Skip to main content
Sign in

CloudLinux Knowledge Base

  1. CloudLinux
  2. Imunify Security Products
  3. How do I

How to test Proactive Defense on server with Imunify360

Anna
  • Updated

Issue

How to test Proactive Defense on server with Imunify360?

Environment

  • Imunify360
  • Proactive Defense

Solution

1. Make sure that Proactive Defense is enabled.

mceclip0.png

# cat /etc/sysconfig/imunify360/imunify360-merged.config | grep PROACTIVE -A3
PROACTIVE_DEFENCE:
blamer: true
mode: KILL
php_immunity: true

2. Add the following row in order to enable test mode rules:

echo 'check_mode = -10' >> /usr/share/i360-php-opts/module.ini

3. Create a test script on the user's website. This script will only check for PD if file_get_contents is not disabled and allow_url_fopen is enabled in the PHP settings on the server.

$ cat ./im360pdtest.php
<?php
$pattern = 'TEST-FILE';
$external_code = @file_get_contents('https://secure.eicar.org/eicar.com.txt');
if (strpos($external_code, $pattern)) {
print "Proactive Defence DOESN'T work or NOT in KILL mode";
} else {
print "Proactive Defence works fine - file_get_contents function has been BLOCKED, please check Imunify360 Proactive Defence tab for correspondent BLOCK event";
}
?>

3. Reach for the script in the browser, if it works correctly, the following message will be displayed:

Proactive Defence works fine - file_get_contents function has been BLOCKED, please check Imunify360 Proactive Defence tab for correspondent BLOCK event

mceclip1.png

4. The corresponding item will appear in the Proactive Defense event list:

mceclip2.png

# imunify360-agent proactive list --user=try
ACTION COUNT HOST ID IP LISTNAME PATH RULE_ID RULE_NAME TIMESTAMP 
BLOCK 1 try.wp 1 10.106.1.141 WHITE /home/try/public_html/im360pdtest.php 77777 Proactive Defence test BLOCK rule 1652787381
  • If Proactive Defense is disabled, you will see "PD doesn't work or not in KILL mode" message after calling the script and no records will appear in "Incident" tab.
  • If Proactive Defense is enabled and Log only mode is set, you will see "PD doesn't work or not in KILL mode" message after calling the script and a new event with the description "Blamer detection" in the Detected Events table with "LOG" action.
  • If Proactive Defense is enabled and Kill mode is set, the test page returns an error. And a new event with the description "Blamer detection" in the Detected Events table with "KILL" action.

5. Remove the following row from the /usr/share/i360-php-opts/module.ini in order to disable test mode rules:

check_mode = -10

Useful links

 

 

Comments

0 comments

Please sign in to leave a comment.

Related articles