Merge pull request #1 from Black-HOST/main

Pushing CSF to the upstream

Author: UptimeEnforcer

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,57 @@
+## Summary
+
+<!-- What does this PR change and why? -->
+
+
+## Related Issues
+
+<!-- Link issues (e.g. Closes #123, Fixes #456) -->
+
+
+## Type of Change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor
+- [ ] Docs / comments
+- [ ] CI / tooling
+- [ ] Security hardening
+
+
+## Affected Areas
+
+- [ ] Installer scripts (`install*.sh`)
+- [ ] Runtime scripts (`csf.pl`, `lfd.pl`, etc.)
+- [ ] Config defaults (`conf/*`)
+- [ ] Templates (`tpl/*`)
+- [ ] UI assets (`conf/ui/*`)
+- [ ] Packaging / release
+
+
+## Testing
+
+<!-- Describe what you tested and where -->
+
+Environment(s):
+- [ ] AlmaLinux
+- [ ] Rocky Linux
+- [ ] Ubuntu / Debian
+- [ ] Other: __________
+
+Validation performed:
+- [ ] Fresh install works
+- [ ] Upgrade path works
+- [ ] Paths/files copied to expected destinations
+- [ ] No regressions in existing behavior
+- [ ] CI checks pass
+
+Test notes:
+
+
+## Checklist
+
+- [ ] I reviewed changed paths and file references
+- [ ] I updated docs/comments if needed
+- [ ] I kept changes focused and minimal
+- [ ] I verified shell syntax for modified scripts
+- [ ] I confirmed no secrets or private data were added

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: CSF Tag & Release
+
+on:
+  push:
+    branches:
+      - main 
+    
+    paths:
+      - 'version.txt' # make new release only on version change
+
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get version
+        run: |
+          VERSION=$(cat version.txt | xargs)
+          echo "TAG=v$VERSION" >> $GITHUB_ENV
+
+      - name: Build release archive
+        run: git archive --format=tar.gz --prefix="csf/" -o "csf.tgz" HEAD
+
+      - name: Do the release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "$TAG" ./csf.tgz --repo="$GITHUB_REPOSITORY" --title="$TAG" --generate-notes

.github/workflows/remote-install.yml

@@ -0,0 +1,89 @@
+name: TEST - Remote Installation
+
+on:
+  push:
+    branches: [ "**" ]
+    paths:
+      - '**/install*'
+  
+  pull_request:
+    branches: [ "**" ]
+    paths:
+      - '**/install*'
+
+  workflow_dispatch: {}
+
+jobs:
+  remote-install:
+    name: Install on ${{ matrix.os-name }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Debian
+          - os-name: "Debian 12"
+            container: "debian:12"
+            setup-cmd: "apt-get update && apt-get install -y curl"
+          - os-name: "Debian 13 (Trixie)"
+            container: "debian:trixie-slim"
+            setup-cmd: "apt-get update && apt-get install -y curl"
+
+          # Ubuntu
+          - os-name: "Ubuntu 22.04"
+            container: "ubuntu:22.04"
+            setup-cmd: "apt-get update && apt-get install -y curl"
+          - os-name: "Ubuntu 24.04"
+            container: "ubuntu:24.04"
+            setup-cmd: "apt-get update && apt-get install -y curl"
+
+          # AlmaLinux
+          - os-name: "AlmaLinux 8"
+            container: "almalinux:8"
+            setup-cmd: "dnf install -y epel-release curl"
+          - os-name: "AlmaLinux 9"
+            container: "almalinux:9"
+            setup-cmd: "dnf install -y epel-release"
+          - os-name: "AlmaLinux 10"
+            container: "almalinux:10"
+            setup-cmd: "dnf install -y epel-release"
+
+    container:
+      image: ${{ matrix.container }}
+      options: --privileged
+
+    steps:
+      - name: Install minimal dependencies
+        if: ${{ matrix.setup-cmd }} 
+        run: ${{ matrix.setup-cmd }}
+
+      - name: Run Live Installer
+        shell: bash
+        run: |
+          bash <(curl -sL https://csf.black.host)
+
+      - name: Verify Configuration Exists
+        run: |
+          if [ -f "/etc/csf/csf.conf" ]; then
+            echo "csf.conf found"
+          else
+            echo "csf.conf NOT found"
+            exit 1
+          fi
+
+      - name: Verify Binary Exists
+        run: |
+          if [ -f "/usr/sbin/csf" ]; then
+            echo "csf binary found"
+          else
+            echo "csf binary NOT found"
+            exit 1
+          fi
+
+      - name: Check Version
+        run: |
+          # installer.sh might not put csftest.pl in path, but it should be in /usr/local/csf/bin
+          if [ -f "/usr/local/csf/bin/csftest.pl" ]; then
+             perl /usr/local/csf/bin/csftest.pl || true
+          fi
+          csf -v || true

CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing to CSF
+
+This repository is a community-maintained fork focused on keeping CSF secure, stable, and compatible with modern Linux systems.
+
+## Ground Rules
+
+- Keep changes focused and minimal.
+- Prefer backward-compatible behavior unless a breaking change is necessary and agreed by the community.
+- For security issues, **do not open a public issue**. See [SECURITY.md](SECURITY.md).
+
+## Development Workflow
+
+1. Fork the repository and create a feature branch from `main`.
+2. Make your changes in small, reviewable commits.
+3. Open a Pull Request with clear context:
+   - what changed
+   - why it changed
+   - how it was tested
+
+## Testing
+
+Before opening a PR, validate as much as possible:
+
+- syntax and path sanity of changed shell scripts
+- installer flow on at least one Debian/Ubuntu and one RHEL/Alma-based environment
+- CSF install output and basic checks (`csf -v`, `csftest.pl`)
+
+CI exists, but local/reproducible validation is still strongly encouraged.
+
+## Pull Request Checklist
+
+- [ ] Change is scoped and documented
+- [ ] Paths updated consistently across installer scripts
+- [ ] No secrets, tokens, or private material committed
+- [ ] Security-sensitive behavior explained
+- [ ] Testing notes included in PR description
+
+## Coding Style
+
+- Keep shell scripts POSIX-friendly where practical
+- Use consistent formatting with surrounding code
+- Avoid unrelated refactors in the same PR
+
+## License
+
+By contributing, you agree that your contributions are licensed under the same license as this project (GPLv3).
+
+Thanks for helping improve CSF ❤️

ConfigServer/AbuseIP.pm

@@ -0,0 +1,100 @@
+###############################################################################
+# Copyright (C) 2006-2025 Jonathan Michaelson
+#
+# https://github.com/waytotheweb/scripts
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, see <https://www.gnu.org/licenses>.
+###############################################################################
+## no critic (RequireUseWarnings, ProhibitExplicitReturnUndef, ProhibitMixedBooleanOperators, RequireBriefOpen)
+# start main
+package ConfigServer::AbuseIP;
+
+use strict;
+use lib '/usr/local/csf/lib';
+use Carp;
+use IPC::Open3;
+use Net::IP;
+use ConfigServer::Config;
+use ConfigServer::CheckIP qw(checkip);
+
+use Exporter qw(import);
+our $VERSION     = 1.03;
+our @ISA         = qw(Exporter);
+our @EXPORT_OK   = qw(abuseip);
+
+my $abusemsg = 'Abuse Contact for [ip]: [[contact]]
+
+The Abuse Contact of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here:
+
+https://abusix.com/global-reporting/abuse-contact-db
+
+abusix.com is neither responsible nor liable for the content or accuracy of this message.';
+
+my $config = ConfigServer::Config->loadconfig();
+my %config = $config->config();
+
+# end main
+###############################################################################
+# start abuseip
+sub abuseip {
+	my $ip = shift;
+	my $abuse = "";
+	my $netip;
+	my $reversed_ip;
+
+	if (checkip(\$ip)) {
+		eval {
+			local $SIG{__DIE__} = undef;
+			$netip = Net::IP->new($ip);
+			$reversed_ip = $netip->reverse_ip();
+		};
+		
+		if ($reversed_ip =~ /^(\S+)\.in-addr\.arpa/) {$reversed_ip = $1}
+		if ($reversed_ip =~ /^(\S+)\s+(\S+)\.in-addr\.arpa/) {$reversed_ip = $2}
+		if ($reversed_ip =~ /^(\S+)\.ip6\.arpa/) {$reversed_ip = $1}
+		if ($reversed_ip =~ /^(\S+)\s+(\S+)\.ip6\.arpa/) {$reversed_ip = $2}
+
+		if ($reversed_ip ne "") {
+			$reversed_ip .= ".abuse-contacts.abusix.org";
+
+			my $cmdpid;
+			eval {
+				local $SIG{__DIE__} = undef;
+				local $SIG{'ALRM'} = sub {die};
+				alarm(10);
+				my ($childin, $childout);
+				$cmdpid = open3($childin, $childout, $childout, $config{HOST},"-W","5","-t","TXT",$reversed_ip);
+				close $childin;
+				my @results = <$childout>;
+				waitpid ($cmdpid, 0);
+				chomp @results;
+				if ($results[0] =~ /^${reversed_ip}.+"(.*)"$/) {$abuse = $1}
+				alarm(0);
+			};
+			alarm(0);
+			if ($cmdpid =~ /\d+/ and $cmdpid > 1 and kill(0,$cmdpid)) {kill(9,$cmdpid)}
+
+			if ($abuse ne "") {
+				my $msg = $abusemsg;
+				$msg =~ s/\[ip\]/$ip/g;
+				$msg =~ s/\[contact\]/$abuse/g;
+				return $abuse, $msg;
+			}
+		}
+	}
+}
+# end abuseip
+###############################################################################
+
+1;