Wordpress Reports
  1. Glenn Taylor
  2. Wednesday, 24 January 2018
I've been using IM360 for a few months and I can't tell if it's doing much.

For instance, I'm looking at the Incidents log and it shows hundreds of attempts from the same IP over hours to log in to a non-existent ftp user. How come it's not getting added to the grey list?

IM360 only seems to be detecting bad ftp logins. Hundreds of pages but it's not ftp I worry about. It's Wordpress.

We host a lot of Wordpress sites and I would have expected IM360 to show a lot of IDS activity there as well but all I see are failed ftp logins.

How about other types of IDS events?

Am I missing something?

It would be nice to see some Wordpress specific IDS management and logging and by user.

Thanks
Glenn
  1. 24.01.2018 12:01:43
  2. # 1
Vladimir Accepted Answer
Posts: 108
Joined: 04.07.2017
Hello,

In order to answer your questions, we would like to check server configuration.
Please submit a ticket to https://cloudlinux.zendesk.com, our techs will check the issue in place.
  1. 24.01.2018 16:01:20
  2. # 2
Glenn Taylor Accepted Answer
Posts: 27
Joined: 23.04.2015
I'm not looking for tech support, just some insights into IM360. IM360 is working properly but I would like to understand better what it is and isn't blocking.
  1. 24.01.2018 16:01:40
  2. # 3
Posts: 187
Joined: 31.01.2017
Glenn, thank you for your feedback

For instance, I'm looking at the Incidents log and it shows hundreds of attempts from the same IP over hours to log in to a non-existent ftp user. How come it's not getting added to the grey list?

Imunify360 has some thresholds for IP graylisting - e.g. 10 incidents per minute. Were the attempts frequent enough?

We host a lot of Wordpress sites and I would have expected IM360 to show a lot of IDS activity there as well but all I see are failed ftp logins.

Wordpress activity is actually inspected on the WAF (modsecurity) level. You can change a minimum severity level for Incidents in Settings -> General tab. Meanwhile, we are working now on a better concept of logging and monitoring tools so that we will be able to show the most relevant information in Imunify360 UI.
  1. 24.01.2018 16:01:26
  2. # 4
Glenn Taylor Accepted Answer
Posts: 27
Joined: 23.04.2015
Are you referring to "Check delay - Period in seconds between each DoS detection check" ?

It is set to 30 seconds now.
  1. 24.01.2018 16:01:32
  2. # 5
Posts: 187
Joined: 31.01.2017
Not exactly - IDS thresholds are hard-coded in Imunify360 (as of the current version)
However, the modsecurity (WAF) thresholds can be modified by altering 'MOD_SEC_BLOCK_BY_SEVERITY.severity_limit' and 'MOD_SEC_BLOCK_BY_SEVERITY.max_incident_repetition' in the Imunify360 config file: /etc/sysconfig/imunify360/imunify360.config
  1. 24.01.2018 18:01:54
  2. # 6
Tony Baird Accepted Answer
Posts: 10
Joined: 25.07.2010
Our experience has been that i360 has been effective against brute forcing for the most part until probably the past 48 hours or so. I'd estimate we're seeing approximately 10,000 different IPs attempting to brute force Wordpress installs. Unlike what we'd typically see, each IP only attempts once every few hours per site. As a result I don't think they're ever going to get blocked. It's simply too spread out between sites and servers to just assume it's malicious. I've opened a ticket about it in case anyone from the Imunify360 team was curious about what we were seeing. I unfortunately imagine it's not going to be too helpful and we'll end up creating our own solution.
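The gap discussed in posts #3 and #6, as an added example that is not part of the thread and not Imunify360's code: a per-IP rate threshold (the "10 incidents per minute" figure comes from post #3) compared with a per-site count of distinct sources over a longer window. The event data, the function names and the 50-sources-per-hour limit are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

def make_events():
    """Constructed sample: (unix_time, source_ip, site), one failed wp-login.php POST each."""
    events = [(1000 + i, "198.51.100.7", "shop.example") for i in range(12)]  # noisy single source
    for i in range(300):  # 300 sources, one attempt each, spread over three hours
        ip = f"10.0.{i // 250}.{i % 250 + 1}"
        events.append((5000 + i * 36, ip, "blog.example"))
    return sorted(events)

def per_ip_rate_hits(events, limit=10, window=60):
    """IPs with at least `limit` incidents inside any `window`-second span."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _site in events:
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:  # drop incidents older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return flagged

def distributed_sites(events, min_sources=50, window=3600):
    """Sites hit by at least `min_sources` distinct IPs inside `window` seconds.

    Returns {site: peak distinct-source count}. Thresholds are assumptions.
    """
    recent, flagged = defaultdict(deque), {}
    for ts, ip, site in events:
        q = recent[site]
        q.append((ts, ip))
        while q[0][0] <= ts - window:
            q.popleft()
        sources = len({src for _, src in q})
        if sources >= min_sources:
            flagged[site] = max(flagged.get(site, 0), sources)
    return flagged

if __name__ == "__main__":
    ev = make_events()
    print("per-IP threshold flags:", per_ip_rate_hits(ev))
    print("per-site distinct-source flags:", distributed_sites(ev))
```

The per-IP check catches only the single noisy address, while the per-site view surfaces the spread-out campaign without needing any one source to cross a rate limit.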
  1. 24.01.2018 18:01:18
  2. # 7
Glenn Taylor Accepted Answer
Posts: 27
Joined: 23.04.2015
Thanks for your reply, Tony. I think that's been my experience as well. I've been watching an ecomm site we host which has Wordfence, and intrusions and login attempts have been very minimal and way below what I would expect for an ecomm site. I chalk that up to IM360.

Out of curiosity, how do the brute force login attempts show up in IM logs?

thx
Glenn
  1. 24.01.2018 19:01:57
  2. # 8
Tony Baird Accepted Answer
Posts: 10
Joined: 25.07.2010
The brute force login attempts are all showing up in the IM logs. I should point out though we have entire pages of them now compared to previously almost none.
  1. 24.01.2018 19:01:25
  2. # 9
Glenn Taylor Accepted Answer
Posts: 27
Joined: 23.04.2015
Interesting. I haven't seen that yet and I have 50 websites so far with about 40 WP sites. Server has had IM360 for about 4 months.

I do have 588 pages at 100/page with failed ftp login attempts. I haven't seen anything else yet but I'm sure I will.
  1. 25.01.2018 11:01:02
  2. # 10
Vladimir Accepted Answer
Posts: 108
Joined: 04.07.2017
Hello Glenn,

We'd really like to check logs on this host in order to understand what's happening on it.
Could you please create a support ticket with the output of the following command (run it as root on the server):
imunify360-agent doctor

Thank you.