Issue
The IP address entry is in the Imunify360 database, but the IP address itself is not added to the appropriate list on the server:
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | grep "|BLACK|" | grep "1.2.3.4"
1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
# imunify360-agent ip-list local list --purpose drop --limit 600000 | grep "1.2.3.4"
#
# ipset list | grep "1.2.3.4"
#
Environment
- Imunify360
- Firewall
Solution
- Explanation
First check whether the TTL of the IP entry has expired: an expired TTL is the usual reason an address is still present in the database but missing from the white/black lists. The expiration is stored in the row as a Unix timestamp (1672317581 in the example below), which can be converted to a readable date with `date`:
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | grep "|BLACK|" | grep "1.2.3.4"
1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
# LANG=C date -d @1672317581
Thu Dec 29 15:39:41 MSK 2022
- How to put the address back on the right list?
In this case, the easiest way is to simply add the IP again and either specify a new TTL via `--expiration` or omit the TTL entirely; in the latter case the IP stays in the list with no expiration date.
Here are some example commands for adding IPs to the blacklist and setting the TTL if needed:
- Add the IP to the blacklist on a group of servers with a TTL of 10 days from the time of addition:
imunify360-agent ip-list local add --purpose drop 1.2.3.4 --scope group --expiration $(date '+%s' --date='10 days')
- Add the IP to the blacklist on a single server with a TTL of 10 days from the time of addition:
imunify360-agent ip-list local add --purpose drop 1.2.3.4 --expiration $(date '+%s' --date='10 days')
- Add an IP to the blacklist on a group of servers without specifying a TTL:
imunify360-agent ip-list local add --purpose drop 1.2.3.4 --scope group
- Add an IP to the blacklist on a single server without specifying a TTL:
imunify360-agent ip-list local add --purpose drop 1.2.3.4
- Additional useful commands
- Get, directly from the Imunify360 database, the list of IP addresses whose TTL was specified and has not yet expired (entries without a TTL have expiration 0 and are not included in this output):
# sqlite3 /var/imunify360/imunify360.db "select * from iplist where expiration >= $(date +%s)"
- Compare the total number of IP entries in the Imunify360 database, the number of IPs actually present in the blacklist (drop list) on the server, and the number of database entries whose TTL has not yet expired:
# sqlite3 /var/imunify360/imunify360.db 'select * from iplist' | wc -l && \
imunify360-agent ip-list local list --purpose drop --limit 600000 | wc -l && \
sqlite3 /var/imunify360/imunify360.db "select * from iplist where expiration >= $(date +%s)" | wc -l
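The TTL check and the comparison above, as an added example that is not part of this article or of Imunify360 itself: it works on rows in the same pipe-separated format as the sqlite3 dump, reports blacklisted entries whose TTL has passed or that are missing from the firewall list, and prints the re-add command with a fresh TTL. All sample rows and the sample drop list are constructed, and the drop list is assumed to be one IP per line.

```shell
#!/bin/sh
# Added example, not part of the Imunify360 KB article or the product itself.
# It works on rows in the same pipe-separated format as the sqlite3 dump above:
# field 1 = IP, field 2 = list name (BLACK/WHITE), field 5 = expiration as a
# Unix timestamp (0 or empty = no TTL). All sample data below is constructed.

SAMPLE_ROWS='1.2.3.4|BLACK|1669962650||1672317581||Wordpress XML RPC Login Violation|123754|0|1||0|1234379225|4321067295|4|group
5.6.7.8|BLACK|1669962650||0||manual block, no TTL|0|0|1||0|0|0|4|server
9.9.9.9|WHITE|1669962650||1672317581||office, expired whitelist|0|0|1||0|0|0|4|server
10.0.0.5|BLACK|1669962650||4102444800||TTL in 2100|0|0|1||0|0|0|4|server'

# Assumed: the firewall-side list is one IP per line (e.g. filtered output of
# "imunify360-agent ip-list local list --purpose drop" or "ipset list").
SAMPLE_DROP_LIST='5.6.7.8
10.0.0.5'

# Print blacklisted IPs whose TTL has already passed at time $2 (epoch seconds).
find_expired_entries() {
    printf '%s\n' "$1" | awk -F'|' -v now="$2" \
        '$2 == "BLACK" && $5 != "" && $5 != 0 && $5 < now { print $1 }'
}

# Print blacklisted IPs from the database rows ($1) that are absent from the
# firewall list ($2): the symptom described in the article.
missing_from_drop_list() {
    printf '%s\n' "$1" | awk -F'|' '$2 == "BLACK" { print $1 }' |
    while IFS= read -r ip; do
        printf '%s\n' "$2" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Build the re-add command for IP $1 with a TTL of $3 days counted from epoch
# time $2; plain arithmetic instead of GNU "date --date" so it is portable.
readd_command() {
    printf 'imunify360-agent ip-list local add --purpose drop %s --expiration %s\n' \
        "$1" "$(( $2 + $3 * 86400 ))"
}

now=$(date +%s)
echo "Expired blacklist entries:"
find_expired_entries "$SAMPLE_ROWS" "$now"
echo "In database but not in the drop list:"
missing_from_drop_list "$SAMPLE_ROWS" "$SAMPLE_DROP_LIST"
echo "Suggested fix (10-day TTL):"
for ip in $(find_expired_entries "$SAMPLE_ROWS" "$now"); do
    readd_command "$ip" "$now" 10
done
```

On a live server, replace SAMPLE_ROWS with the output of the sqlite3 query and SAMPLE_DROP_LIST with the IP column of the drop list; the functions themselves do not change.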
Cause
The TTL specified when the IP was whitelisted/blacklisted has already expired. The IP remains in the Imunify360 database, but it is no longer present in any of the firewall lists.