Imunify360 command-line interface (CLI) makes working with Imunify360 basics and features from your terminal even simpler.
For access to Imunify360 agent features from command-line interface (CLI), use the following command:
imunify360-agent
Basic usage:
imunify360-agent [command] [--option1] [--option2]...
The following options are available for all commands.
Option | Description |
---|---|
--console-log-level [ERROR,WARNING,INFO,DEBUG] | Logging level for console output |
-h , --help | Returns the help message |
--json | Returns data in JSON format |
-v , --verbose | Pretty-prints the output when used together with the --json option |
This command returns the help message for the 3rdparty command:
imunify360-agent 3rdparty -h
This command returns data in JSON format in a pretty-printed view for the get command:
imunify360-agent get --period 1h --by-country-code UA --by-list black --json --verbose
Available commands:
Command | Description |
---|---|
3rdparty | Make Imunify360 the primary IDS |
backup-systems | Allows to manage CloudLinux Backup |
blacklist | Return/Edit IP blacklist |
blocked-port | Return/Edit list of blocked ports |
blocked-port-ip | Allows to change the list of IPs that are excluded (allowed) for a certain blocked port |
checkdb | Check database integrity |
check-domains | Send domain list check |
check modsec directives | Allows to check whether the global ModSecurity directives have values recommended by Imunify360 |
clean | Clean the incidents |
config | Allows to update and show configuration file via CLI |
doctor | Collect info about system and send it to the Imunify support team |
eula | Allows to show and accept the end-user license agreement to automate installation |
features | Manage available features for Imunify360 |
feature-management | Manage Imunify360 features available for users |
fix modsec directives | Fixes the non-recommended values (sets them to ones recommended by Imunify360) |
get | Returns list of incidents |
graylist | Return/Edit IP Gray List |
hooks | Hooks-related commands |
import | Import data |
infected-domains | Returns infected domain list |
login | Allows to get a token which can be used for authentication in stand-alone Imunify UI. |
malware | Allows to manage malware options |
notifications-config | Allows to show and update notifications in the configuration file via CLI |
proactive | Allows to manage Proactive Defense feature |
register | Agent registration |
reload-lists | Allows to use external files with the list of Black/White-listed IPs. More details. |
remote-proxy | Allows to add an additional proxy subnet |
rstatus | Query the server to check if the license is valid |
rules | Allows user to manage disabled rules |
submit false-positive/false-negative | Allows to submit a file as false positive/false negative |
unregister | Unregister the agent |
vendors | Command for manipulating Imunify360 vendors |
version | Show version |
whitelist | Return/Edit operator for IP and domain white list |
whitelisted-crawlers | Allows operating on the list of search engine (crawler) domains |
Optional arguments for the commands:
Argument | Description |
---|---|
--by-country-code [country_code] | Filters output by country code. Requires a valid country code as argument. Find valid country codes here in the column ISO ALPHA-2 CODE. |
--by-ip [ip_address] | Filters output by abuser's IP or by subnet in CIDR notation. Example: --by-ip 1.2.3.0/24 . |
--by-list | Filters output by list name. Example: --by-list black . |
--by-comment | Filters output by comment. |
--limit | Limits the output to the specified number of incidents. Must be a number greater than zero. By default, equals 100. |
--offset | Offset for pagination. By default, equals 0. |
--to | Sets the end of the period for the filter. Format is a timestamp. |
--manual | Shows only items that have been added manually. |
--order-by | List of fields to sort the results by. |
Command for disabling 3rd party IDS (currently cPHulk and fail2ban) and making the Imunify360 agent the primary IDS.
Usage:
imunify360-agent 3rdparty [command]
command is a positional argument and can be:
conflicts | Show conflicts with other software |
list | List other IDS that might be running concurrently with Imunify360 |
Examples:
imunify360-agent 3rdparty conflicts
imunify360-agent 3rdparty list
fail2ban
Allows managing the backup systems integrated with Imunify360.
Usage:
imunify360-agent backup-systems [command] <value>
command
is a positional argument and can be:
list | List of all available backup systems. |
status | Returns backup system status including a current backup system and enabling status. |
extended-status | Returns extended status including log file path, error on executing, current backup system, enabling status, current state, and current backup progress bar. |
init | <value> must be in the list of available backup systems. Initializes <value> backup system. |
disable | Disables backup system. |
check | Returns licenses info. |
The status command returns {'<key>': <value>} (JSON formatted):
Key | Value |
---|---|
backup_system | Str with the name of the currently enabled backup system. |
enabled | True if backups are enabled, otherwise False . |
The extended-status command returns {'<key>': <value>} (JSON formatted):
Key | Value |
---|---|
log_path | Str with the path to the log file. |
error | Str with a human-friendly error message. |
backup_system | Str with the name of the currently enabled backup system. |
enabled | True if backups are enabled, otherwise False . |
state | Str with the current running condition. Statuses: not_running , init , backup , done , unpaid . |
progress | This key is optional. It represents the progress of backup if it is running. |
The check command returns {'<key>': <value>} (JSON formatted):
Key | Value |
---|---|
status | Str with the license status. Statuses: paid , unpaid . |
size | Int, which represents a paid size of backups in GB. E.g. 'size': 10 means that you paid for 10GB. |
Examples:
imunify360-agent backup-systems list
acronis
r1soft
cloudlinux
cpanel
imunify360-agent backup-systems init cloudlinux
Backup initialization process is in progress
imunify360-agent backup-systems check cloudlinux
{'url': 'https://cln.cloudlinux.com/clweb/cb/buy.html?id=YourServerIdHere', 'status': 'unpaid'}
At first, the status is unpaid, so open the URL from the JSON response in a browser to activate the backup. Once this is done, it shows in CLN.
Run the check again and now it returns the size and that the backup has been paid for.
imunify360-agent backup-systems check cloudlinux
The above commands create a new cloudlinuxbackup.com account and link that account to this server after following the link and confirming the payment of $0.00 for free 10GB.
This command allows viewing or editing the IPs in the Black List.
Usage:
imunify360-agent blacklist [subject] [command] <value> [--option]
subject
is a positional argument and can be:
country | Allows to manipulate with countries in the Black List |
ip | Allows to manipulate with IPs in the Black List |
command
is a second positional argument and can be:
add | add item(-s) to Black List |
delete | remove item(-s) from Black List |
move | move item(-s) to Black List |
edit | edit comment on item in the Black List |
list | list items(-s) in Black List |
Please note that by default the list command outputs only the first 100 items in the list, as if it was run as imunify360-agent blacklist ip list --limit 100 .
To check whether specific IP address is in the list, you can run the following command:
imunify360-agent blacklist ip list --by-ip 12.34.56.78
where 12.34.56.78 is that specific IP address.
value is the item to manipulate. It can be an IP address or a country code (find the necessary country codes here in the column ISO ALPHA-2 CODE).
option can be one or more of the optional arguments specified above and one more:
--comment | allows adding a comment to the item |
--expiration | allows specifying the expiration time for the blacklisted IP (in seconds since epoch) |
Examples:
imunify360-agent blacklist ip add 1.2.3.4 --comment "one bad ip"
imunify360-agent blacklist ip list --by-country-code BO
IP TTL COUNTRY IMPORTED_FROM COMMENT
1.2.3.4
Add an IP to the Black List with the group scope:
imunify360-agent blacklist ip add 1.2.3.4 --scope group
OK
To blacklist multiple IP addresses, put them into a file and add to the black list as follows:
cat list.txt | xargs -n 1 imunify360-agent blacklist ip add
The alternative would be using the external white/black list feature.
Note
If an IP address has been added to the blacklist on a group of servers, it is enough to remove it from the blacklist on one of the servers, and it will be removed from the blacklist on all servers in the group.
Warning
For now, ipset supports only IPv6 /64 networks. In most cases, it is enough to specify the mask /64 . An example of a proper IPv6 address with the subnet mask: 2001:db8:abcd:0012::0/64 .
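A defensive variant of the "put them into a file" approach above, as an added example that is not part of the Imunify360 documentation: it validates every entry with the standard `ipaddress` module, applies the IPv6 /64 caveat from the Warning, drops duplicates, and only then builds the `blacklist ip add` commands. The `run` flag and the `SAMPLE_LIST` contents are constructed for the demo; with `run=False` nothing is executed.

```python
"""Validate a list of IPs/subnets before bulk-adding them to the Imunify360
Black List with `imunify360-agent blacklist ip add`.

Added example, not part of the Imunify360 documentation. It follows the
page's `cat list.txt | xargs -n 1 imunify360-agent blacklist ip add` idea but
rejects malformed entries up front and applies the page's caveat that IPv6
networks must use a /64 mask. `run` is an assumed flag: with run=False the
commands are only built, not executed.
"""
import ipaddress
import subprocess
from typing import List, Tuple

# Constructed sample list: the kind of content `list.txt` would hold.
SAMPLE_LIST = """\
1.2.3.4
5.6.7.0/24   # constructed subnet entry
2001:db8:abcd:0012::0/64
2001:db8::/48
not-an-ip
1.2.3.4
"""


def parse_entries(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted, rejected) where rejected holds (entry, reason).

    Accepted entries are normalised (networks keep CIDR form) and
    de-duplicated, preserving first-seen order.
    """
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            if "/" in entry:
                net = ipaddress.ip_network(entry, strict=False)
                # Per the docs, ipset currently supports only IPv6 /64 networks.
                if net.version == 6 and net.prefixlen != 64:
                    rejected.append((entry, "IPv6 networks must use a /64 mask"))
                    continue
                value = str(net)
            else:
                value = str(ipaddress.ip_address(entry))
        except ValueError as exc:
            rejected.append((entry, f"not a valid IP or CIDR: {exc}"))
            continue
        if value in seen:
            rejected.append((entry, "duplicate"))
            continue
        seen.add(value)
        accepted.append(value)
    return accepted, rejected


def build_commands(entries: List[str], comment: str) -> List[List[str]]:
    """Build one `imunify360-agent blacklist ip add` argv per entry.

    The argv form avoids the shell-quoting problems the xargs one-liner has
    with comments that contain spaces.
    """
    return [
        ["imunify360-agent", "blacklist", "ip", "add", entry, "--comment", comment]
        for entry in entries
    ]


def blacklist_from_text(text: str, comment: str, run: bool = False) -> dict:
    """Validate, build the commands and (optionally) execute them one by one."""
    accepted, rejected = parse_entries(text)
    commands = build_commands(accepted, comment)
    if run:
        for argv in commands:
            # Stop on the first failure so a broken entry is noticed.
            subprocess.run(argv, check=True)
    return {"accepted": accepted, "rejected": rejected, "commands": commands}


if __name__ == "__main__":
    result = blacklist_from_text(SAMPLE_LIST, "bulk import", run=False)
    for argv in result["commands"]:
        print(" ".join(argv))
    for entry, reason in result["rejected"]:
        print(f"skipped {entry!r}: {reason}")
```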
This command allows viewing or editing ports, IPs, and protocols in the list of blocked ports.
Note
Imunify360 can block particular ports using the blocked-port command, yet it doesn't support a "block everything but the selected ports" paradigm. That could be achieved via legacy Linux iptables.
Usage:
imunify360-agent blocked-port [command] <value> [--option]
command is the first positional argument and can be:
add | add item(-s) to blocked ports |
delete | remove item(-s) from blocked ports |
edit | edit comment on item in the blocked ports |
list | list items(-s) in blocked ports |
value is the item to manipulate: a colon-separated pair of port number and protocol, for example 5432:tcp or 28:udp .
option can be one or more of the optional arguments specified above and some more:
--comment | allows adding a comment to the item |
--ips | block the port for all IP addresses except the specified ones |
Example:
The following command blocks port 5555 for tcp connections with a comment "Some comment":
imunify360-agent blocked-port add 5555:tcp --comment "Some comment"
This one lists the blocked ports, with the IPs allowed for each:
# imunify360-agent blocked-port list
COMMENT ID IPS PORT PROTO
1 [] 3306 tcp
Some comment 2 [{'comment': None, 'ip': '111.111.111.111'}, {'comment': None, 'ip': '22.22.22.22'}] 5555 tcp
This command allows changing the list of IPs that are excluded (allowed) for a certain blocked port.
Usage:
imunify360-agent blocked-port-ip [command] <value> [--option]
command is the first positional argument and can be:
add | add IPs to blocked port |
delete | remove IPs from blocked port |
edit | edit comment on item in the blocked ports |
value is an IP address and a blocked port.
option can be one or more of the optional arguments for all commands specified above and one more:
--comment | allows adding a comment to the IP |
Example:
The following command adds IP address 12.34.56.78 to the blocked port 5555 for tcp connections with a comment 'Some comment':
imunify360-agent blocked-port-ip add 5555:tcp --ips 12.34.56.78 --comment 'Some comment'
OK
Checks database integrity. In case the database is corrupt, this command saves a backup copy of the database in /var/imunify360 and tries to restore the integrity of the original database. Note that if this command cannot restore database integrity, it destroys the original broken database.
Usage:
imunify360-agent checkdb
Example:
The following command checks the database integrity:
imunify360-agent checkdb
Allows sending a list of domains for a check to the Imunify360 central server. After the domains are checked, the results are available via the infected-domains command.
Note
The check-domains command may take a few minutes to complete.
Usage:
imunify360-agent check-domains [--optional arguments]
Example:
The following command sends the domains list for a check to the Imunify360 central server:
imunify360-agent check-domains
OK
Allows checking whether the global ModSecurity directives have the values recommended by Imunify360.
Usage:
imunify360-agent check modsec directives [--optional arguments]
Example:
The following command checks whether the global ModSecurity directives have the values recommended by Imunify360:
imunify360-agent check modsec directives
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecConnEngine ModSecurity directive. Expected: 'Off' Got: None", 'url': 'https://docs.imunify360.com/'}
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecAuditEngine ModSecurity directive. Expected: 'RelevantOnly' Got: None", 'url': 'https://docs.imunify360.com/'}
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecRuleEngine ModSecurity directive. Expected: 'On' Got: None", 'url': 'https://docs.imunify360.com/'}
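Each WARNING line above carries a Python dict literal, not JSON. The following added example (not part of the Imunify360 documentation) parses that output into directive / expected / got records and tells you whether `fix modsec directives` is warranted; the regular expression for the title text is an assumption derived from the three lines shown on this page.

```python
"""Parse the WARNING lines printed by `imunify360-agent check modsec directives`
and decide whether `fix modsec directives` is needed.

Added example, not part of the Imunify360 documentation. Each WARNING line
carries a Python dict literal (as shown on this page), so it is parsed with
ast.literal_eval rather than json. SAMPLE_OUTPUT is copied from the page; the
regular expression for the title text is an assumption based on it.
"""
import ast
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecConnEngine ModSecurity directive. Expected: 'Off' Got: None", 'url': 'https://docs.imunify360.com/'}
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecAuditEngine ModSecurity directive. Expected: 'RelevantOnly' Got: None", 'url': 'https://docs.imunify360.com/'}
WARNING: {'ignored': False, 'id': '1000', 'fix': 'Run `imunify360-agent fix modsec directives` command', 'title': "Wrong value for SecRuleEngine ModSecurity directive. Expected: 'On' Got: None", 'url': 'https://docs.imunify360.com/'}
"""

# Assumed shape of the title text, derived from the sample lines above.
TITLE_RE = re.compile(
    r"Wrong value for (?P<directive>\S+) ModSecurity directive\. "
    r"Expected: '(?P<expected>[^']*)' Got: (?P<got>.+)$"
)


def parse_check_output(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per WARNING line: directive, expected, got, ignored, fix."""
    records = []
    for line in text.splitlines():
        if not line.startswith("WARNING: "):
            continue
        # The payload is a Python literal (single quotes, False), not JSON.
        payload = ast.literal_eval(line[len("WARNING: "):])
        m = TITLE_RE.match(payload["title"])
        if m is None:
            raise ValueError(f"unrecognised warning title: {payload['title']!r}")
        got = m.group("got")
        records.append({
            "directive": m.group("directive"),
            "expected": m.group("expected"),
            # The agent prints None when the directive is absent from the config.
            "got": None if got == "None" else got.strip("'"),
            "ignored": bool(payload["ignored"]),
            "fix": payload["fix"],
        })
    return records


def needs_fix(records: List[Dict[str, Optional[str]]]) -> bool:
    """True when at least one non-ignored directive deviates from the recommendation."""
    return any(not r["ignored"] and r["got"] != r["expected"] for r in records)


if __name__ == "__main__":
    found = parse_check_output(SAMPLE_OUTPUT)
    for r in found:
        print(f"{r['directive']}: expected {r['expected']!r}, got {r['got']!r}")
    if needs_fix(found):
        print("Run: imunify360-agent fix modsec directives")
```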
Cleans the incident list.
Usage:
imunify360-agent clean [--optional arguments]
Optional arguments:
--days | Removes incidents from the database that are older than the specified number of days. Example: --days 5 deletes all incidents that are older than 5 days from today. |
--limit | Keeps only the specified number of the newest incidents in the database and deletes the others. Example: --limit 5000 keeps only the 5000 newest incidents and deletes the others. |
Example:
The following command deletes all incidents that are older than 5 days from today and keeps only the 5000 newest incidents. The output shows the number of incidents cleaned.
# imunify360-agent clean --days 5 --limit 5000
2521
Allows updating and showing the configuration file via CLI.
Usage:
imunify360-agent config [command] [configuration options]
command can be:
show | show configuration file |
update | update configuration file |
You can find all configuration options here and instructions on how to apply configuration changes from CLI here.
Example:
Set the MALWARE_SCAN_INTENSITY.cpu = 5 configuration option from the command line:
imunify360-agent config update '{"MALWARE_SCAN_INTENSITY": {"cpu": 5}}'
The successful output should display the configuration file content.
Collects information about the Imunify360 state, generates a report and sends it to the Imunify360 Support Team. Use this command in case of any trouble or issues with Imunify360. The command generates a key to be sent to the Imunify360 Support Team; with that key the Support Team can help with any problem as quickly as possible.
Usage:
imunify360-agent doctor
Please, provide this key:
SSXX11xXXXxxxxXX.1a1bcd1e-222f-33g3-hi44-5551k5lmn555
to Imunify360 Support Team
Allows showing and accepting the end-user license agreement to automate installation.
Usage:
imunify360-agent eula [command]
command can be one of the following:
accept | accept end-user license agreement |
show | show end-user license agreement |
Example:
Show the end-user license agreement:
imunify360-agent eula show
Allows enabling or disabling additional CloudLinux software included in Imunify360 for free. The following software is available:
kernelcare | feature name |
hardened-php | feature name |
invisible-captcha | feature name |
Note
You cannot install arbitrary 3rd party components or anything besides the features listed above. Please use the legacy Linux package installation process for that.
Usage:
imunify360-agent features [command] <feature name>
command is a positional argument and can be:
install | allows to enable software |
remove | allows to disable software |
status | allows to check the status of the software |
list | allows to list all available software |
Examples:
imunify360-agent features status kernelcare
{'status': 'not_installed', 'message': 'KernelCare is not installed'}
imunify360-agent features install kernelcare
imunify360-agent features remove kernelcare
Allows managing the Imunify360 features available for users.
Usage:
imunify360-agent feature-management [command] [--optional argument]...
Command can be one of the following:
defaults | show the default value for each feature that is applied for newly created user |
disable | disable a feature for some or all users |
enable | enable a feature for some or all users |
get | obtains the status of all available features for a USER |
list | list all available features |
native | allows to enable/disable the Native Features Management using WHM/cPanel package extensions |
show | allows to show enabled features |
Optional argument for the enable/disable commands can be one of the following:
[--feature av] | enable/disable Malware Cleanup |
[--feature proactive] | enable/disable Proactive Defense |
[--users [USERS [USERS ...]]] | specifies the list of users that will be affected; otherwise the default value will be changed |
The mandatory argument for the get command:
[--user USER] | specifies a user name to obtain the status of features for |
The mandatory argument for the native command:
disable | disable the Native Features Management using WHM/cPanel package extensions and return the original Imunify360 Features Management back |
enable | enable the Native Features Management using WHM/cPanel package extensions |
Example: enable Malware Cleanup for user1:
imunify360-agent feature-management enable --feature av --users user1
imunify360-agent feature-management native disable
Once the command is executed:
Note
Imunify360 will keep applying the users' Features Management settings stored in its database after switching back to the original Imunify360 Features Management.
Warning
The feature-management enable/disable --feature av and feature-management enable/disable --feature proactive commands will start functioning.
imunify360-agent feature-management native enable
OK
Once the command is executed, the following default Imunify360 Package Extension settings will be applied to all Packages:
Imunify360 Package Extensions will be auto-enabled for all packages, regardless of whether they have the Imunify360 plugin enabled or not.
All existing Features Management settings will be overridden with the Imunify360 Package Extensions ones for all users.
Note
The Features Management tab will be hidden in the User Interface.
Warning
The feature-management enable/disable --feature av and feature-management enable/disable --feature proactive commands will stop functioning.
Fixes the non-recommended values (sets them to the ones recommended by Imunify360).
Usage:
imunify360-agent fix modsec directives [--optional arguments]
Example:
The following command sets the ModSecurity directives values to ones recommended by Imunify360:
imunify360-agent fix modsec directives
OK
If the execution is unsuccessful, the actual error message is displayed.
The command returns the list of incidents.
Usage:
imunify360-agent get [--required argument] [--optional argument]...
option can be one or more of the optional arguments listed above and one more:
Argument | Description |
---|---|
--order-by [ORDER_BY [ORDER_BY ...]] | Sorting order. |
--limit | Limits the output to the specified number of IPs. Must be a number greater than zero. By default, equals 50. |
--by-country-code [country_code] | Filters output by country code. Requires a valid country code as argument. Find valid country codes in the column ISO ALPHA-2 CODE. |
--period [period] | Timeframe. Specifies the amount of time, counted back from the current moment, to report on. Should be greater than (or equal to) 1 minute. Example: --period 5d returns the list of incidents for the last 5 days. |
--since [timestamp] | sets the start time to filter the list of incidents by period |
--to [timestamp] | sets the finish time to filter the list of incidents by period |
--severity | sets the severity to filter the list of incidents |
--offset OFFSET | offset for pagination. By default, equals 0 |
--by-abuser-ip [BY_ABUSER_IP] | selection based on abuser IP address |
--json | return data in JSON format |
--search | string to search incidents by |
--by-list | Filters output by list name. Example: --by-list black . |
Example:
The following command shows the incidents (in JSON format) for recent one hour, filtered by country code UA and filtered by Black List IPs:
imunify360-agent get --period 1h --by-country-code UA --by-list black --json
This one shows the incidents whose triggered rules have severity level 5, e.g.:
# imunify360-agent get --period 20d --severity 5
TIMESTAMP ABUSER COUNTRY TIMES NAME SEVERITY
1600162404 11.22.33.44 CN 1 SSHD authentication failed. 5
1600154599 11.22.33.44 CN 1 SSHD authentication failed. 5
1600138163 11.22.33.44 CN 1 Process exiting (killed). 5
To get more detailed output, such as the plugin or the rule ID these incidents belong to, use the --json argument.
This command allows viewing or editing the IP Gray List.
Usage:
imunify360-agent graylist ip [command] [--optional argument]
Available commands:
delete | allows to remove IP from Gray List |
list | allows to list IPs in Gray List |
Optional arguments for list :
--by-country-code [country_code] | Filters output by country code. Requires a valid country code as argument. Find valid country codes in the column ISO ALPHA-2 CODE. |
--by-ip [ip_address] | Filters output by abuser's IP or by subnet in CIDR notation. Example: --by-ip 1.2.3.0/24 |
--limit | Limits the output to the specified number of IPs. Must be a number greater than zero. By default, equals 100. |
--offset | Offset for pagination. By default, equals 0. |
Please note that by default the list command outputs only the first 100 items in the list, as if it was run as graylist ip list --limit 100 .
To check whether specific IP address is in the list, you can run the following command:
imunify360-agent graylist ip list --by-ip 12.34.56.78
where 12.34.56.78 is that specific IP address.
Example:
The following command will remove IP 1.2.3.4 from the Gray List:
imunify360-agent graylist ip delete 1.2.3.4
OK
You can find more about hooks here.
This command allows managing hooks.
Usage:
imunify360-agent hook [command] --event [event_name|all] [--path </path/to/hook_script>]
command can be one of the following:
add | register a new event handler |
delete | unregister existing event handler |
list | show existing event handlers |
add-native | register a new native event handler |
--event [event_name|all] | defines the particular event that invokes the registered handler, as opposed to the all keyword, which covers every event |
--path </path/to/hook_script> | must contain a valid path to the event handler; it can be any executable or a Python native event handler that the agent runs upon the registered event |
Example:
The following command shows existing event handlers. If you have any hooks configured, the output will include something similar to this:
imunify360-agent hook list --event all
Event: malware-detected, Path: /root/directory/im360mwscannereventhooks/get_user.py
This command allows importing the Black List and White List from another 3rd party IDS (only CSF is supported at the moment) into the Imunify360 database. Note: if CSF is enabled, it is not necessary to run the command, because Imunify360 is integrated with CSF.
Usage:
imunify360-agent import {blocked-ports, wblist} ...
Positional arguments:
blocked-ports | Import blocked-ports from other IDS |
wblist | Import White/Black List from other IDS |
Example:
The following command will import Black List and White List from the 3rd party IDS:
imunify360-agent import wblist
Allows retrieving the list of infected domains.
Usage:
imunify360-agent infected-domains [--optional arguments]
Optional arguments:
--limit | Limits the output to the specified number of domains. Must be a number greater than zero. By default, equals 100. |
--offset | Offset for pagination. By default, equals 0. |
Example:
The following command displays the results of the check-domains command. In case there are no infected domains on the server, you will see no output. If there are any, you will get output like the following:
imunify360-agent infected-domains
'domain1.com'
'domain2.com'
Allows getting a token which can be used for authentication in the stand-alone Imunify UI.
Usage:
imunify360-agent login [command] [--optional arguments]
command can be one of the following:
get | returns a token for USERNAME (must be executed by root) |
pam | uses PAM to check the provided credential and returns a token for USERNAME if PASSWORD is correct |
Optional arguments for get :
--username USERNAME |
Optional arguments for pam :
--username USERNAME |
--password PASSWORD |
Example:
Use the login get command to implement your own authorization mechanism for stand-alone Imunify.
For example, you can generate tokens for users which are already authorized in your system/panel, and redirect them to the stand-alone Imunify UI with https://example.com/#/login?token=<TOKEN> or https://example.com/#?token=<TOKEN> in the URL. (You can also set it in localStorage: localStorage.setItem('I360_AUTH_TOKEN', '<TOKEN>'); ). The output will look similar to the following:
imunify360-agent login get --username my-user1
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MDAyNDQwMTAuMDk5MzE5LCJ1c2VyX3R5cGUiOiJjbGllbnQiLCJ1c2VybmFtZSI6ImNsdGVzdCJ9.V_Q03hYw4dNLX5cewEb_h46hOw96KWBWP0E0ChbP3dA
imunify360-agent login pam --username my-user1 --password ********
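The token `login get` prints is a JWT. As an added example (not part of the Imunify360 documentation), the code below reads its claims so a panel integration can confirm the token names the user it just authenticated and has not expired before building the redirect URL described above. It reads the claims without verifying the HS256 signature, because the signing key stays with the agent; the sample token is the one printed on this page, whose payload names user cltest and expired in 2020, so `now` is passed explicitly. `get_token` and the `ui_base` default are assumptions.

```python
"""Inspect a token returned by `imunify360-agent login get` before handing it
to the stand-alone Imunify UI.

Added example, not part of the Imunify360 documentation. The token is a JWT
(three base64url parts); this code only reads the claims, it cannot verify
the HS256 signature because the signing key belongs to the agent. The sample
token is the one printed on this page; its payload carries username 'cltest'
and an `exp` in 2020, so `now` is passed explicitly in the checks.
"""
import base64
import json
import subprocess
import time
from urllib.parse import quote

SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJleHAiOjE2MDAyNDQwMTAuMDk5MzE5LCJ1c2VyX3R5cGUiOiJjbGllbnQiLCJ1c2VybmFtZSI6ImNsdGVzdCJ9."
    "V_Q03hYw4dNLX5cewEb_h46hOw96KWBWP0E0ChbP3dA"
)


def _b64url_decode(part: str) -> bytes:
    # JWT parts omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def read_claims(token: str) -> dict:
    """Return the JWT payload as a dict (unverified: signature is not checked)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token does not look like a JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "JWT":
        raise ValueError("unexpected token header")
    return json.loads(_b64url_decode(parts[1]))


def token_usable_for(token: str, username: str, now: float) -> bool:
    """Check that the token names the user we authenticated and has not expired."""
    claims = read_claims(token)
    return claims.get("username") == username and claims.get("exp", 0) > now


def login_url(token: str, ui_base: str = "https://example.com") -> str:
    """Build the redirect URL from the page: <base>/#/login?token=<TOKEN>.

    The token lives in the URL fragment, which browsers do not send to the
    server, so it does not end up in web-server access logs.
    """
    return f"{ui_base}/#/login?token={quote(token, safe='')}"


def get_token(username: str) -> str:
    """Run `imunify360-agent login get --username USER` (root only) and return
    the printed token. Assumed wrapper; not executed in the demo below."""
    out = subprocess.run(
        ["imunify360-agent", "login", "get", "--username", username],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    claims = read_claims(SAMPLE_TOKEN)
    print("claims:", claims)
    print("usable now:", token_usable_for(SAMPLE_TOKEN, claims["username"], time.time()))
    print(login_url(SAMPLE_TOKEN))
```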
Allows managing malware options.
Usage:
imunify360-agent malware [command] [--optional arguments]
Available commands:
ignore | malware Ignore List operations |
malicious | malware Malicious List operations |
on-demand | on-demand Scanner operations |
suspicious | malware Suspicious List operations |
cleanup status | show the status of the cleanup process |
history list | lists the complete history of all malware-related incidents/actions (optional arguments available) |
rebuild patterns | allows to save changes after editing watched and excluded patterns for Malware Scanner. See details here. |
user | allows to perform Malware Scanner operations for a user |
Optional arguments:
--limit LIMIT | Limits the output to the specified number of entries. Must be a number greater than zero. By default, equals 100. |
--offset OFFSET | Offset for pagination. By default, equals 0. |
--since SINCE | Start date. |
--to TO | End date. |
--user USER | Returns results for a chosen user. |
--order-by [ORDER_BY [ORDER_BY ...]] | Sorting order. |
--by-status [BY_STATUS [BY_STATUS ...]] | Return items with selected status. |
--by-scan-id BY_SCAN_ID | Return items with selected ID. |
--items ITEMS | Return selected items. |
--search SEARCH | Search query. |
action is the second positional argument for ignore and can be one of the following:
add | add file PATHS to the Ignore List |
delete | delete file PATHS from the Ignore List |
list | shows Ignore List entries (optional arguments apply) |
where PATHS are the absolute paths to files or folders, separated by whitespace.
command2 is the second positional argument for the malicious command and can be one of the following:
cleanup | clean up infected ITEMS for a USER |
cleanup-all | clean up all files that have been detected as infected for all users |
restore-original | restore the original (malicious/infected) file to its original location |
list | list malicious/infected files |
move-to-ignore | move a Malicious List entry to the (malware) Ignore List |
remove-from-list | remove malicious/infected files from the Malicious List |
restore-from-backup | restore a clean version of infected file from backup |
restore-from-quarantine | deprecated in ver. 5.9. Restore a quarantined file. The file will be automatically re-scanned |
action is the second positional argument for on-demand and can be one of the following:
list | list all on-demand scans performed |
start --path PATH | starts an on-demand scan for a specified PATH |
status | show the on-demand malware scanner status |
stop | stop on-demand malware scanner process |
queue put | put file PATHS to the queue for on-demand scan |
queue remove | remove scans from the queue for on-demand scan |
The optional arguments for on-demand start and on-demand queue put are:
--ignore-mask IGNORE_MASK |
--follow-symlinks |
--no-follow-symlinks |
--file-mask FILE_MASK |
--intensity-cpu {1 to 7} 1 means the lowest intensity, 7 means the highest intensity |
--intensity-io {1 to 7} 1 means the lowest intensity, 7 means the highest intensity |
action is the second positional argument for suspicious and can be one of:
list | obtain the list of Suspicious List entries |
move-to-ignore | move a Suspicious List entry to the (malware) Ignore List |
action is the second positional argument for user and can be one of the following:
cleanup USER | clean all infected files for a user |
restore-original USER | restore all original files for a user |
list | list all users and their current infection status |
scan | scan all users |
Examples:
The start command:
imunify360-agent malware on-demand start --path /home/<username>/public_html/
ignore-mask usage when you have to scan all d* folders except for dixon77w.com and dunnrrr.com :
imunify360-agent malware on-demand start --path='/var/www/vhosts/d*' --ignore-mask='/var/www/vhosts/dixon77w.com/*,/var/www/vhosts/dunnrrr.com/*'
imunify360-agent malware on-demand queue put "/home/user1/some folder" "/home/user2" --file-mask="*.php"
imunify360-agent malware on-demand list # get scan_ids for the selected scans from the malicious list
imunify360-agent malware on-demand queue remove 84f043211dc045ae8e6d641f3b9fdb0a 8c4ee39d4d8f43e296e893940c8e791a
imunify360-agent malware on-demand stop
imunify360-agent malware on-demand stop --all
imunify360-agent malware malicious list --user cltest --limit 500
The list of the infected files found looks like this:
CLEANED_AT CREATED EXTRA_DATA FILE HASH ID MALICIOUS SCAN_ID SCAN_TYPE SIZE STATUS TYPE USERNAME
None 1599955297 {} /home/cltest/public_html/test/TsMeJD.php 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 1627 True 1996cd86e6b14b12a1c165e79e3540d9 background 68 found SMW-SA-05057-eicar.tst-4 cltest
None 1599955297 {} /home/cltest/public_html/test/TZlfnU.php 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 1628 True 1996cd86e6b14b12a1c165e79e3540d9 background 68 found SMW-SA-05057-eicar.tst-4 cltest
None 1599955297 {} /home/cltest/public_html/test/Ke7V8n.php 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 1629 True 1996cd86e6b14b12a1c165e79e3540d9 background 68 found SMW-SA-05057-eicar.tst-4 cltest
None 1599955297 {} /home/cltest/public_html/yoUq0L.php 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 1630 True 1996cd86e6b14b12a1c165e79e3540d9 background 68 found SMW-SA-05057-eicar.tst-4 cltest
None 1599955297 {} /home/cltest/public_html/test/PKiuhY.php 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f 1631 True 1996cd86e6b14b12a1c165e79e3540d9 background 68 found SMW-SA-05057-eicar.tst-4 cltest
None 1599955297 {} /home/cltest/public_html/public_html/Zqrsvh.php 275a021bbfb6489e54d471899f7db9d1663fc695
imunify360-agent malware ignore add /home/user1/public_html/ "/home/some user/public_html/index.php"
imunify360-agent malware rebuild patterns
imunify360-agent malware user list
The successful initiation/stopping of a scanning process or adding of ignored directories/files should give you OK in the output.
Allows administrators to show and update the notifications configuration via CLI.
Usage:
imunify360-agent notifications-config [command] [configuration options]
command can be:
show | returns the full config as a JSON |
update | updates the config (partial update is supported) and returns the full updated config as a JSON |
We advise administrators to use notifications-config show to get the full config, pick what they want to edit, and feed it to notifications-config update .
The general structure of the imunify360-agent notifications-config show command output:
{
"rules": {
"SCRIPT_BLOCKED": {
"SCRIPT": {
"scripts": [],
"period": 1,
"enabled": False
},
"ADMIN": {
"period": 1,
"admin_emails": [],
"enabled": False
}
},
"USER_SCAN_FINISHED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"USER_SCAN_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"enabled": False
},
"ADMIN": {
"admin_emails": [],
"enabled": False
}
},
"USER_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"REALTIME_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"period": 1,
"enabled": False
},
"ADMIN": {
"period": 1,
"admin_emails": [],
"enabled": False
}
},
"CUSTOM_SCAN_FINISHED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"enabled": False
},
"ADMIN": {
"admin_emails": [],
"enabled": False
}
}
},
"admin": {
"notify_from_email": None,
"default_emails": []
}
}
Let's review all the options.
Rules:
Admin:
Let's review all options for a specific event, using REALTIME_MALWARE_FOUND as the example:
"REALTIME_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"period": 1,
"enabled": False
},
"ADMIN": {
"period": 1,
"admin_emails": [],
"enabled": False
}
SCRIPT: set enabled to True to run a script (event handler) upon event occurrence.
ADMIN: put default in admin_emails to use the default administrator emails and/or specify your own emails for notifications; set enabled to True to notify the administrator and a custom user list via email upon event occurrence.
Examples:
Example 1:
imunify360-agent notifications-config update '{"admin": {"default_emails": ["email1@email.com", "email2@email.com"]}}'
Example 2:
imunify360-agent notifications-config update '{"rules": {"REALTIME_MALWARE_FOUND": {"ADMIN": {"enabled": true, "period": 3600, "admin_emails": ["email3@email.com", "email4@email.com", "default"]}}}}'
After the successful execution, the imunify360-agent notifications-config update command returns the full config with changes.
The imunify360-agent notifications-config show command output after applying the examples 1 and 2:
{
"rules": {
"SCRIPT_BLOCKED": {
"ADMIN": {
"admin_emails": [],
"period": 1,
"enabled": False
},
"SCRIPT": {
"scripts": [],
"period": 1,
"enabled": False
}
},
"USER_SCAN_FINISHED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"USER_SCAN_MALWARE_FOUND": {
"ADMIN": {
"admin_emails": [],
"enabled": False
},
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"REALTIME_MALWARE_FOUND": {
"ADMIN": {
"admin_emails": ['email3@email.com', 'email4@email.com', 'default'],
"period": 3600,
"enabled": True
},
"SCRIPT": {
"scripts": [],
"period": 1,
"enabled": False
}
},
"USER_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_FINISHED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_MALWARE_FOUND": {
"ADMIN": {
"admin_emails": [],
"enabled": False
},
"SCRIPT": {
"scripts": [],
"enabled": False
}
}
},
"admin": {
"notify_from_email": None,
"default_emails": ["email1@email.com", "email2@email.com"]
}
}
More examples:
Example 3:
imunify360-agent notifications-config update '{"rules": {"USER_SCAN_FINISHED": {"SCRIPT": {"scripts": ["/script/my-handler.py"], "enabled": true}}}}'
Example 4:
imunify360-agent notifications-config update '{"rules": {"REALTIME_MALWARE_FOUND": {"SCRIPT": {"period": 60}}}}'
After the successful execution, the imunify360-agent notifications-config update command returns the full config with changes.
The imunify360-agent notifications-config show command output after applying the examples 3 and 4:
{
"rules": {
"CUSTOM_SCAN_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"enabled": False
},
"ADMIN": {
"enabled": False,
"admin_emails": []
}
},
"USER_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"CUSTOM_SCAN_FINISHED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"SCRIPT_BLOCKED": {
"SCRIPT": {
"period": 1,
"scripts": [],
"enabled": False
},
"ADMIN": {
"period": 1,
"enabled": False,
"admin_emails": []
}
},
"CUSTOM_SCAN_STARTED": {
"SCRIPT": {
"scripts": [],
"enabled": False
}
},
"USER_SCAN_MALWARE_FOUND": {
"SCRIPT": {
"scripts": [],
"enabled": False
},
"ADMIN": {
"enabled": False,
"admin_emails": []
}
},
"REALTIME_MALWARE_FOUND": {
"SCRIPT": {
"period": 60,
"scripts": [],
"enabled": False
},
"ADMIN": {
"period": 3600,
"enabled": True,
"admin_emails": ['email3@email.com', 'email4@email.com', 'default']
}
},
"USER_SCAN_FINISHED": {
"SCRIPT": {
"scripts": ['/script/my-handler.py'],
"enabled": True
}
}
},
"admin": {
"notify_from_email": None,
"default_emails": ["email1@email.com", "email2@email.com"]
}
}
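The partial-update behaviour described above (send only the keys you change, get the full config back) is easy to get wrong when building the JSON by hand. The following Python is an added example, not Imunify360's own code: it takes the default config shown by notifications-config show on this page as a constructed baseline, validates a partial update against that structure, merges it recursively (that the agent merges nested objects key by key is an assumption inferred from examples 1 to 4, whose results it reproduces) and builds the shell-quoted update command line.

```python
import copy
import json
import shlex

# Constructed baseline: the structure that `notifications-config show` prints
# on this page, with every rule disabled (copied from the page, not queried).
DEFAULT_CONFIG = {
    "rules": {
        "SCRIPT_BLOCKED": {
            "SCRIPT": {"scripts": [], "period": 1, "enabled": False},
            "ADMIN": {"period": 1, "admin_emails": [], "enabled": False},
        },
        "USER_SCAN_FINISHED": {"SCRIPT": {"scripts": [], "enabled": False}},
        "USER_SCAN_MALWARE_FOUND": {
            "SCRIPT": {"scripts": [], "enabled": False},
            "ADMIN": {"admin_emails": [], "enabled": False},
        },
        "USER_SCAN_STARTED": {"SCRIPT": {"scripts": [], "enabled": False}},
        "CUSTOM_SCAN_STARTED": {"SCRIPT": {"scripts": [], "enabled": False}},
        "REALTIME_MALWARE_FOUND": {
            "SCRIPT": {"scripts": [], "period": 1, "enabled": False},
            "ADMIN": {"period": 1, "admin_emails": [], "enabled": False},
        },
        "CUSTOM_SCAN_FINISHED": {"SCRIPT": {"scripts": [], "enabled": False}},
        "CUSTOM_SCAN_MALWARE_FOUND": {
            "SCRIPT": {"scripts": [], "enabled": False},
            "ADMIN": {"admin_emails": [], "enabled": False},
        },
    },
    "admin": {"notify_from_email": None, "default_emails": []},
}

LIST_KEYS = ("scripts", "admin_emails", "default_emails")


def validate_update(update, base):
    """Reject a partial update that does not fit the shape of `base`.

    Only what the page's output shows is checked: known event/channel keys,
    boolean `enabled`, positive integer `period`, lists of strings for
    scripts and emails. Raises ValueError naming the offending path.
    """
    def check(node, ref, path):
        if not isinstance(node, dict):
            raise ValueError(f"{path}: expected an object")
        for key, value in node.items():
            if key not in ref:
                raise ValueError(f"{path}.{key}: unknown key")
            here = f"{path}.{key}"
            if isinstance(ref[key], dict):
                check(value, ref[key], here)
            elif key == "enabled" and not isinstance(value, bool):
                raise ValueError(f"{here}: must be true or false")
            elif key == "period" and (
                isinstance(value, bool) or not isinstance(value, int) or value < 1
            ):
                raise ValueError(f"{here}: must be a positive integer")
            elif key in LIST_KEYS and (
                not isinstance(value, list)
                or not all(isinstance(item, str) for item in value)
            ):
                raise ValueError(f"{here}: must be a list of strings")

    check(update, base, "$")


def apply_update(config, update):
    """Return a copy of `config` with `update` merged in recursively.

    Models the partial-update behaviour described above: nested objects are
    merged key by key, scalars and lists are replaced. `config` is not changed.
    """
    validate_update(update, config)
    merged = copy.deepcopy(config)

    def merge(dst, src):
        for key, value in src.items():
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge(dst[key], value)
            else:
                dst[key] = copy.deepcopy(value)

    merge(merged, update)
    return merged


def update_command(update):
    """Build the CLI line for a partial update, quoted for a POSIX shell."""
    payload = json.dumps(update)
    return "imunify360-agent notifications-config update " + shlex.quote(payload)
```

Feed apply_update the output of notifications-config show (with --json) instead of DEFAULT_CONFIG to preview a change before sending it; update_command produces exactly the quoted form used in the examples above, so a JSON value containing spaces or quotes cannot be split by the shell.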
Simple, generic scripts that serve as a reference/template for creating custom scripts to use with imunify-notifier.
For notifications subsystem:
For hooks subsystem:
You can use these scripts as a reference and customize them.
Note
Set the +x bits on your script file to make it executable. Your script also has to be readable by the special _imunify user, so make sure the group permissions are set accordingly:
chown root:_imunify hook_script.sh
The agent generates messages of different types on hook events. The 'if chain' in the script calls the particular method corresponding to the type of event that came from the agent.
For example, if you'd like to block the sites of all users whose files were detected as infected by the realtime scan, you can use the handle_realtime_malware_found method.
To unblock user sites that were scanned as clean, you can use the handle_user_scan_finished method.
Add the path to your script to the related hook (or multiple hooks) and implement the custom logic of blocking and unblocking sites.
This script also shows how to parse the JSON that comes from Imunify360 and describes the JSON schema for every possible case. These descriptions are provided in the docstrings of the handle methods.
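A minimal hook handler built the way the text describes (an 'if chain' dispatching on event type to handle_realtime_malware_found and handle_user_scan_finished) is shown below as an added template. It is not the imunify-notifier reference script, and because the page does not reproduce the message schema, the field names event_id, message, files, user and infected are assumptions; take the real names from the docstrings of the reference script's handle methods. Reading the JSON from stdin is also this template's assumption.

```python
import json
import sys

# Added template, not the imunify-notifier reference script. The message layout
# is an ASSUMPTION (the page does not reproduce the schema): take the real field
# names from the docstrings of the reference script's handle_* methods.
#   {"event_id": "REALTIME_MALWARE_FOUND",
#    "message": {"files": [{"path": "/home/u1/public_html/a.php", "user": "u1"}]}}
#   {"event_id": "USER_SCAN_FINISHED",
#    "message": {"user": "u1", "infected": 0}}


class SiteBlocker:
    """Tracks which users' sites are blocked and records every action.

    How a site is actually blocked (panel suspension, web server rule) is
    deployment-specific, so the template keeps the state in memory; replace
    the bodies of block()/unblock() with the real operation and keep the guards.
    """

    def __init__(self):
        self.blocked = set()
        self.actions = []

    def block(self, user):
        if user in self.blocked:        # idempotent: a second alert is not a second block
            return False
        self.blocked.add(user)
        self.actions.append(("block", user))
        return True

    def unblock(self, user):
        if user not in self.blocked:    # only lift blocks this hook placed
            return False
        self.blocked.discard(user)
        self.actions.append(("unblock", user))
        return True


def handle_realtime_malware_found(message, blocker):
    """REALTIME_MALWARE_FOUND: block every user who owns an infected file."""
    owners = sorted({f["user"] for f in message.get("files", []) if f.get("user")})
    return [user for user in owners if blocker.block(user)]


def handle_user_scan_finished(message, blocker):
    """USER_SCAN_FINISHED: unblock the user only when the scan found nothing."""
    user = message.get("user")
    if not user or message.get("infected", 0) != 0:
        return []                       # still infected (or unknown): keep the block
    return [user] if blocker.unblock(user) else []


def process_message(raw, blocker):
    """Parse one agent message and dispatch it through the 'if chain'.

    Returns the users acted on ([] for events this hook ignores) or None when
    the input was not a JSON object.
    """
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    event_id = data.get("event_id")
    message = data.get("message") or {}
    if event_id == "REALTIME_MALWARE_FOUND":
        return handle_realtime_malware_found(message, blocker)
    elif event_id == "USER_SCAN_FINISHED":
        return handle_user_scan_finished(message, blocker)
    return []                           # other event types are ignored on purpose


if __name__ == "__main__":
    # Assumption: the agent hands the JSON message to the hook on stdin.
    blocker = SiteBlocker()
    acted = process_message(sys.stdin.read(), blocker)
    for action, user in blocker.actions:
        print(f"{action} {user}")
    sys.exit(1 if acted is None else 0)
```

Two guards matter more than the dispatch itself: a clean-scan event must never unblock a user the hook did not block (another process may have suspended them), and a scan that still reports infected files must leave the block in place.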
Imunify Notifications Engine supports adding custom email messages, either to the header or to the body. This may be useful for adding warnings or any other message.
To add a custom email template, follow these steps:
Enable admin notifications for the CUSTOM_SCAN_MALWARE_FOUND event. It is triggered by malware caught by an on-demand scan:
imunify360-agent notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND": {"ADMIN": {"enabled": true, "admin_emails": ["your-email@example.domain"]}}}}'
mkdir -p /etc/imunify360/emails/custom_scan_malware_found
cat <<EOF > /etc/imunify360/emails/custom_scan_malware_found/en.json
[
{
"id": "subject",
"other": "TESTING templates on {{serverName}}"
},
{
"id": "scan_description_section",
"other": "Hello World, from custom template test"
}
]
EOF
cat <<EOF > /etc/imunify360/emails/custom_scan_malware_found/t.tmpl
From: {{.mail_from}}
To: {{.mail_to}}
Subject: {{.messages.subject}}
{{.messages.scan_description_section}}
EOF
More examples are available at: /usr/share/imunify-notifier/templates/
These commands allow to manage the Proactive Defense feature.
Usage:
imunify360-agent proactive [command] [--option] <value>
Available commands:
ignore delete path | allows to remove a file from Proactive Defense Ignore List. |
ignore delete rule | allows to remove a rule for a file from Proactive Defense Ignore List. |
list | allows to list Proactive Defense events. |
details | allows to show details for the event. |
ignore list | allows to list files included to Proactive Defense Ignore List. |
ignore add | allows to add a file to Proactive Defense Ignore List. |
option can be one or more of the optional arguments listed above and the following:
--path | for ignore add, ignore delete path, ignore delete rule commands. Allows to specify a path to the file. |
--id | for details, ignore delete rule commands. Allows to specify rule id. |
--rule-id | only for ignore add command. Allows to specify rule id. |
--rule-name | only for ignore add command. Allows to specify rule name. |
--since [timestamp] | allows to set start time to filter the list of incidents by period. |
--to [timestamp] | allows to set finish time to filter the list of incidents by period. |
--user | show events for a specific user. |
--search | string to search Proactive events by. |
Examples:
The following command adds /home/user/index.php to the Proactive Defense Ignore List for the rule with id 12 and name Suspicious detection rule. It means that Proactive Defense will not analyze this file according to this rule:
imunify360-agent proactive ignore add --path /home/user/index.php --rule-id 12 --rule-name 'Suspicious detection rule'
OK
The following command removes <path to file 1> and <path to file 2> from the Proactive Defense Ignore List:
imunify360-agent proactive ignore delete path <path to file 1> <path to file 2>
OK
Allows to register and activate Imunify360. Use it if Imunify360 was not activated during the installation process or if the Imunify360 activation key was changed for any reason. If you do not know what an activation key is or have any problem with it, please read the Installation guide or contact our support team.
Usage:
imunify360-agent register [--optional arguments] [KEY]
KEY is a positional argument:
KEY | Register with activation key (use IPL to register by IP). |
If you use this command without the KEY argument, it will try to register and activate the current activation key.
In case when the number of users on the server changes and one license is replaced by another, it is necessary to run the following command to update the license:
imunify360-agent update-license
OK
Example 1:
The following command will register and activate Imunify360 with the provided activation key:
imunify360-agent register IM250sdfkKK245kJHIL
OK
Example 2:
If you have an IP-based license, you can use IPL
argument to register and activate Imunify360:
imunify360-agent register IPL
OK
Allows to use external files with the list of Black/White-listed IPs.
Usage:
imunify360-agent reload-lists
Example:
To use external files with the list of Black/White-listed IPs, place the list into one of the following directories: /etc/imunify360/whitelist/*.txt for the White list and /etc/imunify360/blacklist/*.txt for the Black list. Then, in order to apply the IP lists, run the following command:
imunify360-agent reload-lists
OK
Allows to add an additional proxy subnet.
Usage:
imunify360-agent remote-proxy [commands] [--optional arguments]
Positional arguments:
add | Add proxy subnet in CIDR notation |
delete | Delete proxy subnet in CIDR notation |
list | List of manually added proxies |
group | Manage proxies by name |
Positional arguments for add:
NETWORKS | Subnet in CIDR notation |
Optional arguments for add:
--name NAME | Name of an added proxy |
Positional arguments for delete:
NETWORKS | Subnet in CIDR notation |
Optional arguments for list:
--by-group BY_GROUP | Sort by GROUP |
--by-source BY_SOURCE | Sort by SOURCE |
Positional arguments for group:
enable | Enable group |
disable | Disable group |
Positional arguments for enable/disable:
name | Name of your proxy subnet |
Optional arguments for enable/disable:
--source SOURCE | Enable/disable a group by SOURCE |
Examples:
The following command adds the proxy subnet 1.1.2.0/24 with the name my_own_proxy:
imunify360-agent remote-proxy add 1.1.2.0/24 --name "my_own_proxy"
OK
Allows to check if Imunify360 server license is valid.
Usage:
imunify360-agent rstatus [--optional arguments]
An extended variation (otherwise, you receive OK if everything is fine with the registered license):
imunify360-agent rstatus --json -v
{
"expiration": null,
"id": "SSXX11xXXXxxxxXX",
"license": {
"expiration": null,
"id": "SSXX11xXXXxxxxXX",
"license_type": "imunify360",
"message": "",
"redirect_url": " ",
"status": true,
"user_count": 100,
"user_limit": 2147483647
},
"license_type": "imunify360",
"message": "",
"redirect_url": " ",
"status": true,
"strategy": "PRIMARY_IDS",
"user_count": 100,
"user_limit": 2147483647,
"version": "5.1.2-1"
}
This command allows the user to manage rules disabled for the firewall plugins Imunify360 uses.
Usage:
imunify360-agent rules [command] [--option] <value> [--option] <value>
command is a positional argument and can be:
disable | add a new rule to the disabled rules list |
enable | remove a rule from the disabled rules list |
list-disabled | display the list of the disabled rules |
update-app-specific-rules | allows to update WAF ruleset configurator immediately (generally, executed by cron) |
Option can be:
--id | ID number of the rule provided by the firewall plugin. |
--plugin | Firewall plugin name. Can be one of the following: |
--name | Name of the added rule or details of the rule from ModSecurity or OSSEC. |
--domains | List of domains to disable a rule for. Can only be used with modsec type. |
Examples
1. The following command disables ModSecurity rule 42 for all domains:
imunify360-agent rules disable --id 42 --plugin modsec --name 'Rule name'
OK
2. The following command removes rule 42 from the disabled rules list:
imunify360-agent rules enable --id 42 --plugin modsec
OK
3. The following command displays the list of the disabled rules:
imunify360-agent rules list-disabled
The list is displayed as follows:
{'plugin': 'modsec', 'id': '214920', 'domains': ['captchatest.com'], 'name': 'Imported from config'}
{'plugin': 'modsec', 'id': '42', 'domains': None, 'name': 'Rule name'}
{'plugin': 'ossec', 'id': '1003', 'domains': None, 'name': 'Imported from config'}
{'plugin': 'ossec', 'id': '2502', 'domains': None, 'name': 'User missed the password more than one time'}
Where
Note
Domains are specified only for ModSecurity rules. An OSSEC rule always applies to all domains.
4. The following command updates the WAF ruleset configurator immediately:
imunify360-agent rules update-app-specific-rules
OK
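Every disabled rule is coverage the WAF or OSSEC no longer provides, and the list-disabled output above is the only record of it, so it is worth auditing. The following Python is an added example (not part of Imunify360) that parses the four sample lines shown above, which are Python dict literals rather than JSON, separates ModSecurity rules disabled server-wide (domains None) from per-domain exclusions, lists OSSEC exclusions, flags entries named 'Imported from config' as having no operator-supplied reason, and prints the rules enable commands from the usage above for an operator to review.

```python
import ast

# Constructed sample: the four lines that `imunify360-agent rules list-disabled`
# prints on this page. The output is Python dict literals, not JSON.
SAMPLE_OUTPUT = """\
{'plugin': 'modsec', 'id': '214920', 'domains': ['captchatest.com'], 'name': 'Imported from config'}
{'plugin': 'modsec', 'id': '42', 'domains': None, 'name': 'Rule name'}
{'plugin': 'ossec', 'id': '1003', 'domains': None, 'name': 'Imported from config'}
{'plugin': 'ossec', 'id': '2502', 'domains': None, 'name': 'User missed the password more than one time'}
"""


def parse_disabled_rules(text):
    """Parse list-disabled output; lines that are not dict literals are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("{") and line.endswith("}")):
            continue
        entry = ast.literal_eval(line)   # literals only: never eval() tool output
        rules.append({
            "plugin": entry.get("plugin"),
            "id": str(entry.get("id")),
            "domains": entry.get("domains") or [],   # None means "all domains"
            "name": entry.get("name") or "",
        })
    return rules


def audit_disabled_rules(rules):
    """Group disabled rules by how much coverage they remove.

    A ModSecurity rule disabled with no domain list is off for every site on
    the server; per the note above, OSSEC rules always apply to all domains.
    Rules named 'Imported from config' carry no operator-supplied reason.
    """
    report = {"modsec_global": [], "modsec_per_domain": {}, "ossec": [], "no_reason": []}
    for rule in rules:
        if rule["plugin"] == "modsec":
            if rule["domains"]:
                report["modsec_per_domain"][rule["id"]] = list(rule["domains"])
            else:
                report["modsec_global"].append(rule["id"])
        elif rule["plugin"] == "ossec":
            report["ossec"].append(rule["id"])
        if rule["name"] == "Imported from config":
            report["no_reason"].append((rule["plugin"], rule["id"]))
    return report


def enable_commands(report):
    """The `rules enable` command (syntax from the usage above) for each
    server-wide ModSecurity exclusion, for review rather than blind execution."""
    return [f"imunify360-agent rules enable --id {rule_id} --plugin modsec"
            for rule_id in report["modsec_global"]]


if __name__ == "__main__":
    result = audit_disabled_rules(parse_disabled_rules(SAMPLE_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
    for cmd in enable_commands(result):
        print(cmd)
```

On a live server pipe the real command output into parse_disabled_rules; because the parser uses ast.literal_eval, a malformed or unexpected line raises instead of being executed.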
To submit a file as a false positive (Imunify360 considers the file malicious but it actually isn't), use the following command. Make sure to specify the file name; relative paths are supported as well as full paths.
imunify360-agent submit false-positive --reason <reason> <file>
Note
The --scanner argument is deprecated and will be ignored, because there is only one vendor now: ai-bolit.
To submit a file as a false negative (Imunify360 considers the file non-malicious but it actually is), use the following command (make sure to specify the file name along with the full path):
imunify360-agent submit false-negative <file>
OK
Optional arguments:
--to | Email to send. |
--sender | User email. |
Allows to unregister and disable Imunify360 on the server.
Note
To remove Imunify360 from the server, it needs to be uninstalled.
Usage:
imunify360-agent unregister [--optional arguments]
OK
Command for manipulating Imunify360 vendors.
Usage:
imunify360-agent [command]
command is a positional argument and can be:
install-vendors | Install ModSecurity vendors. This command will install the Imunify360 vendor if there are no conflicts with other installed vendors. |
uninstall-vendors | Uninstall ModSecurity vendors. |
Example:
The following command uninstalls the ModSecurity vendors:
imunify360-agent uninstall-vendors
OK
Allows to view the actual Imunify360 version installed on the server.
Usage:
imunify360-agent version [--json]
4.9.5-3
This command allows to view or edit actual IPs and domains in the White List.
Usage:
imunify360-agent whitelist [subject] [command] <value> [--option]
subject is a positional argument and can be:
ip | Allows to manipulate with IPs in the White List. |
domain | Allows to manipulate with domains in the White List. |
country | Allows to manipulate with countries in the White List. |
Note
A domain whitelisting will affect only greylisted IPs. It will not affect ModSecurity rules and blacklisted IPs.
command is a second positional argument and can be:
add | Add item(-s) to the White List. |
delete | Remove item(-s) from the White List. |
move | Move item(-s) to the White List. |
edit | Edit TTL, comment and other parameters of the Whitelisted item. |
list | List items(-s) in the White List. |
reset-to | Replace whitelisted domains list with a new list. |
Please note that by default the list command outputs only the first 100 items in the list, as if it was run as imunify360-agent whitelist ip list --limit 100.
To check whether specific IP address is in the list, you can run the following command:
imunify360-agent whitelist ip list --by-ip 12.34.56.78
where 12.34.56.78 is that specific IP address.
value is the item to manipulate. It can be an IP itself, a country code (find the necessary country codes in CIDR notation in the ISO ALPHA-2 CODE column), or a domain name.
option can be one or more of the optional arguments from the table above and the following:
--comment | Allows to add a comment to the item. |
--full-access | Only for move and edit commands. Allows to grant full access to the IP or subnet, ignoring the rules in Blocked ports. |
--no-full-access | Only for move and edit commands. Allows to remove full access of the IP or subnet. |
--expiration | Allows specifying TTL for the whitelisted IP (in seconds since epoch). |
--scope | Allows to set the scope to Global/Local. Accepts two values: local (the default, meaning "add IP on this server only") and group (meaning "add IP for the whole group this server belongs to"). |
Examples:
The following command adds 1.2.3.4 to the White List with the comment “one good ip”:
imunify360-agent whitelist ip add 1.2.3.4 --comment "one good ip"
OK
imunify360-agent whitelist --by-country-code BO
The following command adds example.com to the White List:
imunify360-agent whitelist domain add example.com
OK
The following command lists the whitelisted domains:
imunify360-agent whitelist domain list
OK
The following command adds 1.2.3.4 to the White List with the scope group:
imunify360-agent whitelist ip add 1.2.3.4 --scope group
OK
The following command adds the country BO to the White List:
imunify360-agent whitelist country add BO
OK
The --json key can be used to get additional details about the IP address, for example whether it has full access on the server or has just been added to a whitelist:
imunify360-agent whitelist ip list --by-ip 1.2.3.4 -v --json
...
{
"auto_whitelisted": false,
"comment": "Manually added on 2022-09-05 05:16:54",
"country": {
"code": "US",
"id": "1234001",
"name": "United States"
},
"ctime": 1662355015,
"deep": null,
"expiration": 0,
"full_access": true,
"imported_from": null,
"ip": "1.2.3.4",
"listname": "WHITE",
"manual": true,
"netmask": 1234967295,
"network_address": 123495478,
"scope": "local",
"version": 4
}
...
To whitelist multiple IP addresses, put them into a file and add to the white list as follows:
cat list.txt | xargs -n 1 imunify360-agent whitelist ip add
The alternative would be using the external white/black list feature.
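Bulk-whitelisting from a file, whether through xargs as above or through the external list directory, applies every line as written, so a typo, a duplicate or an over-broad subnet goes straight into the firewall's exemptions. The following Python is an added example, not Imunify360's own tooling: it validates each entry with the standard ipaddress module, drops duplicates, holds back networks shorter than a minimum prefix length (the /16 and /48 thresholds are this example's assumption), and then emits either the whitelist ip add commands from the usage above or the content of a file for /etc/imunify360/whitelist/ (one entry per line is assumed; the page does not specify the file format). The sample list is constructed from documentation address ranges.

```python
import ipaddress
import shlex

# Constructed sample list (documentation/test address ranges, not real data).
SAMPLE_LIST = """\
# office egress
203.0.113.10
203.0.113.10
198.51.100.0/24
2001:db8::/32
10.0.0.0/8
0.0.0.0/0
not-an-ip
192.0.2.300
"""


def normalize_entries(text, min_prefix_v4=16, min_prefix_v6=48):
    """Validate and de-duplicate a whitelist file before anything is applied.

    Returns (accepted, rejected, too_broad):
      accepted  - canonical IPs/subnets in file order, duplicates dropped
      rejected  - (line number, text) for entries that are not IPs or networks
      too_broad - networks shorter than the minimum prefix length (an ASSUMED
                  threshold: exempting that much address space from the
                  firewall deserves a human decision, so it is held back)
    """
    accepted, rejected, too_broad = [], [], []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()     # allow trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry))
            continue
        if net.prefixlen == net.max_prefixlen:
            canonical = str(net.network_address)  # single host: no /32 or /128 suffix
        else:
            canonical = net.with_prefixlen
        if canonical in seen:
            continue
        seen.add(canonical)
        limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < limit:
            too_broad.append(canonical)
        else:
            accepted.append(canonical)
    return accepted, rejected, too_broad


def whitelist_commands(entries, comment):
    """One `whitelist ip add` command per entry, shell-quoted, with the same
    comment on each so the origin of the entries stays visible in `list`."""
    return [
        f"imunify360-agent whitelist ip add {shlex.quote(e)} --comment {shlex.quote(comment)}"
        for e in entries
    ]


def external_list_text(entries):
    """Content for a file under /etc/imunify360/whitelist/ (the directory named
    above); one entry per line is this example's assumption about the format."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    ok, bad, broad = normalize_entries(SAMPLE_LIST)
    for cmd in whitelist_commands(ok, "bulk import from list.txt"):
        print(cmd)
    for lineno, text in bad:
        print(f"rejected line {lineno}: {text!r}")
    for net in broad:
        print(f"held for review (too broad): {net}")
```

Run it over list.txt first and feed only the accepted entries to xargs or to the external list file; after reload-lists, whitelist ip list --by-ip can confirm each entry landed with the comment intact.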
Allows to operate with search engine domains.
Usage:
imunify360-agent whitelisted-crawlers [command]
command can be one of the following:
add NAME | add a search engine to the list of whitelisted crawlers |
delete NAME | delete a search engine from the list of whitelisted crawlers |
list | list all added whitelisted crawlers |
Examples:
This command adds two search engines to the list of whitelisted crawlers:
imunify360-agent whitelisted-crawlers add yandex.com google.com
OK
This command deletes a search engine from the list of whitelisted crawlers:
imunify360-agent whitelisted-crawlers delete yandex.com
OK
This command lists all added whitelisted crawlers:
imunify360-agent whitelisted-crawlers list
DESCRIPTION DOMAINS ID
Google ['.google.com', '.googlebot.com'] 1
Yandex ['.yandex.ru', '.yandex.com', '.yandex.net'] 2