Dear Customer,

Regarding the blocking rate, currently we block a user if there are 10 login attempts in 2 minutes. We find this reasonable in the first iteration of the rule to avoid many false positives. In the future we may decrease this value if there are no complaints from the customers. If you are eager to do this right now you can tune these parameters in /var/ossec/etc/rules.d/defence360_rules.xml line 39 followed by /var/ossec/bin/ossec-control restart.

Regarding the automatic captcha redirect, we are looking to implement this in one of our next releases in about 2 weeks. This would be helpful indeed.

Regards,
Imunify360 staff.

Thanks for your reply. I will check that .xml file and see if I do some changes or not.

But about Comodo WAF issue you didnt find anything on that? I tried changing the logging from Serial to Concurrent and that didnt work.
Seems like Imunify did take over mod_security on the server:

--11e7d75f-B--
POST /wp-login.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Content-Length: 52
Host: domain.tld
Cookie: wordpress_test_cookie=WP+Cookie+check

--11e7d75f-H--
Message: Warning. Pattern match "^POST$" at REQUEST_METHOD. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_rules/i360.conf"] [line "25"] [id "33332"] [rev "1"] [msg "WordPress login attempt"] [severity "WARNING"] [maturity "1"]
Stopwatch: 1489244594741842 103920 (- - -)
Stopwatch2: 1489244594741842 103920; combined=3900, p1=444, p2=3114, p3=61, p4=26, p5=171, sr=66, sw=84, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--11e7d75f-Z--

When I asked Igor last time, he said that Imunify360 should not do any WAF rules and will not function as that as it was hard to compete and invent the weel again.

In /etc/apache2/conf.d/modsec_vendor_configs/imunify360_rules/i360.conf I only see 3 rules.

CWAF seems to still be working and logging to:
/usr/local/apache/logs/modsec_audit.log

--0ffe2e30-B--
GET /test.html HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)
Accept: */*
Accept-Encoding: deflate, gzip
Host: http://www.domain.tld

--0ffe2e30-H--
Message: Access denied with code 403 (phase 2). Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/var/cpanel/cwaf/rules/02_Global_Agents.conf"] [line "34"] [id "210832"] [rev "2"] [msg "COMODO WAF: Blacklisted by userdata_bl_agents||http://www.domain.tld|F|4"] [data "AhrefsBot"] [severity "WARNING"]
Action: Intercepted (phase 2)
Stopwatch: 1489245322672179 685505 (- - -)
Stopwatch2: 1489245322672179 685505; combined=717, p1=562, p2=121, p3=0, p4=0, p5=34, sr=82, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--0ffe2e30-Z--

But logging inside WHM->
Home »Security Center »ModSecurity™ Tools »Hits List
Stopped logging when installed Imunify360.

If you need to check this you can follow up in the email on friday and get access if you need to replicate this when installing IM360.

It is a bug. We are working on fixing it.

Thanks Igor

Im also seeing Comodo WAF no longer functioning on all servers with Imunify360 installed

I did upgrade to version 1.1.4 today and hits from Comodo WAF is still not listed in WHM!

> I did upgrade to version 1.1.4 today and hits from Comodo WAF is still not listed in WHM!

Hi Morten,

This is a bug, jira id is DEF-1128. Please expect this jira bugfix will appear in one of subsequent bugfix releases: 1.0.5 or 1.0.6

In addition to entries not being logged in WHM, Im not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?

> In addition to entries not being logged in WHM, Im not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?

Pretty sure CWAF is not working for you then. In my testing server its logging both from Imunify and CWAF in that file.

>> I did upgrade to version 1.1.4 today and hits from Comodo WAF is still not listed in WHM!
>
> Hi Morten,
>
> This is a bug, jira id is DEF-1128. Please expect this jira bugfix will appear in one of subsequent bugfix releases: 1.0.5 or 1.0.6

Thanks! Looking forward for a fix :-)

>> In addition to entries not being logged in WHM, Im not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?
>
> Pretty sure CWAF is not working for you then. In my testing server its logging both from Imunify and CWAF in that file.

Im not getting anything new logged in /usr/local/apache/logs/modsec_audit.log or in Imunify. Comodo WAF was working perfectly before installing Imunify.

Any idea how to fix? I should note I am using Litespeed and not Apache.

Actually, its not logging on either of my test servers, one running Litespeed, the other Apache.

Ok, I have only tested this on a Apache server with mod_lsapi. Do not dare to test on LiteSpeed yet Did you upgrade to latest version that came today?