Block user / host on failed logins

Hi

We have noticed the following feature has issues / doesn't work properly as it should

1) Under Webmin > Webmin Configuration > Authentication, we have the option to "Block users with more than N tries for M secs". So when a user fails for the Nth time, it says access for the user is blocked, but on entering the right password, it allows the user into Webmin again.

2) Under Webmin > Webmin Configuration > Authentication, we have the option to "Block hosts with more than N tries for M secs". But consider a scenario where Webmin is placed behind a proxy. In that case it will block the proxy IP instead of the remote client IP, and no one can access Webmin till the block period is over. An Apache backend can solve this using the RPAF module, where it gets the client IP from the X-header sent by the proxy server and blocks the IP of the client instead of the proxy. Is there a way to achieve the same thing in miniserv.pl?

Thanks Arnab

Status: Active

Comments

For question 1, are you sure the M second timeout didn't expire?

For question 2, you can configure Webmin to respect the IP provided by the proxy. Just add the line trust_real_ip=1 to /etc/webmin/miniserv.conf, then run /etc/webmin/restart.
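The miniserv.conf edit above, as an added example that is not part of the original thread: a small POSIX shell helper that sets a key=value option in a miniserv.conf-style file without duplicating the key if it already exists with another value (e.g. trust_real_ip=0), run here against a constructed temporary copy rather than the real /etc/webmin/miniserv.conf. It assumes Webmin is reachable only through the proxy, since trust_real_ip makes miniserv believe the client address the proxy reports.

```shell
# Constructed sample config for the demo (a temp file, not the live /etc/webmin/miniserv.conf).
CONF=$(mktemp)
printf 'port=10000\nssl=1\ntrust_real_ip=0\n' > "$CONF"

# set_miniserv_option FILE KEY VALUE
# Rewrites the line for KEY if present (whatever its current value), otherwise appends it,
# so repeated runs are idempotent and never leave two conflicting lines for the same key.
set_miniserv_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" }
        $1 == k { print k, v; done = 1; next }   # replace existing line
        { print }                                # keep everything else verbatim
        END { if (!done) print k, v }            # append when the key was absent
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_miniserv_option FILE KEY -> prints the value (empty if the key is absent).
get_miniserv_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# count_miniserv_option FILE KEY -> number of lines defining KEY (should be 0 or 1).
count_miniserv_option() {
    grep -c "^$2=" "$1" || true
}

# Apply the change from the thread twice to show it is idempotent.
set_miniserv_option "$CONF" trust_real_ip 1
set_miniserv_option "$CONF" trust_real_ip 1
# On a real system the next step would be /etc/webmin/restart so miniserv re-reads the file.
```

After the change, get_miniserv_option reports 1 and count_miniserv_option reports exactly one trust_real_ip line.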

The solution for question 2 worked, but I face the same issue now in both cases. Whether I block a particular user after a certain number of tries for a certain number of seconds, or I block an IP for some time, the result is always the same: I can get in by entering the right username and password even during the block period. Can you please try a similar scenario by placing a proxy in front of Cloudmin and testing the blocks? I have attached the screenshot.

Thanks Arnab

Does this problem only happen for you when accessing Webmin via a proxy?

Hi Jamie

It seems you were right - the issue occurs ONLY when Cloudmin is accessed from a proxy. If I directly access Cloudmin, the block works. If, however, I access it via the proxy, it allows me to log in with the right username and password during the block period. My guess is Cloudmin checks the proxy IP instead of the real client IP during the block period. So please let me know if there is a way to solve this.

Thanks Arnab

Can you post the contents of the file /etc/webmin/blocked when a user is supposed to be locked out? That tracks which users are currently denied, and for how long.

I am attaching two pictures: 1) with the block message, 2) allowing the prompt and allowing the user to log in with the right username / password, 3) the block configuration.

BTW, during the time the block is enabled I don't see a file:

[root@cloudmin-dev ~]# cat /etc/webmin/blocked
cat: /etc/webmin/blocked: No such file or directory

Thanks Arnab

Sorry, the block file should actually be at /var/webmin/blocked.

Actually, I just looked closer at the Webmin code, and this behavior is by design. The reason is that if even a successful login was rejected, an attacker could make a Webmin system unusable by trying endless logins as root. The real root user would then never be able to log in.