Issue
Questions and answers about RBL.
Environment
- Imunify360
- RBL
Solution
Below are frequently asked questions about Imunify360 RBL.
1. Q: What kind of RBLs are used in Imunify360?
A: Imunify has several different RBL zones. Depending on the suspicious activity that has been detected for an IP address by our automated system, it appears in the corresponding RBL list. Some examples of such activity are brute-forcing passwords, attempts to upload malware to sites, suspicious activities on sites, attempts to exploit vulnerabilities, etc.
2. Q: Why was the IP listed in the RBL?
A: The IP address is put into a particular RBL based on information about suspicious activity on a large number of servers, obtained from the Imunify360 heuristics and automated system.
3. Q: Where in Imunify360 are the RBLs used?
A: Two Imunify360 components check whether an IP address is present in an RBL: the ModSecurity rule set, when processing traffic coming to the sites, and the PAM module, which protects services from brute-force attacks.
4. Q: How can I remove the IP from the RBL? How can I whitelist IP on a server?
A: The IP address is added to the RBL for a specific time (TTL). When the TTL expires, if no suspicious activity has been detected for the IP address, it will be removed from the RBL automatically.
It is not possible to remove an IP from the RBL manually. Locally on the server, the IP address can be added to the whitelist. More information about this can be found in our documentation:
- Firewall whitelisting:
https://docs.imunify360.com/dashboard/#white-list
https://docs.imunify360.com/command_line_interface/#whitelist
- WAF whitelisting:
https://docs.imunify360.com/faq_and_known_issues/#_28-how-can-i-disable-rbl-based-waf-protection
Comments
1 comment
If one wants to delete one or a few lists from /var/imunify360/files/whitelist/v2 those lists will be updated again from our servers, and local static whitelists are re-generated.