Imunify360 blocks attacker's IPs with PAM, but does not block such IPs at the firewall level. In the logs, and in the Incidents tab, the following entries are displayed:
[IM360_RBL] The IP 18.104.22.168 has been locked due to Imunify RBL
[IM360_IPL] The IP 22.214.171.124 has been locked by Imunify PAM
[IM360_UL] The account firstname.lastname@example.org has been temporarily locked by Imunify PAM(126.96.36.199)
- PAM and PAM SMTP protection enabled
- Any panel
- Any OS
Enabled PAM protection allows blocking attackers not at the firewall level, but at the authorization level of the account on the server. This prevents an attacker from gaining access even if he manages to compromise the password to access the account.
Nevertheless, different Imunify360 protection mechanisms allow protecting the server in different situations. If the server is under heavy bruteforce attack and attackers' IP addresses need to be blocked at the firewall level, it makes sense to temporarily disable the PAM protection and Active Response feature. In this case, Imunify360 will limit attackers' access not to a specific account or a specific port, but to the server.
More details about bruteforce protection mechanisms are available in the article below. Here is available some examples of configurations that can be applied in different situations and for different types of attacks: https://blog.imunify360.com/configuring-brute-force-protection-in-imunify360