Config File Description
Imunify360 config file is available on the following location after installation:
/etc/sysconfig/imunify360/imunify360.config
In the config file it is possible to set up Imunify360 configuration. The following options are available:
| AUTO_WHITELIST: | |
|---|---|
| timeout: 1440 | # set in minutes how long to keep automatically whitelisted IP |
| after_unblock_timeout: 1440 | # set in minutes for how long IP will be added to the White List after it passes Imunify360 CAPTCHA |
| DOS: | |
| enabled: false | # allows to enable (true) or disable (false) DOS detection |
| interval: 30 | # interval in seconds between DoS detection system activation |
| default_limit: 250 | # maximum default limit of connections from remote IP to local port before DoS protection will be triggered. Cannot be set lower than 100 |
| port_limits: | # allows to set limits per local port |
| 80: 150 | # limit on port 80 is set to 150 connections |
| INCIDENT_LOGGING: | |
| min_log_level: 4 | # minimum severity level for incidents displayed in UI. Please find the levels description here |
| num_days: 100 | # incidents older than num_days are automatically deleted |
| limit: 100000 | # how many incidents should be stored in Imunify360 log file |
| ui_autorefresh_timeout: 10 | # set auto refresh time for incidents in user interface |
| MOD_SEC: | # defines ModSecurity settings |
| ruleset: FULL | # defines what ruleset to use: FULL (default value) or MINIMAL. If the amount of RAM on the server is less than 2.1GB, the ruleset value is automatically set to MINIMAL. |
| MOD_SEC_BLOCK_BY_SEVERITY: | |
| enable: true | # allows to enable or disable option that moves IPs to Gray List if the ModSecurity rule is triggered |
| max_incidents: 2 | # set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List |
| denied_num_limit: 2 | # set a number of repeats of the ModSecurity incidents that got Access Denied error from the same IP for adding it to Gray List |
| check_period: 120 | # set a period in seconds during which incident from the same IP will be recorded as a repeat |
| severity_limit: 2 | # set a level of severity for DOS detection sensitivity. Read more about severity levels |
| MOD_SEC_BLOCK_BY_CUSTOM_RULE: | # this section allows to add custom configuration for blocking by ModSecurity incidents |
| 33332: | # set ModSecurity rule ID |
| check_period: 120 | # set a period in seconds during which incident from the same IP will be recorded as a repeat |
| max_incidents: 10 | # set a number of repeats of the ModSecurity incident from the same IP for adding it to Gray List |
| MALWARE_SCANNING: | |
| try_restore_from_backup_first: false | # allows to enable (true) or disable (false) automatic malicious file restore from backup if a clean copy exists, otherwise default_action is applied |
| default_action: quarantine | # default action on malicious file detected. Available options:
|
| enable_scan_inotify: false | # enable (true) or disable (false) real-time scanning for modified files using inotify library |
| enable_scan_pure_ftpd: true | # enable (true) or disable (false) real-time scanning for files uploaded through PureFTPd |
| enable_scan_modsec: true | # enable (true) or disable (false) real-time scanning of all the files that were uploaded via http/https. Note that it requires ModSecurity to be installed |
| max_signature_size_to_scan: 1048576 | # max file size to scan in the standard mode; value is set in bytes |
| max_cloudscan_size_to_scan: 10485760 | # max file size to scan in the cloud-assisted (by hashes) mode; value is set in bytes |
| max_mrs_upload_file: 10485760 | # max file size to upload to CloudLinux malware research service; value is set in bytes |
| detect_elf: false | # enable (true) or disable (false) (default value) binary (ELF) malware detection |
| CAPTCHA: | |
| cert_refresh_timeout: 3600 | # set in seconds how often SSL certificate will be refreshed |
| ERROR_REPORTING: | |
| enable: true | # automatically report errors to imunify360 team |
| SEND_ADDITIONAL_DATA: | |
| enable: true | # send anonymized data from query string/post parameters and cookies. |
| NETWORK_INTERFACE: | # manages for what network interfaces Imunify360 rules will be applied |
| eth_device: null | # by default, Imunify360 will auto-configure iptables to filter all traffic. If you want iptables rules to be applied to a specific NIC only, list them here (e.g. eth1) |
| eth6_device: null | # it is the same as eth_device, but configures ip6tables to use specific device |
| eth_device_skip: [] | # if you don't want iptables\ip6tables rules to be applied to specific NICs, list them here (e.g [eth1, eth2]) |
| BACKUP_RESTORE: | |
| max_days_in_backup: 90 | # restore from backup files that are not older than max_days_in_backup |
| cl_backup_allowed: true | # show CloudLinux Backup in the list of available backup system (true) or hide it (false) |
| CAPTCHA_DOS: | |
| enabled: true | # enable (true) or disable (false) CAPTCHA Dos protection |
| time_frame: 21600 | # set a period in seconds during which requests to CAPTCHA from the same IP will be recorded as repeated |
| max_count: 100 | # set the maximum number of repeated CAPTCHA requests after which IP is moved to the CAPTCHA Dos list without an ability to request CAPTCHA again |
| timeout: 864000 | # set in seconds the time on which to add the IP in CAPTCHA Dos list without an ability to request CAPTCHA again |
| BLOCKED_PORTS: | |
| default_mode: allowed | # defines the default state of ports which is not explicitly set by user (denied by default or allowed by default). Currently only allowed is supported |
| WEBSHIELD: | |
| known_proxies_support: true | # enable CDN support, treat IPs behind CDN as any other IPs |
| enable: true | # enable (true) (default value) or disable (false) WebShield |
| PROACTIVE_DEFENСE: | |
| blamer: false | # enable (true) or disable (false) Blamer |
| mode: KILL | # available modes:
|
| MALWARE_SCAN_INTENSITY: | |
| cpu: 6 | # intensity level for CPU consumption. Can be set from 1 to 7, default is 6 |
| io: 6 | # intensity level for file operations. Can be set from 1 to 7, default is 6 |
| MALWARE_SCAN_SCHEDULE: | |
| day_of_month: 4 | # when the background scan shall start, day of the month. Can be from 1 to 31, the default value is the next day after the installation |
| day_of_week: 0 | # when the background scan shall start, day of the week. Can be from 0 to 7 (0 for Sunday, 1 for Monday..., 7 for Sunday (again)), the default value is 0 |
| hour: 3 | # when the background scan shall start, hour. Can be from 0 to 23, the default value is 3 |
| interval: none | # interval of scan. Supported values: strings `none`, `day`, `week`, `month`, the default value is `none` (no scan) |
| PAM: | # effective way to prevent brute-force attacks against FTP/SSH |
| enable: false | # enable (true) or disable (false) (default value) PAM brute-force attack protection |
| PAM.exim_dovecot_protection: false | # enable (true) or disable (false) (default value) Exim+Dovecot brute-force attack protection against Dovecot brute-force attacks. |
| KERNELCARE: | # KernelCare extension for Imunify360 which allows tracing malicious invocations to detect privilege escalation attempts |
| edf: false | # enable (true) or disable (false) (default value) exploit detection framework |
Active Response is an ossec-driven (IDS) feature of Imunify360 which has been re-engineered to make it capable of blocking access to a specific server port being attacked.
The purpose of the feature is significantly reducing false positive rate while increasing its capabilities to detect and block aggressive brute force requests.
In order to activate Active Response, the following lines should be added into /etc/sysconfig/imunify360/imunify360.config:
OSSEC:
active_response: true
systemctl restart imunify360
