Issue
The IP address entry is in the Imunify360 database, but the IP address itself is not added to the appropriate list on the server.
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | grep "|BLACK|" | grep "1.2.3.4"
1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
# imunify360-agent blacklist ip list --limit 600000 | grep "1.2.3.4"
#
# ipset list | grep "1.2.3.4"
#
Environment
- Imunify360
- Firewall
Solution
Check whether the TTL of the IP entry has expired. If the TTL specified when the IP was added to the whitelist or blacklist has already passed, the entry remains in the Imunify360 database, but the IP is no longer added to the actual lists (the agent's blacklist and ipset). The expiration column holds a Unix timestamp; convert it to a date to compare it with the current time:
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | grep "|BLACK|" | grep "1.2.3.4"
1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
# LANG=C date -d @1672317581
Thu Dec 29 15:39:41 MSK 2022
How to put the address back on the right list?
In this case, the easiest way is to add the IP again, either specifying a new TTL via --expiration or omitting the TTL entirely, in which case the IP stays in the list with no expiration date. Some example commands for adding IPs to the blacklist and updating the TTL where needed:
- Add the IP to the blacklist on a group of servers and specify the TTL for 10 days from the time of addition:
# imunify360-agent blacklist ip add 1.2.3.4 --scope group --expiration $(date '+%s' --date='10 days')
- Add the IP to the blacklist on a single server and specify the TTL for 10 days from the time of addition:
# imunify360-agent blacklist ip add 1.2.3.4 --expiration $(date '+%s' --date='10 days')
- Add an IP to blacklist on a group of servers without mentioning its TTL:
# imunify360-agent blacklist ip add 1.2.3.4 --scope group
- Add an IP to blacklist on a single server without mentioning its TTL:
# imunify360-agent blacklist ip add 1.2.3.4
Additional useful commands
- Get, directly from the Imunify360 database, the list of IP addresses whose TTL was specified and has not yet expired (if no TTL was specified, the expiration value is 0 and the address is not included in this output):
# sqlite3 /var/imunify360/imunify360.db "select * from iplist where expiration >= $(date +%s)"
- Compare the number of IPs marked as blacklisted in the Imunify360 database, the number of IPs actually present in the agent's blacklist, and the number of database entries (on any list) whose TTL has not yet expired. The first count includes entries with an expired TTL; the second does not:
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | grep "|BLACK|" | wc -l && \
imunify360-agent blacklist ip list --limit 600000 | wc -l && \
sqlite3 /var/imunify360/imunify360.db "select * from iplist where expiration >= $(date +%s)" | wc -l
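The TTL check from the Solution and the database queries above, as an added example (not code from the Imunify360 project or this article): it classifies rows of the `sqlite3 ... 'select * from iplist'` output by TTL state and lists blacklist entries whose TTL has passed. It assumes the fifth pipe-separated field is the expiration epoch (consistent with the sample row, whose fifth field 1672317581 is the value converted with `date -d` above) and runs on constructed sample rows.

```bash
#!/bin/bash
# Constructed sample rows in the pipe-separated format that
# `sqlite3 /var/imunify360/imunify360.db 'select * from iplist'` prints.
# Assumption: field 5 is the expiration epoch (empty or 0 = no TTL).
SAMPLE_ROWS='1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
5.6.7.8|BLACK|1669962650||0||manual ban, no TTL|0|0|1||0|0|0|4|server
9.9.9.9|WHITE|1669962650||9999999999||office address|0|0|1||0|0|0|4|group'

# Classify one row against a reference time (epoch seconds).
# Prints "<ip> <list> permanent|active|expired [expiration]".
# Returns 0 for a permanent or still-active entry, 1 for an expired one.
ttl_state() {
    local row=$1 now=$2 ip list exp
    ip=$(printf '%s\n' "$row" | cut -d'|' -f1)
    list=$(printf '%s\n' "$row" | cut -d'|' -f2)
    exp=$(printf '%s\n' "$row" | cut -d'|' -f5)
    if [ -z "$exp" ] || [ "$exp" -eq 0 ]; then
        printf '%s %s permanent\n' "$ip" "$list"
        return 0
    fi
    if [ "$exp" -lt "$now" ]; then
        # Human-readable form of $exp: LANG=C date -d @"$exp"
        printf '%s %s expired %s\n' "$ip" "$list" "$exp"
        return 1
    fi
    printf '%s %s active %s\n' "$ip" "$list" "$exp"
    return 0
}

# Print the IP of every row on the given list whose TTL has passed.
# Usage: printf '%s\n' "$rows" | find_expired BLACK "$(date +%s)"
find_expired() {
    local list=$1 now=$2 row
    while IFS= read -r row; do
        [ -z "$row" ] && continue
        # Same list filter the article uses: grep "|BLACK|"
        case "$row" in *"|$list|"*) ;; *) continue ;; esac
        ttl_state "$row" "$now" >/dev/null || printf '%s\n' "$row" | cut -d'|' -f1
    done
}

# Stand-alone run: expired blacklist entries at a fixed reference time.
printf '%s\n' "$SAMPLE_ROWS" | find_expired BLACK 1700000000
```

On a live server, feed the function the real query output instead of `$SAMPLE_ROWS` and pass `$(date +%s)` as the reference time; every IP it prints is a candidate for re-adding as described above.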