saving uncommitted changes in /etc prior to dnf run

.etckeeper

@@ -370,11 +370,11 @@ maybe chmod 0600 'csf/csf.blocklists.new'
 maybe chmod 0600 'csf/csf.cloudflare'
 maybe chmod 0600 'csf/csf.conf'
 maybe chmod 0600 'csf/csf.conf.i360bak'
-maybe chmod 0640 'csf/csf.deny'
+maybe chmod 0600 'csf/csf.deny'
 maybe chmod 0600 'csf/csf.dirwatch'
 maybe chmod 0600 'csf/csf.dyndns'
 maybe chmod 0600 'csf/csf.fignore'
-maybe chmod 0640 'csf/csf.ignore'
+maybe chmod 0600 'csf/csf.ignore'
 maybe chmod 0600 'csf/csf.logfiles'
 maybe chmod 0600 'csf/csf.logignore'
 maybe chmod 0600 'csf/csf.mignore'
@@ -996,8 +996,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
-maybe chmod 0644 'httpd/conf.d/ssl.conf'
-maybe chmod 0640 'httpd/conf.d/ssl.conf_disabled'
+maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf.rpmnew'

cron.daily/csget

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ###############################################################################
-# Copyright 2006-2020, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################

csf/changelog.txt

@@ -1,5 +1,22 @@
 ChangeLog:
 
+14.18 - Added port 853 for DoT to all new installs
+
+        Added exe wpt-panopticon on cPanel servers to csf.pignore
+
+	Updated list of EOL PHP versions
+	
+	Modified HTACCESS regex to include "remote" as well as "client" log
+	lines
+
+	Implemented DA POST workaround for saving large text files via the UI
+
+	Modified MESSENGER to only send unblock email if a valid IP is
+	requested
+
+	Modified DA server check to look for multiple php versions in
+	/usr/local/php*
+
 14.17 - Removed Security Report recommendations that do not apply to
         unsupported control panels
 

csf/csf.conf

@@ -2621,7 +2621,6 @@ WGET = "/usr/bin/wget"
 # Note: File globs are only evaluated when lfd is started
 #
 HTACCESS_LOG = "/var/log/nginx/error.log"
-NGINX_LOG = "/var/log/nginx/*.access.log"
 MODSEC_LOG = ""
 SSHD_LOG = "/var/log/secure"
 SU_LOG = "/var/log/secure"

csf/csf.deny

@@ -327,3 +327,47 @@
 185.200.217.5 # lfd: (PERMBLOCK) 185.200.217.5 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:07:39 2023
 118.174.45.29 # lfd: (PERMBLOCK) 118.174.45.29 (TH/Thailand/-/-/node-10d.ll-118-174.static.totisp.net) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:56:08 2023
 47.74.66.206 # lfd: (PERMBLOCK) 47.74.66.206 (AU/Australia/New South Wales/Sydney/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 00:56:13 2023
+89.116.230.170 # lfd: (PERMBLOCK) 89.116.230.170 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 04:46:10 2023
+46.21.252.101 # lfd: (PERMBLOCK) 46.21.252.101 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 06:45:11 2023
+80.240.252.151 # lfd: (PERMBLOCK) 80.240.252.151 (RU/Russia/Kursk Oblast/Dmitriyev-Lgovsky/MSN-poll-net252-151.kursknet.ru) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 06:52:21 2023
+201.236.186.32 # lfd: (PERMBLOCK) 201.236.186.32 (CL/Chile/Tarapacá/Iquique/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 07:05:18 2023
+197.5.145.93 # lfd: (PERMBLOCK) 197.5.145.93 (TN/Tunisia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 08:24:30 2023
+178.128.73.254 # lfd: (PERMBLOCK) 178.128.73.254 (US/United States/California/Santa Clara/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 11:28:05 2023
+128.199.72.41 # lfd: (PERMBLOCK) 128.199.72.41 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 12:36:26 2023
+186.210.212.213 # lfd: (PERMBLOCK) 186.210.212.213 (BR/Brazil/Minas Gerais/Uberaba/186-210-212-213.xd-dynamic.algarnetsuper.com.br) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 16:31:08 2023
+89.175.49.2 # lfd: (PERMBLOCK) 89.175.49.2 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 16:58:10 2023
+43.156.128.15 # lfd: (PERMBLOCK) 43.156.128.15 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Apr 14 18:53:15 2023
+188.166.187.117 # lfd: (PERMBLOCK) 188.166.187.117 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:21:21 2023
+46.101.110.253 # lfd: (PERMBLOCK) 46.101.110.253 (DE/Germany/Hesse/Frankfurt am Main/daiwer.sa) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:28:02 2023
+190.103.240.133 # lfd: (PERMBLOCK) 190.103.240.133 (AR/Argentina/Entre Rios/Colon/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:28:02 2023
+188.166.208.174 # lfd: (PERMBLOCK) 188.166.208.174 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 02:29:17 2023
+165.227.114.124 # lfd: (PERMBLOCK) 165.227.114.124 (US/United States/New Jersey/Clifton/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:24:22 2023
+41.57.134.100 # lfd: (PERMBLOCK) 41.57.134.100 (ZA/South Africa/Gauteng/Pretoria/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:24:22 2023
+209.45.76.42 # lfd: (PERMBLOCK) 209.45.76.42 (PE/Peru/Lima/Lima/static7642.flx.com.pe) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:47:24 2023
+178.128.32.180 # lfd: (PERMBLOCK) 178.128.32.180 (GB/United Kingdom/England/London/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:47:49 2023
+202.82.148.197 # lfd: (PERMBLOCK) 202.82.148.197 (HK/Hong Kong/North/North/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:50:59 2023
+178.128.117.5 # lfd: (PERMBLOCK) 178.128.117.5 (SG/Singapore/-/-/iotserver.in.th-ubuntu-s-1vcpu-3gb-sgp1) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:54:30 2023
+47.243.16.237 # lfd: (PERMBLOCK) 47.243.16.237 (HK/Hong Kong/Central and Western District/Central/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 03:55:20 2023
+213.228.73.213 # lfd: (PERMBLOCK) 213.228.73.213 (RU/Russia/-/-/fx.nsk.net.ru) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 04:26:18 2023
+217.165.113.33 # lfd: (PERMBLOCK) 217.165.113.33 (AE/United Arab Emirates/Dubai/Dubai/bba-217-165-113-33.alshamil.net.ae) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 16:19:17 2023
+51.159.54.22 # lfd: (PERMBLOCK) 51.159.54.22 (FR/France/Île-de-France/Paris/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 17:03:31 2023
+62.109.12.149 # lfd: (PERMBLOCK) 62.109.12.149 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 18:34:24 2023
+82.196.5.221 # lfd: (PERMBLOCK) 82.196.5.221 (NL/Netherlands/North Holland/Amsterdam/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:06:22 2023
+223.26.214.16 # lfd: (PERMBLOCK) 223.26.214.16 (KR/South Korea/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:07:47 2023
+188.121.116.35 # lfd: (PERMBLOCK) 188.121.116.35 (IR/Iran/Tehran/Tehran/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:07:48 2023
+103.215.223.146 # lfd: (PERMBLOCK) 103.215.223.146 (IR/Iran/Bushehr Province/Bushehr/103-215-223-146.hosted-by.keloncloud.com) has had more than 2 temp blocks in the last 86400 secs - Sat Apr 15 20:24:29 2023
+5.181.217.125 # lfd: (PERMBLOCK) 5.181.217.125 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 08:59:56 2023
+187.170.43.58 # lfd: (PERMBLOCK) 187.170.43.58 (MX/Mexico/Mexico City/Cuauhtemoc/dsl-187-170-43-58-dyn.prod-infinitum.com.mx) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 11:02:27 2023
+178.128.125.217 # lfd: (PERMBLOCK) 178.128.125.217 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr 16 13:02:37 2023
+213.55.93.152 # lfd: (PERMBLOCK) 213.55.93.152 (ET/Ethiopia/-/-/ns1.moe.gov.et) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:10:52 2023
+82.212.85.204 # lfd: (PERMBLOCK) 82.212.85.204 (JO/Jordan/Amman Governorate/Amman/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:10:53 2023
+47.241.52.126 # lfd: (PERMBLOCK) 47.241.52.126 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:12:17 2023
+167.172.235.94 # lfd: (PERMBLOCK) 167.172.235.94 (US/United States/New Jersey/Clifton/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 05:12:18 2023
+178.62.214.85 # lfd: (PERMBLOCK) 178.62.214.85 (NL/Netherlands/North Holland/Amsterdam/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 07:47:06 2023
+47.251.40.158 # lfd: (PERMBLOCK) 47.251.40.158 (US/United States/California/Santa Clara/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 07:58:12 2023
+5.160.218.90 # lfd: (PERMBLOCK) 5.160.218.90 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 08:02:02 2023
+85.237.57.253 # lfd: (PERMBLOCK) 85.237.57.253 (RU/Russia/Penza Oblast/Kuznetsk/host-85-237-57-253.dsl.sura.ru) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 21:55:45 2023
+210.176.61.252 # lfd: (PERMBLOCK) 210.176.61.252 (HK/Hong Kong/Eastern/Eastern/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 17 23:55:26 2023
+47.254.244.224 # lfd: (PERMBLOCK) 47.254.244.224 (MY/Malaysia/Kuala Lumpur/Kuala Lumpur/-) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 07:50:19 2023
+120.210.206.165 # lfd: (PERMBLOCK) 120.210.206.165 (CN/China/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 08:16:17 2023
+87.148.127.47 # lfd: (PERMBLOCK) 87.148.127.47 (DE/Germany/Thuringia/Krombach/p57947f2f.dip0.t-ipconnect.de) has had more than 2 temp blocks in the last 86400 secs - Tue Apr 18 15:48:37 2023

csf/install.txt

@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2006-2018, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################

csf/readme.txt

@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright 2006-2018, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################

csf/version.txt

@@ -1 +1 @@
-14.17
+14.18

httpd/conf.d/ssl.conf

@@ -1,203 +0,0 @@
-#
-# When we also provide SSL we have to listen to the 
-# standard HTTPS port in addition.
-#
-Listen 443 https
-
-##
-##  SSL Global Context
-##
-##  All SSL configuration in this context applies both to
-##  the main server and all SSL-enabled virtual hosts.
-##
-
-#   Pass Phrase Dialog:
-#   Configure the pass phrase gathering process.
-#   The filtering dialog program (`builtin' is a internal
-#   terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
-
-#   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
-#   to use and second the expiring timeout (in seconds).
-SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
-SSLSessionCacheTimeout  300
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names.  NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-
-##
-## SSL Virtual Host Context
-##
-
-<VirtualHost _default_:443>
-
-# General setup for the virtual host, inherited from global configuration
-#DocumentRoot "/var/www/html"
-#ServerName www.example.com:443
-
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-#   List the protocol versions which clients are allowed to connect with.
-#   The OpenSSL system profile is used by default.  See
-#   update-crypto-policies(8) for more details.
-#SSLProtocol all -SSLv3
-#SSLProxyProtocol all -SSLv3
-
-#   User agents such as web browsers are not configured for the user's
-#   own preference of either security or performance, therefore this
-#   must be the prerogative of the web server administrator who manages
-#   cpu load versus confidentiality, so enforce the server's cipher order.
-SSLHonorCipherOrder on
-
-#   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate.
-#   See the mod_ssl documentation for a complete list.
-#   The OpenSSL system profile is configured by default.  See
-#   update-crypto-policies(8) for more details.
-SSLCipherSuite PROFILE=SYSTEM
-SSLProxyCipherSuite PROFILE=SYSTEM
-
-#   Point SSLCertificateFile at a PEM encoded certificate.  If
-#   the certificate is encrypted, then you will be prompted for a
-#   pass phrase.  Note that restarting httpd will prompt again.  Keep
-#   in mind that if you have both an RSA and a DSA certificate you
-#   can configure both in parallel (to also allow the use of DSA
-#   ciphers, etc.)
-#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
-#   require an ECC certificate which can also be configured in
-#   parallel.
-SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-#   ECC keys, when in use, can also be configured in parallel
-SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convenience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<FilesMatch "\.(cgi|shtml|phtml|php)$">
-    SSLOptions +StdEnvVars
-</FilesMatch>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-#   SSL Protocol Adjustments:
-#   The safe and default but still SSL/TLS standard compliant shutdown
-#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-#   the close notify alert from client. When you need a different shutdown
-#   approach you can use one of the following variables:
-#   o ssl-unclean-shutdown:
-#     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is sent or allowed to be received.  This violates
-#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-#     this when you receive I/O errors because of the standard approach where
-#     mod_ssl sends the close notify alert.
-#   o ssl-accurate-shutdown:
-#     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is sent and mod_ssl waits for the close notify
-#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-#     practice often causes hanging connections with brain-dead browsers. Use
-#     this only for browsers where you know that their SSL implementation
-#     works correctly. 
-#   Notice: Most problems of broken clients are also related to the HTTP
-#   keep-alive facility, so you usually additionally want to disable
-#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-#   "force-response-1.0" for this.
-BrowserMatch "MSIE [2-5]" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-#   Per-Server Logging:
-#   The home of a custom SSL log file. Use this when you want a
-#   compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-</VirtualHost>
-