Hello I am testing imunify360 considering to switch/add to csf and cxs It does a great job blocking wp-login brute force attacks and has find some infected very old files that maldet and cxs were not able to detect But there are some issues tested on cpanel cloudlinux server with about 500 small sites , load average 2 to 3 under normal conditions and half of 64GB memory usually free Disabled cxs, fail2ban , deleted all other modsec vendors, installed. Csf remains active 1) With the full set of modsec rules ( 25 rules set) the server load skyrockets from 2-3 to 20 -50 Also the peaks are so robust, between 2-3 top command refresh, the load goes from eg 5 to 40 Observed for many hours hopping that caused from inotify indexing, but the load remained high Uninstalled and installed 3 times, after deleting /etc/ and /var imunify folders in case accidentally misconfiguration caused this behavior, same high load Then i switched to the mini modesc and the load goes to 3-4 , almost normal, maybe 0.5 to 1 more load than usual. Acceptable. I noticed that the full set has 4 extra rulesets Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/116_Apps_JComponent.conf" Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/118_Apps_WPPlugin.conf" Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/119_Apps_WHMCS.conf" Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/121_Apps_OtherApps.conf" I enabled them one at a time 118_Apps_WPPlugin.conf is causing about 100% more load and 121_Apps_OtherApps.conf is causing 500% to 1000% more load Also, when using the full modsec set, even with this 4 ruleset disabled, the server more load spices and is some how more unpredictable and unstable So the only option for this particular server is to run imunify360 with the mini rule set Maybe this is voodoo related - , i will continue tests with other servers Forgot to mention that at some point a have upgraded to the roll-out version, same behavior 2) Dashboard Dashboard graphs not working today , i get a red error banner in top right of the dashbord page Error Internal Error And Failed to fetch data. Specify more narrow period or try again later. 3) Proactive Defense When i change mode to Proactive Defense, the new mode is activated only when i manual restart the service systemctl restart imunify360-webshield.service tested with https://docs.imunify360.com/dashboard/#user-interface How to test Proactive Defense 4) Auto white list I dont like the auto white list feature When someone logs in to cpanel , gets whitelisted for some hours Than means, if someone steals a cpanel password, he is free to do anything without firewall block I have changed the AUTO_WHITELIST: timeout: 1440 # set in minutes how long to keep automatically whitelisted IP from 1440 to 1, but users are still white-listed for 3 hours It would be nice to have an option to disable the auto white list feature
Announcement
Collapse
No announcement yet.
Imunify 360, server load and some notes
Collapse
X
-
Hello Nick,
Thank you for reaching out!
1) This is a confirmation that the additional load caused by full ruleset varies across systems, and that is why there exists the minified ruleset. We are constantly working on making the full ruleset fast on any system with any configuration, and hopefully one of the nearest releases of full ruleset will not be causing such a significant additional load on your system.
2) This would require a ticket so that we can take a closer look into the problem.
3) A proactive defense can be tested with the help of a script like the following one:
Code:<?php /* Imunify360 Proactive Defence test script */ echo "<pre>"; echo "Step 1<br>"; // Decode string with domain: 37kddsserrt.xyz $url=base64_decode("MzdrZGRzc2VycnQueHl6"); echo "Step 2<br>"; echo "</pre>"; // Try to access a malicious domain include($url); die(); ?>
Please create a ticket here https://cloudlinux.zendesk.com/hc/en-us/requests/new and technical experts will help you asap.
If you have any other questions, feel free to ask here. Thank you for contacting us.
Comment