512000) -SSLSessionCacheTimeout 300 - -# -# Use "SSLCryptoDevice" to enable any supported hardware -# accelerators. Use "openssl engine -v" to list supported -# engine names. NOTE: If you enable an accelerator and the -# server does not start, consult the error logs and ensure -# your accelerator is functioning properly. -# -SSLCryptoDevice builtin -#SSLCryptoDevice ubsec - -## -## SSL Virtual Host Context -## - - - -# General setup for the virtual host, inherited from global configuration -#DocumentRoot "/var/www/html" -#ServerName www.example.com:443 - -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# List the protocol versions which clients are allowed to connect with. -# The OpenSSL system profile is used by default. See -# update-crypto-policies(8) for more details. 
-#SSLProtocol all -SSLv3 -#SSLProxyProtocol all -SSLv3 - -# User agents such as web browsers are not configured for the user's -# own preference of either security or performance, therefore this -# must be the prerogative of the web server administrator who manages -# cpu load versus confidentiality, so enforce the server's cipher order. -SSLHonorCipherOrder on - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -# The OpenSSL system profile is configured by default. See -# update-crypto-policies(8) for more details. -SSLCipherSuite PROFILE=SYSTEM -SSLProxyCipherSuite PROFILE=SYSTEM - -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that restarting httpd will prompt again. Keep -# in mind that if you have both an RSA and a DSA certificate you -# can configure both in parallel (to also allow the use of DSA -# ciphers, etc.) -# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) -# require an ECC certificate which can also be configured in -# parallel. -SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -# ECC keys, when in use, can also be configured in parallel -SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convenience. 
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). 
This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is sent or allowed to be received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is sent and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. 
-# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - -