“1) Under Webmin > Webmin Configuration > Authentication, we have the option to “Block users with more than N tries for M secs”. So when a user fails for the Nth time, it says access for the user is blocked, but on entering the right password, it allows the user into Webmin again.”
So why on earth would you want to block a user who has entered the correct password? Are you trying to block yourself? If this is a user you no longer want to have access, delete the account. @jamie sort of said the same on that report.
Submitted by JamieCameron on Fri, 12/05/2014 - 15:49 [Comment#8]
(https://archive.virtualmin.com/comment/608740#comment-608740)
Actually, I just looked closer at the Webmin code, and this behavior is by design. The reason is that if even a successful login was rejected, an attacker could make a Webmin system unusable by trying endless logins as root. The real root user would then never be able to login.
I do not know RHEL 8 (or anything other than Ubuntu) so no idea if it would be pertinent.
I simply cannot see why you would ever want to block any user from access given they are using a valid password. I do understand blocking a user (for a period) after a number of failed attempts.
If a valid user logs in with a password but then abuses their access, that is a completely different matter and requires a combination of education (teach them not to do it) and punishment (ACL management), or deleting the account.
So the current code will not block a successful login after multiple failures, which arguably is a bug because it allows an attacker to effectively keep trying passwords. But on the other hand, this prevents an attacker from locking out legit users. I don’t actually see a good way to satisfy both of these requirements! Instead, it’s better to block only based on the client IP address…
Meanwhile, I got confused by the Webmin behavior. By default Webmin uses the PAM authentication of the underlying OS (in my case RHEL 8), where at the OS level PAM is able to block the user after the defined number of failed attempts for a period of M seconds, even with the correct password, whereas Webmin bypasses this constraint and allows the user to log in.
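To make the trade-off discussed above concrete (Jamie's point that a per-user lock lets an attacker lock the real root out, versus Webmin letting a correct password through, versus PAM's per-user lockout on RHEL 8), here is a small simulation I wrote as an added example. It is not Webmin's, Virtualmin's or PAM's code; the credential store, the policy names `per_user`, `per_ip` and `webmin_style`, the IP addresses and the `LoginThrottle` class are all my own constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample credential store for the toy (plaintext only because it is a toy).
USERS = {"root": "correct-horse-battery"}


class LoginThrottle:
    """Counts failed logins and locks out for lock_secs after max_failures.

    policy (names are this example's own, not Webmin's or PAM's):
      "per_user"     - lock the account name: a correct password is rejected
                       while the lock lasts (the behaviour described for PAM above).
      "per_ip"       - lock the client address instead, so the same account
                       from another client is unaffected (Jamie's suggestion).
      "webmin_style" - per-user counter, but a correct password is always
                       accepted, as the thread reports Webmin does.
    """

    def __init__(self, policy, max_failures=3, lock_secs=60):
        if policy not in ("per_user", "per_ip", "webmin_style"):
            raise ValueError(policy)
        self.policy = policy
        self.max_failures = max_failures
        self.lock_secs = lock_secs
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def _key(self, user, ip):
        return ip if self.policy == "per_ip" else user

    def attempt(self, user, ip, password, now):
        """Return 'allowed', 'denied' (wrong password) or 'blocked' (locked out)."""
        key = self._key(user, ip)
        correct = USERS.get(user) == password
        if self.locked_until.get(key, 0) > now:
            # Locked: only the webmin_style policy lets a correct password through.
            if self.policy == "webmin_style" and correct:
                return "allowed"
            return "blocked"
        if correct:
            self.failures.pop(key, None)    # success clears the failure history
            return "allowed"
        # Keep only failures inside the lock window, then record this one.
        window = [t for t in self.failures[key] if now - t < self.lock_secs]
        window.append(now)
        self.failures[key] = window
        if len(window) >= self.max_failures:
            self.locked_until[key] = now + self.lock_secs
            self.failures.pop(key, None)
        return "denied"


def scenario(policy):
    """Attacker brute-forces root from one IP while the real root logs in from another."""
    throttle = LoginThrottle(policy)
    attacker, legit = "203.0.113.7", "192.0.2.10"   # constructed sample addresses
    first_three = [throttle.attempt("root", attacker, f"guess{i}", now=i) for i in range(3)]
    return {
        "attacker_first_three": first_three,
        "attacker_guess_4": throttle.attempt("root", attacker, "guess3", now=3),
        "legit_root_other_ip": throttle.attempt("root", legit, USERS["root"], now=4),
        "attacker_correct_pw": throttle.attempt("root", attacker, USERS["root"], now=5),
    }


if __name__ == "__main__":
    for policy in ("per_user", "per_ip", "webmin_style"):
        print(policy, scenario(policy))
```

Running the three scenarios shows the dilemma from the thread in one table: `per_user` blocks the real root from the other address once the attacker has burned three guesses (the lockout denial of service Jamie describes), `webmin_style` lets root in but also lets the attacker's eventual correct guess in, and `per_ip` is the only policy where the legitimate login succeeds while the attacker's correct guess from the locked address is still refused. The usual caveat with the per-IP approach is that a distributed attacker rotates source addresses to dodge the lock, and clients behind a shared NAT all share one counter, so in practice it is combined with rate limiting rather than used alone.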