[Q] Protect Webmin / Usermin login with .htaccess.

#1 Fri, 02/20/2009 - 13:57
TheEdge

G'Day,

I want to protect the login forms for both webmin and usermin with a basic auth challenge via .htaccess. Is this possible for miniserv?

TIA

Fri, 02/20/2009 - 14:03
Joe

<div class='quote'>I want to protect the login forms for both webmin and usermin with a basic auth challenge via .htaccess. Is this possible for miniserv?</div>

Why?

And the answer is no. .htaccess is not something miniserv would know anything about. It <i>can</i> do basic auth, if you prefer a browser popup auth window to session authentication, but it doesn't do it via .htaccess files.

Webmin has extensive security features, though...have a look in Webmin:Webmin Configuration:Authentication. Password timeouts, session vs. HTTP auth, etc.

--

Check out the forum guidelines!

Fri, 02/20/2009 - 14:39 (Reply to #2)
TheEdge

Call it paranoia.... :-)

For full access to webmin, if I had to get through a basic auth challenge and then a password, I would be happy. Makes it harder for potential hackers.

This way I can also hide what the user is logging into. Any savvy user that sees a login that says "Login to Webmin" (see my other post on how to change this) will definitely try more.

I had a look through the security options but don't see anything to do with basic auth. Would I be missing a module?

Fri, 02/20/2009 - 15:05 (Reply to #3)
Joe

<div class='quote'>Makes it harder for potential hackers.</div>

Not really. If you were to proxy through Apache, and apply the extra auth layer there, then yes, it would. But, basic authentication isn't actually a particularly secure form of authentication, and is subject to brute force attacks.

Webmin has a very good security history. The last access exploitable issue was three years ago. I've never had a system exploited because of Webmin, and I've managed thousands of servers running Webmin over the past ten years. It could happen, and security issues have occurred in Webmin in the past, but Jamie has always been very aggressive about rolling out security updates when problems are discovered.

<div class='quote'>means they will definitely try more</div>

You're assuming a human is making decisions during an exploit attempt. This is pretty much never the case. Attacks happen like this:

1. Port scan (automatic) looks for services on a range of IPs.

2. Cracking tools run through a list of known exploits against all of those services--it's a shotgun approach, and is all automatic. Most are user-level exploits, which merely insert cron jobs sending spam or enlisting the machine into service as another scanner/exploiting zombie--looking for more machines.

3. On the rare instance that a root exploit is discovered, a rootkit will be installed (probably automatically) and the system <i>might</i> be brought to the attention of the cracker, who may opt to use it more subtly as a base of operations for further cracking work (root is a bit more valuable than user-level accounts, so the person behind the attacks may begin to use it as a bouncing off point for more dangerous work--hiding their own identity more effectively).

And, you're assuming Webmin is more exploitable and more appealing than other services. Security history would indicate otherwise. It <i>is</i> still a very ripe target because it is one of the few services that runs as root on the average server (the others usually being the FTP daemon and sshd, though if the attacker gains local user-level access, they get access to dozens of other root-level services, and it's a whole new ballgame). But, since everything is automatic, the attacker doesn't care--they've got hundreds or thousands of machines out there looking for holes. If you have one, it doesn't matter whether it is Webmin or sshd or FTP or something else...they will find it.

<div class='quote'>I had a look through the security options but don't see anything to do with basic auth.</div>

The opposite of "session authentication" is "HTTP authentication". So, the option is labelled "Use session authentication" or something like that. ;-)

Note that if you don't use session authentication you lose a number of security features, so I don't consider it a good trade.

--

Check out the forum guidelines!
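To illustrate the "proxy through Apache and apply the extra auth layer there" setup Joe describes, here is an added example configuration (not from this thread or the Webmin project). It assumes Apache with mod_ssl, mod_proxy and mod_auth_basic loaded, an assumed hostname of webmin.example.com, and miniserv reconfigured to listen on plain HTTP on the loopback interface only, so that the only route to the Webmin login page is through Apache's Basic auth challenge; Webmin's own session login still applies behind it.

```apache
# Added example, not project code. Hostname, certificate paths and the
# htpasswd location are assumptions; 10000 is Webmin's default port.
# Create the credential file once with:
#   htpasswd -c /etc/apache2/webmin.htpasswd <username>
<VirtualHost *:443>
    ServerName webmin.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmin.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/webmin.example.com.key

    # Back end is miniserv on the loopback interface only (ssl=0 and
    # bind=127.0.0.1 in /etc/webmin/miniserv.conf), so nothing reaches it
    # without passing the Basic auth challenge below.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:10000/
    ProxyPassReverse / http://127.0.0.1:10000/

    <Location />
        # The realm string deliberately says nothing about Webmin.
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/webmin.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Webmin's referer check rejects requests arriving under a hostname it does not know, so the proxy hostname also has to be added to the referers setting in /etc/webmin/config (or the check relaxed in Webmin Configuration). Basic auth over the TLS front end only adds a layer; it does not replace the session timeouts and lockouts Joe mentions.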

Fri, 02/20/2009 - 15:27 (Reply to #4)
TheEdge

<b>Joe wrote:</b>
<div class='quote'>
You're assuming a human is making decisions during an exploit attempt.
</div>

OK. I am starting to feel less paranoid. However... then surely a captcha would also assist in the defeat of automated attacks. Notwithstanding the fact that some of these are/have been compromised.

Fri, 02/20/2009 - 15:47 (Reply to #5)
Joe

<div class='quote'>However... then surely a captcha would also assist in the defeat of automated attacks.</div>

I guess, but I would want to stab out the eyes of anyone that put a CAPTCHA on a login that I use every day, dozens of times a day. I don't think CAPTCHA is a reasonable addition to a login form--a signup form, where the user doesn't yet have a password, yes (and the Virtualmin email signup module does support CAPTCHA). But, CAPTCHA is not the right tool for the job here. ;-)

Webmin has password timeouts enabled, by default, if you are using session authentication--this prevents brute force attacks. If you're using strong passwords (longer than 8 chars, letters and numbers, upper/lower, and changed once every six months or so), the odds of someone getting in via Webmin are practically nil.

I think you're coming at this from a position of thinking Webmin is more new-fangled and risky than it actually is--this isn't some weekend project. Webmin is running on <i>millions</i> of machines right now, and has been for years (Webmin is over 11 years old--about the same age as OpenSSH). Yes, security is a concern--as it should be with any world-facing services, and even more so with a root-level service--but I'm betting you've got more dangerous things happening on your server(s) this very instant (old packages, weak passwords, unnecessary services that you aren't paying attention to).

I've done enough security work in my days as an IT contractor to know that the seemingly more paranoid folks are often the ones who get exploited via the most obvious paths--they'll be running wacky non-standard firewall scripts, they'll have run "hardening" scripts, they'll have hardware firewalls, etc...but they'll spend so much time on all that that they won't keep their software up to date, or won't use strong passwords on their systems, or will enable stupid stuff like root FTP access because they can't be bothered to learn how to use SSH.

--

Check out the forum guidelines!

Fri, 02/20/2009 - 16:20 (Reply to #6)
TheEdge

<div class='quote'>I guess, but I would want to stab out the eyes of anyone that put a CAPTCHA on a login that I use every day, dozens of times a day.</div>

That's why it's configurable like everything else. In circumstances where it is appropriate it is turned on etc.

Don't get me wrong. I am not saying Webmin is insecure. By virtue of the fact that it is as good as it is, once you have access to it serious damage can be done.

And no, I am not one of those paranoia types :-) I audit my systems to disable non-essential services, audit my configs, use ssh, use long passwords, apply security updates etc. etc.