Config File Description
Imunify360 config file is available on the following location after installation:
/etc/sysconfig/imunify360/imunify360.config
In the config file it is possible to set up Imunify360 configuration. The following options are available:
Note that if YAML is used, it accepts any format: True
/true
/yes
/y
, etc. However, the CLI uses JSON which is strict – only lowercase true
/false
. Thus, if you are using the imunify360-agent
CLI tool to make changes to the configuration, make sure you are using the lowercase.
AUTO_WHITELIST: | |
---|---|
timeout: 1440 | # set in minutes how long to keep automatically whitelisted IP |
after_unblock_timeout: 1440 | # set in minutes for how long IP will be added to the White List after it passes Imunify360 Anti-bot challenge |
DOS: | |
enabled: True | # allows to enable (True, the default value) or disable (False) DOS detection |
interval: 30 | # interval in seconds between DoS detection system activation |
default_limit: 250 | # maximum default limit of connections from remote IP to local port before DoS protection will be triggered. Cannot be set lower than 100 |
port_limits: | # allows to set limits per local port |
80: 150 | # limit on port 80 is set to 150 connections |
ENHANCED_DOS: | |
enabled: True | # allows to enable or disable (False) the Enhanced DOS protection |
time_frame: 60 | # the default timeframe in seconds between the Enhanced DoS detection system activation |
default_limit: 500 | # the threshold of requests (their number) from remote IP to local port before the Enhanced DoS protection will be triggered. |
port_limits: | # allows to set requests limits for different ports |
80: 300 | # limit on port 80 is set to 300 connections |
FIREWALL: | |
port_blocking_mode: ALLOW | # allows to set firewall port blocking mode. ALLOW (default) - allow all except specified. DENY - block all except specified. Exact ports and port-ranges to be allowed can be configured by the following fields in the config file: - FIREWALL.TCP_IN_IPv4 - FIREWALL.TCP_OUT_IPv4 - FIREWALL.UDP_IN_IPv4 - FIREWALL.UDP_OUT_IPv4 Changes of config files will be applied automatically. You don’t need to restart the server or Imunify360. Please note, the feature doesn’t support IPv6 addresses at this moment and CSF needs to be disabled due to conflicts. |
INCIDENT_LOGGING: | |
min_log_level: 4 | # minimum severity level for incidents displayed in UI. Please find the levels description here |
num_days: 100 | # incidents older than num_days are automatically deleted |
limit: 100000 | # how many incidents should be stored in Imunify360 log file |
ui_autorefresh_timeout: 10 | # set auto refresh time for incidents in user interface |
LOGGER: | |
max_log_file_size: 62914560 | # defines the maximum size of the log file in bytes (default is 60 MB) |
backup_count: 5 | # defines how many log files to store. If 5, it will store app.log, app.log.1, and up to app.log.5. |
syscall_monitor: False | Collect and report the source of suspicious actions using Syscall Monitor (True). Supported operating systems:
Imunify360 uses auditd to discover malicious cron jobs that are not detected by other methods yet and thus block them much faster. Additionally, it's also used for internal quality control and monitoring - e.g. if auditd records that PHP processes drop malware, but there are no related events/blocks from Proactive Defense, Imunify team receives an alert prompting an investigation. |
MOD_SEC: | # defines ModSecurity settings |
ruleset: FULL | # defines what ruleset to use: FULL (default value) or MINIMAL. If the amount of RAM on the server is less than 2.1GB, the ruleset value is automatically set to MINIMAL. |
cms_account_compromise_prevention: False | # enables WordPress account brute-force protection. Default is False. |
app_specific_ruleset: True | # enables WAF Rules Auto-Configurator. Default is True. |
prev_settings: | # for internal usage, do not edit |
MOD_SEC_BLOCK_BY_SEVERITY: | |
enable: True | # allows to enable or disable option that moves IPs to Gray List if the ModSecurity rule is triggered |
max_incidents: 2 | # set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List |
denied_num_limit: 2 | # set a number of repeats of the ModSecurity incidents that got Access Denied error from the same IP for adding it to Gray List |
check_period: 120 | # set a period in seconds during which incident from the same IP will be recorded as a repeat |
severity_limit: 2 | # set a level of severity for DOS detection sensitivity. Read more about severity levels |
MOD_SEC_BLOCK_BY_CUSTOM_RULE: | # this section allows to add custom configuration for blocking by ModSecurity incidents |
33332: | # set ModSecurity rule ID |
check_period: 120 | # set a period in seconds during which incident from the same IP will be recorded as a repeat |
max_incidents: 10 | # set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List |
MALWARE_SCANNING: | |
try_restore_from_backup_first: False | # allows to enable (True) or disable (False – the default value) automatic malicious file restore from backup if a clean copy exists, otherwise default_action is applied |
default_action: cleanup | # default action on malicious file detected. Available options:
|
enable_scan_inotify: True | # enable (True (default)) or disable (False) real-time scanning for modified files using inotify library |
enable_scan_pure_ftpd: True | # enable (True (default)) or disable (False) real-time scanning for files uploaded through PureFTPd |
enable_scan_modsec: True | # enable (True (default) or disable (False) real-time scanning of all the files that were uploaded via http/https. Note that it requires ModSecurity to be installed |
max_signature_size_to_scan: 1048576 | # max file size to scan in the standard mode; value is set in bytes |
max_cloudscan_size_to_scan: 10485760 | # max file size to scan in the cloud-assisted (by hashes) mode; value is set in bytes |
max_mrs_upload_file: 10485760 | # max file size to upload to CloudLinux malware research service; value is set in bytes |
detect_elf: True | # enable (True) (default value) or disable (False) binary (ELF) malware detection |
notify_on_detect: False | # notify (True) or not (False) (default value) an admin when malware is detected |
optimize_realtime_scan: True | # enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here |
sends_file_for_analysis: True | # send (True) (default value) or not (False) malicious and suspicious files to the Imunify team for analysis |
i360_clamd: False | # obsolete (not used) |
show_clamav_results: False | # obsolete (not used) |
clamav_binary: True | # obsolete (not used) |
scan_modified_files: Null | # enable (True) or disable (False) (default is not set). If disabled, it checks the file's timestamps (c/mtime) before scanning, and if the timestamp is not changed since the last scan, the file is skipped. Scanner's behaviour is based on other scan optimizations, therefore it is better to rely on default values and UI, although this parameter provides an option to overwrite this behaviour. This option is not available within UI. |
cloud_assisted_scan: True | # speed up scans by check file hashes using cloud database |
rapid_scan: True | # speeds up (True) (default value) ot not (False) repeated scans based on smart re-scan approach, local result caching and cloud-assisted scan. |
rapid_scan_rescan_unchanging_files_frequency: null | # defines what part of all files will be rescanned during each scan. For example, if set 10 then 1/10 part of all files will be rescanned. The default value `null` - means "choose frequency based on scan schedule". E.g. month - 1, week - 5, day - 10. |
hyperscan: True | # allows to use (True) the regex matching Hyperscan library in Malware Scanner to greatly improve the scanning speed. True is the default value. Hyperscan requires its own signatures set that will be downloaded from the files.imunify360.com and compiled locally. Platform requirements: * Hyperscan supports Debian, Ubuntu and CentOS/CloudLinux 7 and later. * SSE3 processor instructions support. It is quite common nowadays, but may be lacking in virtual environments or in some rather old servers. |
enable_scan_cpanel: False | # enable (True) blocking malicious file uploads via cPanel File Manager. The default value is False. The type of operations processed are: edits and saves |
crontabs: True | # enable (True) scan of the system and user crontab files for malicious jobs. The default value is True. |
CAPTCHA: | |
cert_refresh_timeout: 3600 | # set in seconds how often SSL certificate will be refreshed |
CONTROL_PANEL: | |
compromised_user_password_reset: True | # enables resetting passwords for compromised cPanel accounts. Upon activating this functionality, our platform will detect instances where a cPanel account password has been breached and will subsequently prevent access using the previous password. End-users will then be prompted to create a new password via the cPanel password reset process. |
ERROR_REPORTING: | |
enable: True | # automatically report errors to imunify360 team |
SEND_ADDITIONAL_DATA: | |
enable: True | # send anonymized data from query string/post parameters and cookies. True is the default value. |
NETWORK_INTERFACE: | # manages for what network interfaces Imunify360 rules will be applied |
eth_device: None | # by default, Imunify360 will auto-configure iptables to filter all traffic. If you want iptables rules to be applied to a specific NIC only, list them here (e.g. eth1) |
eth6_device: None | # it is the same as eth_device, but configures ip6tables to use specific device |
eth_device_skip: [] | # if you don't want iptables\ip6tables rules to be applied to specific NICs, list them here (e.g [eth1, eth2]) |
BACKUP_RESTORE: | |
max_days_in_backup: 90 | # restore from backup files that are not older than max_days_in_backup | CAPTCHA_DOS: |
enabled: True | # enable (True (default) or disable (False) Anti-bot Challenge Dos protection |
time_frame: 21600 | # set a period in seconds during which requests to Anti-bot Challenge from the same IP will be recorded as repeated |
max_count: 100 | # set the maximum number of repeated Anti-bot Challenge requests after which IP is moved to the Anti-bot Challenge Dos list without an ability to request Anti-bot Challenge again |
timeout: 864000 | # set in seconds the time on which to add the IP in Anti-bot Challenge Dos list without an ability to request Anti-bot Challenge again |
BLOCKED_PORTS: | |
default_mode: allowed | # defines the default state of ports which is not explicitly set by user (denied by default or allowed by default). Currently only allowed is supported |
WEBSHIELD: | |
known_proxies_support: True | # enable CDN support, treat IPs behind CDN as any other IPs. (True is the default value). |
enable: True | # enable (True) (default value) or disable (False) WebShield |
splash_screen: True | # enable (True) or disable (False) Anti-bot protection |
PROACTIVE_DEFENCE: | |
blamer: True | # enable (True (default)) or disable (False) Blamer. See also: How to forcibly enable Blamer for all users on the server. |
mode: LOG | # available modes:
|
php_immunity: False | # enable (True) or disable (False (default)) PHP Immunity (allows to automatically detect & patch vulnerabilities in software at the Proactive Defense level preventing re-infections through the same vulnerability). By enabling this feature, Blamer will be enabled as well and Proactive Defence switched into the KILL mode. |
MALWARE_SCAN_INTENSITY: | |
cpu: 2 | # intensity level for CPU consumption. Can be set from 1 to 7, default is 2 |
io: 2 | # intensity level for file operations. Can be set from 1 to 7, default is 2 |
ram: 1024 | # intensity level for RAM consumption. The default value is 1024 |
MALWARE_SCAN_SCHEDULE: | |
day_of_month: <next day after installation> | # when the background scan shall start, day of the month. Can be from 1 to 31, the default value is the <next day after installation>. |
day_of_week: 0 | # when the background scan shall start, day of the week. Can be from 0 to 7 (0 for Sunday, 1 for Monday..., 7 for Sunday (again)), the default value is 0 |
hour: 3 | # when the background scan shall start, hour. Can be from 0 to 23, the default value is 3 |
interval: MONTH | # interval of scan. Supported values: strings `NONE` (no scan), `DAY`, `WEEK`, `MONTH`, the default value is `MONTH` |
PAM: | # effective way to prevent brute-force attacks against FTP/SSH |
enable: False | # enable (True) or disable (False) (default value) PAM brute-force attack protection |
exim_dovecot_protection: False | # enable (True) or disable (False) (default value) Exim+Dovecot brute-force attack protection against Dovecot brute-force attacks. |
ftp_protection: False | # enable (True) or disable (False) (default value) FTP brute-force attack protection. |
exim_dovecot_native: True | # enable (True) (default value) or disable (False) the Dovecot native module. |
KERNELCARE: () | # KernelCare extension for Imunify360 which allows tracing malicious invocations to detect privilege escalation attempts |
edf: False () | # enable (True) or disable (False) (default value) exploit detection framework |
MALWARE_CLEANUP: | |
trim_file_instead_of_removal: True | # do not remove infected file during cleanup but make the file zero-size (for malwares like web-shells) (True) (default value) |
keep_original_files_days: 14 | # the original infected file is available for restore within the defined period. The default is 14 days. The minimum value is one day. |
OSSEC: | |
active_response: False | # block (True) access to a specific server port being attacked. The ports include FTP (21), SSH (any port) and SMTP (25, 465, 587). The default value is False. |
ADMIN_CONTACTS: | |
emails: youremail@email.com | # your email to receive reports about critical issues, security alerts or system misconfigurations detected on your servers. |
SMTP_BLOCKING: | |
enable: False | # enable (True) or disable (False) (default value) SMTP Traffic Management. When enabled, the outgoing SMTP traffic would be blocked according to the settings. |
ports: 25,587,465 | # a list of the ports to be blocked. The defaults are: 25, 587,465. |
allow_users: | # a list of users to be ignored (not blocked). By default it is empty. Including Unix and cPanel users (if a process that sends an email has a UID of one of the `allow_users`, it will not be blocked). |
allow_groups: mail | # a list of the groups to be ignored (not blocked). By default it is empty. Including Unix and cPanel users (if a process that sends an email has a UID of one of the `allow_users`, it will not be blocked). |
allow_local: False | # block (True) all, except the local SMTP (localhost). False is the default value. |
redirect: False | # enable (True) or disable (False) (the default value) automatic redirection to the local ports for outgoing mail traffic. |
CSF_INTEGRATION: | |
catch_lfd_events: False | # let (True) Imunify360 use Login Failure Daemon (LFD) as a source for security events. Default is False. |
PERMISSIONS: | |
support_form: True | # show (True) (the default value) or hide (False) the Support icon in the Imunify360 UI. |
user_ignore_list: True | # show (True) (the default value) or hide (False) the Ignore List tab for end-users in the Imunify360 UI. |
allow_malware_scan: False | # enable (True) or disable (False) (the default value) “scan” action in the UI of the end-user. |
advisor: True | # enable (True - the default value) or disable (False) the Imunify Advisor. |
user_override_malware_actions: False | # "True" allows overriding of actions applied to malware by a regular user. E.g., users will be able to disable automatic cleanup for their own files even if it was enabled by the admin. |
user_override_proactive_defense: False | # "True" allows overriding of Proactive Defense work mode by a regular user. E.g., users will be able to switch Proactive Defense mode to LOG for their websites even if the admin has set it to KILL. |
STOP_MANAGING: | |
modsec_directives: False | # for internal usage, do not edit |
WEB_SERVICES: | |
http_ports: | # additional http ports for Anti-bot Challenge |
https_ports: | # additional https ports for Anti-bot Challenge |
MALWARE_DATABASE_SCAN: | |
enable: True | # enable (True) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, only WordPress databases are supported as for now. |
Active Response is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
In order to activate Active Response, the following lines should be added into /etc/sysconfig/imunify360/imunify360.config:
OSSEC:
active_response: True
systemctl restart imunify360
How to apply changes from CLI
In order to apply changes via command-line interface (CLI), you can use the following command:
imunify360-agent config update '{"SECTION": {"parameter": value}}'
For example, if you want to set MALWARE_SCAN_INTENSITY.cpu = 5
from a command line, then you should execute the following command:
imunify360-agent config update '{"MALWARE_SCAN_INTENSITY": {"cpu": 5}}'
It is also possible to apply several parameters at once. For example:
imunify360-agent config update '{"PAM": {"exim_dovecot_protection": false, "enable":true}}'
For string configuration values, such as the administrator's email address, it is necessary to use the following command format:
imunify360-agent config update '{"ADMIN_CONTACTS": {"emails": ["email@domain.com"]}}'