Issue
Questions and answers about RBL.
Environment
- Imunify360
- RBL
Solution
Below are frequently asked questions about Imunify360 RBL.
1. Q: What kind of RBLs are used in Imunify360?
A: Imunify360 has several different RBL zones. Depending on the kind of suspicious activity that our automated system has detected for an IP address, the address is placed in the corresponding RBL zone. Examples of such activity are password brute-forcing, attempts to upload malware to sites, suspicious activity on sites, and attempts to exploit vulnerabilities.
2. Q: Why was the IP listed in the RBL?
A: The IP address is put into a particular RBL based on information about suspicious activity on a large number of servers, obtained from the Imunify360 heuristics and automated system.
3. Q: Where in Imunify360 are the RBLs used?
A: The presence of an IP address in an RBL is checked by two Imunify360 components: the ModSecurity rule set, when it processes traffic coming to the sites, and the PAM module, which protects services from brute-force attacks.
4. Q: How can I remove the IP from the RBL? How can I whitelist an IP on a server?
A: The IP address is added to the RBL for a specific time (TTL). When the TTL expires, if no new suspicious activity has been detected for the IP address, it is removed from the RBL automatically.
It is not possible to remove an IP from the RBL manually. Locally on the server, the IP address can be added to the whitelist instead (see the whitelisting links below).
5. Q: The IP address is listed in the incident screen with the message "Imunify PAM. The IP has been locked by RBL," but the IP address is colored blue. Shouldn't it be black?
A: When an IP is blocked by RBL, the block does not come from your local firewall, so the IP appears blue. See: Imunify360 - Admin Interface - Incidents
6. Q: Why does an RBL-listed IP not appear in the local Firewall → Blacklist?
A: RBL is an external threat intelligence list, not the server’s own firewall. Imunify360 synchronizes RBL data into a special ipset, and this set is used by:
- Imunify360 WAF (ModSecurity ruleset)
- Imunify PAM (SSH/IMAP/POP/SMTP brute-force protection)
Because the IP is blocked at the application layer, not the local firewall layer, it does not appear under Firewall → Blacklist.
7. Q: Does an RBL-listed IP actually access the server? What is the step-by-step flow when an RBL-listed IP sends a request?
A: The connection does reach the server, but it is stopped before it reaches application logic. The flow is:
- A request arrives from the source IP.
- Imunify360 checks the IP against the synced RBL ipset.
- If the IP is listed, the relevant component handles the block:
  - WAF blocks HTTP(S) traffic
  - PAM blocks SSH/IMAP/POP/SMTP authentication attempts
- The request is terminated before it reaches application logic.
- An incident is generated in the Imunify360 UI.
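The following is an added example, not Imunify360 code, that models the behaviour described in questions 4, 6 and 7 so the interaction between the RBL TTL, the local whitelist and the two enforcing components can be tried out offline: the ipset name, the TTL values, the service-to-component table, the incident format and the sample IP are all assumptions made for the demonstration, and the rule that a local whitelist entry exempts an IP from RBL-based blocking is taken from the remedy given in question 4.

```python
"""Model of the RBL block flow described in questions 4, 6 and 7.

This is an added example and not Imunify360 code: the set name, the TTL
values, the service-to-component table and the incident format are
assumptions made for the demonstration.
"""
from dataclasses import dataclass, field

# Assumption: which component enforces the RBL for which service, following
# the answer to question 7 (WAF for HTTP(S), PAM for mail and SSH logins).
COMPONENT_FOR_SERVICE = {
    "http": "WAF", "https": "WAF",
    "ssh": "PAM", "imap": "PAM", "pop3": "PAM", "smtp": "PAM",
}


class RblSet:
    """The synced RBL ipset: listed IP -> expiry time (TTL semantics of Q4)."""

    def __init__(self, name="imunify360-rbl"):  # the set name is an assumption
        self.name = name
        self._expiry = {}

    def list_ip(self, ip, ttl, now):
        """Upstream listed (or re-listed) the IP; new activity renews the TTL."""
        self._expiry[ip] = now + ttl

    def contains(self, ip, now):
        """Membership check; expired entries drop out automatically."""
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[ip]
            return False
        return True


@dataclass
class Server:
    rbl: RblSet
    local_whitelist: set = field(default_factory=set)
    firewall_blacklist: set = field(default_factory=set)  # separate from the RBL
    incidents: list = field(default_factory=list)

    def handle(self, ip, service, now):
        """Return ("allow"|"block", component) for one request, per Q7."""
        # Assumption (implied by the remedy in Q4): a local whitelist entry
        # exempts the IP from RBL-based blocking on this server.
        if ip in self.local_whitelist:
            return ("allow", None)
        component = COMPONENT_FOR_SERVICE.get(service)
        if component is None:
            return ("allow", None)  # neither WAF nor PAM sits in front of it
        if not self.rbl.contains(ip, now):
            return ("allow", component)  # proceeds to application logic
        # Blocked at the application layer: the firewall blacklist is not
        # touched, which is why the IP does not show under Firewall -> Blacklist.
        self.incidents.append({
            "ip": ip, "service": service, "component": component,
            "time": now, "message": "The IP has been locked by RBL",
        })
        return ("block", component)


def demo():
    """Walk through the FAQ scenarios with constructed inputs."""
    rbl = RblSet()
    srv = Server(rbl=rbl)
    attacker = "203.0.113.7"  # constructed sample IP (documentation range)
    rbl.list_ip(attacker, ttl=3600, now=0)

    results = {
        "https_while_listed": srv.handle(attacker, "https", now=10),
        "ssh_while_listed": srv.handle(attacker, "ssh", now=10),
        "https_after_ttl": srv.handle(attacker, "https", now=3600),
        "firewall_blacklist_unchanged": attacker not in srv.firewall_blacklist,
        "incident_count": len(srv.incidents),
    }
    # Re-list upstream and then whitelist locally: the RBL listing remains,
    # but this server no longer blocks the IP.
    rbl.list_ip(attacker, ttl=3600, now=3600)
    srv.local_whitelist.add(attacker)
    results["https_whitelisted"] = srv.handle(attacker, "https", now=3700)
    results["still_in_rbl"] = rbl.contains(attacker, now=3700)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the outcome of each scenario: while the IP is listed, an HTTPS request is blocked by the WAF and an SSH login by PAM, each producing an incident; once the TTL has elapsed the same request passes; a local whitelist entry lets the request through even though the address is still listed upstream; and the firewall blacklist stays empty throughout, matching the answer to question 6.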
Useful Links
- Imunify360 - Admin Interface - Incidents
- Firewall whitelisting:
  https://docs.imunify360.com/dashboard/#white-list
  https://docs.imunify360.com/command_line_interface/#whitelist
- WAF whitelisting:
  https://docs.imunify360.com/faq_and_known_issues/#_28-how-can-i-disable-rbl-based-waf-protection
Comments
1 comment
If one wants to delete one or a few lists from /var/imunify360/files/whitelist/v2, those lists will be updated again from our servers, and local static whitelists are re-generated.