Issue
In some cases, when the PAM feature is enabled, accounts can be blocked on the server. For example, the account barsik@sosiski.com was blocked by USERLOCK on the server, and the following record can be found in the secure log:
[IM360_UL] The account barsik@sosiski.com has been temporarily locked by Imunify PAM(1.2.3.4)
Environment
- Imunify360
- Imunify360 PAM
- Any supported OS
- Any supported panel
Solution
There are several ways to solve this issue.
I. Change Imunify's behavior for such cases to block the attacker's IP instead of the account on the server:
1. Open the file /etc/pam_imunify/i360.ini and modify several parameters as described below:
USER_LOCK_TIMEOUT=5
USER_LOCK_ATTEMPTS=50
USER_LOCK_MINUTES=5
USER_IP_LOCK_TIMEOUT=5
USER_IP_LOCK_ATTEMPTS=50
USER_IP_LOCK_MINUTES=5
IP_LOCK_TIMEOUT=5
IP_LOCK_ATTEMPTS=5
IP_LOCK_MINUTES=5
2. Save the file and restart the PAM service:
systemctl restart imunify360-pam
After these changes, blocking by IP takes priority over blocking by username, so when an attack is detected, access is blocked only for the attacking IP address.
II. Add the user to the whitelist:
1. Create a file /var/i360_pam_imunify/users/users.txt
2. Add the username/email to it on a new line:
# cat /var/i360_pam_imunify/users/users.txt
barsik@sosiski.com
3. Save the file and restart the service:
systemctl restart imunify360-pam
In this case, the account will be added to the whitelist and will not be blocked.
III. Clear the database of current locks:
1. Delete the database files (be careful when executing this command):
rm -rf /opt/i360_pam_imunify/db/leveldb/*
2. Restart the service to create a new database:
systemctl restart imunify360-pam
In this case, all current blocking timers will be reset and accounts will be unblocked.
Cause
When the PAM brute-force attack protection feature is enabled, Imunify360 handles attacks on accounts according to the PAM settings. The current blocking settings can be found in the file /etc/pam_imunify/i360.ini using the command:
# cat /etc/pam_imunify/i360.ini | grep "_LOCK_"
USER_LOCK_TIMEOUT=5
USER_LOCK_ATTEMPTS=10
USER_LOCK_MINUTES=5
USER_IP_LOCK_TIMEOUT=5
USER_IP_LOCK_ATTEMPTS=10
USER_IP_LOCK_MINUTES=5
IP_LOCK_TIMEOUT=5
IP_LOCK_ATTEMPTS=100
IP_LOCK_MINUTES=5
If the value for IP blocking (IP_LOCK_ATTEMPTS) is higher than the value for account blocking (USER_LOCK_ATTEMPTS) and the account comes under attack, access to this account will be blocked for all users by USERLOCK (IM360_UL).
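The condition described above can be checked before and after editing the file. The script below is an added example, not part of Imunify360 or of the original article; it assumes i360.ini holds plain KEY=VALUE lines as in the listings on this page, and the function names ini_get and lock_order are hypothetical.

```shell
#!/bin/sh
# Added example: report which Imunify PAM lock threshold is reached first.
# Assumption: the file uses plain KEY=VALUE lines, as shown on this page.

# Print the last value assigned to key $1 in file $2 (empty if absent).
# The match is anchored at line start, so IP_LOCK_ATTEMPTS does not
# also match USER_IP_LOCK_ATTEMPTS.
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p" "$2" | tail -n 1
}

# Print a verdict for the file in $1 and return:
#   0  iplock-first    IP_LOCK_ATTEMPTS <= USER_LOCK_ATTEMPTS
#   1  userlock-first  IP_LOCK_ATTEMPTS >  USER_LOCK_ATTEMPTS (account gets locked)
#   2  invalid         file unreadable, key missing, or value not a number
lock_order() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "invalid"
        return 2
    fi
    user=$(ini_get USER_LOCK_ATTEMPTS "$file")
    ip=$(ini_get IP_LOCK_ATTEMPTS "$file")
    for v in "$user" "$ip"; do
        case $v in
            ''|*[!0-9]*) echo "invalid"; return 2 ;;
        esac
    done
    if [ "$ip" -gt "$user" ]; then
        echo "userlock-first"
        return 1
    fi
    echo "iplock-first"
    return 0
}

# Run against a file only when one is given, e.g.:
#   sh check_lock_order.sh /etc/pam_imunify/i360.ini
if [ $# -gt 0 ]; then
    lock_order "$1"
fi
```

A result of userlock-first means the configuration still matches the situation in the Cause section; iplock-first corresponds to the values set in solution I.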