Issue
Imunify360 blocks attackers' IPs with PAM, but does not block these IPs at the firewall level. The following entries are displayed in the logs and in the Incidents tab:
[IM360_RBL] The IP 12.13.14.15 has been locked due to Imunify RBL
[IM360_IPL] The IP 16.15.14.13 has been locked by Imunify PAM
[IM360_UL] The account barsik@sosiski.com has been temporarily locked by Imunify PAM(15.14.15.14)
Environment
- Imunify360
- PAM and PAM SMTP protection enabled
- Any panel
- Any OS
Solution
With PAM protection enabled, Imunify360 blocks attackers not at the firewall level, but at the authorization level of the account on the server. This prevents an attacker from gaining access even if they manage to compromise the account's password.
Nevertheless, the different Imunify360 protection mechanisms protect the server in different situations. If the server is under a heavy brute-force attack and the attackers' IP addresses need to be blocked at the firewall level, it makes sense to temporarily disable PAM protection and the Active Response feature. In this case, Imunify360 will restrict the attackers' access not to a specific account or a specific port, but to the whole server.
More details about the brute-force protection mechanisms, with examples of configurations that can be applied in different situations and for different types of attacks, are available in this article: https://blog.imunify360.com/configuring-brute-force-protection-in-imunify360
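To judge whether the server is under the kind of heavy attack described above, it helps to tally the lock messages by type and by source IP. The following is an added example, not Imunify360 code: it parses the three message formats quoted in the Issue section, and the function names `parse_line` and `summarize`, the timestamp prefix on one sample line and the other extra sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message formats copied from the Issue section; any other line is ignored.
PATTERNS = {
    "IM360_RBL": re.compile(
        r"\[IM360_RBL\] The IP (?P<ip>\S+) has been locked due to Imunify RBL"),
    "IM360_IPL": re.compile(
        r"\[IM360_IPL\] The IP (?P<ip>\S+) has been locked by Imunify PAM"),
    "IM360_UL": re.compile(
        r"\[IM360_UL\] The account (?P<account>\S+) has been temporarily "
        r"locked by Imunify PAM\s*\((?P<ip>[^)]+)\)"),
}

def parse_line(line):
    """Return {'tag', 'ip', 'account'} for a lock message, else None."""
    for tag, rx in PATTERNS.items():
        m = rx.search(line)  # search() tolerates a syslog-style prefix
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            return None  # tag matched but the address is malformed
        return {"tag": tag, "ip": ip, "account": m.groupdict().get("account")}
    return None

def summarize(lines):
    """Count lock events per message type and per source IP."""
    per_tag, per_ip, accounts = Counter(), Counter(), set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        per_tag[event["tag"]] += 1
        per_ip[event["ip"]] += 1
        if event["account"]:
            accounts.add(event["account"])
    return {"per_tag": dict(per_tag), "per_ip": dict(per_ip),
            "accounts": sorted(accounts)}

# First three lines are the article's examples; the rest are constructed.
SAMPLE = [
    "[IM360_RBL] The IP 12.13.14.15 has been locked due to Imunify RBL",
    "[IM360_IPL] The IP 16.15.14.13 has been locked by Imunify PAM",
    "[IM360_UL] The account barsik@sosiski.com has been temporarily locked by Imunify PAM(15.14.15.14)",
    "Jan 01 00:00:00 host agent: [IM360_IPL] The IP 16.15.14.13 has been locked by Imunify PAM",
    "unrelated log line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many distinct addresses in `per_ip` over a short period indicate the situation in which the article suggests moving the block to the firewall level; the threshold is the operator's decision.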