| commit | author | age | ||
| 7c2752 | 1 | |
| TB | 2 | Description for security_settings.ini values. |
| 3 | ||
| 4 | The option "superadmin" means that a setting is only available to the admin user with userid 1 in the interface. | |
| 5 | If there are other amdins, then they cant access this setting. | |
| 6 | ||
| 7 | ----------------------------------------------------------- | |
| 8 | Setting: allow_shell_user | |
| 9 | Options: yes/no | |
| 10 | Description: Disables the shell user plugins in ispconfig | |
| 11 | ||
| 12 | Setting: admin_allow_server_config | |
| 13 | Options: yes/no/superadmin | |
| 14 | Description: Disables System > Server config | |
| 15 | ||
| 16 | Setting: admin_allow_server_services | |
| 17 | Options: yes/no/superadmin | |
| 18 | Description: Disables System > Server services | |
| 19 | ||
| 20 | Setting: admin_allow_server_ip | |
| 21 | Options: yes/no/superadmin | |
| 22 | Description: Disables System > Server IP | |
| 23 | ||
| 24 | Setting: admin_allow_remote_users | |
| 25 | Options: yes/no/superadmin | |
| 26 | Description: Disables System > Remote Users | |
| 27 | ||
| 28 | Setting: admin_allow_system_config | |
| 29 | Options: yes/no/superadmin | |
| 30 | Description: Disables System > Interface > Main Config | |
| 31 | ||
| 32 | Setting: admin_allow_server_php | |
| 33 | Options: yes/no/superadmin | |
| 34 | Description: Disables System > Additional PHP versions | |
| 35 | ||
| 36 | Setting: admin_allow_langedit | |
| 37 | Options: yes/no/superadmin | |
| 38 | Description: Disables System > Language editor functions | |
| 39 | ||
| 40 | Setting: admin_allow_new_admin | |
| 41 | Options: yes/no/superadmin | |
| 42 | Description: Disables the ability to add new admin users trough the interface | |
| 43 | ||
| 44 | Setting: admin_allow_del_cpuser | |
| 45 | Options: yes/no/superadmin | |
| 46 | Description: Disables the ability to delete CP users | |
| 47 | ||
| 48 | Setting: admin_allow_cpuser_group | |
| 49 | Options: yes/no/superadmin | |
| 50 | Description: Disables cp user group editing | |
| 51 | ||
| 52 | Setting: admin_allow_firewall_config | |
| 53 | Options: yes/no/superadmin | |
| 54 | Description: Disables System > Firewall | |
| 55 | ||
| 56 | Setting: admin_allow_osupdate | |
| 57 | Options: yes/no/superadmin | |
| 58 | Description: Disables System > OS update | |
| 59 | ||
| 60 | Setting: admin_allow_software_packages | |
| 61 | Options: yes/no/superadmin | |
| 62 | Description: Disables System > Apps & Addons > Packages and Update | |
| 63 | ||
| 64 | Setting: admin_allow_software_repo | |
| 65 | Options: yes/no/superadmin | |
| 66 | Description: Disables System > Apps & Addons > Repo | |
| 67 | ||
| 68 | Setting: remote_api_allowed | |
| 69 | Options: yes/no | |
| 70 | Description: Disables the remote API | |
| 71 | ||
| 0baace | 72 | Setting: password_reset_allowed |
| TB | 73 | Options: yes/no |
| 74 | Description: Disables the password reset function. | |
| 75 | ||
| 7536c8 | 76 | Setting: ids_enabled |
| TB | 77 | Options: yes/no |
| 78 | Description: Enables the Intrusion Detection System | |
| 79 | ||
| 80 | Setting: ids_log_level | |
| 81 | Options: 1 (number, default = 1) | |
| 82 | Description: IDS score that triggers the log in /usr/local/ispconfig/interface/temp/ids.log | |
| 83 | This log can be used to feed the whitelist. | |
| 84 | ||
| 85 | Example: | |
| 86 | ||
| 87 | cat /usr/local/ispconfig/interface/temp/ids.log >> /usr/local/ispconfig/security/ids.whitelist | |
| 88 | rm -f /usr/local/ispconfig/interface/temp/ids.log | |
| 89 | ||
| 90 | If you want to use a custom whitelist, then store it as /usr/local/ispconfig/security/ids.whitelist.custom | |
| 91 | ||
| 92 | Setting: ids_warn_level | |
| 93 | Options: 5 (number, default = 5) | |
| 94 | Description: When the IDS score exceeds this level, a error message is logged into the system log. No message is displayed to the user. | |
| 95 | ||
| 96 | Setting: ids_block_level | |
| 97 | Options: 100 (number, default = 100) | |
| 98 | Description: When the IDS score exceeds this level, a error message is shown to the user and further processing is blocked. A score of 100 will most likely never be reached. | |
| 99 | We have choosen such a high score as default until we have more complete whitelists for this new feature. | |
| 100 | ||
| 101 | Setting: sql_scan_enabled | |
| 102 | Options: yes/no | |
| 103 | Description: Enables the scan for SQL injections in the DB library. | |
| 104 | ||
| 105 | Setting: sql_scan_action | |
| 106 | Options: warn/block | |
| 107 | Description: warn = write errot message to log only. Block = block user action and show error to the user. | |
| 108 | ||
| 109 | Setting: apache_directives_scan_enabled | |
| 110 | Options: yes/no | |
| 111 | Description: Scan apache directives field for potentially malicious directives. This function uses the regex | |
| 112 | list from /usr/local/ispconfig/security/apache_directives.blacklist file. | |
| 113 | If you want to use a custom blacklist, then store it as /usr/local/ispconfig/security/apache_directives.blacklist.custom | |
| 114 | ||
| 7c2752 | 115 | Setting: security_admin_email |
| TB | 116 | Options: email address |
| 117 | Description: Email address of the security admin | |
| 118 | ||
| 119 | Setting: security_admin_email_subject | |
| 120 | Options: Text | |
| 121 | Description: Subject of the notification email | |
| 122 | ||
| 123 | Setting: warn_new_admin | |
| 124 | Options: yes/no | |
| 125 | Description: Warn by email when a new admin user in ISPConfig has been added. | |
| 126 | ||
| 127 | Setting: warn_passwd_change | |
| 128 | Options: yes/no | |
| 129 | Description: Warn by email when /etc/passwd has been changed. | |
| 130 | ||
| 131 | Setting: warn_shadow_change | |
| 132 | Options: yes/no | |
| 133 | Description: Warn by email when /etc/shadow has been changed. | |
| 134 | ||
| 135 | Setting: warn_group_change | |
| 136 | Options: yes/no | |
| 137 | Description: Warn by email when /etc/group has been changed. | |
| 138 | ||
| 139 | ||
