How to deal with "Possible attack detected. This action has been logged." error message in our ISPConfig control panel

botond published 2021/03/23, k - 09:19 time

Content

 

Introductory

Az ISPConfig uses a variety of protection systems to keep it secure, including IDS (Intrusion Detection System) technology. However, this setting may be too sensitive and disable us from the control panel as well. In this little troubleshooter, we'll see what we can do if our ISPConfig control panel doesn't allow us, but instead gets a "Possible attack detected. This action has been logged." error message.

 

 

The symptom

When we load the login URL of our ISPConfig control panel, we get the following error message on a blank white screen: "Possible attack detected. This action has been logged."

 

The solution

ISPConfig IDS settings are set too sensitive, so you may consider yourself an attacker, but it is also possible that there are real attempts to attack against an external ISPConfig in the background.

Control panel security settings a /usr/local/ispconfig/security/security_settings.ini can be found in the following file, the original content of which is as follows:

[permissions]
allow_shell_user=yes
admin_allow_server_config=superadmin
admin_allow_server_services=superadmin
admin_allow_server_ip=superadmin
admin_allow_remote_users=superadmin
admin_allow_system_config=superadmin
admin_allow_server_php=superadmin
admin_allow_langedit=superadmin
admin_allow_new_admin=superadmin
admin_allow_del_cpuser=superadmin
admin_allow_cpuser_group=superadmin
admin_allow_firewall_config=superadmin
admin_allow_osupdate=superadmin
remote_api_allowed=yes
password_reset_allowed=yes
session_regenerate_id=yes
reverse_proxy_panel_allowed=none

[ids]
ids_anon_enabled=yes
ids_anon_log_level=1
ids_anon_warn_level=15
ids_anon_block_level=20
ids_user_enabled=yes
ids_user_log_level=1
ids_user_warn_level=27
ids_user_block_level=30
ids_admin_enabled=no
ids_admin_log_level=1
ids_admin_warn_level=90
ids_admin_block_level=100
sql_scan_enabled=yes
sql_scan_action=warn
apache_directives_scan_enabled=yes
nginx_directives_scan_enabled=yes

[systemcheck]
security_admin_email=root@localhost
security_admin_email_subject=Security alert from server
warn_new_admin=yes
warn_passwd_change=no
warn_shadow_change=no
warn_group_change=no

In the middle are the IDS settings. We now have to deal with the first eight of these settings:

  • ids_anon_enabled = yes
  • ids_anon_log_level = 1
  • ids_anon_warn_level = 15
  • ids_anon_block_level = 20
  • ids_user_enabled = yes
  • ids_user_log_level = 1
  • ids_user_warn_level = 27
  • ids_user_block_level = 30
The system monitors suspicious activities and /usr/local/ispconfig/interface/temp/ids.log collects them in a log file. When the score reaches log_level value, the activity is logged. When you reach the warn_level value, it will alert us to the interface in the "Overview" submenu of the "Monitor" main menu in the "The System-Log" line. Here, if we open the details, we can also see the log stored in the database, where the possible causes of the problem appear in the entries starting with "PHP IDS Alert.Total impact: ...". And if the scores reach block_level value, it will be banned from the entire system. The "anon" parts are intended to control the monitoring of unknown (non-user) activities, and the "user" parts are intended to control user activities.

Here you can do two things: either raise the scores for "ids_anon_block_level" and "ids_user_block_level" to the level where the control panel already allows us, or simply turn off both monitors with "ids_anon_enabled = no" and "ids_user_enabled =."

After saving the file, the ISPConfig control panel will allow it. You can then look around in the "System-Log" submenu of the "Monitor" menu mentioned above and check what caused the ban.

When you update the control panel, this configuration file is overwritten by the service pack, so you must perform these settings again after upgrading.

 

 

Conclusion

Of course, there may be other types of bans that may give other error messages, but in general, this is how IDS-type security flaws can be handled.