Command-line Interface

To access Imunify360 agent features from the command-line interface, use the following command:

imunify360-agent

Optional arguments:

-h, --help Returns the help message
--console-log-level [ERROR,WARNING,INFO,DEBUG] Level of logging input to the console

Basic usage:

imunify360-agent [command] [--option1] [--option2]...

Available commands:

3rdparty Make Imunify360 the primary IDS
blacklist Return/Edit IP blacklist
blocked-port Return/Edit list of blocked ports
check-domains Send domain list check
clean Clean the incidents
checkdb Check database integrity
doctor Collect info about system and send it to CloudLinux
features Manage available features for Imunify360
get Returns list of incidents
graylist Return/Edit IP Gray List
import Import data
infected-domains Returns infected domain list
malware Allows to manage malware options
migratedb Check and repair database if it is corrupted
plugins Command for manipulating Imunify360 plugin
register Agent registration
rstatus Query the server to check if the license is valid
rules Allows user to manage disabled rules
unregister Unregister the agent
vendors Command for manipulating Imunify360 vendors
version Show version
whitelist Return/Edit operator for IP and domain white list
proactive 3.7.0+ Allows to manage Proactive Defense feature
check modsec directives Beta 3.9.0+ cPanel Allows to check whether the global ModSecurity directives have values recommended by Imunify360
fix modsec directives Beta 3.9.0+ cPanel Fixes the non-recommended values (sets them to ones recommended by Imunify360)
feature-management manage Imunify360 features available for users
feature-management native enable Beta 4.0+ cPanel activate the Native Features Management using WHM/cPanel package extensions.
feature-management native disable Beta 4.0+ cPanel deactivate the Native Features Management using WHM/cPanel package extensions and return the original Imunify360 Features Management back.

Optional arguments for the commands:

-h, --help Shows this help message.
--json Returns data in JSON format.
--by-country-code [country_code] Filters output by country code.
Requires valid country code as argument.
Find valid country codes here in column ISO ALPHA-2 CODE.
--by-ip [ip_address] Filters output by abuser's IP or by subnet in CIDR notation.
Example: --by-ip 1.2.3.0/24.
--by-list Can be:
  • any
  • gray (Gray List)
  • white (White List)
  • black (Black List)
Filters output based on the list type.
Example: --by-list black.
--by-comment Filters output by comment.
--limit limits the output with specified number of incidents.
Must be a number greater than zero. By default, equals 100.
--offset Offset for pagination. By default, equals 0.
--to Allows to set the end of the period for filter.
Format is a timestamp.
--manual Show only items that have been added manually.
--verbose, -v Allows to return data in good-looking view if
option --json is used.
--order-by List of fields to sort the results by.

3rdparty

Command for disabling 3rd party IDS (currently cPHulk and fail2ban) and making the Imunify360 agent the primary IDS.

Usage:

imunify360-agent 3rdparty [-h]

command is a positional argument and can be:

conflicts Show conflicts with other software
list List other IDS that might be running concurrently with Imunify360

Optional arguments:

-h, --help Show this help message

Blacklist

This command allows to view or edit actual IPs in the Black List.

Usage:

imunify360-agent blacklist [subject] [command] <value> [--option]

subject is a positional argument and can be:

country Allows to manipulate with countries in the Black List
ip Allows to manipulate with IPs in the Black List

command is a second positional argument and can be:

add add item(-s) to Black List
delete remove item(-s) from Black List
move move item(-s) to Black List
edit edit comment on item in the Black List
list list items(-s) in Black List

Please note that by default list command outputs only first 100 items in the list as if it was run as blacklist ip list --limit 100. To check whether specific IP address is in the list, you can run the following command:

blacklist ip list --by-ip 12.34.56.78

where 12.34.56.78 is that specific IP address.

value is the item to manipulate. It can be an IP itself or a country code (find necessary country codes here in the column ISO ALPHA-2 CODE).

option can be one or few of the optional arguments specified above and one more:

--comment allows to add comment to the item
--expiration allows to specify TTL for the blacklisted IP (in seconds since epoch)

Examples:

  • The following command adds IP 1.2.3.4 to the Black List with a comment "one bad ip":
imunify360-agent blacklist ip add 1.2.3.4 --comment "one bad ip"
  • The following command returns a list of IPs in the Black List which are from Bolivia:
imunify360-agent blacklist ip list --by-country-code BO
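The --expiration option above is given in seconds since epoch, so a block meant to last a fixed duration needs the current time added to it. The following added example (not part of the Imunify360 documentation; the helper names and the IMUNIFY_RUN switch are hypothetical) builds such a command for a single IPv4 address, taking --expiration to be an absolute Unix timestamp:

```shell
#!/bin/sh
# Added example, not Imunify360's own code: build a time-limited Black List entry.
# Assumption: --expiration is an absolute Unix timestamp ("seconds since epoch"),
# so a duration has to be added to the current time first.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (single hosts only).
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# expiry_epoch NOW TTL: print NOW + TTL; TTL must be a positive decimal number.
expiry_epoch() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    case $2 in ''|0*|*[!0-9]*) return 1 ;; esac
    echo $(( $1 + $2 ))
}

# temp_block_cmd IP TTL_SECONDS COMMENT [NOW]
# Prints the command for review; runs it only when IMUNIFY_RUN=1 is set.
temp_block_cmd() {
    ip=$1; ttl=$2; comment=$3; now=${4:-$(date +%s)}
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    expires=$(expiry_epoch "$now" "$ttl") || { echo "invalid TTL: $ttl" >&2; return 1; }
    if [ "${IMUNIFY_RUN:-0}" = 1 ]; then
        imunify360-agent blacklist ip add "$ip" --comment "$comment" --expiration "$expires"
        return
    fi
    # Escape embedded single quotes so the printed line can be pasted safely.
    quoted=$(printf '%s' "$comment" | sed "s/'/'\\\\''/g")
    printf "imunify360-agent blacklist ip add %s --comment '%s' --expiration %s\n" \
        "$ip" "$quoted" "$expires"
}

# Constructed sample: block 1.2.3.4 for 24 hours, with a fixed "now" so the
# printed timestamp is reproducible.
temp_block_cmd 1.2.3.4 86400 "one bad ip" 1700000000
```

Passing the duration itself (for example 86400) as --expiration would name a moment in 1970, which is why the helper refuses to emit a command without first adding the current time.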

Blocked ports

This command allows to view or edit ports, IPs, and protocols in the list of blocked ports.

Usage:

imunify360-agent blocked-port [command] <value> [--option]

command is a first positional argument and can be:

add add item(-s) to blocked ports
delete remove item(-s) from blocked ports
edit edit comment on item in the blocked ports
list list items(-s) in blocked ports

value is the item to manipulate: a colon-separated pair of port number and protocol, for example 5432:tcp or 28:udp.

option can be one or few of the optional arguments specified above and some more:

--comment allows to add comment to the item
--ips allows to add IP addresses to the ignore list of the blocked port (the port won't be blocked for these IP addresses)

Example:

The following command blocks port 5555 for tcp connections with a comment “Some comment”:

imunify360-agent blocked-port add 5555:tcp --comment "Some comment"

Check-domains

Allows to send the domain list to the Imunify360 central server for checking. This command requires cPanel. After the domains are checked, the results are available via the infected-domains command.

Note

The server requires some time for checking and the results may not be ready immediately.

Usage:

imunify360-agent check-domains [--optional arguments]

Optional arguments:

-h, --help show this help message
--json return data in JSON format
--verbose, -v allows to return data in good-looking view if option --json is used

Clean

Clean the incident list.

Usage:

imunify360-agent clean [--optional arguments]

Optional arguments:

-h, --help show this help message
--json return data in JSON format
--days deletes incidents older than the specified number of days from the database
Example: --days 5.
This option deletes all incidents that are older than 5 days from today.
--limit leaves only the specified number of incidents in the database and deletes the others
Example: --limit 5000.
This option leaves only 5000 new incidents and deletes the others.

Checkdb

Checks database integrity. If the database is corrupt, this command saves a backup copy of the database at /var/imunify360 and tries to restore the integrity of the original database. Note that if this command cannot restore database integrity, it will destroy the original broken database. Use the migratedb command to create a new clean database.

Usage:

imunify360-agent checkdb [-h]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Doctor

Collects information about the Imunify360 state, generates a report and sends it to the Imunify360 Support Team. Use this command in case of any trouble or issue with Imunify360. The command generates a key to be sent to the Imunify360 Support Team. With that key, the Imunify360 Support Team can help with any problem as fast as possible.

Usage:

imunify360-agent doctor [-h]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Features

Allows to enable or disable additional CloudLinux software included in Imunify360 for free. The following software is available:

  • KernelCare – use kernelcare feature name
  • HardenedPHP – use hardened-php feature name
  • Invisible Captcha – use invisible-captcha feature name

Usage:

imunify360-agent features [-h] [command] <feature name>

command is a positional argument and can be:

install allows to enable software
remove allows to disable software
status allows to check the status of the software
list allows to list all available software

Optional arguments:

-h, --help show this help message

Examples:

  1. The following command checks if KernelCare is installed:
imunify360-agent features status kernelcare
  2. The following command installs KernelCare:
imunify360-agent features install kernelcare
  3. The following command uninstalls KernelCare:
imunify360-agent features remove kernelcare

Get

The command returns the lists of incidents.

Usage:

imunify360-agent get [--required argument] [--optional argument]...

Option can be one or few of the optional arguments listed above and one more.

--period [period] Timeframe.
Allows to specify the amount of time starting from the current day.
Should be greater than (or equal to) 1 minute.
Can be specified in format:
  • <int>m – minutes, example --period 30m
  • <int>h – hours, example --period 4h
  • <int>d – days, example --period 7d
  • today – for today, example --period today
  • yesterday – for yesterday, example --period yesterday
For example, --period 5d will return a list of incidents for 5 days.
--since [timestamp] allows to set start time to filter the list of incidents by period
--to [timestamp] allows to set finish time to filter the list of incidents by period
--severity allows to set severity to filter the list of incidents
--search string to search incidents by

Example:

The following command shows the incidents (in JSON format) for recent one hour, filtered by country code UA and filtered by Black List IPs:

imunify360-agent get --period 1h --by-country-code UA --by-list black --json

Graylist

This command allows to view or edit the actual IP Gray List.

Usage:

imunify360-agent graylist ip [command] [--optional argument]

Available commands:

delete allows to remove IP from Gray List
list allows to list IPs in Gray List

Optional arguments:

-h, --help show this help message

Optional arguments for list:

--json Returns data in JSON format.
--by-country-code [country_code] Filters output by country code.
Requires valid country code as argument.
Find valid country codes in column ISO ALPHA-2 CODE.
--by-ip [ip_address] Filters output by abuser's IP or by subnet in CIDR notation.
Example: --by-ip 1.2.3.0/24
--limit Limits the output with specified number of IPs.
Must be a number greater than zero. By default, equals 100.
--offset Offset for pagination. By default, equals 0.
--verbose, -v Allows to return data in good-looking view
if option --json is used.

Please note that by default list command outputs only first 100 items in the list as if it was run as graylist ip list --limit 100. To check whether specific IP address is in the list, you can run the following command:

graylist ip list --by-ip 12.34.56.78

where 12.34.56.78 is that specific IP address.

Example:

The following command will remove IP 1.2.3.4 from the Gray List:

imunify360-agent graylist ip delete 1.2.3.4

Import

This command allows to import Black List and White List from the other 3rd party IDS (only CSF supported at the moment) to Imunify360 database.

Note

If CSF is enabled, then it is not necessary to run the command because Imunify360 is integrated with CSF.

Usage:

imunify360-agent import [-h] {blocked-ports, wblist} ...

Positional arguments:

blocked-ports Import blocked-ports from other IDS
wblist Import White/Black List from other IDS

Optional arguments:

-h, --help Show this help message

Example:

The following command will import Black List and White List from the 3rd party IDS:

imunify360-agent import wblist

Infected-domains

Allows to retrieve infected domains list.

Usage:

imunify360-agent infected-domains [-h] [--optional arguments]

Optional arguments for list:

--json Returns data in JSON format.
--limit Limits the output with the specified number of domains.
Must be a number greater than zero. By default, equals 100.
--offset Offset for pagination. By default, equals 0.
--verbose, -v Allows to return data in a good-looking view if option --json is used.

Malware

Allows to manage malware options.

Usage:

imunify360-agent malware [command] [--optional arguments]

Available commands:

ignore malware Ignore List operations
malicious malware Malicious List operations
on-demand on-demand Scanner operations
suspicious malware Suspicious List operations
cleanup status show the status of the cleanup process
hash file hash white/blacklist related operations
history list lists the complete history of all malware-related incidents/actions (optional arguments available)

Optional arguments:

-h, --help Show this help message.
--json Returns data in JSON format.
--limit LIMIT Limits the output with the specified number of domains.
Must be a number greater than zero. By default, equals 100.
--offset OFFSET Offset for pagination. By default, equals 0.
--verbose, -v Allows to return data in a good-looking view if option --json is used.
--since SINCE Start date.
--to TO End date.
--user USER Returns results for a chosen user.
--order-by [ORDER_BY [ORDER_BY ...]] Sorting order.
--by-status [BY_STATUS [BY_STATUS ...]] Return items with selected status.
--by-scan-id BY_SCAN_ID Return items with selected ID.
--items ITEMS Return selected items.
--search SEARCH Search query.

action is the second positional argument for hash and can be one of the following:

list list White/Black-listed file hashes (optional arguments apply)
add add file hash(es) of the specified type
remove remove file hash(es) of the specified type

Positional arguments for add/remove are the list of SHA256 hashes calculated from the file contents

The argument that specifies which kind of hashes to add/remove:

--type - hash(es) type: Black or White

action is the second positional argument for ignore and can be one of the following:

add add a file PATH to the Ignore List
delete delete a file PATH from the Ignore List
list shows Ignore List entries (optional arguments apply)

command2 is the second positional argument for the malicious command and can be one of the following:

cleanup clean up infected ITEMS for a USER
cleanup-all clean up all files that have been detected as infected for all users
restore-original restore the original (malicious/infected) file to its original location
delete delete malicious/infected files
list list malicious/infected files
move-to-ignore move a Malicious List entry to the (malware) Ignore List
quarantine-malicious add malicious/infected files to the quarantine
remove-from-list remove malicious/infected files from the Malicious List
restore-from-backup restore a clean version of infected file from backup
restore-from-quarantine restore a quarantined file. The file will be automatically re-scanned

action is the second positional argument for on-demand and can be one of the following:

list list all on-demand scans performed
start --path PATH starts an on-demand scan for a specified PATH
status show the on-demand malware scanner status
stop stop on-demand malware scanner process

The optional arguments for on-demand start are:

--ignore-mask IGNORE_MASK
--follow-symlinks
--no-follow-symlinks
--file-mask FILE_MASK
--hash-filter
--no-hash-filter
--intensity {low,moderate,high}

action is the second positional argument for suspicious and can be one of:

delete delete a Suspicious List entry
list obtain the list of Suspicious List entries
move-to-ignore move a Suspicious List entry to the (malware) Ignore List
move-to-quarantine move a Suspicious List entry to the quarantine

Examples

  1. The following command adds a hash to the malware Black List:
imunify360-agent malware hash add --type black ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  2. The following command starts on-demand scanner for the path specified after the start command:
imunify360-agent malware on-demand start --path /home/<username>/public_html/
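The hash add/remove commands take SHA256 hashes calculated from file contents, so the hashes have to be produced from the files first. The following added example (not part of the Imunify360 documentation; helper names are hypothetical) hashes the given files, validates and de-duplicates the digests, and prints the resulting command without running it. The constructed sample file holds the three bytes "abc", whose SHA-256 is the hash used in example 1 above:

```shell
#!/bin/sh
# Added example, not Imunify360's own code: turn files into arguments for
# "malware hash add". Helper names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of the file contents.
# Reading from stdin keeps unusual file names out of the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# is_sha256 STR: succeed only for exactly 64 hexadecimal characters.
is_sha256() {
    [ ${#1} -eq 64 ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# hash_add_cmd TYPE FILE...: print the command that adds the files' hashes
# to the black or white hash list. Nothing is executed.
hash_add_cmd() {
    list_type=$1; shift
    case $list_type in
        black|white) ;;
        *) echo "type must be black or white" >&2; return 1 ;;
    esac
    hashes=
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "skipping $f: not a readable regular file" >&2
            continue
        fi
        h=$(sha256_of "$f")
        is_sha256 "$h" || { echo "unexpected digest for $f" >&2; return 1; }
        case " $hashes " in *" $h "*) continue ;; esac  # same contents already listed
        hashes="$hashes $h"
    done
    [ -n "$hashes" ] || { echo "no hashes to add" >&2; return 1; }
    echo "imunify360-agent malware hash add --type $list_type$hashes"
}

# Constructed sample: a temporary file holding the three bytes "abc".
sample=$(mktemp)
printf 'abc' > "$sample"
hash_add_cmd black "$sample"
rm -f "$sample"
```

A hash identifies exact file contents only, so a sample that differs by a single byte produces a different hash and needs its own entry.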

Migratedb

Allows to create clean database if it was corrupted.

Note

Use checkdb to check database health.

Usage:

imunify360-agent migratedb [-h]

Optional arguments:

--help, -h show this help message

Plugins

Command for manipulating Imunify360 plugins.

Usage:

imunify360-agent [command]

command is a positional argument and can be:

enable-plugin Enable Imunify360 plugin.
disable-plugin Disable Imunify360 plugin.

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Return data in good-looking view if option --json is used.

Register

Allows to register and activate Imunify360. Use it if Imunify360 was not activated during the installation process or if the Imunify360 activation key was changed for any reason. If you do not know what an activation key is or have any problem with it, please read the Installation guide or contact our support team.

Usage:

imunify360-agent register [--optional arguments] [KEY]

KEY is a positional argument:

KEY Register with activation key (use IPL to register by IP).

If you use this command without the KEY argument, it will try to register and activate the current activation key.

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Example 1:

The following command will register and activate Imunify360 with the provided activation key:

imunify360-agent register IM250sdfkKK245kJHIL

Example 2:

If you have an IP-based license, you can use IPL argument to register and activate Imunify360:

imunify360-agent register IPL

Rstatus

Allows to check if Imunify360 server license is valid.

Usage:

imunify360-agent rstatus [--optional arguments]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Rules

This command allows user to manage rules disabled for firewall plugins Imunify360 uses.

Usage:

imunify360-agent rules [command] [--option] <value> [--option] <value>

command is a positional argument and can be:

disable Add a new rule to the disabled rules list.
enable Remove a rule from the disabled rules list.
list-disabled Display the list of the disabled rules.

Option can be:

--id ID number of the rule provided by the firewall plugin.
--plugin Firewall plugin name. Can be one of the following:
  • modsec for ModSecurity
  • ossec for OSSEC
  • lfd Login Failure Daemon (can be used in CSF integration mode)
--name Name of the added rule or details of the rule from ModSecurity or OSSEC.
--domains List of domains to disable a rule for. Can only be used with modsec type.

Examples

  1. The following command adds a rule with id 42 and name ‘Rule name’ for the ModSecurity rules to the disabled rules list:
imunify360-agent rules disable --id 42 --plugin modsec --name 'Rule name'
  2. The following command removes a rule with id 42 for the ModSecurity rules from the disabled rules list:
imunify360-agent rules enable --id 42 --plugin modsec
  3. The following command displays the list of disabled rules:
imunify360-agent rules list-disabled

The list is displayed as follows:

{'plugin': 'modsec', 'id': '214920', 'domains': ['captchatest.com'], 'name': 'Imported from config'}

{'plugin': 'modsec', 'id': '42', 'domains': None, 'name': 'Rule name'}

{'plugin': 'ossec', 'id': '1003', 'domains': None, 'name': 'Imported from config'}

{'plugin': 'ossec', 'id': '2502', 'domains': None, 'name': 'User missed the password more than one time'}

Where

  • plugin — is a firewall plugin name (modsec for ModSecurity and ossec for OSSEC)
  • id — is id number of the rule provided by the firewall plugin
  • domains — the list of the domains for which the rule is disabled (None means all domains)*
  • name — rule description or details of the rule from ModSecurity or OSSEC

Note

Domains are specified only for ModSecurity rules. For OSSEC rules, a disabled rule always applies to all domains.

Unregister

Allows to unregister and disable Imunify360 on the server.

Note

To remove Imunify360 from the server it needs to be uninstalled.

Usage:

imunify360-agent unregister [--optional arguments]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Vendors

Command for manipulating Imunify360 vendors.

Usage:

imunify360-agent [command]

command is a positional argument and can be:

install-vendors Install ModSecurity vendors.
This command will install Imunify360 vendor and
Comodo WAF if there are no conflicts with other installed vendors.
uninstall-vendors uninstall ModSecurity vendors.

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Return data in good-looking view if option --json is used.

Version

Allows to view the actual Imunify360 version installed on the server.

Usage:

imunify360-agent version [-h] [--json]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Submit false-positive/false-negative

To submit a file as a false positive (if Imunify360 considers the file malicious but it actually isn't), you can use the following command:

imunify360-agent submit false-positive <file>

To submit a file as a false negative (if Imunify360 considers the file non-malicious but it actually is malicious), you can use the following command:

imunify360-agent submit false-negative <file>

Optional arguments:

--to Email to send.
--sender User email.
-h, --help Show this help message
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Whitelist

This command allows to view or edit actual IPs and domains in the White List.

Usage:

imunify360-agent whitelist [subject] [command] <value> [--option]

subject is a positional argument and can be:

ip Allows to manipulate with IPs in the White List.
domain Allows to manipulate with domains in the White List.

command is a second positional argument and can be:

add Add item(-s) to the White List.
delete Remove item(-s) from the White List.
move Move item(-s) to the White List.
edit Edit comment on the item in the White List.
list List items(-s) in the White List.
reset-to Replace whitelisted domains list with a new list.

Please note that by default list command outputs only first 100 items in the list as if it was run as whitelist ip list --limit 100. To check whether specific IP address is in the list, you can run the following command:

whitelist ip list --by-ip 12.34.56.78

where 12.34.56.78 is that specific IP address.

value is the item to manipulate. It can be an IP itself or a country code (find the necessary country codes in the ISO ALPHA-2 CODE column), or a domain name.

option can be one or few of the optional arguments from the table above and one more:

--comment Allows to add a comment to the item.
--full-access Only for move and edit commands.
Allows to grant full access to the IP or subnet ignoring the rules in Blocked ports.
--no-full-access Only for move and edit commands.
Allows to remove full access of the IP or subnet.
--expiration Allows to specify TTL for the whitelisted IP (in seconds since epoch).

Examples:

  1. The following command adds IP 1.2.3.4 to the White List with a comment "one good ip":
imunify360-agent whitelist ip add 1.2.3.4 --comment "one good ip"
  2. The following command returns a list of IPs in the White List which are from Bolivia:
imunify360-agent whitelist ip list --by-country-code BO
  3. The following command adds domain with a name example.com to the White List:
imunify360-agent whitelist domain add example.com
  4. The following command checks domains in the White List:
imunify360-agent whitelist domain list

Proactive

These commands allow to manage Proactive Defense feature.

Usage:

imunify360-agent proactive [command] [--option] <value>

Available commands:

ignore delete path allows to remove a file from Proactive Defense Ignore List.
ignore delete rule allows to remove a rule for a file from Proactive Defense Ignore List.
list allows to list Proactive Defense events.
details allows to show details for the event.
ignore list allows to list files included to Proactive Defense Ignore List.
ignore add allows to add a file to Proactive Defense Ignore List.

option can be one or few of the optional arguments listed above and one more.

--path for ignore add, ignore delete path, ignore delete rule commands.
Allows to specify a path to the file.
--id for details, ignore delete rule commands.
Allows to specify rule id.
--rule-id only for ignore add command.
Allows to specify rule id.
--rule-name only for ignore add command.
Allows to specify rule name.
--since [timestamp] allows to set start time to filter the list of incidents by period.
--to [timestamp] allows to set finish time to filter the list of incidents by period.
--user show events for a specific user.
--search string to search Proactive events by.

Examples:

  1. This command adds a file located at /home/user/index.php to Proactive Defense Ignore List for the rule id 12 and name Suspicious detection rule. It means that Proactive Defense will not analyze this file according to this rule:
imunify360-agent proactive ignore add --path /home/user/index.php --rule-id 12 --rule-name 'Suspicious detection rule'
  2. This command removes files located at <path to file 1> and <path to file 2> from Proactive Defense Ignore List:
imunify360-agent proactive ignore delete path <path to file 1> <path to file 2>

Check modsec directives

Note

Beta Imunify360 version 3.9.0+ cPanel only

Allows to check whether the global ModSecurity directives have values recommended by Imunify360.

Usage:

imunify360-agent check modsec directives [--optional arguments]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Fix modsec directives

Note

Beta Imunify360 version 3.9.0+ cPanel only

Fixes the non-recommended values (sets them to ones recommended by Imunify360)

Usage:

imunify360-agent fix modsec directives [--optional arguments]

Optional arguments:

-h, --help Show this help message.
--json Return data in JSON format.
--verbose, -v Allows to return data in good-looking view if option --json is used.

Feature-management

Allows to manage Imunify360 features available for users.

Usage:

imunify360-agent feature-management [command] [--optional argument]...

Command can be one of the following:

defaults show the default value for each feature that is applied for newly created user
disable disable a feature for some or all users
enable enable a feature for some or all users
get obtains the status of all available features for a USER
list list all available features

Optional argument for the enable/disable commands can be one of the following:

[--feature av] enable/disable Malware Cleanup
[--feature proactive] enable/disable Proactive Defense
[--users [USERS [USERS ...]]] specifies the list of users which will be affected, otherwise the default value will be changed

The mandatory argument for the get command:

[--user USER] specifies a user name to obtain the status of features for

Example:

The following command enables Malware Cleanup feature for the user1:

imunify360-agent feature-management enable --feature av --users user1

Feature-management native enable

Allows to activate the Native Features Management using WHM/cPanel package extensions.

Usage:

imunify360-agent feature-management native enable

Once the command is executed, the following default Imunify360 Package Extension settings will be applied to all Packages:

  • Malware Scanner - View Reports Only
  • Proactive Defense - Available

Imunify360 Package Extensions will be auto-enabled for all packages regardless of whether they have the Imunify360 plugin enabled or not.

All existing Features Management settings will be overridden with the Imunify360 Package Extensions ones for all users.

Note

Features Management tab will be hidden on the User Interface.

Warning

feature-management enable/disable --feature av and feature-management enable/disable --feature proactive commands will stop functioning.

Feature-management native disable

Allows to deactivate the Native Features Management using WHM/cPanel package extensions and return the original Imunify360 Features Management back.

Usage:

imunify360-agent feature-management native disable

Once the command is executed:

  • The Native Features Management will be deactivated
  • The Imunify360 Package Extensions will be removed from all packages
  • The original Imunify360 Features Management will be activated

Note

Imunify360 will keep applying users' Features Management settings stored in their databases after switching to the original Imunify360 Features Management.

Warning

feature-management enable/disable --feature av and feature-management enable/disable --feature proactive commands will start functioning.