I have been going through my LFD emails and noticed 33 emails about one IP address being blocked for ModSecurity errors. The top of the emails showed that the IP address was whitelisted:
Time: Mon Jul 23 08:35:39 2018 +1000
IP: 126.96.36.199 (PL/Poland/vdsl-188.8.131.52.atman.pl)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)
When checking CSF, it showed:
IPSET: Set:chain_ALLOW Match:184.108.40.206 Setting: File:/etc/csf/csf.allow
IPSET: Set:i360.ipv4.whitelist.static Match:220.127.116.11
The IP address was found in /var/imunify360/files/whitelist/v2/imunify360.txt, which is linked to from the csf.allow file:
# external for i360-security-analytics, i360-php-sandbox, i360-security-testing
Imunify itself shows 5 IP addresses in the whitelist. 2 of these have full access.
Firstly, running "ipset list" on i360.ipv4.whitelist.full_access shows only 1 of the IP addresses with full access listed.
Secondly, running "ipset list" on i360.ipv4.whitelist.static shows THOUSANDS of entries. Yet I only have 3 whitelisted according to Imunify.
Can you please explain what all the IP addresses are in the Imunify Whitelist IPSET, and why your IP address was accessing all the shared hosting sites on the server?