Description for security_settings.ini values.

The option "superadmin" means that a setting is only available to the admin user with userid 1 in the interface.
If there are other admins, then they cannot access this setting.

-----------------------------------------------------------
Setting: allow_shell_user
Options: yes/no
Description: Disables the shell user plugins in ISPConfig

Setting: admin_allow_server_config
Options: yes/no/superadmin
Description: Disables System > Server config

Setting: admin_allow_server_services
Options: yes/no/superadmin
Description: Disables System > Server services

Setting: admin_allow_server_ip
Options: yes/no/superadmin
Description: Disables System > Server IP

Setting: admin_allow_remote_users
Options: yes/no/superadmin
Description: Disables System > Remote Users

Setting: admin_allow_system_config
Options: yes/no/superadmin
Description: Disables System > Interface > Main Config

Setting: admin_allow_server_php
Options: yes/no/superadmin
Description: Disables System > Additional PHP versions

Setting: admin_allow_langedit
Options: yes/no/superadmin
Description: Disables System > Language editor functions

Setting: admin_allow_new_admin
Options: yes/no/superadmin
Description: Disables the ability to add new admin users through the interface

Setting: admin_allow_del_cpuser
Options: yes/no/superadmin
Description: Disables the ability to delete CP users

Setting: admin_allow_cpuser_group
Options: yes/no/superadmin
Description: Disables CP user group editing

Setting: admin_allow_firewall_config
Options: yes/no/superadmin
Description: Disables System > Firewall

Setting: admin_allow_osupdate
Options: yes/no/superadmin
Description: Disables System > OS update

Setting: admin_allow_software_packages
Options: yes/no/superadmin
Description: Disables System > Apps & Addons > Packages and Update

Setting: admin_allow_software_repo
Options: yes/no/superadmin
Description: Disables System > Apps & Addons > Repo

Setting: remote_api_allowed
Options: yes/no
Description: Disables the remote API

Setting: password_reset_allowed
Options: yes/no
Description: Disables the password reset function.

Setting: ids_enabled
Options: yes/no
Description: Enables the Intrusion Detection System

Setting: ids_log_level
Options: 1 (number, default = 1)
Description: IDS score that triggers the log in /usr/local/ispconfig/interface/temp/ids.log
This log can be used to feed the whitelist.

Example:

cat /usr/local/ispconfig/interface/temp/ids.log >> /usr/local/ispconfig/security/ids.whitelist
rm -f /usr/local/ispconfig/interface/temp/ids.log

If you want to use a custom whitelist, then store it as /usr/local/ispconfig/security/ids.whitelist.custom

Setting: ids_warn_level
Options: 5 (number, default = 5)
Description: When the IDS score exceeds this level, an error message is logged into the system log. No message is displayed to the user.

Setting: ids_block_level
Options: 100 (number, default = 100)
Description: When the IDS score exceeds this level, an error message is shown to the user and further processing is blocked. A score of 100 will most likely never be reached.
We have chosen such a high score as default until we have more complete whitelists for this new feature.

Setting: sql_scan_enabled
Options: yes/no
Description: Enables the scan for SQL injections in the DB library.

Setting: sql_scan_action
Options: warn/block
Description: warn = write error message to log only. block = block user action and show error to the user.

Setting: apache_directives_scan_enabled
Options: yes/no
Description: Scan apache directives field for potentially malicious directives. This function uses the regex
list from /usr/local/ispconfig/security/apache_directives.blacklist file.
If you want to use a custom blacklist, then store it as /usr/local/ispconfig/security/apache_directives.blacklist.custom

Setting: security_admin_email
Options: email address
Description: Email address of the security admin

Setting: security_admin_email_subject
Options: Text
Description: Subject of the notification email

Setting: warn_new_admin
Options: yes/no
Description: Warn by email when a new admin user in ISPConfig has been added.

Setting: warn_passwd_change
Options: yes/no
Description: Warn by email when /etc/passwd has been changed.

Setting: warn_shadow_change
Options: yes/no
Description: Warn by email when /etc/shadow has been changed.

Setting: warn_group_change
Options: yes/no
Description: Warn by email when /etc/group has been changed.
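An added example (not part of the ISPConfig README or code base): a small Python audit that checks a security_settings.ini against the option lists documented above and flags IDS and SQL-scan settings that only log instead of blocking. The [permissions] and [ids] section names in the constructed sample, and the log <= warn <= block ordering check, are assumptions of this example.

```python
import configparser

YESNO = {"yes", "no"}
TRISTATE = YESNO | {"superadmin"}
# Documented option lists; admin_allow_* keys are matched by prefix below.
OPTIONS = {k: YESNO for k in (
    "allow_shell_user", "remote_api_allowed", "password_reset_allowed",
    "ids_enabled", "sql_scan_enabled", "apache_directives_scan_enabled",
    "warn_new_admin", "warn_passwd_change", "warn_shadow_change",
    "warn_group_change")}
OPTIONS["sql_scan_action"] = {"warn", "block"}
LEVELS = ("ids_log_level", "ids_warn_level", "ids_block_level")

def audit(ini_text):
    """Return findings for a security_settings.ini passed as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Flatten all sections; the checks do not depend on section names.
    cfg = {k: v.strip().lower() for s in cp.sections() for k, v in cp[s].items()}
    findings = []
    for key, value in cfg.items():
        allowed = TRISTATE if key.startswith("admin_allow_") else OPTIONS.get(key)
        if allowed and value not in allowed:
            findings.append(f"{key}: '{value}' is not one of {sorted(allowed)}")
    bad = [k for k in LEVELS if k in cfg and not cfg[k].isdecimal()]
    findings += [f"{k}: '{cfg[k]}' is not a number" for k in bad]
    if cfg.get("ids_enabled") == "yes" and not bad and all(k in cfg for k in LEVELS):
        log, warn, block = (int(cfg[k]) for k in LEVELS)
        if not log <= warn <= block:  # ordering is this example's own sanity check
            findings.append("ids levels: expected log <= warn <= block")
        if block >= 100:  # README: a score of 100 will most likely never be reached
            findings.append("ids_block_level >= 100: blocking is unlikely to trigger")
    if cfg.get("sql_scan_enabled") == "yes" and cfg.get("sql_scan_action") == "warn":
        findings.append("sql_scan_action=warn: SQL scan hits are logged, not blocked")
    return findings

# Constructed sample; the [section] names are assumptions.
SAMPLE = """[permissions]
admin_allow_server_config=superadmin
admin_allow_new_admin=root
[ids]
ids_enabled=yes
ids_log_level=1
ids_warn_level=5
ids_block_level=100
sql_scan_enabled=yes
sql_scan_action=warn
"""
print("\n".join(audit(SAMPLE)))
```
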