[SOLVED] Possible attack detected. This action has been logged.

Discussion in 'Installation/Configuration' started by AxelssonDesign, Mar 16, 2018.

  1. Hello,
    When I try to login to my ispConfig I get this message: "Possible attack detected. This action has been logged."

    How to fix ?
     
  2. Entangled

    Entangled Member

    Hello.

    I got the same error from the Client account when doing a SSL update Save. I was able to Save from the Admin without any problems.

    I went to the link and it says: install an ISPConfig version where this issue is marked as fixed.

    According to the Admin Dashboard, there aren't any updates able so I am currently. With that said, what version of ISPConfig is marked fixed? I did what was suggested and it worked.

    I found a suggestion from Till which say:

    Try to set the ids anon score to a higher value in /usr/local/ispconfig/security/security_settings.ini

    My security_settings.ini does not have ids_anon_score so I have no idea what the default is so I set it higher.

    Please let me know what I am missing.

    Thank you.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The issue is about a problem in the remote api. You are not using the remote api, so this issue report and its fix is not relevant for your case.

    So the user is affected and not aanon. In that case raise the value of the "ids_user_block_level" in the /usr/local/ispconfig/security/security_settings.ini file.
     
  4. Entangled

    Entangled Member

    Thanks for the quick response Till ... it is currently set to 25, what do you suggest I change it to and what is the range 1-100 or what?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The range is 1+. Try to set the ids_user_block_level and maybe the ids_user_warn_level as well to e.g. 30 or 40.
     
  6. Entangled

    Entangled Member

    before I got your reply, I had set it to 50 and I was able to Save ... after your reply, I set to 30, 35 and 40 ... those failed. I have it set to 45, it works but take some time to Save ... with these:

    ids_anon_enabled=no
    ids_user_enabled=no

    the Save is almost instantly ... what is causing the security check or whatever to slow the Save down so much?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The security check is done on each request when enabled and I have not seen such high scores on normal use, I'm not able to even trigger the 25 score here. The only way to trigger high scores is by trying to inject js xss code into the input fields. I wonder why you see any slowdown as I can't see any noticeable delay on any system, is your server that slow?
     
  8. Entangled

    Entangled Member

    I don't know either. I had to upgrade to pass a PCI test so I am now running Debian 9.4, PHP 7.1 with PHP-FPM and mySQL 5.7.21 ... I had to disable all SSL except TLS 1.2 and close port 25 SMTP.

    To pass the test, I had to close port 3306 ... once I passed, I opened to up again. I would like to permanently switch to Listen on the Internal IP, but, have not had the time to look into how to make the switch an easy process. mySQL on the CP server is only used for ISPConfig so I have to change all the server references to the internal IP so ISPConfig can "talk" between all the servers internally.

    I'll see if mySQL is causing this ... Debian 9.x switch to MariaDB which I did not want to mess with at this time ... not sure how running MariaDB on the CP while all the other servers are running mySQL 5.x.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not related to the database type you are using, so do not switch from MySQL to MariaDB. If it works better for you when you have the IDS disabled, then leave it switched off.
     
  10. Entangled

    Entangled Member

    Since I don't have a clue, what does:

    ids_anon_enabled=no
    ids_user_enabled=no

    do beside disable these? In other words, am I opening myself up for a security issue?
     
  11. ilokano

    ilokano New Member

    I have the same question. I implemented this fix after encountering the problem and am concerned if this compromises the security.
     
  12. Chris_UK

    Chris_UK Member HowtoForge Supporter

    I am running 3.1.13p1
    When logging into my control panel today, I came across this error. I have not logged in just loaded the url in the browser.

    Anybody shed any light on this, temporarily I have followed the steps above to allow me to access my panel, and reverted there after, this is clearly not a sustainable situation when i want to log in.

    Can somebody please answer the previous question, will disabling these two check anon and user until a fix is released create a significant problem for security?

    Ive never come across this issue before but seeing it in many threads on search results its clearly something that keeps coming back to bite us.

    What should we be doing to prevent this, any logs you need?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem described in this thread here has been fixed a year ago and is not present in 3.1.13p1, just verified that. When the IDS in a current ISPConfig version detects a suspicious code, then it will block access for a good reason. You should check the actual IDS error message in the ispconfig system log to find out which code has been sent to the ispconfig interface of your server by your browser that triggered the IDS. If you don't want to use the IDS, switch it off or set a higher block score.
     
  14. Chris_UK

    Chris_UK Member HowtoForge Supporter

    i set the following to 100 and it didnt eliminate the notice/block

    ids_user_warn
    ids_user_block

    What did allow me in was this.
    ids_anon_enabled no
    ids_user_enabled no

    As for logs,
    /var/logs/ispconfig/auth.log (shows my log in events as expected, nothing untoward)
    /var/logs/ispconfig/ispconfig.log (completely empty)

    Im not sure where else ispc writes logs to look for log files to investigate this.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    In ISPconfig > Monitor > Show system log. If the attack is not logged there, then you probably disabled logging of warnings under system > server config.
     
  16. Chris_UK

    Chris_UK Member HowtoForge Supporter

    Nothing in the logs, it was set at error, its now set at warnings, ive enabled ids again and nothing is logging about the issue. When im logged in I dont get the message, but if i log out its right there again, cant see the login page, just that message.

    So it does seem it might not be related to this but it is an issue non the less.

    Update: I have been able to isolate my issue:
    Chromium Version 73.0.3683.75 (Official Build) Built on Ubuntu , running on Ubuntu 18.04 (64-bit) Not present
    Firefox Quantum 66.0.2 (64bit) Not present
    Google Chrome Version 73.0.3683.86 (Official Build) (64-bit) Present

    This issue is clearly different to that of the above. I am going to create a new thread in an appropriate forum, in the mean time I will use one of the other browsers.
     
    Last edited: Apr 3, 2019
  17. Jesse Norell

    Jesse Norell Well-Known Member

    When you are logged out the ids_user_* settings do not apply, try increasing the value of the ids_anon_* settings.
     
  18. Chris_UK

    Chris_UK Member HowtoForge Supporter

    Thank you Jesse, my issue is resolved, deleted cookies, turns out trustpilot uses a cookie that is for all domains, I recently installed their plugin on my website which is what caused this error. Since clearing ive revisited my website and the cookies issue is now gone, all the same il be keeping an eye out to see if it bites me later.
     

Share This Page