Config File Description

The Imunify360 config file is available at the following location after installation:

/etc/sysconfig/imunify360/imunify360.config

Imunify360 is configured by editing this file (it is YAML; comments start with #). The following options are available:

AUTO_WHITELIST:
  timeout: 1440 # set in minutes how long to keep an automatically whitelisted IP
  after_unblock_timeout: 1440 # set in minutes for how long an IP will be added to the White List after it passes Imunify360 CAPTCHA
DOS:
  enabled: false # enable (true) or disable (false) DoS detection
  interval: 30 # interval in seconds between DoS detection system activations
  default_limit: 250 # maximum default number of connections from a remote IP to a local port before DoS protection is triggered. Cannot be set lower than 100
  port_limits: # allows to set limits per local port
    80: 150 # limit on port 80 is set to 150 connections
INCIDENT_LOGGING:
  min_log_level: 4 # minimum severity level for incidents displayed in the UI. Please find the levels description here
  num_days: 100 # incidents older than num_days are automatically deleted
  limit: 100000 # how many incidents should be stored in the Imunify360 log file
  ui_autorefresh_timeout: 10 # auto-refresh time for incidents in the user interface
MOD_SEC: # defines ModSecurity settings
  ruleset: FULL # defines which ruleset to use: FULL (default value) or MINIMAL. If the amount of RAM on the server is less than 2.1GB, the ruleset value is automatically set to MINIMAL.
  cms_account_compromise_prevention: true # enables WordPress account brute-force protection.
  prev_settings: # for internal usage, do not edit
MOD_SEC_BLOCK_BY_SEVERITY:
  enable: true # enable or disable the option that moves IPs to the Gray List if a ModSecurity rule is triggered
  max_incidents: 2 # number of repeats of a ModSecurity incident from the same IP before adding it to the Gray List
  denied_num_limit: 2 # number of repeats of ModSecurity incidents that got an Access Denied error from the same IP before adding it to the Gray List
  check_period: 120 # period in seconds during which an incident from the same IP is recorded as a repeat
  severity_limit: 2 # level of severity for DOS detection sensitivity. Read more about severity levels
MOD_SEC_BLOCK_BY_CUSTOM_RULE: # this section allows to add custom configuration for blocking by ModSecurity incidents
  33332: # ModSecurity rule ID
    check_period: 120 # period in seconds during which an incident from the same IP is recorded as a repeat
    max_incidents: 10 # number of repeats of the ModSecurity incident from the same IP before adding it to the Gray List
MALWARE_SCANNING:
  try_restore_from_backup_first: false # enable (true) or disable (false) automatic restore of a malicious file from backup if a clean copy exists; otherwise default_action is applied
  default_action: quarantine # default action on a detected malicious file. Available options:
    # quarantine – do not delete, move to quarantine
    # notify – do not delete, send email notification
    # delete – delete malicious file
    # cleanup – cleanup malicious file
    # cleanup_or_quarantine – choose what to do with a malicious file
  enable_scan_inotify: False # enable (true) or disable (false) real-time scanning for modified files using the inotify library
  enable_scan_pure_ftpd: true # enable (true) or disable (false) real-time scanning for files uploaded through PureFTPd
  enable_scan_modsec: true # enable (true) or disable (false) real-time scanning of all files uploaded via http/https. Note that it requires ModSecurity to be installed
  max_signature_size_to_scan: 1048576 # max file size to scan in the standard mode; value is set in bytes
  max_cloudscan_size_to_scan: 10485760 # max file size to scan in the cloud-assisted (by hashes) mode; value is set in bytes
  max_mrs_upload_file: 10485760 # max file size to upload to the CloudLinux malware research service; value is set in bytes
  detect_elf: False # enable (True) or disable (False) (default value) binary (ELF) malware detection
  notify_on_detect: False # notify (True) or not (False) (default value) an admin when malware is detected
  optimize_realtime_scan: False # use the optimized engine for real-time scan
  sends_file_for_analysis: True # send (True) (default value) or not (False) malicious and suspicious files to the Imunify team for analysis
  i360_clamd: False # obsolete (not used)
  show_clamav_results: False # obsolete (not used)
  clamav_binary: True # obsolete (not used)
  scan_modified_files: True # enable (True) (default value) or disable (False) real-time scanning for modified files using the inotify library. The Scanner searches for modified files in users' DocumentRoot directories.
  cloud_assisted_scan: True # speed up scans by checking file hashes against the cloud database
  rapid_scan: False # speed up (True) or not (False) (default value) repeated scans based on the smart re-scan approach, local result caching and cloud-assisted scan.
CAPTCHA:
  cert_refresh_timeout: 3600 # set in seconds how often the SSL certificate will be refreshed
ERROR_REPORTING:
  enable: true # automatically report errors to the Imunify360 team
SEND_ADDITIONAL_DATA:
  enable: true # send anonymized data from query string/post parameters and cookies.
NETWORK_INTERFACE: # manages which network interfaces Imunify360 rules are applied to
  eth_device: null # by default, Imunify360 auto-configures iptables to filter all traffic. If you want iptables rules to be applied to a specific NIC only, list it here (e.g. eth1)
  eth6_device: null # the same as eth_device, but configures ip6tables to use a specific device
  eth_device_skip: [] # if you don't want iptables/ip6tables rules to be applied to specific NICs, list them here (e.g. [eth1, eth2])
BACKUP_RESTORE:
  max_days_in_backup: 90 # restore from backup files that are not older than max_days_in_backup
  cl_backup_allowed: True # show CloudLinux Backup in the list of available backup systems (True) or hide it (False)
  cl_on_premise_backup_allowed: False # do not allow CloudLinux backup (False) or allow it (True)
CAPTCHA_DOS:
  enabled: true # enable (true) or disable (false) CAPTCHA DoS protection
  time_frame: 21600 # period in seconds during which requests to CAPTCHA from the same IP are recorded as repeated
  max_count: 100 # maximum number of repeated CAPTCHA requests after which the IP is moved to the CAPTCHA DoS list without the ability to request CAPTCHA again
  timeout: 864000 # time in seconds for which the IP stays in the CAPTCHA DoS list without the ability to request CAPTCHA again
BLOCKED_PORTS:
  default_mode: allowed # defines the default state of ports that are not explicitly set by the user (denied by default or allowed by default). Currently only allowed is supported
WEBSHIELD:
  known_proxies_support: true # enable CDN support, treat IPs behind a CDN as any other IPs
  enable: true # enable (true) (default value) or disable (false) WebShield
PROACTIVE_DEFENCE:
  blamer: false # enable (true) or disable (false) Blamer
  mode: KILL # available modes: KILL, DISABLED, LOG
MALWARE_SCAN_INTENSITY:
  cpu: 6 # intensity level for CPU consumption. Can be set from 1 to 7, default is 2
  io: 6 # intensity level for file operations. Can be set from 1 to 7, default is 2
  ram: 1024 # intensity level for RAM consumption. Minimum value is 1024, default is 2048
MALWARE_SCAN_SCHEDULE:
  day_of_month: 4 # day of the month on which the background scan starts. Can be from 1 to 31, the default value is the day after the installation
  day_of_week: 0 # day of the week on which the background scan starts. Can be from 0 to 7 (0 for Sunday, 1 for Monday, ..., 7 for Sunday again), the default value is 0
  hour: 3 # hour at which the background scan starts. Can be from 0 to 23, the default value is 3
  interval: none # scan interval. Supported values: the strings `none`, `day`, `week`, `month`; the default value is `none` (no scan)
PAM: # effective way to prevent brute-force attacks against FTP/SSH
  enable: false # enable (true) or disable (false) (default value) PAM brute-force attack protection
  exim_dovecot_protection: false # enable (true) or disable (false) (default value) Exim+Dovecot protection against brute-force attacks on Dovecot.
KERNELCARE: # KernelCare extension for Imunify360 which allows tracing malicious invocations to detect privilege escalation attempts
  edf: false # enable (true) or disable (false) (default value) the exploit detection framework
MALWARE_CLEANUP:
  trim_file_instead_of_removal: True # do not remove an infected file during cleanup but make the file zero-size (for malware like web shells) (True) (default value)
  keep_original_files_days: 14 # the original infected file is available for restore within the defined period. The default is 14 days. The minimum value is one day.
OSSEC:
  active_response: False # block (True) access to a specific server port being attacked. The default value is False.
ADMIN_CONTACTS:
  emails: youremail@email.com # your email to receive reports about critical issues, security alerts or system misconfigurations detected on your servers.
SMTP_BLOCKING:
  enable: False # enable (True) or disable (False) (default value) SMTP Traffic Management. When enabled, outgoing SMTP traffic is blocked according to the settings below.
  ports: 25,587,465 # a list of the ports to be blocked. The defaults are 25, 587, 465.
  allow_users: # a list of users to be ignored (not blocked). Empty by default. Includes Unix and cPanel users (if a process that sends an email has a UID of one of the `allow_users`, it is not blocked).
  allow_groups: mail # a list of groups to be ignored (not blocked). Empty by default. Includes Unix and cPanel groups (if a process that sends an email has a GID of one of the `allow_groups`, it is not blocked).
  allow_local: False # block (True) all outgoing SMTP except to the local SMTP server (localhost). False is the default value.
  redirect: False # enable (True) or disable (False) (the default value) automatic redirection of outgoing mail traffic to the local ports.
CSF_INTEGRATION:
  catch_lfd_events: True # let (True) (the default value) Imunify360 use Login Failure Daemon (LFD) as a source of security events.
PERMISSIONS:
  support_form: True # show (True) (the default value) or hide (False) the Support icon in the Imunify360 UI.
  user_ignore_list: True # show (True) (the default value) or hide (False) the Ignore List tab for end-users in the Imunify360 UI.
  allow_malware_scan: False # enable (True) or disable (False) (the default value) the "scan" action in the end-user UI.
STOP_MANAGING:
  modsec_directives: False # for internal usage, do not edit
WEB_SERVICES:
  http_ports: # additional http ports for CAPTCHA
  https_ports: # additional https ports for CAPTCHA

Active Response is an OSSEC-driven IDS feature of Imunify360 that has been re-engineered to block access to a specific server port that is being attacked.

The purpose of the feature is to significantly reduce the false positive rate while improving its ability to detect and block aggressive brute-force requests.

To activate Active Response, add the following lines to /etc/sysconfig/imunify360/imunify360.config:

OSSEC:
  active_response: true

and then restart the Imunify360 service:

systemctl restart imunify360

How to apply changes from CLI

To apply changes via the command-line interface (CLI), use the following command (the JSON argument must be wrapped in straight single quotes so the shell passes it through unchanged):

imunify360-agent config update '{"SECTION": {"parameter": value}}'

For example, to set MALWARE_SCAN_INTENSITY.cpu = 5 from the command line, execute:

imunify360-agent config update '{"MALWARE_SCAN_INTENSITY": {"cpu": 5}}'

It is also possible to apply several parameters at once. For example:

imunify360-agent config update '{"PAM": {"exim_dovecot_protection": false, "enable":true}}'
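The agent validates the JSON itself, but it helps to catch an out-of-range value before touching a production config. The following added example (not part of Imunify360 or its documentation) checks an update dictionary against the bounds stated in the config description above and renders the CLI call; the bound tables are assumptions transcribed from those comments.

```python
import json

# Integer bounds (low, high) taken from the option comments above; None means unbounded.
RANGES = {
    ("DOS", "default_limit"): (100, None),
    ("MALWARE_SCAN_INTENSITY", "cpu"): (1, 7),
    ("MALWARE_SCAN_INTENSITY", "io"): (1, 7),
    ("MALWARE_SCAN_INTENSITY", "ram"): (1024, None),
    ("MALWARE_SCAN_SCHEDULE", "day_of_month"): (1, 31),
    ("MALWARE_SCAN_SCHEDULE", "day_of_week"): (0, 7),
    ("MALWARE_SCAN_SCHEDULE", "hour"): (0, 23),
    ("MALWARE_CLEANUP", "keep_original_files_days"): (1, None),
}
# Enumerated string options, also from the comments above.
CHOICES = {
    ("MOD_SEC", "ruleset"): {"FULL", "MINIMAL"},
    ("MALWARE_SCANNING", "default_action"): {"quarantine", "notify", "delete", "cleanup", "cleanup_or_quarantine"},
    ("MALWARE_SCAN_SCHEDULE", "interval"): {"none", "day", "week", "month"},
    ("PROACTIVE_DEFENCE", "mode"): {"KILL", "DISABLED", "LOG"},
    ("BLOCKED_PORTS", "default_mode"): {"allowed"},
}


def validate_update(update):
    """Return a list of problems; an empty list means every value is within the documented bounds."""
    problems = []
    for section, params in update.items():
        if not isinstance(params, dict):
            problems.append(f"{section}: expected a mapping of parameters")
            continue
        for key, value in params.items():
            lo, hi = RANGES.get((section, key), (None, None))
            if (lo, hi) != (None, None):
                # bool is a subclass of int in Python, so reject it explicitly
                if isinstance(value, bool) or not isinstance(value, int):
                    problems.append(f"{section}.{key}: must be an integer")
                elif value < lo or (hi is not None and value > hi):
                    problems.append(f"{section}.{key}: {value} outside [{lo}, {'inf' if hi is None else hi}]")
            allowed = CHOICES.get((section, key))
            if allowed is not None and value not in allowed:
                problems.append(f"{section}.{key}: {value!r} not one of {sorted(allowed)}")
    return problems


def build_command(update):
    """Render the 'imunify360-agent config update' call; raise ValueError if validation fails."""
    problems = validate_update(update)
    if problems:
        raise ValueError("; ".join(problems))
    # Straight single quotes: the shell passes the JSON through untouched.
    return "imunify360-agent config update '" + json.dumps(update) + "'"


if __name__ == "__main__":
    print(build_command({"MALWARE_SCAN_INTENSITY": {"cpu": 5}}))
    print(validate_update({"DOS": {"default_limit": 50}}))
```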