Imunify360 forum: Imunify360 and Imunify Sensor
Posted by Christos Panagiotakis, Thursday, March 30, 2017
I asked this in a thread about CSF and Imunify because it is somewhat relevant, but I got no answer.
I hope it's OK to ask again.

Do you plan features like this (mail/spam related)?

Usually when an account gets infected/hacked, bots or malicious users upload mail scripts. And the usual top #1 problem for us (my personal opinion, of course) is dealing with outgoing mail spam.

CSF/LFD notifies us when someone / some script is sending mass mails (localrelay, authrelay), and when the queue is above a configured limit.

When I get the warning I know something is wrong and start investigating.

The usual outcome is the server IP blacklisted in multiple RBLs (and other users can't send mails), an IP block, or a whole-server block (for one account) from the data center.

So I believe it's crucial to know what's happening with outgoing mails and queues.
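As an added illustration of the kind of check LFD's localrelay/authrelay tracking performs (this is example code written for this page, not code from the thread, CSF/LFD or Imunify360): a small Python script that parses constructed Exim mainlog lines in the cPanel-style shape (a `cwd=` line from the `+arguments` log selector before each local submission, and `<=` arrival lines carrying `A=authenticator:user` for SMTP-authenticated mail or `P=local` for the local sendmail path), counts accepted messages per authenticated user and per calling-script directory inside a sliding one-hour window, and reports anything over a limit. The log lines, accounts, paths, IPs and thresholds are all constructed for the example.

```python
"""Toy relay-rate check in the spirit of LFD's authrelay/localrelay tracking.
Added example for this thread; not CSF, LFD or Imunify360 code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two cPanel-style Exim mainlog line shapes (assumed format for this example):
#   <ts> cwd=/path N args: /usr/sbin/sendmail ...               (precedes a local submission)
#   <ts> <msgid> <= sender ... [ip] P=esmtpa A=dovecot_login:user ...   (SMTP-authenticated)
#   <ts> <msgid> <= sender U=account P=local ...                         (local sendmail)
TS = r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
CWD_RE = re.compile(TS + r' cwd=(?P<cwd>\S+) \d+ args:')
ARRIVAL_RE = re.compile(TS + r' (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
AUTH_RE = re.compile(r'\bA=[^:\s]+:(?P<user>\S+)')
HOST_RE = re.compile(r'\[(?P<ip>[0-9a-fA-F.:]+)\]')


def parse_mainlog(text):
    """Yield (timestamp, kind, key, source_ip) for every accepted message.
    kind='authrelay' keys on the authenticated user; kind='localrelay' keys on
    the cwd of the process that called sendmail (i.e. the script's directory).
    Pairing a cwd= line with the next P=local arrival is an approximation that
    relies on Exim logging the two lines back to back."""
    last_cwd = None
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group('cwd')
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
        rest = m.group('rest')
        auth = AUTH_RE.search(rest)
        if auth:
            host = HOST_RE.search(rest)
            yield ts, 'authrelay', auth.group('user'), host.group('ip') if host else None
        elif ' P=local ' in rest:
            yield ts, 'localrelay', last_cwd or 'unknown', None
            last_cwd = None


def find_relay_abuse(text, window=timedelta(hours=1), limits=None):
    """Return {(kind, key): (peak_count, [source_ips])} for every key whose
    message count inside any window-long span exceeds limits[kind]."""
    limits = limits or {'authrelay': 100, 'localrelay': 100}  # assumed thresholds
    stamps, ips = defaultdict(list), defaultdict(set)
    for ts, kind, key, ip in parse_mainlog(text):
        stamps[(kind, key)].append(ts)
        if ip:
            ips[(kind, key)].add(ip)
    alerts = {}
    for k, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):          # sliding window, two pointers
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limits[k[0]]:
            alerts[k] = (peak, sorted(ips[k]))
    return alerts


def build_sample_log():
    """Constructed log: one normal user, one cracked mailbox, one mailer script
    dropped in an uploads directory, and one legitimate cron job."""
    t0 = datetime(2017, 3, 30, 16, 0, 0)

    def line(ts, body):
        return ts.strftime('%Y-%m-%d %H:%M:%S') + ' ' + body

    out = []
    for i in range(3):                                   # alice: 3 msgs in an hour
        out.append(line(t0 + timedelta(minutes=20 * i),
                        f'1ctt0{i}-0000A{i}-AA <= alice@example.com H=(laptop) [203.0.113.5] '
                        'P=esmtpa A=dovecot_login:alice@example.com S=2100 T="Invoice" for bob@example.org'))
    for i in range(40):                                  # mallory: 40 msgs in 10 min from 2 IPs
        ip = '198.51.100.7' if i % 2 else '198.51.100.8'
        out.append(line(t0 + timedelta(seconds=15 * i),
                        f'1cttM{i:02d}-0000B{i:02d}-BB <= mallory@example.com H=(win7) [{ip}] '
                        f'P=esmtpa A=dovecot_plain:mallory@example.com S=900 T="Your parcel" for v{i}@example.net'))
    for i in range(50):                                  # mailer script: 50 msgs in ~4 min
        ts = t0 + timedelta(seconds=5 * i)
        out.append(line(ts, 'cwd=/home/shop/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i'))
        out.append(line(ts, f'1cttS{i:02d}-0000C{i:02d}-CC <= shop@example.com U=shop P=local S=800 T="Hi" for v{i}@example.org'))
    ts = t0 + timedelta(minutes=30)                      # cron job from the same account: 1 msg
    out.append(line(ts, 'cwd=/home/shop 3 args: /usr/sbin/sendmail -t -i'))
    out.append(line(ts, '1cttCR-0000D0-DD <= shop@example.com U=shop P=local S=500 T="Backup done" for admin@example.com'))
    return '\n'.join(out)


SAMPLE_LOG = build_sample_log()

if __name__ == '__main__':
    for (kind, key), (n, srcs) in sorted(find_relay_abuse(SAMPLE_LOG, limits={'authrelay': 20, 'localrelay': 20}).items()):
        print(f'{kind}: {key} sent {n} messages within one hour' + (f' from {srcs}' if srcs else ''))
```

On a cPanel box the real input is /var/log/exim_mainlog, and the `cwd=` lines only exist when Exim's `log_selector` includes `+arguments` (cPanel's configuration does this as far as I know; check yours). Keying local submissions on the cwd rather than on the account is what points at the dropped mailer (wp-content/uploads above) instead of at the account's cron job and contact forms, which is what a CSF localrelay alert shows you. Two complementary hooks that the script does not cover: PHP's `mail.add_x_header = On` adds an `X-PHP-Originating-Script` header with the UID and script file name to every mail() call, and `exim -bpc` prints the queue size for the queue-threshold alert mentioned above.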
# 1 - Ryan Smith (30.03.2017 16:03:25)
Having outgoing spam monitoring (authrelay, localrelay, localhostrelay) with email alerts is such an important feature of CSF that I would strongly urge you to consider implementing this in Imunify.

Having to run CSF in conjunction with Imunify seems to unnecessarily complicate and devalue the product. If Imunify added outgoing spam monitoring we would be more inclined to remove CSF altogether once Imunify is stable.
# 2 - Igor Seletskiy (30.03.2017 17:03:44)
There are a lot of things that CSF does that we want to automate in the long term, and after some time we will have basic spam protection similar to CSF in Imunify360.
Yet, for now, we wanted to move forward with where we are strong together, so we added complete CSF integration for Imunify360, so you can have the best of both worlds.
# 3 - Jeppe (16.04.2017 09:04:19)
I would just like to make a vote for this, since this is also one of our regular issues.
# 4 - Eric (20.04.2017 11:04:18)
Another vote
# 5 - Steven (14.05.2017 14:05:08)
We don't use CSF, but need this as well. There are lots of possibilities for this, such as monitor/block/alert when a script is calling the PHP mail function a lot, but I think seeing how a malicious file behaves and stopping it is the best; then it won't be able to run in the first place (such as the sandboxing feature), including blocking the IPs that are trying to access such a script.
# 6 - Hector (24.05.2017 00:05:14)
I agree.

In my experience, when someone gains access, for example by penetrating WordPress, the end goal is to install backdoors, phishing pages (that look exactly like Hotmail, for example) and base64-encoded scripts that send thousands of emails per hour. That is a constant problem, as it gets the server's IP address blacklisted, and usually by the time we're notified and investigate, a lot of damage has already been done.
# 7 - Mauritz K (06.10.2017 06:10:13)
Another vote.

Running 25+ servers with Imunify360 and CSF side by side, and the only reason we have CSF is because of the tracking of SPAM mail and where it is coming from.

Hope this gets attention sooner than later.
# 8 - Morten (12.10.2017 21:10:55)
Well, something must be done. How, I'm not sure, but customers' emails are getting cracked all the time, and today there are as many cracked accounts as hacked Joomla/WordPress sites on our servers.

So I would say it's the most important thing to find a better solution than there is today.

I found some bugs with Imunify not blocking Exim attempts, so hopefully that will help when they fix it in DEFA-98.
# 9 - Nick Cook (08.01.2018 08:01:51)
Yes, I would also agree. If it was not for CSF flagging up bulk outgoing mail, we would not have stopped many a spammer who had cracked an email password. I am having to switch CSF back on, as I really need this feature.
# 10 - Alexander Z (09.01.2018 12:01:42)
Thank you for all your requests!

We are planning to implement "Outgoing spam protection" in Q4 2018.
Also, we are constantly working on hardening the Imunify360 WAF rules in order to prevent any infections and intrusions.
If your server was hacked while Imunify360 was running, please feel free to write to our technical support at https://cloudlinux.zendesk.com (Imunify360 department) so our team can help you investigate and terminate the issue.

Regards,
Alexander, Imunify360 developer
# 11 - Eric (09.01.2018 14:01:01)
You might want to look into the free Comodo WAF ruleset. They have hardened the OWASP set, and we've never had a hack using Comodo WAF and CSF CXS.
# 12 - author not shown (09.01.2018 16:01:28)
The Comodo WAF ruleset is included in the Imunify360 ruleset for the Apache web server.
# 13 - Nick Texidor (29.06.2018 03:06:57)
> Another vote.
>
> Running 25+ servers with Imunify360 and CSF side by side, and the only reason we have CSF is because of the tracking of SPAM mail and where it is coming from.
>
> Hope this gets attention sooner than later.

Do you use the CSF cluster feature? That's another reason we use CSF. If someone is hacking one of our servers, we can lock them out of all the others using Cluster. I'm not sure this is in Imunify?
# 14 - author not shown (17.07.2018 07:07:21)
> Do you use the CSF cluster feature? That's another reason we use CSF. If someone is hacking one of our servers, we can lock them out of all the others using Cluster. I'm not sure this is in Imunify?

We call it herd immunity, and it is already there in Imunify360. Security incidents from all our customers are sent to the Imunify360 network (correlation) so that attackers can be blocked before they reach your servers.
# 15 - Nick Texidor (17.07.2018 23:07:52)
> > Do you use the CSF cluster feature? That's another reason we use CSF. If someone is hacking one of our servers, we can lock them out of all the others using Cluster. I'm not sure this is in Imunify?
>
> We call it herd immunity, and it is already there in Imunify360. Security incidents from all our customers are sent to the Imunify360 network (correlation) so that attackers can be blocked before they reach your servers.

Unfortunately, as per the other topic I started, it can take nearly 30 minutes for the ban to be actioned on servers that use Imunify360, whereas the CSF Cluster servers respond almost immediately. In my email trail, I can receive tens and tens of emails for the same IP, stating a ban has been applied, yet Imunify360 doesn't seem to block the IP address. If a brute-force attack is underway and identified, I want that IP address blocked NOW, not in half an hour :)
# 16 - Rushan (18.07.2018 03:07:36)
> Unfortunately, as per the other topic I started, it can take nearly 30 minutes for the ban to be actioned on servers that use Imunify360, whereas the CSF Cluster servers respond almost immediately. In my email trail, I can receive tens and tens of emails for the same IP, stating a ban has been applied, yet Imunify360 doesn't seem to block the IP address. If a brute-force attack is underway and identified, I want that IP address blocked NOW, not in half an hour :)

Can you please clarify: does it take 30 minutes to block the IP on the attacked server, or to propagate the blocked address to other servers?
# 17 - Nick Texidor (18.07.2018 03:07:28)
> > Unfortunately, as per the other topic I started, it can take nearly 30 minutes for the ban to be actioned on servers that use Imunify360, whereas the CSF Cluster servers respond almost immediately. In my email trail, I can receive tens and tens of emails for the same IP, stating a ban has been applied, yet Imunify360 doesn't seem to block the IP address. If a brute-force attack is underway and identified, I want that IP address blocked NOW, not in half an hour :)
>
> Can you please clarify: does it take 30 minutes to block the IP on the attacked server, or to propagate the blocked address to other servers?

On the attacked server. Please see: https://www.cloudlinux.com/forum/imunify360-imunifysensor/an-issue-with-csf-lfd-and-imunify360