header_btn_reg_now
€ EUR
€ EUR $ USD
Setup, Configuration, and Best Practices for Imunify360 WAF
  • Monday, 8th September, 2025
  • 15:12pm

Imunify360 is a comprehensive, automated security solution designed to protect Linux web servers, particularly those utilizing cPanel and Plesk. It incorporates a powerful Web Application Firewall (WAF) that seamlessly integrates with Apache and Nginx servers. This integration enables it to effectively defend against a wide array of common web-based attacks, including SQL injection, cross-site scripting (XSS), remote file inclusion (RFI), and brute-force attacks. Beyond general web protection, Imunify360 also offers specialized rulesets and optimizations tailored for CMS-specific security and robust WordPress account compromise prevention.

Introduction to Imunify360 WAF

Imunify360 is an advanced, multi-layered security platform developed to provide comprehensive protection for web servers. Its core strength lies in its Web Application Firewall (WAF), which acts as a crucial barrier between your web applications and potential threats. By continuously analyzing incoming traffic, the WAF can identify and block malicious requests in real-time, safeguarding your digital assets from various forms of exploitation.

Key Features of Imunify360 WAF

  • Real-Time Protection: The system continuously monitors network traffic, allowing it to detect and block malicious requests as they occur, ensuring immediate defense against emerging threats.
  • CMS-Specific WAF Rules: Imunify360 provides predefined rules specifically tailored for popular Content Management Systems like WordPress, Joomla, and Drupal. These rules address known vulnerabilities unique to each CMS, offering targeted and effective protection.
  • Minimized ModSecurity Ruleset: An optimized and lightweight ruleset is employed to enhance server performance without compromising security. This ensures efficient threat detection with minimal resource overhead.
  • WordPress Account Compromise Prevention: Dedicated rules and features are included to protect WordPress login and administration areas from brute-force attacks, unauthorized access attempts, and other account takeover strategies.
  • Integrated with Apache and Nginx: The WAF offers seamless compatibility and integration with leading web servers, Apache and Nginx, providing robust protection across various hosting environments.
  • AI-Powered Threat Detection: Utilizing artificial intelligence, Imunify360 is capable of detecting and mitigating zero-day attacks and previously unknown threats, offering proactive security.
  • Automatic Rule Updates: The system automatically updates its security rules, ensuring continuous protection against the latest and evolving cyber threats.
  • Malware Scanning: An integrated malware scanner detects and facilitates the removal of malicious software from your server, maintaining a clean and secure environment.
  • Brute Force Protection: Advanced mechanisms are in place to guard against brute-force attacks targeting login pages, safeguarding user credentials and administrative access.

Step-by-Step Guide to Installing Imunify360 WAF

Installing Imunify360 WAF involves a few straightforward steps, ensuring your server meets the necessary prerequisites and the software is properly activated.

Step 1: Server Requirements

Before proceeding with the installation of Imunify360 WAF, verify that your server environment adheres to the following specifications:

  • Operating System: CentOS 7/8, CloudLinux 7/8, RHEL 7/8, or Ubuntu 16.04/18.04/20.04.
  • Web Servers: Apache, Nginx, or LiteSpeed.
  • Control Panels: cPanel, Plesk, or DirectAdmin.
  • Root access to the server is essential for installation and configuration.

Step 2: Installing Imunify360

To deploy Imunify360 on your server, execute the following commands:

  1. Log in as Root: Establish an SSH connection to your server using root user credentials.
  2. Download and Install the Imunify360 Script: Obtain and run the installer script. This is typically done by downloading it from the official Imunify360 repository and executing it: 
    wget [Official Imunify360 Installer Script URL]
bash imunify-force-installer.sh

    Ensure you replace [Official Imunify360 Installer Script URL] with the current, legitimate download link provided by Imunify360.

  3. Activate Imunify360: Upon successful installation, it is necessary to activate the software using a valid license key. Acquire your license key from your Imunify360 account and use the following command for activation: 
    imunify360-agent register KEY

    Remember to replace KEY with your specific license key.

  4. Verify Installation: After activation, confirm that Imunify360 is operational by checking its service status: 
    systemctl status imunify360

    A confirmation message indicating that Imunify360 is active and running should be displayed.

Step 3: Integrating Imunify360 WAF with cPanel

For cPanel users, integration is straightforward, allowing you to manage Imunify360 directly from your control panel.

  1. Log in to cPanel/WHM: Access your WHM/cPanel interface as the root user.
  2. Access Imunify360 Dashboard: Navigate to the Security Center and click on the Imunify360 icon to open its dedicated dashboard.
  3. Enable the WAF: Within the Imunify360 dashboard, proceed to the Firewall section and activate the Web Application Firewall (WAF). You will find an option to enable WAF protection for your hosted websites.
  4. Select Apache/Nginx: In the WAF settings, confirm that either the Apache or Nginx WAF is enabled, aligning with your server's current web server configuration.

Configuring Imunify360 WAF

Optimal configuration of Imunify360 WAF ensures tailored security for your specific web applications, balancing robust protection with efficient performance.

Step 1: CMS-Specific WAF Rules

Imunify360 incorporates predefined CMS-specific WAF rules designed for popular platforms such as WordPress, Joomla, and Drupal. These rules are meticulously crafted to target vulnerabilities unique to each CMS, offering highly specialized protection.

  1. Access CMS-Specific Rules:
    • Within the Imunify360 dashboard, navigate to the WAF Configuration section.
    • Activate CMS-specific rules relevant to your installed Content Management System. For example, if you are hosting a WordPress site, ensure that the WordPress-specific rules are active.
  2. Common CMS Vulnerabilities Covered:
    • WordPress: Provides defense against attacks such as plugin vulnerabilities, theme file injection, and XML-RPC abuse.
    • Joomla: Guards against file inclusion vulnerabilities, SQL Injection attacks, and unauthorized administrator URL access.
    • Drupal: Protects against remote code execution, arbitrary file uploads, and SQL injection threats.
  3. Customizing CMS-Specific Rules:
    • These rules can be customized to fit your specific security requirements. For instance, you might wish to strengthen protections on sensitive paths like /wp-login.php or /administrator.
    • If particular vulnerabilities require custom attention, specific rules can be formulated and added within the Custom Rules section.

Step 2: Minimized ModSecurity Ruleset

Imunify360 offers a Minimized ModSecurity Ruleset, providing essential protection while maintaining high performance. This is particularly beneficial for servers with limited resources, as this optimized ruleset ensures that the most critical threats are blocked without imposing a significant load on the server.

  1. Enable Minimized ModSec Ruleset:
    • In the ModSecurity section of the WAF dashboard, toggle the option to utilize the Minimized Ruleset. This action applies a leaner, more efficient version of the standard ModSecurity rules.
  2. Why Use a Minimized Ruleset:
    • Performance: It reduces the processing load on your server by evaluating fewer rules, leading to faster request handling and improved overall performance.
    • Essential Protection: The minimized ruleset prioritizes the detection and prevention of OWASP Top 10 vulnerabilities, delivering robust security while avoiding unnecessary rule checks that could impact speed.
  3. Customizing the Minimized Ruleset:
    • Should your environment require it, you have the flexibility to selectively re-enable or add back specific rules that you deem critical. This approach allows for a precise balance between server performance and comprehensive security coverage.
    • The Add Rule option can be used to input additional ModSecurity rules as required.

Step 3: WordPress Account Compromise Prevention

WordPress is a frequent target for cyberattacks due to its widespread use, making it imperative to implement extra security measures to protect its administrative areas and user accounts from compromise. Imunify360 provides a suite of tools designed to secure WordPress login pages and prevent account takeovers effectively.

  1. Enable WordPress-Specific Security:
    • Within the Login Protection section, ensure that brute-force protection is activated for WordPress.
    • This feature automatically detects multiple failed login attempts on wp-login.php and subsequently blocks IP addresses exhibiting suspicious behavior, thwarting brute-force efforts.
  2. Two-Factor Authentication (2FA):
    • While Imunify360 does not natively offer 2FA, it is highly recommended to enable 2FA through a compatible WordPress plugin, such as Google Authenticator. Imunify360's brute-force protection acts as a complementary layer, preventing unauthorized login attempts before they even reach the 2FA stage.
  3. Monitor Login Attempts:
    • Regularly review the Logs section to track login attempts, identifying potential unauthorized access efforts early.
    • Configure alerts for multiple failed logins originating from the same IP address to detect and respond to brute-force attempts promptly.
  4. Harden wp-admin Directory:
    • Implement additional protection for the wp-admin directory by configuring custom WAF rules. This can involve restricting access to the wp-admin area by specific IP addresses or enforcing password protection for the entire directory.
  5. Additional Account Compromise Prevention Tips:
    • Consistently update WordPress plugins and themes to mitigate vulnerabilities that could lead to account compromise.
    • Ensure that administrative usernames are unique, complex, and not easily guessable (e.g., avoid using "admin").
    • Actively monitor for any signs of compromise, such as the appearance of new, unknown users or unauthorized alterations to user roles.

Monitoring and Managing Imunify360 WAF

Effective monitoring and management are crucial for maintaining a strong security posture with Imunify360 WAF, allowing you to respond proactively to threats and optimize protection.

Step 1: Monitoring Traffic and Threats

  1. Real-Time Monitoring: Access the Traffic section within the Imunify360 dashboard to observe incoming requests in real-time. This view provides insights into the total number of blocked attacks and offers detailed logs for each detected malicious request.
  2. Review Blocked Requests: Examine any requests that have been blocked by the WAF. Utilize the available filtering options to search by IP address, URL, or specific threat type, aiding in the investigation of security events.

Step 2: Whitelisting and Blacklisting IPs

Managing IP addresses is an integral part of WAF configuration, enabling you to control access effectively.

  1. Whitelist Trusted IPs: If there are specific IP addresses that you wish to allow to bypass the WAF, navigate to the Whitelist section and add these trusted IPs.
  2. Blacklist Suspicious IPs: For persistent attackers or sources of consistently suspicious traffic, you can manually blacklist their IP addresses within the Blacklist section. This action will block all traffic originating from those specific IPs.

Step 3: Analyzing WAF Logs

The WAF logs provide a wealth of information crucial for understanding security events and refining your WAF rules.

  1. Access Logs: Imunify360 meticulously logs all WAF activity, including blocked requests, identified threats, and traffic patterns. The Logs section allows you to view these events as they occur in real-time.
  2. Analyze Patterns: Leverage these comprehensive logs to analyze attack patterns and subsequently optimize your WAF rules. If certain types of attacks become frequent, consider updating your custom rules to preemptively block them more efficiently.

Best Practices for Optimizing Imunify360 WAF

To maximize the effectiveness of your Imunify360 WAF, adhere to these best practices:

  1. CMS-Specific Hardening:
    • Utilize Imunify360’s specialized rulesets to ensure tailored protection for popular CMS platforms, addressing their unique vulnerabilities.
    • Regularly review and update CMS-specific rules to stay current with new vulnerabilities and evolving threats.
  2. Leverage the Minimized Ruleset:
    • For servers with resource constraints, employ the Minimized ModSecurity Ruleset. Introduce custom rules only when absolutely necessary to enhance security without compromising performance.
  3. WordPress Security Best Practices:
    • Fortify WordPress administration areas with additional rules and vigilant monitoring to prevent account compromise.
    • Activate brute-force protection, diligently review login logs, and implement custom rules to restrict access to wp-login.php and the wp-admin dashboard.
  4. Regularly Review WAF Logs:
    • Consistently monitor WAF logs for new types of threats, paying particular attention to targeted attacks on CMS platforms like WordPress or Joomla, to enable swift and informed responses.

Modifying or Editing WAF Rules in Imunify360

Imunify360 offers the flexibility to modify existing WAF rules or introduce custom rules, allowing you to fine-tune security measures to meet specific operational needs.

Step 1: Accessing the WAF Rules

  1. Log in to cPanel/WHM: Access your Imunify360 dashboard through cPanel or WHM.
  2. Navigate to the WAF Rules Section: Under the Security tab, click on the Web Application Firewall (WAF) section, where a comprehensive list of all active rules is presented.

Step 2: Modifying Existing Rules

  1. Locate the Rule to Modify: Identify the specific rule you wish to alter by searching for its rule ID or by filtering based on the vulnerability type (e.g., SQL Injection, XSS).
  2. Edit the Rule:
    • Click on the rule to review its detailed parameters.
    • You can adjust the conditions or the actions triggered by the rule (e.g., to block, drop, or permit traffic).

    Example: You might modify a rule to permit certain traffic types that were previously blocked by adjusting the SecRuleAction parameter within ModSecurity.

Step 3: Adding Custom Rules

  1. Create a New Rule: In the Custom Rules section, select the Add Rule option.
  2. Define the Rule: Compose your custom rule using standard ModSecurity syntax. For instance, to block a specific IP address from accessing your site: 
    SecRule REMOTE_ADDR "^123\.45\.67\.89$" "id:200001,drop,log"
  3. Save and Apply: After creating the rule, save it and ensure it is properly applied across all relevant domains or directories.

Step 4: Managing Rule Priorities

When multiple rules could apply to the same network traffic, establishing priorities is essential. Rules with a higher priority (typically indicated by lower ID numbers) are evaluated first. To adjust rule priority:

  • Edit the rule ID to ensure that higher priority rules are executed before others. You can also define exceptions based on IP addresses, specific URLs, or user agents to refine rule application.

Handling False Positives in Imunify360

Occasionally, legitimate network traffic may be inadvertently blocked by WAF rules, a phenomenon known as a false positive. Understanding how to identify and address these is crucial for maintaining seamless user experience without compromising security.

Step 1: Identifying False Positives

  1. Review WAF Logs: Navigate to the Logs section in the Imunify360 dashboard to comprehensively review all blocked traffic records.
  2. Filter by Rule ID or IP: Utilize the filter functionalities to search for specific Rule IDs, IP addresses, or URLs that have been blocked. Scrutinize requests that appear legitimate but were nevertheless intercepted by the WAF.
  3. Analyze the Request: Conduct a detailed review of the blocked request's specifics to ascertain if it constitutes a false positive. Examine the request headers, URL, and the action taken by the rule to verify if the traffic should have been permitted.

Step 2: Disabling Specific Rules or Whitelisting

  1. Disable the Rule: Once a false positive has been identified, locate the corresponding Rule ID in the WAF settings. To temporarily disable this rule: 
    imunify360-agent config update MODSEC_RULES_IDS --add 981176 --type disable

    Replace 981176 with the precise Rule ID you intend to disable. This action will prevent the rule from blocking further traffic.

  2. Whitelist IP Addresses: If a particular IP address is frequently affected by false positives, you can whitelist it to ensure it bypasses WAF rules:
    • Go to the Whitelist section in the Imunify360 dashboard.
    • Add the IP address to the list.

    Example: SecRule REMOTE_ADDR "^123\.45\.67\.89$" "id:200002,allow,log"

  3. Modify the Rule (Instead of Disabling): Rather than completely disabling a rule, consider modifying it to narrow its scope. For instance, you can introduce exceptions based on specific URLs or parameters, thereby avoiding the blocking of legitimate requests while still preserving core security.

Step 3: Testing and Re-enabling Rules

After implementing changes to WAF rules, thorough testing is essential to confirm their effectiveness and prevent new issues.

  1. Test the Changes: Following the modification or temporary disabling of a rule, rigorously test your website's functionality by simulating legitimate traffic. Confirm that the alteration successfully resolves the false positive without inadvertently introducing new security vulnerabilities.
  2. Re-enable Rules if Necessary: If a rule was disabled as a temporary measure, continuously review its performance over time. Should it prove crucial for blocking attacks, consider re-enabling it after careful tweaking or fine-tuning to mitigate future false positives.

Modifying Request Body Size (Content-Length) in Imunify360 WAF

The Request Body Size (Content-Length) setting within ModSecurity, which is utilized by Imunify360 WAF, dictates the maximum permissible size of an HTTP request body. Adjusting this limit can be necessary to accommodate large file uploads or to counteract attacks that exploit oversized requests, such as certain types of Denial of Service.

Step 1: Accessing ModSecurity Configuration

  1. Log in to cPanel/WHM: Access your WHM or cPanel interface and navigate to the Imunify360 dashboard.
  2. Locate the ModSecurity Configuration: Within the WAF Settings section of the Imunify360 dashboard, identify the ModSecurity Configuration file, where rule parameters can be edited.

Step 2: Modify Request Body Size

To adjust the Request Body Size, you need to modify the SecRequestBodyLimit directive in the ModSecurity configuration file.

  1. Open ModSecurity Configuration: Open the main ModSecurity configuration file, typically found at /etc/modsecurity/modsecurity.conf.
  2. Edit the Request Body Limit: Locate the following line in the configuration file: 
    SecRequestBodyLimit 13107200
    • Default Value: The default value of 13107200 signifies a limit of 13 MB for the request body.
    • Adjusting the Value: This value can be increased or decreased according to your specific requirements. For example:
    • Increase Request Body Size: 
      SecRequestBodyLimit 52428800

      This setting configures the request body limit to 50 MB.

    • Decrease Request Body Size: 
      SecRequestBodyLimit 1048576

      This adjusts the request body limit to 1 MB.

Step 3: Modify Request Body In-Memory Limit

The in-memory limit dictates the maximum portion of the request body that will be stored in memory, as opposed to being written to disk storage. This is crucial for performance optimization.

  1. Locate the In-Memory Limit Directive: Find the directive: 
    SecRequestBodyInMemoryLimit 131072
    • Default Value: A default value of 131072 means 128 KB of the request body is stored in memory.
    • Adjusting the Value: Increase or decrease this limit based on the available memory resources on your server and the expected size of requests.

    Example: Increase In-Memory Limit

    SecRequestBodyInMemoryLimit 262144

    This sets the in-memory limit to 256 KB.

Step 4: Modify Response Body Limit

Similarly, you can control the Response Body Limit to ensure that large responses are handled appropriately without exhausting server resources.

  1. Edit the Response Body Limit Directive: Locate and modify: 
    SecResponseBodyLimit 5242880
    • Default Value: A value of 5242880 sets the response body limit to 5 MB.
    • Increase the Limit: If your application frequently generates substantial responses, such as downloadable content or large data exports, you may need to increase this limit: 
      SecResponseBodyLimit 10485760

      This increases the response body limit to 10 MB.

    • Disable Response Body Limit: If there is a requirement to disable the limit entirely, you can use the following configuration: 
      SecResponseBodyLimitAction ProcessPartial

      This setting ensures that larger responses are processed, but only up to the specified limit, rather than being completely blocked.

Step 5: Apply Changes and Restart Services

For the modifications to take effect, the configuration file must be saved and the web server restarted.

  1. Save the Configuration: After making all necessary changes to the ModSecurity configuration file, save the file.
  2. Restart the Web Server: To apply the newly configured settings, restart your web server (Apache or Nginx) using the appropriate commands:
    • For Apache: 
      systemctl restart httpd
    • For Nginx: 
      systemctl restart nginx
  3. Verify Changes: After restarting the web server, it is advisable to verify that the new limits are in effect. Check the WAF logs for any warnings or errors related to request size, confirming the successful application of your changes.

Common Use Cases for Adjusting Request Body Size

  • Large File Uploads: For web applications that permit users to upload large files (e.g., images, PDFs, or videos), increasing the Request Body Size is often necessary to accommodate these larger file transfers.
  • Security Tightening: To prevent certain types of attacks, such as Denial of Service attacks that leverage excessively large payloads to overwhelm the server, reducing the Request Body Size can provide an additional layer of defensive protection.
  • Performance Optimization: Adjusting the In-Memory Limit can significantly improve server performance by preventing large request bodies from being entirely loaded into memory, which could otherwise lead to system slowdowns.

Best Practices for Request Body Size Management

Effectively managing request body sizes requires a balance between security and functionality.

  1. Balance Security and Performance: Ensure that the Request Body Size is sufficiently large to handle all legitimate requests, such as file uploads or data submissions, but not so extensive that it creates an exploitable vulnerability for attackers using oversized requests.
  2. Monitor Logs Regularly: Consistently review WAF logs for any requests that are blocked due to Content-Length limits. This ongoing monitoring will help you determine if the limits require further adjustment to optimize functionality without compromising security.
  3. Optimize Memory Usage: By strategically adjusting the In-Memory Limit, you can enhance server performance. This ensures that even larger request bodies are processed and logged efficiently without undue memory consumption.
  4. Apply Limits Specific to Application Needs: If your server hosts multiple applications, consider applying different Request Body Size limits for specific domains or paths within the web server configuration. This granular control ensures that each application benefits from optimally tailored protection and performance settings.

Conclusion

Imunify360 WAF stands as a powerful and highly customizable solution for securing your web applications against a dynamic landscape of modern threats. With its array of features, including CMS-specific rules, an optimized ModSecurity ruleset, and robust WordPress account compromise prevention capabilities, it delivers comprehensive protection across various types of web servers. By diligently following the installation, configuration, and optimization steps outlined in this guide, you can effectively deploy and manage Imunify360 WAF to safeguard your server infrastructure and web applications, ensuring a resilient and secure online presence.

« Back

  By Month

Sept 2025 Aug 2025 May 2025 Jan 2024 Oct 2021 Older Announcements...   View RSS Feed

  By Month

  Support

  My Support Tickets   Announcements   Knowledgebase   Downloads   Network Status   Open Ticket