ImanGM
Saturday, 15 December 2018
Hello there,

While checking the incidents page, I've noticed that I have so many WordPress login attempts or Postfix SASL authentication failures from countries where I'm sure we don't have a client.

Is it possible to have an option to immediately blacklist IP addresses from certain countries that do specific things, such as trying to access the WordPress login page or trying to authenticate to the mail server, or ...?

Thanks
Iman
  1. 15.12.2018 19:12:12
  2. # 1
Greg Zemskov Accepted Answer
Posts: 28
Joined: 16.11.2018
0
Votes
Hi Iman,
Thank you for the feature request.
Currently, you can blacklist traffic coming from a particular country using the following command in CLI:


imunify360-agent blacklist --by-country-code <country-code>


For example, block requests from Bolivia:


imunify360-agent blacklist --by-country-code BO


But be careful with the option as you have to be 100% sure that there's no legitimate traffic from that country.

Later we will add a comprehensive blacklist management including the feature you requested.
Thanks!
  1. 18.12.2018 08:12:59
  2. # 2
ImanGM Accepted Answer
Posts: 10
Joined: 08.12.2018
0
Votes
Hey

Yeah, I know about the country block feature and it's working fine. But I was looking for something to prevent visitors from certain countries from being able to authenticate or ... For example, I have several visitors from China and that's fine. But meanwhile I have so many hack attempts from China as well. I don't want to block all of them, but to block those who are trying to log in to WordPress or trying to authenticate to the mail server and ...

It would be awesome if we had such a feature in newer versions of Imunify360.

Thank you,
Iman
  1. 18.12.2018 11:12:02
  2. # 3
Greg Zemskov Accepted Answer
Posts: 28
Joined: 16.11.2018
0
Votes
Hi Iman,
OK, got it. You want to have a compound rule: "visitors from a specific country" and "visitor requesting particular URL".
Recorded as a feature request. Thanks!
  1. 21.12.2018 07:12:29
  2. # 4
Hostking Accepted Answer
Posts: 38
Joined: 07.11.2012
0
Votes
Or why not do it for visitors from a country using a specific port or application type.
  1. 22.12.2018 15:12:54
  2. # 5
ImanGM Accepted Answer
Posts: 10
Joined: 08.12.2018
0
Votes
Hi Iman,
OK, got it. You want to have a compound rule: "visitors from a specific country" and "visitor requesting particular URL".
Recorded as a feature request. Thanks!
Yes! Thanks :)
  1. 29.12.2018 11:12:19
  2. # 6
ImanGM Accepted Answer
Posts: 10
Joined: 08.12.2018
0
Votes
Hi,

I just made a simple shell script that works with the Imunify360-agent CLI; it scans Imunify360 incidents and moves IPs to the blacklist based on rules that the user can specify. For example, block any attempts to log in to WordPress from certain countries, or even block any attempts from countries which are not in the allowed countries list.

I made it so that the user can define different rules for different countries and incidents.

How to use it:

1. Connect to your server via SSH

2. Make a directory, for example in your home directory, and name it ccprotect:

mkdir /home/myuser/ccprotect


3. Download the attached file and unzip it inside this directory.

4. Go to the rules directory and edit the files the way you need them. You need at least one .rule file, and if you don't need the others you can remove them. I put a file named custom_rule.temp which you can use as an empty template for your rules:

cp custom_rule.temp my_own_rule.rule


5. In each rule, there are 5 variables that you need to fill in:

RULE_NAME: Just a name for your rule.

CMDS: Grab a part of the incident's event and put it here. For example: "WordPress login attempt", or if you want to check for more than one incident, use it like this: "WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user". Please note that you should put a | sign between incidents; it works like a bitwise OR operator.

DENY_COUNTRIES: List of the countries that are checked for the incidents. If the IP address belongs to this list, it will be added to the blacklist immediately. Country codes should be entered in two-character format; you can find the whole list here:

https://www.nationsonline.org/oneworld/country_code_list.htm

ALLOW_COUNTRIES: List of the countries that won't be checked for the incidents. If the IP address doesn't belong to this list, it will be blocked immediately.

MODE: allow or deny. "allow" means ALLOW_COUNTRIES is in action (more restrictive), and "deny" means the rules will only apply to the DENY_COUNTRIES list.

6. Once you are done with the rule files, run the scan.sh file once to see if it's working fine. It will read the incidents of the last 10 minutes and apply the rules to them.

7. If it worked successfully, go to "Plesk > Tools and Settings > Scheduled Tasks" and add a new task. Task Type should be "Run a command".
Command should be "/home/iman/ccprotect/scan.sh" (make sure to replace the path with the path where you've uploaded the script).
Run should be "Cron style" with the value "*/2 * * * *".
Put a description for yourself and set notifications to errors only at first. Once it runs successfully, you may edit it and set it to "Do not notify", because otherwise it will send you an email every two minutes.

I hope this helps. It was very useful for me. But please note that you need to check the rule files carefully and make sure you are not blocking yourself. Please use this at your own risk.

Thanks,
Iman
Attachments (1)
  1. 30.12.2018 17:12:47
  2. # 7
Greg Zemskov Accepted Answer
Posts: 28
Joined: 16.11.2018
0
Votes
ImanGM, looks great! I passed it to our analytics team.
Thanks for sharing the script!
  1. 31.12.2018 15:12:03
  2. # 8
ImanGM Accepted Answer
Posts: 10
Joined: 08.12.2018
0
Votes
ImanGM, looks great! I passed it to our analytics team.
Thanks for sharing the script!

You are welcome. It's working fine for me. If the analysis team accepts the way I've made it as a temporary solution, I guess it would be easy to monitor other logs, such as MySQL and ..., to identify brute-force or other kinds of attacks and block them via Imunify360-agent...

Cheers
Iman
  1. 15.07.2019 08:07:08
  2. # 9
Eugeniu Accepted Answer
Posts: 0
Joined: 05.06.2020
0
Votes
To optimize resource usage after the blacklist grew (over 12k IPs), we use blocking with expiration.

BLACKLIST_CMD=$(echo imunify360-agent blacklist ip add "$IP360" --expiration $(date '+%s' --date='2 day') --comment \"Restricted Country Auto Block by script\")

Hope it will be useful for other participants ;)
  1. 15.07.2019 09:07:05
  2. # 10
ImanGM Accepted Answer
Posts: 10
Joined: 08.12.2018
0
Votes
Hi Eugeniu,

Yeah! That's a very good improvement. My list is filled with about 20,000 IPs right now, and that's definitely a very large number. I've used your improvement and modified my scan.sh file to expire the blocked IPs after 14 days, since I need a more restrictive policy.

Thank you for sharing it.
Iman
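To make the rule format from ImanGM's post (RULE_NAME, CMDS, DENY_COUNTRIES, ALLOW_COUNTRIES, MODE) and the expiring blacklist entries from Eugeniu's reply concrete, here is an added example written for this thread; it is not ImanGM's ccprotect attachment and not an Imunify360 tool. The incident lines are constructed sample data in an assumed "ip country-code event" layout (a real scan.sh would read them from imunify360-agent for the last 10 minutes); the `imunify360-agent blacklist ip add ... --expiration ... --comment` form is the one Eugeniu posted; the DRY_RUN switch and the helper names are this example's own. By default it only prints the commands it would run, which is the "run it once and check" step from the how-to.

```shell
#!/bin/sh
# Added example, not ImanGM's ccprotect script: a minimal country+incident rule
# engine that emits expiring imunify360-agent blacklist commands.

# Constructed sample incidents, assumed layout: "<ip> <country-code> <event>".
# In a real scan.sh these would come from imunify360-agent (last 10 minutes).
SAMPLE_INCIDENTS='203.0.113.5 CN WordPress login attempt
198.51.100.7 DE WordPress login attempt
192.0.2.9 CN Dovecot brute force attack
203.0.113.44 BR Attempt to login using a non-existent user
198.51.100.23 CN Some unrelated event'

# One rule, with the variables named in the post's .rule files.
RULE_NAME="wp-and-mail-bruteforce"
CMDS="WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user"
DENY_COUNTRIES="CN BR"
ALLOW_COUNTRIES="DE BR"
MODE="deny"
EXPIRE_DAYS=14   # ImanGM's 14-day expiry; Eugeniu used 2 days

# in_list WORD LIST -> success if WORD is one of the space-separated LIST entries
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# rule_matches COUNTRY EVENT -> success if the rule says this IP must be blocked
rule_matches() {
  country=$1; event=$2
  # the event must contain one of the CMDS alternatives ("|" acts as OR)
  printf '%s\n' "$event" | grep -Eq "$CMDS" || return 1
  case "$MODE" in
    allow) in_list "$country" "$ALLOW_COUNTRIES" && return 1; return 0 ;;
    deny)  in_list "$country" "$DENY_COUNTRIES" ;;
    *)     echo "unknown MODE: $MODE" >&2; return 1 ;;
  esac
}

# expiration_ts DAYS -> unix timestamp DAYS from now, for --expiration
expiration_ts() {
  echo $(( $(date +%s) + $1 * 86400 ))
}

# scan_incidents INCIDENT_LINES -> prints one blacklist command per match.
# DRY_RUN=1 (default) only prints; DRY_RUN=0 also executes the command.
scan_incidents() {
  exp=$(expiration_ts "$EXPIRE_DAYS")
  printf '%s\n' "$1" | while read -r ip cc event; do
    [ -n "$ip" ] || continue
    if rule_matches "$cc" "$event"; then
      cmd="imunify360-agent blacklist ip add $ip --expiration $exp --comment \"$RULE_NAME\""
      echo "$cmd"
      [ "${DRY_RUN:-1}" = "1" ] || eval "$cmd"
    fi
  done
}

# matched_ips -> space-separated IPs the rule blocks on the sample incidents
matched_ips() {
  scan_incidents "$SAMPLE_INCIDENTS" | awk '{print $5}' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: show what the rule would do to the sample data.
scan_incidents "$SAMPLE_INCIDENTS"
```

Running it in deny mode blocks the three CN/BR incidents that match CMDS and leaves the German login attempt and the unrelated CN event alone; switching MODE to allow with the same lists additionally spares the BR address because it is on ALLOW_COUNTRIES. Keeping the comment fixed per rule is what makes Eugeniu's later bulk cleanup by comment possible.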
  1. 15.07.2019 09:07:45
  2. # 11
Eugeniu Accepted Answer
Posts: 0
Joined: 05.06.2020
0
Votes
Hi ImanGM, I can also share commands to clear IPs with your comment from Imunify's blacklist.
I used it on a few servers, everything is working well :)

systemctl stop imunify360
echo "delete from iplist where comment='Restricted Country Auto Block by script';" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
echo "vacuum;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
systemctl restart wsshdict
systemctl start imunify360


P.S. Thanks to the Imunify360 support team for this solution
  1. 18.04.2020 14:04:09
  2. # 12
Jhonathan Accepted Answer
Posts: 3
Joined: 18.04.2020
0
Votes
Hi ImanGM

Excellent solution, congratulations! I am very grateful to you for this solution. It helped me a lot!
The Imunify360 team should see this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that in the tool interface.

Thank you very much!
  1. 20.04.2020 11:04:11
  2. # 13
Sergey Khristich Accepted Answer
Posts: 354
Joined: 20.05.2019
0
Votes

The Imunify360 team should see this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that in the tool interface.

Hello Jhonathan,
Thank you for reaching out! This feature is already available in the Black List section.
Using the Country filter, you can filter the list by country origin. Enter a country name into the input field with autocomplete. Imunify360 will show the list of IPs of the chosen country.
You can find more information here https://docs.imunify360.com/dashboard/#black-list
Drop me a line if I can do anything else for you. Thank you.
Marketing Manager
  1. 20.04.2020 15:04:17
  2. # 14
Jhonathan Accepted Answer
Posts: 3
Joined: 18.04.2020
0
Votes
Hi Sergey Khristich

The problem is that there is no way to create custom rules. If you block a country, the firewall will block all traffic from that country.

The solution that ImanGM presented works perfectly with custom rules.

If there was an area inside the tool to create custom rules it would be very interesting.
  1. 20.04.2020 17:04:08
  2. # 15
Sergey Khristich Accepted Answer
Posts: 354
Joined: 20.05.2019
0
Votes
Hi Sergey Khristich

The problem is that there is no way to create custom rules. If you block a country, the firewall will block all traffic from that country.
The solution that ImanGM presented works perfectly with custom rules.
If there was an area inside the tool to create custom rules it would be very interesting.

Hello Jhonathan,
Can you please open a support ticket / feature request here https://cloudlinux.zendesk.com/hc/en-us/requests/new? And describe in more detail what specific exceptions are needed and our development team will definitely consider the request. You can post the ticket number here and we'll link this thread to it. Thank you.
Marketing Manager
  1. 20.04.2020 21:04:19
  2. # 16
Jhonathan Accepted Answer
Posts: 3
Joined: 18.04.2020
0
Votes
Hi Sergey Khristich

Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
I opened a ticket with the team. Now I will wait.

Thank you
Attachments (1)
  1. 21.04.2020 09:04:25
  2. # 17
Sergey Khristich Accepted Answer
Posts: 354
Joined: 20.05.2019
0
Votes
Hi Sergey Khristich

Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
I opened a ticket with the team. Now I will wait.

Thank you

Hello Jhonathan,
Thank you, our specialists will answer you on the ticket as quickly as possible.
Marketing Manager