Root Login to WebMin Fails

22 posts / 0 new
Last post
#1 Fri, 03/29/2013 - 20:48
katir

Root Login to WebMin Fails

Semi urgent:

All of a sudden, root login to our WebMin interface is failing. But, i can use the same user: root pwd: ****** that I have been using all along to log into the server via SSH-shell terminal session.

I did make any changes recently. I had some notifications that web min ran some auto-updates, and I have a man working on security issues for PCI compliance but I'm not aware of anything he did that would disable root login to the WebMin virtual interface. Of course he could have done something, but I don't know what and cannot check with until next week but I need to get in asap. Anyway... I have logged into WebMin as root since he had been doing his work.. so I think it is something else.

So, how do I trouble shoot this and fix it? (via terminal of course, since I am locked out now from the WebMin application altogether.)

Fri, 03/29/2013 - 22:01
andreychek

Howdy,

Are you able to log into Webmin as another user, just not root? Or is it preventing all logins?

Do you see any errors in /var/webmin/miniserv.error?

-Eric

Fri, 03/29/2013 - 23:27
katir

Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

is what I'm getting in the browser....

Yep: some odd errors ... I think it is something my guy did about security... I tailed the log there are ten entries that all look like:

[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

and one at the end:

[29/Mar/2013:21:09:58 -0700] [67.52.81.242] /session_login.cgi : Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

but seems I need to unblock our IP here... how do I do that?

Fri, 03/29/2013 - 23:22
katir

Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

is what I'm getting in the browser....(that's my IP here on the outgoing firewall/gateway for "varuna.hindu.org"

Yep: some odd errors ... I think it is something my guy did about security...

[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

but seems I need to unblock our IP here... but I don't see any DROP for our domain in the iptables which look like this (we are varuna.hindu.org here)

[root@sat webmin]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8333
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pcsync-http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:smtp
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:smtp
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:ftp
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:ftp
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:submission
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:submission
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  cdm-75-109-138-39.asbnva.dh.suddenlink.net  anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:dnp
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:dnp
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:postgres
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:postgres
ACCEPT     tcp  --  varuna.hindu.org     anywhere            tcp dpt:mysql
ACCEPT     tcp  --  gateway2.hindu.org   anywhere            tcp dpt:mysql
ACCEPT     tcp  --  c-174-59-203-162.hsd1.pa.comcast.net  anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:30000
DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:65535
DROP       udp  --  anywhere             anywhere            udp dpts:tcpmux:65535
ACCEPT     all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

note we have two gateways on our firewall here that broadcast themselves as varuna.hindu.org and gateway2.hindu.org

But I'm no expert at reading IPtables.. maybe we are blocked...

Fri, 03/29/2013 - 23:24
katir

sorry... I don't know how to get that IPtable to format nicely in this comment box.

Sat, 03/30/2013 - 09:44
andreychek

Howdy,

Well, if you can actually get to the login screen, and it doesn't just timeout trying to load the page at port 10000, it's not likely a firewall/iptables issue you're seeing.

Regarding the IP address being blocked -- you can unblock all IP addresses by running this command on the commandline as root:

/etc/init.d/webmin restart

Sat, 03/30/2013 - 15:25
katir

"Well, if you can actually get to the login screen, and it doesn't just timeout trying to load the page at port 10000, it's not likely a firewall/iptables issue you're seeing."

duh... yes, of course (smile)

I would be interestws to know what, if any, other IP's are getting block (it would be re-assuring to see them)

is there some discrete file of blocked IP's that I can look at first before restarting? I would be interested to to see if the "monsters in St. Petersburg" IP's are there -- hackers from Russia that I have traced back to servers in St. Petersburg... they always seem to show up if I check on break in attempts and look up IP's (repeated attempts to find anything related to MySQL is common)

Sat, 03/30/2013 - 21:10
andreychek

By default, no IP should be blacklisted for more than a few minutes. However, you can look in /var/webmin/miniserv.error to see what IP's have been blocked.

-Eric

Sat, 03/30/2013 - 21:19
katir

Hmm. OK I restarted webmin while tailing the miniserve.error log and got some interesting results:

[30/Mar/2013:19:13:17 -0700] miniserv.pl started [30/Mar/2013:19:13:17 -0700] Using MD5 module Digest::MD5 [30/Mar/2013:19:13:17 -0700] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 17) line 1. BEGIN failed--compilation aborted at (eval 17) line 1.

[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:54 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:16:15 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:16:26 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

Not that I have not done anything with PAM (assuming that is the problem).. though webMin is set to run updates automatically.

Mon, 04/01/2013 - 07:41
andreychek

Howdy,

That PAM message is actually just a notice, and that's not actually a problem. Most folks receive that notice... it just means it's going to directly use the /etc/passwd file, rather than use PAM.

After restarting Webmin, are you able to login to Webmin as root? Or is it still preventing you from logging in?

-Eric

Mon, 04/01/2013 - 14:09
katir

Strange... yesterday after restarting webmin I could not log in as root, but today I can. I suspect some browser cache issue. At any rate... I'm good now.

Case closed, simple solution

/etc/init.d/webmin restart

Thanks!

Sun, 11/29/2015 - 11:40
jihane

Hello, I had the same problem, and executed the command /etc/init.d/webmin restart because my ip was blocked on ovh, and i had lot of emails gone to spam.

Now i'm enable to access to my virtualmin/ Webmin, do i have to wait one day like Katir did?

And thank u in advance

Sun, 11/29/2015 - 13:22
katir

You should have to wait. But, we have our own servers -- not a hosted context. So, when I make changes, they are immediate as we run the box ourselves, top to bottom (Linode Cloud instance running Ubunti)

Tue, 12/01/2015 - 09:57
jihane

After contacting my hosting provider, to ask if they validated my command to be executed, they replyed that after executing aommand they found out that my server is installed on under a nudeDebian and that i should verify my logs system, in wich case it's pertinent to revive the service from SSH. But i don't know how to do that. What can u advice me in this case please?

Tue, 12/01/2015 - 15:00
andreychek

Sorry, I'm not sure I understand what they're asking.... can you clarify what exactly it is they want you to do?

-Eric

Tue, 12/01/2015 - 15:08
katir

Unclear to me also... "revive the service from SSH" could possibly mean:

log in as root via terminal (i.e "from SSH") and just run start webmin

At least that is what I have to do if my portal page to Virtualmin just "disappears" it usually means webmin is not even running as one of the daemons on the box....

Looks like you are in a hosted environment, hopefully you still are chrooted and your web instance looks like a whole server (even though others may be running on the same box) if so I would just try logging in as root and restarting webmin.

Can you tell us what you see if you enter:

https://[[my.domain.com]]:10000 #replace with your domain

What happens? Do you get anything ?? or a blank screen?

Fri, 12/04/2015 - 07:01
jihane

Hello,

Thanks a lot, i had to restart webmin, it works. I'm not sure if u do understand frensh, because i was trying to translate u, but i'm gonna paste u what they wrote me: " Je constate de plus que le serveur en question est installé sous une Debian nue. De ce fait, je ne note pas d'une part de Cpanel actif sur la machinen, d'autre part, le webmin en question n'est pas accessible sur le réseau (comme l'indique la commande ci-dessous).

nmap ns33***************** | grep closed

10000/tcp closed snet-sensor-mgmt

Je vous invite concernant la problématique de l'accessibilité de votre webmin à vérifier les logs système concernant le bon fonctionnement de ce service. Auquel cas, il serait pertinent de relancer le service depuis une commande SSH.

Concernant l'ip bloquée pour Spam, nous recommandons de mettre en place un système de restriction et de sécurité sur le serveur mail de la machine (tel que le paquet Spamassassin). Il serait d'autant plus intéressant de s'attarder à l'étude des logs du service mail concerné pour le domaine/IP bloquée pour Spam. De ce fait, avec un paramétrage plus restrictif, le service de blocage spam sera donc plus souple avec vos envois."

My Ip is also deblocked now :D after restarting webmin. Thank you again, a lot :)

Fri, 12/04/2015 - 09:40
andreychek

Great, I'm glad to hear it's working for you now!

-Eric

Fri, 12/04/2015 - 10:17
jihane

Thank u :)

Well i have one more issue, i don't know why when i send an email from my roundcube to a gmail adress it goes to spam, how can i resolve this? My Ip is blocked again.

Fri, 12/04/2015 - 15:39
katir

Sorry, I can't help you there... mail services are a deep and tedious snake pit that I try to stay away from.

in fact we are slowly turning off all mail services on our web servers and using third party mail services. You might like that too. All the mail addresses outgoing on the box are from myDomain.org and go off to sendGrid e.g. (i use LiveCode Server, but this should work in any language)

 # send email receipt to user, only now, if the charge was successful.               
            put url ("file:"& $_SERVER["DOCUMENT_ROOT"] &"/ddd/ddd-email-receipt.txt") into tEmailReceipt
            put merge(tEmailReceipt) into tBody  
             sendGridMail gFormData["email_address"],"Thank You For Your Donation",tBody,"hope@myDomain.org"

Any mail TO mydomain.org is received via MicrosoftOffice 365. (used to be Google mail for our domain).

see:

https://sendgrid.com/

Thier prices are so free-to-low and the API is so simple ( i use their POST option) ... and all the headaches of having your server blocked etc. all go away

<?lc
 
function makeRecipientsString pRecipients
    repeat for each item x in pRecipients
       put "to[]=" & x & "&" after tRecipientsString
   end repeat
   return tRecipientsString
end makeRecipientsString
 
command sendGridMail pRecipients,pSubject,pBody,pFrom
    put "api_user=mydomain &"  into tEmail
    put "api_key=mySendGridAcctKey&" after tEmail
    put makeRecipientsString(pRecipients) after tEmail
    put ( "subject=" & urlEncode(pSubject) ) & "&" after tEmail
    put ("text=" & urlEncode(pBody) ) & "&" after tEmail
    put ("from=" & pFrom) after tEmail
    put tEmail & cr & cr after url ("file:" & $_SERVER["DOCUMENT_ROOT"] & "/ddd/ddd-log.txt")
    POST tEmail to URL "https://api.sendgrid.com/api/mail.send.json" 
    put it & cr & cr after url ("file:" & $_SERVER["DOCUMENT_ROOT"] & "/ddd/ddd-log.txt")
end  sendGridMail
Thu, 12/31/2015 - 23:05
scotwnw

Deleted. I responded to 2 yr old thread.

Mon, 01/09/2017 - 22:18
Francewhoa
Francewhoa's picture

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Topic locked