Semi urgent:
All of a sudden, root login to our Webmin interface is failing. But I can use the same user (root) and password (******) that I have been using all along to log into the server via an SSH shell terminal session.
I didn't make any changes recently. I had some notifications that Webmin ran some auto-updates, and I have a man working on security issues for PCI compliance, but I'm not aware of anything he did that would disable root login to the Webmin virtual interface. Of course he could have done something, but I don't know what and cannot check with him until next week, but I need to get in asap. Anyway... I have logged into Webmin as root since he has been doing his work... so I think it is something else.
So, how do I troubleshoot this and fix it? (Via terminal of course, since I am locked out now from the Webmin application altogether.)
Howdy,
Are you able to log into Webmin as another user, just not root? Or is it preventing all logins?
Do you see any errors in /var/webmin/miniserv.error?
-Eric
Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.
is what I'm getting in the browser....
Yep: some odd errors... I think it is something my guy did about security... I tailed the log; there are ten entries that all look like:
[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
and one at the end:
[29/Mar/2013:21:09:58 -0700] [67.52.81.242] /session_login.cgi : Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.
but it seems I need to unblock our IP here... how do I do that?
Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.
is what I'm getting in the browser... (that's my IP here on the outgoing firewall/gateway for "varuna.hindu.org").
Yep: some odd errors... I think it is something my guy did about security...
[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
but it seems I need to unblock our IP here... but I don't see any DROP for our domain in iptables, which looks like this (we are varuna.hindu.org here):
[root@sat webmin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:8333
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:smtp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:smtp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:ftp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:ftp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:submission
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:submission
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:ndmp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:ndmp
ACCEPT tcp -- cdm-75-109-138-39.asbnva.dh.suddenlink.net anywhere tcp dpt:ndmp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:dnp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:dnp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:postgres
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:postgres
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:mysql
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:mysql
ACCEPT tcp -- c-174-59-203-162.hsd1.pa.comcast.net anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:30000
DROP tcp -- anywhere anywhere tcp dpts:tcpmux:65535
DROP udp -- anywhere anywhere udp dpts:tcpmux:65535
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Note: we have two gateways on our firewall here that broadcast themselves as varuna.hindu.org and gateway2.hindu.org.
But I'm no expert at reading iptables... maybe we are blocked...
Sorry... I don't know how to get that iptables output to format nicely in this comment box.
Howdy,
Well, if you can actually get to the login screen, and it doesn't just timeout trying to load the page at port 10000, it's not likely a firewall/iptables issue you're seeing.
Regarding the IP address being blocked -- you can unblock all IP addresses by running this command on the commandline as root:
/etc/init.d/webmin restart
"Well, if you can actually get to the login screen, and it doesn't just timeout trying to load the page at port 10000, it's not likely a firewall/iptables issue you're seeing."
duh... yes, of course (smile)
I would be interested to know what, if any, other IPs are getting blocked (it would be reassuring to see them).
Is there some discrete file of blocked IPs that I can look at first before restarting? I would be interested to see if the "monsters in St. Petersburg" IPs are there -- hackers from Russia that I have traced back to servers in St. Petersburg... they always seem to show up if I check on break-in attempts and look up IPs (repeated attempts to find anything related to MySQL is common).
By default, no IP should be blacklisted for more than a few minutes. However, you can look in /var/webmin/miniserv.error to see what IPs have been blocked.
-Eric
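Since the thread asks both which hosts miniserv has blocked and how to clear them, here is an added example (not code from the thread or from the Webmin project) that summarises the block and redirect notices from a miniserv.error log before you restart Webmin. It only recognises the two message formats quoted above in the thread; the sample log embedded below is constructed for the demo, with documentation-range IPs and a placeholder hostname. On a real box you would call the functions on /var/webmin/miniserv.error instead.

```sh
#!/bin/sh
# Added example, not from the thread or from Webmin itself.
# Summarise miniserv's block/redirect notices so you can see which hosts
# were locked out (and which just used http:// on the SSL port) before a
# "/etc/init.d/webmin restart" clears the in-memory block list.

# Constructed sample log in the format quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[29/Mar/2013:18:43:58 -0700] [203.0.113.7] Bad Request : This web server is running in SSL mode. Try the URL https://example.invalid:10000/ instead.
[29/Mar/2013:18:44:02 -0700] [203.0.113.7] Bad Request : This web server is running in SSL mode. Try the URL https://example.invalid:10000/ instead.
[29/Mar/2013:21:09:58 -0700] [203.0.113.7] /session_login.cgi : Access denied for 203.0.113.7. The host has been blocked because of too many authentication failures.
[29/Mar/2013:21:15:10 -0700] [198.51.100.23] /session_login.cgi : Access denied for 198.51.100.23. The host has been blocked because of too many authentication failures.
[29/Mar/2013:21:40:33 -0700] [203.0.113.7] /session_login.cgi : Access denied for 203.0.113.7. The host has been blocked because of too many authentication failures.
[30/Mar/2013:19:13:17 -0700] miniserv.pl started
EOF

# Pull the client IP out of the second bracketed field of a miniserv line.
client_ip() {
  sed -n 's/^\[[^]]*\] \[\([0-9.]*\)\].*/\1/p'
}

# Hosts that hit the authentication-failure block, most frequent first.
# Output: one "<count> <ip>" line per host.
blocked_hosts() {
  grep 'blocked because of too many authentication failures' "$1" \
    | client_ip | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Hosts that spoke plain HTTP to the SSL port (the "Bad Request" notices).
# These are not lockouts, just browsers using http:// instead of https://.
plain_http_hosts() {
  grep 'This web server is running in SSL mode' "$1" \
    | client_ip | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Exit 0 if the given IP appears among the blocked hosts, 1 otherwise.
is_blocked() {
  blocked_hosts "$1" | awk -v ip="$2" '$2 == ip { found = 1 } END { exit !found }'
}

# Demo run against the constructed sample; point at /var/webmin/miniserv.error instead on a live server.
echo "Blocked hosts in $SAMPLE_LOG:"
blocked_hosts "$SAMPLE_LOG"
echo "Hosts that used plain HTTP on the SSL port:"
plain_http_hosts "$SAMPLE_LOG"
if is_blocked "$SAMPLE_LOG" 203.0.113.7; then
  echo "203.0.113.7 is currently in the block list"
fi
```

Separating the two message kinds matters here: the "Bad Request" lines from the thread only mean a browser tried http:// on port 10000, whereas the "/session_login.cgi : Access denied" lines are the actual lockouts, and those are what a restart resets.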
Hmm. OK, I restarted webmin while tailing the miniserv.error log and got some interesting results:
[30/Mar/2013:19:13:17 -0700] miniserv.pl started
[30/Mar/2013:19:13:17 -0700] Using MD5 module Digest::MD5
[30/Mar/2013:19:13:17 -0700] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 17) line 1. BEGIN failed--compilation aborted at (eval 17) line 1.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:13:54 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:16:15 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
[30/Mar/2013:19:16:26 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.
Note that I have not done anything with PAM (assuming that is the problem)... though Webmin is set to run updates automatically.
Howdy,
That PAM message is actually just a notice, and that's not actually a problem. Most folks receive that notice... it just means it's going to directly use the /etc/passwd file, rather than use PAM.
After restarting Webmin, are you able to log in to Webmin as root? Or is it still preventing you from logging in?
-Eric
Strange... yesterday after restarting webmin I could not log in as root, but today I can. I suspect some browser cache issue. At any rate... I'm good now.
Case closed, simple solution
/etc/init.d/webmin restart
Thanks!
Hello, I had the same problem, and executed the command /etc/init.d/webmin restart because my IP was blocked on OVH, and I had a lot of emails go to spam.
Now I'm enable to access my Virtualmin/Webmin; do I have to wait one day like Katir did?
And thank you in advance.
You should have to wait. But we have our own servers -- not a hosted context. So, when I make changes, they are immediate, as we run the box ourselves, top to bottom (Linode Cloud instance running Ubuntu).
After contacting my hosting provider, to ask if they validated my command to be executed, they replied that after executing the command they found out that my server is installed on a bare Debian and that I should verify my system logs, in which case it's pertinent to revive the service from SSH. But I don't know how to do that. What can you advise me in this case, please?
Sorry, I'm not sure I understand what they're asking.... can you clarify what exactly it is they want you to do?
-Eric
Unclear to me also... "revive the service from SSH" could possibly mean:
log in as root via terminal (i.e. "from SSH") and just start webmin.
At least that is what I have to do if my portal page to Virtualmin just "disappears"; it usually means webmin is not even running as one of the daemons on the box...
Looks like you are in a hosted environment. Hopefully you are still chrooted and your web instance looks like a whole server (even though others may be running on the same box); if so, I would just try logging in as root and restarting webmin.
Can you tell us what you see if you enter:
https://[[my.domain.com]]:10000 #replace with your domain
What happens? Do you get anything? Or a blank screen?
Hello,
Thanks a lot, I had to restart webmin, and it works. I'm not sure if you understand French, because I was trying to translate for you, but I'm going to paste what they wrote me: "I further note that the server in question is installed on a bare Debian. Consequently, on the one hand I see no active cPanel on the machine, and on the other hand, the Webmin in question is not reachable on the network (as the command below shows).
nmap ns33***************** | grep closed
10000/tcp closed snet-sensor-mgmt
Regarding the problem of your Webmin's accessibility, I invite you to check the system logs for the proper functioning of this service. If applicable, it would be pertinent to restart the service from an SSH command.
Regarding the IP blocked for spam, we recommend setting up a restriction and security system on the machine's mail server (such as the Spamassassin package). It would also be worthwhile to study the logs of the mail service concerned for the domain/IP blocked for spam. With a more restrictive configuration, the spam-blocking service will then be more lenient with your sending."
My IP is also unblocked now :D after restarting webmin. Thank you again, a lot :)
Great, I'm glad to hear it's working for you now!
-Eric
Thank you :)
Well, I have one more issue. I don't know why, when I send an email from my Roundcube to a Gmail address, it goes to spam. How can I resolve this? My IP is blocked again.
Sorry, I can't help you there... mail services are a deep and tedious snake pit that I try to stay away from.
In fact, we are slowly turning off all mail services on our web servers and using third-party mail services. You might like that too. All the outgoing mail on the box is from myDomain.org and goes off to SendGrid, e.g. (I use LiveCode Server, but this should work in any language).
Any mail TO mydomain.org is received via MicrosoftOffice 365. (used to be Google mail for our domain).
see:
https://sendgrid.com/
Their prices are so free-to-low and the API is so simple (I use their POST option)... and all the headaches of having your server blocked etc. all go away.
Deleted. I responded to 2 yr old thread.
Another option at https://www.virtualmin.com/comment/769117#comment-769117
- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community