FAQ and Known Issues

Common Questions

1. End user IP is blocked and I do not know why

If you use CSF, then try to find the IP in CSF Allow/Deny Lists using their documentation and support. If not, then do the following:

  • Go to cPanel Plugins section, choose Imunify360 and enter the Incidents page.

  • Make sure that the IP checkbox at the top of the table is ticked. Enter proper IP or part of IP in the input field and click Enter.

    • If the IP was found, then follow instructions on Incidents page and perform the actions you need, like: add IP to the White List or disable the security rule that has detected this incident.
  • If the IP was not found on the Incidents page, then go to Firewall page and using the same way as in the previous step try to find proper IP in Black List or Grey List.

    • If the IP was found then follow this instruction for Grey List or Black List and move the IP to the White List or just remove from the Black List or Grey List.

If nothing helps, then contact our support team.

2. Could I disable IPtables (firewall) or OSSEC, when using Imunify360?

No. Imunify360 will not be able to stop an attack without IPtables and will not be able to detect an attack without OSSEC.

3. Does Imunify360 log events such as adding or removing an IP to/from the Gray List?

Most Imunify360 logs are saved in /var/log/imunify360/console.log. For example, when IP is blocked and added to the Black List, the following lines are added:

INFO [2017-04-15 18:30:00,889]
defence360agent.plugins.protector.lazy_init: IP 103.86.52.175 is BLOCKED
with 300 sec (expiration: 1492281300) (due to SensorAlert)
INFO [2017-04-15 18:30:00,889]
defence360agent.plugins.protector.lazy_init: Unblocking 103.86.52.175 in
CSF as it is already in our graylist
INFO [2017-04-15 18:30:01,663] defence360agent.internals.the_sink:
SensorAlert:
{'rule_id': 'LF_SMTPAUTH', 'timestamp': 1492281000.8720655, 'attackers_ip': '103.86.52.175', 'plugin_id': 'lfd', 'method': 'ALERT', 'ttl': '1'}
When user unblocks himself by captcha, logs look like this:
INFO [2017-04-17 00:51:26,956] defence360agent.internals.the_sink:
CaptchaEvent:
{'timestamp': 1492404686.9496775, 'errors': [], 'user_agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36', 'accept_language': 'ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4', 'event': 'PASSED', 'method': 'CAPTCHA', 'attackers_ip': '10.101.1.18'}
INFO [2017-04-17 00:51:26,967]
defence360agent.plugins.protector.lazy_init: IP 10.101.1.18 is UNBLOCKED
(due to ClientUnblock)

Adding and removing IPs from the White List is only possible manually, no IPs will be added automatically.

5. To start using Imunify360 we need to know which information is sent to your servers. Could you please give us some more information?

The following info is sent to our server:

  • all the messages from IDS OSSEC (can be found in OSSEC logs)
  • all the messages from mod_security (can be found in modsec_audit.log)
  • users domains (to be checked in reputation engine);
  • CAPTCHA verification info
  • all running scans for malware (maldet scans) and information on moving to the quarantine or discovering suspicious files
  • optionally, suspicious files can be sent to us for the analysis. Files can be sent via UI by marking a proper checkbox

6. No valid Imunify360 License Found.

Check if the agent is running.

Check access to the central server (IP: 148.251.130.176 port: 443).

Call imunify360-agent rstatus and ensure that status is True:

{'expiration': 0, 'status': True, 'user_count': None, 'user_limit': None, 'redirect_url': None}

Ensure that /etc/sysconfig/imunify360/imunify360.id file contains server_id.

If no, imunify360-agent register KEY.

7. I have an error peewee.DatabaseError: database disk image is malformed. What should I do?

Imunify360 uses SQLite database to store its data. Although this database has proved its reliability, database files become corrupted in rare cases. To restore data try to perform the following steps:

Stop the agent.

If you have sqlite3 application installed on your machine, try to make dump of Imunify360 database:

#sqlite3 /var/imunify360/imunify360.db
.mode insert
.output dump_all.sql
.dump
.exit

You should see new file dump_all.sql in the directory /var/imunify/

Create a new database from this dump file:

#sqlite3 imunify360.db.new < dump_all.sql

Replace old database with the new one:

#cd /var/imunify/
#mv imunify360.db imunify360.db.corrupt && mv imunify360.db.new imunify360.db

Start the Imunify360 agent.

If these steps have not solved the problem or no sqlite3 package is installed, then you should create a completely new database:

Stop the agent.

#rm /var/imunify/imunify360.db
#imunify360-agent migratedb

Start the agent

8. Why does my cPanel with LiteSpeed and OWASP ModSecurity rule set trigger 500 error on all web pages after installing Imunify360?

OWASP rule set may conflict with Imunify360 default rule set on a server running LiteSpeed Web Server. We recommend to turn off OWASP rule set prior to installing Imunify360.

Please find more FAQs in our Knowledge Base.

9. Disabling WAF rules for certain countries.

It is possible to disable some WAF rules for IPs that are resolved to be from some country (or other geographical entity). To implement this, a customer should create his own modsecurity configuration file, and include it into the default modsecurity configuration. In case of cPanel, this can be done by creating /etc/apache2/conf.d/includes/countrywafrules.conf and adding it as an include to the /etc/apache2/conf.d/modsec/modsec2.cpanel.conf. Otherwise configuration files might be rewritten by Imunify360 rules update.

Example of contents of such config file:

SecGeoLookupDb /path/to/GeoLiteCity.dat 
# ModSecurity relies on the free geolocation databases (GeoLite City and GeoLite Country) that can be obtained from MaxMind http://www.maxmind.com. Currently ModSecurity only supports the legacy GeoIP format. Maxmind's newer GeoIP2 format is not yet currently supported.
So a customer need to download this IP database and locate somewhere.

# Lookup IP address 
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:155,nolog,pass"

# Optionally block IP address for which geolocation failed
# SecRule &GEO "@eq 0" "phase:1,id:156,deny,msg:'Failed to lookup IP'"

# Skip rules 942100 and 942101 for GB country as example

SecRule GEO:COUNTRY_CODE "@streq GB" "phase:2,auditlog,id:157,pass,severity:2,\
ctl:ruleRemoveById=942100,\
ctl:ruleRemoveById=942101"

Make sure that you have replaced /path/to/GeoLiteCity.dat with the real path to the GeoLiteCity.dat file installed in your system.

Variable GEO is a collection populated by result of the last @geoLookup operator. The collection can be used to match geographical fields looked from an IP address or hostname.

Note

Available since ModSecurity 2.5.0.

Fields:

  • COUNTRY_CODE: two character country code. Example: US, GB, etc.
  • COUNTRY_CODE3: up to three character country code.
  • COUNTRY_NAME: full country name.
  • COUNTRY_CONTINENT: two character continent that the country is located. Example: EU.
  • REGION: two character region. For US, this is state. For Canada, providence, etc.
  • CITY: city name if supported by the database.
  • POSTAL_CODE: postal code if supported by the database.
  • LATITUDE: latitude if supported by the database.
  • LONGITUDE: longitude if supported by the database.
  • DMA_CODE: metropolitan area code if supported by the database. (US only)
  • AREA_CODE: phone system area code. (US only)

10. How to clone Imnify360 configuration on another system?

The solution is available in FAQ section

11. How to disable Support icon in the Imunify360 UI?

  1. Go to /etc/sysconfig/imunify360/imunify360.config.
  2. And set PERMISSIONS.support_form: option to false.

OR, better, run the following command:

imunify360-agent config update '{"PERMISSIONS": {"support_form": false}}'

12. How to hide the Ignore List tab for end users in the Imunify360 UI?

  1. Go to /etc/sysconfig/imunify360/imunify360.config.
  2. And set PERMISSIONS.user_ignore_list: option to false.

OR, better, run the following command:

imunify360-agent config update '{"PERMISSIONS": {"user_ignore_list": false}}'

13. How to delete malware scan results from Imunify360’s database?

Sometimes, you may need to delete all users’ scan results from the server. This should not be common practice, and we do not recommend doing it on a regular basis. But, if you do need to erase the results of all Imunify360 scans, you can find the instructions below.

  1. First, you need to stop the agent:
systemctl stop imunify360

(on CentOS 7)

service imunify360 stop

(on CentOS 6, Ubuntu)

  1. Connect to the Imunify360 database by running this command:
sqlite3 /var/imunify360/imunify360.db
  1. Execute the following SQL commands:

IMPORTANT

This will remove all scan results from Imunify360!

DELETE FROM malware_history;
DELETE FROM malware_hits;
DELETE FROM malware_scans;
DELETE FROM malware_user_infected;
  1. Start the Imunify360 service:
systemctl start imunify360

(on CentOS 7)

service imunify360 start

(on CentOS 6, Ubuntu)

We don’t recommend cleaning the scan results for specific users, as it may cause inconsistencies in the malware_scans table. But, in emergencies, you can do it with these SQL commands:

DELETE FROM malware_history WHERE file_onwer = <user>;
DELETE FROM malware_hits WHERE user = <user>;
DELETE FROM malware_user_infected WHERE user = <user>;

Unfortunately, there’s no easy way to delete records in the malware_scans table for a specific user, so the table should be either truncated with the other tables shown in step 2 above, or the records should just be ignored.

If you need any more information on this or anything else related to Imunify360 administration, please get in touch .

14. Imunify360 WebShield ‘Could not allocate memory’ problem. How to fix?

Symptoms: It can have pretty different symptoms (increased IO, CPU and memory usage), but the main one is that WebShield blacklisting (through CDN) does not work.

How to check: Just browse wsshdict log (/var/log/wsshdict/wsshdict.log). If you face the issue, the log will have entries like:

2019-07-09 16:50:06 [WARN]: Could not allocate memory for 192.126.123.115/32 in rbtree
2019-07-09 16:52:23 [WARN]: Could not allocate memory for 179.108.244.125/32 in lpctrie

This means that the shared memory is full and no new address is allowed to be added. Shared memory has a fixed size (it’s set in configuration files) and cannot change it dynamically. Currently, the size of shared memory is 20 MB, and it can take up to 89k IPv4 addresses. However, some of our clients have more blacklisted addresses, and when Imunify360 agent tries to place all these IP addresses into shared memory, the aforementioned error occurs.

How to fix: We want to increase the shared memory size.

  1. Modify the second parameter of the shared_storage directive of the /etc/imunify360-webshield/webshield.conf config file, to make it look like:
shared_storage /opt/imunify360-webshield/shared_data/shdict.dat 21m;
  1. Modify the data_size directive of the /etc/imunify360-webshield/webshield-shdict.conf config file to 22020096 (21 MB in bytes: 1024 * 1024 * 21):

  2. Restart imunify360-webshield:

   systemctl restart imunify360-webshield

Or

   service imunify360-webshield reload

The wsshdict daemon is expected to be restarted automatically.

  1. Make sure the shared memory size is actually changed. Run ipcs -m command. It’s expected to have the output like this:
# ipcs -m
------ Shared Memory Segments --------
key      shmid   owner    perms   bytes nattch status  
0x620035c1 4554752  imunify360 600    22020096   4                       
0x00000000 32769    root       644    80         2

The first column must not have zeros (like in the second row), the third column (owner) is expected to be ‘imunify360-webshield’, and size must correspond to values set in the config files (22020096 in our case).

15. How to check "ModSecurity scan" works?

  1. To verify, if ModSecurity scan works, you can use the following command:
curl -v -s -o /dev/null -F 'data=@<path-to-malware-sample>' http://<domain>/

You can get a malware sample file on the eicar.org: eicar.org.

For instance:

wget http://www.eicar.org/download/eicar.com.txt -O /tmp/eicar.com.txt
curl -v -s -o /dev/null -F 'data=@/tmp/eicar.com.txt' http://mycoolwebsite.net/

You can find the results of this attempt in the Incidents tab

  1. Also, you can perform the following request which triggers a test rule
curl -v http://mycoolwebsite.net//?i360test=88ff0adf94a190b9d1311c8b50fe2891c85af732 

And check the Imunify360 console log

grep 'Testing the work of the i360 ModSecurity rules' /var/log/imunify360/console.log

16. How to check "automatically scan all modified files" works?

To check "automatically scan all modified files" (i.e inotify scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the Malicious tab shortly.

You can get a malware sample file on the eicar.org.

Make sure the option is enabled.

wget http://www.eicar.org/download/eicar.com.txt -O /tmp/eicar.com.txt
scp /tmp/eicar.com.txt  mycooluser@X.Y.Z.A:/var/www/mycooluser/mycoolwebsite_docroot

where X.Y.Z.A - your server IP address

You can find the results in the Malware scanner > Files tab.