Howdy all,
The old Virtualmin Framed Theme has been updated to version 9.3 to address some bugs caused by the new Webmin/Usermin versions. The HTML in the Webmin ui-lib was updated to improve validation, which led to a few quirks in how some forms and tables would be rendered. This update should fix those problems.
Note that we aren't recommending this theme any longer; Authentic is the recommended theme for all Webmin/Virtualmin/Cloudmin users, unless you have some reason to stick with the old one. So, while we continue to support the old theme and fix minor bugs, there will not be any major updates or enhancements to it. Authentic also needed and received updates to fix these problems, but that's already been rolled into the Webmin and Usermin packages we provide in the Virtualmin repositories.
As always, let us know if you run into any problems.
Cheers,
Joe
Thanks for the update.
We still use the framed theme for 2 reasons.
If there is a way to HTTP-protect the webmin login (e.g. with .htaccess), we will be glad to try it again. That is, if there is a second line of defense, we may get back on the train.
Both valid concerns.
On #1, I expect this will be a thing of the past in another couple of weeks (maybe sooner). Ilia has implemented a SPA model wherein pages are loaded via XHR, instead of loading the whole page. This reduces page load times dramatically; it may even be faster than the framed theme (I haven't tested them side-by-side yet, but it wouldn't shock me if it were). There's an alpha version of that on the Authentic github. That's actually why we've rolled new Webmin/Usermin releases, to fix HTML bugs that the new loader triggered. So, it's coming soon. Will be fast.
On #2, I sympathize. That was an awful security issue (and we fixed a couple of others during the following audit that were equally bad, but harder to spot). Any theme can introduce security bugs; that's a problem of the architecture (but also true of most themeable web applications, so it's not unique to Webmin). It's just that Authentic is so much more ambitious than previous themes that it has a lot more surface area. I've been working with Ilia to push things down out of the theme and into core or into modules, so they're subject to the same security considerations as the rest of Webmin. So, it's on the radar.
We'll keep maintaining the old theme for the foreseeable future. But, we're also encouraging folks to keep letting us know about the things that keep you from using Authentic. We'll keep fixing them, and someday, we'll all be in agreement that Authentic is the best thing! ;-)
--
Check out the forum guidelines!
@nminkov2
Hi, http protection for the webmin login page is simpler than it sounds: just close the port for the webmin login page and put it behind VPN access only. Pretty safe.
Configuring/troubleshooting Debian servers is always great fun
Hi, how can I add HTTP auth for Virtualmin, please?
Thanks! I also still use the old theme, it's indeed faster and easier/clearer to navigate.
I use the old theme as well, as it is much more accessible to visually impaired individuals because it's easier to navigate and uses simpler controls. The accessibility of the Authentic theme honestly leaves a lot to be desired but, to its credit, has been (very slowly) improving as releases continue.
Thanks for the feedback on accessibility in Authentic. I'd really like accessibility to be as good, or better, in everything we do in the future...but, it's more challenging than I'd like. I'll make sure we keep shipping the old theme until accessibility in Authentic catches up. Please don't hesitate to file bugs about accessibility issues, if you have any specific problems with Authentic. As an aside, have you tried the old Virtualmin Mobile Theme? In the past, we've gotten feedback that it was better because it doesn't use frames and has a menu-based navigation system (where only one piece of the hierarchy is on the screen at any given time).
I actually don't like the Virtualmin Mobile Theme as much because of the fact it only has one part of the interface on-screen at any given moment. I like the framed theme a lot because I can quickly navigate throughout the UI and the frames honestly don't really bother me all that much. By the way, as a completely blind individual who does use a screen reader, I am more than happy to conduct accessibility testing on the Authentic theme and, if desired, aid in making accessibility changes as I am also a Web developer with extensive experience with ARIA, WCAG, etc. I am glad to hear the framed theme will continue to be available until accessibility in Authentic has been made better, as honestly I wouldn't be able to use Virtualmin right now if Authentic were the only theme available (and by that I mean if every other theme, including the mobile theme, had been removed).
@Joe - I like the old Virtualmin mobile theme but notice that the 'Delete Spam' button doesn't appear in messages even though that is set in preferences.
Lucian took the words out of my mouth. I hope the framed theme will always be around; what Ilia is doing is great as well, but I find the framed theme so easy to work with.
Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.
Yes, you could add additional security authentication by running Webmin behind an Apache/Nginx proxy. I would personally make a bash script that would flip the Webmin configuration to use default or proxied settings. It's good to have Webmin run behind a proxy for users, with an additional security layer (.htaccess), when you're sure that Apache is up and running. In case it's down, you would need to fall back to default settings. The best thing to do is to have the ability to change it on the fly using the console. There are other multiple security measures that you could take:
Nowadays, Authentic Theme doesn't seem to have known security issues.
I promise, after the complete re-write of Authentic Theme, starting with version 19.00+, it will be as fast as Virtualmin Framed Theme or, actually, even faster! There will no longer be an iframe and all requests will load in the background, without constant page reloads. It will still be possible to open each module in a separate tab without having the navigation menu.
It's a humongous amount of work to be done but after all, it will be stunning. You could see the developer preview version of 19.00-beta2. The new version will not be based on this example but will work familiarly. There are bugs in this version but if you have Webmin 1.844+ you could give it a safe try.
Regards,
Ilia
Ilia
Thanks for the comment.
Putting a proxy in front will be just another overhead/overkill. Webmin is already running its own apache server, correct? Why not change it to add this first level of HTTP password before the actual theme login that caused so much security trouble?
No. Webmin runs under miniserv, a special purpose application server designed specifically for Webmin. The only way to make something happen "before the theme" would be to make it so the theme can't customize the login page and couldn't customize any unauthenticated pages (of which there are several in Virtualmin, and removing those features would be pretty dramatic for many users), which isn't really ideal, either.
Even when you run Apache or nginx in front of it, Webmin's own web server is still running underneath; it's possible to run Webmin directly under Apache, but it'd provide horrible performance, much weaker security (no 2 factor auth, no password timeouts, you'd have to configure any extra access controls in Apache, rather than in Webmin, etc.), and would not be themeable in a meaningful way (the application server transparently performs the path changes for themes). Running a proxy in front of Webmin might be a security win, but running Webmin directly under Apache, definitely, would not.
There are ways forward that may improve overall security on an architectural level, but they're not simple, and we're considering our options on those fronts. But, there is no magic bullet for security in a very large system.
Got it. I don't know why I was remembering that miniserv is based on Apache. My bad. Anyway, the idea was not to replace the current login, but to add another one, completely different. That's what I do now for the phpMyAdmin and WordPress logins. To actually get in touch with the web API, the first line of defense must be passed. Too bad it's not easily configurable.
VPN would be the best solution security-wise, but complicated.
Thanks
@nminkov2
As Joe mentioned earlier, webmin is served independently from apache or nginx. Anyway, from the point of view of security, adding simple HTTP auth in front of another login page is pointless: it could slow down an attacker, but same as the main login page it would not stop them. It would just make brute force take longer, and it will also slow you down if you need to use the GUI, so what would be the actual point of having that?
At least allow only some specific IP addresses to access the login page, or close the webmin port to the outside world and put it behind a VPN (the user would have to connect to the VPN and then he would be able to access port 10000, for example, and use webmin as normal). That is quite secure. Add proper offsite backups (via ssh and cron) and relax.
Saying that the first login is pointless because it will not stop but only slow down an attack is like saying don't close your door because it will just slow down the burglar. Actually, this is the point of slowing down. There is no unbreakable wall; everything is about the resources the attacker is ready to allocate. So building a defense is to slow the attack and make it more costly. The better the defense, the higher the cost of the attack, but also the higher the cost of the defense. At the end I want better defense for lower cost.
We already have different port. We will explore port knocking.
VPN is complicated, slow to connect, smartphone monitoring is an issue. Can be done but, not handy to use.
HTTP password is easy and I can let my browser password manager to save it (not doing it for actual webmin login), so will be transparent on client side.
@illia
or close webmin port to outside world completely and use vpn to access it.. ;)
No need for a VPN to protect any port, just use port knocking and you are fine. Actually you could use port knocking for anything that is usually the target of brute-force attacks, e.g. webmin, ftp, ssh... and so on. With port knocking you don't even need to change any port because until you trigger the right combination the target port will stay closed.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Port knocking is an interesting idea!
Do you have a preferred tool for automating it? It's probably not feasible for us to use generically in Virtualmin (as it requires client-side participation), but it's an interesting thing that might be worth making an optional plugin for.
I would propose adding to WebminCore security options, such as:
All of this isn't that hard to implement, especially for the one who wrote miniserv and remembers the way it's designed.
What are the actual security-related problems you are aware of? At the moment, as far as I remember (and you can easily check it), session_login.cgi is just a plain copy of what Jamie did in his own code. It only adds themeable output but the logic is the same as in the default code; thus, I don't see direct security issues coming from the theme.
Ilia
@Joe: Well, just to give you some clue you could check this article - https://tecadmin.net/secure-ssh-connections-with-port-knocking-linux/#
For how to use port knocking on Windows, there are two pieces of software that come to mind with an easy-to-use interface, Windows Port Knocking (http://gregsowell.com/?p=2020) and KnockKnock (https://sourceforge.net/projects/knockknock/), but there are more. Once the right sequence is applied you can use other software like Putty or WinSCP. Probably there is a way to use a batch script to automate everything but I never bothered with this detail.
This sounds interesting. Can I use the port knocking in CSF to accomplish this?
Port knocking should work regardless of what you have installed and, if I'm not mistaken, CSF has an integration for port knocking; still, I think you must install it separately. I'm more for Fail2Ban so I never used CSF and don't know much about this software, so best would be to ask CSF or Google for an answer.
Edit: Forgot to mention, port knocking works directly with iptables, so if this is ok for CSF it should work without any problem.
CSF implemented Port Knocking around 2010. I assumed I could use it (as I already have CSF installed) but what do I have to do at my login? I have not instituted it as I was unfamiliar with its use. It would be nice if the Webmin login would allow me to enter my port list and for it to use these to perform the port knocking or does that pose a security risk?
Port knocking doesn't work in this way. The point of port knocking is to set up some ports that must be triggered before you can access your desired port. To put it simply, let's say you want to access SSH, which would be by default port 22. To open that port let's say you set up the next trigger - ports 15001, 15002 and 15003 to open, and 15003, 15002, 15001 to close. So now before you access your SSH port 22 you must open it, e.g. make it accessible. To do that you must use telnet or some other software (better to automate everything). By triggering the right ports in their order you will open port 22 until you don't need it anymore, and at that point you would execute the second sequence and close it.
That means before you hit the Webmin port (default 10000) you need to execute the right sequence or it will stay closed. In other words you can't set anything within Webmin because you will not be able to even see the login screen in case you used port knocking to block the Webmin port (default or custom, doesn't matter).
I set it up on my account and it appears to be working. I use a different port for Webmin that is closed.
I have to use a different app to do the knocking but it appears to work fine.
Edit:
I am using GregSowell.com Port Knocker (as you suggested) and if I try and access the site nothing happens in the browser although it looks like it is trying to connect. When I run the port Knocker with my preset ports it opens my Webmin port and I am able to log in and gain access to the webmin services. However, CSF has a timeout that you configure that is supposed to be the time you have to knock the ports within and hold the new port open.
Here is the CSF info
Syntax for the PORTKNOCKING setting:
PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400" means:
Open Port 22 TCP for 20 seconds to the connecting IP address to new connections
once ports 100, 200, 300 and 400 have been accessed (i.e. knocked with a SYN
packet) each knock being less than 20 seconds apart.
Access to port 22 remains active after 20 seconds until the connection is
dropped, however new connections will not be allowed.
What I am noticing however is that I am blocked after the timeout period (or something close to it.) I assume that I must be making a new connection at some time during the Webmin session so in order to continue I have to re-run the port knock access or I have to set the timeout to be the period of time I expect to actually be using Webmin.
Couldn't a port knocking login screen be delivered via port 80, and after the port knocking was completed you could redirect to the opened port, or something along those lines? Using the additional app is not a big problem but it is inconvenient.
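A model of the CSF PORTKNOCKING rule quoted above, added here as an example (it is not CSF's code; the packet trace and addresses are constructed): it walks a knock sequence against a few SYN packets and shows the window closing to new connections once the timeout has passed, which is the behaviour described a few lines up.

```javascript
// Added example (not CSF's code): a model of the CSF PORTKNOCKING rule
//   openport;protocol;timeout;kport1;kport2;...;kportN
// as described in the thread, run over a constructed packet trace to show when
// the protected port opens, why knocks must be in order and close together,
// and why new connections are refused once the timeout window has passed.

function parseKnockRule(rule) {
  const f = rule.split(";");
  if (f.length < 4) throw new Error("expected openport;protocol;timeout;kport1[;...]");
  const nums = [f[0], f[2], ...f.slice(3)].map(Number);
  if (nums.some(n => !Number.isInteger(n) || n <= 0)) throw new Error("ports/timeout must be positive integers");
  return { openPort: nums[0], protocol: f[1].toUpperCase(), timeout: nums[1], knocks: nums.slice(2) };
}

class KnockFilter {
  constructor(rule) {
    this.rule = parseKnockRule(rule);
    this.progress = new Map();  // src -> { next: index of expected knock, last: time of previous knock }
    this.openUntil = new Map(); // src -> time until which NEW connections to openPort are accepted
  }

  // Decide one SYN packet { time (seconds), src, dport }: returns "accept" or "drop".
  // Only new connections are modelled; a connection already accepted stays up
  // after the window, exactly as the CSF description says.
  syn(pkt) {
    const { openPort, timeout, knocks } = this.rule;
    if (pkt.dport === openPort) {
      const until = this.openUntil.get(pkt.src);
      return until !== undefined && pkt.time <= until ? "accept" : "drop";
    }
    // Assumption: traffic to ports outside the knock sequence does not affect it.
    if (!knocks.includes(pkt.dport)) return "drop";

    let st = this.progress.get(pkt.src) || { next: 0, last: pkt.time };
    const inOrder = pkt.dport === knocks[st.next] && pkt.time - st.last < timeout;
    if (!inOrder) {
      // wrong knock port, or `timeout` seconds or more since the last one: start over
      this.progress.delete(pkt.src);
      if (pkt.dport !== knocks[0]) return "drop";
      st = { next: 0, last: pkt.time }; // this packet counts as a fresh first knock
    }
    st.next += 1;
    st.last = pkt.time;
    if (st.next === knocks.length) {
      this.openUntil.set(pkt.src, pkt.time + timeout); // open to new connections for `timeout` s
      this.progress.delete(pkt.src);
    } else {
      this.progress.set(pkt.src, st);
    }
    return "drop"; // the knock ports themselves never accept
  }
}

// Constructed trace (hypothetical addresses): one client knocks the rule from the
// thread, connects, and comes back after the 300 s window; a second client never knocked.
function demoTrace() {
  const filter = new KnockFilter("10100;TCP;300;10099;10098;10097");
  const trace = [
    { time: 0,   src: "203.0.113.7",  dport: 10100 }, // before knocking: dropped
    { time: 1,   src: "203.0.113.7",  dport: 10099 },
    { time: 2,   src: "203.0.113.7",  dport: 10098 },
    { time: 3,   src: "203.0.113.7",  dport: 10097 }, // sequence complete, window opens
    { time: 4,   src: "203.0.113.7",  dport: 10100 }, // new Webmin connection accepted
    { time: 4,   src: "198.51.100.9", dport: 10100 }, // other IP: still closed
    { time: 310, src: "203.0.113.7",  dport: 10100 }, // window expired: a re-knock is needed
  ];
  return trace.map(p => filter.syn(p));
}

console.log(demoTrace().join(" ")); // drop drop drop drop accept drop drop
```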
There isn't a port knocking login screen, as the request must come from your IP, plus I can't imagine how this should work. Either way this is out of the scope of *Min products and even port knocking, and best would be to find some geek guru coder to ask if he could make such software. Then again, you could just code security software that would require some "codes" to open desired ports, which doesn't have anything to do with port knocking and how it works.
Okay, you piqued my interest. I really don't know what the security implications of this would be. I'll leave that to you guys who actually know what you are doing. I was just curious as to what I could do with the whole port knocking concept. I blame you Diabolico because you were the one who introduced me to the concept of Port Knocking. Anyways, this is what I did:
1. Configured Webmin to use port 10100.
2. Configured port knocking in CSF:
   10100;TCP;300;10099;10098;10097
3. Attempted to access Webmin using admin.domain.com:
   Unable to connect
   Url displays https://domain.com:10100/
   The connection has timed out
4. Created the file login.php, including a line for each port used to unlock the main port (I assume I can use this file to create a port knocking login page that would allow me to enter the ports rather than having them hard coded):
   <script>
   // Each knock only needs a SYN to reach the (closed) port. Assigning window.location
   // repeatedly performs only the last navigation, so the knocks are sent as
   // fire-and-forget requests, spaced out so they arrive in the configured order.
   (async function () {
     for (const port of [10099, 10098, 10097]) {
       fetch('http://domain.com:' + port, { mode: 'no-cors' }).catch(function () {});
       await new Promise(function (r) { setTimeout(r, 500); });
     }
     window.location = 'https://admin.domain.com'; // then open the unlocked Webmin port
   })();
   </script>
5. Added an A record for webmin.domain.com to my DNS records.
6. Created the ServerAlias webmin.domain.com in httpd.conf.
7. Created a redirect in httpd.conf:
   RewriteCond %{HTTP_HOST} =webmin.domain.com
   RewriteRule ^(.*) http://domain.com/login.php [R]
8. Attempted to access Webmin using webmin.domain.com: the Webmin login screen appears and I am able to log in.
My understanding of what is happening:
Note: If the timeout is reached but the user has not logged out of Webmin, simply re-knocking the ports will reopen the Webmin port and the user will be able to continue with their Webmin session without logging in again, i.e. re-run webmin.domain.com.
I can now access Webmin using port knocking directly through the browser and do not need to use a separate port knocking application.
This isn't secure at all if you have all your ports listed in something.php, plus DNS records aren't secret so anyone can scrape them. This is the main reason why you must re-generate the signatures every few days (up to max 30 days) while using DNSSEC, so you can prevent rainbow attacks.
So by sending the port numbers using a php script (but not hard coded - ie. entered manually on a browser form) it is just as insecure as hard coding them into the script?
Wouldn't this be just as secure as the standard login (since it still requires the standard webmin login) but at the same time it keeps the webmin ports closed unless you specifically request the port to open?
I'll have to look at DNSSEC when I get some time.
Would using ip address instead of domain names make any difference?
Sorry for all the questions but I learn from doing so this is very helpful.
Thanks
Kim
Hardcoded ports would be useless; maybe manually inserting the ports - like a login with captcha - would be a better solution. Still, it's a php file, which means it will make a hit on Apache and server resources every time a bot tries to do anything, and this isn't good. It's much better if you shift your protection as much as you can to kernel level (e.g. iptables) and avoid Apache, MySQL... and so on. That's why any CMS (WP, Joomla...) security plugin is a really bad solution, as all of them rely on Apache and MySQL to block someone or prevent something. When you get hundreds (or even thousands) of bots hitting your website on an hourly basis the server will collapse, while iptables could much more easily handle such a hit. Of course I'm not speaking of a real DDoS because for that you must have appropriate defense, but by letting all those bots have a free pass to your Apache or MySQL you will actually help them accomplish some sort of DDoS even if that was not their primary job/intention.
Thanks for the info Diabolico.
I'm not sure how you can present a browser login screen without the problems you point out. I will do a bunch more reading on the issues you point out and see what options there are.
Just so I'm clear on this:
Does providing a browser login screen, using user entered port fields (for the Port knocking that opens the Webmin port and redirects to it), increase the security risk to my server over just using a standard open webmin port with the standard webmin login?
I have an HTML form where I enter the data and then use this function to make the connection to the Webmin login:
function port_knock() {
  var server = document.getElementById("server").value;
  var ports = ["port1", "port2", "port3"].map(function (id) {
    return document.getElementById(id).value;
  });
  if (!validation()) return; // checks that all fields are filled
  // Each knock only needs a SYN to reach the (closed) port. Assigning window.location
  // repeatedly performs only the last navigation, so the knocks are sent as
  // fire-and-forget requests, spaced out so they arrive in the configured order.
  ports.forEach(function (port, i) {
    setTimeout(function () {
      fetch("http://" + server + ":" + port, { mode: "no-cors" }).catch(function () {});
    }, i * 500);
  });
  // once the last knock has gone out, open the unlocked Webmin port
  setTimeout(function () {
    window.location = "https://admin." + server;
  }, ports.length * 500);
}
I could use the ip address instead of the server domain if it makes any difference
Kim
For quite some time the only CMSes I consider using for my clients are WordPress (with or without WooCommerce) and Magento, and for those I have some custom htaccess rules and fail2ban to prevent bots and brute-force attacks. Fail2ban is quite nice software if you need to keep an eye on your logs and eventually block someone. The rest is just finding the edge where f2b will trigger the response, e.g. if the client is the only one to log in then the rules can be set much harder, while for e-commerce where a lot of people are using the login page the rules are more lenient (but not too much).
For the rest it would be better to start your own topic and maybe more people will join with suggestions. We already derailed this topic too much.
I have used f2b for years but obviously server keys and even very good passwords do away with the need for software like that. Virtualmin Framed Theme though should be around as a fallback. The VM team would be daft not to keep it up to date.
Software like Fail2Ban and CSF is always needed and saying otherwise could even be dangerous. I don't want to go into why because every smart person managing a server should already know these facts. Still, I agree that using keys instead of passwords and/or strong passwords will add to the overall security of your server, but it isn't enough and you should always look at the whole picture instead of focusing on some parts.
With all this talk of security, I want to point out that the new Virtualmin 6 installer sets up a firewalld firewall (on systems that support firewalld...so any new system with systemd; it'll fall back to an iptables firewall on systems that can't have firewalld), and fail2ban. The fail2ban configuration includes webmin-auth, sshd, and several mail-related ports, plus a few other things.
The beta installer for VM6 now includes those features. I just finished them last night, and rolled the new packages immediately after, so they've had minimal testing, but I think they work on the new distros.
There's also good Webmin support for firewalld (several improvements are going into the next Webmin release) and Fail2ban (a couple of bugs with default options and jail.d*.conf files are still outstanding, but should be in place soon).
And, of course, Webmin already has brute force protection, 2FA, certificate-based login options, and more. There's a ton of security features already built into Webmin aside from all these external security tools.
That's great news, Joe. It will make things easier for us; however, it's still not a solution to the original theme security issue.
Hi, can you be more specific on this? The original theme security issue.... I have never seen any logs or anything to prove that there is an original theme security issue...nor on github..
thanks.
Yeah, I think there's a bit of a disconnect in the conversation about the security issues that Authentic had (and were fixed a few months ago). Any theme could have the same kinds of security issues. There's not really anything we can do, at this stage, to prevent a theme from causing security issues, if security mistakes are made in the theme...unless we removed significant theming abilities (no custom login page, no custom theme on any unauthenticated pages, etc.).
So...the security issues in Authentic were serious, but once fixed, there's nothing that makes the Virtualmin Framed Theme safer than Authentic, except being a lot older and having had a lot more vetting and been in the wild longer; which, I guess also has some security value. I guess it's also true that Framed Theme is no longer being developed actively (it is maintenance only at this point), so unless bugs already exist there won't be any new ones. So...there's also that.
But, let's be clear: Authentic is not a unique security conversation; all themes in Webmin/Virtualmin could be a vector of attack if there are mistakes in handling user data. That's true of most theme-able web applications, because the theme has to interact with every page, including things outside the control of ACLs and the like.
There are things we can do to isolate themes more completely, but it's a much bigger project, and one we'll have to tackle in Webmin 2.0; we have to break backward compatibility in major ways in order to change theming significantly. Total privilege separation (which nobody in this space currently does, as far as I know) would be the ideal, but it's effectively a from-the-ground-up re-design.
What happened to the old framed theme? It seems to be gone in 6.00.
Yeah, the Virtualmin Framed Theme seems to have gone but the Blue Framed Theme remains?
Maybe it is just a mistake, I hope so, installed this for now. http://www.xenlayer.com/xenlayer-theme.html
The new theme is a great thing; that was really a good move. Some people just do not use anything if it is not shiny, and the old theme was really dated. The new one is a good balance between shiny and workable. Please do not go too much into the shiny with it, but right now it is a really appreciated improvement for us and our users.
best regards, Ghislain.
Regards, Ghislain
Virtualmin version 6.00.gpl Pro
That's what the new install says. https://postimg.org/image/guhsblfcl/