I recently updated the Authentic Theme and I think that is when these issues started.
Now, upon any access of Usermin or Webmin (on ports 10000 or 20000), I get MULTIPLE e-mail messages.
While security is very important to me, if alerts flood my consciousness, I turn them off just like everybody else. Life is too short for useless or poorly designed error messages.
What I would like is to figure out what the developers were trying to accomplish with their security features and how I can configure things to be useful. I would like your configuration advice on this issue.
As an example, an evil actor just generated 247 e-mail messages...BEFORE I could block their IP address in the firewall (I use CSF). This is wonderful and good, but why 247 messages in under 5 minutes?
So, I'd like to keep any useful security features enabled, but I'd like to do so only if my Inbox can be kept under control.
Why so many messages? Why not just one every 5 minutes, or something like that?
How about an option only for successful logins? That would be helpful for Webmin (less so for Usermin). I think this is how it worked before the theme update (I'm not saying that that is a perfect option).
For now, I have disabled both Usermin and Webmin alerts here:
Webmin -> Webmin -> Webmin Configuration -> Webmin Themes -> Security Alerts options
Please advise,
Submitted by JamieCameron on Thu, 05/12/2016 - 01:03 Comment #1
Ilia, is this something that was added to the theme recently?
Submitted by andreychek on Thu, 05/12/2016 - 09:18 Comment #2
Yeah, that is an Authentic Theme option.
To disable that option, click the Authentic Theme Settings option (on the bottom-left), and at the bottom of the settings screen is a set of security options.
There, set "Enabled for Webmin" and "Enabled for Usermin" to "No".
Submitted by andreychek on Thu, 05/12/2016 - 09:18 Comment #3
No, nothing was changed in this regard as far as I can remember. This feature produces one message per request. If you got 247 emails, it means someone reloaded your Webmin/Usermin login page exactly that number of times.
This is what this feature is for. If you don't like it, you can disable it. You could also use mail filters for extended control over any messages.
Also, you could edit the template
%3 login page is accessed by unauthenticated user from %2|%3 login page access alert|root
and redirect specific messages to no user. Just remove root from the line above and the mail command should fail with the warning "Send options without primary recipient specified."
In case you're using CSF you can enable up-on login messages there.
Submitted by JamieCameron on Thu, 05/12/2016 - 23:28 Comment #5
Ilia, I think this feature doesn't belong in the theme - Webmin/Usermin already log failed logins to syslog, which is the right place for these kinds of notifications.
Jamie, hi.
This is an optional feature. I personally use it, just as some other people I know. (there are probably more as it's been there for a long time)
It can be disabled in options and keep you free from notifications. It provides a straightforward solution for getting notifications. Even though things are logged and can be monitored with such programs as Fail2Ban, it's too much overload for those who don't use such tools but simply would want to get such notifications.
What do we do here?
I prefer not to remove this feature.
Submitted by andreychek on Fri, 05/13/2016 - 09:06 Comment #7
Could you perhaps have the option disabled by default?
We do get some questions about that, as folks don't think to look in the theme settings to disable that.
Another option is that you might also be able to convince Jamie to add that feature into Webmin's Authentication section :-)
Submitted by JamieCameron on Fri, 05/13/2016 - 19:31 Comment #8
Yeah, I'd recommend disabling this by default - and look into moving it into the Webmin core, as the theme doesn't always have access to all login/logout events.
What address does it email anyway?
Alright, I will disable it by default.
By default it uses
user. In settings you can change it and also add a whitelist of IPs. You could port it under Webmin/Usermin with the same functionality (or more extensive); I would gladly remove it then at all.
New 18.00 will have it off by default for all new installations.
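
Added example, not part of the thread and not Authentic Theme or Webmin code: a sketch of the "one message every 5 minutes" behaviour asked for in the first post, coalescing login-page hits into one alert per source per window and skipping whitelisted IPs. The event tuples, function names and addresses are constructed for illustration and do not reflect Webmin's log format.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)  # assumption: the interval asked for in the first post


def coalesce(events, window=WINDOW, whitelist=()):
    """Collapse (timestamp, source_ip) login-page hits into one alert per
    source per window. Returns a list of (first_seen, ip, hit_count)."""
    nets = [ip_network(n) for n in whitelist]
    alerts, current = [], {}          # current: ip -> index of its open alert
    for ts, ip in sorted(events):
        if any(ip_address(ip) in net for net in nets):
            continue                  # whitelisted source: never alert
        i = current.get(ip)
        if i is not None and ts - alerts[i][0] < window:
            alerts[i][2] += 1         # same burst: count it, send nothing new
        else:
            current[ip] = len(alerts)
            alerts.append([ts, ip, 1])
    return [tuple(a) for a in alerts]


def render(alert, product="Webmin"):
    """One message body per coalesced alert (wording modelled on the thread's template)."""
    first_seen, ip, hits = alert
    return (f"{product} login page is accessed by unauthenticated user from {ip} "
            f"({hits} requests starting {first_seen:%Y-%m-%d %H:%M:%S})")


def sample_events():
    """Constructed data: 247 hits in under 5 minutes, one later hit, one whitelisted admin."""
    t0 = datetime(2016, 5, 11, 22, 0, 0)
    burst = [(t0 + timedelta(seconds=s), "203.0.113.7") for s in range(247)]
    later = [(t0 + timedelta(minutes=6), "203.0.113.7")]
    admin = [(t0 + timedelta(seconds=30), "192.0.2.10")]
    return burst + later + admin


if __name__ == "__main__":
    for a in coalesce(sample_events(), whitelist=["192.0.2.0/24"]):
        print(render(a))
```

With the constructed burst, 248 non-whitelisted requests become two messages, and the hit count in each keeps the information that the per-request e-mails carried.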