IDS Integrations

CSF Integration

ConfigServer Security & Firewall (CSF) integration is intended to allow to use CSF along with Imunify360.

If CSF is disabled then Imunify360 becomes a primary IDS.

  • White List is loaded from CSF. Imunify360 and CSF work without any additional actions.
  • Gray List is not imported from CSF but it is possible to view and manage Gray List in Imunify360 interface. All changes will not be automatically exported to CSF.
  • Black List is not imported from CSF but it is possible to view and manage Black List in Imunify360 interface. All changes will not be automatically exported to CSF.

If CSF is enabled Imunify360 uses Login Failure Daemon (LFD) as source for security events instead of OSSEC. CSF integration is enabled automatically when Imunify360 detects that CSF is running. No additional configuration is needed.

  • Black List, Gray List, and White List can be managed in Imunify360 regardless of CSF.
  • CSF Allow, Deny and Ignore Lists are not automatically imported from CSF. They can still be managed using CSF interface.
  • Imunify360 will not block addresses from CSF Allow and Ignore Lists.

It is possible to enable CSF when Imunify360 is already running. All IP addresses from Imunify360 White List will be exported to CSF ignore list. In about 30 seconds after CSF started, Imunify360 switches to CSF Integration mode.

To check if CSF integration is enabled go to Imunify360 → Firewall tab → White List section and check if there is a warning message "CSF is enabled. Please manage IPs whitelisted in CSF using CSF user interface or config file". It means that CSF and Imunify360 integration processed successfully.

To get events from Login Failure Daemon (LFD), Imunify360 automatically replaces BLOCK_REPORT variable to the file path of Imunify360 script. In CSF integration mode, when some IP address is blocked by LFD, Imunify360, add this IP address to its Graylist and then remove it from CSF deny/tempdeny lists. The latter is done to allow IP to have access to the Captcha and to store all automatically blocked IP addresses in a single place. Thus, no IP automatically added to CSF deny/tempdeny lists.

Mod_security recommendations

When mod_security is configured with SecRuleEngine On (blocking mode), CSF blocks IP addresses by mod_security events. The number of events to block IP address is defined by LF_MODSEC variable in csf.conf. This can lead to a large number of false positives.

We recommend to set LF_MODSEC variable to 0.

In this case, Imunify360 will block IPs only by mod_security events with high severity.

CXS Integration

ConfigServer eXploit Scanner (CXS) has different types of malware scanning, which affects Imunify360 Malware Scanner functionality. Below we describe how to make Imunify360 Malware Scanner work properly. These functionalities can be configured at Malware Scanner settings page, but CXS itself must be configured  as follows:

  1. Automatically scan all modified files

    CXS Watch daemon must be disabled.

  2. Automatically scan any files uploaded using web

    CXS ModSecurity vendor should be disabled.

  3. Automatically scan any file uploaded using ftp

    Imunify360 supports only Pure-FTPd. For Pure-FTPd CXS launches pure-uploadscript for the scan. Any pure-uploadscript used by CXS must be disabled. You can use the following commands to do that:

systemctl stop pure-uploadscript.service stop
systemctl disable pure-uploadscript.service
systemctl restart imunify360
  1. On-Demand scanning

    This type of scanning can be always run by Imunify360 and CXS separately. No special actions required.

Note

Imunify360 doesn’t make any imports from CXS.