ISPConfig Patch 4 released

Discussion in 'General' started by till, Oct 17, 2014.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    What's new in ISPConfig

    This release introduces support for CentOS 7, adds some interesting new security features
    and fixes several bugs in the remote API.

    Intrusion Detection System

    The ISPConfig interface now contains a IDS System to protect it against unknown threats and
    vulnerabilitys. The IDS System consists of a scan engine for POST, GET and COOKIE
    variables based on PHPIDS and a SQL query scanner to detect SQL injection attacks.

    The IDS system does not replace any of the input and variable checks that are implemented in ISPConfig,
    the IDS adds a more generic check for all incoming variables in ISPConfig to build a second defense line.

    For now, the IDS system is configured to add warnings in the ISPConfig System log only and not to block attacks.
    If you like to block attacks, set ids_block_level to a value between 5 and 20 in the security_settings.ini file.
    The checks are quite strict and it is possible taht you have to whitelist some addditional variables to avoid false
    positive warnings. Therefore I would like to ask you to help us to complete the whitelist.

    The sql injection scanner is turned on by default while the intrusion detection system is turned off
    because the scan of all incoming variables can slow down the ISPconfig interface. You can turn
    the IDS on in /usr/local/ispconfig/security/security_settings.ini by changing "ids_enabled" to "yes"
    if you like to test this new feature.

    How whitelisting in IDS works:

    The IDS writes all alerts in whitelst file format to the file /usr/local/ispconfig/interface/temp/ids.log
    and the full warning message to the ispconfig system log in the interface. If you find that a alert is
    a false positive, then please post the alert message and line from ids.log here in the forum so we can check
    that and add it to the official whitelist.

    You can find a detailed description on the IDS settings in the security README file in the
    /usr/local/ispconfig/security/ folder.

    See changelog link below for a list of all changes that are included in this release.

    - Download

    The software can be downloaded here:

    - Changelog

    - Known Issues:

    Please take a look at the bugtracker:

    - BUG Reporting

    Please report bugs to the ISPConfig bugtracking system:

    - Supported Linux Distributions

    - Debian Etch (4.0) - Wheezy (7.0) and Debian testing
    - Ubuntu 7.10 - 14.04
    - OpenSuSE 11 - 13.1
    - CentOS 5.2 - 7
    - Fedora 9 - 15

    - Installation

    The installation instructions for ISPConfig can be found here:

    or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

    - Update

    To update existing ISPConfig 3 installations, run this command on the shell:

    Select "stable" as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

    Detailed instructions for making a backup before you update can be found here:

    If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

    - Manual update instructions

    cd /tmp
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    Last edited: Oct 17, 2014
  2. webguyz

    webguyz Active Member HowtoForge Supporter


    Was curious as to the best way to apply ISPConfig updates to dozens of servers in a multi-server ISPConfig setup. Does your hosting company do these manually or do you use some type of orchestration software like puppet to automate the upgrades?

    Thanks for all you do!
  3. bernholdt

    bernholdt Member

    After update is still tells me version

    I just ran the update
    But it is still telling me it is the old version any ideas how to fix this?

    Never mind just needed to delete the old version from tmp

    Last edited: Oct 19, 2014
  4. concept21

    concept21 Active Member

    If I update from to, do I have to choose "update services configurations"??
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you like to apply the poodle ssl changes (in case you did not do that manually yet), then yes. Otherwise a reconfigure is not required.
  6. itanium

    itanium Member


    Thank you for this update.

    I have just a small problem with the patch 4. After the update i can't use the php-fpm socket. I have an error 500 (FastCGI: incomplete headers (0 bytes) received from server).

    in the vhost of a website (php-fpm socket in use on the ispconfig interface) :
    "FastCgiExternalServer /var/www/xxx/xx/w23/cgi-bin/ -idle-timeout 300 -host -pass-header Authorization"

    need to be :

    "FastCgiExternalServer/var/www/xxx/xx/w23/cgi-bin / -idle-timeout 300 -socket /var/lib/php5-fpm/web23.sock -pass-header Authorization"

    With the patch 3, the "-host" change to "-socket" when you enable socket in the ispconfig interface.

    Ispconfig on Ubuntu 14.04.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    We have a bugtracker ticket on that topic. I will check that.
  8. concept21

    concept21 Active Member

    I experience a bug. When I update from 3.054p3 to 3.054p4, backing up ispconfig stops and jumps back to the shell. Then, I re-run the update and choose no backing up ispconfig. The update is then successful.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats a problem with the php binary and happens when the php has no mysql extension. Please post the output of:

    which php
  10. concept21

    concept21 Active Member

    It is my OS. It have been running for over a year without problem backing up ispconfig. :(

    php5-mysql 5.3.3-8ubuntu12~lucid1
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    which php
  12. concept21

    concept21 Active Member

    > which php
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Please create a file /tmp/test.php on your server with this code inside:

    if(function_exists('mysqli_connect')) {
    echo 'mysqli found';
    } else {
    echo 'no mysqli found';
    then run:

    php /tmp/test.php

    and post the output.
  14. concept21

    concept21 Active Member

    mysqli found.
  15. concept21

    concept21 Active Member

    Hello Till,
    Where can I find the IDS log record?
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    From first post:

  17. mccharlet

    mccharlet Member HowtoForge Supporter


    I has the same problem with the version
    I updated with the same version, disable and enable the website and it's ok
    Best regards

Share This Page