CSF Integration


ConfigServer Security & Firewall (CSF) integration allows CSF to be used alongside Imunify360. When CSF integration is enabled, Imunify360 uses the Login Failure Daemon (LFD) as the source of security events instead of OSSEC.

CSF integration is enabled automatically when Imunify360 detects that CSF is running. No additional configuration is needed.

With CSF integration enabled, Imunify360 uses CSF as the source of black and white lists, so managing those lists in Imunify360 is disabled. Gray lists can still be viewed and managed in the Imunify360 interface.

[Screenshot cdf_int: Imunify360 Firewall tab, White list section, showing the "White list management disabled" warning]

If CSF is switched off, Imunify360 becomes the primary IDS and loads the black and white lists from CSF so that they keep working without any additional action; it also imports the closed ports together with the IPs whitelisted for them.

It is also possible to enable CSF while Imunify360 is already running. All black and white lists from Imunify360 are exported to CSF: the Imunify360 White list is exported to the CSF Ignore list and the Imunify360 Black list is exported to the CSF Deny list. About 30 seconds after CSF starts, Imunify360 switches to CSF integration mode. To confirm this, open the Firewall tab in Imunify360 and go to the White list section: the warning message "White list management disabled" (see the screenshot above) means that the CSF and Imunify360 integration was processed successfully.

To receive events from the Login Failure Daemon (LFD), Imunify360 automatically sets the BLOCK_REPORT variable in csf.conf to the file path of the Imunify360 script.

In CSF integration mode, when an IP address is blocked by LFD, Imunify360 adds this IP address to its Graylist and then removes it from the CSF deny/tempdeny lists. The latter is done so that the IP can still reach the Captcha and so that all automatically blocked IP addresses are stored in a single place. Thus, no IP is automatically added to the CSF deny/tempdeny lists.

Mod_security recommendation


When mod_security is configured with SecRuleEngine On (blocking mode), CSF blocks IP addresses based on mod_security events. The number of events needed to block an IP address is defined by the LF_MODSEC variable in csf.conf. This can lead to a large number of false positives.

We recommend one of the following:

SecRuleEngine DetectionOnly

or set the LF_MODSEC variable to 0.

In either case, Imunify360 blocks IPs only on mod_security events with high severity.
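As an added check (an example script written for this page, not part of the Imunify360 or CSF documentation), the POSIX shell snippet below audits a csf.conf and a ModSecurity config for the two settings recommended above and confirms that BLOCK_REPORT points to an executable script; the file paths, the sample configs and the placeholder report script are all constructed.

```shell
#!/bin/sh
# Audit csf.conf + ModSecurity config against the recommendation above.
# Paths are arguments because they vary per host (CSF's default is /etc/csf/csf.conf).

# Print the value of a csf.conf variable, e.g. LF_MODSEC = "5" -> 5 (last match wins,
# comment lines are skipped by the ^ anchor).
csf_get() {  # $1 = csf.conf path, $2 = variable name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Print the effective SecRuleEngine mode (last uncommented directive wins).
modsec_engine() {  # $1 = ModSecurity config path
    grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}'
}

# Succeeds when LFD cannot mass-block on ModSecurity events: the engine is in
# DetectionOnly or LF_MODSEC is 0, which is what the page recommends.
modsec_safe() {  # $1 = csf.conf path, $2 = ModSecurity config path
    [ "$(csf_get "$1" LF_MODSEC)" = "0" ] || [ "$(modsec_engine "$2")" = "DetectionOnly" ]
}

# Succeeds when BLOCK_REPORT names an existing executable, i.e. LFD can hand block
# events to a script (Imunify360 fills this variable in itself when it integrates).
block_report_ok() {  # $1 = csf.conf path
    f=$(csf_get "$1" BLOCK_REPORT)
    [ -n "$f" ] && [ -x "$f" ]
}

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/report.sh" && chmod +x "$d/report.sh"  # placeholder script
    printf 'LF_MODSEC = "5"\nBLOCK_REPORT = "%s"\n' "$d/report.sh" > "$d/csf_bad.conf"
    printf 'LF_MODSEC = "0"\nBLOCK_REPORT = ""\n' > "$d/csf_good.conf"
    printf '# SecRuleEngine DetectionOnly\nSecRuleEngine On\n' > "$d/modsec_on.conf"
    printf 'SecRuleEngine DetectionOnly\n' > "$d/modsec_detect.conf"
    echo "$d"
}

d=$(make_samples)
for c in csf_bad csf_good; do
    for m in modsec_on modsec_detect; do
        if modsec_safe "$d/$c.conf" "$d/$m.conf"; then r=ok; else r=RISKY; fi
        echo "$c + $m: $r"
    done
done
```

Only the csf_bad + modsec_on combination (LF_MODSEC non-zero with SecRuleEngine On) is reported as RISKY.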