I believe something should be mentioned on the server/D7 requirements page about this but it's obviously not my place to do so. Anyway, as some or most of you already know, D7 uses something that's known as PHPIDS for advanced security. This link is very helpful to learn more about PHPIDS.
I'm writing this topic because we have a very secure server running in Europe. This server is pretty much dedicated to our D7 community and not much else. Even though we've had a paid-for professional installation of D7 on a new server, we've been experiencing all sorts of "weird issues" such as inexplicable session timeouts, security attack messages, access denied site errors where free & complete access was the rule, and so on. The security attack messages that we've been receiving had a total impact threshold of 15 to begin with (not very serious).
Well, as we continued to set both threshold levels higher in order to avoid attack messages that were clearly NOT hacker attacks at all, so did the attack messages arrive with increased threshold levels. Even for the same items that earlier had lower values. Eventually we raised the threshold levels bit by bit to 36, only to finally receive yet another message with a total impact rating of 38, which would normally be considered quite high, a definite security risk or even attack under way.
Maybe this has something to do with the fact that the server is in one country and I'm located in another country while I'm working with D7 ... ??? Again, we were able to prove beyond any doubt that our attack messages had strictly to do with permitted actions by members. Before the installation of D7 we never received any attack messages and our server has never had successful hacker attempts in the previous 4 years although the server is being hammered daily. Believe me when I tell you that hacker attacks are far worse in Europe (particularly Russia/Ukraine) than here in the USA and possibly many other areas.
So, if your server has several safeguards such as firewalls, Zend, access failsafes, etc. in place and you're experiencing some weird timeout problems or receiving attack messages that are clearly not related to any attacks at all, then simply do what we ended up doing today, by changing both of the impact thresholds under admin/advanced settings/other to a negative one or rather -1.
As soon as we did that, everything was working as it should have been all along.
At least four of our issues appeared to be directly related to PHPIDS for some reason ...
Hope this helps someone down the road.
