[SOLVED] Possible attack detected. This action has been logged.

Discussion in 'Installation/Configuration' started by AxelssonDesign, Mar 16, 2018.

  1. Hello,
    When I try to login to my ispConfig I get this message: "Possible attack detected. This action has been logged."

    How to fix ?
  2. Entangled

    Entangled Member


    I got the same error from the Client account when doing a SSL update Save. I was able to Save from the Admin without any problems.

    I went to the link and it says: install an ISPConfig version where this issue is marked as fixed.

    According to the Admin Dashboard, there aren't any updates able so I am currently. With that said, what version of ISPConfig is marked fixed? I did what was suggested and it worked.

    I found a suggestion from Till which say:

    Try to set the ids anon score to a higher value in /usr/local/ispconfig/security/security_settings.ini

    My security_settings.ini does not have ids_anon_score so I have no idea what the default is so I set it higher.

    Please let me know what I am missing.

    Thank you.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The issue is about a problem in the remote api. You are not using the remote api, so this issue report and its fix is not relevant for your case.

    So the user is affected and not aanon. In that case raise the value of the "ids_user_block_level" in the /usr/local/ispconfig/security/security_settings.ini file.
  4. Entangled

    Entangled Member

    Thanks for the quick response Till ... it is currently set to 25, what do you suggest I change it to and what is the range 1-100 or what?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The range is 1+. Try to set the ids_user_block_level and maybe the ids_user_warn_level as well to e.g. 30 or 40.
  6. Entangled

    Entangled Member

    before I got your reply, I had set it to 50 and I was able to Save ... after your reply, I set to 30, 35 and 40 ... those failed. I have it set to 45, it works but take some time to Save ... with these:


    the Save is almost instantly ... what is causing the security check or whatever to slow the Save down so much?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The security check is done on each request when enabled and I have not seen such high scores on normal use, I'm not able to even trigger the 25 score here. The only way to trigger high scores is by trying to inject js xss code into the input fields. I wonder why you see any slowdown as I can't see any noticeable delay on any system, is your server that slow?
  8. Entangled

    Entangled Member

    I don't know either. I had to upgrade to pass a PCI test so I am now running Debian 9.4, PHP 7.1 with PHP-FPM and mySQL 5.7.21 ... I had to disable all SSL except TLS 1.2 and close port 25 SMTP.

    To pass the test, I had to close port 3306 ... once I passed, I opened to up again. I would like to permanently switch to Listen on the Internal IP, but, have not had the time to look into how to make the switch an easy process. mySQL on the CP server is only used for ISPConfig so I have to change all the server references to the internal IP so ISPConfig can "talk" between all the servers internally.

    I'll see if mySQL is causing this ... Debian 9.x switch to MariaDB which I did not want to mess with at this time ... not sure how running MariaDB on the CP while all the other servers are running mySQL 5.x.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not related to the database type you are using, so do not switch from MySQL to MariaDB. If it works better for you when you have the IDS disabled, then leave it switched off.
  10. Entangled

    Entangled Member

    Since I don't have a clue, what does:


    do beside disable these? In other words, am I opening myself up for a security issue?
  11. ilokano

    ilokano New Member

    I have the same question. I implemented this fix after encountering the problem and am concerned if this compromises the security.

Share This Page