Issue
An IP is matched in the ModSecurity logs and Imunify console.log, but it is not blocked and does not appear in the Imunify360 Incidents UI.
INFO [2021-09-08 13:32:36,006] defence360agent.internals.the_sink:
Rejected: IP in the whitelist -> SensorAlert({'method': 'ALERT', 'plugin_id': 'modsec',
'attackers_ip': IPv6Network('xxxxxxx'), 'rule': '77211190', 'access_denied': True,
'severity': 2, 'tag': ['service_gen'], 'status_code': '403'
Environment
- Imunify360
- ModSecurity
Solution
Most likely this happens because the IP is currently in the whitelist. This can be checked with the following command:
# ipset -L | grep -e "^Name" -e "^1\.2\.3\.4"
One possible reason the IP was added to the whitelist: someone from IP 1.2.3.4 logged on to the server, and Imunify placed this IP in the firewall whitelist with a TTL of 10800 seconds.
INFO [2021-09-08 11:24:12,099] im360.plugins.whitelist_panels_login: Added xxxxx logged in panel to the Whitelist for 10800 seconds
As long as the IP is in the whitelist, it will not be blocked and will not be listed in the Incidents UI, even when events appear in the logs.
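To confirm this from the agent log, the following added example (not part of the original article or of Imunify360's own tooling) pairs each "Rejected: IP in the whitelist" alert with the panel-login whitelist entry that covers it and reports when that entry times out. It assumes one log record per line and that the redacted field in the "Added ... logged in panel" line is the IP address; the sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Patterns modelled on the two log lines quoted in this article. Assumptions:
# each record is on one line, and the redacted field in the "Added ..." line is the IP.
TS = r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\]"
ADDED = re.compile(TS + r".*whitelist_panels_login: Added (\S+) logged in panel"
                        r" to the Whitelist for (\d+) seconds")
REJECTED = re.compile(TS + r".*Rejected: IP in the whitelist -> SensorAlert\(.*?"
                           r"'attackers_ip': IPv[46]Network\('([^']+)'\).*?'rule': '(\d+)'")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def explain_rejected_alerts(lines):
    """For every alert dropped as whitelisted, report the panel-login entry covering it."""
    expiry, findings = {}, []   # expiry: normalized IP -> time the login entry times out
    for line in lines:
        added = ADDED.search(line)
        if added:
            ip = str(ipaddress.ip_address(added.group(2)))
            expiry[ip] = parse_ts(added.group(1)) + timedelta(seconds=int(added.group(3)))
            continue
        rejected = REJECTED.search(line)
        if rejected:
            net = ipaddress.ip_network(rejected.group(2), strict=False)
            ip, seen = str(net.network_address), parse_ts(rejected.group(1))
            until = expiry.get(ip)
            covered = until is not None and seen < until
            findings.append({"ip": ip, "rule": rejected.group(3), "alert_at": seen,
                             "whitelisted_until": until if covered else None})
    return findings

# Constructed sample lines (192.0.2.10 and 198.51.100.7 are documentation addresses).
ALERT = ("INFO [{ts},006] defence360agent.internals.the_sink: Rejected: IP in the "
         "whitelist -> SensorAlert({{'method': 'ALERT', 'plugin_id': 'modsec', "
         "'attackers_ip': IPv4Network('{ip}/32'), 'rule': '77211190', "
         "'access_denied': True, 'severity': 2, 'status_code': '403'}})")
SAMPLE_LOG = [
    "INFO [2021-09-08 11:24:12,099] im360.plugins.whitelist_panels_login: "
    "Added 192.0.2.10 logged in panel to the Whitelist for 10800 seconds",
    ALERT.format(ts="2021-09-08 13:32:36", ip="192.0.2.10"),
    ALERT.format(ts="2021-09-08 13:40:00", ip="198.51.100.7"),
]

if __name__ == "__main__":
    for f in explain_rejected_alerts(SAMPLE_LOG):
        print(f["ip"], f["rule"], f["alert_at"], "->", f["whitelisted_until"] or "no panel login logged")
```

An alert with no matching panel-login entry means the IP is whitelisted for another reason or the login predates the log being read, so the ipset check above is still the authoritative answer.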