Hi
We have noticed the following feature has issues / doesn't work properly as it should:
1) Under Webmin > Webmin Configuration > Authentication, we have the option to "Block users with more than N tries for M secs". So when a user fails for the Nth time, it says access for the user is blocked, but on entering the right password, it allows the user into Webmin again.
2) Under Webmin > Webmin Configuration > Authentication, we have the option to "Block hosts with more than N tries for M secs". But consider a scenario where webmin is placed behind a proxy. In that case it will block the proxy ip instead of the remote client ip and no one can access webmin till the block period is over. An apache backend can solve this using RPAF module where it gets the client IP using x-header from the proxy server and block the IP of the client instead of the proxy. Is there a way to achieve the same thing in miniserv.pl?
Thanks Arnab
Comments
Submitted by JamieCameron on Fri, 11/28/2014 - 13:29 Comment #1
For question 1, are you sure the M second timeout didn't expire?
For question 2, you can configure Webmin to respect the IP provided by the proxy. Just add the line
trust_real_ip=1
to /etc/webmin/miniserv.conf, then run /etc/webmin/restart
Submitted by mmi on Mon, 12/01/2014 - 04:17 Pro Licensee Comment #2
The solution for question 2 worked, but I face the same issue now in both the cases. Whether I block a particular user after certain tries for certain seconds or if I block an IP for some time, the result is always the same. I can get in by entering the right username and password even during the block period. Can you please a similar scenario by placing a proxy in front of Cloudmin and testing the blocks? I have attached the screenshot.
Thanks Arnab
Submitted by JamieCameron on Mon, 12/01/2014 - 18:00 Comment #3
Does this problem only happen for you when accessing Webmin via a proxy?
Submitted by mmi on Thu, 12/04/2014 - 06:37 Pro Licensee Comment #4
Hi Jamie
It seems you were right - the issue occurs ONLY when Cloudmin is accessed from a proxy. If I directly access Cloudmin, the block works. If however I access it via proxy, it allows me to login with the right username and password during the block period. My guess is Cloudmin checks the proxy IP instead of the real client IP during the block period. So please let me know if there is a way to solve this.
Thanks Arnab
Submitted by JamieCameron on Fri, 12/05/2014 - 00:35 Comment #5
Can you post the contents of the file
/etc/webmin/blocked
when a user is supposed to be locked out? That tracks which users are currently denied, and for how long.
Submitted by mmi on Fri, 12/05/2014 - 05:06 Pro Licensee Comment #6
I am attaching two pictures: 1) with block message 2) allowing the prompt - and allowing the user to login with the right username / password 3) the block configuration
BTW during the time the block is enabled I don't see a file:
[root@cloudmin-dev ~]# cat /etc/webmin/blocked cat: /etc/webmin/blocked: No such file or directory
Thanks Arnab
Submitted by JamieCameron on Fri, 12/05/2014 - 15:42 Comment #7
Sorry, the block file should actually be at
/var/webmin/blocked
Submitted by JamieCameron on Fri, 12/05/2014 - 15:49 Comment #8
Actually, I just looked closer at the Webmin code, and this behavior is by design. The reason is that if even a successful login was rejected, an attacker could make a Webmin system unusable by trying endless logins as root. The real root user would then never be able to log in.
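As an added illustration of the two points raised in this thread (the trust_real_ip setting from comment #1, and the reasoning in comment #8 for why a correct password is still accepted during a block), here is a small Python simulation of a failed-login limiter. It is not Webmin's miniserv.pl code: the LoginGate class, the choice of X-Forwarded-For as the proxy header, the reset of counters on a successful login, and the sample addresses and password are all assumptions constructed for this example. It models both a per-user and a per-host counter, shows which address ends up blocked behind a proxy with and without trusting the forwarded header, and contrasts the stricter "reject everything during the block" policy with the lenient one Jamie describes.

```python
import time
from collections import defaultdict


class LoginGate:
    """Simulated login limiter (constructed example, not miniserv.pl).

    Counts consecutive failures per user and per host, blocks a key for
    block_secs once it reaches max_tries, and has two switches mirroring the
    thread: trust_real_ip (take the client address from the proxy header) and
    reject_valid_during_block (the strict policy comment #8 argues against).
    """

    def __init__(self, users, max_tries=3, block_secs=60,
                 trust_real_ip=False, reject_valid_during_block=False):
        self.users = users                    # {username: password}; plain text only because this is a simulation
        self.max_tries = max_tries
        self.block_secs = block_secs
        self.trust_real_ip = trust_real_ip
        self.reject_valid_during_block = reject_valid_during_block
        self.failures = defaultdict(int)      # "user:NAME" / "host:IP" -> consecutive failures
        self.blocked_until = {}               # same keys -> time when the block expires

    def client_ip(self, peer_ip, headers):
        """Address used for the host counter. Behind a proxy the TCP peer is the
        proxy itself, so all clients share one counter unless the forwarded header
        is trusted. Assumption: header is X-Forwarded-For, leftmost entry wins;
        in a real deployment trust it only when the peer is the known proxy."""
        if self.trust_real_ip:
            forwarded = headers.get("X-Forwarded-For", "")
            if forwarded:
                return forwarded.split(",")[0].strip()
        return peer_ip

    def _is_blocked(self, key, now):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # block expired: forget it, restart the count
            del self.blocked_until[key]
            self.failures[key] = 0
            return False
        return True

    def _record_failure(self, key, now):
        self.failures[key] += 1
        if self.failures[key] >= self.max_tries:
            self.blocked_until[key] = now + self.block_secs

    def attempt(self, user, password, peer_ip, headers=None, now=None):
        """Returns 'ok', 'denied' (bad credentials, counted) or 'blocked'."""
        now = time.time() if now is None else now
        ip = self.client_ip(peer_ip, headers or {})
        user_key, host_key = "user:" + user, "host:" + ip
        valid = self.users.get(user) == password
        user_blocked = self._is_blocked(user_key, now)
        host_blocked = self._is_blocked(host_key, now)
        if (user_blocked or host_blocked) and (self.reject_valid_during_block or not valid):
            return "blocked"
        if not valid:
            self._record_failure(user_key, now)
            self._record_failure(host_key, now)
            return "denied"
        for key in (user_key, host_key):      # assumption: success clears both counters
            self.failures[key] = 0
            self.blocked_until.pop(key, None)
        return "ok"

    def blocked_hosts(self, now):
        return {k[len("host:"):] for k, until in self.blocked_until.items()
                if k.startswith("host:") and now < until}


# Constructed sample deployment: one reverse proxy in front, two real clients.
PROXY = "10.0.0.2"
ATTACKER = "203.0.113.9"
ADMIN = "198.51.100.7"
USERS = {"root": "correct-horse-battery"}


def hosts_blocked_after_guessing(trust_real_ip):
    """Three bad passwords arrive through the proxy from ATTACKER. Which address
    ends up blocked: the proxy (i.e. everyone behind it) or the real client?"""
    gate = LoginGate(USERS, trust_real_ip=trust_real_ip)
    for _ in range(3):
        gate.attempt("root", "guess", PROXY, {"X-Forwarded-For": ATTACKER}, now=0)
    return gate.blocked_hosts(now=1)


def root_during_block(reject_valid_during_block):
    """Root is blocked; the real admin then presents the right password from
    another address. Strict policy: locked out. Lenient (comment #8): gets in."""
    gate = LoginGate(USERS, trust_real_ip=True,
                     reject_valid_during_block=reject_valid_during_block)
    for _ in range(3):
        gate.attempt("root", "guess", PROXY, {"X-Forwarded-For": ATTACKER}, now=0)
    return gate.attempt("root", "correct-horse-battery", PROXY,
                        {"X-Forwarded-For": ADMIN}, now=1)


def wrong_password_after_expiry():
    """Once block_secs has elapsed a bad password is 'denied' again, not 'blocked'."""
    gate = LoginGate(USERS, trust_real_ip=True)
    for _ in range(3):
        gate.attempt("root", "guess", PROXY, {"X-Forwarded-For": ATTACKER}, now=0)
    return gate.attempt("root", "guess", PROXY, {"X-Forwarded-For": ATTACKER}, now=61)


if __name__ == "__main__":
    print(hosts_blocked_after_guessing(False), hosts_blocked_after_guessing(True))
    print(root_during_block(True), root_during_block(False))
    print(wrong_password_after_expiry())
```

Running it shows the proxy's own address in the block set when the forwarded header is not trusted and only the attacker's address when it is, and shows that the strict policy lets anyone who can send three wrong passwords keep the real root user out, which is the lockout risk comment #8 describes.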