Comprehensive Guide to Imunify360 WAF: Setup, Configuration, and Best Practices Print

  • 0

Introduction to Imunify360 WAF

Imunify360 is a comprehensive, automated security solution designed to protect Linux web servers, particularly those using cPanel and Plesk. Imunify360 includes a powerful Web Application Firewall (WAF) that integrates with Apache and Nginx servers to defend against common web-based attacks such as SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and brute force attacks. In addition to general web protection, Imunify360 provides specialized rulesets and optimizations for CMS-specific security and WordPress account compromise prevention.


Key Features of Imunify360 WAF

  • Real-Time Protection: Continuous monitoring of traffic to block malicious requests.
  • CMS-Specific WAF Rules: Predefined rules for popular CMS platforms like WordPress, Joomla, and Drupal to prevent CMS-specific vulnerabilities.
  • Minimized ModSecurity Ruleset: Lightweight, optimized ruleset to enhance performance without compromising security.
  • WordPress Account Compromise Prevention: Additional rules and features to protect WordPress login and admin areas from brute force attacks and unauthorized access.
  • Integrated with Apache and Nginx: Provides seamless protection for popular web servers.
  • AI-Powered Threat Detection: Detects and mitigates zero-day attacks.
  • Automatic Rule Updates: Ensures continuous protection from emerging threats.
  • Malware Scanning: Integrated detection and removal of malware.
  • Brute Force Protection: Guards against brute force attacks on login pages.

Step-by-Step Guide to Installing Imunify360 WAF

Step 1: Server Requirements

Before installing Imunify360 WAF, ensure your server meets the following requirements:

  • Operating System: CentOS 7/8, CloudLinux 7/8, RHEL 7/8, or Ubuntu 16.04/18.04/20.04.
  • Web Servers: Apache, Nginx, or LiteSpeed.
  • Control Panels: cPanel, Plesk, or DirectAdmin.
  • Root access to the server.

Step 2: Installing Imunify360

To install Imunify360 on your server, follow these steps:

  1. Log in as Root: Log into your server as the root user using SSH.

  2. Download and Install the Imunify360 Script: Run the following command to download and install Imunify360:

    wget https://repo.imunify360.cloudlinux.com/defence360/imunify-force-installer.sh
    bash imunify-force-installer.sh
  3. Activate Imunify360: Once the installation is complete, you will need to activate the software using a license key. You can obtain a key from your Imunify360 account. Run the following command to activate:

    imunify360-agent register KEY

    Replace KEY with your actual license key.

  4. Verify Installation: After the installation, verify that Imunify360 is installed and running by checking the status:

     
    systemctl status imunify360

    You should see a message indicating that Imunify360 is active and running.

Step 3: Integrating Imunify360 WAF with cPanel

  1. Log in to cPanel:
    After installing Imunify360, log in to your WHM/cPanel interface as the root user.

  2. Access Imunify360 Dashboard:
    Navigate to the Security Center and click on the Imunify360 icon. This will open the Imunify360 dashboard.

  3. Enable the WAF:
    In the Imunify360 dashboard, navigate to the Firewall section and enable the Web Application Firewall (WAF). You will see an option to toggle WAF protection for your websites.

  4. Select Apache/Nginx:
    In the WAF settings, ensure that the Apache or Nginx WAF is enabled based on your web server configuration.

 


Configuring Imunify360 WAF

Step 1: CMS-Specific WAF Rules

Imunify360 includes predefined CMS-specific WAF rules for popular platforms like WordPress, Joomla, and Drupal. These rules target vulnerabilities that are unique to each CMS, providing targeted protection.

  1. Access CMS-Specific Rules:

    • In the Imunify360 dashboard, navigate to the WAF Configuration section.
    • Enable CMS-specific rules for your installed CMS. For instance, if you're hosting a WordPress site, ensure that WordPress-specific rules are active.
  2. Common CMS Vulnerabilities Covered:

    • WordPress: Prevents attacks such as plugin vulnerabilities, theme file injection, and XML-RPC abuse.
    • Joomla: Guards against file inclusion, SQL Injection, and administrator URL abuse.
    • Drupal: Protects against remote code execution, arbitrary file uploads, and SQL injection.
  3. Customizing CMS-Specific Rules:

    • You can customize these rules if necessary. For instance, you may want to strengthen protections on specific paths (e.g., /wp-login.php or /administrator).
    • Custom rules can be created in the Custom Rules section if specific vulnerabilities need to be addressed.

Step 2: Minimized ModSecurity Ruleset

Imunify360 offers a Minimized ModSecurity Ruleset, which provides essential protection while maintaining high performance, especially for servers with limited resources. This optimized ruleset ensures that the most critical threats are blocked without imposing a heavy load on the server.

  1. Enable Minimized ModSec Ruleset:

    • In the ModSecurity section of the WAF dashboard, toggle the option to use the Minimized Ruleset. This will apply a leaner version of the standard ModSecurity rules.
  2. Why Use a Minimized Ruleset:

    • Performance: Reduces the load on your server by processing fewer rules, ensuring faster request handling.
    • Essential Protection: The minimized ruleset focuses on OWASP Top 10 vulnerabilities, providing essential security while avoiding unnecessary rule checks.
  3. Customizing the Minimized Ruleset:

    • You can selectively add back rules that you believe are critical for your environment. This allows for a balance between performance and security coverage.
    • Use the Add Rule option to input additional ModSec rules as needed.

Step 3: WordPress Account Compromise Prevention

WordPress is one of the most widely targeted CMS platforms, making it essential to deploy extra measures to protect admin areas and user accounts from compromise. Imunify360 offers a range of tools to help secure WordPress login pages and prevent account takeover.

  1. Enable WordPress-Specific Security:

    • In the Login Protection section, ensure that brute force protection is enabled for WordPress.
    • This will automatically detect multiple failed login attempts on wp-login.php and block IP addresses that show suspicious behavior.
  2. Two-Factor Authentication (2FA):

    • While Imunify360 doesn’t natively provide 2FA, it is recommended that you enable 2FA through a WordPress plugin like Google Authenticator. Imunify360's brute force protection will complement this by preventing unauthorized login attempts before they even reach the 2FA stage.
  3. Monitor Login Attempts:

    • In the Logs section, review login attempts to track potential unauthorized access attempts.
    • Set alerts for multiple failed logins from the same IP to detect brute force attempts early.
  4. Harden wp-admin Directory:

    • Add extra protection to the wp-admin directory by configuring custom WAF rules. You can limit access to the wp-admin area by IP address or use password protection for the entire directory.
  5. Additional Account Compromise Prevention Tips:

    • Regularly update WordPress plugins and themes to avoid vulnerabilities that could lead to account compromise.
    • Ensure admin usernames are unique and not easily guessable (e.g., avoid using "admin").
    • Monitor for signs of compromise, such as new unknown users or changes to user roles.

Monitoring and Managing Imunify360 WAF

Step 1: Monitoring Traffic and Threats

  1. Real-Time Monitoring:
    In the Imunify360 dashboard, go to the Traffic section to monitor incoming requests. You can view the total number of blocked attacks, as well as detailed logs of each malicious request.

  2. Review Blocked Requests:
    Review any requests that were blocked by the WAF. You can use the filtering options to search by IP address, URL, or threat type.

Step 2: Whitelisting and Blacklisting IPs

  1. Whitelist Trusted IPs:
    If you want to allow specific IP addresses to bypass the WAF, navigate to the Whitelist section and add the trusted IPs.

  2. Blacklist Suspicious IPs:
    For persistent attackers or suspicious traffic, you can manually blacklist IP addresses in the Blacklist section. This will block all traffic from those IPs.

Step 3: Analyzing WAF Logs

  1. Access Logs:
    Imunify360 logs all WAF activity, including blocked requests, detected threats, and traffic patterns. In the Logs section, you can view these events in real-time.

  2. Analyze Patterns:
    Use these logs to analyze attack patterns and optimize your WAF rules. If certain types of attacks are frequent, consider updating your custom rules to preemptively block them.


Best Practices for Optimizing Imunify360 WAF

  1. CMS-Specific Hardening:

    • Use Imunify360’s specialized rulesets to ensure tailored protection for popular CMS platforms.
    • Regularly review and update CMS-specific rules to keep up with new vulnerabilities.
  2. Leverage the Minimized Ruleset:

    • Use the Minimized ModSec Ruleset for servers with resource constraints, adding custom rules only when necessary to enhance security.
  3. WordPress Security Best Practices:

    • Harden WordPress admin areas with additional rules and monitoring to prevent account compromise.
    • Enable brute force protection, review login logs, and use custom rules to restrict access to wp-login.php and wp-admin.
  4. Regularly Review WAF Logs:

    • Monitor WAF logs for new types of threats, especially targeted attacks on CMS platforms like WordPress or Joomla.

Modifying or Editing WAF Rules in Imunify360

Imunify360 allows users to modify existing WAF rules or add custom rules to fine-tune security according to specific needs. Here’s how you can manage these rules:

Step 1: Accessing the WAF Rules

  1. Log in to cPanel/WHM:
    Go to your Imunify360 dashboard within cPanel or WHM.

  2. Navigate to the WAF Rules Section:
    Under the Security tab, click on the Web Application Firewall (WAF) section. Here you’ll find a list of all active rules.

Step 2: Modifying Existing Rules

  1. Locate the Rule to Modify:
    Search for the rule that you want to modify using the rule ID or by filtering based on the vulnerability type (e.g., SQL Injection, XSS).

  2. Edit the Rule:

    • Click on the rule and review its details.
    • You can adjust the conditions or actions taken by the rule (e.g., block, drop, or allow traffic).

    Example: You can change a rule to allow certain traffic types that were previously blocked by altering the SecRuleAction parameter in ModSecurity.

Step 3: Adding Custom Rules

  1. Create a New Rule:
    In the Custom Rules section, click on Add Rule.

  2. Define the Rule:
    Write your custom rule using the ModSecurity syntax. For example, to block a specific IP address from accessing the site:

    SecRule REMOTE_ADDR "^123\.45\.67\.89$" "id:200001,drop,log"
     
  3. Save and Apply:
    Once the rule is created, save it and ensure that it is applied across all relevant domains or directories.

Step 4: Managing Rule Priorities

If multiple rules apply to the same traffic, you can set priorities. Rules with higher priority (lower ID numbers) are evaluated first. To change the priority:

  • Edit the rule ID to ensure higher priority rules are executed before others. You can also create exceptions based on IP addresses, specific URLs, or user agents.

Handling False Positives in Imunify360

Occasionally, legitimate traffic may be blocked due to WAF rules, known as false positives. Here’s how you can identify false positives and disable or fine-tune rules to prevent them from affecting user experience.

Step 1: Identifying False Positives

  1. Review WAF Logs:
    Navigate to the Logs section in the Imunify360 dashboard to review all blocked traffic.

  2. Filter by Rule ID or IP:
    Use the filter options to search for specific Rule IDs, IP addresses, or URLs that have been blocked. Look for requests that appear legitimate but were blocked by the WAF.

  3. Analyze the Request:
    Review the details of the blocked request to determine if it was a false positive. Check the request headers, URL, and rule action to verify if the traffic should have been allowed.

Step 2: Disabling Specific Rules

  1. Disable the Rule:
    Once you have identified a false positive, locate the corresponding Rule ID in the WAF settings. To temporarily disable the rule:

    SecRuleRemoveById 981176
     

    Replace 981176 with the Rule ID you want to disable. This will prevent the rule from blocking further traffic.

  2. Whitelist IP Addresses:
    If you determine that a specific IP address is frequently affected by false positives, you can whitelist it:

    • Go to the Whitelist section in the Imunify360 dashboard.
    • Add the IP address to the list to ensure it bypasses WAF rules.

    Example: SecRule REMOTE_ADDR "^123\.45\.67\.89$" "id:200002,allow,log"

  3.  
  4. Modify the Rule (Instead of Disabling):
    Instead of fully disabling the rule, you can modify it to narrow its scope. For instance, you can add exceptions based on URLs or parameters to avoid blocking legitimate requests while still maintaining security.

Step 3: Testing and Re-enabling Rules

  1. Test the Changes:
    After modifying or disabling a rule, test the website functionality by simulating legitimate traffic. Ensure that the change resolves the false positive without introducing security vulnerabilities.

  2. Re-enable Rules if Necessary:
    If you disable a rule temporarily, review its performance over time. If it was essential for blocking attacks, consider re-enabling it after tweaking or fine-tuning it to avoid further false positives.

Modifying Request Body Size (Content-Length) in Imunify360 WAF

The Request Body Size (Content-Length) setting in ModSecurity (used by Imunify360 WAF) controls the maximum allowed size of an HTTP request body. Adjusting this limit can help accommodate large file uploads or prevent attacks that exploit oversized requests.

Here’s how to modify this setting and explore all available options:

Step 1: Accessing ModSecurity Configuration

  1. Log in to cPanel/WHM:
    Access your WHM or cPanel and navigate to the Imunify360 dashboard.

  2. Locate the ModSecurity Configuration:
    In the WAF Settings section of the Imunify360 dashboard, find the ModSecurity Configuration file where you can edit rule parameters.

Step 2: Modify Request Body Size

To adjust the Request Body Size, you need to modify the SecRequestBodyLimit directive in the ModSecurity configuration file.

  1. Open ModSecurity Configuration:
    Open the main ModSecurity configuration file, which is usually located at:

/etc/modsecurity/modsecurity.conf

Edit the Request Body Limit:
Look for the following line in the configuration file:

SecRequestBodyLimit 13107200

 

  • Default Value: 13107200 represents a limit of 13 MB for the request body.

  • Adjusting the Value: You can increase or decrease the value based on your requirements. For example:

  • Increase Request Body Size:

    SecRequestBodyLimit 52428800

    This sets the request body limit to 50 MB.

  • Decrease Request Body Size:
    SecRequestBodyLimit 1048576​

This sets the request body limit to 1 MB.

Step 3: Modify Request Body In-Memory Limit

The in-memory limit controls how much of the request body will be stored in memory, as opposed to disk storage.

  1. Locate the In-Memory Limit Directive:

    SecRequestBodyInMemoryLimit 131072

 

  • Default Value: 131072 means 128 KB of the request body is stored in memory.
  • Adjusting the Value: Increase or decrease this limit based on the available memory on your server.

Example:

  • Increase In-Memory Limit
    SecRequestBodyInMemoryLimit 262144

    This sets the in-memory limit to 256 KB.

Step 4: Modify Response Body Limit

Similarly, you can control the Response Body Limit to ensure that large responses are handled appropriately.

  1. Edit the Response Body Limit Directive:

    SecResponseBodyLimit 5242880

 

  • Default Value: 5242880 sets the response body limit to 5 MB.

  • Increase the Limit if your application frequently generates large responses, such as downloadable content or large data exports:

    SecResponseBodyLimit 10485760

 

This increases the response body limit to 10 MB.

  • Disable Response Body Limit: If you want to disable the limit altogether, you can use the following configuration:

    SecResponseBodyLimitAction ProcessPartial
    
    
    This setting ensures that larger responses are processed, but only up to the specified limit.

 

 

Step 5: Apply Changes and Restart Services

  1. Save the Configuration:
    After making the necessary changes to the ModSecurity configuration file, save the file.

  2. Restart the Web Server:
    To apply the new settings, restart the web server (Apache or Nginx) using the following commands:

    For Apache:

    systemctl restart httpd
    

For Nginx:

systemctl restart nginx

Verify Changes:
After restarting the web server, verify that the new limits are in effect by checking the WAF logs for any request size-related warnings or errors.

Common Use Cases for Adjusting Request Body Size

  • Large File Uploads:
    If your web application allows users to upload files (e.g., images, PDFs, or videos), you may need to increase the Request Body Size to accommodate larger file uploads.

  • Security Tightening:
    If you want to prevent attacks involving oversized requests (e.g., Denial of Service attacks that use very large payloads to overwhelm the server), reducing the Request Body Size can provide an additional layer of protection.

  • Performance Optimization:
    Adjusting the In-Memory Limit helps improve performance by preventing large request bodies from being entirely loaded into memory, which can slow down the server.


Best Practices for Request Body Size Management

  1. Balance Security and Performance:
    Ensure the Request Body Size is large enough to handle legitimate requests, such as file uploads or data submissions, but not so large that it allows attackers to exploit oversized requests.

  2. Monitor Logs Regularly:
    Regularly review WAF logs for any requests blocked due to Content-Length limits. This will help you identify whether the limits need further adjustment.

  3. Optimize Memory Usage:
    By adjusting the In-Memory Limit, you can improve server performance while still allowing larger request bodies to be processed and logged appropriately.

  4. Apply Limits Specific to Application Needs:
    If you host multiple applications, you can adjust the Request Body Size for specific domains or paths within the web server configuration to ensure that each application is optimally protected.

Conclusion

Imunify360 WAF provides a powerful, customizable solution to secure your web applications against modern threats. With its CMS-specific rules, optimized ModSecurity ruleset, and WordPress account compromise prevention features, it offers comprehensive protection for all types of web servers. By following the steps in this guide, you can install, configure, and optimize Imunify360 WAF to safeguard your server and web applications.


Was this answer helpful?

« Back