Issue
Environment
- Imunify360
- Proactive Defense
- PHP Immunity
- PHP Blamer
- i360.so PHP module
- Any supported panel
- Any supported OS
Solution
Proactive Defense is an important component of Imunify360 that protects the server from attacks. It is not recommended to disable Proactive Defense, as disabling these protections can affect the overall security of the server.
However, there may be situations where Proactive Defense components need to be disabled during troubleshooting operations. Be sure to re-enable the components when such maintenance work is completed.
To disable Proactive Defense and its components, the following steps can be taken:
Disable PHP Immunity.
- Disable PHP Immunity through the Imunify360 settings menu.
Imunify360 > Settings > Malware > Proactive Defense > PHP Immunity > untick > Save changes.
- Disable PHP Immunity using the CLI command.
# imunify360-agent config update '{"PROACTIVE_DEFENCE": {"php_immunity": false}}'
Disable Blamer.
- Disable PHP Blamer via the Imunify360 settings menu.
Imunify360 > Settings > Malware > Proactive Defense > Enable Blamer > untick > Save changes.
- Disable PHP Blamer via the CLI command.
# imunify360-agent config update '{"PROACTIVE_DEFENCE": {"blamer": false}}'
Disable Proactive Defense.
- Change the mode of Proactive Defense itself in the UI.
- Change the mode of Proactive Defense via the CLI: either switch to logging mode or disable Proactive Defense completely. In logging mode, Proactive Defense logs events but does not block the attack.
# imunify360-agent config update '{"PROACTIVE_DEFENCE": {"mode": "LOG"}}'
# imunify360-agent config update '{"PROACTIVE_DEFENCE": {"mode": "DISABLED"}}'
Disable i360.so module.
Even when Proactive Defense and its mechanisms are disabled via the UI or CLI, one component continues to work: the i360.so module, which is loaded through the PHP configuration. To completely disable Proactive Defense, this module also needs to be disabled. The following example disables the module for PHP 7.4 on a server with Apache:
1. Find out where the configuration files for the required PHP version are stored.
# grep -lr "i360.so" /opt/cpanel/ea-php74/
/opt/cpanel/ea-php74/root/usr/lib64/php/modules/i360.so
/opt/cpanel/ea-php74/root/etc/php.d/i360.ini
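2. Comment out the line that loads the module. The pattern is anchored to the start of the line so that running the command a second time does not add another semicolon.
# sed -i 's/^\s*extension=i360\.so/;extension=i360.so/' /opt/cpanel/ea-php74/root/etc/php.d/i360.ini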
# cat /opt/cpanel/ea-php74/root/etc/php.d/i360.ini
;extension=i360.so
More broadly, every i360.ini file for ea-php and alt-php can be updated at once with:
# find /opt/cpanel/ -type f -name "i360.ini" -exec grep -lP "^\s*extension=i360\.so" {} \; | xargs -I {} sed -i 's/^\s*extension=i360\.so/;extension=i360.so/' {}
# find /opt/alt/ -type f -name "i360.ini" -exec grep -lP "^\s*extension=i360\.so" {} \; | xargs -I {} sed -i 's/^\s*extension=i360\.so/;extension=i360.so/' {}
3. Restart the webserver or service processing PHP on the server.
# systemctl restart httpd
After this, the information about the i360 module will disappear from the phpinfo(); output, and Proactive Defense will be completely disabled for the desired PHP version.
Enable Proactive Defense again.
To re-enable the i360.so module the following commands can be used:
1. Uncomment the line that loads the module in the PHP configuration:
# cat /opt/cpanel/ea-php74/root/etc/php.d/i360.ini
;extension=i360.so
# sed -i 's/;extension=i360.so/extension=i360.so/' /opt/cpanel/ea-php74/root/etc/php.d/i360.ini
# cat /opt/cpanel/ea-php74/root/etc/php.d/i360.ini
extension=i360.so
2. Restart the webserver or service processing PHP on the server.
# systemctl restart httpd
3. Make sure that information about the module appears in phpinfo();
Proactive Defense can be enabled from the UI or with the CLI command:
# imunify360-agent config update '{"PROACTIVE_DEFENCE": {"blamer": true, "php_immunity": true, "mode": "KILL"}}'
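Because the module is disabled per PHP version, it is easy to leave one i360.ini commented out after maintenance. The following check is an added example, not part of the original article or of Imunify360's own tooling: it reports the state of every i360.ini under the given directories. The function names i360_state and i360_audit are hypothetical; the search roots in the usage comment are the ones used above.

```shell
#!/bin/sh
# Added example (not Imunify360 tooling): report whether each i360.ini still loads i360.so.
# Function names are hypothetical; the search roots are the ones used in the article.

# i360_state FILE -> prints ENABLED, DISABLED (directive commented out) or MISSING
i360_state() {
    if grep -Eq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*i360\.so' "$1"; then
        echo ENABLED
    elif grep -Eq '^[[:space:]]*;+[[:space:]]*extension[[:space:]]*=[[:space:]]*i360\.so' "$1"; then
        echo DISABLED
    else
        echo MISSING
    fi
}

# i360_audit ROOT... -> prints "<STATE> <path>" for each i360.ini found under the roots.
# Returns non-zero if any file is not ENABLED, so it can gate a maintenance checklist.
i360_audit() {
    report=$(find "$@" -type f -name i360.ini 2>/dev/null | sort |
        while IFS= read -r f; do
            printf '%s %s\n' "$(i360_state "$f")" "$f"
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    # Succeeds only when no line reports DISABLED or MISSING
    ! printf '%s\n' "$report" | grep -Eq '^(DISABLED|MISSING) '
}

# Typical use after troubleshooting (run as root on the server):
#   i360_audit /opt/cpanel /opt/alt || echo "i360.so is not loaded for every PHP version"
```

A file that contains both an active and a commented-out directive is reported as ENABLED, since PHP loads the module in that case.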
Useful links
- https://docs.imunify360.com/dashboard/#proactive-defense-2
- https://docs.imunify360.com/dashboard/#proactive-defense
- https://docs.imunify360.com/dashboard/#mode-settings