Is it possible to have a different port from the main Webmin port so customers can access their accounts?

#1 Fri, 10/20/2017 - 08:20
amityweb


I have a firewall that blocks port 10000 for everyone except approved IP addresses, for security reasons of course.

But some customers want access to manage email accounts, and they would likely have dynamic IP addresses.

I don't want to open port 10000 to everyone just so a few customers can access it to manage email, like adding and removing their domain's other users' email accounts.

Is there a way a different port can be used that only gives access to the scaled-down Webmin account users, and not the main server Webmin root user? It would be terrible to offer a login to everyone in the world in which someone could log in as root or some sudo user.

Thanks

Fri, 10/20/2017 - 11:54
scotwnw

How about changing all of Webmin to something besides 10000? Or have some sort of host intrusion prevention in place for every open port. Or both, which is what I do. Also, "users" only have the permissions in Webmin that you allow them to have; you can pick and choose which modules they have access to.

Sat, 10/21/2017 - 05:05
amityweb

I worry that even after changing the port I am opening up the server control panel login to the whole world. All someone needs is the root password, then they can get in. I just don't believe in doing that; it's one step down the security ladder. We have had good security over the years, and part of our security is closing all ports in the firewall except web ports. Customers can't even get SFTP (and we don't even use FTP). So the best situation would be for the firewall to block the main server control panel, but still allow customers access to a control panel that is very limited, e.g. one that can just manage the Virtualmin features we choose. So even with the root password, that user could not log in to the main server control panel using this interface on the open port.

Or is there an alternative way I could use that maintains the security of only allowing root to log in from approved IP addresses and dynamic hostnames, but allows anyone else who has limited permissions to log in from anywhere?

Thanks

Sat, 10/21/2017 - 09:29 (Reply to #3)
Joe

Webmin supports two-factor authentication, and you can also restrict root logins to only some IP addresses, while other users can access it from any address.

It's in Webmin->Webmin->Webmin Users->Two-factor Authentication for 2FA, and the IP restrictions are under the user name (click "root" and look in the Security and Limits section).

--

Check out the forum guidelines!

Sun, 10/22/2017 - 08:11
amityweb

Oh, sounds like a plan. BUT can you restrict root logins to dynamic hostnames? I often work from home or anywhere, and would be on any IP, so I need a process to update the IP. CSF Firewall allows dynamic hostnames, so it updates the IP often. So I would need the root access restriction to work that way too, otherwise I can't get in.

I have tried setting up a VPN in my office (with a static IP), so I connect to that and then it's OK, but I have not been able to get the VPN to work; that's another issue!

Thanks

Sun, 10/22/2017 - 08:36
amityweb

Also, the Perl OATH module won't install; there seem to be several other threads about this issue, so I can't use Google.

Sun, 10/22/2017 - 18:26 (Reply to #6)
Joe

What distro and version? How were you installing? What errors did you get?


Mon, 10/23/2017 - 04:00 (Reply to #7)
amityweb

CentOS 6. I followed the link in Webmin when I go to enable 2FA; it says it's not enabled and to go to Webmin Configuration to enable it. When I click that link and then choose Google Authenticator, it says the following:

Failed to save two-factor authentication : The Perl module Authen::OATH needed for two-factor authentication is not installed. Use the Perl Modules page in Webmin to install it.

When I then go to the Perl Modules link in this, it says the following:

Installing Perl module Authen::OATH from package perl(Authen::OATH) ..
Installing package(s) with command /usr/bin/yum -y install perl(Authen::OATH) ..
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.freethought-internet.co.uk
* extras: mirrors.linode.com
* updates: mirrors.linode.com
No package perl(Authen::OATH) available.
Error: Nothing to do
.. install failed!
Some modules failed to install from packages, trying installation from source instead..
Downloading http://www.cpan.org/authors/id/O/OA/OALDERS/Authen-OATH-2.0.1.tar.gz (13.01 kB) ..
     Received 1024 bytes (7 %)
     Received 2 kB (15 %)
     Received 3 kB (23 %)
     Received 4 kB (30 %)
     Received 6 kB (46 %)
     Received 7 kB (53 %)
     Received 8 kB (61 %)
     Received 10 kB (76 %)
     Received 11 kB (84 %)
     Received 12 kB (92 %)
     Received 13.01 kB (100 %)
.. download complete.

I can click Continue with Install or Fetch Missing Prerequisites.

Continue with Install shows it installed lots of things, and says at the end "Make and install of Authen::OATH successful." But when I go back to enable 2FA again, it says it's not installed, and I go through the whole process again, even after a Webmin restart.

If I click Fetch Missing Prerequisites, then it shows the following, in which you can see it reports some packages are not available:

Installing Perl module Moo from package perl(Moo) ..
Installing package(s) with command /usr/bin/yum -y install perl(Moo) ..
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.freethought-internet.co.uk
* extras: mirrors.linode.com
* updates: mirrors.linode.com
No package perl(Moo) available.
Error: Nothing to do
.. install failed!
Installing Perl module Types::Standard from package perl(Types::Standard) ..
Installing package(s) with command /usr/bin/yum -y install perl(Types::Standard) ..
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.freethought-internet.co.uk
* extras: mirrors.linode.com
* updates: mirrors.linode.com
No package perl(Types::Standard) available.
Error: Nothing to do
.. install failed!
Installing Perl module Authen::OATH from package perl(Authen::OATH) ..
Installing package(s) with command /usr/bin/yum -y install perl(Authen::OATH) ..
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.linode.com
* epel: mirror.freethought-internet.co.uk
* extras: mirrors.linode.com
* updates: mirrors.linode.com
No package perl(Authen::OATH) available.
Error: Nothing to do
.. install failed!
Some modules failed to install from packages, trying installation from source instead..
Downloading http://www.cpan.org/authors/id/H/HA/HAARG/Moo-2.003002.tar.gz (94.43 kB) ..
     Received 1024 bytes (1 %)
     Received 10 kB (10 %)
     Received 19 kB (20 %)
     Received 29 kB (30 %)
     Received 38 kB (40 %)
     Received 48 kB (50 %)
     Received 57 kB (60 %)
     Received 67 kB (70 %)
     Received 76 kB (80 %)
     Received 85 kB (90 %)
     Received 94.43 kB (100 %)
.. download complete.
Downloading http://www.cpan.org/authors/id/T/TO/TOBYINK/Type-Tiny-1.002001.tar.gz (258.74 kB) ..
     Received 1024 bytes (0 %)
     Received 26 kB (10 %)
     Received 52 kB (20 %)
     Received 78 kB (30 %)
     Received 104 kB (40 %)
     Received 130 kB (50 %)
     Received 156 kB (60 %)
     Received 182 kB (70 %)
     Received 207 kB (80 %)
     Received 233 kB (90 %)
     Received 258.74 kB (100 %)
.. download complete.
Downloading http://www.cpan.org/authors/id/O/OA/OALDERS/Authen-OATH-2.0.1.tar.gz (13.01 kB) ..
     Received 1024 bytes (7 %)
     Received 2 kB (15 %)
     Received 3 kB (23 %)
     Received 4 kB (30 %)
     Received 6 kB (46 %)
     Received 7 kB (53 %)
     Received 8 kB (61 %)
     Received 10 kB (76 %)
     Received 11 kB (84 %)
     Received 12 kB (92 %)
     Received 13.01 kB (100 %)
.. download complete.

I also tried some code from other forums where people had the same issue, and could not get it to work even though it looked like it installed a bunch of stuff for Perl.

Fri, 10/27/2017 - 21:53 (Reply to #8)
Joe

It's likely to be very challenging to make modern Perl stuff (which this is) run on a very old Perl version (which CentOS 6 has).

I've started looking into packaging this module for our repos, but I would only be able to do it for CentOS 7. There's some really new stuff in there, and CentOS 6 has an ancient Perl version (5.10.1). I don't know of an easy way to make this stuff work on CentOS 6.


Sun, 10/22/2017 - 09:08
amityweb

Accessing Webmin as root from an approved dynamic hostname works fine, so that's good. Really pleased about that; I didn't know it existed.

Can't get two-factor to work though. Authy is quite complicated; I registered an account and got what I thought was an API key, but it just says it fails and is forbidden. The necessary Perl OATH module won't install and has errors. So I think 2FA needs more work in Webmin to make sure it can easily be enabled.

So I may consider opening up ports with the IP restriction on root, but 2FA working would give me further peace of mind.

Fri, 10/27/2017 - 13:24 (Reply to #10)
adamjedgar

I use Google Authenticator with Virtualmin and the mobile phone app... easy to set up and works for me. I have also had the Virtualmin console running on a custom port other than 10000, also without issue.

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Wed, 10/25/2017 - 23:05
Diabolico

The only danger to your Webmin port is brute force attacks and weak passwords (e.g. 1234567..., admin001, etc.). By changing the Webmin port to something other than 10000 you will avoid 90+% of all scan bots. For brute force attacks a solution like fail2ban is great, and it supports Webmin out of the box; you just need to enable this protection. Last but not least, you can close any port and open it only when you need it with port knocking. A great feature to install if you want to open the ports only for people who have the right combination.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
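The post above recommends fail2ban for brute force against the Webmin port, and later replies compare it with CSF/LFD. Both tools do the same core job: count failed logins per source address in a sliding window and ban the address when a threshold is crossed, while never banning addresses on an ignore list. The Python below is an added example, not fail2ban's, CSF's or Webmin's own code, that implements that logic over a constructed syslog excerpt. The log line format (`webmin[pid]: Invalid login as USER from IP`) is assumed to match what Webmin's miniserv writes on a failed login and what fail2ban's bundled webmin-auth filter keys on; the hostname, PIDs, addresses and the `BruteForceDetector` class are illustrative.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of the syslog line Webmin's miniserv writes on a failed login
# (the form fail2ban's bundled webmin-auth filter matches); exact wording is an assumption.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ webmin\[\d+\]: "
    r"Invalid login as (?P<user>\S+) from (?P<ip>\S+)\s*$"
)

# Constructed sample log, not from a real server. 203.0.113.7 hammers root,
# 198.51.100.22 fails slowly, 192.0.2.10 is the admin's approved address.
SAMPLE_LOG = """\
Oct 23 04:00:01 vhost1 webmin[2291]: Invalid login as root from 203.0.113.7
Oct 23 04:00:03 vhost1 webmin[2291]: Invalid login as root from 203.0.113.7
Oct 23 04:00:04 vhost1 webmin[2291]: Invalid login as admin from 203.0.113.7
Oct 23 04:00:06 vhost1 webmin[2291]: Invalid login as root from 203.0.113.7
Oct 23 04:01:10 vhost1 webmin[2291]: Invalid login as root from 198.51.100.22
Oct 23 04:01:30 vhost1 webmin[2291]: Invalid login as root from 203.0.113.7
Oct 23 04:01:31 vhost1 webmin[2291]: Invalid login as root from 203.0.113.7
Oct 23 04:05:00 vhost1 sshd[2400]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 23 04:20:00 vhost1 webmin[2291]: Invalid login as root from 198.51.100.22
Oct 23 04:31:00 vhost1 webmin[2291]: Invalid login as root from 198.51.100.22
Oct 23 04:42:00 vhost1 webmin[2291]: Invalid login as root from 198.51.100.22
Oct 23 04:53:00 vhost1 webmin[2291]: Invalid login as root from 198.51.100.22
Oct 23 05:00:00 vhost1 webmin[2291]: Invalid login as root from 192.0.2.10
Oct 23 05:00:01 vhost1 webmin[2291]: Invalid login as root from 192.0.2.10
Oct 23 05:00:02 vhost1 webmin[2291]: Invalid login as root from 192.0.2.10
Oct 23 05:00:03 vhost1 webmin[2291]: Invalid login as root from 192.0.2.10
Oct 23 05:00:04 vhost1 webmin[2291]: Invalid login as root from 192.0.2.10
"""


def parse_failed_login(line, year=2017):
    """Return (unix_time, user, ip) for a Webmin failed-login line, else None."""
    m = FAILED_LOGIN_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when.timestamp(), m["user"], m["ip"]


class BruteForceDetector:
    """fail2ban-style sliding window: `maxretry` failures from one address within
    `findtime` seconds bans it for `bantime` seconds. Addresses in `ignoreip`
    (your approved static or dynamic-DNS addresses) are never banned, which is
    how you avoid locking yourself out."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> failure timestamps inside the window
        self.banned = {}                     # ip -> unban time

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        if until is not None and now < until:
            return True
        self.banned.pop(ip, None)            # expired (or never banned)
        return False

    def record_failure(self, ip, now):
        """Feed one failure; returns True when this failure triggers a new ban."""
        if self.is_ignored(ip) or self.is_banned(ip, now):
            return False
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return True
        return False


def scan_log(lines, detector, year=2017):
    """Run the detector over log lines; returns [(ip, user at ban time), ...]."""
    bans = []
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue                          # sshd and other daemons belong to other jails
        when, user, ip = parsed
        if detector.record_failure(ip, when):
            bans.append((ip, user))
    return bans


def demo():
    detector = BruteForceDetector(maxretry=5, findtime=600, bantime=3600,
                                  ignoreip=["192.0.2.0/24"])
    return scan_log(SAMPLE_LOG.splitlines(), detector)


if __name__ == "__main__":
    for ip, user in demo():
        print(f"ban {ip} (last attempt as {user})")   # ban 203.0.113.7 (last attempt as root)
```

On the sample, only 203.0.113.7 is banned: it reaches five failures in ninety seconds. 198.51.100.22 also fails five times but spread eleven minutes apart, so it never has more than one failure inside the ten-minute window; that slow pattern is exactly what a threshold-only ban misses, and why a strong root password and IP restriction on root still matter. Whichever tool you use, put your own addresses in its ignore list before enabling the Webmin jail, and remember the failed-login line must actually be in the log the tool watches.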

Mon, 10/30/2017 - 04:52
amityweb

@Joe, maybe Virtualmin should not offer features on unsupported OSes. There is no indication in the 2FA settings that CentOS 6 is not supported.

About Fail2ban... would CSF firewall be an alternative, or should I use Fail2ban in addition to CSF? We have CSF and LFD, and that already locks people out after failed passwords.

Sun, 11/05/2017 - 15:30 (Reply to #13)
Joe

It's not really unsupported...it's just hard as hell to get the dependencies installed. Though, I didn't know that until this conversation took place and I went and looked at what the dependencies are and what those dependencies depend on, and realized it's all very modern Perl (and CentOS 6 has a Perl that is embarrassingly old...it was old even when CentOS 6 was new, and because RHEL/CentOS lock in the version through the lifecycle of the release, it never gets updated, except security backports...this is ordinarily a good feature, but for something you want modern features out of, it's annoying).

So...basically, if you want modern features, you should use a modern version of your distro. I'll see about making the 2FA feature smarter about when it tries to install dependencies, and if it sees it's running on a very old Perl, it won't even try, it'll just say, "Hey, your Perl is too old."

"About Fail2ban... would CSF firewall be an alternative, or should I use Fail2ban in addition to CSF? We have CSF and LFD, and that already locks people out after failed passwords."

Yes, CSF and LFD are a reasonable alternative to Fail2ban+iptables (on CentOS 6) or Fail2ban+firewalld (on CentOS 7 and other systemd-based distros) that Virtualmin sets up during installation. Ilia prefers it and has done a lot of work to make the Authentic theme work nicely with CSF, including stuff like notifications and such (I think, though I don't use CSF myself).

We considered going the CSF route, and it definitely has its advantages, but our policy of sticking as closely to the OS defaults as possible led to choosing firewalld (or iptables on old distros) instead. I also like lighter weight firewalls on servers...you really don't need a bunch of complexity, and it can make it harder to understand when things go wrong if there are dozens or hundreds of rules that don't actually do anything useful. Even the default firewall on CentOS is a bit crowded for my taste, but we mostly leave it alone in the interest of sticking close to stock.

But, if LFD is configured to watch all of the relevant logs, you should be fine not using fail2ban. They perform roughly the same service for you.

Fail2ban has actually kinda been a disappointment to me now that we have it out there in the wild. It can, in some circumstances, balloon up to tremendous size, at least in terms of VIRT memory usage (this rarely actually impacts the system, but it's still alarming to see a 1.5 GB process, even if only 70MB of it is resident in memory). I'd like it if it were a little less resource intensive. I'm not sure if it has a memory leak or if it's just memory-mapping all of the log files it watches (which would probably be mostly harmless), but it ends up being a pretty big resource consumer both in terms of memory and CPU, for a task that really ought to be very easy and not requiring a lot of resources.


Sun, 11/05/2017 - 14:20
Diabolico

I don't have so much experience with CSF, for the simple reason that for me Fail2Ban works perfectly for what I need. A good thing with F2B is I can add some other custom things like WordPress login attempts. I find this a much better solution than using a WP plugin, because the attacks are still hitting Apache and using server resources. Fail2Ban should work with CSF, but you must pay attention to turn off the same/similar options in one of them.


Sun, 11/05/2017 - 15:20
amityweb

I don't know much about F2B, but do you or anyone know if this could be a CSF replacement, or does it have far fewer features than CSF, or could it be used in addition to CSF? The integration with WordPress sounds good, hence my interest in it!

Fri, 11/10/2017 - 15:50
scotwnw

My testing/experience... I've tried iptables, F2B, OSSEC and CSF, each for a year or more, on servers and VMs.

I started with just iptables; hacked in about a week due to password guessing.

Then OSSEC, which was great, just complicated to set up, editing files etc. Command-line interface.

Then F2B, which works great when set up properly. Didn't get into creating new rules for other things like WP.

Now using CSF. It blocks all in and out connections by default. Has a decent point-and-click interface with the Webmin module. Login failures can be sent to all servers in the CSF cluster. Has TONS of setup options, so be sure you know what you're changing beforehand. Has a testing mode for novices that will revert to the last known config after about 5 min, which is handy if locked out. Also has built-in support for IPv6, which is why I dropped F2B. If you use it with Cloudmin and VMs, you have to add 2 lines to /etc/csf/csfpost.sh to allow VMs to forward traffic through the host. That's the only headache I ran into. Has temp-to-perm ban settings for nearly every service/port. There are regex rules that can be added for WordPress. I have not tried that yet.

Just my opinion

Sat, 11/11/2017 - 04:41
amityweb

I use CSF and have done for years, and it has done a great job; I have not had security issues that got through CSF (touch wood!). It's just because I close all ports except to allowed IP addresses, and customers have dynamic IP addresses, that I can't give them access to Webmin to manage their own email accounts.

I have not had luck setting up 2FA; it doesn't work on CentOS 6 by the looks of it.

So the last thing to investigate is port knocking, which was mentioned above. I have not had experience with that, but will look into it. But again, it looks like it lowers security a bit, as it could allow anyone in from any IP if they know the combination.
