Configuring brute force protection in Imunify360
Brute-force attacks are the most widely used cyber-attacks, and the right protection method depends on the target of the attack. There are two main types of brute-force attacks:
- Service level brute-force, targeting ssh, ftp, smtp services and others.
- Web application level brute-force, e.g. attacks against WordPress, Magento, and similar CMSes and web-scripts.
Imunify360 has several mechanisms for defending your system against brute-force attacks, and the right protection strategy depends on real-world factors. This article highlights the most common brute-force attack scenarios and then explains how Imunify360 protects your system at each level, based on your specific business needs.
Table of Contents
- Imunify360: Service-level protection
- Imunify360: Web-application protection
- Use cases
- Useful CLI Commands
Imunify360: Service-level protection
Imunify360 employs “out-of-the-box” protection for these services:
The protection logic for these services is configurable and works as “layered protection”: Greylisting, OSSEC Active Response, and the Imunify PAM extension. See the table below for more details.
The table shows the variety of Imunify360 protection services and how they block attackers. We deliver Imunify360 with a default configuration that is effective for the majority of hosting setups. Nevertheless, you can customize it according to your traffic and hosting configuration. In the table below, we provide details about the protection layers and how they work.
PAM is the most flexible tool of the three. Also, attackers can’t pinpoint the moment when they have been blocked by PAM. All in all, it is the most secure solution that we provide. But it has drawbacks, and in some cases the better option is to rely on Active Response. Let’s review the cases:
- PAM has limited support. It is fully functional only on CloudLinux and CentOS. Integration with Dovecot and FTP is implemented only on cPanel. PAM also has no implementation for Exim (SMTP server).
- PAM does not prevent excessive traffic and high CPU utilization. Since attackers can’t distinguish if they are in a blocked or not-blocked state, they may proceed with the brute-force attacks indefinitely.
If one of these limitations is a deal-breaker, consider disabling PAM and enabling Active Response.
On the other hand, Active Response also has its own drawbacks. Let’s review them as well:
- Custom port configuration is currently not supported. Imunify v5.7 will support non-standard ports set on the server, e.g. 2222 instead of 22.
- Active Response has no progressive ban. The attacker will be banned for 10 minutes maximum and can repeat attacks after the timeout, whereas other protection layers can block an attacker progressively (5, 10, 60 minutes, etc.) if attacks do not stop.
If one of these limitations is also a deal-breaker, consider disabling both PAM and Active Response and relying solely on Greylisting logic. The biggest issue with greylisting is a considerable false-positive rate. It might block attackers and legitimate users residing behind the same NAT.
We configured default settings that are fine for most customers. However, Imunify360 lets users build their own setup around their business priorities, e.g., minimizing the false-positive rate, conserving resources, or maximizing security. In most cases, you can balance between these three layers of brute-force protection and adjust settings dynamically depending on the real-time situation.
Imunify360: Web-application protection
The following is the list of web applications for which Imunify360 provides fully-automated anti-brute-force protection:
- WordPress
- Magento
- Drupal
- Joomla
- OpenCart
- Prestashop
- WHMCS
The situation with web applications is a bit different from that with services. The way Imunify360 protects web applications is predefined; it is not designed to be altered by the customer, and altering it is not recommended.
Use cases
Let’s review a few real-world examples and consider recommended configurations for each of them:
Useful CLI commands
Disable PAM for Exim and Dovecot:
imunify360-agent config update '{"PAM": {"exim_dovecot_protection": false}}'
Enable PAM for FTP:
imunify360-agent config update '{"PAM": {"ftp_protection": true}}'
Enable Active Response:
imunify360-agent config update '{"OSSEC": {"active_response": true}}'
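The fallback order described above (PAM first, then Active Response, then Greylisting only) can be written as a small helper that prints the matching commands for a given host. This is an added example, not Imunify360's own tooling: the function names `emit` and `choose_layers`, their arguments and the sample hosts are hypothetical, and the mapping is one reading of the trade-offs in this article, using only the three config keys shown on this page.

```shell
#!/bin/sh
# Added example, not Imunify360's own tooling. It prints (never runs) the
# config commands for the fallback order described in the article:
# PAM -> Active Response -> Greylisting only.
# choose_layers and its arguments are hypothetical; only the three config
# keys shown on this page are used.

emit() {  # emit <section> <key> <true|false>
    printf "imunify360-agent config update '{\"%s\": {\"%s\": %s}}'\n" "$1" "$2" "$3"
}

# choose_layers <os_id> <panel> <custom_ports: yes|no>
#   os_id: ID= value from /etc/os-release; panel: cpanel or anything else
choose_layers() {
    os_id=$1; panel=$2; custom_ports=$3
    pam=false
    case "$os_id" in
        cloudlinux|centos)
            # PAM is fully functional on these systems, but the Dovecot and
            # FTP integration exists only on cPanel.
            if [ "$panel" = cpanel ]; then pam=true; fi ;;
    esac

    emit PAM exim_dovecot_protection "$pam"
    emit PAM ftp_protection "$pam"
    if [ "$pam" = true ]; then
        return 0   # PAM covers mail/FTP; the Active Response setting is left as is
    fi

    if [ "$custom_ports" = no ]; then
        emit OSSEC active_response true
    else
        # Active Response does not support custom ports: Greylisting only.
        emit OSSEC active_response false
        echo "# remaining layer: Greylisting (expect more false positives behind NAT)"
    fi
}

# Constructed sample hosts
choose_layers cloudlinux cpanel no
choose_layers ubuntu plesk yes
```

Review the printed commands before running them; the helper only covers the OS, panel and custom-port conditions and does not weigh the CPU-load or progressive-ban trade-offs.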
Please feel free to contact support via Zendesk if you need consultation on how to properly configure your server protection or in case of any additional questions.