How to run Imunify360 in stand-alone mode on a Linux server

Note

Prior to version 4.5, Imunify360 supported cPanel, Plesk, and DirectAdmin control panels only. Starting from v4.5, Imunify360 could be run on any CloudLinux OS, CentoOS 6/7, RHEL 6/7, and Ubuntu 16.04/18.04 systems without requiring any of these web panels to be installed. Imunify360 can be run with any web panel, as the UI is implemented using the single-page application (SPA) approach.

Note

The current version of Imunify360 requires Apache web-server.

Below you can find the steps to install and run Imunify360 in stand-alone mode (without panel) or within any hosting panel.

What Imunify360 requires to run properly

There are some basic steps to run Imunify360 as a stand-alone application.

  1. Define a way to serve web-based UI
  2. Configure a user authentication process
  3. Implement integration scripts that provide Imunify360 with necessary information such as a list of users, domains hosted on the server, panel administrators, general panel info
  4. Install prerequisites such as ModSecurity and remoteip web server modules
  5. Configure ModSecurity integration
  6. Configure malware scanner integration

Warning

Imunify Web-UI PHP code has to be executed under a user which has access to /var/run/defence360agent/non_root_simple_rpc.sock. If it runs in CageFS, you'll need to configure it accordingly.

How to configure Imunify360 UI

Note

Imunify UI requires the proc_open PHP function to be enabled. If you are unable to log in, you might see a related message in the errror.log of the web-server. If so, please remove it from the disable_functions list in php.ini.

Create the /etc/sysconfig/imunify360/integration.conf file with the ui_path option defining a path that will serve web-based UI. For example:

[paths]
ui_path = /var/www/vhosts/imunify360/imunify360.hosting.example.com/html/im360

Imunify360 will automatically copy UI files there during installation/upgrade.

Note

Ensure that the domain you are going to use for the Imunify360 web-based UI refers to this path and that there are no other scripts or files under ui_path, as they might be overridden by the Imunify360 installation.

How to configure authentication for Imunify360 (optional)

Imunify360 can use PAM to authenticate users. Once the UI is opened, the user sees a sign-in form. The credentials are checked via PAM.

You can specify which PAM service Imunify360 should use with the SERVICE_NAME option:

[PAM]
SERVICE_NAME = system-auth

If it is not specified, the system-auth service is used.

By default, root is considered to be the only admin user. To add more administrators, list them in the /etc/sysconfig/imunify360/auth.admin file or specify the admins option in the /etc/sysconfig/imunify360/integration.conf:

ini
[integration_scripts]
admins = /path/to/get-admins-script.sh

It should point to an executable file that generates a JSON file similar to the following:

{
  "data": [
    {
      "name": "admin1",
      "unix_user": "admin",
      "locale_code": "EN_us",
      "email": "admin1@domain.zone",
      "is_main": true
    },
	{
      "name": "admin2",
      "unix_user": "admin",
      "locale_code": "Ru_ru",
      "email": "admin2@domain.zone",
      "is_main": false
    },
  ],
  "metadata": {
    "result": "ok"
  }
}

How to provide Imunify360 with an actual list of users (optional)

By default, Imunify360 will use Linux system users, limited by UID_MIN and UID_MAX from /etc/login.defs

If you want to see a specific list of users (note, that all of them must be real Linux users accessible via PAM), you can specify the users option in the /etc/sysconfig/imunify360/integration.conf:

[integration_scripts]
users = /path/to/get-users-script.sh

It should point to an executable file that generates a JSON file similar to the following (domains are optional):

{
  "data": [
    {
      "id": 1000,
      "username": "ins5yo3",
      "owner": "root",
      "domain": "ins5yo3.com",
      "package": {
        "name": "package",
        "owner": "root"
      },
      "email": "ins5yo3@ins5yo3.com",
      "locale_code": "EN_us"
    },
    {
      "id": 1001,
      "username": "ins5yo4",
      "owner": "root",
      "domain": "ins5yo4.com",
      "package": {
        "name": "package",
        "owner": "root"
      },
      "email": "ins5yo4@ins5yo4.com",
      "locale_code": "EN_us"
    }
  ],
  "metadata": {
    "result": "ok"
  }
}

Note

Any type of an executable file is acceptable. For example, you can use a Python or PHP script.

Data description

Key Nullable Description
id False ID of the UNIX account in the system.
username False The name of the UNIX account in the system.
owner True The name of the account owner in the control panel. The owner can be an administrator (in this case he should be included in the admins() output) or a reseller (in this case he should be included in the resellers() output).
locale_code True The control panel locale selected by a user.
email True Email of the account user. If there is no email, it should return null.
domain True The main domain of a user.
package True Information about the package to which a user belongs to. If the user doesn’t belong to any package, it should return null.
package.name False The name of the package to which a user belongs to.
package.owner True The owner of the package to which a user belongs to (reseller or administrator).

How to provide information about domains

Specify DOMAINS option in the /etc/sysconfig/imunify360/integration.conf:

[integration_sctipts]
domains = /path/to/get-domains-script.sh

It should point to an executable file that generates a JSON file similar to the following:

{
  "data": {
    "example.com": {
      "document_root": "/home/username/public_html/",
      "is_main": true,
      "owner": "username",
    },
    "subdomain.example.com": {
      "document_root": "/home/username/public_html/subdomain/",
      "is_main": false,
      "owner": "username",
    }
  },
  "metadata": {
    "result": "ok"
  }
}

web_server_config_path should point to a path that is added as IncludeOptional in this domain's virtual host e.g., /path/to/example.com/specific/config/to/include path should be added for the example.com domain.

How to provide information about the control panel

Specify panel_info option in the /etc/sysconfig/imunify360/integration.conf:

[integration_scripts]
panel_info = /path/to/get-panel-info-script.sh

It should point to an executable file that generates a JSON file similar to the following:

{
	"data": {
		"name": "SomeCoolWebPanel",
		"version": "1.0.1",
		"user_login_url": "https://{domain}:1111/"
	},
	"metadata": {
		"result": "ok"
	}
}

How to install Imunify360

Prerequisites

Now everything is ready to install Imunify360.

The installation instructions are the same as for cPanel/Plesk/DirectAdmin version, and can be found in the documentation.

How to configure ModSecurity integration

Configure ModSecurity configuration directives (so that it can block):

SecAuditEngine = "RelevantOnly"
SecConnEngine = "Off"
SecRuleEngine = "On"

Update your your web server config: add IncludeOptional that points to the /etc/sysconfig/imunify360/generic/modsec.conf file. Create the file if it doesn't exist, otherwise, the web server might not start until Imunify360 is installed (which creates the file).

Set in integration.conf:

  • [web_server].server_type​ – apache/litespeed
  • [web_server].graceful_restart_script​ – a script that restarts the web server to be called after any changes in web server config or ModSecurity rules.
  • [web_server].modsec_audit_log​ – path to ModSecurity audit log file
  • [web_server].modsec_audit_logdir​ – path to ModSecurity audit log dir

Example:

[web_server]
server_type = apache
graceful_restart_script = /path/to/a/script/that/restarts/web-server/properly
modsec_audit_log = /var/log/httpd/modsec_audit.log
modsec_audit_logdir = /var/log/modsec_audit

How to configure ModSecurity domain level integration

To enable domain-specific ModSecurity configuration, specify modsec_domain_config_script in the integration.conf:

[web_server]
modsec_domain_config_script = /path/to/inject/domain/specific/config/script.sh

It should point to an executable file that accepts as an input a list of domain-specific web server settings and injects them into the server config. The standard input (stdin) is given in the JSON Lines format similar to:

{"user": "username", "domain": "example.com", "config": "modsec config text"}
{"user": "another", "domain": "another.example.com", "config": "..."}

Each line contains config for a single domain e.g., it may contain rule tags excluded for the domain.

The script should also restart the web server to apply the configuration. This should be done so that the script could implement the check that web server comes up after config change, and reset configuration if it doesn't.

If configuration change failed, the script should return 1, and in the standard error stream (stderr) it should return the reason for failure. On success, the script should return 0.

In a single run of the script, we might update a single domain/user, as well as multiple users (all users) on the system.

How to configure malware scanner integration

To scan files uploaded via FTP, configure PureFTPd. Write in the pure-ftp.conf:

CallUploadScript             yes

To scan files for changes (to detect malware) using inotify, configure which directories to watch and which to ignore in the integration.conf file:

  • configure [malware].basedir – a root directory to watch (recursively)
  • configure [malware].pattern_to_watch – only directories that match this (Python) regex in the basedir are actually going to be watched

Examples for already supported panels:

  • cPanel
basedir = /home
pattern_to_watch = ^/home/.+?/(public_html|public_ftp|private_html)(/.*)?$
  • DirectAdmin
basedir = /home
pattern_to_watch = ^/home/(.+?|.+?/domains/.+?)/(public_html|public_ftp|private_html)(/.*)?$
  • Plesk
basedir = /var/www/vhosts/
pattern_to_watch = ^/var/www/vhosts/.+?(?<!/.skel|/chroot|/default|/system)(/.+?(?<!/logs|/bin|/chroot|/other-from-VHOST_IGNORE)(/.*)?)?$

How to open Imunify360 UI once Imunify360 is installed

The web-based UI is available via the domain configured in ui_path.

For example, if /var/www/vhosts/imunify360/imunify360.hosting.example.com/html/im360 is the document root folder for the imunify360.hosting.example.com domain, then you could open ImunifyAV with the following URL:

  • https://imunify360.hosting.example.com/ (when you have TLS certificate configured for the domain) or
  • http://imunify360.hosting.example.com/

Extended integration.conf example for reference

integration.conf is a config in which all integration points should be defined. It contains two kinds of fields:

  • A simple variable, for example, [web_server].server_type
  • A path to a script that will return the data for Imunify360, for example, [integration_scripts].DOMAINS.
[integration_scripts]
panel_info = /opt/cpvendor/bin/panel_info
users = /opt/cpvendor/bin/users
domains = /opt/cpvendor/bin/vendor_integration_script domains
admins = /opt/cpvendor/bin/vendor_integration_script admins

[paths]
ui_path = /var/www/vhosts/im360/im360.example-hosting.com/html

[web_server]
server_type = apache
graceful_restart_script = /path/to/a/script/that/restarts/web-server/properly
modsec_audit_log = /var/log/httpd/modsec_audit.log
modsec_audit_logdir = /var/log/modsec_audit

[malware]
basedir = /home
pattern_to_watch = ^/home/.+?/(public_html|public_ftp|private_html)(/.*)?$

Unless otherwise stated, the expected output/error handling for the integrations scripts follows https://docs.cloudlinux.com/control_panel_integration/#expected-structure-of-replies interface.

Further steps

Detailed instructions on how to use Imunify360 can be found in the Imunify360 documentation.

If you have any questions or experience any issues regarding the product, submit a ticket to our technical support team. For feature requests, just drop us an email to feedback@imunify360.com.