Issue
With the port policy "All closed, except specified", be careful not to lock out the SSH port or any other service that is not specified. Originating (outbound) connections are also closed under this policy, so it is essential to understand clearly how the policy is expected to work.
Environment
- Imunify360
- cPanel/UI
Solution
It is worth starting with the fact that an IP is whitelisted after a successful login to WHM or the CLI: the port policy is ignored for such an IP (it ends up in the whitelist with full access) until the TTL set for the whitelist entry is reached. After that, the IP may no longer be able to reach ports that are not specified. Before logging out, double-check the Ports configuration: whether the needed port is specified and whether anything may override this configuration.
As a side note, the merging events can be tracked:
grep config_provider /var/log/imunify360/console.log
The current iptables rules can be checked as well:
iptables-save | grep ports
and compared with the expected configuration:
imunify360-agent config show --json -v | jq .items.FIREWALL
In regard to the order in which custom configurations are applied, there is a main configuration file and a config.d path recommended for automated config provisioning:
/etc/sysconfig/imunify360/imunify360.config
/etc/sysconfig/imunify360/imunify360.config.d
- The main configuration file imunify360.config is linked to imunify360.config.d/90-local.config, as per:
/etc/sysconfig/imunify360/imunify360.config.d/90-local.config -> /etc/sysconfig/imunify360/imunify360.config
At the moment, the symlink should exist to ensure that the settings from imunify360.config are properly merged with the custom configuration files. This file stores changes made via the UI and CLI.
- For the custom configuration files with TCP_IN / TCP_OUT settings, the configuration file loaded last takes effect (the last occurrence wins): https://docs.imunify360.com/features/#overridable-config
- The resulting merged config can be found in the config show output as well as in the -merged file:
/etc/sysconfig/imunify360/imunify360-merged.config
As such, to manage ports within the UI while custom configuration files are in use, it is possible either to use custom files with a higher number to override previously set settings, or to lower the priority of all the custom configuration files so that settings can be changed within the UI. For instance, use custom files such as 91-no-override-from-UI.config for non-overridable ports and 51-settings-overridable-from-UI.config for overridable settings. A filename starting with a number above 90, such as 91-after-ui-configuration.config, intentionally prevents changes from being made within the UI, while numbers below 90-local.config (e.g., 51-before-ui-configuration.config) will be overridden by the UI settings.
Lastly, no action is needed to apply newly created files or altered settings: the agent's routine continuously checks the config files' mtime and rereads and applies changes automatically. The UI displays the effective configuration, which can also be obtained with the config show command, giving the same resulting port set and policy state.
To clarify, the custom config files are loaded in lexicographical order, e.g., 20_my_custom_overridable.config is loaded before 90-local.config, and therefore UI/CLI config updates override values from 20_my_custom_overridable.config; correspondingly, values put into 99-highest-priority.config won't be overridden by the UI/CLI. Note: 100-likely-not-intended-order.config is loaded before 90-local.config, because "1" sorts before "9".
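The load-order rules above, reproduced as an added example (not Imunify360's own code) that lists config.d files in merge order, classifies each as overridable from the UI or overriding the UI, and reports which file's TCP_IN / TCP_OUT setting wins. It assumes the agent's lexicographical order matches byte order (LC_ALL=C sort) and uses a constructed, simplified "KEY: value" file format in a temporary sample tree; point it at the real directory by calling classify with /etc/sysconfig/imunify360/imunify360.config.d.

```shell
#!/bin/sh
# Added example: simulate the config.d merge order described in the article.
# Assumption: "lexicographical order" equals byte order, i.e. LC_ALL=C sort.
UI_FILE="90-local.config"   # holds UI/CLI changes (symlinked from imunify360.config)

# List *.config files of a directory in merge order (the last one wins).
load_order() {
    ( cd "$1" && ls -1 | grep '\.config$' | LC_ALL=C sort )
}

# Print "<file> <class>": files loaded before 90-local.config are overridable
# from the UI, files loaded after it override UI/CLI settings.
classify() {
    seen_ui=0
    load_order "$1" | while IFS= read -r f; do
        if [ "$f" = "$UI_FILE" ]; then
            seen_ui=1; echo "$f ui-cli-settings"
        elif [ "$seen_ui" -eq 0 ]; then
            echo "$f overridable-from-ui"
        else
            echo "$f overrides-ui"
        fi
    done
}

# Print the file whose value for KEY takes effect: the last file in load order
# that defines it (constructed "KEY: value" format, not the agent's parser).
last_definer() {
    key="$1"; dir="$2"; winner=""
    for f in $(load_order "$dir"); do
        grep -q "^$key:" "$dir/$f" && winner="$f"
    done
    echo "$winner"
}

# Constructed sample tree reusing the file names from the article.
make_sample() {
    d=$(mktemp -d)
    printf 'TCP_IN: 22,80\n'          > "$d/20_my_custom_overridable.config"
    printf 'TCP_IN: 22,80,443\n'      > "$d/100-likely-not-intended-order.config"
    printf 'TCP_IN: 22,80,443,8443\n' > "$d/90-local.config"
    printf 'TCP_OUT: 53,80,443\n'     > "$d/99-highest-priority.config"
    echo "$d"
}

SAMPLE=$(make_sample)
classify "$SAMPLE"
echo "TCP_IN taken from:  $(last_definer TCP_IN "$SAMPLE")"
echo "TCP_OUT taken from: $(last_definer TCP_OUT "$SAMPLE")"
```

On the sample tree the "100-" file is listed first and classified as overridable-from-ui, so its TCP_IN value loses to 90-local.config, while TCP_OUT comes from 99-highest-priority.config.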
Useful links
https://docs.imunify360.com/dashboard/#ports
https://docs.imunify360.com/features/#overridable-config