Skip to main content
Sign in

CloudLinux Knowledge Base

  1. CloudLinux
  2. Imunify Security Products
  3. How do I

Why the IP address is added to the graylist / RBL? How to remove the IP address from the graylist?

Vladislav Dagaev
  • Updated

Issue

Why the IP address is added to the graylist / RBL? How to remove the IP address from the graylist?

Environment

  • Imunify360

Cause

Understanding the RBL Feature in Imunify360

Imunify360 includes a powerful feature known as the Remote Blackhole List (RBL). This system analyzes incoming requests to websites hosted on servers with Imunify360 installed. If suspicious activity is detected, the corresponding IP address may be added to either the RBL or the Gray List.

 

When can an IP Address be added to the RBL?

An IP address may be added to the RBL in the following cases:

  • Brute-force attacks: Multiple failed login attempts to websites or services.
  • Suspicious requests triggering mod_security (WAF) rules:
    • This includes both default and custom security rules.
  • If Anti-Bot Protection is enabled:
    • Automated requests will be restricted.
    • This does not apply to IP addresses in the global allowlist, which you can review here.
  • If you or your developer are testing your website for vulnerabilities or using incorrect login credentials in a script, the IP address may be temporarily added to the RBL as well.

What happens when an IP address is added to the RBL?

If an IP address is added to the RBL, the following restrictions will apply:

  1. Website Access:

    • When attempting to visit a website, the user will see a page notifying them that "Please wait while your request is being verified". If the request passes the verification, the website visitor will be able to access the website.
    • Automated bots will not be able to bypass this challenge.
  2. FTP/SSH and other protected services:
    • Connections to these services will be denied.
    • The IP address must successfully pass a JavaScript challenge on any website hosted on the server to regain access.

Solution

What do you do if an IP address is in the RBL? 

1. If you do not recognize the Blocked IP Address:

  • The system will continue monitoring the activity.
  • If the suspicious behavior persists, the block duration will increase over time.
  • No need for additional actions on your end.

2. If you recognize the blocked IP address (your own, a developer’s, or a known service’s) and you want to unblock it:

The IP address will be delisted when it stops performing suspicious activities. If you want to allow connections to your server from such an IP address, please follow these recommendations:

  • For browser-based requests:

    • Simply complete the JavaScript challenge on any website hosted on the server.
    • The IP will be locally whitelisted for 24 hours (default value after_unblock_timeout = 1440 minutes in imunify360.config).
    • You can change this default duration using the following command: 
       imunify360-agent config update '{"AUTO_WHITELIST": {"after_unblock_timeout": 1440}}'

  • For automated and browser-based requests:

  • For automated requests - for debugging and testing purposes only:
    One additional but not recommended option is to disable Anti-Bot protection (if you want to allow all automated requests). It is acceptable for debugging or testing. You can read about it here.

By understanding how Imunify360’s RBL works, you can better manage access restrictions and ensure security without unnecessary disruptions. If you need further assistance, feel free to reach out to our support team.

Comments

0 comments

Please sign in to leave a comment.

Related articles