Beta: Imunify360 Firewall Module v7.8
We are glad to announce a new feature in the latest Imunify360 release that enhances your server security by introducing an improved DENY mode for the firewall. The feature lets you selectively whitelist specific IP addresses or subnets for access to designated ports, giving you granular control over your server's security settings.
Key points
Recognized as the first of OWASP's top ten security risks, broken access control poses a significant threat to web applications. To fortify your server against this vulnerability, it is crucial to follow industry best practices, and one key principle is the "deny by default" approach. Imunify360 now introduces the “IP:port” whitelisting feature for DENY mode. It empowers users to precisely control IPs’ access to specific ports of hosting panels, email services, or administrative applications.
How to set up the feature
The feature requires “deny” mode to be switched on, which can be done via the Imunify360 UI or with the “port_blocking_mode” parameter in the configuration file.
The whitelisting configurations for the new feature are managed through a special file in the ‘imunify360/whitelist/ports’ directory.
In this file, you can specify the port, protocol (optional), and the desired IP addresses or subnets in the following format:
<port>:[<protocol>: TCP|UDP|ALL]:<IP|NET>...
The protocol parameter can be omitted, in which case the default value "ALL" is applied.
You can specify one or more addresses or subnets separated by commas.
For example, the line “2083:TCP:203.0.113.1” would allow IP address 203.0.113.1 to access the standard cPanel port 2083 over TCP.
Please note that several IPs or subnets can be listed, separated by commas. Currently, this setting accepts the "IPv4" format only.
The configuration file supports the optional inclusion of the protocol, providing flexibility in defining access rules. You can specify TCP or UDP protocol for added granularity or omit it if not needed.
After you edit the file, the settings are updated automatically within 30 minutes. If necessary, you can speed this up by turning the deny mode parameter off and on again.
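A pre-deployment check for whitelist lines in the format described above, as an added example (not Imunify360's own code). It assumes that a line with the protocol omitted has the two-field form `<port>:<IP|NET>`, that protocol names are case-insensitive, and that a local policy wants a warning for any subnet wider than /16; the names `parse_rule`, `lint` and `MIN_PREFIX` are hypothetical.

```python
import ipaddress

VALID_PROTOCOLS = {"TCP", "UDP", "ALL"}
MIN_PREFIX = 16  # assumed local policy: warn on anything wider than /16
# Constructed sample content (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE = """\
2083:TCP:203.0.113.1
22:198.51.100.0/24,203.0.113.7
53:UDP:0.0.0.0/0
2087:TCP:2001:db8::1
8443:TCP:203.0.113.5/24
"""

def parse_rule(line):
    """Parse '<port>:[<protocol>:]<IP|NET>[,...]' -> (port, proto, nets, warnings)."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) == 2:
        fields.insert(1, "ALL")  # protocol omitted: the page's default is ALL
    if len(fields) != 3:  # also rejects IPv6, whose colons add extra fields
        raise ValueError(f"expected <port>:[<protocol>:]<addresses>, got {line!r}")
    # Assumption: protocol names are matched case-insensitively.
    port_s, proto, addrs = fields[0], fields[1].upper(), fields[2]
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port {port_s!r}")
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"bad protocol {proto!r}")
    nets, warnings = [], []
    for item in addrs.split(","):
        try:  # strict=True rejects a subnet written with host bits set
            net = ipaddress.IPv4Network(item.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"bad IPv4 address or subnet {item!r}: {exc}") from None
        if net.prefixlen < MIN_PREFIX:
            warnings.append(f"{net} is wider than /{MIN_PREFIX}")
        nets.append(net)
    return int(port_s), proto, nets, warnings

def lint(text):
    """Check whole-file text; return (rules, problems), skipping blank lines."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                port, proto, nets, warns = parse_rule(line)
            except ValueError as exc:
                problems.append((n, "error", str(exc)))
            else:
                rules.append((port, proto, nets))
                problems += [(n, "warning", w) for w in warns]
    return rules, problems
```

Calling `lint(SAMPLE)` accepts the first three lines, warns that `0.0.0.0/0` on line 3 opens the port to every address, and reports the IPv6 entry and the subnet with host bits set as errors.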
How to check it works
You can check the whitelist settings using the following ipset CLI commands:
ipset list i360.ipv4.ports-ips-tcp
ipset list i360.ipv4.ports-ips-udp
The results of executing these commands contain the names of the ipsets, the number of entries in them, and a list of networks/addresses with ports that were added there.
Changelog
Please see the detailed description of the product changes we made in version 7.8 through our publicly available changelog for Imunify360.
How to install or update
To install the new Imunify360 v.7.8, follow the instructions in the documentation.
To upgrade to the new version, follow the instructions in the documentation.
Stay in touch
We encourage you to provide feedback to our product team regarding the new features.
Share your ideas and feature requests through feedback@imunify360.com or via our feedback form.
If you encounter any issues with this release, please send a comment or request to our Imunify support team via the Support Portal.