It is possible to use ConfigServer Security & Firewall (CSF) along with Imunify360.
Imunify360 automatically detects that CSF is running (you can enable it anytime). Imunify360 Blocked Ports, DoS Protection and SMTP Traffic Manager features are automatically disabled in this case. In general:
To check that running CSF is detected, go to Imunify360 → Firewall tab → White List section and check if there is a warning message "CSF is enabled. Please manage IPs whitelisted in CSF using CSF user interface or config file".
When mod_security is configured with SecRuleEngine On (blocking mode), CSF blocks IP addresses by mod_security events. The number of events to block IP address is defined by
LF_MODSEC variable in
csf.conf. This can lead to a large number of false positives.
We recommend to set
LF_MODSEC variable to 0.
In this case, Imunify360 will block IPs only by mod_security events with high severity.
The main setting that defines how Imunify360 works along with CSF is 3-rd Party Integration switch. (The config file equivalent is
CSF_INTEGRATION.catch_lfd_events). When this mode is disabled (default), CSF and Imunify360 work as two independent solutions (with redundant modules disabled on the Imunify360 side - see above).
When 3-rd Party Integration mode is enabled Imunify360 uses Login Failure Daemon (LFD) as source for security events instead of OSSEC. To get events from Login Failure Daemon (LFD), Imunify360 automatically replaces
BLOCK_REPORT variable to the file path of Imunify360 script.
When some IP address is blocked by LFD, Imunify360 adds this IP address to its Graylist and then removes it from CSF deny/tempdeny lists. The latter is done to allow the IP to have access to the Captcha and to store all automatically blocked IP addresses in a single place. Thus, no IP is automatically added to CSF deny/tempdeny lists.
ConfigServer eXploit Scanner (CXS) has different types of malware scanning, which affects Imunify360 Malware Scanner functionality. Below we describe how to make Imunify360 Malware Scanner work properly. These functionalities can be configured at Malware Scanner settings page, but CXS itself must be configured as follows:
Automatically scan all modified files
CXS Watch daemon must be disabled.
Automatically scan any files uploaded using web
CXS ModSecurity vendor should be disabled.
Automatically scan any file uploaded using ftp
Imunify360 supports only Pure-FTPd. For Pure-FTPd CXS launches pure-uploadscript for the scan. Any pure-uploadscript used by CXS must be disabled. You can use the following commands to do that:
systemctl stop pure-uploadscript.service
systemctl disable pure-uploadscript.service
systemctl restart imunify360
This type of scanning can be always run by Imunify360 and CXS separately. No special actions required.
Imunify360 doesn’t make any imports from CXS.