Block user / host on failed logins

https://archive.virtualmin.com/node/35423
Is this bug report closed? Can someone confirm what the solution is for:

“1) Under Webmin > Webmin Configuration > Authentication, we have the option to “Block users with more than N tries for M secs”. So when a user fails for the Nth time, it says access for the user is blocked, but on entering the right password, it allows the user into Webmin again.”

So why on earth would you want to block a user who has entered the correct password? Are you trying to block yourself? If this is a user you no longer want to have access, delete the account. @jamie sort of said the same on that report.

Thanks @Stegan for the quick response.
Let me clarify from my side:

  1. As per my requirement, even if the user enters the right password, they have to wait until the M secs have expired, which is generally done by PAM auth on RHEL 8.
  2. I am not able to view the complete report for (Block user / host on failed logins [#35423] | Virtualmin) as I am a new user and unable to create an account for it due to the site migration.

Could you please help me with what @jamie said in the report, or could you please attach the report here?
It would be a great help for me.
Thanks in advance.

Submitted by JamieCameron on Fri, 12/05/2014 - 15:49 [Comment#8]

(https://archive.virtualmin.com/comment/608740#comment-608740)
Actually, I just looked closer at the Webmin code, and this behavior is by design. The reason is that if even a successful login was rejected, an attacker could make a Webmin system unusable by trying endless logins as root. The real root user would then never be able to log in.

I do not know RHEL 8 (or anything other than Ubuntu) so no idea if it would be pertinent.

I simply cannot see why you would ever want to block any user from access given they are using a valid password. I do understand blocking a user (for a period) after a number of failed attempts.

If a valid user logs in with a password but then abuses their access, that is a completely different matter and requires a combination of education (teach them not to do it) and punishment (ACL management), or deleting the account.

So the current code will not block a successful login after multiple failures, which arguably is a bug because it allows an attacker to effectively keep trying passwords. But on the other hand, this prevents an attacker from locking out legit users. I don’t actually see a good way to satisfy both of these requirements! Instead, it’s better to block only based on the client IP address…

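An added example, not from this thread or Webmin's own code, that models the tradeoff Jamie describes: an "N tries for M secs" throttle keyed either by user name or by client IP, with or without rejecting a correct password while blocked. The IP addresses and the N/M values are constructed for the demonstration.

```python
import time
from collections import defaultdict

N_TRIES = 3       # "Block users with more than N tries ..." (constructed value)
BLOCK_SECS = 60   # "... for M secs" (constructed value)


class LoginThrottle:
    """Minimal model of a failed-login throttle (not Webmin's real code).

    block_by: "user" keys the counter on the user name, "ip" on the client IP.
    reject_valid_while_blocked: if True, even a correct password is refused
    while the key is blocked (the behaviour the original poster asked for).
    """

    def __init__(self, block_by, reject_valid_while_blocked, now=time.time):
        self.block_by = block_by
        self.reject_valid = reject_valid_while_blocked
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(int)    # key -> consecutive failures
        self.blocked_until = {}             # key -> timestamp the block expires

    def _key(self, user, ip):
        return user if self.block_by == "user" else ip

    def attempt(self, user, ip, password_ok):
        """Returns "ok", "failed" or "blocked" for one login attempt."""
        key, t = self._key(user, ip), self.now()
        blocked = self.blocked_until.get(key, 0) > t
        if blocked and (self.reject_valid or not password_ok):
            return "blocked"
        if password_ok:
            self.failures[key] = 0          # success clears the failure count
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= N_TRIES:
            self.blocked_until[key] = t + BLOCK_SECS
        return "failed"


def lockout_scenario(block_by, reject_valid):
    """Constructed scenario: 203.0.113.9 sends N wrong root passwords, then a
    correct one; the real admin then logs in as root from 10.0.0.5.
    Returns (result for the attacking IP, result for the admin)."""
    clock = [1000.0]
    th = LoginThrottle(block_by, reject_valid, now=lambda: clock[0])
    for _ in range(N_TRIES):
        th.attempt("root", "203.0.113.9", False)
    attacker = th.attempt("root", "203.0.113.9", True)
    admin = th.attempt("root", "10.0.0.5", True)
    return attacker, admin
```

Keyed by user and rejecting valid passwords, both calls return "blocked" (the root lockout Jamie warns about); keyed by user but admitting valid passwords, both return "ok" (guessing is never stopped); keyed by client IP, the attacking address is blocked while the admin still gets in.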

Why not activate the webmin-auth jail in fail2ban? This will block login attempts that go over the jail's settings and only block the IP address.

Meanwhile, I got confused by the Webmin behavior. By default Webmin uses the PAM authentication of the underlying OS, in my case RHEL 8, where at the OS level PAM is able to block the user after the defined number of failed attempts for M secs, even for a correct password, whereas Webmin bypasses this constraint and allows the user to log in.
