Issue
How to test Proactive Defense on server with Imunify360?
Environment
- Imunify360
- Proactive Defense
Solution
1. Make sure that Proactive Defense is enabled.
# cat /etc/sysconfig/imunify360/imunify360-merged.config | grep PROACTIVE -A3
PROACTIVE_DEFENCE:
blamer: true
mode: KILL
php_immunity: true
2. Add the following row in order to enable test mode rules:
echo 'check_mode = -10' >> /usr/share/i360-php-opts/module.ini
3. Create a test script on the user's website. The script can only exercise Proactive Defense if file_get_contents is not disabled and allow_url_fopen is enabled in the server's PHP settings.
$ cat ./im360pdtest.php
<?php
// Marker string contained in the EICAR test file; finding it means the outbound
// fetch was allowed, i.e. Proactive Defense did not block file_get_contents.
$pattern = 'TEST-FILE';
// file_get_contents must not be disabled and allow_url_fopen must be on,
// otherwise this request is never attempted and nothing is detected.
$external_code = @file_get_contents('https://secure.eicar.org/eicar.com.txt');
// Compare with false explicitly: strpos() returns 0 (falsy) for a match at
// offset 0 and false when there is no match or the fetch itself failed.
if ($external_code !== false && strpos($external_code, $pattern) !== false) {
    print "Proactive Defence DOESN'T work or NOT in KILL mode";
} else {
    print "Proactive Defence works fine - file_get_contents function has been BLOCKED, please check Imunify360 Proactive Defence tab for correspondent BLOCK event";
}
?>
4. Open the script in a browser. If Proactive Defense is working, the following message is displayed:
Proactive Defence works fine - file_get_contents function has been BLOCKED, please check Imunify360 Proactive Defence tab for correspondent BLOCK event
5. The corresponding item appears in the Proactive Defense event list:
# imunify360-agent proactive list --user=try
ACTION COUNT HOST ID IP LISTNAME PATH RULE_ID RULE_NAME TIMESTAMP
BLOCK 1 try.wp 1 10.106.1.141 WHITE /home/try/public_html/im360pdtest.php 77777 Proactive Defence test BLOCK rule 1652787381
- If Proactive Defense is disabled, the script prints the "PD doesn't work or not in KILL mode" message and no records appear in the "Incident" tab.
- If Proactive Defense is enabled in Log only mode, the script prints the "PD doesn't work or not in KILL mode" message and a new event with the description "Blamer detection" and the "LOG" action appears in the Detected Events table.
- If Proactive Defense is enabled in Kill mode, the test page returns an error and a new event with the description "Blamer detection" and the "KILL" action appears in the Detected Events table.
6. Remove the following row from /usr/share/i360-php-opts/module.ini in order to disable test mode rules:
check_mode = -10
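The steps above can be scripted so that the mode check, the check_mode toggle and the event check are repeatable. The following helper is an added example, not Imunify360's own tooling; it runs against constructed temp files that stand in for the two config paths named in the article, and against the sample "proactive list" output above plus one constructed LOG row.

```shell
#!/bin/sh
# Added helper (not part of Imunify360) for the test-mode procedure above.
# ASSUMPTION: CONF and INI are temp files standing in for
# /etc/sysconfig/imunify360/imunify360-merged.config and
# /usr/share/i360-php-opts/module.ini; on a real server point them there.
CONF=$(mktemp)
INI=$(mktemp)
cat > "$CONF" <<'EOF'
PROACTIVE_DEFENCE:
  blamer: true
  mode: KILL
  php_immunity: true
EOF
printf '; constructed sample module.ini\n' > "$INI"

# Step 1: print the mode under PROACTIVE_DEFENCE (KILL or LOG). awk field
# splitting ignores YAML indentation, so the merged config is read as-is.
pd_mode() {
    awk '/^PROACTIVE_DEFENCE:/ { in_pd = 1; next }
         in_pd && /^[A-Za-z_]+:[[:space:]]*$/ { in_pd = 0 }
         in_pd && $1 == "mode:" { print $2 }' "$1"
}

# Step 2: add the test-mode row only if it is not already present, so a
# second run does not stack duplicate rows the way a bare >> would.
enable_test_mode() {
    grep -qx 'check_mode = -10' "$1" || echo 'check_mode = -10' >> "$1"
}

# Step 6: remove the test-mode row again (portable, no sed -i needed).
disable_test_mode() {
    grep -vx 'check_mode = -10' "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# Step 5: count BLOCK rows for the test rule (RULE_ID 77777, as in the sample
# output above) in "imunify360-agent proactive list" text read from stdin.
count_test_blocks() {
    awk 'NR > 1 && $1 == "BLOCK" && $8 == "77777" { n++ } END { print n + 0 }'
}

# Constructed sample: first data row is the page's, second is a LOG-mode row.
SAMPLE_LIST='ACTION COUNT HOST ID IP LISTNAME PATH RULE_ID RULE_NAME TIMESTAMP
BLOCK 1 try.wp 1 10.106.1.141 WHITE /home/try/public_html/im360pdtest.php 77777 Proactive Defence test BLOCK rule 1652787381
LOG 1 try.wp 2 10.106.1.141 WHITE /home/try/public_html/other.php 77777 Proactive Defence test BLOCK rule 1652787400'

echo "mode=$(pd_mode "$CONF") test_blocks=$(printf '%s\n' "$SAMPLE_LIST" | count_test_blocks)"
```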