Just configured a new server, the first one without CSF/CXS, instead I just installed Imunify360 only. And I am "missing" a few things I would like to share.
a)
I missed the security check-up in CSF [Check Server Security option]. I know there is Security Advisor in cPanel, but it's missing a lot of stuff.
Do you plan something like that (or help cPanel on their own Security Advisor?)
b)
[Check IPs in RBLs], nice feature; most of the time we have problems with outgoing spam, so we check it regularly. If it was automated and just reporting on the front page / or with a popup notification, it would be great! (Or maybe integrate it into reputation management.)
c)
Allow incoming/outgoing TCP/UDP ports. How can I port-block something or, even worse, block it for everyone except x,y,z IPs/subnets? I use it for MySQL connections mostly. Nice feature. I block everything for port 3306, for example, except a few subnets and/or IPs. Doing the same for SSH. Can I do that with Imunify?
d)
Email alerting. On port scans, floods, connlimit, etc., is there a way to get email alerts too? Or program them to send an alert only if something is true (e.g. send me an alert for a blocked IP when the country is Greece, to double-check it)?
e)
Better reporting in incidents. (More verbose, maybe.)
CXS/CSF sends me alerts when it blocks something (mod_security, for example) and I am getting something like this:
[Tue Jul 25 01:33:00.911526 2017] [:error] [pid 27625] [client 46.161.9.51] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[-_ ]?\\b(?:adipex|suboxone|pseudovent|topamax|trazodon e|prevacid|zyrtec|xenical|toprol|zoloft|synthroid| valtrex|wellbutrin|valium|protonix|vytorin|ritalin |zocor|seroquel|ultracet|plavix|voltaren|zyprexa|x anax|vicodin|penicillin|tramadol|provigil|predn ..." at ARGS:comment. [file "/etc/apache2/conf.d/modsec/modsec_rules/30_asl_antispam.conf"] [line "283"] [id "300061"] [rev "25"] [msg "Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected"] [data " 496 found within ARGS:comment: wh0cd76412 <a href=http://buyanafranilonline.us.com/>buy anafranil online</a> <a href=http://tamoxifennorx.us.com/>tamoxifen visa</a> <a href=http://buyfurosemide.us.com/>furosemide mg</a> <a href=http://prednisone10mg.us.com/>prednisone tablets</a> <a href=http://colchicine.us.com/>colchicine over the counter</a> "] [severity "WARNING"] [hostname "HOST-NAME-HERE"] [uri "/wp-comments-post.php"] [unique_id "WXZ1nIe9LNr8HNUDKIlV2QAAABU"]
So I know the rule, the hostname, the data and the exact file location.
In Imunify I'm seeing only the file location. I don't know which account, username or domain it came from.
I am just seeing something like this:
Atomicorp.com WAF Rules: xmlrpc DOS attack
Sensor: modsec
Rule: 392331
Abuser: 131.255.227.146
Or in the newer beta:
i360-wallarm - web-shell access (WLRM-18fd997a)||domain-here.gr
Sensor: modsec
Rule: 664273
Abuser: 179.105.30.70
But still not the exact URL.
(Or what that "web shell access" means exactly.)
f)
Outgoing email spam.
That's a pain, and somewhere here there is an unanswered question about that;
there are reporting tools about relaying, queue alerts, SMTP alerts, etc.
Generally, outgoing spam from PHP backdoors, shells, or hacked accounts is an issue. Do you plan alerts or hardening for this?
PS: Just updated to cPanel 66, frameless WHM; even the beta Imunify doesn't work well. No scrollbar. But I like it anyway.
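The fields the post wants in an incident (hostname, URI, rule id, abuser IP, data) are all present in the ModSecurity error-log line quoted under (e). The following is an added example, not code from the post or from Imunify360, that parses such a line into those fields and tallies blocked requests per site and URI; the sample line is constructed from the one quoted above, with the pattern and data fields trimmed.

```python
import re

# Constructed sample modelled on the ModSecurity line quoted in the post (pattern/data trimmed).
SAMPLE_LINE = (
    '[Tue Jul 25 01:33:00.911526 2017] [:error] [pid 27625] [client 46.161.9.51] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    '"[-_ ]?\\\\b(?:adipex|suboxone)" at ARGS:comment. '
    '[file "/etc/apache2/conf.d/modsec/modsec_rules/30_asl_antispam.conf"] [line "283"] '
    '[id "300061"] [rev "25"] [msg "Atomicorp.com WAF AntiSpam Rules: Possible Spam or '
    'Restricted content: Pharmacy and/or Drug content detected"] '
    '[data " 496 found within ARGS:comment: wh0cd76412"] [severity "WARNING"] '
    '[hostname "HOST-NAME-HERE"] [uri "/wp-comments-post.php"] '
    '[unique_id "WXZ1nIe9LNr8HNUDKIlV2QAAABU"]'
)

# ModSecurity writes its metadata as [key "value"] pairs; the client IP is unquoted.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')


def parse_modsec_event(line):
    """Extract the incident fields the post asks for from one error-log line."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    client = m.group(1) if m else None
    # Apache 2.4 usually appends the source port to IPv4 clients ("1.2.3.4:51234"); drop it.
    if client and client.count(".") == 3 and ":" in client:
        client = client.rsplit(":", 1)[0]
    return {
        "client": client,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),
        "file": fields.get("file"),
        "line": fields.get("line"),
        "severity": fields.get("severity"),
        "unique_id": fields.get("unique_id"),
        "data": fields.get("data", "").strip(),
    }


def count_by_target(lines):
    """Tally blocked requests per (hostname, uri), so a report names the site, not only the rule file."""
    counts = {}
    for line in lines:
        ev = parse_modsec_event(line)
        key = (ev["hostname"], ev["uri"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feeding the full Apache error log through `count_by_target` gives the per-domain view the post misses in the Imunify incident list.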