IDS Integrations

CSF Integration

It is possible to use ConfigServer Security & Firewall (CSF) along with Imunify360.

Imunify360 automatically detects that CSF is running (you can enable it anytime). Imunify360 Blocked Ports, DoS Protection and SMTP Traffic Manager features are automatically disabled in this case. In general:

  • Black List, Gray List, and White List can be managed in Imunify360 regardless of CSF.
  • CSF Allow, Deny and Ignore Lists are not automatically imported from CSF. They can still be managed using CSF interface.
  • Imunify360 will not block addresses from CSF Allow and Ignore Lists.

To check that running CSF is detected, go to Imunify360 → Firewall tab → White List section and check if there is a warning message "CSF is enabled. Please manage IPs whitelisted in CSF using CSF user interface or config file".

Mod_security recommendations

When mod_security is configured with SecRuleEngine On (blocking mode), CSF blocks IP addresses by mod_security events. The number of events to block IP address is defined by LF_MODSEC variable in csf.conf. This can lead to a large number of false positives.

We recommend to set LF_MODSEC variable to 0.

In this case, Imunify360 will block IPs only by mod_security events with high severity.

3-rd Party Integration mode

The main setting that defines how Imunify360 works along with CSF is 3-rd Party Integration switch. (The config file equivalent is CSF_INTEGRATION.catch_lfd_events). When this mode is disabled (default), CSF and Imunify360 work as two independent solutions (with redundant modules disabled on the Imunify360 side - see above).

When 3-rd Party Integration mode is enabled Imunify360 uses Login Failure Daemon (LFD) as source for security events instead of OSSEC. To get events from Login Failure Daemon (LFD), Imunify360 automatically replaces BLOCK_REPORT variable to the file path of Imunify360 script. When some IP address is blocked by LFD, Imunify360 adds this IP address to its Graylist and then removes it from CSF deny/tempdeny lists. The latter is done to allow the IP to have access to the Captcha and to store all automatically blocked IP addresses in a single place. Thus, no IP is automatically added to CSF deny/tempdeny lists.

CXS Integration

ConfigServer eXploit Scanner (CXS) has different types of malware scanning, which affects Imunify360 Malware Scanner functionality. Below we describe how to make Imunify360 Malware Scanner work properly. These functionalities can be configured at Malware Scanner settings page, but CXS itself must be configured  as follows:

  1. Automatically scan all modified files

    CXS Watch daemon must be disabled.

  2. Automatically scan any files uploaded using web

    CXS ModSecurity vendor should be disabled.

  3. Automatically scan any file uploaded using ftp

    Imunify360 supports only Pure-FTPd. For Pure-FTPd CXS launches pure-uploadscript for the scan. Any pure-uploadscript used by CXS must be disabled. You can use the following commands to do that:

systemctl stop pure-uploadscript.service
systemctl disable pure-uploadscript.service
systemctl restart imunify360
  1. On-Demand scanning

    This type of scanning can be always run by Imunify360 and CXS separately. No special actions required.

Note

Imunify360 doesn’t make any imports from CXS.