Hey

Yeah I know about country block feature and its working fine. But I was looking for something to prevent visitors from certain countries to be able to authenticate or ... For example, I have several visitors from China and thats fine. But, meanwhile I have so many hack attempts from China as well. I dont want to block all of them but to block those who are trying to login to WordPress or trying to authenticating to mail server and ...

That would be awesome if we have such feature in newer versions of Imunify360.

Thank you,
Iman

Or why not do it visitors from country using a specific port or application type.

Yes! Thanks

Hi,

I just made a simple shell script to work with Imunify360-agent CLI which scans Imunify360 incidents and move IPs to blacklist based on some rules that user can specify it. For example, block any attempts to login to WordPress from certain countries or even block any attempts which are not in allowed countries list.

I made it in the way that user can define different rules for different countries and incidents.

How it use it:

1. Connect to your server via SSH

2. Make a directory for example in your home directory and name it ccprotect

3. Download the attached file and unzip it inside this directory.

4. Go to rules directory and edit the files the way you need them. You need at least one .rule file and if you dont need the others you can remove them. I put a file named custom_rule.temp which you can use it as an empty template for your rules:

5. In each rule, theres 5 variables that you need to fill them:

RULE_NAME: Just a name for your rule.

CMDS: Grab a part of incidents event and put it here. For example: "WordPress login attempt" or if you want to use more than one incident to check for, use it like this one: "WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user". Please note that you should put | sign between incidents and it works like OR bitwise operator.

DENY_COUNTRIES: List of the countries that are checked for the incidents. If the IP address belongs to this list, it will be added to blacklist immediately. Country codes should be entered in two character format which you may find the whole list here:



ALLOW_COUNTRIES: List of the countries that wont be checked for the incidents. If the IP address doesnt belong to this list, it will be blocked immediately.

MODE: allow or deny. "allow" means ALLOW_COUNTRIES is in action (more restrictive), and deny means the rules will only apply to DENY_COUNTRIES list.

6. Once you are done with rule files, run the scan.sh file once to see if its working fine or not. It will read the incidents of last 10 minutes and apply the rules on them.

7. If it worked successfully, you need to go "Plesk > Tools and Settings > Scheduled Tasks" then add a new task. Task Type should be "Run a command".
Command should be "/home/iman/ccprotect/scan.sh" ( Make sure to replace the path with the path that youve uploaded the script there ).
Run should be "Cron style" and the value "*/2 * * * *"
Put a description for yourself and set the notify to errors only at first. Once it run successfully, you may edit it and set it to "Do not notify" because it will send you an email every two minutes.

I hope this helps. It was very useful for myself. But please note that you need to check the rules file carefully and make sure you are not blocking yourself. Please use this on your own risk.

Thanks,
Iman

> ImanGM, looks great! I passed it to our analytics team.
> Thanks for sharing the script!

You are welcome. Its working fine for me. If the analysis team accept the way Ive made it as a temporary solution, I guess it would be easy to monitor other logs such as MySQL and ... to identify brute-force or other kind of attacks and block them via Imunify360-agent...

Cheers
Iman

To optimize resource usage after increasing of Black list (over 12k IPs), we use blocking with expiration. [code type="markup"] BLACKLIST_CMD=$(echo imunify360-agent blacklist ip add "$IP360" --expiration $(date +%s --date=2 day) --comment "Restricted Country Auto Block by script") [/code] Hope it will be useful for other participants

Hi Eugeniu,

Yeah! Thats a very good improvement. My list is filled with about 20,000 IPs right now and thats definitely a very large number. Ive used your improvement and modified my scan.sh file to expire the blocked IPs in 14 days since I need a more restricted policy.

Thank you for sharing it.
Iman

Hi, ImanGM, also i can share commands to clear Imunifys list of IPs from Black list with your comment. I used it for few servers, everything is working well [code type="markup"] systemctl stop imunify360 echo "delete from iplist where comment=Restricted Country Auto Block by script;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db echo "vacuum;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db systemctl restart wsshdict systemctl start imunify360 [/code] P.S. Thanks to support team of Imunify360 for this solutions

Hi ImanGM

Excellent solution, congratulations! I am very grateful to you for this solution. Helped me a lot!
The Imunify360 team has to see for this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that with the tool interface.

Thank you very much!

> The Imunify360 team has to see for this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that with the tool interface.

Hello Jhonathan,
Thank you for reaching out! This feature is already available in the Black List section.
Using the Country filter, you can filter the list by country origin. Enter a country name into the input field with autocomplete. Imunify360 will show the list of IPs of the chosen country.
You can find more information here https://docs.imunify360.com/dashboard/#black-list
Drop me a line if I can do anything else for you. Thank you.

Hi Sergey Khristich

The problem that there is no way to create custom rules. If you block the country the firewall will block all traffic from the country that put it.

The solution that ImanGM presented works perfectly with custom rules.

If there was an area inside the tool to create custom rules it would be very interesting.

> Hi Sergey Khristich
>
> The problem that there is no way to create custom rules. If you block the country the firewall will block all traffic from the country that put it.
> The solution that ImanGM presented works perfectly with custom rules.
> If there was an area inside the tool to create custom rules it would be very interesting.

Hello Jhonathan,
Can you please open a support ticket / feature request here https://cloudlinux.zendesk.com/hc/en-us/requests/new? And describe in more detail what specific exceptions are needed and our development team will definitely consider the request. You can post the ticket number here and well link this thread to it. Thank you.

Hi Sergey Khristich

Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
I opened a ticket with the team. Now I will wait.

Thank you

> Hi Sergey Khristich
>
> Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
> I opened a ticket with the team. Now I will wait.
>
> Thank you

Hello Jhonathan,
Thank you, our specialists will answer you on the ticket as quickly as possible.