Use Imunify360 only and uninstall CSF

[kikloo]

Hi,

Can I uninstall CSF and use Imunify360 only ?

Thanks.

 

[Richard G]

Yes.

However, then you would have no firewall. Maybe you could think about using another one. I forgot the name.

 

[copernic]

Yes.

However, then you would have no firewall. Maybe you could think about using another one. I forgot the name.

Imunify360 has firewall functionality,

 

[Richard G]

I'm sorry, you're correct, I'm not familiar with imunify360 other then that I know it protects against malware.
But it has indeed a decent firewal too.

 

[kikloo]

Imunify360 is a complete security suite. I was running csf on my cPanel servers and csf blocks a lot of positive users for no reason and sends a lot of lfd emails. Whereas with imunify360 I never had such issues. It’s like it really takes care of everything on its own. So I prefer that over csf.

 

[scriptkitty]

Hi!

Why not configure CSF accordingly and then integrate it with Imunify360 for extra protection?

Let us know the notifications you're receiving that you'd like to not receive and we can advise you how to safely disable them without sacrificing security.

If you wish to proceed with removal, I believe you can just disable service monitoring for it (remove the entry lfd=ON from the file /usr/local/directadmin/data/admin/services.status)and uninstall, since DirectAdmin's integration requires the plugin to first be installed in order to function:

https://www.directadmin.com/features.php?id=2617

 

[Richard G]

It’s like it really takes care of everything on its own. So I prefer that over csf.

As for fireawlling CSF does to but gives admins the choice to get more information if wanted. It's easy to disable those lots of messages you're getting from CSF. I disabled most too, it's very quiet in my mailbox from CSF.

Also, if many valid users are blocked, then something must be set too strict somewhere. We run CSF on cPanel and DA servers for many years and don't encounter an issue with lots of users blocked by CSF without being an issue present.
What we encounter most as a reason with valid customers, is customers getting new phones or changing email passwords and they do not change it on all their devices or change it correctly which causes valid blocks by CSF.

However, anybody is free in the choice what they want to use or feel fine with ofcourse.

 

[Wanabo]

I had some issues with valid users to. But that was because of modsecurity settings, and CSF reported it as it should.

 

[Jordz2203]

I had some issues with valid users to. But that was because of modsecurity settings, and CSF reported it as it should.

How did you end up resolving the mod security issues? I find its killing many of my users and staff (blocked for various mod rules)

 

[Zhenmue]

How did you end up resolving the mod security issues? I find its killing many of my users and staff (blocked for various mod rules)

since we moved to DA with modsecurity, for some reason, there are many rules that gives false positives.

Everytime one of your clients or your staff gets blocked, ask their IP.
Check the modsecurity log, and the modsecurity rule
Check why it was triggered, also ask the client or staff what they were doing.

According to that, you can define if that rule gives false positive, if it does, just deactivate it.

We have more than a few deactivated wich solved pretty much all false positives, we had like 4-5 clients blocked everyday just for working on their website, now we have 1 every week, if we have any. But it has been few months checking logs and deciding if a rule can be deactivated.

If a rule causes issues for only 1 client, you can go inside that clients panel, and deactivate that rule just for him too.

 

[Zhenmue]

Adding my opinion to the thread.
We find IM360 and CSF work incredible, and Brute Force Monitor from DA work terrible

 

[Jordz2203]

Adding my opinion to the thread.
We find IM360 and CSF work incredible, and Brute Force Monitor from DA work terrible

I see, so other than certain rules being disabled, did you decide to remove CSF or anything else? We have DirectAdmin pretty standard, with CSF, then 4 mod sec rules disabled on Immunify360. Trying to figure out other than disabling rules for modsec what the best course of action is. Maybe there are certain other software or anything that needs to be disabled.

 

[Zhenmue]

I see, so other than certain rules being disabled, did you decide to remove CSF or anything else? We have DirectAdmin pretty standard, with CSF, then 4 mod sec rules disabled on Immunify360. Trying to figure out other than disabling rules for modsec what the best course of action is. Maybe there are certain other software or anything that needs to be disabled.

maybe someone else can tell you a better path for this.

For us was what i wrote, checking logs and disabling rules giving too many false positives.

 

[Wanabo]

In "/etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
Whitelist your ip, or ip's from your staff.

## whitelist ip's
## prive ip
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule REMOTE_ADDR "@ipMatch yyy.yyy.yyy.yyy" "id:1001,phase:1,pass,nolog,ctl:ruleEngine=Off"

When normal users trigger a modsecurity response, check the log files to see what php file was affected and what rule was triggerd. Then write your own exclusion also in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules !! Custom
SecRule REQUEST_FILENAME "@endsWith /xxx.php" "id:1004,phase:2,pass,nolog,ctl:ruleRemoveById=941000-942999"

To survive DA updates place a copy of "/etc/modsecurity.d/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" in /usr/local/directadmin/custombuild/custom/modsecurity/conf/