ImanGM, Saturday, 15 December 2018
Hello there,

While checking the incidents page, I've noticed that I have so many WordPress login attempts or Postfix SASL authentication failures from countries where I'm sure we don't have a client.

Is it possible to have an option to immediately blacklist the IP addresses from certain countries that do specific things, such as trying to access the WordPress login page or trying to authenticate to the mail server or ...?

Thanks
Iman
#1 Greg Zemskov, 15.12.2018 19:12:12
Hi Iman,
Thank you for the feature request.
Currently, you can blacklist traffic coming from a particular country using the following command in the CLI:

imunify360-agent blacklist --by-country-code <country-code>

For example, to block requests from Bolivia:

imunify360-agent blacklist --by-country-code BO

But be careful with the option as you have to be 100% sure that there's no legitimate traffic from that country.

Later we will add a comprehensive blacklist management including the feature you requested.
Thanks!
#2 ImanGM, 18.12.2018 08:12:59
Hey

Yeah, I know about the country block feature and it's working fine. But I was looking for something to prevent visitors from certain countries from being able to authenticate or ... For example, I have several visitors from China and that's fine. But meanwhile I have so many hack attempts from China as well. I don't want to block all of them, but only those who are trying to log in to WordPress or trying to authenticate to the mail server and ...

It would be awesome if we had such a feature in newer versions of Imunify360.

Thank you,
Iman
#3 Greg Zemskov, 18.12.2018 11:12:02
Hi Iman,
OK, got it. You want to have a compound rule: "visitors from a specific country" and "visitor requesting a particular URL".
Recorded as a feature request. Thanks!
#4 Hostking, 21.12.2018 07:12:29
Or why not do it for visitors from a country using a specific port or application type.
#5 ImanGM, 22.12.2018 15:12:54
> Hi Iman,
> OK, got it. You want to have a compound rule: "visitors from a specific country" and "visitor requesting a particular URL".
> Recorded as a feature request. Thanks!

Yes! Thanks :)
#6 ImanGM, 29.12.2018 11:12:19
Hi,

I just made a simple shell script that works with the Imunify360-agent CLI. It scans Imunify360 incidents and moves IPs to the blacklist based on rules that the user can specify. For example, block any attempts to log in to WordPress from certain countries, or even block any attempts that are not from the allowed countries list.

I made it so that the user can define different rules for different countries and incidents.

How to use it:

1. Connect to your server via SSH

2. Make a directory, for example in your home directory, and name it ccprotect:

mkdir /home/myuser/ccprotect

3. Download the attached file and unzip it inside this directory.

4. Go to the rules directory and edit the files the way you need them. You need at least one .rule file, and if you don't need the others you can remove them. I put in a file named custom_rule.temp which you can use as an empty template for your rules:

cp custom_rule.temp my_own_rule.rule

5. In each rule there are 5 variables that you need to fill in:

RULE_NAME: Just a name for your rule.

CMDS: Grab a part of the incident's event and put it here. For example: "WordPress login attempt", or if you want to check for more than one incident, use it like this: "WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user". Please note that you should put the | sign between incidents, and it works like the bitwise OR operator.

DENY_COUNTRIES: List of the countries that are checked for the incidents. If the IP address belongs to this list, it will be added to the blacklist immediately. Country codes should be entered in two-character format; you may find the whole list here:

https://www.nationsonline.org/oneworld/country_code_list.htm

ALLOW_COUNTRIES: List of the countries that won't be checked for the incidents. If the IP address doesn't belong to this list, it will be blocked immediately.

MODE: allow or deny. "allow" means ALLOW_COUNTRIES is in action (more restrictive), and "deny" means the rules will only apply to the DENY_COUNTRIES list.

6. Once you are done with the rule files, run the scan.sh file once to see whether it's working fine or not. It will read the incidents of the last 10 minutes and apply the rules to them.

7. If it worked successfully, you need to go to "Plesk > Tools and Settings > Scheduled Tasks" and add a new task. Task Type should be "Run a command".
Command should be "/home/iman/ccprotect/scan.sh" (make sure to replace the path with the path where you've uploaded the script).
Run should be "Cron style" with the value "*/2 * * * *".
Put a description for yourself and set notifications to errors only at first. Once it runs successfully, you may edit it and set it to "Do not notify", because otherwise it will send you an email every two minutes.

I hope this helps. It was very useful for me. But please note that you need to check the rule files carefully and make sure you are not blocking yourself. Please use this at your own risk.

Thanks,
Iman
Attachments (1)
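An added example of the rule logic described in this post, not ImanGM's attached script: a POSIX shell dry run that evaluates one rule (the five variables above) against incident records and prints the imunify360-agent commands it would issue, including the --expiration option that comes up later in the thread. The incident line format "<ip> <country-code> <event text>", the sample incidents and the rule values are all constructed assumptions; the real agent output and GeoIP lookup are not modelled.

```shell
#!/bin/sh
# Added example, not the script attached to the post: evaluates one rule (the
# five variables described above) against incident records and prints, rather
# than runs, the imunify360-agent commands. ASSUMPTION: one incident per line
# as "<ip> <country-code> <event text>"; real agent output is not modelled.
# Constructed sample incidents (documentation addresses, not real attackers)
INCIDENTS='203.0.113.10 CN WordPress login attempt
203.0.113.11 CN Dovecot brute force attack
198.51.100.7 DE WordPress login attempt
198.51.100.9 BR WordPress login attempt
192.0.2.5 CN Normal request'

# Rule variables, same names and meaning as in the post (values constructed)
RULE_NAME="wp-mail-bruteforce"
CMDS="WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user"
DENY_COUNTRIES="CN RU"
ALLOW_COUNTRIES="DE US"
MODE="deny"     # "allow" = block everything outside ALLOW_COUNTRIES
EXPIRE_DAYS=14  # expiring blocks as suggested later in the thread; 0 = permanent

# in_list <code> "<code> <code> ...": exit 0 when the code is in the list
in_list() {
  for c in $2; do [ "$c" = "$1" ] && return 0; done
  return 1
}

# decide <country> <event>: exit 0 when the source IP should be blacklisted
decide() {
  # the | in CMDS is ERE alternation, so any one listed event matches
  printf '%s\n' "$2" | grep -Eq "$CMDS" || return 1
  if [ "$MODE" = "allow" ]; then
    in_list "$1" "$ALLOW_COUNTRIES" && return 1
    return 0
  fi
  in_list "$1" "$DENY_COUNTRIES"
}

# block_cmd <ip>: the agent command for one IP (--expiration is a Unix timestamp)
block_cmd() {
  cmd="imunify360-agent blacklist ip add $1"
  [ "$EXPIRE_DAYS" -gt 0 ] && cmd="$cmd --expiration $(( $(date +%s) + EXPIRE_DAYS * 86400 ))"
  echo "$cmd --comment \"$RULE_NAME\""
}
# scan: one command per incident that matches the rule (dry run)
scan() {
  printf '%s\n' "$INCIDENTS" | while read -r ip cc event; do
    if decide "$cc" "$event"; then block_cmd "$ip"; fi
  done
}
scan
```

Replacing the echo in block_cmd with the command itself turns the dry run into a working blocker; check the printed list first so a rule never covers your own address.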
#7 Greg Zemskov, 30.12.2018 17:12:47
ImanGM, looks great! I passed it to our analytics team.
Thanks for sharing the script!
#8 ImanGM, 31.12.2018 15:12:03
> ImanGM, looks great! I passed it to our analytics team.
> Thanks for sharing the script!

You are welcome. It's working fine for me. If the analysis team accepts the way I've made it as a temporary solution, I guess it would be easy to monitor other logs such as MySQL and ... to identify brute-force or other kinds of attacks and block them via Imunify360-agent...

Cheers
Iman
#9 Eugeniu, 15.07.2019 08:07:08
To optimize resource usage after the blacklist grew (over 12k IPs), we use blocking with expiration.

BLACKLIST_CMD=$(echo imunify360-agent blacklist ip add "$IP360" --expiration $(date '+%s' --date='2 day') --comment \"Restricted Country Auto Block by script\")

Hope it will be useful for other participants ;)
#10 ImanGM, 15.07.2019 09:07:05
Hi Eugeniu,

Yeah! That's a very good improvement. My list is filled with about 20,000 IPs right now and that's definitely a very large number. I've used your improvement and modified my scan.sh file to expire the blocked IPs in 14 days since I need a more restricted policy.

Thank you for sharing it.
Iman
#11 Eugeniu, 15.07.2019 09:07:45
Hi ImanGM, I can also share the commands to clear Imunify's list of IPs that were added to the blacklist with your comment.
I used them on a few servers, everything is working well :)

systemctl stop imunify360
echo "delete from iplist where comment='Restricted Country Auto Block by script';" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
echo "vacuum;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
systemctl restart wsshdict
systemctl start imunify360

P.S. Thanks to the support team of Imunify360 for this solution.