Imunify360 Features

RapidScan

The RapidScan feature increases scanning speed while lowering system resource usage, which lets you scan more frequently and further harden your systems' security posture.

RapidScan techniques

  • Faster File Integrity Checking. File metadata, such as file hashes, are stored locally. This means that unchanged files don't need to be rescanned.
  • Efficient Cloud-assisted Scanning. Imunify360 stores its malicious file hash database in the cloud. We detect malicious files and skip white-listed files. The remaining files are fewer, so the overall scan time is significantly reduced.
  • Optimized Malware Signatures. Our malware signature database continually expands to match the variety of malicious software. While the database becomes more accurate and comprehensive, it also becomes larger and more cumbersome to index. We tackle this by actively curating the database and re-evaluating complex signatures, recasting any that affect scanning performance.
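The first two techniques, local file metadata and a hash database of known files, can be illustrated with a small incremental scanner. This is an added example, not Imunify360's code: the JSON cache layout, the size-plus-mtime change test, the in-memory known-bad/known-good sets (standing in for the cloud database) and the sample site tree are all assumptions made for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not Imunify360 code): an incremental scanner that keeps a local
# metadata cache so unchanged files are not re-hashed, and consults a known-bad /
# known-good digest set so only unknown files are left for deeper inspection.
# Cache layout, the size+mtime change test and the sample files are assumptions.


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_cache(cache_file: Path) -> dict:
    """Cache of {path: {size, mtime_ns, sha256}} persisted as JSON."""
    return json.loads(cache_file.read_text()) if cache_file.exists() else {}


def save_cache(cache_file: Path, cache: dict) -> None:
    cache_file.write_text(json.dumps(cache))


def scan(root: Path, cache: dict, known_bad: set, known_good: set) -> dict:
    stats = {"hashed": 0, "reused": 0, "skipped_good": 0, "detections": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        key = str(path)
        entry = cache.get(key)
        # Same size and mtime as last time -> reuse the cached digest, no re-read.
        # Caveat: mtime can be reset (touch -r), so a periodic full re-hash with a
        # cleared cache is still worth scheduling.
        if entry and entry["size"] == st.st_size and entry["mtime_ns"] == st.st_mtime_ns:
            digest = entry["sha256"]
            stats["reused"] += 1
        else:
            digest = sha256_file(path)
            cache[key] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}
            stats["hashed"] += 1
        rel = str(path.relative_to(root))
        if digest in known_good:          # white-listed: nothing more to do
            stats["skipped_good"] += 1
        elif digest in known_bad:         # hash database hit
            stats["detections"].append(rel)
        # Anything else is the smaller residual set a signature scan would cover.
    return stats


def demo() -> tuple:
    """Three scans over a constructed site tree: cold, warm, and after one edit."""
    good = b"<?php echo 'hello'; ?>\n"
    bad = b"<?php /* constructed malicious sample, not real malware */ ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        root.mkdir()
        (root / "index.php").write_bytes(good)
        (root / "lib.php").write_bytes(b"<?php function f() {} ?>\n")
        (root / "dropped.php").write_bytes(bad)
        cache_file = Path(tmp) / "scan-cache.json"
        cache = load_cache(cache_file)
        first = scan(root, cache, {sha256_bytes(bad)}, {sha256_bytes(good)})
        save_cache(cache_file, cache)
        cache = load_cache(cache_file)
        second = scan(root, cache, {sha256_bytes(bad)}, {sha256_bytes(good)})
        # Edit one file (different length, so the change is caught even on coarse mtimes).
        (root / "lib.php").write_bytes(b"<?php function f() { return 1; } ?>\n")
        third = scan(root, cache, {sha256_bytes(bad)}, {sha256_bytes(good)})
    return first, second, third


if __name__ == "__main__":
    for label, s in zip(("cold", "warm", "after edit"), demo()):
        print(label, s)
```

The cold scan hashes every file; the warm scan reuses all three digests; after one edit only that file is re-hashed, while the known-good file is skipped and the known-bad one is reported each time.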

What does it mean to you?

When you first enable the RapidScan feature, the first scan runs as before. Subsequent scans are anywhere from 5 to 20 times faster. This applies to both on-demand and scheduled scans, so you can afford more scans without affecting system performance.

To take advantage of these improvements, go to your Imunify control panel and enable RapidScan in Settings→Malware Scanner.

Low Resource Usage mode

This is a special operation mode where Imunify360 consumes less CPU and RAM. It is intended for servers with limited resources.

This mode disables WebShield, which in turn switches off GrayList and Captcha.

Low Resource Usage mode also enables the Minimized Modsec Ruleset option that disables Imunify WAF rules with a high memory footprint, leaving critical rulesets enabled.

When Low Resource Usage mode is activated, the UI reflects it: the Imunify main menu changes color to light green, and a corresponding label appears at the top right.

Exim+Dovecot brute-force attack protection 4.5+ Experimental

Note

cPanel only; other panels will be added later.

Exim+Dovecot brute-force attack protection is advanced protection against Dovecot brute-force attacks. The PAM module protects against IMAP/POP3 brute-force attacks and prevents mail accounts from being compromised via brute-forcing.

How to enable Dovecot protection

imunify360-pam enable-dovecot

How to disable Dovecot protection

imunify360-pam disable-dovecot

The options of pam_imunify are in the file /etc/pam_imunify/i360.ini

Values (defaults shown)

  • USER_LOCK_TIMEOUT=5 - the period of time (minutes) during which a user is blocked
  • USER_LOCK_ATTEMPTS=10 - the number of attempts after which a user is blocked
  • USER_LOCK_MINUTES=5 - the period of time (minutes) during which violation attempts from a user are counted; attempts older than USER_LOCK_MINUTES are not counted
  • USER_IP_LOCK_TIMEOUT=5 - the period of time (minutes) during which a user + IP pair is blocked
  • USER_IP_LOCK_ATTEMPTS=10 - the number of attempts after which a user + IP pair is blocked
  • USER_IP_LOCK_MINUTES=5 - the period of time (minutes) during which violation attempts from a user + IP pair are counted; attempts older than USER_IP_LOCK_MINUTES are not counted
  • IP_LOCK_TIMEOUT=5 - the period of time (minutes) during which an IP is blocked
  • IP_LOCK_ATTEMPTS=10 - the number of attempts after which an IP is blocked
  • IP_LOCK_MINUTES=5 - the period of time (minutes) during which violation attempts from an IP are counted; attempts older than IP_LOCK_MINUTES are not counted

How to apply settings

To apply new settings from /etc/pam_imunify/i360.ini, run the following command:

systemctl restart imunify360-pam

How it works

During the last XXX_LOCK_MINUTES, the plugin counts login failures (unsuccessful login attempts). If the number of attempts reaches the threshold XXX_LOCK_ATTEMPTS, the PAM plugin blocks access for XXX_LOCK_TIMEOUT minutes. After that, the counter is reset and the process repeats. Note that the plugin keeps three separate counters, each with its own set of settings, for USER, IP and USER+IP brute-force management (see the values listed above).

Notes

  • If a user is blocked by USER_LOCK_ATTEMPTS, then this user will not have access to the server from any IP
  • If a user is blocked by USER_IP_LOCK_ATTEMPTS, then this user will not have access to the server from that specific IP
  • If an IP is blocked by IP_LOCK_ATTEMPTS, then no user will have access to the server from that specific blocked IP
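The three-counter behaviour described in "How it works" and the notes above can be modelled in a few dozen lines. This is an added example, not the imunify360-pam module's code: the i360.ini copy is constructed from the documented defaults, the clock is in seconds, the "reached the threshold" comparison is taken as >=, and the login-failure events (IPs from the documentation ranges) are invented for the run.

```python
from collections import defaultdict, deque

# Added example (not the imunify360-pam module's code): a model of the three
# sliding-window lock counters (USER, USER+IP, IP) driven by i360.ini values.
# The >= comparison, second-based clock and sample events are assumptions.

# Constructed copy of /etc/pam_imunify/i360.ini with the documented defaults.
SAMPLE_INI = """
USER_LOCK_TIMEOUT=5
USER_LOCK_ATTEMPTS=10
USER_LOCK_MINUTES=5
USER_IP_LOCK_TIMEOUT=5
USER_IP_LOCK_ATTEMPTS=10
USER_IP_LOCK_MINUTES=5
IP_LOCK_TIMEOUT=5
IP_LOCK_ATTEMPTS=10
IP_LOCK_MINUTES=5
"""


def parse_ini(text: str) -> dict:
    """Parse bare KEY=VALUE lines; blank lines and #/; comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = int(value.strip())
    return cfg


class LockCounter:
    """Failures inside a window of MINUTES; lock for TIMEOUT once ATTEMPTS is reached."""

    def __init__(self, attempts: int, minutes: int, timeout: int):
        self.attempts = attempts
        self.window = minutes * 60
        self.timeout = timeout * 60
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> unlock time

    def is_locked(self, key, now: float) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: reset the counter and start over, as the doc describes.
        del self.locked_until[key]
        self.failures.pop(key, None)
        return False

    def failure(self, key, now: float) -> None:
        if self.is_locked(key, now):
            return
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= self.attempts:
            self.locked_until[key] = now + self.timeout


class BruteForceGuard:
    def __init__(self, cfg: dict):
        def make(prefix: str) -> LockCounter:
            return LockCounter(cfg[f"{prefix}_LOCK_ATTEMPTS"],
                               cfg[f"{prefix}_LOCK_MINUTES"],
                               cfg[f"{prefix}_LOCK_TIMEOUT"])
        self.user, self.user_ip, self.ip = make("USER"), make("USER_IP"), make("IP")

    def blocked_by(self, user: str, ip: str, now: float) -> list:
        """Which of the three counters currently deny this user/IP pair."""
        reasons = []
        if self.user.is_locked(user, now):
            reasons.append("USER")
        if self.user_ip.is_locked((user, ip), now):
            reasons.append("USER_IP")
        if self.ip.is_locked(ip, now):
            reasons.append("IP")
        return reasons

    def login_failed(self, user: str, ip: str, now: float) -> list:
        for counter, key in ((self.user, user), (self.user_ip, (user, ip)), (self.ip, ip)):
            counter.failure(key, now)
        return self.blocked_by(user, ip, now)


def demo() -> dict:
    guard = BruteForceGuard(parse_ini(SAMPLE_INI))
    r = {}
    # 1) One IP hammers one mailbox: 10 failures in 45 seconds (constructed events).
    for i in range(10):
        r["after_burst"] = guard.login_failed("alice", "203.0.113.7", i * 5.0)
    r["alice_other_ip"] = guard.blocked_by("alice", "198.51.100.5", 60.0)   # USER lock
    r["bob_same_ip"] = guard.blocked_by("bob", "203.0.113.7", 60.0)         # IP lock
    r["bob_other_ip"] = guard.blocked_by("bob", "198.51.100.5", 60.0)       # untouched
    r["after_timeout"] = guard.blocked_by("alice", "203.0.113.7", 45.0 + 5 * 60 + 1)
    # 2) Password spray: 10 different mailboxes, once each, from one IP.
    for i in range(10):
        r["spray"] = guard.login_failed(f"user{i}", "192.0.2.9", 10_000.0 + i)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The run shows why three counters matter: a burst against one mailbox trips all three locks, the USER lock then follows the account to other IPs, the IP lock covers other accounts from the same address, and a low-and-slow spray that never repeats a mailbox is still caught by the IP counter alone.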

SMTP Traffic Manager 4.6+ Experimental

SMTP traffic management provides more control over SMTP traffic.

An administrator can redirect mail traffic to the local MTA, block it completely, or keep it available for local mails only. Administrators can also block particular ports and whitelist specific users or groups for outgoing mail.

This feature extends the existing cPanel "Block SMTP" functionality with more control and capabilities, and replaces the similar functionality from CSF.

You can enable the SMTP Traffic Management in the Settings:

  • SMTP ports - a list of the ports to be blocked. The defaults are 25, 587 and 465.
  • Allow users - a list of the users to be ignored (not blocked). By default it is empty. This includes Unix and cPanel users (if a process that sends an email has the UID of one of the allow_users, it will not be blocked).
  • Allow groups - a list of the groups to be ignored (not blocked). By default it is empty. This includes Unix and cPanel groups (if a process that sends an email belongs to one of the allow_groups, it will not be blocked).
  • Allow local - block all except the local SMTP (localhost). By default it is disabled.
  • Redirect to local - enable automatic redirection of outgoing mail traffic to the local ports. By default it is disabled.

To enable these settings via a direct config file update rather than the UI, edit this file:

/etc/sysconfig/imunify360/imunify360.config

The config file should show:

SMTP_BLOCKING:
  allow_groups:
    - mailacc
  allow_local: true
  allow_users: []
  enable: true
  ports:
    - 25
    - 587
    - 465
  redirect: true
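To check how a given SMTP_BLOCKING configuration will treat outgoing connections before enabling it, a dry-run evaluator like the one below is useful. This is an added example, not Imunify360's code: the order in which the options are consulted (managed port, allow_users, allow_groups, allow_local, redirect), the REDIRECT/BLOCK/ALLOW verdicts and the sample connection records are assumptions made for the illustration.

```python
# Added example (not Imunify360 code): a dry-run evaluator for the SMTP_BLOCKING
# section. The decision order (port check, allow lists, allow_local, redirect)
# and the connection records are assumptions made for illustration.

SMTP_BLOCKING = {           # same values as the config file shown above
    "enable": True,
    "ports": [25, 587, 465],
    "allow_users": [],
    "allow_groups": ["mailacc"],
    "allow_local": True,
    "redirect": True,
}

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}


def decide(cfg: dict, conn: dict) -> str:
    """Return ALLOW, BLOCK or REDIRECT for one outgoing connection attempt.

    conn = {"user": str, "groups": [str], "dst_host": str, "dst_port": int}
    """
    if not cfg.get("enable"):
        return "ALLOW"
    if conn["dst_port"] not in cfg["ports"]:
        return "ALLOW"                       # not an SMTP port under management
    if conn["user"] in cfg["allow_users"]:
        return "ALLOW"                       # user explicitly ignored
    if set(conn["groups"]) & set(cfg["allow_groups"]):
        return "ALLOW"                       # one of the process's groups is ignored
    if cfg["allow_local"] and conn["dst_host"] in LOCAL_HOSTS:
        return "ALLOW"                       # the local MTA stays reachable
    if cfg["redirect"]:
        return "REDIRECT"                    # steer to the local MTA instead
    return "BLOCK"


def evaluate(cfg: dict, conns: list) -> dict:
    """Map each named connection attempt to its verdict."""
    return {c["name"]: decide(cfg, c) for c in conns}


# Constructed connection attempts, as a process-level filter would see them.
SAMPLE_CONNS = [
    {"name": "php_to_external_25", "user": "siteowner", "groups": ["siteowner"],
     "dst_host": "198.51.100.25", "dst_port": 25},
    {"name": "php_to_local_mta", "user": "siteowner", "groups": ["siteowner"],
     "dst_host": "127.0.0.1", "dst_port": 25},
    {"name": "mta_relay_587", "user": "mailnull", "groups": ["mailacc"],
     "dst_host": "198.51.100.25", "dst_port": 587},
    {"name": "https_unrelated", "user": "siteowner", "groups": ["siteowner"],
     "dst_host": "198.51.100.25", "dst_port": 443},
]

if __name__ == "__main__":
    for name, verdict in evaluate(SMTP_BLOCKING, SAMPLE_CONNS).items():
        print(f"{name:22} {verdict}")
```

With the configuration from the page, a web process trying to reach an external port 25 is redirected to the local MTA, the same process talking to localhost is allowed, a process in the mailacc group is never interfered with, and non-SMTP ports are untouched; setting redirect to false turns the first case into a hard block.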

Troubleshooting and FAQ

What if the "Conflict with WHM >> SMTP Restrictions" message is shown?

WHM SMTP Restrictions must be disabled in cPanel for SMTP Traffic Management to work.

To disable it, log in to the cPanel WHM portal, select SMTP Restrictions on the left sidebar and disable it.