sidebar hamburger menu

Generic panels and no-panel installation and integration


Imunify360 can be installed directly on the server, independent of any panel, regardless of the administrative interface. It is also called stand-alone, non-panel, generic panel integration.



Supported Operating Systems

  • The same list as here.

Web Servers

  • Apache >= 2.4.30
  • LiteSpeed
  • Nginx

There are four main steps in general required for having Imunify360 Stand-alone running on your server:

  1. Install and configure the prerequisites such as ModSecurity, PHP with JSON support, and other common WEB server packages.
  2. Download and edit integration.conf file to configure Imunify360 required integrations BEFORE running the installation script.
  3. Install Imunify360 using the deploy script
  4. Check the installed modules work and change the Imunify360 settings to reflect your needs.

CageFS Warning

If Imunify360 runs in CageFS, you'll need to configure it accordingly. It is required to make sure Imunify Web-UI PHP code can be executed under a non-root user and grant access to /var/run/defence360agent/non_root_simple_rpc.sock.

To allow non-root user in CageFS access to the socket, this workaround should be applied:

# Ensure the existence of the related cagefs directory for the user
# and write necessary configuration for setting up virtual mp.
# For more information, see docs:
export prefix=$(id -u {{ imunify_ui_user }} | tail -c 3)
export cagefs_namespace_dir=/var/cagefs/${prefix}/{{ imunify_ui_user }}/
mkdir -p ${cagefs_namespace_dir}
# The lines starting with @ mean they are subdirectories.
# If we do not wanna mask everything else in /var/run,
# we should not omit that line but make it an empty subdir under defence360agent, like shown
cat << EOF > ${cagefs_namespace_dir}/
cagefsctl --remount-all

1. Install and configure the prerequisites

Imunify360 Stand-alone version requires the following components installed or enabled at the server:

  • ModSecurity 2.9.x for Apache or ModSecurity 3.0.x for Nginx
  • Apache module mod_remoteip or nginx module ngx_http_realip_module
  • PHP with json extension loaded and proc_open function enabled (remove it from the disable_functions list in php.ini)


We recommend using the stable versions of ModSecurity3 (i.e. 3.0.4), because developing versions (i.e. master) can have stability issues (see for example).

2. Download and edit integration.conf file to set required integrations

The Imunify360 Stand-alone version requires the following integrations before installation:

  • 2.1 Specifying panel information
  • 2.2 Integration with WEB server for serving UI
  • 2.3 Interaction with ModSecurity
  • 2.4 Integration with Authentication Service
  • 2.5 Integration with Malware Scanner

All integrations set in the integration config file like /etc/sysconfig/imunify360/integration.conf. You can find more details on the config file here, get a template or check the Knoledgebase article.

2.1 Specifying panel information

To specify information about your hosting panel in Imunify360/ImunifyAV, use the panel_info option in the [integration_scripts] section of integration.conf file.

This is a mandatory field and must be specified prior to the start of the installation.

panel_info = /etc/sysconfig/imunify360/

The option should contain a full path to the executable that prints JSON data in the following format:

    "data": {
        "name": "MyHostingPanel",
        "version": "1.23.4"
    "metadata": {
        "result": "ok"

The script can echo or print this information in JSON format, or you could configure the file in order to receive the actual information about the hosting panel in use. In case you don’t have a hosting panel at all, use the following stub file:

2.2 Integration with web server for serving UI

Imunify360 UI is implemented as a single-page application (SPA) and requires a web server to serve it. It’s required to specify a path to the web server directory, where the Imunify360 UI SPA application will be installed and served.


ui_path = /var/www/vhosts/imunify360/

Ensure that the domain you are going to use for the Imunify360 web-based UI refers to this path and that there are no other scripts or files under ui_path, to avoid overwriting the files Imunify360 installation will abort.

2.3 Web engine and Interaction with ModSecurity

It is required to set the web server graceful restart script ang paths in the integration.conf

  • graceful_restart_script – a script that restarts the web server to be called after any changes in web server config or ModSecurity rules
  • config_test_script – a script that checks the web server's config to be called after any changes in the web server config or ModSecurity rules (optional)
  • modsec_audit_log – a path to ModSecurity audit log file
  • modsec_audit_logdir – a path to ModSecurity audit log directory (only required when the SecAuditLogType set to the Concurrent)


server_type = apache
graceful_restart_script = /usr/sbin/apachectl restart
config_test_script = /usr/sbin/apachectl -t
modsec_audit_log = /var/log/httpd/modsec_audit.log
modsec_audit_logdir = /var/log/modsec_audit

Apache and LiteSpeed

Configure ModSecurity configuration directives (so that it can block):

SecAuditEngine RelevantOnly
SecConnEngine Off
SecRuleEngine On

Create the empty file /etc/sysconfig/imunify360/generic/modsec.conf and include it into the web server config as IncludeOptional. To do this you need to find your web server config file, like /etc/httpd/conf/httpd.conf and add a line to it:

IncludeOptional /etc/sysconfig/imunify360/generic/modsec.conf

The file would be replaced with the actual config during the first Imunify360 installation or you can fill it via calling the Imunify360 ModSec ruleset installation imunify360-agent install-vendors.



ModSecurity has different syntax comparing to Nginx configuration, thus ModSecurity directives can not be directly included to the Nginx config files.

Create a separate file (i.e. /etc/nginx/modsec.conf) and set the following ModSecurity directives in it:

SecAuditEngine RelevantOnly
SecConnEngine Off
SecRuleEngine On
SecAuditLogFormat JSON
# should match modsec_audit_log option in integration.conf (see below)
SecAuditLog /var/log/nginx/modsec_audit_log


ModSecurity on Nginx does not properly re-opens audit log on SIGHUP/SIGUSR1, which can cause logrotate to break integration with Imunify360. See for details.

Create an empty file /etc/sysconfig/imunify360/generic/modsec.conf. The file would be replaced with the actual config during the first Imunify360 installation or you can fill it via calling the Imunify360 ModSec ruleset installation imunify360-agent install-vendors.

Then enable ModSecurity and include both files into Nginx configuration using the modsecurity_rules_file directive:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec.conf;
modsecurity_rules_file /etc/sysconfig/imunify360/generic/modsec.conf;

2.4 Integration with authentication service

Imunify360 Stand-alone version can use PAM service to authenticate users for the Imunify360 UI application.

You can specify which PAM service Imunify360 should use with the service_name option:

service_name = system-auth

You can get a token which can be used for authentication using the login command. The administrators have full access to Imunify360 UI and its settings.

By default, root is considered to be the only admin user.

2.5 Integration with Malware Scanner

To scan files for changes (to detect malware) using inotify, configure which directories to watch and which to ignore in the integration.conf file:

  • configure [malware].basedir – a root directory to watch (recursively)
  • configure [malware].pattern_to_watch – only directories that match this (Python) regex in the basedir are actually going to be watched


basedir = /home
pattern_to_watch = ^/home/.+?/(public_html|public_ftp|private_html)(/.*)?$

3. Install Imunify360

3.1. Get your license key: Visit You can purchase it or get a trial key from a received email. 3.2. Log in with root privileges: Access the server where Imunify360 should be installed with root privileges. 3.3. Run the installation commands: Navigate to your home directory and execute the following commands:

wget -O
bash --key YOUR_KEY

Where YOUR_KEY is your license key. Replace YOUR_KEY with the actual key - trial or purchased one. The installation instructions are the same as for cPanel/Plesk/DirectAdmin version and can be found in the Imunify360 documentation.

After the successful installation, you can reach the Imunify360 UI at the URL specified by the ui_path parameter of the configuration file.

4. Set up modules and integrations and change other Imunify360 settings to reflect your needs

4.1 Define list of administrators for Imunify360

The administrators have full access to Imunify360 UI and its settings. To grant non-root users full access add more administrators by listing them in the them in the /etc/sysconfig/imunify360/auth.admin file or specify the integration scripts admin scetion.

Admin users will be merged from three sources:

  • /etc/sysconfig/imunify360/auth.admin list
  • scripts defined in the /etc/sysconfig/imunify360/integration.conf
  • /opt/cpvendor/etc/integration.ini that return user lists.
JSON data sample admin script should return
admins = /etc/sysconfig/imunify360/

It should point to an executable file that generates a JSON file similar to the following:

  "data": [
      "name": "admin1",
      "unix_user": "admin",
      "locale_code": "EN_us",
      "email": "",
      "is_main": true
      "name": "admin2",
      "unix_user": "admin",
      "locale_code": "Ru_ru",
      "email": "",
      "is_main": false
  "metadata": {
    "result": "ok"

4.2 FTP uploads scan

To scan files uploaded via FTP, configure PureFTPd. Write in the pure-ftp.conf:

CallUploadScript             yes

4.3 Per-domain rules constrol

To enable domain-specific ModSecurity configuration, specify the modsec_domain_config_script in the integration.conf.

modsec_domain_config_script = /path/to/inject/domain/specific/config/

It should point to an executable file that accepts as an input a list of domain-specific web server settings and injects them into the server config. The standard input (stdin) is given in the JSON Lines format similar to the following:

{"user": "username", "domain": "", "content": "modsec config text"}
{"user": "another", "domain": "", "content": "..."}

Each line contains config for a single domain e.g., it may contain rule tags excluded for the domain. The script should also restart the web server to apply the configuration. This should be done so that the script could implement the check that web server comes up after config change, and reset configuration if it doesn't.

If configuration change failed, the script should return 1, and in the standard error stream (stderr) it should return the reason for failure. On success, the script should return 0. In a single run of the script, we might update a single domain/user, as well as multiple users (all users) on the system.

4.4 Integration with WebShield

WebShield consists of four services:

  • WebShield itself
  • Shared memory daemon makes it easier to deal with certain aspects of Nginx configuration without reloading
  • SSL-caching daemon watches changes to host SSL certificate sets (for known hosting panels only: cPanel, Plesk, DirectAdmin) and updates the WebShield SSL cache when a certificate is added, updated or removed
  • Sentrylogs daemon watches WebShield log files to detect errors

The configuration of WebShield is done by an agent, and direct editing of WebShield configuration files is generally not recommended. This is mainly because after the next reconfiguration all custom changes would be lost. However, a host administrator is allowed to set a certificate as the default one for WebShield to return.

How to enable WebShield in the Imunify360 config file and start the service

When Imunify360 stand-alone is installed, WebShield is disabled by default.

You can enable it only via CLI. To do so, run the following commands:

  1.  imunify360-agent config update '{"WEBSHIELD": {"enable": true, "known_proxies_support": true}}'
  2.  systemctl enable imunify360-webshield
  3.  systemctl restart imunify360-webshield

Set default SSL certificate explicitly

  1. Place a certificate and a key into the /etc/imunify360-webshield/ssl_certs folder
  2. If required, in the /etc/imunify360-webshield/ssl.conf file, change the following directives according to your changes:
ssl_certificate             ssl_certs/dummy.pem;

ssl_certificate_key         ssl_certs/dummy.pem;

If you want to provide intermediate certificates, they are to be appended to the certificate file.

These settings require WebShield to be restarted/reloaded.

Manage WebShield SSL cache manually

To manually manage the certificate cache, use the /usr/sbin/im360-ssl-cache utility.

To add certificates to the cache, a user would run the command:

im360-ssl-cache --add /path/to/certs.json

The --add parameter accepts exactly one value. If the parameter value is not -, it is taken as a path to a file in JSON format with a list of certificates and private keys to be added. Otherwise, if the parameter value is -, data is expected to be sent in JSON format to STDIN as in the following example:

cat certs.json | im360-ssl-cache --add -
Format of JSON file:
      "domain": "",
      "key": "-----BEGIN PRIVATE KEY-----\nM...O\n-----END PRIVATE KEY-----\n",
      "certificate": "-----BEGIN CERTIFICATE-----\nMI...Y=\n-----END CERTIFICATE-----\n",
      "chain": "-----BEGIN CERTIFICATE-----\nM...I=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nM...U=\n-----END CERTIFICATE-----\n"
      "domain": "",
      "key": "...",
      "certificate": "...",
      "chain": "..."


As JSON text is not allowed to have line breaks, all newline symbols must be escaped as in the example above.

To remove certificate(s) from the cache, a user is expected to run the command:

im360-ssl-cache --remove …

The --remove parameter expects one or more space-separated domain names, for which certificates are to be removed from the cache.

When no parameters are passed, the im360-ssl-cache simply lists all domain names of certificates in the cache.


Passing certificates data in JSON format is done to put data flow in good order, to avoid excessive checks of data. No certificate checks are made.

Non-SNI requests

When a request without Server Name Indication (SNI) comes, WebShield has to guess what certificate from the cache to serve.

To allow WebShield to handle non-SNI requests properly, include an ip field in the JSON that you pass to the im360-ssl-cache.

        "domain": "...",
        "key": "...",
        "certificate": "...",
        "chain": "...",
        "ip": "..."  // NEW, optional, NOT UNIQUE

WebShield will use this data to decide which certificate to serve if a request without Server Name Indication (SNI) arrives. If there are several domains with the specified IPs, WebShield will use the first one alphabetically.

How to test SSL configuration

Administrators should see a warning in Settings in UI if no certificates are added: WebShield SSL-Cache is not configured. Although, even if a certificate is added, it doesn’t guarantee that the website is working correctly. The certificate may be outdated, invalid, or not applicable to that domain name.

The worst scenario when SSL certificate is not cached or recognised by the WebShield is that the SSL certificate of the Captcha page redirect will not match the initial site the user was visiting. The WebShield will serve it's default that not likely to match with the domain name, or an outdated certificate and this may not be trusted. Thus SSL certificate waning will appear.

To make sure WebShield can serve the Captcha page smoothly the relevant domain name (certificates cache) should be in the output of thec cache tool, e.g.:

If the domain name is presented, its certificate content with it's key should be written in cache, WebShield's pick up algorithm will find this match to serve with domain's Captcha page.

To attest this mechanisms, it is required:

  1. While using non-whitelisted IP (ideally an another machine that is not used to login), get the Graylist verdict.
  2. Visit the site and validate that no SSL errors occurred while Captcha is shown.

The first step can be achieved in various ways, the one that is also checks the ModSecurity layer is to send specific test tags, as per link describes. The approach is to send specific tags towards you site, trigger the test rule and get IP greylisted:

for i in {1..5} ; do curl -ks > /dev/null; echo $i; done

As well as without testing the ModSec layer, it is possible to add IP to the manual Greylist as per:

imunify360-agent graylist ip add --comment "Greylisting my test IP" --expiration $(($(date "+%s")+3600))

Subsequently, the curl results should return WebShield have no errors:

curl -iv --ssl-reqd

Required web server configuration to correctly detect client IP addresses from headers

To ensure WebShield and Graylist are working correctly (e.g. a correct IP is passed to ModSecurity), the server must recognize WebShield as an internal proxy. For example, for Apache, mod_remoteip must be installed and configured like this:

<IfModule remoteip_module>
    RemoteIPInternalProxy ::1
    RemoteIPHeader X-Forwarded-For

For Nginx, the ngx_http_realip_module module should be configured in the following way:

real_ip_header X-Forwarded-For;
set_real_ip_from ::1;

WebShield passes the real client IP in the X-Forwarded-For header.


In the Apache LogFormat configuration strings for correct representation of a remote host IP address it is required using:

%a	Client IP address of the request

instead of

%h	Remote hostname

You can find more details at

Use a specific list of users in Imunify360

By default, Imunify360 will use Linux system users, limited by uid_min and uid_max from the /etc/login.defs.

Data description

idFalseID of the UNIX account in the system.
usernameFalseThe name of the UNIX account in the system.
ownerTrueThe name of the account owner. The owner can be an administrator (in this case he should be included in the admins() output) or a reseller (in this case he should be included in the resellers() output).
locale_codeTrueThe locale selected by a user.
emailTrueEmail of the account user. If there is no email, it should return null.
domainTrueThe main domain of a user.
packageTrueInformation about the package to which a user belongs to. If the user doesn’t belong to any package, it should return null.
package.nameFalseThe name of the package to which a user belongs to.
package.ownerTrueThe owner of the package to which a user belongs to (reseller or administrator).
domains = /path/to/

It should point to an executable file that generates a JSON file similar to the following

  "data": {
    "": {
      "document_root": "/home/username/public_html/",
      "is_main": true,
      "owner": "username"
    "": {
      "document_root": "/home/username/public_html/subdomain/",
      "is_main": false,
      "owner": "username"
  "metadata": {
    "result": "ok"

web_server_config_path should point to a path that is added as IncludeOptional in this domain's virtual host e.g., /path/to/ path should be added for the domain.