Announcement

**vmarchuk** · 01-24-2018, 12:09 PM

Hello,

In order to answer your questions, we would like to check server configuration.
Please submit a ticket to https://cloudlinux.zendesk.com, our techs will check the issue in place.

**glenn** · 01-24-2018, 04:01 PM

Im not looking for tech support, just some insights into IM360. IM360 is working properly but I would like to understand better what it is and isnt blocking.

**apb** · 01-24-2018, 04:15 PM

Glenn, thank you for your feedback

> For instance, Im looking at Incidents log and it shows hundreds of attempts from same IP over hours to login into non-existent ftp user. How come its not getting added to grey list?

Imunify360 has some thresholds for IP graylisting - e.g. 10 incidents per minute. Were the attempts frequent enough?

> We host a lot of Wordpress sites and I would have expected IM360 to show a lot of IDS activity there as well but all I see are failed ftp logins.

Wordpress activity is actually inspected on the WAF (modsecurity) level. You can change a minimum severity level for Incidents in Settings -> General tab. Meanwile, we are working now on a better concept of logging and monitoring tools so that we will be able to show the most relevant information in Imunify360 UI.

**glenn** · 01-24-2018, 04:36 PM

Are you referring to "Check delay - Period in seconds between each DoS detection check" ?

It is set to 30 seconds now.

**apb** · 01-24-2018, 04:56 PM

Not exactly - IDS thresholds are hard-coded in Imunify360 (as of the current version)
However, the modsecurity (WAF) thresholds can be modified by altering MOD_SEC_BLOCK_BY_SEVERITY.severity_limit and MOD_SEC_BLOCK_BY_SEVERITY.max_incident_repetition in the Imunify360 config file: /etc/sysconfig/imunify360/imunify360.config

**tony** · 01-24-2018, 06:30 PM

Our experience has been i360 has been effective against brute forcing for the most part until probably the past 48 hours or so. Id estimate were seeing approximately 10,000 different IPs attempting to brute force Wordpress installs. Unlike what wed typically see each IP only attempts once every few hours per site. As a result I dont think theyre ever going to get blocked. Its simply too spread out between sites and servers to just assume its malicious. Ive opened a ticket about it in case anyone from the Imunify360 team was curious about what we were seeing. I unfortunately imagine its not going to be too helpful and well end up creating our own solution.

**glenn** · 01-24-2018, 06:50 PM

Thanks for your reply Tony. I think thats been my experience as well. Ive been watching an ecomm site we host which has Wordfence and intrusions and login attempts have been very minimal and way below what I would expect for ecomm site. I chalk that up to IM360.

Out of curiousity, how does the brute force login attempts show up in IM logs?

thx
Glenn

**tony** · 01-24-2018, 07:06 PM

The brute force login attempts are all showing up in the IM logs. I should point out though we have entire pages of them now compared to previously almost none.

**glenn** · 01-24-2018, 07:30 PM

Interesting. I havent seen that yet and I have 50 websites so far with about 40 WP sites. Server has had IM360 for about 4 months.

I do have 588 pages at 100/page with failed ftp login attempts. I havent seen anything else yet but Im sure I will.

**vmarchuk** · 01-25-2018, 11:38 AM

Hello Glenn,

Wed really like to check logs on this host in order to understand whats happening on it.
Could you please create a support ticket with the output of the following command (run it as root on the server):
imunify360-agent doctor

Thank you.

Announcement

Wordpress Reporting

Wordpress Reporting

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment