Whitelist IPSET Question/Issue/Inconsistencies


  • Whitelist IPSET Question/Issue/Inconsistencies

    Hi,

    I have been going through my LFD emails and noticed 33 emails about one IP address being blocked for ModSecurity errors. The top of the emails showed that the IP address was whitelisted:

    Time: Mon Jul 23 08:35:39 2018 +1000
    IP: 77.79.198.14 (PL/Poland/vdsl-77.79.198.14.atman.pl)
    Failures: 5 (mod_security)
    Interval: 3600 seconds
    Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)

    When checking CSF, it showed:

    IPSET: Set:chain_ALLOW Match:77.79.198.14 Setting: File:/etc/csf/csf.allow
    IPSET: Set:i360.ipv4.whitelist.static Match:77.79.198.14

    The IP address was found in /var/imunify360/files/whitelist/v2/imunify360.txt, which is linked to from the csf.allow file:

    # external for i360-security-analytics, i360-php-sandbox, i360-security-testing
    77.79.198.14

    Imunify, itself, shows 5 IP addresses in the whitelist. 2 of these have full access.

    Firstly, running "ipset list" on i360.ipv4.whitelist.full_access shows only 1 of the IP addresses with full access listed.
    Secondly, running "ipset list" on i360.ipv4.whitelist.static, shows THOUSANDS of entries. Yet, I only have 3 whitelisted according to Imunify.

    Can you please explain what all the IP addresses are in the Imunify Whitelist IPSET, and why your IP address was accessing all the shared hosting sites on the server?

    Thanks

  • #2
    > I have been going through my LFD emails and noticed 33 emails about one IP address being blocked for ModSecurity errors

    Scratch that. Across all our servers, there were 175 emails about this IP address!!



    • #3
      Hello Nick,

      77.79.198.14 is the address of the Imunify360 security scanner - it is OK to leave it whitelisted.



      • #4
        No problem. The Atomicorp paid ModSecurity rules are continually blocking it though:

        [Wed Jul 25 00:33:16 2018] [error] [client 77.79.198.14] ModSecurity: Access denied with code 403, [Rule: REQUEST_HEADERS:User-Agent python-requests/] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. "] [severity "CRITICAL"]

        Can you please explain this:

        > Secondly, running "ipset list" on i360.ipv4.whitelist.static, shows THOUSANDS of entries. Yet, I only have 3 whitelisted according to Imunify.

        I am concerned that there are thousands of whitelisted IP addresses in the imunify360 whitelist ipset, yet only 3 are showing in imunify360.

        Thank you



        • #5
          This is a pre-defined global whitelist of IP addresses known to be "good". You can find this list here: https://files.imunify360.com/static/whitelist/v2/

          In future versions of our product we will add this list to the Imunify360 UI.

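Added example, not part of the original thread and not Imunify360 code: one way to account for every member of a whitelist ipset by matching it against the labelled entries of a whitelist file such as the one quoted in the first post. The sample data is constructed, the function names are hypothetical, and the file layout (a "#" comment labelling the entries below it) is assumed from that quote; on a server the inputs would be the output of "ipset list i360.ipv4.whitelist.static" and the contents of /var/imunify360/files/whitelist/v2/imunify360.txt.

```python
import ipaddress

# Constructed sample in the format printed by `ipset list <setname>`.
IPSET_OUTPUT = """Name: i360.ipv4.whitelist.static
Type: hash:net
Members:
77.79.198.14
192.0.2.0/24
198.51.100.7
203.0.113.9
"""
# Constructed whitelist file: a "#" comment labels the entries that follow it.
WHITELIST_FILE = """# external for i360-security-analytics, i360-php-sandbox, i360-security-testing
77.79.198.14
# example-monitoring (constructed label)
192.0.2.0/24
198.51.100.7
"""

def ipset_members(text):
    """Networks listed after the 'Members:' line of `ipset list` output."""
    lines = text.splitlines()
    start = lines.index("Members:") + 1
    # split()[0] drops per-entry options (e.g. a timeout) after the address.
    return [ipaddress.ip_network(l.split()[0], strict=False)
            for l in lines[start:] if l.strip()]

def labelled_entries(text):
    """Map each network in a whitelist file to the comment line above it."""
    label, out = "(unlabelled)", {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            label = line.lstrip("# ")
        elif line:
            out[ipaddress.ip_network(line, strict=False)] = label
    return out

def attribute(set_text, file_text):
    """Return ({member: source label}, [members no file entry covers])."""
    known = labelled_entries(file_text)
    explained, unexplained = {}, []
    for net in ipset_members(set_text):
        src = next((lab for k, lab in known.items()
                    if k.version == net.version and net.subnet_of(k)), None)
        if src is None:
            unexplained.append(str(net))
        else:
            explained[str(net)] = src
    return explained, unexplained
```

Anything returned in the second list is allowed by the firewall without a matching entry in the file it was compared against, which is the case worth investigating.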


          • #6
            Thanks Alexandre. Good to know it's a good list, and not that something is wrong.

