Whitelist IPSET Question/Issue/Inconsistencies
  1. Nick Texidor
  2. Monday, 23 July 2018
Hi,

I have been going through my LFD emails and noticed 33 emails about one IP address being blocked for ModSecurity errors. The top of the emails showed that the IP address was whitelisted:

Time: Mon Jul 23 08:35:39 2018 +1000
IP: 77.79.198.14 (PL/Poland/vdsl-77.79.198.14.atman.pl)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)


When checking CSF, it showed:

IPSET: Set:chain_ALLOW Match:77.79.198.14 Setting: File:/etc/csf/csf.allow
IPSET: Set:i360.ipv4.whitelist.static Match:77.79.198.14


The IP address was found in /var/imunify360/files/whitelist/v2/imunify360.txt, which is linked to from the csf.allow file:

# external for i360-security-analytics, i360-php-sandbox, i360-security-testing
77.79.198.14


Imunify, itself, shows 5 IP addresses in the whitelist. 2 of these have full access.

Firstly, running "ipset list" on i360.ipv4.whitelist.full_access shows only 1 of the IP addresses with full access listed.
Secondly, running "ipset list" on i360.ipv4.whitelist.static, shows THOUSANDS of entries. Yet, I only have 3 whitelisted according to Imunify.

Can you please explain what all the IP addresses are in the Imunify Whitelist IPSET, and why your IP address was accessing all the shared hosting sites on the server?

Thanks
  1. 23.07.2018 02:07:53
  2. # 1
Nick Texidor Accepted Answer
Posts: 0
Joined: 15.11.2019
> I have been going through my LFD emails and noticed 33 emails about one IP address being blocked for ModSecurity errors


Scratch that. Across all our servers, there were 175 emails about this IP address!!
  1. 24.07.2018 13:07:22
  2. # 2
Posts: 187
Joined: 31.01.2017
Hello Nick,

77.79.198.14 is the address of the Imunify360 security scanner - it is OK to leave it whitelisted.
  1. 24.07.2018 23:07:41
  2. # 3
Nick Texidor Accepted Answer
> 77.79.198.14 is the address of Imunify360 security scanner - it is Ok to leave it whitelisted.


No problem. The Atomicorp paid ModSecurity rules are continually blocking it though:

[Wed Jul 25 00:33:16 2018] [error] [client 77.79.198.14] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' 'python-requests/'] [id "332039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. "] [severity "CRITICAL"]


Can you please explain this:

> Secondly, running "ipset list" on i360.ipv4.whitelist.static, shows THOUSANDS of entries. Yet, I only have 3 whitelisted according to Imunify.

I am concerned that there are thousands of whitelisted IP addresses in the Imunify360 whitelist ipset, yet only 3 are showing in Imunify360.

Thank you :)
  1. 25.07.2018 09:07:10
  2. # 4
Posts: 187
Joined: 31.01.2017
This is a pre-defined global whitelist of IP addresses known to be "good". You can find this list here: https://files.imunify360.com/static/whitelist/v2/

In future versions of our product, we will add this list to the Imunify360 UI.
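An added example, not part of the thread and not Imunify360's own code: one way to check that every member of i360.ipv4.whitelist.static is accounted for by the vendor list files, given saved `ipset list` output and the contents of a list file such as /var/imunify360/files/whitelist/v2/imunify360.txt. The sample data is constructed, the `hash:net` set type is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ipset list i360.ipv4.whitelist.static` output (set type assumed).
SAMPLE_IPSET = """\
Name: i360.ipv4.whitelist.static
Type: hash:net
Members:
77.79.198.14
192.0.2.0/24
198.51.100.7 timeout 0
203.0.113.9
"""

# Constructed sample in the format the thread quotes from imunify360.txt.
SAMPLE_VENDOR_FILE = """\
# external for i360-security-analytics, i360-php-sandbox, i360-security-testing
77.79.198.14
192.0.2.0/24
198.51.100.0/28
"""

def parse_ipset_members(text):
    """Networks after each 'Members:' line; options such as 'timeout 0' are ignored."""
    nets, in_members = [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line ends one set's member list
        elif in_members:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def parse_list_file(text):
    """Whitelist file: skip blanks and '#' comments, one IP or CIDR per line."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def unexplained(members, known):
    """Set members not covered by any network from the known list files."""
    return [m for m in members
            if not any(m.version == k.version and m.subnet_of(k) for k in known)]

if __name__ == "__main__":
    print(unexplained(parse_ipset_members(SAMPLE_IPSET), parse_list_file(SAMPLE_VENDOR_FILE)))
```

Anything it reports is a set member that neither the vendor files nor a covering CIDR range explains, which is the entry worth investigating.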
  1. 25.07.2018 22:07:19
  2. # 5
Nick Texidor Accepted Answer
Thanks Alexandre. Good to know it's a 'good' list, and not that something is wrong :)