Global whitelist issues
  • #1

    Hi Team,

    We have an ongoing issue with the global whitelisting that Imunify360 sets and enables. It leads to a big flaw in your product that needs to be addressed.

    Over the course of the last year, several times we have seen IP addresses that are involved in repeated incidents and never get blocked, often as obvious as repeated SSH brute forces.

    We only see this because we have CSF integrated and it places a block, and then Imunify360 removes it, over and over.

    Each time we have reported it to Imunify360, they advise it's because the IP is listed in an Imunify360 global whitelist.

    This is a huge problem and has reduced the trust we have in the firewall product altogether. You can't be whitelisting IPs that are obviously involved in an attack, thereby giving them unlimited attempts at attacks.

    Over the year this has happened numerous times, and it seems to most often be Russian IPs. Example of a recent IP: 178.154.203.82

    Here is another CSF log from today:

    Time: Thu Feb 2 03:41:12 2023 +1100
    IP: 130.193.42.43 (RU/Russia/-)
    Failures: 3 (sshd)
    Interval: 3600 seconds
    Blocked: Permanent Block [LF_SSHD]

    This whitelist needs to be cleaned and maintained more often. I would suggest that repeated failures from a whitelisted IP flag it for investigation, or similar.

    Any ideas how I can increase the trust I can have in Imunify360?

  • #2
    To update this thread, the ticket has been created and it's under our investigation. No details so far.



    • #3
      Hi bogdan.sh, was there ever an outcome here? We need to get this big security hole fixed in Imunify.

      Can I disable the whitelist and maintain my own?



      • #4
        Hello Taz,

        I hope you are doing well and thank you for sharing your experience with the forum.

        As for your question, I would like to let you know that while I fully understand the importance of disabling this specific feature, currently that is not an available option.

        However, you can modify the time an IP gets into the whitelist using the Imunify configuration file and set it to the minimum value, which is '1', in /etc/sysconfig/imunify360/imunify360.config. Practically, that means you minimize the time period to one minute.

        Indicatively, the default values are shown in the attached screenshot (Screenshot(1).png, not reproduced here). You can find more information here: https://docs.imunify360.com/config_file_description/#config-file-description

        Now, in case you want to add your own IPs there manually, feel free to use this link to the instructions.

        Kind Regards,



        • #5
          Hi KBOURDAKOS, thank you for your suggestion. However, these won't have any effect on the automatic whitelist which is applied from Imunify's end, though?

          Our problem is that we have no way of knowing that the IP whitelist Imunify are enforcing has been vetted correctly, as evidenced by IPs in their whitelist actively involved in brute-force attacks against Imunify servers. (Please note these are not IPs whitelisted on our end; they have been whitelisted by Imunify themselves in the global whitelist that every Imunify server gets.)



          • #6
            Hello Taz,

            Thank you for letting me know.

            As for that, my reply was intended to be used as an answer to:
            "Can I disable the whitelist and maintain my own?"
            As far as Imunify's Global WL is concerned, it's a case that's already being investigated by the corresponding analysts team, with its status In Progress.

            Kind Regards,
            Last edited by KBOURDAKOS; 02-28-2023, 06:27 AM.



            • #7
              Hi,

              More Russian IPs in the Imunify360 global whitelist caught brute forcing our servers... Guys, we really need some attention to this. You have a giant hole in your security software allowing bad actors to hammer away at infrastructure, and it's all 100% whitelisted by you. This should be treated with priority.


              Time: Sun Mar 19 21:43:43 2023 +1100
              IP: 178.154.209.177 (RU/Russia/-)
              Failures: 3 (sshd)
              Interval: 3600 seconds
              Blocked: Permanent Block [LF_SSHD]

              Log entries:

              Mar 19 21:42:30 au1 sshd[15051]: Invalid user lijian from 178.154.209.177 port 44612
              Mar 19 21:42:32 au1 sshd[15051]: Failed password for invalid user lijian from 178.154.209.177 port 44612 ssh2
              Mar 19 21:43:40 au1 sshd[15808]: Invalid user smbtest from 178.154.209.177 port 41058


              Time: Sun Mar 19 22:09:21 2023 +1100
              IP: 178.154.192.75 (RU/Russia/-)
              Failures: 3 (sshd)
              Interval: 3600 seconds
              Blocked: Permanent Block [LF_SSHD]

              Log entries:

              Mar 19 22:08:01 au1 sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.154.192.75 user=root
              Mar 19 22:08:02 au1 sshd[2311]: Failed password for root from 178.154.192.75 port 35932 ssh2
              Mar 19 22:09:18 au1 sshd[3211]: Invalid user reza from 178.154.192.75 port 37444


              Time: Sun Mar 19 20:22:34 2023 +1100
              IP: 84.201.172.56 (RU/Russia/-)
              Failures: 3 (sshd)
              Interval: 3600 seconds
              Blocked: Permanent Block [LF_SSHD]

              Log entries:

              Mar 19 20:20:43 au1 sshd[6232]: Invalid user fh from 84.201.172.56 port 57718
              Mar 19 20:20:46 au1 sshd[6232]: Failed password for invalid user fh from 84.201.172.56 port 57718 ssh2
              Mar 19 20:22:34 au1 sshd[7611]: Invalid user chenll from 84.201.172.56 port 59272

              Time: Sun Mar 19 13:03:41 2023 +1100
              IP: 130.193.42.43 (RU/Russia/-)
              Failures: 3 (sshd)
              Interval: 3600 seconds
              Blocked: Permanent Block [LF_SSHD]

              Log entries:

              Mar 19 13:02:21 au1 sshd[18402]: Failed password for invalid user chenyanmin from 130.193.42.43 port 38190 ssh2
              Mar 19 13:03:36 au1 sshd[19338]: Invalid user omnisky from 130.193.42.43 port 35310
              Mar 19 13:03:38 au1 sshd[19338]: Failed password for invalid user omnisky from 130.193.42.43 port 35310 ssh2

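The check the thread opener asks for in post #1 (repeated failures from a whitelisted IP should be flagged for investigation), run over sshd lines in the format quoted in post #7. This is an added example for this thread, not code from Imunify360, CSF or any poster. It counts each failure-type sshd line once, which is how the CSF LF_SSHD excerpts above arrive at "Failures: 3", and reports only the sources that a whitelist entry also covers. The whitelist and the extra log lines are constructed for the example; the CIDR used is a sample, not a claim about the real Imunify360 global whitelist.

```python
"""Flag whitelisted IPs that keep failing SSH authentication (added example)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# The three failure shapes that appear in the thread's log excerpts:
# "Invalid user", "Failed password for [invalid user] X", and the pam_unix line.
FAILURE_PATTERNS = (
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)(?: user=(?P<user>\S+))?"),
)

# Constructed sample whitelist (assumption for this example only; the ranges are
# not claimed to be in the Imunify360 global whitelist or to belong to anyone).
WHITELIST = ["178.154.192.0/18", "203.0.113.7"]

# Constructed sample log: the lines quoted in post #7, plus a whitelisted host with
# a single typo (should not be flagged) and a non-whitelisted attacker (CSF already
# handles that one, so it is not this check's job).
SAMPLE_LOG = """\
Mar 19 21:42:30 au1 sshd[15051]: Invalid user lijian from 178.154.209.177 port 44612
Mar 19 21:42:32 au1 sshd[15051]: Failed password for invalid user lijian from 178.154.209.177 port 44612 ssh2
Mar 19 21:43:40 au1 sshd[15808]: Invalid user smbtest from 178.154.209.177 port 41058
Mar 19 22:08:01 au1 sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.154.192.75 user=root
Mar 19 22:08:02 au1 sshd[2311]: Failed password for root from 178.154.192.75 port 35932 ssh2
Mar 19 22:09:18 au1 sshd[3211]: Invalid user reza from 178.154.192.75 port 37444
Mar 19 22:10:00 au1 sshd[4001]: Failed password for admin from 203.0.113.7 port 50000 ssh2
Mar 19 22:11:00 au1 sshd[4100]: Invalid user test from 198.51.100.9 port 50001
Mar 19 22:11:02 au1 sshd[4100]: Failed password for invalid user test from 198.51.100.9 port 50001 ssh2
Mar 19 22:11:05 au1 sshd[4102]: Invalid user test2 from 198.51.100.9 port 50002
Mar 19 22:12:00 au1 sshd[4200]: Accepted publickey for deploy from 203.0.113.7 port 50010 ssh2
"""


def parse_failures(lines):
    """Return {ip: Counter({user: failure_lines})} for every line matching a failure pattern."""
    failures = defaultdict(Counter)
    for line in lines:
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            try:
                ip = str(ip_address(match.group("ip")))  # normalise, reject junk (IPv4 or IPv6)
            except ValueError:
                break
            failures[ip][match.group("user") or "<unknown>"] += 1
            break  # a line counts once even if more than one pattern could match it
    return failures


def flag_whitelisted_attackers(lines, whitelist, threshold=3):
    """Return {ip: details} for sources with >= threshold failure lines that a whitelist entry covers.

    threshold=3 mirrors the LF_SSHD trigger shown in the CSF alerts above.
    """
    networks = [ip_network(entry, strict=False) for entry in whitelist]
    flagged = {}
    for ip, users in parse_failures(lines).items():
        total = sum(users.values())
        if total < threshold:
            continue
        addr = ip_address(ip)
        covering = [str(net) for net in networks if addr in net]  # v4/v6 mismatch is simply False
        if covering:
            flagged[ip] = {
                "failures": total,
                "users": sorted(users),
                "whitelist_entries": covering,
            }
    return flagged


def report(flagged):
    """Render the flagged map as one human-readable line per IP."""
    rows = []
    for ip in sorted(flagged):
        d = flagged[ip]
        rows.append(
            f"{ip}: {d['failures']} sshd failures as {', '.join(d['users'])}; "
            f"whitelisted via {', '.join(d['whitelist_entries'])} -> investigate"
        )
    return rows


if __name__ == "__main__":
    for row in report(flag_whitelisted_attackers(SAMPLE_LOG.splitlines(), WHITELIST)):
        print(row)
```

On the sample input only the two 178.154.x hosts come back: the whitelisted 203.0.113.7 stays under the threshold and 198.51.100.9 is not whitelisted. In practice the whitelist input would be whatever list the operator can actually see (their own entries, or an exported global list), and a flagged IP is a candidate for the user-defined blacklist, which post #8 says overrides the pre-defined whitelists from release 6.9 onward.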


              • #8
                Hello Taz,

                We understand how important it is for you to ensure the security of your website, and we appreciate you reaching out to us. Our Web Protection Team reached out and provided the following update:

                We want to let you know that we have reviewed your issue and have decided to exclude the source from the whitelist. It was confirmed that a lot of addresses from subnets listed in the Yandex whitelist (including those that you have mentioned in this thread) are performing massive attacks. We investigated the issue deeper and, based on the results received, we decided to exclude this source from the whitelists.

                Please let us know if you have any feedback in this regard!

                Additionally, please be informed that recently we have reworked the blacklist/whitelist priorities, so that since the 6.9 release the user-defined blacklist overrides Imunify360's pre-defined whitelists. More on the way to add custom blacklisted IPs can be found in the article below:


                Thank you for raising the matter for discussion and drawing it to our attention!
