sidebar hamburger menu

Config File Description

Imunify360 config file is available on the following location after installation:

/etc/sysconfig/imunify360/imunify360.config

In the config file it is possible to set up Imunify360 configuration. The following options are available:

Note that if YAML is used, it accepts any format: True/true/yes/y, etc. However, the CLI uses JSON which is strict – only lowercase true/false. Thus, if you are using the imunify360-agent CLI tool to make changes to the configuration, make sure you are using the lowercase.

AUTO_WHITELIST:
timeout: 1440# set in minutes how long to keep automatically whitelisted IP
after_unblock_timeout: 1440 # set in minutes for how long IP will be added to the White List after it passes Imunify360 Anti-bot challenge
DOS:
enabled: True# allows to enable (True, the default value) or disable (False) DOS detection
interval: 30# interval in seconds between DoS detection system activation
default_limit: 250# maximum default limit of connections from remote IP to local port before DoS protection will be triggered. Cannot be set lower than 100
port_limits:# allows to set limits per local port
80: 150 # limit on port 80 is set to 150 connections
ENHANCED_DOS:
enabled: True# allows to enable or disable (False) the Enhanced DOS protection
time_frame: 60# the default timeframe in seconds between the Enhanced DoS detection system activation
default_limit: 500# the threshold of requests (their number) from remote IP to local port before the Enhanced DoS protection will be triggered.
port_limits:# allows to set requests limits for different ports
80: 300 # limit on port 80 is set to 300 connections
FIREWALL:
port_blocking_mode: ALLOW# allows to set firewall port blocking mode.

ALLOW (default) - allow all except specified.
DENY - block all except specified.

Exact ports and port-ranges to be allowed can be configured by the following fields in the config file:
- FIREWALL.TCP_IN_IPv4
- FIREWALL.TCP_OUT_IPv4
- FIREWALL.UDP_IN_IPv4
- FIREWALL.UDP_OUT_IPv4

Changes of config files will be applied automatically. You don’t need to restart the server or Imunify360.

Please note, the feature doesn’t support IPv6 addresses at this moment and CSF needs to be disabled due to conflicts.
INCIDENT_LOGGING:
min_log_level: 4# minimum severity level for incidents displayed in UI. Please find the levels description here
num_days: 100# incidents older than num_days are automatically deleted
limit: 100000# how many incidents should be stored in Imunify360 log file
ui_autorefresh_timeout: 10# set auto refresh time for incidents in user interface
LOGGER:
max_log_file_size: 62914560# defines the maximum size of the log file in bytes (default is 60 MB)
backup_count: 5# defines how many log files to store. If 5, it will store app.log, app.log.1, and up to app.log.5.
syscall_monitor: False

Collect and report the source of suspicious actions using Syscall Monitor (True).

Supported operating systems:
  • CentOS 6/7
  • CloudLinux OS 6/7.
Additional requirements:
  • auditd needs to be installed
  • auditsp needs to be switched off.

Imunify360 uses auditd to discover malicious cron jobs that are not detected by other methods yet and thus block them much faster.

Additionally, it's also used for internal quality control and monitoring - e.g. if auditd records that PHP processes drop malware, but there are no related events/blocks from Proactive Defense, Imunify team receives an alert prompting an investigation.

MOD_SEC:# defines ModSecurity settings
ruleset: FULL# defines what ruleset to use: FULL (default value) or MINIMAL. If the amount of RAM on the server is less than 2.1GB, the ruleset value is automatically set to MINIMAL.
cms_account_compromise_prevention: False# enables WordPress account brute-force protection. Default is False.
app_specific_ruleset: True# enables WAF Rules Auto-Configurator. Default is True.
prev_settings: # for internal usage, do not edit
MOD_SEC_BLOCK_BY_SEVERITY:
enable: True# allows to enable or disable option that moves IPs to Gray List if the ModSecurity rule is triggered
max_incidents: 2# set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List
denied_num_limit: 2# set a number of repeats of the ModSecurity incidents that got Access Denied error from the same IP for adding it to Gray List
check_period: 120# set a period in seconds during which incident from the same IP will be recorded as a repeat
severity_limit: 2# set a level of severity for DOS detection sensitivity. Read more about severity levels
MOD_SEC_BLOCK_BY_CUSTOM_RULE:# this section allows to add custom configuration for blocking by ModSecurity incidents
33332:# set ModSecurity rule ID
check_period: 120# set a period in seconds during which incident from the same IP will be recorded as a repeat
max_incidents: 10# set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List
MALWARE_SCANNING:
try_restore_from_backup_first: False# allows to enable (True) or disable (False – the default value) automatic malicious file restore from backup if a clean copy exists, otherwise default_action is applied
default_action: cleanup# default action on malicious file detected.
Available options:
  • notify – just display in dashboard
  • cleanup – cleanup malicious file (default)
enable_scan_inotify: True# enable (True (default)) or disable (False) real-time scanning for modified files using inotify library
enable_scan_pure_ftpd: True# enable (True (default)) or disable (False) real-time scanning for files uploaded through PureFTPd
enable_scan_modsec: True# enable (True (default) or disable (False) real-time scanning of all the files that were uploaded via http/https. Note that it requires ModSecurity to be installed
max_signature_size_to_scan: 1048576# max file size to scan in the standard mode; value is set in bytes
max_cloudscan_size_to_scan: 10485760# max file size to scan in the cloud-assisted (by hashes) mode; value is set in bytes
max_mrs_upload_file: 10485760# max file size to upload to CloudLinux malware research service; value is set in bytes
detect_elf: True# enable (True) (default value) or disable (False) binary (ELF) malware detection
notify_on_detect: False# notify (True) or not (False) (default value) an admin when malware is detected
optimize_realtime_scan: True# enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here
sends_file_for_analysis: True# send (True) (default value) or not (False) malicious and suspicious files to the Imunify team for analysis
i360_clamd: False# obsolete (not used)
show_clamav_results: False# obsolete (not used)
clamav_binary: True# obsolete (not used)
scan_modified_files: Null# enable (True) or disable (False) (default is not set). If disabled, it checks the file's timestamps (c/mtime) before scanning, and if the timestamp is not changed since the last scan, the file is skipped. Scanner's behaviour is based on other scan optimizations, therefore it is better to rely on default values and UI, although this parameter provides an option to overwrite this behaviour. This option is not available within UI.
cloud_assisted_scan: True# speed up scans by check file hashes using cloud database
rapid_scan: True# speeds up (True) (default value) ot not (False) repeated scans based on smart re-scan approach, local result caching and cloud-assisted scan.
rapid_scan_rescan_unchanging_files_frequency: null# defines what part of all files will be rescanned during each scan. For example, if set 10 then 1/10 part of all files will be rescanned. The default value `null` - means "choose frequency based on scan schedule". E.g. month - 1, week - 5, day - 10.
hyperscan: True# allows to use (True) the regex matching Hyperscan library in Malware Scanner to greatly improve the scanning speed. True is the default value. Hyperscan requires its own signatures set that will be downloaded from the files.imunify360.com and compiled locally.
Platform requirements:
* Hyperscan supports Debian, Ubuntu and CentOS/CloudLinux 7 and later.
* SSE3 processor instructions support. It is quite common nowadays, but may be lacking in virtual environments or in some rather old servers.
enable_scan_cpanel: False# enable (True) blocking malicious file uploads via cPanel File Manager. The default value is False. The type of operations processed are: edits and saves
crontabs: True# enable (True) scan of the system and user crontab files for malicious jobs. The default value is True.
CAPTCHA:
cert_refresh_timeout: 3600# set in seconds how often SSL certificate will be refreshed
CONTROL_PANEL:
compromised_user_password_reset: True# enables resetting passwords for compromised cPanel accounts. Upon activating this functionality, our platform will detect instances where a cPanel account password has been breached and will subsequently prevent access using the previous password. End-users will then be prompted to create a new password via the cPanel password reset process.
ERROR_REPORTING:
enable: True# automatically report errors to imunify360 team
SEND_ADDITIONAL_DATA:
enable: True# send anonymized data from query string/post parameters and cookies. True is the default value.
NETWORK_INTERFACE:# manages for what network interfaces Imunify360 rules will be applied
eth_device: None# by default, Imunify360 will auto-configure iptables to filter all traffic. If you want iptables rules to be applied to a specific NIC only, list them here (e.g. eth1)
eth6_device: None# it is the same as eth_device, but configures ip6tables to use specific device
eth_device_skip: []# if you don't want iptables\ip6tables rules to be applied to specific NICs, list them here (e.g [eth1, eth2])
BACKUP_RESTORE:
max_days_in_backup: 90# restore from backup files that are not older than max_days_in_backup
CAPTCHA_DOS:
enabled: True# enable (True (default) or disable (False) Anti-bot Challenge Dos protection
time_frame: 21600# set a period in seconds during which requests to Anti-bot Challenge from the same IP will be recorded as repeated
max_count: 100# set the maximum number of repeated Anti-bot Challenge requests after which IP is moved to the Anti-bot Challenge Dos list without an ability to request Anti-bot Challenge again
timeout: 864000# set in seconds the time on which to add the IP in Anti-bot Challenge Dos list without an ability to request Anti-bot Challenge again
BLOCKED_PORTS:
default_mode: allowed# defines the default state of ports which is not explicitly set by user (denied by default or allowed by default). Currently only allowed is supported
WEBSHIELD:
known_proxies_support: True# enable CDN support, treat IPs behind CDN as any other IPs. (True is the default value).
enable: True# enable (True) (default value) or disable (False) WebShield
splash_screen: True# enable (True) or disable (False) Anti-bot protection
PROACTIVE_DEFENCE:
blamer: True# enable (True (default)) or disable (False) Blamer. See also: How to forcibly enable Blamer for all users on the server.
mode: LOG# available modes:
  • KILL
  • DISABLED
  • LOG (default)
php_immunity: False# enable (True) or disable (False (default)) PHP Immunity (allows to automatically detect & patch vulnerabilities in software at the Proactive Defense level preventing re-infections through the same vulnerability). By enabling this feature, Blamer will be enabled as well and Proactive Defence switched into the KILL mode.
MALWARE_SCAN_INTENSITY:
cpu: 2# intensity level for CPU consumption. Can be set from 1 to 7, default is 2
io: 2# intensity level for file operations. Can be set from 1 to 7, default is 2
ram: 1024# intensity level for RAM consumption. The default value is 1024
MALWARE_SCAN_SCHEDULE:
day_of_month: <next day after installation># when the background scan shall start, day of the month. Can be from 1 to 31, the default value is the <next day after installation>.
day_of_week: 0# when the background scan shall start, day of the week. Can be from 0 to 7 (0 for Sunday, 1 for Monday..., 7 for Sunday (again)), the default value is 0
hour: 3# when the background scan shall start, hour. Can be from 0 to 23, the default value is 3
interval: MONTH# interval of scan. Supported values: strings `NONE` (no scan), `DAY`, `WEEK`, `MONTH`, the default value is `MONTH`
PAM:# effective way to prevent brute-force attacks against FTP/SSH
enable: False# enable (True) or disable (False) (default value) PAM brute-force attack protection
exim_dovecot_protection: False# enable (True) or disable (False) (default value) Exim+Dovecot brute-force attack protection against Dovecot brute-force attacks.
ftp_protection: False# enable (True) or disable (False) (default value) FTP brute-force attack protection.
exim_dovecot_native: True# enable (True) (default value) or disable (False) the Dovecot native module.
KERNELCARE: ()# KernelCare extension for Imunify360 which allows tracing malicious invocations to detect privilege escalation attempts
edf: False ()# enable (True) or disable (False) (default value) exploit detection framework
MALWARE_CLEANUP:
trim_file_instead_of_removal: True# do not remove infected file during cleanup but make the file zero-size (for malwares like web-shells) (True) (default value)
keep_original_files_days: 14# the original infected file is available for restore within the defined period. The default is 14 days. The minimum value is one day.
OSSEC:
active_response: False# block (True) access to a specific server port being attacked. The ports include FTP (21), SSH (any port) and SMTP (25, 465, 587). The default value is False.
ADMIN_CONTACTS:
emails: youremail@email.com# your email to receive reports about critical issues, security alerts or system misconfigurations detected on your servers.
SMTP_BLOCKING:
enable: False# enable (True) or disable (False) (default value) SMTP Traffic Management. When enabled, the outgoing SMTP traffic would be blocked according to the settings.
ports: 25,587,465# a list of the ports to be blocked. The defaults are: 25, 587,465.
allow_users:# a list of users to be ignored (not blocked). By default it is empty. Including Unix and cPanel users (if a process that sends an email has a UID of one of the `allow_users`, it will not be blocked).
allow_groups: mail# a list of the groups to be ignored (not blocked). By default it is empty. Including Unix and cPanel users (if a process that sends an email has a UID of one of the `allow_users`, it will not be blocked).
allow_local: False# block (True) all, except the local SMTP (localhost). False is the default value.
redirect: False# enable (True) or disable (False) (the default value) automatic redirection to the local ports for outgoing mail traffic.
CSF_INTEGRATION:
catch_lfd_events: False# let (True) Imunify360 use Login Failure Daemon (LFD) as a source for security events. Default is False.
PERMISSIONS:
support_form: True# show (True) (the default value) or hide (False) the Support icon in the Imunify360 UI.
user_ignore_list: True# show (True) (the default value) or hide (False) the Ignore List tab for end-users in the Imunify360 UI.
allow_malware_scan: False# enable (True) or disable (False) (the default value) “scan” action in the UI of the end-user.
advisor: True# enable (True - the default value) or disable (False) the Imunify Advisor.
user_override_malware_actions: False# "True" allows overriding of actions applied to malware by a regular user. E.g., users will be able to disable automatic cleanup for their own files even if it was enabled by the admin.
user_override_proactive_defense: False# "True" allows overriding of Proactive Defense work mode by a regular user. E.g., users will be able to switch Proactive Defense mode to LOG for their websites even if the admin has set it to KILL.
STOP_MANAGING:
modsec_directives: False# for internal usage, do not edit
WEB_SERVICES:
http_ports: # additional http ports for Anti-bot Challenge
https_ports: # additional https ports for Anti-bot Challenge
MALWARE_DATABASE_SCAN:
enable: True# enable (True) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, only WordPress databases are supported as for now.

Active Response is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.

The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.

In order to activate Active Response, the following lines should be added into /etc/sysconfig/imunify360/imunify360.config:

OSSEC:
  active_response: True
and then restart Imunify360 service:
systemctl restart imunify360

How to apply changes from CLI

In order to apply changes via command-line interface (CLI), you can use the following command:

imunify360-agent config update '{"SECTION": {"parameter": value}}'

For example, if you want to set MALWARE_SCAN_INTENSITY.cpu = 5 from a command line, then you should execute the following command:

imunify360-agent config update '{"MALWARE_SCAN_INTENSITY": {"cpu": 5}}'

It is also possible to apply several parameters at once. For example:

imunify360-agent config update '{"PAM": {"exim_dovecot_protection": false, "enable":true}}'

For string configuration values, such as the administrator's email address, it is necessary to use the following command format:

imunify360-agent config update '{"ADMIN_CONTACTS": {"emails": ["email@domain.com"]}}'