Config File Description

After installation, the Imunify360 config file is available at the following location:

/etc/sysconfig/imunify360/imunify360.config

Imunify360 is configured by editing this file. The following options are available (values shown are the defaults, with a description after each `#`):

AUTO_WHITELIST:
  timeout: 1440 # set in minutes how long to keep an automatically whitelisted IP
  after_unblock_timeout: 1440 # set in minutes for how long an IP will be added to the White List after it passes Imunify360 CAPTCHA
DOS:
  enabled: false # enable (true) or disable (false) DoS detection
  interval: 30 # interval in seconds between DoS detection system activations
  default_limit: 250 # default maximum number of connections from a remote IP to a local port before DoS protection is triggered. Cannot be set lower than 100
  port_limits: # limits per local port
    80: 150 # limit on port 80 is set to 150 connections
INCIDENT_LOGGING:
  min_log_level: 4 # minimum severity level for incidents displayed in the UI. Please find the levels description here
  num_days: 100 # incidents older than num_days are automatically deleted
  limit: 100000 # how many incidents should be stored in the Imunify360 log file
  ui_autorefresh_timeout: 10 # auto-refresh interval for incidents in the user interface
MOD_SEC_BLOCK_BY_SEVERITY:
  enable: true # enable or disable the option that moves IPs to the Gray List if a ModSecurity rule is triggered
  max_incidents: 2 # number of repeats of a ModSecurity incident from the same IP before it is added to the Gray List
  denied_num_limit: 2 # number of repeats of ModSecurity incidents that got an Access Denied error from the same IP before it is added to the Gray List
  check_period: 120 # period in seconds during which an incident from the same IP is recorded as a repeat
  severity_limit: 2 # severity level for DOS detection sensitivity. Read more about severity levels
MOD_SEC_BLOCK_BY_CUSTOM_RULE: # this section allows custom configuration for blocking by ModSecurity incidents
  33332: # ModSecurity rule ID
    check_period: 120 # period in seconds during which an incident from the same IP is recorded as a repeat
    max_incidents: 10 # number of repeats of this ModSecurity incident from the same IP before it is added to the Gray List
MALWARE_SCANNING:
  try_restore_from_backup_first: false # enable (true) or disable (false) automatic restore of a malicious file from backup if a clean copy exists; otherwise default_action is applied
  default_action: quarantine # default action on a detected malicious file. Available options:
                             #   quarantine - do not delete, move to quarantine
                             #   notify - do not delete, send an email notification
                             #   delete - delete the malicious file
  notify_on_detect: false # enable (true) or disable (false) email notification when a file is detected as infected
  enable_scan_inotify: false # enable (true) or disable (false) real-time scanning of modified files using the inotify library
  enable_scan_pure_ftpd: true # enable (true) or disable (false) real-time scanning of files uploaded through PureFTPd
  enable_scan_modsec: true # enable (true) or disable (false) real-time scanning of all files uploaded via http/https. Note that it requires ModSecurity to be installed
CAPTCHA:
  cert_refresh_timeout: 3600 # set in seconds how often the SSL certificate will be refreshed
ERROR_REPORTING:
  enable: true # automatically report errors to the Imunify360 team
SEND_ADDITIONAL_DATA:
  enable: true # send anonymized data from query string/post parameters and cookies
NETWORK_INTERFACE: # which network interfaces Imunify360 rules are applied to
  eth_device: null # by default, Imunify360 auto-configures iptables to filter all traffic. If you want iptables rules to be applied to a specific NIC only, list it here (e.g. eth1)
  eth6_device: null # the same as eth_device, but configures ip6tables to use the specific device
  eth_device_skip: [] # if you don't want iptables/ip6tables rules to be applied to specific NICs, list them here (e.g. [eth1, eth2])
BACKUP_RESTORE:
  max_days_in_backup: 90 # restore from backup files that are not older than max_days_in_backup
  cl_backup_allowed: true # show CloudLinux Backup in the list of available backup systems (true) or hide it (false)
CAPTCHA_DOS:
  enabled: true # enable (true) or disable (false) CAPTCHA DoS protection
  time_frame: 21600 # period in seconds during which requests to CAPTCHA from the same IP are recorded as repeated
  max_count: 100 # maximum number of repeated CAPTCHA requests after which the IP is moved to the CAPTCHA DoS list without the ability to request CAPTCHA again
  timeout: 864000 # set in seconds how long an IP stays in the CAPTCHA DoS list without the ability to request CAPTCHA again
BLOCKED_PORTS:
  default_mode: allowed # default state of ports not explicitly set by the user (denied by default or allowed by default). Currently only allowed is supported
WEBSHIELD:
  known_proxies_support: true # enable CDN support, treat IPs behind a CDN as any other IPs
PROACTIVE_DEFENSE:
  blamer: false # enable (true) or disable (false) Blamer
  mode: KILL # available modes: KILL, DISABLED, LOG

Experimental - Active Response feature

The following feature requires a special Imunify360 build - contact our tech support at https://cloudlinux.zendesk.com (Imunify360 department) to enable it.

Active Response is an OSSEC-driven (IDS) feature of Imunify360 that has been re-engineered so that it can block access to the specific server port being attacked, rather than the whole host.

The purpose of the feature is to significantly reduce the false positive rate while improving detection and blocking of aggressive brute force requests.

To activate Active Response, add the following lines to /etc/sysconfig/imunify360/imunify360.config:

OSSEC:
  active_response: true

and then restart the Imunify360 service:

systemctl restart imunify360
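Because a mistake in this file (for example a DOS.default_limit below 100, a misspelled default_action, or a PROACTIVE_DEFENSE mode that does not exist) silently weakens protection or prevents the service from applying the intended settings, it is worth checking an edited config against the documented constraints before restarting. The script below is an added example, not Imunify360's own tooling: it contains a minimal parser for the subset of YAML this file uses (nested mappings, scalars, `[]` lists, `#` comments) and a check function that encodes the rules stated in the option list above and in the Active Response section. The embedded sample config is constructed for the demonstration and deliberately contains two invalid values.

```python
"""Sanity-check an imunify360.config-style file against the documented
option constraints. Added example; the parser handles only the YAML subset
the config uses and the SAMPLE_CONFIG text below is constructed."""
import re

# Constructed sample: default_limit is below the documented minimum of 100
# and default_action is not one of quarantine/notify/delete.
SAMPLE_CONFIG = """\
AUTO_WHITELIST:
  timeout: 1440
DOS:
  enabled: true
  interval: 30
  default_limit: 80
  port_limits:
    80: 150
MALWARE_SCANNING:
  default_action: remove
  notify_on_detect: false
NETWORK_INTERFACE:
  eth_device: null
  eth_device_skip: [eth1, eth2]
PROACTIVE_DEFENSE:
  blamer: false
  mode: LOG
OSSEC:
  active_response: true
"""

VALID_ACTIONS = {"quarantine", "notify", "delete"}
VALID_MODES = {"KILL", "DISABLED", "LOG"}


def _scalar(text):
    """Convert a YAML scalar (bool, null, int, [list], or string)."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if text == "null":
        return None
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    m = re.fullmatch(r"\[(.*)\]", text)
    if m:
        return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return text


def parse_config(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close deeper/equal levels
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value)
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def check_config(cfg):
    """Return a list of violations of the documented constraints
    (empty list means the config passes)."""
    problems = []
    dos = cfg.get("DOS", {})
    if "default_limit" in dos and dos["default_limit"] < 100:
        problems.append("DOS.default_limit cannot be set lower than 100")
    for port, limit in dos.get("port_limits", {}).items():
        if not (isinstance(limit, int) and limit > 0):
            problems.append(f"DOS.port_limits.{port} must be a positive integer")
    action = cfg.get("MALWARE_SCANNING", {}).get("default_action")
    if action is not None and action not in VALID_ACTIONS:
        problems.append(f"MALWARE_SCANNING.default_action {action!r} "
                        f"not in {sorted(VALID_ACTIONS)}")
    mode = cfg.get("PROACTIVE_DEFENSE", {}).get("mode")
    if mode is not None and mode not in VALID_MODES:
        problems.append(f"PROACTIVE_DEFENSE.mode {mode!r} not in {sorted(VALID_MODES)}")
    default_mode = cfg.get("BLOCKED_PORTS", {}).get("default_mode")
    if default_mode is not None and default_mode != "allowed":
        problems.append("BLOCKED_PORTS.default_mode: only 'allowed' is supported")
    ar = cfg.get("OSSEC", {}).get("active_response")
    if ar is not None and not isinstance(ar, bool):
        problems.append("OSSEC.active_response must be true or false")
    return problems


if __name__ == "__main__":
    for problem in check_config(parse_config(SAMPLE_CONFIG)):
        print("config problem:", problem)
```

Run against the real file by replacing SAMPLE_CONFIG with `open("/etc/sysconfig/imunify360/imunify360.config").read()`; an empty result means none of the documented constraints is violated, which is a narrower statement than "the config is valid", since the script knows nothing about keys the documentation does not list.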