[SOLVED] Possible attack detected. This action has been logged.

Hello,
When I try to login to my ispConfig I get this message: "Possible attack detected. This action has been logged."

How to fix ?

 

solved by: https://git.ispconfig.org/ispconfig/ispconfig3/issues/4912

 

Hello.

I got the same error from the Client account when doing a SSL update Save. I was able to Save from the Admin without any problems.

I went to the link and it says: install an ISPConfig version where this issue is marked as fixed.

According to the Admin Dashboard, there aren't any updates able so I am currently. With that said, what version of ISPConfig is marked fixed? I did what was suggested and it worked.

I found a suggestion from Till which say:

Try to set the ids anon score to a higher value in /usr/local/ispconfig/security/security_settings.ini

My security_settings.ini does not have ids_anon_score so I have no idea what the default is so I set it higher.

Please let me know what I am missing.

Thank you.

 

Thanks for the quick response Till ... it is currently set to 25, what do you suggest I change it to and what is the range 1-100 or what?

 

before I got your reply, I had set it to 50 and I was able to Save ... after your reply, I set to 30, 35 and 40 ... those failed. I have it set to 45, it works but take some time to Save ... with these:

ids_anon_enabled=no
ids_user_enabled=no

the Save is almost instantly ... what is causing the security check or whatever to slow the Save down so much?

 

I don't know either. I had to upgrade to pass a PCI test so I am now running Debian 9.4, PHP 7.1 with PHP-FPM and mySQL 5.7.21 ... I had to disable all SSL except TLS 1.2 and close port 25 SMTP.

To pass the test, I had to close port 3306 ... once I passed, I opened to up again. I would like to permanently switch to Listen on the Internal IP, but, have not had the time to look into how to make the switch an easy process. mySQL on the CP server is only used for ISPConfig so I have to change all the server references to the internal IP so ISPConfig can "talk" between all the servers internally.

I'll see if mySQL is causing this ... Debian 9.x switch to MariaDB which I did not want to mess with at this time ... not sure how running MariaDB on the CP while all the other servers are running mySQL 5.x.

 

Since I don't have a clue, what does:

ids_anon_enabled=no
ids_user_enabled=no

do beside disable these? In other words, am I opening myself up for a security issue?

 

I have the same question. I implemented this fix after encountering the problem and am concerned if this compromises the security.

 

I am running 3.1.13p1
When logging into my control panel today, I came across this error. I have not logged in just loaded the url in the browser.

Anybody shed any light on this, temporarily I have followed the steps above to allow me to access my panel, and reverted there after, this is clearly not a sustainable situation when i want to log in.

Can somebody please answer the previous question, will disabling these two check anon and user until a fix is released create a significant problem for security?

Ive never come across this issue before but seeing it in many threads on search results its clearly something that keeps coming back to bite us.

What should we be doing to prevent this, any logs you need?

 

i set the following to 100 and it didnt eliminate the notice/block

ids_user_warn
ids_user_block

What did allow me in was this.
ids_anon_enabled no
ids_user_enabled no

As for logs,
/var/logs/ispconfig/auth.log (shows my log in events as expected, nothing untoward)
/var/logs/ispconfig/ispconfig.log (completely empty)

Im not sure where else ispc writes logs to look for log files to investigate this.

 

Nothing in the logs, it was set at error, its now set at warnings, ive enabled ids again and nothing is logging about the issue. When im logged in I dont get the message, but if i log out its right there again, cant see the login page, just that message.

So it does seem it might not be related to this but it is an issue non the less.

Update: I have been able to isolate my issue:
Chromium Version 73.0.3683.75 (Official Build) Built on Ubuntu , running on Ubuntu 18.04 (64-bit) Not present
Firefox Quantum 66.0.2 (64bit) Not present
Google Chrome Version 73.0.3683.86 (Official Build) (64-bit) Present

This issue is clearly different to that of the above. I am going to create a new thread in an appropriate forum, in the mean time I will use one of the other browsers.

 

Thank you Jesse, my issue is resolved, deleted cookies, turns out trustpilot uses a cookie that is for all domains, I recently installed their plugin on my website which is what caused this error. Since clearing ive revisited my website and the cookies issue is now gone, all the same il be keeping an eye out to see if it bites me later.

 

Had d problem just now, ver 3.1.15p3. Just cleared cookies and cache and then refresh, error gone.