Imunify360 User Interface

Imunify360 dashboard is available directly within your control panel. It displays all the security events and the latest incidents updated every 30 seconds. It allows filtering and selecting events based on various parameters, reviewing the details of the incidents, managing White, Gray, and Black lists, Blocked ports and configuring settings.

Note

cPanel, Plesk, and DirectAdmin are supported at the moment. A standalone version is coming soon.

Log in to WHM as an admin and go to Plugins, choose Imunify360 to get to the Imunify360 user interface.

It gives access to:

  • Support – allows you to contact our support team directly from your Imunify360 User Interface

  • Incidents – the list of all suspicious activity on the server.

  • Firewall – a dashboard of Black, White, Gray lists and Blocked ports with the ability to manage them.

  • Malware Scanner – real-time file scanner.

  • Proactive Defense – a unique Imunify360 feature that can prevent malicious activity through PHP scripts

  • Reputation Management – an analysis and notification tool that informs you when websites are blocked or blacklisted.

  • KernelCare – KernelCare current state.

  • Imunify360 Settings – configuring and controlling Imunify360 options.

Support

This tab allows you to contact our support team directly from your Imunify360 User Interface. You can create a request and attach some files to it.

To contact our support team in Imunify360 User Interface, please click the Call icon at the top right corner of the page.

A support ticket will be created and an email will be sent to the specified email address. When the status of your request changes, you will receive a notification at your email address. You will be able to track your request via https://cloudlinux.zendesk.com/hc/ and email.

Incidents

Choose the Incidents tab to view and manage the list of all the incidents. The table displays a list of detected incidents with all the information about the reasons for each incident.

Use filters to show the exact list of incidents:

  • Timeframe – allows filtering incidents by different time periods.
  • List – allows filtering incidents by White, Black, or Gray lists, or showing the incidents from all lists.
  • IP – allows showing all the incidents for a specific IP address. Tick the Description/IP checkbox to enable the input field where you can enter an IP or a part of it, then filter the list by clicking the magnifier or pressing Enter.
  • Country – allows filtering the incidents by the abuser's country. Tick the Country checkbox to enable the input field with auto-complete where you can enter a country, then filter the incidents by clicking the magnifier or pressing Enter.

Slide Auto-refresh to enable or disable automatic refresh of the incidents in the table without reloading the web page. Set the number of incidents to be shown on a page by choosing the number of items per page in the bottom right of the page.

The list of incidents contains the following information:

  • Date – the time when the incident happened.

  • IP – the IP address of the abuser. There is a color indication for the IP address:

    • A gray bubble means that this IP address is currently in the gray list (so every connection from this IP address is redirected to the CAPTCHA).
    • A blue bubble means that this IP address is currently not in any list (white list/gray list/black list). The IP is not blocked.
    • A white bubble means that this IP address is currently in the white list. The IP will never be blocked by Imunify360.
    • A black bubble means that this IP address is currently in the black list. Access from this IP is totally blocked, without the ability to unblock via the CAPTCHA.
    • No bubble is shown when this incident doesn’t contain IP address.
  • Country – country origin of the abuser IP address.

  • # of Times – the number of times the abuser tried to repeat the action.

  • Event – description of the event or suspicious activity (as it is described by OSSEC and Mod_Security sensors).

  • Severity – severity level of the incidents (as it is estimated in OSSEC severity levels and Mod_Security severity levels). The color of severity means:

    • Green – Mod_Security levels 7-5, OSSEC levels 00-03
    • Orange – Mod_Security level 4, OSSEC levels 04-10
    • Red – Mod_Security levels 3-0, OSSEC levels 11-15

Click an incident to expand the detailed information.

Actions available for the Incidents:

  • Disabling the rule of the incident and adding it to the list of Disabled rules. Click the Ban icon in the row of the incident and confirm the action.

  • Adding IP to the Black or White list. Click Cog icon and choose the action.

Firewall

Firewall tab allows viewing and managing the IP addresses in the lists:

  • White list – allows to always accept IPs from the list.
  • Gray list – an auto-generated list of all the IPs blocked by Imunify360, based on Sensors alerts and alerts from the central server.
  • Black list – allows to always block IPs from the list.
  • Blocked ports – allows to manage the list of blocked ports.

White List

Click Firewall in the main menu, then choose White List.

Use filters to show the exact list of the IPs:

  • Page size – allows setting the number of the incidents to be shown on the page.
  • IP – allows filtering the list by IP. Tick the IP checkbox to enable the input field where you can enter an IP or a part of one.
  • Country – allows filtering the list by country origin. Tick Country checkbox to enable an input field with autocomplete where you can enter a country name. Imunify360 will show the list of IPs of the chosen country.

You can perform the following actions with the IPs in the White list:

  • Add IPs manually
  • Add a comment to IP
  • Move IPs from the White List to the Black List
  • Remove IPs from the White List

How to add IPs manually

To add an IP to the White list click Add on the right side of the page:

In the pop-up choose Add IP tab and specify the following:

  • Enter IP – add IP or subnet in CIDR notation.

  • Enter a comment – add a comment to the IP or subnet (optional).

  • Choose where to add the IP or subnet: to the Black or to White List.

    • For White list it is possible to tick Full Access checkbox to make this IP or subnet ignore the rules in Blocked ports. The IPs with full access have a crown icon in the IP column. Note that it is possible to grant or remove full access afterwards in the table, just click Cog icon and choose Grant Full Access to grant or Remove Full Access to remove it.

When done, click Add IP to confirm your action or Cancel to hide pop-up.

You will see a notification if an IP has been added successfully.

How to add a comment to IP

In the proper IP row click plus sign (+) in the Comment column, type a comment and click Save in the pop-up.

To remove a comment just delete the text in the pop-up and click Save.

How to move IP from the White List to the Black List

To move several IPs from the White list to the Black list choose proper IPs (use checkboxes), click Move permanently at the top of the table and choose Black List in the drop-down.

To move one IP address, click Cog icon in proper IP row and choose Black List in the drop-down.

You will see a notification if IP is moved successfully.

How to remove IP address from the White List

To remove several IPs from the White List, choose proper IPs (use checkboxes) and click Delete permanently.

To remove a single IP, click the Bin icon in the row of that IP address.

You will see a notification if the IP is deleted successfully.

Whitelisted trusted services

Imunify360 has a predefined list of whitelisted services. The current list is always available on the link.

Gray List

Choose Firewall tab in the main menu then click Gray List.

Use filters to show the exact list of IPs:

  • Page size – allows setting the number of the incidents to be shown on the page.
  • IP – allows filtering the list by IP. Tick IP checkbox to enable input field where you can enter an IP or part of IP.
  • Country – allows filtering the list by country origin. Tick Country checkbox to enable an input field with autocomplete where you can enter a country name. Imunify360 will show the list of IPs of the chosen country.

In the Gray List you can only remove IPs from it.

How to remove IP from the Gray list

To remove several IPs from the Gray List choose IPs in the list (use checkboxes) and click Delete permanently.

To remove an exact IP click Bin icon in front of a proper IP.

You will see a notification if the IP is deleted successfully.

Black List

Choose Firewall tab in the main menu then click Black List.

Use filters to show an exact list of the IPs:

  • Page size – allows setting the number of the incidents to be shown on the page.
  • IP – allows filtering the list by IP. Tick the IP checkbox to enable the input field where you can enter an IP or a part of one.
  • Country – allows filtering the list by country origin. Tick Country checkbox to enable an input field with autocomplete where you can enter a country name. Imunify360 will show the list of IPs of the chosen country.

The following actions are available with IPs in the Black List:

  • Add IPs manually
  • Add a country
  • Add comments to IPs
  • Move IPs from the Black List to the White List
  • Remove IPs manually

How to add IPs manually

To add an IP to the Black List click Add on the right side of the page.

In the pop-up choose Add IP tab and fill out:

  • Enter IP – IP or subnet in CIDR notation
  • Enter a comment – type a comment to the IP or subnet (optional)
  • Choose Black List radio button

When done, click Add IP to confirm your action or Cancel to close the pop-up.

You will see a notification if the IP is added successfully.

[requires Imunify360 Beta version 2.7.4 or later]

If the Show only manually added switch is disabled (default setting), then IPs automatically blocked by Imunify360 without access to the CAPTCHA are displayed in the Black List along with manually added IPs. They have Imunify360 in the Source column and Automatically blocked due to distributed attack in the Comment column.

Note

Regardless of whether CSF is switched off or on, IPs blocked by Imunify360 exist along with the CSF deny list. A warning displayed at the top of the table says that CSF is running and can be used for blacklisting along with Imunify360.

How to add a country manually

To add a country to the Black List, click Add on the right side of the page:

In the pop-up choose Add Country tab and fill out:

  • Enter country – autocomplete field. Just start typing.
  • Enter comment – type a comment to IP or subnet (optional).

When done, click Add Country to confirm or Cancel to close the pop-up.

You will see a notification if a country has been added successfully.

How to add a comment to IP

In a proper IP line click plus sign (+) in the Comment column, add a comment and click Save in the pop-up:

To remove a comment just delete the text in the pop-up and click Save.

How to move IPs from the Black List to the White List

To move IPs from the Black List to the White List choose proper IPs in the list (use checkboxes), click Move permanently at the top of the table and choose White List in the drop-down.

To move an exact IP just click on a Cog icon in a proper IP row and choose White List in the drop-down.

You will see a notification if an IP is moved to the White list successfully.

How to remove IPs from the Black List

To remove IPs from the Black List choose proper IPs in the table (use checkboxes) and click Delete permanently.

To remove an exact IP just click Bin icon in the row.

You will see a notification if an IP is successfully deleted.

Blocked ports

This feature allows blocking specific ports for TCP/UDP connections. It is also possible to whitelist specific IPs or subnets for a port, so that the blocking rule for the port does not apply to them.

Click Firewall and choose Blocked Ports.

Note

If CSF integration is enabled, then Blocked Ports will be disabled. Imunify360 imports Closed ports and their whitelisted IPs from CSF.

Use filters to show the exact list of IPs:

  • Page size – allows setting the number of the incidents to be shown on the page.
  • IP – allows filtering the list by IP. Tick the IP checkbox to enable the input field where you can enter an IP or a part of one.
  • Description – allows filtering the list by text in notes.

The following actions are available for the ports:

  • add port to the list of blocked ports
  • edit ports in the list of blocked ports

Add a port to the list of blocked ports

On the Firewall page choose Blocked ports and click Add Port. In the pop-up specify the following:

  • Port – the number of the port to be added to the list of blocked ports.
  • TCP/UDP – tick the checkboxes of connection types for the port that should be blocked.
  • Description (optional) – a text to be added as a note for the port.
  • List of IPs/Subnets – add IPs or subnets to the Whitelist separated by commas. They will be able to use the port.

Click Add Port to proceed or Cancel to close the pop-up.

Edit ports in the blocked ports list

To add an IP or a subnet to the White List for the port, click +IP and in the Add IP/Subnet pop-up specify the following:

  • Enter IP – IP or subnet that should be added to the whitelist
  • Enter description – a description to be added as a note to the IP or subnet.

In the blocked ports list it is possible to edit notes for IPs and ports. Click Pen icon near the note and make changes.

To delete port or separate IP/subnet, click Bin icon in the row of the element.
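The following added example (not Imunify360 code) models the rule semantics described in the Blocked ports and White List sections: a port-level whitelist exempts an IP from one blocked port, a White List entry with Full Access ignores all Blocked ports rules, and a plain White List entry does not. The class names, the decide function, the strict CIDR parsing and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_ip_list(text):
    """Parse a comma-separated 'List of IPs/Subnets' value into networks.

    strict=True rejects entries such as 10.0.0.5/24 whose host bits are set
    (a choice of this example), so a typo is reported instead of being
    silently normalised to a wider subnet.
    """
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in text.split(",") if item.strip()]


@dataclass
class BlockedPort:
    port: int
    protocols: frozenset                          # subset of {"tcp", "udp"}
    allowed: list = field(default_factory=list)   # per-port whitelist


@dataclass
class WhiteListEntry:
    network: object                               # ipaddress network
    full_access: bool = False                     # the "Full Access" checkbox


def decide(src, port, proto, blocked_ports, white_list):
    """Return (verdict, reason) for a new connection to a local port.

    Only the Blocked ports rules are modelled; Black and Gray list
    handling is out of scope for this example.
    """
    ip = ipaddress.ip_address(src)
    rule = next((r for r in blocked_ports
                 if r.port == port and proto in r.protocols), None)
    if rule is None:
        return ("allow", "port not blocked")
    if any(e.full_access and ip in e.network for e in white_list):
        return ("allow", "white list, full access")
    if any(ip in net for net in rule.allowed):
        return ("allow", "whitelisted for this port")
    return ("block", "blocked port")


# Constructed sample configuration (documentation address ranges).
BLOCKED_PORTS = [
    BlockedPort(3306, frozenset({"tcp"}),
                parse_ip_list("198.51.100.7, 203.0.113.0/24")),
]
WHITE_LIST = [
    WhiteListEntry(ipaddress.ip_network("192.0.2.10")),
    WhiteListEntry(ipaddress.ip_network("192.0.2.20"), full_access=True),
]

if __name__ == "__main__":
    for src, port, proto in [
        ("203.0.113.50", 3306, "tcp"),   # inside the per-port subnet
        ("192.0.2.10", 3306, "tcp"),     # white-listed, no Full Access
        ("192.0.2.20", 3306, "tcp"),     # white-listed with Full Access
        ("192.0.2.10", 3306, "udp"),     # UDP is not blocked on this port
    ]:
        print(src, port, proto, decide(src, port, proto,
                                       BLOCKED_PORTS, WHITE_LIST))
```

The case worth checking in a real deployment is the second one: an IP that is only in the White List is still subject to a blocked port unless Full Access is granted or it is added to that port's own whitelist.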

Malware Scanner

Click Malware Scanner in the main menu of Imunify360 user interface to get to the Malware Scanner page.

Note

The functionality described on this page depends on Malware Scanner settings.

Imunify360 Malware Scanner can scan file systems for malware injection and quarantine infected files.

It is also a real-time file scanner and it can:

  • scan files uploaded via FTP (supporting Pure-FTPd)

  • scan files uploaded via HTTP/HTTPS

  • scan files for changes via inotify

  • scan on-demand (any folder needed)

Note

When using Mod_Security for real-time scans, it is only possible to detect file owner if Apache is running with mod_ruid2 configured. In other cases, the user for these files will always be the user a web server is running under (usually nobody).

Malware scanning allows you to:

  • observe scanner activity
  • start on-demand file scanner
  • manage malicious and quarantined files
  • manage ignore list

Observing Malware Scanner activity

Go to Malware Scanner page and choose Dashboard tab. On this page, the file scanning activity from the beginning of the current day is displayed by default. It is possible to use a Timeframe filter to observe scanner activity within the particular time period.

The scanner activity is filtered by:

  • Malicious – the number of files where Malware Scanner has detected a malicious activity. It is possible to configure the action to be applied to the files:
    • Delete permanently
    • Move to quarantine
    • Try to restore from backup
    • Display in dashboard

    Please find more details in the Malware Scanner settings section.
  • Quarantined – the number of quarantined files that are not available for the user.
  • Restored from quarantine – the list of the files restored from the quarantine manually.

On-demand file scanner

It is possible to scan a specific directory for malware. Go to the Malware Scanner page and choose the On-demand scan tab. Then follow these steps:

  1. Enter a folder name you need to scan in the Folder to scan field. Start typing with the slash /.

    It is possible to use Advanced settings:

    • Filename mask. It allows to set file type for scanning (for example, *.php – all the files with extension php). Default setting is * which means all files without restriction.
    • Ignore mask. It allows setting the file type to ignore (for example, *.html – will ignore all files with extension html).
    • Intensity. Defines the priority and resources consumption for scanning without decreasing efficiency:
      • Low – low priority and resources consumption
      • Moderate – moderate priority and resources consumption
      • High – high priority and resources consumption
    • Follow symlinks 3.9.0+. Follow all symlinks within the folder to scan.

  2. Click Start.

At the top right corner Malware Scanner progress and status are displayed:

  • Scanner is stopped – means that there is no scanning process running.
  • Scanning…% – means that the scanner is working at the moment. A percentage displays the scanning progress. You can also see the scanning status beneath the Mask or Advanced options.

After Malware Scanner stops on-demand scanning you will see the results in the table below with the following information:

  • Date – the date when the scanning process was started.
  • Path – the name of the folder that was scanned.
  • Total – the total number of files scanned.
  • Malicious – the number of malicious files found during the scanning.
  • Action – click icon in this column to perform particular actions.

To review and manage malicious files go to Malicious Files tab described below.

Managing files detected as malicious

Go to Malware Scanner → Dashboard → Malicious Files. This page has a table with malicious and quarantined files.

Use filters to show a list of files in a table:

  • Timeframe – allows to filter files for different time period of detection.
  • Page size – allows to set the number of files to be shown on a page.
  • Search field – allows to search files by filename.

Malicious Files Table

The following information is available in the table:

  • Date/time of detection – hover mouse over clock icon to show the exact time when file was detected as malicious.
  • Username – file owner name.
  • File – the path where the file is located.
  • Scan type – shows which way was used to detect the malicious activity. Can be one of the following:
    • On-demand, which means that the file was found during manual scanning;
    • Real-time, which means that the file was detected during real-time scanning process.
  • Reason – describes the signature which was detected during the scanning process. Names in this column depend on the signature vendor.
  • Quarantined – displays whether a file is put on quarantine or not.
  • Actions – displays the possible actions with a file.

It is possible to manage suspicious files in the table:

  • Delete files permanently
  • Add to Ignore List
  • View file content
  • Restore from quarantine
  • Restore from backup
  • Cleanup files from malicious code

Delete files permanently

Click Cog icon in the file line and choose Delete permanently in the drop-down.

To do mass action tick several checkboxes or one in the table header to perform action on all files and click Cog icon or Group Actions link above the table. Choose Delete permanently in the drop-down.

Add to ignore list

Add to ignore list action is performed simultaneously with Restore from quarantine action. Please go to Restore from quarantine section. Read more about ignore list.

Note

If a file is added to Ignore List, Malware Scanner will no longer scan this file.

View file content

Click the Eye icon in the file line and the file content will be displayed in the pop-up. Only the first 100Kb of the file content will be shown if the file is larger than that.

Restore from quarantine

Click Fish icon in the file line and approve the action in the pop-up. It is possible to send a file to Imunify360 team for analysis and add file to the Ignore List. To do so, tick Submit to the Imunify360 team for analysis checkbox and/or Add to ignore list checkbox and confirm by clicking Yes, Restore.

To do mass action tick several checkboxes or one in the table header to perform action on all files and click Not malware. Restore from quarantine above the table. Confirm the action in the pop-up.

Restore from backup

Click Cog icon in the file line and choose Try to restore clean version from backup in the drop-down. Confirm the action in the pop-up by clicking Yes, restore from backup.

To do mass action tick several checkboxes or one in the table header to perform action on all files and click Cog icon or Group actions link above the table. Then choose Try to restore clean version from backup in the drop-down.

Cleanup files from malicious code 3.7.1+

This feature allows users to cleanup infected files from malicious code or to remove malicious files. Click Cleanup icon in the file line. Cleanup confirmation pop-up opens.

Click Yes, cleanup to confirm the action or Cancel to close the pop-up.

The file status will change to Cleanup in progress. When the cleanup is finished, the status changes to Cleaned.

To do mass action tick several checkboxes or one in the table header to perform action on all files and click Cleanup icon or Cleanup files above the table. Confirm the action in the confirmation pop-up or click Cancel to close the pop-up.

To cleanup all files, click Cleanup all button and confirm the action in the confirmation pop-up or click Cancel to close the pop-up.

A user can restore original file cleaned or removed by Malware Cleanup before the infected file expiration date. The keeping period is set in Malware Scanner Settings section.

Managing Ignore List

Go to Malware Scanner page and choose Ignore List tab. The table on the page shows all items (files and folders) added to ignore list and date and time when they have been added.

To add a new file or a new path to the Ignore List do the following:

  • click Add new file or directory
  • in the pop-up enter the path to be added
  • click Add

Note

Wildcards are not supported when adding paths to Ignore List. For example, the following paths are not supported:

  • /home/*/mail/
  • /home/user/*.html
  • /home/*

To delete the item click Bin icon and confirm the action. The item(s) will be rechecked by Malware Scanner after removal.

To search file or folder in the Ignore List use Search input field above the table.

Proactive Defense

Overview

Proactive Defense is a unique Imunify360 feature that can prevent malicious activity through PHP scripts. It is available as a PHP module for Apache and LiteSpeed web servers and analyzes script activity using known patterns like obfuscated command injection, malicious code planting, sending spam, SQL injection etc.

User Interface

Go to Imunify360 → Proactive Defense.

Here you can set a mode, view detected events and perform actions on them.

Mode Settings

The following Proactive Defense modes are available:

  • Disabled — means that Proactive Defense feature is not working and a system is not protected enough (default mode)
  • Log Only — means that possible malicious activity is only logged, no actions are performed
  • Kill Mode — the highest level of protection — the script is terminated as soon as malicious activity is detected

To select a mode, tick the desired checkbox. When an action is completed, you will see a pop-up with the successful mode changing message.

Note

  • Data is logged in all modes except Disabled.
  • A user can disable Proactive Defense anytime. Any mode that is not disabled (for user’s hosting account) by admin can be activated by user.

Detected Events

The Detected Events table displays all the necessary information about PHP scripts with malicious activity detected by Imunify360 Proactive Defense.

You can filter items by time frame in the Timeframe dropdown and search for a certain entity in the search field. The Detected Events table shows 25 items per page. To change the number of items displayed, click the number next to Items per page at the bottom right corner and select the desired number in the dropdown. To go to the next or the previous page click the >> or << button, or click the desired page number.

The Detected Events table includes the following columns:

  • Group/individual action checkbox — allows to perform actions on one or several desired entities
  • Detection Date/Time — displays the date and the exact time of event detected. To view the exact time click the clock icon in the desired event line. To order the events from the last to the first or vice versa click the ▲ icon in the Date/Time of detection column header
  • Description — displays a special Proactive Defense rule according to which a suspicious activity was detected
  • Script Path — displays the path to the suspicious script. A number near the path describes how many times this event has repeated
  • Host — displays the host of the script
  • First script call from — displays the IP in which the first call of the script was detected.
    • White color means that this IP is whitelisted
    • Black color means that this IP is blacklisted
    • Gray color means that this IP is graylisted
    • All the others IPs are blue colored
  • Action — displays the current mode
  • Actions — allows to view details and perform actions on the event

Actions

The following actions are available for the detected event:

  • View file content
  • Move IP to the Black List
  • Move file to Ignore List 3.7.0+ (ignore detected rule) — allows a user to exclude a file from Proactive Defense analysis for a particular rule
  • Move file to Ignore List (ignore all rules) 3.7.0+ — allows a user to exclude a file from Proactive Defense analysis for all rules
  • Remove file from Ignore List 3.7.0+ — allows a user to include ignored file to Proactive Defense analysis again.

View file content

This action can be performed in two ways.

The first way

Click the View details icon in the row of the desired event. Here you can see the same information as in the table and plus all environment variables and their values. Then, click View file content button. The file content will be displayed in a new pop-up.

The second way

Click Cog icon in the row of the desired event and choose View file content.

The file content will be displayed in a new pop-up. The group action is not available for this action.

Move IP to the Black List

Click View details icon in the row of the desired event. Then, click Block IP button. To move the IP to the Black list click Yes, move to Black list. In the pop-up displayed click Yes, move to black list to complete the action or Cancel to return to the Details window. When a file is added to the Black list, you will see the confirmation pop-up.

Move file to Ignore List (ignore detected rule) 3.7.0+

The first way

Click Cog icon in the row of the desired event and choose Ignore detected rule for the file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. Now you can see this file on the Ignore List tab.

The second way

Click View details icon and then in the file details pop-up click Ignore detected rule for this file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. Now you can see this file on the Ignore List tab.

Move file to Ignore List (ignore all rules) 3.7.0+

The first way

Click Cog icon in the row of the desired event and choose Ignore all rules for the file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. The file will be moved to Ignore List tab.

The second way

Click View details icon and then in the file details pop-up click Ignore all rules for this file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. Now you can see this file on the Ignore List tab.

Remove file from Ignore List 3.7.0+

On the Ignore List tab click Bin icon and confirm the action.

To perform bulk action, tick required checkboxes and click Remove from ignore list at the top of the table, then confirm the action in the pop-up.

Ignore List tab 3.7.0+

This tab contains a table of files with ignored rules. If a file is added to the Ignore List, Proactive Defense will not analyze script activity from this file for all rules or for the specified rule.

The Ignore List table includes the following columns:

  • Add Date/Time — displays the date and the exact time of adding a file. To view the exact time click the clock icon in the desired file line. To order the files from the last to the first or vice versa click the ▲ icon in the Add Date/Time column header.
  • Script Path — displays the path to the script.
  • Rules to ignore — displays the pattern to be ignored.
  • Actions — allows to view details and perform actions on the file.

How to test Proactive Defense

  1. Set Proactive Defense to Log only mode (requests will not be blocked) or to Kill mode to kill all requests.
  2. Create a file with the following content:
<?php
/* Imunify360 Proactive Defence test script */

echo "<pre>";
echo "Step 1<br>";

// Decode string with domain: 37kddsserrt.xyz
$url=base64_decode("MzdrZGRzc2VycnQueHl6");

echo "Step 2<br>";
echo "</pre>";

// Try to access a malicious domain
include($url);
die();
?>
  3. Place this file on the server.
  4. Call a test page with the script from step 2.
  5. If Proactive Defense is disabled, you will see Step 1 and Step 2 strings after calling the script.
  6. If Proactive Defense is enabled and Log only mode is set, you will see Step 1 and Step 2 strings after calling the script and a new event in the Detected Events table.
  7. If Proactive Defense is enabled and Kill mode is set, the test page returns an error.

Reputation Management

Choose Reputation Management in the main menu of the Imunify360 user interface to get to the Reputation Management page.

Based on Google Safe Browsing, Reputation Management allows you to check whether a domain registered on your server is safe or not.

How it works:

  • We get a list of domains periodically (via crontab)
  • Send it to the central Imunify360 server
  • Get results from it
  • Add bad domains to the list of Reputation Management

If a domain or an IP is blocked, then this information will be available in the table below. Imunify360 uses Google Safe Browsing technology. If a user’s website appears in this table, then it would be useful to send this link to the user. This instruction can help to solve problems with the domain.

At the top of the page (also in the main menu near Reputation Management item), Imunify360 shows the number of affected domains. This number is a quantity of affected domains that exist on the server.

The table shows:

  • ID – domain owner username
  • URL – the affected domain link
  • Type – read more about types on the link (we still do not support THREAT_TYPE_UNSPECIFIED and POTENTIALLY_HARMFUL_APPLICATION).
  • Detection time – exact time when the Reputation Management has detected the domain

Click link icon in the Action column to copy the URL to the clipboard.

Note

Reputation management online and browser look may differ. This is because Google Safe Browsing has an issue described on GitHub.

KernelCare Integration

Imunify360 has KernelCare integration. To install KernelCare go to the Settings tab and click Install KernelCare.

To observe current KernelCare status in the Imunify360 main menu choose KernelCare tab.

Here you can check:

  • Effective Kernel Version – version of the kernel that KernelCare enables on the server
  • Real Kernel Version – real version of the kernel
  • Update mode – auto updated mode On or Off
  • Uptime – uptime of the kernel in days

To disable auto update mode toggle the Update mode switch to No.

Note

If you have KernelCare license(s) on the same server(s), then cancel this license in CLN because KernelCare will be free for that server. If you do not know how to cancel licenses then follow this link for details.

Note

KernelCare tab can load slowly on highly loaded systems.

Read more about KernelCare on the link.

Settings

Choose Settings in the main menu to get to the Imunify360 settings page. The following tabs are available:

General

Go to Imunify360 → Settings → General. The following sections are available:

Installation

Here you can install and uninstall the following components:

  • HardenedPHP
  • Invisible Captcha
  • KernelCare

HardenedPHP

To install or uninstall HardenedPHP, click the corresponding button. Please find additional information about HardenedPHP in this article. During the HardenedPHP installation process, the installation log appears and updates automatically.

Note

HardenedPHP is free on the servers with Imunify360 installed.

Invisible Captcha

Overview

This feature automatically determines whether the user is a human. The system falls back to CAPTCHA solving if the algorithm determines that a user may not be a human. The Invisible CAPTCHA feature can be enabled via the Imunify360 user interface (UI) and via the command line interface (CLI).

How to install Invisible CAPTCHA

Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA and click Install Invisible CAPTCHA button. Confirm the installation in the pop-up.

How to check if Invisible CAPTCHA is currently installed

Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA. The red Remove Invisible CAPTCHA button means that Invisible CAPTCHA is enabled.

How to uninstall Invisible CAPTCHA

Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA and click Remove Invisible CAPTCHA button. Confirm the action in the pop-up.

KernelCare

To install or uninstall KernelCare, click the corresponding button. Please find additional information about KernelCare here.

Note

KernelCare is free on the servers with Imunify360 installed.

Click the Save changes button at the bottom of the section to save changes.

DoS Protection

The DoS Protection section lets you enable or disable DoS protection. DoS protection works by counting connections from each remote IP address per local port separately. Tick the Enable Dos Protection checkbox. You can then configure how Imunify360 behaves:

  • Max Connections – sets the number of simultaneous connections allowed before the IP is blocked. Cannot be set lower than 100.
  • Check delay – sets the period in seconds between runs of the DoS detection system, which checks the server for a DoS attack.

It is also possible to set different limits for different local ports by editing the configuration file directly.

Click the Save changes button at the bottom of the section to save changes.
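An added illustration, not Imunify360's own code, of the counting described above: connections are tallied per remote IP and per local port, and each pair is compared with its limit. The ss-style sample lines are constructed, `per_port_limits` is a hypothetical stand-in for the per-port limits set in the configuration file, and treating "more than the limit" as the trigger is an assumption.

```python
from collections import Counter

MIN_MAX_CONNECTIONS = 100  # the page: Max Connections cannot be set lower than 100

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def count_connections(ss_lines):
    """Count connections per (remote IP, local port) pair."""
    counts = Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            _, local_port = split_endpoint(fields[-2])
            remote_ip, _ = split_endpoint(fields[-1])
        except ValueError:
            continue  # header row or malformed line
        counts[(remote_ip, local_port)] += 1
    return counts

def find_offenders(counts, max_connections=100, per_port_limits=None):
    """Return (ip, port, count, limit) for every pair over its limit."""
    if max_connections < MIN_MAX_CONNECTIONS:
        raise ValueError("Max Connections cannot be set lower than 100")
    per_port_limits = per_port_limits or {}  # hypothetical {local_port: limit}
    offenders = []
    for (ip, port), seen in sorted(counts.items()):
        limit = per_port_limits.get(port, max_connections)
        if seen > limit:  # assumption: blocking starts above the limit
            offenders.append((ip, port, seen, limit))
    return offenders

def build_sample():
    """Constructed lines: Recv-Q Send-Q Local:Port Peer:Port (documentation IPs)."""
    lines = ["Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"0 0 192.0.2.10:80 203.0.113.7:{40000 + i}" for i in range(120)]
    lines += [f"0 0 192.0.2.10:443 203.0.113.7:{50000 + i}" for i in range(60)]
    lines += [f"0 0 [2001:db8::10]:443 [2001:db8::99]:{51000 + i}" for i in range(5)]
    return lines

if __name__ == "__main__":
    # One pass; a real checker would repeat this every "Check delay" seconds.
    for ip, port, seen, limit in find_offenders(count_connections(build_sample())):
        print(f"{ip} has {seen} connections to local port {port} (limit {limit})")
```

In the sample, 203.0.113.7 holds 180 connections in total but is flagged only for local port 80, because each local port is counted separately.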

Auto White List

The Auto White List section lets you automatically add the admin's IP to the White List each time the admin logs in to the hosting panel and enters the Imunify360 user interface. In the Timeout field, enter the number of minutes after which the IP will be removed from the White List automatically.

Note

0 means adding IP to the White List permanently.

Click the Save changes button at the bottom of the section to save changes.

Incidents Logging

In this section it is possible to control what kind of incidents will be shown on the Incidents page. Move the slider to change your preferences.

There are 15 available levels related to OSSEC and ModSecurity severity levels:

| Log level | ModSecurity | OSSEC |
| --- | --- | --- |
| 1 | 7 – DEBUG | 01 – None |
| 2 | 6 – INFO | 02 – System low priority notification |
| 3 | 5 – NOTICE | 03 – Successful/Authorized events |
| 4 | 4 – WARNING | 04 – System low priority error |
| 5 | 4 – WARNING | 05 – User generated error |
| 6 | 3 – ERROR | 06 – Low relevance attack |
| 7 | 3 – ERROR | 07 – “Bad word” matching. |
| 8 | 3 – ERROR | 08 – First time seen |
| 9 | 3 – ERROR | 09 – Error from invalid source |
| 10 | 3 – ERROR | 10 – Multiple user generated errors |
| 11 | 3 – ERROR | 11 – Integrity checking warning |
| 12 | 2 – CRITICAL | 12 – High importancy event |
| 13 | 2 – CRITICAL | 13 – Unusual error (high importance) |
| 14 | 1 – ALERT | 14 – High importance security event. |
| 15 | 0 – EMERGENCY | 15 – Severe attack |

The Autocleanup configuration lets you keep the Incidents page clean by default. The possible settings are as follows:

  • Keep incidents for the last days – set the number of days Imunify360 will keep the incidents
  • Keep maximum incidents count – set maximum quantity of the incidents to keep on the server
  • Auto-refresh time for Incidents page – set Incidents page auto-refresh time in seconds

Click the Save changes button at the bottom of the section to save changes.

WebShield

Tick the Detect IPs behind CDN checkbox so that Imunify360 can recognize and block IPs with suspicious activity behind Cloudflare and MaxCDN.

Click the Save changes button at the bottom of the section to save changes.

Error Reporting

Tick the Enable Sentry error reporting checkbox to send reports to the Imunify360 error reports server.

Click the Save changes button at the bottom of the section to save changes.

Malware

Go to Imunify360 → Settings → Malware. Here you can configure General and Malware Cleanup Settings (3.7.1+).

Note

Read CXS integration documentation carefully to make Malware Scanner work properly if you decided to use the former instead of Imunify360 anti-malware protection.

General

  • Automatically scan all modified files – enables real-time scanning for modified files using inotify library. The Scanner searches for modified files in user’s DocumentRoot directories.

    Note

    It requires inotify to be installed and may put an additional load on a system.

  • Automatically scan any file uploaded using web – enables real-time scanning of all the files that were uploaded via http/https.

    Note

    It requires ModSecurity to be installed.

  • Automatically scan any file uploaded using ftp – enables real-time scanning of all the files that were uploaded via ftp.

    Note

    It requires Pure-FTPd to be used as FTP service.

  • Automatically send suspicious and malicious files for analysis – malicious and suspicious files will be sent to the Imunify360 Team for analysis automatically.
  • Show ClamAV scanning results – show ClamAV scanning results in Users/Files tab.
  • Try to restore from backup first – restores a file from backup as soon as it is detected as malicious, if a clean copy exists. If a clean copy does not exist or it is outdated, the default action will be applied. See also CloudLinux Backup.
  • Use backups not older than (days) – sets the maximum age of a clean file.
  • Default action on detect – configure Malware Scanner actions when detecting malicious activity:
    • Delete permanently
    • Quarantine file in place
    • Just display in dashboard

Tick the required checkboxes and click the Save changes button.

Malware Cleanup (3.7.1+)

  • Trim file instead of removal – do not remove the infected file during cleanup but make the file zero-size (for malware such as web shells);
  • Keep original files for … days – the original infected file is available for restore within the defined period. Default is 14 days.

Click the Save changes button at the bottom of the page to apply all changes.

Backups

Note

Imunify360 2.7.0+

Overview

Imunify360 lets customers integrate with backup providers and automatically or manually restore files from backup if they have become infected. Only the administrator can choose the backup provider, but end users can back up and restore files within the selected backup provider.

The following backup providers are integrated with Imunify360:

  • CloudLinux Backup
  • Hosting panel Backup (cPanel or Plesk)
  • Acronis Backup

Requirements

  • Imunify360 version 2.7.0 and later
  • For Acronis Backup, it is required to have Acronis account
  • For hosting panel backup, it is required to configure backup option by the administrator of the hosting panel

User Interface

This section describes the following:

How to enable backups

To enable backups, log in to a hosting panel as administrator, go to the Imunify360 plugin and do the following.

  • Go to Imunify360 → Settings → Backups. If the feature is not currently in use, Backup and restore is shown as Disabled.
  • To enable it, select backup provider from the dropdown:

CloudLinux Backup

The CloudLinux Backup option is the backup feature most tightly integrated with Imunify360. It is powered by the Acronis technology, but you do not need to have an active Acronis account (if you have an existing Acronis account and would like to continue using it, skip to the Acronis Backup section and choose the Acronis Backup option).

CloudLinux Backup offers 10 GB of free storage space, and you can purchase additional space as needed.

With this backup and restore service, you can restore malicious or suspicious files from the backup if a clean version exists, schedule backups, see total and used storage space, and locate the data storage server. You can learn more about the CloudLinux Backup for Imunify360 here.

To activate CloudLinux Backup, follow these steps:

  • Select CloudLinux Backup in the dropdown
  • Click the Connect Backup button
  • You will be redirected to the CloudLinux Network page, which opens in a new tab. Log in with your existing CloudLinux Network (CLN) credentials or create a new account.
  • On the purchase page, choose and purchase the required storage size.
  • After successful payment, the installation starts and you will see a Welcome Page with follow-up instructions.

    Note

    Installation can take up to 10 minutes depending on specific server size. You can use Imunify360 as usual during the installation process. Also, we will send you an email with detailed information to the specified email address.

  • You can see the purchased storage space on the Settings → Backups tab.
  • Imunify360 creates an initial backup of the current server. If all is OK, the system returns a success message; otherwise, please contact our support team.
  • You can see used and total storage space on the Settings → Backups tab.

Acronis Backup

Choose this option if you have an Acronis account, so that Imunify360 can use its backups to restore malicious or suspicious files if a clean version exists.

  • Select Acronis Backup from the dropdown
  • Specify Acronis username and password
  • Click Connect Backup button

Imunify360 checks whether the Acronis agent is already installed and installs it if not. Imunify360 then checks whether a backup of the entire server exists and, if not, creates a backup of the current server. If all is OK, the system returns a success message.

cPanel or Plesk Backup

  • Choose cPanel/Plesk backup
  • Select cPanel/Plesk Backup
  • Click Connect Backup button

After successful connection, Imunify360 will return an appropriate message.

How to disable backups

To disable backups do the following:

  • Go to Imunify360 → Settings → Backups
  • Move the slider to Disabled
  • Imunify360 shows a confirmation pop-up
  • Click Yes, disable backup to disable backups or click Cancel to close the pop-up.

    Note

    If you use CloudLinux Backup, your backup will still be active in CloudLinux Network (CLN). To disable the backup completely and terminate billing, please log in to CLN and deactivate CloudLinux Backup manually on the current server.

Manage CloudLinux Backup

Click the Manage Backups button. You will be redirected to the Backup Management Console, which opens in a new browser tab. Please see the documentation for more information.

Change CloudLinux Backup storage size

Click the Resize link. You will be redirected to the CloudLinux Network where you can add or remove storage space.

After successful payment, the backup storage size will be increased. Imunify360 creates an initial backup of the current server if it was not done before; otherwise it just increases the storage size. On the Settings → Backups tab you can see the actual and used amount of backup storage in GB. If you get an error message, please follow the instructions in the message or contact our support team.

Schedule CloudLinux Backup

Click the Manage Backups button. You will be redirected to the Backup Management Console (read the documentation here). When a schedule is set, it is displayed on the Backups tab.

How to restore file

To restore a file do the following:

  • Go to Imunify360 → Malware Scanner
  • Find the file to restore in the table and click the Cog icon, then click Try to restore clean version from backup.
  • In the pop-up confirm the action by clicking Yes, restore from backup or click Cancel to close the pop-up.

You can configure the automatic restore. Please find more details here.

Disabled Rules

Go to the Settings page and choose Disabled rules. This page lets you manage disabled rules that have already been added.

Note

You can also add a new rule to the Disabled rules list on Incidents page.

The list of disabled rules contains:

  • Rule ID — ID number of the rule provided by the plugin
  • Plugin — the name of the firewall plugin of the added rule
  • Description — rule description or details of the rule from ModSecurity or OSSEC
  • Domains — the list of the domains for which the rule is disabled (blank field means all domains)

To add a new rule click Add Rule button.

In the pop-up specify the following:

  • Rule ID — ID provided by firewall plugin; Select firewall plugin from the drop-down (ossec for OSSEC, modsec for ModSecurity)
  • Description — rule description or details from ModSecurity or OSSEC
  • Domains — this option is available only for modsec firewall plugin. Specify comma-separated list of domains for which this rule will be disabled. Leave empty to disable for all domains

Click Add Rule to add rule to the list or Cancel to close the pop-up.

To edit the list of domains where the rule should be disabled, click the edit icon in the row of the rule and enter domains registered on the server, separated by commas.

Note

It is possible to specify domains only for ModSecurity rules. An OSSEC rule always applies to all domains.

To remove the rule from the disabled list, click Enable and confirm the action in the pop-up.

Attributions

Click Settings and choose the Attributions tab to see a list of the IDS installed on the server.

  • Name – name of the IDS
  • Version – IDS version
  • License – under which licenses this IDS is working
  • Link – URL to the IDS official page

Hosting panels specific settings

cPanel

It is possible to enable Service Status checker for Imunify360. Perform the following steps:

  • Go to Service Configuration and choose Service Manager.
  • In Additional Services section tick imunify360-agent and imunify360-captcha checkboxes.
  • Click Save and wait until cPanel enables the Service Status checker for Imunify360.

If this succeeds, the status of the Imunify360 service will be displayed in the Service Status section of Server Status.