Unfortunately, syslog and rsyslog allow end-users to log messages to some system logs via the same unix socket that other local services use. This means that any log line shown in these system logs that syslog or rsyslog maintain can be spoofed (they are exactly the same as real log lines).
Since some of the features of lfd rely on such log lines, spoofed messages can cause false-positive matches which can lead to confusion at best, or blocking of any innocent IP address or making the server inaccessible at worst.
Any option that relies on the log entries in the files listed in /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered vulnerable to exploitation by end-users and scripts run by end-users.
There is a new RESTRICT_SYSLOG option that disables all those features that rely on affected logs. This option is NOT enabled by default.
See /etc/csf/csf.conf and /etc/csf/readme.txt for more information about this issue and mitigation advice
NOTE: This issue affects all scripts that process information from syslog/rsyslog logs, not just lfd. So you should use other such scripts with care
Our thanks go to Rack911.com for bringing this issue to our attention
UI design updates and fixes
Modify Apache regex to support log lines containing thread ID
Prevent lfd from blocking CIDRs triggered from log lines