Imunify360 is an all-in-one security solution with robust cloud protection against the newest attacks, and it is available directly within your control panel (cPanel, Plesk, and DirectAdmin).
When you log in to your control panel, Imunify360 asks you to enter your email address.
By entering your email address you agree to receive email reports about critical issues, security alerts or system misconfigurations detected on your servers.
Note
This email address is used ONLY for receiving server reports.
Or you can do it later in the Settings | General | Contact Details.
Log in to your control panel as an admin and go to Plugins, choose Imunify360 to get to the Imunify360 admin interface.
It gives you access to:
Support – allows you to contact our support team directly from your Imunify360 Admin Interface
Dashboard – allows you to see retrospective data in form of charts/heatmaps in your Imunify360 Admin Interface
Incidents – the list of all suspicious activity on the server.
Firewall – a dashboard of Black List, White List and Gray List, and Blocked Ports with the ability to manage them.
Malware Scanner – real-time file scanner.
Proactive Defense – a unique Imunify360 feature that can prevent malicious activity through PHP scripts
Reputation Management – an analysis and notification tool that informs you about website blocking and blacklisting.
KernelCare – KernelCare current state.
Imunify360 Settings – configuring and controlling Imunify360 options.
This tab allows you to contact our support team directly from your Imunify360 Admin Interface. You can create a request and attach some files to it.
To contact our support team in Imunify360 Admin Interface, please click the Call icon at the top right corner of the page.
A support ticket will be created and an email will be sent to the specified email address. When the status of your request changes, you will receive a notification at your email address. You will be able to track your request via https://cloudlinux.zendesk.com/hc/ and email.
You can access the Imunify360 Dashboard from your control panel. It shows security events as charts and heat maps. It's a great way to analyze incidents that happened within the past day, week or month.
Click Dashboard tab to display an overview of incidents recorded during the selected time interval, an estimate of the intensity of attacks, and correlate events across all sources.
Here you can see notifications about server security and Imunify360 configuration, along with recommendations for making server security effective and proactive.
The Imunify Advisor checks your server’s current settings, then provides a list of optimal settings for your individual server.
A dialog box pops up to display recommendations.
You can accept or reject them (by unchecking a corresponding checkbox) and apply settings by clicking Apply.
Rejected recommendations will not appear again for a while.
Note
If you do not want to use the recommendations you can disable Imunify Advisor via the config file.
Note
If your server's settings differ from the recommended, the Imunify Advisor will pop up again to display the settings.
Dashboard can display Imunify360 performance data for a number of specified servers.
You can add a specified server using its server key – a unique server id that identifies an installed Imunify360 instance.
Note
Server key is NOT a license key.
You can easily remove a server from the Dashboard.
You can use Server drop-down to show a list of all servers added into the Dashboard.
You can choose in the multi-server drop-down for which server the Dashboard would represent its data: a current server (where the Imunify360 is installed) or a remote one (it is indicated on the Dashboard).
There are two ways to get a server key.
Click the key symbol to copy server key of the selected server to the clipboard.
Go to the /var/imunify360/license.json file and find the id field. Your server id looks like an alphanumeric string SghjhgFESDh65CFLfvz.
If you'd like to display performance data for the server A on the Dashboard of the server B, please do the following:
Go to the Server drop-down to check all added servers – it contains a list of hostnames of all added servers and/or a list of IPs (if a hostname is not found).
To remove a server, click the Trash Can symbol. The Remove Server pop-up opens.
Click Confirm to remove the server. To stop removing the server and close the pop-up, click Cancel.
Note
You cannot remove a server from its Imunify360 Dashboard.
The following time periods are available:
The following representation forms are available:
Hover over a particular bar to see the exact value.
Note
Charts may have gaps. This means that no incidents or alerts were recorded during that day/time period.
The following charts are available.
Security incidents recorded within the selected time interval. Data includes all ModSecurity incidents, Imunify360 DOS plugin alerts, cPanel Login Failure Daemon (for cPanel only) and OSSEC alerts. This is a summary of all major alert sources.
Recorded requests coming from detected attackers or bad bots that show the CAPTCHA challenge within the selected interval.
Web attacks recorded by ModSecurity within the selected time interval. It may include CMS brute-force and login attempts, websites hacking attempts, attempts to access “sensitive” files or restricted areas, and other malicious requests.
Web-based brute-force attacks against the CMS and hosting panel, and incidents recorded by ModSecurity.
Attacks against network services, e.g. FTP, SSH, POP, IMAP, etc., recorded by OSSEC IDS within the selected time interval. It includes authentication failures, requests from blocked IPs, break-in attempts alerts and more.
Attacks detected by the Imunify360 Bot-Detector heuristics-based plugin. Bot-Detector is a part of Imunify360’s “cloud heuristics” feature that collects and analyzes a massive amount of information on new attacks on a global scale which it uses to prevent attacks across multiple servers.
This chart lists the number of cleaned malicious files.
Note
Some charts may be hidden if no alerts of a particular type were recorded within the selected time interval.
Choose Incidents tab to view and manage the list of all the incidents. The table displays a list of detected incidents with all the information about the incidents reasons.
Use filters to show the exact list of incidents:
Move Auto-refresh to enable or disable automatic refresh of the incidents in the table without reloading the web page.
The list of incidents contains the following information:
Date – the time when the incident happened.
IP – the IP address of the abuser. There is a color indication for IP address.
Country – country of origin of the abuser IP address.
Count – the number of times the abuser tried to repeat the action.
Event – description of the event or suspicious activity (as it is described by OSSEC and Mod_Security sensors).
Severity – severity level of the incidents (as it is estimated in OSSEC severity levels and Mod_Security severity levels). The color of severity means:
Actions – actions available for the Incident.
Click an incident to expand the detailed information.
Starting from version 6.2 Imunify360 will scan zip archives by default. It will not be possible to disable this functionality through the UI, but it will be possible through the command line.
For Ubuntu, CentOS/CloudLinux >= 7
To disable scanning of archives, you will need to run the following command:
echo '' > /etc/sysconfig/aibolit-resident && systemctl daemon-reload && systemctl restart aibolit-resident.service
To switch the feature back on:
echo 'ARCHIVE_SCAN="--scan-archive"' > /etc/sysconfig/aibolit-resident && systemctl daemon-reload && systemctl restart aibolit-resident.service
For CentOS/CloudLinux 6
To disable scanning of archives, you will need to run the following command:
sed -i 's/--scan-archive//g' /etc/minidaemon/minidaemon-aibolit.cfg && /sbin/service minidaemon stop && /sbin/service minidaemon start
To switch the feature back on:
sed -ri "s/^(cmd=.*)$/\1--scan-archive/g" /etc/minidaemon/minidaemon-aibolit.cfg && /sbin/service minidaemon stop && /sbin/service
The All Lists tab allows viewing and managing the IP addresses in the following lists (listed by priority):
The counters for the lists are presented at the top of the table, reflecting the number of records matching the category.
All the lists are available for search by the IP address as well as by the Country and Comment fields.
The IP address can be in several lists at the same time, and the highest in priority list decides how the IP will be treated.
Here, you can add or edit a comment to an IP, delete IP permanently or move it to the White/Black list. For an IP with full access you can also remove it here.
The Ports tab allows you to manage the list of blocked ports.
To add an IP, click Add on the right side of the page. The following pop-up opens.
In the pop-up choose IP tab and fill out:
Note
You can grant or remove full access afterwards in the table, just click Cog icon and choose Grant Full Access to grant or Remove Full Access to remove it.
When done, click Add IP to confirm your action or Cancel to hide pop-up.
You will see a notification if an IP has been added successfully.
To add a country to the Black List, click Add on the right side of the page.
In the pop-up choose Country tab and fill out:
When done, click Add Country to confirm or Cancel to close the pop-up.
Be aware that blocking countries can cause unexpected issues. For example, visitors from adjacent countries may not be able to connect if the decision to send the traffic through the blocked IP was made at the BGP level, when using glued DNS records, or with some mirrors.
You will see a notification if a country has been added successfully.
This feature allows you to block specific ports for TCP/UDP connections. It is also possible to whitelist specific IPs or subnets so that the blocking rule for the port does not apply to them.
Click Firewall and choose Ports.
Choose the default blocking mode:
Or you can set the default blocking mode via CLI and config file.
Exact ports and port-ranges to be allowed can be configured by the following fields in the config file:
Changes of config files will be applied automatically. You don’t need to restart the server or Imunify360.
Note
The feature doesn’t support IPv6 addresses at this moment and CSF needs to be disabled due to conflicts.
Note
If CSF integration is enabled, then Blocked Ports will be disabled. Imunify360 imports Closed ports and their whitelisted IPs from CSF.
Use filters to show the exact list of the IPs:
The following actions are available for the ports:
On the Lists page choose Blocked ports and click Add. In the pop-up specify the following:
Click Add Port to proceed or Cancel to close the pop-up.
To add an IP or a subnet to the White List for the port, click +IP and in the Add IP/Subnet pop-up specify the following:
To delete a port or separate IP/subnet, click Bin icon in the row of the element.
Note
The functionality described here depends on Malware Scanner settings.
Imunify360 Malware Scanner can scan file systems for malware injection and clean up infected files.
It is also a real-time file scanner for vulnerabilities, and it can:
scan files uploaded via FTP (supporting Pure-FTPd)
scan files uploaded via HTTP/HTTPS
scan files for changes via inotify
scan on-demand (any folder needed)
Malware scanning allows you to:
Click Malware Scanner in the main menu of the Imunify360 admin interface.
The following tabs are available:
Go to Imunify360 → Malware Scanner → Users tab. Here, there is a table with a list of users on the server, except users with root privileges.
The badge in the History tab shows the number of missed events in the Malware Scanner’s History. You won’t miss any automatic actions applied to infected files, since they are listed in the History tab and shown in the badge.
The table has the following columns:
To clean up all files of all users and scan all files, click Scan all or Cleanup all button above the table.
The following filters are available:
The table can be sorted by User name and Infection status (by the date of the last action).
Go to Imunify360 → Malware Scanner → Malicious tab. Here, there is a table with a list of infected files within all domains and user accounts.
The table has the following columns:
Note
To function properly, Malware Database Scanner requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note that only WordPress databases are supported for now.
SMW-SA-05155-wshll – in this Signature ID:
SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware.
INJ or SA. INJ stands for Injection (means Malware is Injected to some legitimate file) and SA stands for StandAlone (means File is Completely Malicious).
05155. This is simply an identification number for the signature.
wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
0, which provides the version number of the signature.
Warning
Starting from ImunifyAV(+) v.6.2, the Quarantine and Delete actions were removed permanently from the UI as well as the CLI in Imunify360. Previously quarantined files are also subject to deletion. After this change is implemented, the restoration of the previously quarantined files will become impossible. For more information see this blog post.
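The Signature ID fields described above can be split apart mechanically when triaging results from the Malicious tab. The following Python code is an added example, not Imunify360 code: it assumes the fields are hyphen-separated with an optional trailing version number, and the file paths, the IDs other than SMW-SA-05155-wshll, and the names parse_signature and summarize are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Field meanings exactly as this page gives them.
SCOPE = {"SMW": "Server Malware", "CMW": "Client Malware"}
KIND = {
    "INJ": "Injection (malware injected into a legitimate file)",
    "SA": "StandAlone (file is completely malicious)",
}
# Only the two category tokens the page explains; any other token is kept as-is.
CATEGORY_TOKENS = {"wshll": "web shell", "mlw": "malware"}

# Assumption: hyphens separate the fields, dots separate category tokens
# (as in "mlw.wp"), and the version number is an optional last field.
_SIG_RE = re.compile(
    r"(?P<scope>SMW|CMW)-(?P<kind>INJ|SA)-(?P<num>\d+)"
    r"-(?P<category>[A-Za-z0-9_.]+)(?:-(?P<version>\d+))?"
)


@dataclass(frozen=True)
class Signature:
    scope: str
    kind: str
    number: str            # string, so leading zeros such as "05155" survive
    category: str
    version: Optional[int]

    @property
    def standalone(self) -> bool:
        """True when the whole file is malicious rather than an injected one."""
        return self.kind == "SA"

    def describe(self) -> str:
        tokens = [CATEGORY_TOKENS.get(t, t) for t in self.category.split(".")]
        text = (f"{SCOPE[self.scope]}, {KIND[self.kind]}, "
                f"id {self.number}, category {' / '.join(tokens)}")
        if self.version is not None:
            text += f", version {self.version}"
        return text


def parse_signature(text: str) -> Signature:
    """Split a Signature ID into its fields; raise ValueError if it does not fit."""
    m = _SIG_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a recognised signature ID: {text!r}")
    version = m["version"]
    return Signature(m["scope"], m["kind"], m["num"], m["category"],
                     int(version) if version is not None else None)


def summarize(rows):
    """Count (scope, kind) pairs over (path, signature) rows.

    Rows whose signature does not parse are returned separately instead of
    being dropped, so nothing disappears from the triage list.
    """
    counts = Counter()
    unparsed = []
    for path, sig_text in rows:
        try:
            sig = parse_signature(sig_text)
        except ValueError:
            unparsed.append((path, sig_text))
            continue
        counts[(sig.scope, sig.kind)] += 1
    return counts, unparsed


# Constructed sample rows; only the first signature ID appears on this page.
SAMPLE_ROWS = [
    ("/home/user1/public_html/up.php", "SMW-SA-05155-wshll"),
    ("/home/user1/public_html/index.php", "SMW-INJ-00042-mlw.wp-0"),
    ("/home/user2/public_html/a.js", "CMW-INJ-00077-mlw"),
    ("/home/user2/public_html/b.php", "SMW-SA-05155-wshll"),
    ("/home/user2/tmp/c.bin", "unknown-format"),
]

if __name__ == "__main__":
    for path, sig_text in SAMPLE_ROWS:
        try:
            print(path, "->", parse_signature(sig_text).describe())
        except ValueError as exc:
            print(path, "->", exc)
    counts, unparsed = summarize(SAMPLE_ROWS)
    print(dict(counts), "unparsed:", unparsed)
```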
To perform a bulk action, tick required files and click the corresponding button above the table.
Click the desired string to display scan type.
To clean up all files of all users, click Clean up all button above the table.
The following filters are available:
The table can be sorted by detection date (detected), user name, file path (file), reason, and status.
It is possible to scan a specific directory for malware. Go to the Malware Scanner page and choose the Scan tab. Then follow these steps:
Enter the name of the folder you need to scan in the Folder to scan field. Start typing with the slash /.
It is possible to use Advanced Settings:
*.php – all the files with extension php). Default setting is * which means all files without restriction.
*.html – will ignore all files with extension html).
Note
If Imunify360 is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.
At the top right corner Malware Scanner progress and status are displayed:
After Malware Scanner stops on-demand scanning you will see the results in the table below with the following information:
To review and manage malicious files go to the Files tab described below.
History tab contains data of all actions for all files. Go to the Imunify360 → History tab. Here, there is a table with a list of files within all domains.
The table has the following columns:
The table can be sorted by Date, Path to File, Cause, and Owner.
Ignore List tab contains the list of files that are excluded from Malware Scanner scanning. Go to the Imunify360 → Malware Scanner → Ignore List tab. Here, there is a table with a list of files within all domains.
The table has the following columns:
Note
Wildcards are not supported when adding paths to the Ignore List. For example, the following paths are not supported:
/home/*/mail/
/home/user/*.html
/home/*
To perform a bulk action, tick required files and click the corresponding button above the table. The following filters are available:
The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.
To search file or folder in the Ignore List use Search input field above the table.
See also: How to edit watched and excluded patterns for Malware Scanner?
Proactive Defense is a unique Imunify360 feature that can prevent malicious activity through PHP scripts. It is available as a PHP module for Apache and LiteSpeed web servers and analyzes script activity using known patterns like obfuscated command injection, malicious code planting, sending spam, SQL injection etc.
Note
Proactive Defense requires Hardened PHP (alt-php) to operate.
Go to Imunify360 → Proactive Defense.
Here you can set a mode, view detected events and perform actions on them.
The following Proactive Defense modes are available:
To select a mode, tick the desired checkbox. When an action is completed, you will see a pop-up with the successful mode changing message.
Note
The Detected Events table displays all the necessary information about PHP scripts with malicious activity detected by Imunify360 Proactive Defense.
You can filter items by time frame in a Timeframe dropdown and search a certain entity in a search field.
The items in the Detected Events table are displayed per 25 on a page. To change a number of items displayed, click the number at the bottom right corner Items per page and select a desired number in the dropdown.
To go to the next or the previous page click >> or << button or click a desired page number.
The Detected Events table includes the following columns:
The following actions are available for the detected event:
View file content
This action can be performed in two ways.
The first way
Click the View details icon in the row of the desired event. Here you can see the same information as in the table and plus all environment variables and their values. Then, click View file content button. The file content will be displayed in a new pop-up.
The second way
Click Cog icon in the row of the desired event and choose View file content.
The file content will be displayed in a new pop-up.
The group action is not available for this action.
Move IP to the Black List
Click View details icon in the row of the desired event. Then, click Block IP button. To move the IP to the Black list click Yes, move to Black list. In the pop-up displayed click Yes, move to black list to complete the action or Cancel to return to the Details window. When a file is added to the Black List, you will see the confirmation pop-up.
The first way
Click Cog icon in the row of the desired event and choose Ignore detected rule for the file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close pop-up. Now you can see this file on the Ignore List tab.
The second way
Click View details icon and then in the file details pop-up click Ignore detected rule for this file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. Now you can see this file on the Ignore List tab.
The first way
Click Cog icon in the row of the desired event and choose Ignore all rules for the file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close pop-up. The file will be moved to Ignore List tab.
The second way
Click View details icon and then in the file details pop-up click Ignore all rules for this file. Click Yes, add to Ignore List in the confirmation pop-up or click Cancel to close the pop-up. Now you can see this file on the Ignore List tab.
Remove file from Ignore List
On the Ignore List tab click Bin icon and confirm the action.
To perform bulk action, tick required checkboxes and click Remove from ignore list at the top of the table, then confirm the action in the pop-up.
Ignore List tab
This tab contains a table of files with ignored rules. If a file is added to the Ignore List, Proactive Defense will not analyze script activity from this file for all rules or for the specified rule.
The Ignore List table includes the following columns:
See also: How to edit watched and excluded patterns for Malware Scanner?
echo 'check_mode = -10' >> /usr/share/i360-php-opts/module.ini
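<?php
// Proactive Defense self-test: try to fetch the EICAR test string over HTTP.
$pattern = 'TEST-FILE';
$external_code = @file_get_contents('https://secure.eicar.org/eicar.com.txt');
// strpos() returns false when the pattern is absent, i.e. the fetch was blocked.
if ($external_code !== false && strpos($external_code, $pattern) !== false) {
    print "Proactive Defence DOESN'T work or NOT in KILL mode";
} else {
    print "Proactive Defence works fine - file_get_contents function has been BLOCKED, please check Imunify360 Proactive Defence tab for corresponding BLOCK event";
}
?>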
Note
This script is available starting from Imunify360 v. 4.10.2
This script will only check for PD if file_get_contents is not disabled and allow_url_fopen is enabled in the PHP settings on the server.
/usr/share/i360-php-opts/module.ini in order to disable test mode rules
check_mode = -10
Note
The number of the triggered rule is 77777, and it is possible to check it via CLI:
imunify360-agent proactive list
Choose Reputation Management in the main menu of the Imunify360 admin interface to get to the Reputation Management page.
Reputation Management allows you to check whether a domain registered on your server is safe, based on the following reputation engines:
How does it work:
If a domain or an IP is blocked, then this information will be available in the table below. If a user’s website appears in this table, then it would be useful to send this link to the user. This instruction can help to solve problems with the domain.
At the top of the page (also in the main menu near Reputation Management item), Imunify360 shows the number of affected domains. This number is a quantity of affected domains that exist on the server.
The table shows:
Click link icon in the Action column to copy the URL to the clipboard.
Note
Reputation Management online and browser look may differ. This is because Google Safe Browsing has an issue described on github.
Imunify360 has KernelCare integration. To install KernelCare, go to the Settings tab and click Install KernelCare.
To observe current KernelCare status in the Imunify360 main menu choose KernelCare tab.
Here you can check:
To disable auto update mode, toggle the Update mode switch to No.
Note
If you have KernelCare license(s) on the same server(s), then cancel this license in CLN because KernelCare will be free for that server. If you do not know how to cancel licenses then follow this link for details.
Note
KernelCare tab can load slowly on highly loaded systems.
Read more about KernelCare on the link.
Choose Settings in the main menu to get to the Imunify360 settings page. The following tabs are available:
Go to Imunify360 → Settings → General. The following sections are available:
Here you can install and uninstall the following components:
If you want to install it using CLI, please follow this article.
To install or uninstall HardenedPHP, click the related button. Please find additional information about HardenedPHP in this article. During the HardenedPHP installation process, the installation log will appear and update automatically.
Note
HardenedPHP is free on the servers with Imunify360 installed.
Overview
This feature automatically determines whether the user is a human. The system falls back to CAPTCHA solving if the algorithm determines that a user may not be a human. It is possible to enable the Invisible CAPTCHA feature via the Imunify360 admin interface and via the command line interface (CLI).
How to install Invisible CAPTCHA
Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA and click Install Invisible CAPTCHA button. Confirm the installation in the pop-up.
How to check if Invisible CAPTCHA is currently installed
Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA. The red Remove Invisible CAPTCHA button means that Invisible CAPTCHA is enabled.
How to uninstall Invisible CAPTCHA
Go to Imunify360 → Settings → General → Installation → Invisible CAPTCHA and click Remove Invisible CAPTCHA button. Confirm the action in the pop-up.
See how to test invisible CAPTCHA.
To install or uninstall KernelCare, click the related button. Please find additional information about KernelCare here.
Note
KernelCare is free on the servers with Imunify360 installed.
Warning!
This feature is deprecated.
The KernelCare extension for Imunify360 allows tracing malicious invocations to detect privilege escalation attempts.
You can find these attempts on the Incidents tab (as part of the OSSEC log). The incidents can be seen by filtering events with the EDF label.
To enable the feature, tick the Privilege escalation detection & protection checkbox.
Note
The Privilege escalation detection & protection feature is implemented for CentOS 7 only.
Or you can enable it via CLI using the following command:
imunify360-agent config update '{"KERNELCARE": {"edf": true}}'
Click Save changes button on the bottom of the section to save changes.
When the Minimized ModSec Ruleset option is on, it disables Imunify WAF rules with a high memory footprint, yet leaves critical ruleset enabled. It is recommended for the servers with a small amount of RAM. It is enabled by default for the installations with low RAM.
You can switch back to the normal mode by enabling WebShield or unchecking Minimized ModSec Ruleset in Settings | General | WAF Settings
Click Save changes button on the bottom of the section to save changes.
Server admin can enable an option to prevent access to WordPress accounts with well-known (trivial) passwords. When the option is enabled, all end-users that are trying to log into the admin account with weak/trivial or well-known passwords from the dictionary used by brute-forcers will be taken to the special alert page with an appeal to change their current password.
This feature can be enabled by setting cms_account_compromise_prevention to true in the MOD_SEC section of the config file.
Note
This feature is implemented via modsec rule and could be partially disabled on a per-domain basis (the rule id is 33355)
The alert page supports localization and is displayed in the language of the browser (on an external Imunify domain).
WAF Rules Auto-Configurator generates a set of rules on a per-domain basis, considering the Content Management System (CMS), that the website is running (WordPress, Joomla, Drupal etc).
It makes WAF rules more effective at protecting websites and reduces the number of false positives.
It works in the background and scans domains for installed CMS daily, after that rebuilds ModSec configuration based on detected software.
Note
This feature is only available for the Apache 2.4 web server
The DoS Protection section allows you to enable or disable DoS protection. DoS protection works by counting connections from each remote IP address per local port separately. To enable/disable it, tick the Enable Dos Protection checkbox. Or you can enable it using the following CLI command:
imunify360-agent config update '{"DOS": {"enabled": true}}'
It is possible to configure how Imunify360 will behave:
The minimum values:
Note
Check delay is limited by the minimum value of 30, lower values can cause "false positives" triggering.
Note
Although DoS protection works on the TCP level, it is not the same as http request rate - even if there is large number of http connections, the number of TCP connections can be relatively low.
Note
Imunify360 DoS protection is automatically disabled if CSF is active - a warning is shown in Imunify360 UI in that case
Click Save changes button on the bottom of the section to save changes.
SMTP traffic management provides more control over SMTP traffic.
An administrator can redirect mail traffic to the local MTA, block it completely, or keep it available for local mails only. Administrators can also block particular ports and whitelist specific users or groups for outgoing mail.
This feature extends the existing cPanel “Block SMTP” functionality, albeit with more control and capabilities, and replaces the similar functionality from CSF.
You can enable the SMTP Traffic Management in the Settings:
allow_users, it will not be blocked)
allow_users, it will not be blocked)
Note
The following is added by default into the Allow users and the Allow groups for cPanel:
To enable these settings via direct config file update or a command-line interface, use this command:
imunify360-agent config update '{"SMTP_BLOCKING": {"allow_local": true, "enable": true}}'
The config file should show:
SMTP_BLOCKING:
  allow_groups:
  - mailacc
  allow_local: true
  allow_users: []
  enable: true
  ports:
  - 25
  - 587
  - 465
  redirect: true
WHM SMTP Restrictions must be disabled in cPanel for SMTP Traffic Management to work.
To disable it, log in to the cPanel WHM portal, select SMTP Restrictions on the left sidebar and disable it.
Tick the Manage CSF Events and Lists checkbox to enable/disable the integration between CSF and Imunify360.
This setting is explained in more detail here.
The Auto White List section lets Imunify360 automatically add the admin's IP to the White List each time the admin logs in to the hosting panel and enters the Imunify360 admin interface. In the Timeout field, enter the number of minutes after which the IP will be removed from the White List automatically.
Note
0 means adding IP to the White List permanently.
Click Save changes button on the bottom of the section to save changes.
In this section it is possible to control what kind of incidents will be shown on the Incidents page. Move the slider to change your preferences.
There are 15 available levels related to OSSEC and ModSecurity severity levels:
Log level | ModSecurity | OSSEC |
1 | 7 – DEBUG | 01 – None |
2 | 6 – INFO | 02 – System low priority notification |
3 | 5 – NOTICE | 03 – Successful/Authorized events |
4 | 4 – WARNING | 04 – System low priority error |
5 | 4 – WARNING | 05 – User generated error |
6 | 3 – ERROR | 06 – Low relevance attack |
7 | 3 – ERROR | 07 – “Bad word” matching. |
8 | 3 – ERROR | 08 – First time seen |
9 | 3 – ERROR | 09 – Error from invalid source |
10 | 3 – ERROR | 10 – Multiple user generated errors |
11 | 3 – ERROR | 11 – Integrity checking warning |
12 | 2 – CRITICAL | 12 – High importancy event |
13 | 2 – CRITICAL | 13 – Unusual error (high importance) |
14 | 1 – ALERT | 14 – High importance security event. |
15 | 0 – EMERGENCY | 15 – Severe attack |
Autocleanup configuration allows to keep the Incidents page clean by default. The possible settings are as follows:
Click Save changes button on the bottom of the section to save changes.
Enable WebShield. When the option is off, WebShield, GreyList, and CAPTCHA are disabled. A disabled state is recommended for servers with a small amount of RAM. Disabling this option while "Minimized WAF Ruleset" is enabled switches Imunify360 to the "Low Resource Usage" mode.
The Detect IPs behind CDN feature allows Imunify360 to recognize and block IPs with suspicious activity behind supported CDN providers.
To enable/disable it, tick the Detect IPs behind CDN checkbox.
Or you can enable it using the following CLI command:
imunify360-agent config update '{"WEBSHIELD": {"known_proxies_support": true}}'
Supported CDN providers:
Google reCAPTCHA configuration window allows admin to specify reCAPTCHA keys for the server. Follow the step by step guide to setup a Site key and a Secret key.
Click Save changes button on the bottom of the section to save changes.
Tick the Anti-bot protection checkbox to enable the JavaScript challenge – "Splash Screen."
You can read more about Anti-bot protection here.
Click Save changes button on the bottom of the section to save changes.
Tick the Active response checkbox to block access to a specific server port being attacked. The purpose of the feature is to significantly reduce the false positive rate while increasing the ability to detect and block aggressive brute-force requests.
Click Save changes button on the bottom of the section to save changes.
Note
For now, the feature covers the following ports:
Tick the PAM brute-force attack protection checkbox to enable an advanced brute-force protection technique based on the combination of PAM module authorization, RBL check, and IP blacklisting.
You can also enable it via CLI with the following command:
imunify360-agent config update '{"PAM": {"enable": true}}'
Click Save changes button at the bottom of the section to apply changes. This will enable protection for SSH/FTP protocols.
Note
This protection type is available only in cPanel/WHM.
Tick the Exim+Dovecot brute-force attack protection checkbox to enable advanced protection against Dovecot brute-force attacks. The PAM module protects against IMAP/POP3 brute-force attacks and prevents mail accounts from being compromised via brute-forcing.
You can also enable it via CLI with the following command:
imunify360-agent config update '{"PAM": {"exim_dovecot_protection": true}}'
Click the Save changes button at the bottom of the section to apply changes.
Note
This protection type is available only in cPanel/WHM for proftpd and pureftpd daemons.
Tick the FTP brute-force attack protection checkbox to enable protection for the ftpd server against FTP brute-force attacks. It uses a time-proven algorithm that we’ve been using in the SSH PAM extension.
You can also enable it via CLI with the following command:
imunify360-agent config update '{"PAM": {"ftp_protection": true}}'
Click the Save changes button at the bottom of the section to save changes. This will enable protection for SSH/FTP protocols.
Tick the Enable Sentry error reporting checkbox to send reports to the Imunify360 error reports server.
Click the Save changes button at the bottom of the section to save changes.
Type your email into the Email field to receive email reports about critical issues, security alerts or system misconfigurations detected on your servers.
Note
This email address is used ONLY for receiving server reports.
Click the Save changes button at the bottom of the section to save changes.
Go to Imunify360 → Settings → Malware. The following sections are available:
Here you can configure the following:
Note
Read the CXS integration documentation carefully to make Malware Scanner work properly if you decide to use CXS instead of Imunify360 anti-malware protection.
CPU consumption – sets the level of CPU usage by Malware Scanner.
Note
Low CPU usage means low scanning speed.
I/O consumption – sets the level of I/O usage by Malware Scanner.
Note
Low I/O usage means low scanning speed.
Note
If Imunify360 is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.
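The following added example (not part of the Imunify360 documentation) lists the active I/O scheduler of each block device, which shows where the ionice-based I/O limit described in the note above can take effect. The function names are illustrative; the script only reads /sys/block/*/queue/scheduler.

```shell
#!/bin/sh
# Added example (not from the Imunify360 docs): list the active I/O scheduler
# per block device, since the page states "ionice" is used only under CFQ.

# Print the active scheduler from one line of /sys/block/<dev>/queue/scheduler.
# The kernel brackets the active entry, e.g. "noop deadline [cfq]".
active_scheduler() {
    active=$(printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
    # Devices without a selectable scheduler may print a bare "none".
    [ -n "$active" ] || active=$1
    printf '%s\n' "$active"
}

# Succeed only when the line's active scheduler is CFQ.
ionice_applies() {
    [ "$(active_scheduler "$1")" = "cfq" ]
}

# Walk every block device and report whether the I/O consumption setting
# can be enforced through ionice on it.
report_devices() {
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue
        dev=${f#/sys/block/}
        dev=${dev%%/*}
        line=$(cat "$f")
        if ionice_applies "$line"; then
            verdict="ionice applies"
        else
            verdict="ionice not used (scheduler is not CFQ)"
        fi
        printf '%-10s %-12s %s\n' "$dev" "$(active_scheduler "$line")" "$verdict"
    done
}

report_devices
```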
Automatically scan all modified files – enables real-time scanning of modified files using the inotify library. The Scanner searches for modified files in users' DocumentRoot directories.
Note
It requires inotify to be installed and may put an additional load on a system.
Optimize real-time scan – enables the File Change API and fanotify support to reduce the system load while watching for file changes, in comparison with inotify watches.
Note
File Change API works only with the ext4 file system.
OS | inotify | fanotify | File change API
CentOS 6 | x | |
CentOS 7 | x | x |
CentOS 8 | x | x |
CloudLinux OS 6 | x | |
CloudLinux OS 7 | x | x |
CloudLinux OS 8 | x | |
Ubuntu 16 | x | x |
Ubuntu 18 | x | x |
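As an added example (not taken from the Imunify360 documentation), the script below checks whether a DocumentRoot sits on ext4, the File Change API requirement noted above. The mount table, device names and paths are constructed sample data, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the Imunify360 docs): check whether a DocumentRoot
# sits on ext4, the only file system the page says File Change API supports.

# Read a mount table in /proc/mounts format on stdin and print the file system
# type of the mount that holds PATH. The longest mount-point prefix wins; on a
# tie the later line wins, because a later mount shadows an earlier one.
fs_type_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); fs = $3 }
        }
        END { if (fs == "") exit 1; print fs }
    '
}

# Succeed only if PATH is on ext4 according to the mount table on stdin.
on_ext4() {
    [ "$(fs_type_for "$1")" = "ext4" ]
}

# Constructed sample mount table (device names and paths are made up).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
/dev/sdb1 /home ext4 rw,noatime 0 0
/dev/sdc1 /home/archive xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
EOF
}

# Demo on the sample table; on a live server feed /proc/mounts instead:
#   on_ext4 /home/user1/public_html < /proc/mounts
for docroot in /home/user1/public_html /home/archive/site /var/www/html; do
    if sample_mounts | on_ext4 "$docroot"; then
        echo "$docroot: ext4, File Change API requirement met"
    else
        echo "$docroot: $(sample_mounts | fs_type_for "$docroot"), File Change API requirement not met"
    fi
done
```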
Automatically scan any file uploaded using web – enables real-time scanning of all the files that were uploaded via http/https.
Note
It requires ModSecurity to be installed.
Automatically scan any file uploaded using ftp – enables real-time scanning of all the files that were uploaded via ftp.
Note
It requires Pure-FTPd to be used as FTP service.
Automatically send suspicious and malicious files for analysis – malicious and suspicious files will be sent to the Imunify360 Team for analysis automatically.
Try to restore from backup first – restores a file from backup as soon as it is detected as malicious, if a clean copy exists. If a clean copy does not exist or is outdated, the default action is applied. See also CloudLinux Backup.
Block malicious file uploads via cPanel File Manager (Experimental) – enables blocking of malicious file uploads via cPanel File Manager. File operations via cPanel File Manager that turn out to be malicious are also blocked. The types of operations processed are edits and saves.
Use backups not older than (days) – sets a maximum age of a clean file.
Default action on detect – configure Malware Scanner actions when detecting malicious activity:
Warning
Starting from ImunifyAV(+) v.6.2, the Quarantine and Delete actions were removed permanently from the UI as well as the CLI in ImunifyAV(+). Previously quarantined files are also subject to deletion. After this change is implemented, the restoration of the previously quarantined files will become impossible. For more information see this blog post.
Note
These options may be hidden from the end user if Cleanup is disabled in Features Management.
This mechanism addresses crontab infections with our powerful Malware Scanner. When enabled, it catches any crontab file modification on the fly, within seconds, and keeps crontab files malware-free in real time.
The cleanup results are available on the Malware and History tabs of the Imunify360 interface, as for any other type of malware.
Tick the required checkboxes and click the Save changes button.
This section allows you to set up automatic, scheduled, background scanning of user accounts.
Depending on the selected period, specify the precise settings.
If Run scanning is set to Daily, choose the exact time at the Run at dropdown.
If Run scanning is set to Weekly, choose the day of the week at the Run on dropdown and exact time at the Run at dropdown.
If Run scanning is set to Monthly, choose the day of the month at the Day of month to run dropdown and exact time at the Run at dropdown.
You can track the scanning activity at the Malware Scanner tab.
To reduce the number of Blamer events, similar events are combined into a single one by default. To disable this, specify filter_messages=off in /usr/share/i360-php-opts/module.ini.
Once a vulnerable script or unknown malware executes a malicious flow that leads to a malware drop, an auto-generated rule is released for Proactive Defense. This stops any further attempts to exploit the vulnerability or drop malware. Any dropped malware is also auto-cleaned by the real-time malware scanner, keeping the system clean and protected.
Enabling this feature also enables Blamer and switches Proactive Defense into the KILL mode.
Click Save changes at the page bottom to apply all changes.
Enable Malware Database Scanner – a database antivirus: automated malware detection and clean-up of web applications.
Note
Requires the MariaDB/MySQL database management system, version 5.5. The recommended version is 5.6+. Note that only WordPress databases are supported for now.
Click Save changes to apply changes.
Imunify360 can integrate with backup providers and automatically or manually restore files from a backup if they have become infected. Only the administrator can choose the backup provider, but the end user can back up and restore files within the selected backup provider.
The following backup providers integrated with Imunify360 are available:
Warning
The JetBackup server backup application is not available right now because it is being reworked. It will be available again in 2022.
Requirements
This section describes the following:
To enable backups log in to a hosting panel as administrator, go to Imunify360 plugin and do the following.
The CloudLinux Backup option provides the backup feature most tightly integrated with Imunify360. It is powered by the Acronis technology, but you do not need to have an active Acronis account (if you have an existing Acronis account and would like to continue using it, skip to the Acronis Backup section for choosing an Acronis Backup option).
Warning
On servers with XFS, ReiserFS3, ReiserFS4, JFS, CloudLinux Backup has the following limitations:
With this backup and restore service, you can restore malicious or suspicious files from the backup if a clean version exists, schedule backups, see total and used storage space, and locate the data storage server.
To activate CloudLinux Backup, follow these simple steps:
Note
Installation can take up to 10 minutes depending on specific server size. You can use Imunify360 as usual during the installation process. Also, we will send you an email with detailed information to the specified email address.
Choose it if you have an Acronis account, so that Imunify360 can use backups to restore malicious or suspicious files if a clean version exists.
Imunify360 checks whether the Acronis agent is already installed. If not, Imunify360 installs it. Then Imunify360 checks whether a backup of the entire server exists; if not, Imunify360 creates a backup of the current server. If all is OK, the system returns a success message.
After the successful connection, Imunify360 will return the appropriate message.
To disable backups do the following:
Note
If you use CloudLinux Backup, your backup will still be active in CloudLinux Network (CLN). To disable the backup completely and terminate billing, please log in to CLN and deactivate CloudLinux Backup manually on the current server.
Click the Manage Backups button. You will be redirected to the Backup Management Console. The console opens in a new tab in the browser. See the documentation for more information.
Click the Resize link. You will be redirected to the CloudLinux Network where you can add or remove storage space.
After successful payment, the backup storage size will be increased. Imunify360 creates an initial backup of the current server if it was not done before; otherwise it just increases the storage size. On the Settings → Backups tab you can see the actual and used amount of backup storage in GB. If you get an error message, please follow the instructions in the message or contact our support team.
Click the Manage Backups button. You will be redirected to the Backup Management Console (read the documentation here). When a schedule is set, it is displayed on the Backups tab.
To restore a file do the following:
You can configure the automatic restore. Please find more details here.
Go to the Settings page and choose Disabled rules. This page allows the user to manage disabled rules which have already been added.
Note
You can also add a new rule to the Disabled Rules list on the Incidents page.
The list of disabled rules contains:
To add a new rule, click the Add Rule button.
In the pop-up specify the following:
Click Add Rule to add the rule to the list or Cancel to close the pop-up.
To edit the list of domains where the rule should be disabled, click the edit icon in the row of the rule and enter domains registered on the server, separated by commas.
Note
It is possible to specify domains only for ModSecurity rules. For OSSEC rules, it always applies to all domains.
To remove the rule from the disabled list, click Enable and confirm the action in the pop-up.
Overview
Features Management allows hosters to enable/disable Imunify360 features for each customer. On Features Management it is possible to manage Proactive Defense and Malware Cleanup for each customer account. If a feature is enabled for the user in the hoster’s account, the user will be able to see and use it in their account.
Note
Default settings in Features Management are inherited by newly created user accounts only.
Note
Features are enabled/disabled account-wide.
Below, there is a table with all users and their domains and features for each user.
Group Action
To perform a group action, tick the users and move the sliders for them.
How to enable/disable Proactive Defense
The Proactive Defense feature is enabled by default account-wide. So, all newly created user accounts will have the Proactive Defense tab in their Imunify360 Section.
To disable Proactive Defense account-wide, move the slider to Turned Off and confirm the action in the popup by clicking Yes, disable Proactive Defense for new users, or click Cancel to close the popup.
How to enable/disable Malware Cleanup
The Malware Cleanup feature is enabled by default account-wide. So, all newly created user accounts will have the Malware Cleanup feature in their Imunify360.
To disable Malware Cleanup account-wide, move the slider to Turned Off and confirm the action in the popup by clicking Yes, disable Malware Cleanup for new users, or click Cancel to close the popup.
You can perform all these actions via CLI.
Feature Management allows a hoster to enable/disable different Imunify360 features for server users. Using this functionality, hosting companies may resell chosen Imunify360 features as a part of hosting packages to end-users as well as make features available/unavailable for a group of end-users.
WHM/cPanel Feature Management is now available under WHM/cPanel Package Manager via Package Extension (PE). Using WHM/cPanel Native Feature Management a hoster can enable/disable Malware Scanner and Proactive Defense for all users with the same package (service plan) instantly.
Note
When switched to WHM/cPanel Feature Management, the same functionality will be disabled in the Imunify360 UI. The previous Feature Management config becomes overridden by defaults.
How to switch to WHM/cPanel Feature Management
Go to Imunify360 → Settings → Features Management. You will see the following.
Click Details. You will see the following pop-up.
Click Agree and Switch to confirm the action or click Cancel to close the popup.
Note
Note that current Imunify360 settings will be reset to default values after switching to WHM/cPanel Feature Management mode. You can switch back to in-app Imunify360 Feature Management mode at any time via CLI command. The end-user values will be reset to default values upon any mode switching.
When switched, you will see the following.
How to configure Imunify360 Features using WHM/cPanel Package Extensions
Go to WHM/cPanel → Add a Package → Package Extensions and tick Imunify360 Features (if it’s not selected).
Choose an option for each feature.
Malware Scanner
Note
The last option is available in the WHM/cPanel Package Manager only and is not available via Imunify360 UI or CLI.
Note
When the Malware Scanner is not available for an end user, the user's folders are not excluded from scanning, so their files will be scanned and the results will be listed in the admin UI as usual.
Proactive Defense
Click Add to apply changes.
See also: CLI.
Click Settings and choose the Attributions tab to see a list of IDS installed on the server.
Country-based white or blacklisting includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
cPanel
It is possible to enable Service Status checker for Imunify360. Perform the following steps:
imunify360 checkbox.
If succeeded, the status of the Imunify360 service will be displayed in the Service Status section of Server Status.