Issue
Imunify360 administrators may want to restrict port 2087 through CSF, but with CSF integration enabled they may still see traffic on that port because of WebShield.
Environment
- Imunify360
- cPanel
- CSF
Solution
Since CSF integration is enabled, the reported behavior is expected: in that mode Imunify360 adds the flagged IP address to its Gray list and removes it from the CSF deny/tempdeny lists, as described at docs.imunify360.com/ids_integration/#_3-rd-party-integration-mode.
Feel free to disable the integration and leave WebShield active:
imunify360-agent config update '{"CSF_INTEGRATION": {"catch_lfd_events": false}}'
In that case CSF will continue blocking IP addresses according to PS_LIMIT, but Imunify360 will neither remove them from the CSF lists nor move them to its Gray list.
Cause
When Imunify360 integration with CSF is enabled:
CSF_INTEGRATION:
  catch_lfd_events: true
Imunify360 starts using this approach:
- The main setting that defines how Imunify360 works along with CSF is the 3-rd Party Integration switch (the config file equivalent is CSF_INTEGRATION.catch_lfd_events).
- When 3-rd Party Integration mode is enabled, Imunify360 uses the Login Failure Daemon (LFD) as the source of security events instead of OSSEC. To receive events from LFD, Imunify360 automatically sets the CSF BLOCK_REPORT variable to the file path of an Imunify360 script. When an IP address is blocked by LFD, Imunify360 adds it to its Gray list and then removes it from the CSF deny/tempdeny lists. The latter is done so that the IP can be unblocked by passing the Splash Screen challenge and so that all automatically blocked IP addresses are stored in a single place. Thus, no IP is automatically added to the CSF deny/tempdeny lists.
Accordingly, Imunify360 uses LFD events as the source for graylisting abuser IP addresses. Opening a WHM link a few times triggers CSF according to the PS_LIMIT settings and CSF tries to block the IP, but because of the integration mode Imunify360 removes it from the CSF deny list and puts it into the Imunify360 Gray list, which is why the Splash Screen is shown. After the Splash Screen is passed, WebShield forwards the initial request to the endpoint (port 2087) over internal communication (localhost), bypassing the CSF blocks.
In other words, if this integration is enabled and a visitor passes Splash Screen, access will be granted.
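As an added diagnostic (not from this article or from Imunify360's own tooling), the following POSIX shell script reads the two settings behind this behavior, CSF_INTEGRATION.catch_lfd_events and the CSF BLOCK_REPORT hook, and reports whether an LFD-blocked IP will end up in the CSF deny lists or in the Imunify360 Gray list. It runs against constructed sample files; the real paths /etc/sysconfig/imunify360/imunify360.config and /etc/csf/csf.conf are assumed defaults, and the block-report script path in the sample is a placeholder.

```shell
#!/bin/sh
# Added diagnostic, not part of the KB article or of Imunify360's own tooling.
# It reads the two settings that decide where an LFD-blocked IP ends up:
# CSF_INTEGRATION.catch_lfd_events in the Imunify360 config and the BLOCK_REPORT
# hook in csf.conf. demo() uses constructed sample files; the real locations are
# assumed to be /etc/sysconfig/imunify360/imunify360.config and /etc/csf/csf.conf.

# Print the lower-cased value of CSF_INTEGRATION.catch_lfd_events, or "unset".
# Handles only the two-level "SECTION:\n  key: value" layout, not arbitrary YAML.
csf_integration_enabled() {
    awk '
        /^[^ \t#]/ { section = $1 }   # top-level key such as CSF_INTEGRATION:
        section == "CSF_INTEGRATION:" && $1 == "catch_lfd_events:" { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print the BLOCK_REPORT value from csf.conf with surrounding quotes removed
# (empty when CSF is not calling any external block-report script).
csf_block_report() {
    sed -n 's/^BLOCK_REPORT[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1"
}

# Verdict for "why does port 2087 traffic still get through?":
#   graylist - integration on: LFD blocks move to the Imunify360 Gray list and WebShield
#              forwards the request over localhost once the Splash Screen is passed
#   csf-deny - integration off: the IP stays in CSF deny/tempdeny and the firewall drops it
explain_2087_traffic() {
    if [ "$(csf_integration_enabled "$1")" = "true" ]; then echo graylist; else echo csf-deny; fi
}

# Constructed sample configs (illustrative values; the script path is a placeholder).
demo() {
    dir=$(mktemp -d)
    printf 'CSF_INTEGRATION:\n  catch_lfd_events: true\n' > "$dir/imunify360.config"
    printf 'PS_LIMIT = "10"\nBLOCK_REPORT = "/path/to/imunify360-block-report-script"\n' > "$dir/csf.conf"
    echo "catch_lfd_events: $(csf_integration_enabled "$dir/imunify360.config")"
    echo "BLOCK_REPORT:     $(csf_block_report "$dir/csf.conf")"
    echo "verdict:          $(explain_2087_traffic "$dir/imunify360.config")"
    rm -rf "$dir"
}

demo
```

To check a live host, call the functions with the real config paths instead of the demo files; a "graylist" verdict means CSF blocks on port 2087 will be lifted once the Splash Screen is passed.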