Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Description for security_settings.ini values.
The option "superadmin" means that a setting is only available to the admin user with userid 1 in the interface.
If there are other amdins, then they cant access this setting.
-----------------------------------------------------------
Setting: allow_shell_user
Options: yes/no
Description: Disables the shell user plugins in ispconfig
Setting: admin_allow_server_config
Options: yes/no/superadmin
Description: Disables System > Server config
Setting: admin_allow_server_services
Options: yes/no/superadmin
Description: Disables System > Server services
Setting: admin_allow_server_ip
Options: yes/no/superadmin
Description: Disables System > Server IP
Setting: admin_allow_remote_users
Options: yes/no/superadmin
Description: Disables System > Remote Users
Setting: admin_allow_system_config
Options: yes/no/superadmin
Description: Disables System > Interface > Main Config
Setting: admin_allow_server_php
Options: yes/no/superadmin
Description: Disables System > Additional PHP versions
Setting: admin_allow_langedit
Options: yes/no/superadmin
Description: Disables System > Language editor functions
Setting: admin_allow_new_admin
Options: yes/no/superadmin
Description: Disables the ability to add new admin users trough the interface
Setting: admin_allow_del_cpuser
Options: yes/no/superadmin
Description: Disables the ability to delete CP users
Setting: admin_allow_cpuser_group
Options: yes/no/superadmin
Description: Disables cp user group editing
Setting: admin_allow_firewall_config
Options: yes/no/superadmin
Description: Disables System > Firewall
Setting: admin_allow_osupdate
Options: yes/no/superadmin
Description: Disables System > OS update
Setting: admin_allow_software_packages
Options: yes/no/superadmin
Description: Disables System > Apps & Addons > Packages and Update
Setting: admin_allow_software_repo
Options: yes/no/superadmin
Description: Disables System > Apps & Addons > Repo
Setting: remote_api_allowed
Options: yes/no
Description: Disables the remote API
Setting: password_reset_allowed
Options: yes/no
Description: Disables the password reset function.
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
Setting: ids_enabled
Options: yes/no
Description: Enables the Intrusion Detection System
Setting: ids_log_level
Options: 1 (number, default = 1)
Description: IDS score that triggers the log in /usr/local/ispconfig/interface/temp/ids.log
This log can be used to feed the whitelist.
Example:
cat /usr/local/ispconfig/interface/temp/ids.log >> /usr/local/ispconfig/security/ids.whitelist
rm -f /usr/local/ispconfig/interface/temp/ids.log
If you want to use a custom whitelist, then store it as /usr/local/ispconfig/security/ids.whitelist.custom
Setting: ids_warn_level
Options: 5 (number, default = 5)
Description: When the IDS score exceeds this level, a error message is logged into the system log. No message is displayed to the user.
Setting: ids_block_level
Options: 100 (number, default = 100)
Description: When the IDS score exceeds this level, a error message is shown to the user and further processing is blocked. A score of 100 will most likely never be reached.
We have choosen such a high score as default until we have more complete whitelists for this new feature.
Setting: sql_scan_enabled
Options: yes/no
Description: Enables the scan for SQL injections in the DB library.
Setting: sql_scan_action
Options: warn/block
Description: warn = write errot message to log only. Block = block user action and show error to the user.
Setting: apache_directives_scan_enabled
Options: yes/no
Description: Scan apache directives field for potentially malicious directives. This function uses the regex
list from /usr/local/ispconfig/security/apache_directives.blacklist file.
If you want to use a custom blacklist, then store it as /usr/local/ispconfig/security/apache_directives.blacklist.custom
Setting: security_admin_email
Options: email address
Description: Email address of the security admin
Setting: security_admin_email_subject
Options: Text
Description: Subject of the notification email
Setting: warn_new_admin
Options: yes/no
Description: Warn by email when a new admin user in ISPConfig has been added.
Setting: warn_passwd_change
Options: yes/no
Description: Warn by email when /etc/passwd has been changed.
Setting: warn_shadow_change
Options: yes/no
Description: Warn by email when /etc/shadow has been changed.
Setting: warn_group_change
Options: yes/no
Description: Warn by email when /etc/group has been changed.