1. What is brute-force protection and why is it important?
A brute-force attack is a hacking method that uses an automated system to guess the password to your web server or services.
2. What mechanisms of brute force protection are included in Imunify360?
- RBL-based (via WAF rules) to protect web logins (e.g. CMS logins)
- PAM-based - for services that use PAM.
- OSSEC-based (including Active Response (AR)) - for non-web services
3. How do I know which brute force protection mechanism triggered blocking?
This information is available in the Incidents tab of the Imunify360 UI: see the Sensor field of an incident entry. Both AR-based and PAM-based blocks are listed as OSSEC.
4. How do I adjust brute force detection thresholds?
- You can change limits for WAF rules at `/etc/sysconfig/imunify360/imunify360.config` as described in https://docs.imunify360.com/config_file_description
- The PAM-based threshold can be found in `/etc/pam_imunify/i360.ini`.
- The default timeout for AR-based OSSEC blocks is 600 seconds.
5. How do I disable the rule that triggers false positives?
This can be done in the Incidents list: click on the [Disable rule] icon at the right of the corresponding incident entry. You can also disable a WAF rule for a single domain, like:
# imunify360-agent rules disable --name rulename --id 333310 --plugin modsec --domains your-domain.com
6. What services can be protected by PAM-enabled brute force protection?
Exim/Dovecot (cPanel only) and SSH are supported.
7. Will blocked users see any warning or be redirected to some page (e.g. Captcha for web services)?
None of these three mechanisms triggers greylisting, so blocked users will not be presented with a Captcha challenge.
Note: you need to set SecRuleEngine to "On" for RBL-based WAF blocking to work.
8. How can I disable RBL-based WAF protection?
- If you need to exclude an IP address, add it to the White List (https://docs.imunify360.com/dashboard/#white-list or https://docs.imunify360.com/features/#external-black-whitelist-management) and then run the following command:
# imunify360-agent create-rbl-whitelist
The IP should appear in the corresponding rbl_whitelist file
/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/rbl_whitelist
or
/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/rbl_whitelist
- Other options are:
  - disabling specific WAF rules (as described above)
  - setting SecRuleEngine to "DetectionOnly" (this affects all WAF rules, not only RBL-based ones)
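After running create-rbl-whitelist, a practitioner will want to confirm that the whitelisted address is actually covered by the rbl_whitelist file, including the case where it falls inside a CIDR entry rather than appearing verbatim. The check below is an added example, not Imunify360's own code; it assumes the file holds one IP or CIDR entry per line with "#" comments (the FAQ does not document the format), and falls back to a constructed sample when neither path from the FAQ exists.

```python
"""Verify that an IP is covered by an Imunify360 rbl_whitelist file (added example)."""
import ipaddress
from pathlib import Path

# The two candidate paths named in the FAQ; which one exists depends on the web server.
RBL_WHITELIST_PATHS = [
    "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/rbl_whitelist",
    "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/rbl_whitelist",
]

# Constructed sample content used when no real file is present (not a real whitelist).
SAMPLE_WHITELIST = """# constructed sample
203.0.113.7
198.51.100.0/24
"""


def parse_whitelist(text):
    """Parse whitelist text into ip_network objects.

    Assumption: one IPv4/IPv6 address or CIDR per line, '#' starts a comment.
    Lines that are not valid addresses are skipped rather than aborting the check.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return networks


def is_whitelisted(ip, text):
    """True if `ip` is listed verbatim or falls inside any CIDR entry in `text`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_whitelist(text))


def find_whitelist_file(paths=RBL_WHITELIST_PATHS):
    """Return the first existing rbl_whitelist path, or None."""
    return next((p for p in paths if Path(p).is_file()), None)


if __name__ == "__main__":
    path = find_whitelist_file()
    text = Path(path).read_text() if path else SAMPLE_WHITELIST
    for ip in ("203.0.113.7", "198.51.100.42", "192.0.2.1"):
        print(f"{ip}: {'whitelisted' if is_whitelisted(ip, text) else 'NOT whitelisted'}")
```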
9. How do I disable PAM-enabled brute force protection?
This is possible by running:
# imunify360-pam disable
You can enable it back by running:
# imunify360-pam enable
You can check PAM-based protection status and services protected by running:
# imunify360-pam status
10. How do I disable OSSEC-based protection?
You can disable the Active Response mechanism on the Settings page of the Imunify360 UI.
OSSEC IDS can be disabled completely only by activating 3rd Party Integration with CSF.
11. Additional info
Additional details about this feature can also be viewed here