Content
Introductory
Az ISPConfig uses a variety of protection systems to keep it secure, including IDS (Intrusion Detection System) technology. However, this setting may be too sensitive and disable us from the control panel as well. In this little troubleshooter, we'll see what we can do if our ISPConfig control panel doesn't allow us, but instead gets a "Possible attack detected. This action has been logged." error message.
The symptom
When we load the login URL of our ISPConfig control panel, we get the following error message on a blank white screen: "Possible attack detected. This action has been logged."
The solution
ISPConfig IDS settings are set too sensitive, so you may consider yourself an attacker, but it is also possible that there are real attempts to attack against an external ISPConfig in the background.
Control panel security settings a /usr/local/ispconfig/security/security_settings.ini can be found in the following file, the original content of which is as follows:
[permissions] allow_shell_user=yes admin_allow_server_config=superadmin admin_allow_server_services=superadmin admin_allow_server_ip=superadmin admin_allow_remote_users=superadmin admin_allow_system_config=superadmin admin_allow_server_php=superadmin admin_allow_langedit=superadmin admin_allow_new_admin=superadmin admin_allow_del_cpuser=superadmin admin_allow_cpuser_group=superadmin admin_allow_firewall_config=superadmin admin_allow_osupdate=superadmin remote_api_allowed=yes password_reset_allowed=yes session_regenerate_id=yes reverse_proxy_panel_allowed=none [ids] ids_anon_enabled=yes ids_anon_log_level=1 ids_anon_warn_level=15 ids_anon_block_level=20 ids_user_enabled=yes ids_user_log_level=1 ids_user_warn_level=27 ids_user_block_level=30 ids_admin_enabled=no ids_admin_log_level=1 ids_admin_warn_level=90 ids_admin_block_level=100 sql_scan_enabled=yes sql_scan_action=warn apache_directives_scan_enabled=yes nginx_directives_scan_enabled=yes [systemcheck] security_admin_email=root@localhost security_admin_email_subject=Security alert from server warn_new_admin=yes warn_passwd_change=no warn_shadow_change=no warn_group_change=no
In the middle are the IDS settings. We now have to deal with the first eight of these settings:
- ids_anon_enabled = yes
- ids_anon_log_level = 1
- ids_anon_warn_level = 15
- ids_anon_block_level = 20
- ids_user_enabled = yes
- ids_user_log_level = 1
- ids_user_warn_level = 27
- ids_user_block_level = 30
Here you can do two things: either raise the scores for "ids_anon_block_level" and "ids_user_block_level" to the level where the control panel already allows us, or simply turn off both monitors with "ids_anon_enabled = no" and "ids_user_enabled =."
After saving the file, the ISPConfig control panel will allow it. You can then look around in the "System-Log" submenu of the "Monitor" menu mentioned above and check what caused the ban.
Conclusion
Of course, there may be other types of bans that may give other error messages, but in general, this is how IDS-type security flaws can be handled.
- To post registration and login required
- 86 views