Integration of Imunify 360 WAF with ispmanager 6
Preparing ispmanager 6 panel
Integration is performed only when the LiteSpeed web server is used.
In the ispmanager 6 panel, in the Software configuration section for the web server, install the WAF component.
Next, create a panel user named imunifyui. For this user, create a website where the Imunify360 web interface will be accessible, for example, imunify360.example.com. Delete all files from the website's home directory and create a directory named im360.
Installing and configuring Imunify360
To install Imunify360, download files from the official CloudLinux repository.
Connect to the server via SSH and make sure the nc utility is installed.
Next, create the /etc/sysconfig/imunify360/generic/ directory on the server. Upload the get-panel-info.sh script to the /etc/sysconfig/imunify360 directory.
Make the downloaded script executable:
chmod +x /etc/sysconfig/imunify360/get-panel-info.sh
If the server is behind NAT, change the local host variable to the server's local IP address.
Test the get-panel-info.sh script:
bash /etc/sysconfig/imunify360/get-panel-info.sh
Create the Python script in the /etc/sysconfig/imunify360/ispmanager_integration.py file with the following code:
#!/usr/bin/env python3
"""
Imunify integration script for ISPManager.

Collects users and domains with mgrctl and
prints data appropriate to be consumed by imunify on stdout.

integration.conf example:

    [integration_scripts]
    ...
    users = /etc/sysconfig/imunify360/ispmanager_integration.py users
    domains = /etc/sysconfig/imunify360/ispmanager_integration.py domains
    ...

Return codes:
    0 - ok
    1 - runtime error (e.g. mgrctl is missing, or can't parse its output, ...),
        see more in metadata['result'] and metadata['message']
    2 - script usage error (e.g. wrong args)
"""
from subprocess import check_output
import argparse
import json
import pwd
import re
import sys


def get_ispmgr_data(section):
    """Run mgrctl for the given section and parse each output line into a dict."""
    assert section in ('user', 'webdomain')
    ispmgr_output = check_output([
        '/usr/local/mgr5/sbin/mgrctl',
        '-m',
        'ispmgr',
        section,
    ]).decode().split('\n')
    # Each non-empty line is a series of whitespace-separated key=value pairs.
    return [
        dict(re.findall(r'(\w+)=(\S*)', line))
        for line in ispmgr_output
        if len(line) > 0
    ]


def get_domains():
    """Map each web domain to its document root and owner."""
    domains = {}
    data = get_ispmgr_data('webdomain')
    for entry in data:
        domain = entry['name']
        domain_info = {
            'document_root': entry['docroot'],
            'owner': entry['owner'],
        }
        domains[domain] = domain_info
    return domains


def get_users():
    """List panel users together with their system UIDs."""
    users = []
    data = get_ispmgr_data('user')
    for entry in data:
        username = entry['name']
        users.append({
            'id': pwd.getpwnam(username).pw_uid,
            'username': username,
        })
    return users


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument(
        dest='cmd', choices=(
            'users',
            'domains'
        )
    )
    # argparse exits with code 2 on wrong arguments.
    args = parser.parse_args()
    result = {
        'data': {},
        'metadata': {
            'result': 'ok'
        }
    }
    retval = 0
    try:
        if args.cmd == 'domains':
            cmd_result = get_domains()
        elif args.cmd == 'users':
            cmd_result = get_users()
    except Exception as e:
        # Report the failure in the metadata instead of a traceback.
        result['metadata']['result'] = e.__class__.__name__
        result['metadata']['message'] = str(e)
        retval = 1
    else:
        result['data'] = cmd_result
    finally:
        # Always print a JSON document, on success and on failure.
        print(json.dumps(result))
    return retval


if __name__ == "__main__":
    sys.exit(main())
Make it executable:
chmod +x /etc/sysconfig/imunify360/ispmanager_integration.py
Then check that the script works:
python3 /etc/sysconfig/imunify360/ispmanager_integration.py users
python3 /etc/sysconfig/imunify360/ispmanager_integration.py domains
Next, create the integration configuration file, integration.conf, with the following code:
#This is integration.conf example that requires adjustments, otherwise IM360 may not work.
#Values are given purely as an example and may not represent your environment.
#The path to the WEB server directory for Imunify360 files
[paths]
ui_path = /var/www/imunifyui/data/www/imunify360.example.com/im360
ui_path_owner = imunifyui:imunifyui
#which PAM service Imunify360 should use
[pam]
service_name = system-auth
#Malware Scanner base directory and patterns
[malware]
basedir = /var/www/
pattern_to_watch = ^/var/www/(vhosts|html)(/.*)?$
#basedir = /home
#pattern_to_watch = ^/home/.+?/(public_html|public_ftp|private_html)(/.*)?$
#WEB server type and commands
[web_server]
#server type apache/nginx/litespeed
server_type = apache
graceful_restart_script = /usr/bin/systemctl restart lsws
config_test_script = /usr/sbin/apachectl -t
#path to ModSecurity audit logs
modsec_audit_log = /var/log/httpd/modsec_audit.log
modsec_audit_logdir = /var/log/modsec_audit
#Limiting users and provide context for IM360 mechanisms
[integration_scripts]
admins = /etc/sysconfig/imunify360/get-admins-script.sh
users = /etc/sysconfig/imunify360/ispmanager_integration.py users
domains = /etc/sysconfig/imunify360/ispmanager_integration.py domains
#Domain-specific ModSecurity configuration (to disable rules using CLI)
#modsec_domain_config_script = /path/to/inject/domain/specific/config/script.sh
For the ui_path variable, specify the path to your website's home directory with the imunify360 subdomain.
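The sample integration.conf warns that its values need adjusting; one thing worth verifying is that the [malware] settings cover the document roots ispmanager actually reports. The check below is an added example, not part of the original instructions or of Imunify360: it takes the configuration text and the JSON printed by ispmanager_integration.py domains and lists document roots that lie outside basedir or are not matched by pattern_to_watch. The sample data is constructed (shop.example.com and the user alice are hypothetical), and the code assumes pattern_to_watch is a regular expression applied to full directory paths.

```python
import configparser
import json
import re

# Constructed excerpt of the [malware] section shown above.
SAMPLE_CONF = """
[malware]
basedir = /var/www/
pattern_to_watch = ^/var/www/(vhosts|html)(/.*)?$
"""

# Constructed output in the shape ispmanager_integration.py prints for "domains".
SAMPLE_DOMAINS = json.dumps({
    "data": {
        "imunify360.example.com": {
            "document_root": "/var/www/imunifyui/data/www/imunify360.example.com",
            "owner": "imunifyui"},
        "shop.example.com": {
            "document_root": "/var/www/html/shop", "owner": "alice"},
    },
    "metadata": {"result": "ok"},
})


def uncovered_docroots(conf_text, domains_json):
    """Return {domain: reason} for docroots the [malware] settings would miss."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    basedir = conf["malware"]["basedir"].rstrip("/") + "/"
    # Assumption: pattern_to_watch is a regex tested against full directory paths.
    pattern = re.compile(conf["malware"]["pattern_to_watch"])

    report = json.loads(domains_json)
    if report["metadata"]["result"] != "ok":
        raise ValueError(f"domains script failed: {report['metadata']}")

    problems = {}
    for domain, info in sorted(report["data"].items()):
        docroot = info["document_root"].rstrip("/")
        if not (docroot + "/").startswith(basedir):
            problems[domain] = "outside basedir"
        elif not pattern.match(docroot):
            problems[domain] = "not matched by pattern_to_watch"
    return problems


if __name__ == "__main__":
    for name, why in uncovered_docroots(SAMPLE_CONF, SAMPLE_DOMAINS).items():
        print(name, "->", why)
```

With the sample values, the imunify360.example.com document root under /var/www/imunifyui/data/www is reported, because the example pattern only covers /var/www/vhosts and /var/www/html.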
Move the configuration file to the Imunify360 directory:
mv integration.conf /etc/sysconfig/imunify360/
Create a file for ModSecurity:
touch /etc/sysconfig/imunify360/generic/modsec.conf
In the main Apache configuration file at /etc/apache2/apache2.conf (/etc/httpd/conf/httpd.conf for RHEL-based systems), specify the path to this file:
IncludeOptional /etc/sysconfig/imunify360/generic/modsec.conf
Download and run the installation script:
wget https://repo.imunify360.cloudlinux.com/defence360/i360deploy.sh
bash i360deploy.sh --key %LICENSE_KEY%
If the server is running a Debian-based system, make additional changes to some files to enable the WAF.
First, rename the modsecurity.conf-recommended file:
mv /etc/modsecurity/modsecurity.conf{-recommended,}
Next, in the file /etc/modsecurity/modsecurity.conf, change the SecRuleEngine parameter to On. Then, in the file /etc/apache2/mods-enabled/security2.conf, uncomment the IncludeOptional /etc/modsecurity/*.conf line.
After making the changes, restart the lsws service:
service lsws restart
Check whether the WAF works correctly with the following command:
curl 'http://example.com/?q="><script>alert(123)</script>'
The Imunify360 dashboard will be accessible at https://imunify360.example.com/im360/ for the root user.

Disabling basic WAF rules
If you want to use only Imunify360 rules, make changes to your Apache configuration.
For Debian-based systems, in the file /etc/apache2/mods-enabled/security2.conf, comment out the line IncludeOptional /etc/modsecurity/*.conf and, on the next line, add the line SecRuleEngine On after the SecDataDir parameter.
For RHEL-based systems, in the file /etc/httpd/conf.d/mod_security.conf, comment out the following lines:
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/local_rules/*.conf
After making the changes, restart the web server:
service lsws restart