Issue
What entries in the Imunify360 console.log might be useful to investigate the attack and the blocking of the IP address?
Applies to
- Imunify360 console.log
Resolution
In the system, the log is available via the following path: /var/log/imunify360/console.log
An IP address can appear in the Gray List on the server due to:
- suspicious activity detected from the IP locally
- after synchronizing the Gray List with the Imunify correlation server
In both cases, the Imunify360 log will have a relevant entry about what happened.
Below are examples of log entries for local IP blocking and for blocking after synchronization with the correlation server. The setup used for the examples:
- The attacker's IP here is 10.51.48.37.
- The server IP (and the "domain" in the entries) is 10.51.48.14.
- The Imunify360 ModSecurity vendor is installed.
- WebShield is enabled and CAPTCHA_DOS has max_count set to 20.
- The standard ModSecurity test query is used for the attack.
Blocking due to suspicious activity
The attack on the website was detected for the first time:
INFO [2021-07-30 07:02:32,723] defence360agent.internals.the_sink:
SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec',
'attackers_ip': '10.51.48.37', 'rule': '33312', 'access_denied':
True, 'severity': 2, 'tag': ['service_i360custom'], 'modsec_version':
'2.9.3', 'status_code': '406', 'engine_mode': 'ENABLED', 'advanced':
{'headers': [['User-Agent', 'Wget/1.20.3 (linux-gnu)'], ['Accept', '*/*'],
['Accept-Encoding', 'identity'], ['Host', '10.51.48.14'], ['Connection',
'Keep-Alive']], 'uri': '/', 'http_method': 'GET'}, 'user_id':
'f3b2695019f5202cda32488a2bfd3237ea9d4b4e', 'message': 'IM360 WAF:
Testing the IM360 ModSecurity ruleset||User:root||T:APACHE||',
'name': 'IM360 WAF: Testing the IM360 ModSecurity ruleset', 'timestamp':
1627628552.7020054, 'domain': '10.51.48.14'}) processed in 0.0209 seconds
The attacker continued to make requests and was added to the Gray List:
INFO [2021-07-30 07:02:33,905] defence360agent.internals.the_sink:
SensorAlert({'method': 'ALERT', 'plugin_id': 'modsec', 'attackers_ip':
IPv4Network('10.51.48.37/32'), 'rule': '33312', 'access_denied': True,
'severity': 2, 'tag': ['service_i360custom'], 'modsec_version': '2.9.3',
'status_code': '406', 'engine_mode': 'ENABLED', 'advanced': {'headers':
[['User-Agent', 'Wget/1.20.3 (linux-gnu)'], ['Accept', '*/*'],
['Accept-Encoding', 'identity'], ['Host', '10.51.48.14'], ['Connection',
'Keep-Alive']], 'uri': '/', 'http_method': 'GET'}, 'user_id':
'f3b2695019f5202cda32488a2bfd3237ea9d4b4e', 'message': 'IM360 WAF:
Testing the IM360 ModSecurity ruleset||User:root||T:APACHE||', 'name':
'IM360 WAF: Testing the IM360 ModSecurity ruleset', 'timestamp':
1627628553.7951908, 'domain': '10.51.48.14', 'properties': {'ttl': 300,
'expiration': 1627628853, 'deep': 0}}) processed in 0.1009 seconds
INFO [2021-07-30 07:02:33,916] defence360agent.internals.the_sink:
BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network
('10.51.48.37/32'), 'GRAY'): {'expiration': 1627628853}}, 'unblocklist':
[]}) processed in 0.0359 seconds
If the attack on the site continues and the CAPTCHA challenge is not passed, the attacker's IP will be moved to the Black List once the CAPTCHA_DOS limit is reached.
The attacker continues to make requests:
INFO [2021-07-30 07:11:03,154] defence360agent.internals.the_sink:
CaptchaEvent({'method': 'CAPTCHA', 'plugin_id': 'ossec', 'rule': 31124,
'attackers_ip': IPv4Network('10.51.48.37/32'), 'timestamp': 1627629063.1383533,
'message': '10.51.48.37 - - [30/Jul/2021:07:11:01 +0000]
"GET /?i360test=88ff0adf94a190b9d1311c8b50fe2891c85af732 HTTP/1.1" 200 20786
10.51.48.14 "-" "Wget/1.20.3 (linux-gnu)" WL:"0" "-" XFF:"-" CAPTCHA:"1"
PEER:10.51.48.37', 'severity': 1, 'name': 'Nginx access log message', 'event':
'REQUESTED', 'is_ajax': False}) processed in 0.0153 seconds
And its IP is moved from the Gray List to the Black List:
INFO [2021-07-30 07:11:03,233] im360.model.firewall: Removed 10.51.48.37/32
from ['GRAY'] lists
INFO [2021-07-30 07:11:03,233] im360.model.firewall: Put 10.51.48.37/32 on
the BLACK list
INFO [2021-07-30 07:11:03,250] defence360agent.internals.the_sink:
CaptchaDosAlert({'method': 'CAPTCHA_DOS_ALERT', 'attackers_ip':
IPv4Network('10.51.48.37/32'), 'expiration': 1628493063, 'ttl':
864000, 'retries': 21, 'timestamp': 1627629063.2020597, 'message':
'Blacklisted for 10 days after 21 captcha requests'}) processed
in 0.0480 seconds
INFO [2021-07-30 07:11:03,277] defence360agent.internals.the_sink:
BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network
('10.51.48.37/32'), 'BLACK'): {'expiration': 1628493063}}, 'unblocklist':
[(IPv4Network('10.51.48.37/32'), 'GRAY')]}) processed in 0.0408 seconds
After this event, the IP address will remain in the Black List until the TTL expires or until it is manually removed from the list.
Blocking after the List synchronization
When an IP address gets into the Gray List via synchronization with the Imunify360 correlation server, the following entries will appear in the log:
INFO [2021-08-03 07:45:43,725] defence360agent.internals.the_sink:
SynclistResponse({'method': 'SYNCLIST', 'blocklist': {IPv4Network
('10.51.48.37/32'): {'rule': '', 'ttl': 2147483, 'deep': 6,
'expiration': 1630124222, 'action_type': 'splashscreen'}, IPv4Network
('44.33.22.11/32'): {'rule': '', 'ttl': 2147483, 'deep': 6,
'expiration': 1630124222, 'action_type': 'splashscreen'}},
'unblocklist': {}, '__debug__': {'class_name': 'Synclist'}})
processed in 1.2124 seconds
INFO [2021-08-03 07:45:43,754] defence360agent.internals.the_sink:
BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network
('10.51.48.37/32'), 'GRAY_SPLASHSCREEN'): {'expiration': 1630124222},
(IPv4Network('44.33.22.11/32'), 'GRAY_SPLASHSCREEN'): {'expiration':
1630124222}}, 'unblocklist': []}) processed in 0.0612 seconds
Here, the IP address 10.51.48.37 was obtained from the correlation server and was added to the Gray List (the GRAY_SPLASHSCREEN list, since the action_type is splashscreen).
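Reading these entries by hand works for one IP, but reconstructing the full chain (INCIDENT, ALERT, BLOCK_UNBLOCK, CAPTCHA, CAPTCHA_DOS_ALERT, SYNCLIST) for an address is quicker with a small parser. The script below is an added example and is not Imunify360's own code: it assumes console.log entries have the shape quoted in this article, one entry per line, with a Python repr payload after the message class name for the_sink entries and free-text messages for im360.model.firewall. The sample log is constructed from the article's entries (joined onto single lines and trimmed); the SYNCLIST scenario uses the article's second IP so that the local and correlation-server cases stay separate. It covers both the "Blocking due to suspicious activity" and "Blocking after the List synchronization" sections above.

```python
"""Rebuild an IP's blocking timeline from Imunify360 console.log entries.

Added example, not Imunify360's own code. Assumed entry shape (one per line):
  LEVEL [YYYY-MM-DD HH:MM:SS,mmm] logger: Message({python repr}) processed in N seconds
for defence360agent.internals.the_sink, or free text for im360.model.firewall.
Anything else (tracebacks, wrapped lines) is skipped.
"""
import ast
import re
from datetime import datetime, timezone

ENTRY_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\] "
                      r"(?P<logger>\S+): (?P<body>.*)$")
SINK_RE = re.compile(r"^(?P<cls>\w+)\((?P<payload>\{.*\})\) processed in [\d.]+ seconds$")
FIREWALL_RE = re.compile(r"^(?:Removed (?P<rm_ip>\S+) from (?P<rm_lists>\[[^\]]*\]) lists"
                         r"|Put (?P<put_ip>\S+) on the (?P<put_list>\w+) list)$")
IPNET_RE = re.compile(r"IPv[46]Network\('([^']+)'\)")

# Constructed sample, rebuilt from the entries quoted in the article.
SAMPLE_LOG = r"""
INFO [2021-07-30 07:02:32,723] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '10.51.48.37', 'rule': '33312', 'access_denied': True, 'severity': 2, 'tag': ['service_i360custom'], 'status_code': '406', 'advanced': {'headers': [['User-Agent', 'Wget/1.20.3 (linux-gnu)'], ['Host', '10.51.48.14']], 'uri': '/', 'http_method': 'GET'}, 'name': 'IM360 WAF: Testing the IM360 ModSecurity ruleset', 'timestamp': 1627628552.7020054, 'domain': '10.51.48.14'}) processed in 0.0209 seconds
INFO [2021-07-30 07:02:33,905] defence360agent.internals.the_sink: SensorAlert({'method': 'ALERT', 'plugin_id': 'modsec', 'attackers_ip': IPv4Network('10.51.48.37/32'), 'rule': '33312', 'access_denied': True, 'severity': 2, 'name': 'IM360 WAF: Testing the IM360 ModSecurity ruleset', 'timestamp': 1627628553.7951908, 'domain': '10.51.48.14', 'properties': {'ttl': 300, 'expiration': 1627628853, 'deep': 0}}) processed in 0.1009 seconds
INFO [2021-07-30 07:02:33,916] defence360agent.internals.the_sink: BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network('10.51.48.37/32'), 'GRAY'): {'expiration': 1627628853}}, 'unblocklist': []}) processed in 0.0359 seconds
INFO [2021-07-30 07:11:03,154] defence360agent.internals.the_sink: CaptchaEvent({'method': 'CAPTCHA', 'plugin_id': 'ossec', 'rule': 31124, 'attackers_ip': IPv4Network('10.51.48.37/32'), 'timestamp': 1627629063.1383533, 'message': '10.51.48.37 - - [30/Jul/2021:07:11:01 +0000] "GET /?i360test=88ff0adf94a190b9d1311c8b50fe2891c85af732 HTTP/1.1" 200 20786 10.51.48.14 "-" "Wget/1.20.3 (linux-gnu)" WL:"0" "-" XFF:"-" CAPTCHA:"1" PEER:10.51.48.37', 'severity': 1, 'name': 'Nginx access log message', 'event': 'REQUESTED', 'is_ajax': False}) processed in 0.0153 seconds
INFO [2021-07-30 07:11:03,233] im360.model.firewall: Removed 10.51.48.37/32 from ['GRAY'] lists
INFO [2021-07-30 07:11:03,233] im360.model.firewall: Put 10.51.48.37/32 on the BLACK list
INFO [2021-07-30 07:11:03,250] defence360agent.internals.the_sink: CaptchaDosAlert({'method': 'CAPTCHA_DOS_ALERT', 'attackers_ip': IPv4Network('10.51.48.37/32'), 'expiration': 1628493063, 'ttl': 864000, 'retries': 21, 'timestamp': 1627629063.2020597, 'message': 'Blacklisted for 10 days after 21 captcha requests'}) processed in 0.0480 seconds
INFO [2021-07-30 07:11:03,277] defence360agent.internals.the_sink: BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network('10.51.48.37/32'), 'BLACK'): {'expiration': 1628493063}}, 'unblocklist': [(IPv4Network('10.51.48.37/32'), 'GRAY')]}) processed in 0.0408 seconds
INFO [2021-08-03 07:45:43,725] defence360agent.internals.the_sink: SynclistResponse({'method': 'SYNCLIST', 'blocklist': {IPv4Network('44.33.22.11/32'): {'rule': '', 'ttl': 2147483, 'deep': 6, 'expiration': 1630124222, 'action_type': 'splashscreen'}}, 'unblocklist': {}, '__debug__': {'class_name': 'Synclist'}}) processed in 1.2124 seconds
INFO [2021-08-03 07:45:43,754] defence360agent.internals.the_sink: BlockUnblockList({'method': 'BLOCK_UNBLOCK', 'blocklist': {(IPv4Network('44.33.22.11/32'), 'GRAY_SPLASHSCREEN'): {'expiration': 1630124222}}, 'unblocklist': []}) processed in 0.0612 seconds
"""

def parse_payload(text):
    """Logged Python repr -> data. IPv4Network(...) is not a literal, so it is
    reduced to its string first; ast.literal_eval never executes code."""
    return ast.literal_eval(IPNET_RE.sub(r"'\1'", text))

def parse_entry(line):
    """One console.log line -> dict, or None for lines that are not entries."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
             "logger": m["logger"], "payload": None, "firewall": None}
    sink = SINK_RE.match(m["body"])
    if sink:
        entry["payload"] = parse_payload(sink["payload"])
    else:
        fw = FIREWALL_RE.match(m["body"])
        if fw:
            entry["firewall"] = fw.groupdict()
    return entry

def _ip_of(net):
    return str(net).split("/")[0]          # '10.51.48.37/32' -> '10.51.48.37'

def _expires(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def timeline(log_text, ip):
    """Every event about `ip` as (time, kind, detail) tuples in log order.
    kind is INCIDENT, ALERT, CAPTCHA, CAPTCHA_DOS_ALERT, SYNCLIST, LIST_ADD,
    LIST_REMOVE or FIREWALL; for LIST_* the detail starts with the list name."""
    events = []
    for line in log_text.splitlines():
        e = parse_entry(line.strip())
        if e is None:
            continue
        t, p, fw = e["time"], e["payload"], e["firewall"]
        if fw:
            if fw["rm_ip"] and _ip_of(fw["rm_ip"]) == ip:
                events.append((t, "FIREWALL", f"removed from {fw['rm_lists']}"))
            elif fw["put_ip"] and _ip_of(fw["put_ip"]) == ip:
                events.append((t, "FIREWALL", f"put on {fw['put_list']}"))
        elif p is None:
            continue
        elif p.get("method") == "BLOCK_UNBLOCK":
            for (net, lst), info in p["blocklist"].items():
                if _ip_of(net) == ip:
                    events.append((t, "LIST_ADD", f"{lst} until {_expires(info['expiration'])}"))
            for net, lst in p["unblocklist"]:
                if _ip_of(net) == ip:
                    events.append((t, "LIST_REMOVE", lst))
        elif p.get("method") == "SYNCLIST":
            for net, info in p["blocklist"].items():
                if _ip_of(net) == ip:
                    events.append((t, "SYNCLIST", f"action={info['action_type']} deep={info['deep']} "
                                                  f"until {_expires(info['expiration'])}"))
        elif "attackers_ip" in p and _ip_of(p["attackers_ip"]) == ip:
            kind = p["method"]
            if kind == "INCIDENT":
                detail = f"{p['plugin_id']} rule {p['rule']} on {p.get('domain')}"
            elif kind == "ALERT":
                detail = f"{p['plugin_id']} rule {p['rule']} ttl={p['properties']['ttl']}"
            elif kind == "CAPTCHA":
                detail = p["event"]
            else:  # CAPTCHA_DOS_ALERT
                detail = f"retries={p.get('retries')}: {p.get('message')}"
            events.append((t, kind, detail))
    return events

def graylist_origin(events):
    """'local' if a local sensor ALERT preceded graylisting, 'correlation-server'
    if a SYNCLIST did, None if the IP was never graylisted."""
    cause = None
    for _, kind, detail in events:
        if kind == "ALERT":
            cause = "local"
        elif kind == "SYNCLIST":
            cause = "correlation-server"
        elif kind == "LIST_ADD" and detail.startswith("GRAY"):
            return cause
    return None

def current_lists(events):
    """Lists the IP is on after replaying every BLOCK_UNBLOCK event."""
    lists = set()
    for _, kind, detail in events:
        if kind == "LIST_ADD":
            lists.add(detail.split()[0])
        elif kind == "LIST_REMOVE":
            lists.discard(detail.split()[0])
    return lists

if __name__ == "__main__":
    for ip in ("10.51.48.37", "44.33.22.11"):
        ev = timeline(SAMPLE_LOG, ip)
        print(f"{ip}: graylisted via {graylist_origin(ev)}, now on {sorted(current_lists(ev))}")
        for t, kind, detail in ev:
            print(f"  {t:%Y-%m-%d %H:%M:%S} {kind:<18} {detail}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/imunify360/console.log. The payload is parsed with ast.literal_eval rather than eval(), because the log text is attacker-influenced (request headers and URIs are embedded in it) and must never be executed. The graylist_origin check answers the article's question directly: an ALERT from a local sensor before the first GRAY entry means local detection, a SYNCLIST before it means the address came from the correlation server.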
Events and Incidents Lookup Feature
Logs contain a lot of information, but they are not always the handiest way to find the reason for a block. In addition to the logs, a separate tool is available to server administrators in CLN: the Events and Incidents Lookup feature.
Additional detail about this feature is available in the blog article: https://blog.imunify360.com/events-and-incidents-lookup-feature.