- What is brute force protection and why is it important?
A brute force attack is a hacking method that uses an automated system to guess the password to your web server or services.
- What mechanisms of brute force protection are included in Imunify360?
- RBL-based (via WAF rules) to protect web logins (e.g. CMS logins)
- PAM-based - for services that use PAM.
- OSSEC-based (including Active Response (AR)) - for non-web services
- How do I know which brute force protection mechanism triggered blocking?
This information is available in the Incidents tab of the Imunify360 UI - see the Sensor field of an incident entry. Both AR and PAM-based blocks are listed as ossec.
- How do I adjust brute force detection thresholds?
You can change limits for WAF rules at /etc/sysconfig/imunify360/imunify360.config
as described in https://docs.imunify360.com/config_file_description/
The PAM-based threshold can be found in /etc/pam_imunify/i360.ini
The default timeout for AR-based OSSEC blocks is 600 seconds.
- How do I disable a rule that triggers false positives?
This can be done in the Incidents list - click the [Disable rule] icon at the right of the corresponding incident entry. You can also disable a WAF rule for a single domain, like:
# imunify360-agent rules disable --name rulename --id 333310 --plugin modsec --domains your-domain.com
- What services can be protected by PAM-enabled brute force protection?
Only SSH is supported as of the initial release of PAM support (ver 4.4).
- Will blocked users see any warning or be redirected to some page (e.g. a captcha for web services)?
None of these three mechanisms triggers greylisting, so users will not be presented with a Captcha challenge.
Note: you need to set SecRuleEngine to "On" for RBL-based WAF blocking to work.
- How can I disable RBL-based WAF protection?
If you need to exclude an IP, add it to the rbl_whitelist file, which should be located at
/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/rbl_whitelist or in the /etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_litespeed folder.
Other options are disabling specific WAF rules (as described above) and setting SecRuleEngine to "DetectionOnly" (this affects all WAF rules, not only the RBL-based ones).
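As an added example (not Imunify360's own code), here is a small POSIX shell check that ties together the two conditions above: an RBL hit can only block a client when SecRuleEngine is On and the client IP is not listed in rbl_whitelist. The config and whitelist files, their entries and the IPs are constructed for the demo; on a real host point it at the paths given in this FAQ.

```shell
#!/bin/sh
# Added example, not Imunify360 code. Audits whether RBL-based WAF blocking
# can actually fire for a given IP. Paths and entries below are constructed.

# Print the effective SecRuleEngine value from a ModSecurity config file,
# ignoring commented-out directives; the last uncommented directive wins.
# Prints "unset" when the directive is absent or the file is missing.
secrule_engine_mode() {
  conf="$1"
  mode=$(grep -i '^[[:space:]]*SecRuleEngine[[:space:]]' "$conf" 2>/dev/null \
         | tail -n 1 | awk '{print tolower($2)}')
  [ -n "$mode" ] && printf '%s\n' "$mode" || printf 'unset\n'
}

# Return 0 if the IP is an exact entry in rbl_whitelist (one entry per line,
# blank lines and "#" comments ignored), 1 otherwise. Whole-line matching
# avoids treating 198.51.100.1 as listed just because 198.51.100.10 is.
ip_in_rbl_whitelist() {
  wl="$1"; ip="$2"
  [ -f "$wl" ] || return 1
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$wl" \
    | grep -qxF "$ip"
}

# Summarise: "blocks" when an RBL hit would block this IP, else say why not.
rbl_block_status() {
  conf="$1"; wl="$2"; ip="$3"
  mode=$(secrule_engine_mode "$conf")
  if [ "$mode" != "on" ]; then
    printf 'no-block: SecRuleEngine is %s\n' "$mode"
  elif ip_in_rbl_whitelist "$wl" "$ip"; then
    printf 'no-block: %s is in rbl_whitelist\n' "$ip"
  else
    printf 'blocks\n'
  fi
}

# Constructed sample files: a commented-out Off, an overridden DetectionOnly,
# then the effective On; a whitelist with a comment and padded entry.
demo_dir=$(mktemp -d)
printf '# SecRuleEngine Off\nSecRuleEngine DetectionOnly\nSecRuleEngine On\n' \
  > "$demo_dir/modsec.conf"
printf '# trusted office host\n198.51.100.10\n  203.0.113.5  # monitoring\n' \
  > "$demo_dir/rbl_whitelist"

rbl_block_status "$demo_dir/modsec.conf" "$demo_dir/rbl_whitelist" 198.51.100.1
rbl_block_status "$demo_dir/modsec.conf" "$demo_dir/rbl_whitelist" 203.0.113.5
```

The first call prints "blocks" and the second "no-block: 203.0.113.5 is in rbl_whitelist"; with SecRuleEngine set to DetectionOnly every IP reports no-block, which is the behaviour the FAQ describes.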
- How do I disable PAM-enabled brute force protection?
This is possible by running:
# imunify360-pam disable
You can enable it back by running:
# imunify360-pam enable
- How do I disable OSSEC-based protection?
Only the Active Response mechanism can be disabled on its own, on the Settings page of the Imunify360 UI. OSSEC IDS can be disabled completely only by activating coop mode with CSF. See https://docs.imunify360.com/ids_integration/#csf-integration for more details.