Use of PHP IDS in ISPConfig3

Discussion in 'General' started by Stephan Ververda, Jun 25, 2018.

  1. Stephan Ververda

    Stephan Ververda Member HowtoForge Supporter

    Hi, as i already saw in another thread i'm not the only one but as of some time ago i also started noticing a lot of PHP IDS errors in my ISPConfig3 log files. Lot of them related when i change something in DNS (add entries for example) or make some changes to website settings etc etc etc. It's only when i click on the trashcan that it changes its log level from error to debug.

    First of all the readability of the errors in the ISPConfig3 panel is not really great (see attached picture). Second of all i don't seem to be able to find any of these error's back in the actual ispconfig.log files.

    Anyway... the entire PHP IDS was a bit unclear for me so i started to look up something to try to get a bit more explanation just to find out that the entire PHP IDS project was kind of abandoned 4 years ago and not updated since then. It seems that it is only used within ISPConfig3 scripts itself, but i was wondering why it has been incorporated into ISPConfig3. I guess it has something to do with the vulnerability that ISPConfig3 was suffering from some time ago but isn't there another solution that is actually still supported?

    My problem is that the messages itself are actually very long, triggered by my own actions (not attacks on ISPConfig3 panel), nothing in the actual log files and no real support to find when i try to find out a bit more about the IDS error/alert codes/messages.
    And is it still a valid script to run on php versions 7.0/7.1/7.2? (i recently dropped support for 5.6 eventhough php.net extended it's security support till end of this year).

    I'm, for one, all for security. Right now I'm even checking to extend my nginx with naxsi to get some more protection for vulnerabilities like being covered by PHP IDS. But i do have my questions about running PHP IDS though.
     

    Attached Files:

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The IDS is just another security level that helps us to protect ISPConfig against unknown threats and vulnerabilities, that's why we added it to ISPConfig. The IDS is made to set scores for uncommon content in POST, GET and cookies requests. Actually, it does not matter much that the PHP IDS project has been abandoned as it has not changed what is common and uncommon in such requests and the regular expressions are still fine and in case we find taht something is missing, then we can add our own rules, we don't need the PHP IDS project for that as their code is OpenSource like ISPConfig. The error message is long as the value that triggered the filter is that long. The error message mentions that the triggered value is in the nginx_directived field, as this field is accessible to the admin only, you should whitelist it:

    add the line:

    Code:
    admin:/sites/web_vhost_domain_edit.php:POST.nginx_directives
    to the file /usr/local/ispconfig/security/ids.whitelist
     
    Stephan Ververda likes this.
  3. Stephan Ververda

    Stephan Ververda Member HowtoForge Supporter

    Tnx for that response. In the end i was just trying to get some more clarity on the types of alerts/errors that might get triggered by PHP IDS to get some better insight.

    The longitude of the error message itself is not really a problem, just the readability of it in ISPConfig3 panel as it all get's squeezed into that narrow column :).. where can i find it back in any of the logfiles so i can check them from a shell?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can find them in the sys_log table in the dbispconfig database and they are probably in the ispconfig.log as well, but not 100% sure :)
     
  5. Stephan Ververda

    Stephan Ververda Member HowtoForge Supporter

    Nope, not in the ispconfig.log, but i can work with the sys_log table though.
     

Share This Page