Root Login to WebMin Fails

Howdy,

Are you able to log into Webmin as another user, just not root? Or is it preventing all logins?

Do you see any errors in /var/webmin/miniserv.error?

-Eric

Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

is what I’m getting in the browser… (that’s my IP here on the outgoing firewall/gateway for “varuna.hindu.org”)

Yep: some odd errors … I think it is something my guy did about security…

[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

but seems I need to unblock our IP here… but I don’t see any DROP for our domain in the iptables which look like this (we are varuna.hindu.org here)

[root@sat webmin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:8333
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:smtp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:smtp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:ftp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:ftp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:submission
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:submission
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:ndmp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:ndmp
ACCEPT tcp -- cdm-75-109-138-39.asbnva.dh.suddenlink.net anywhere tcp dpt:ndmp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:dnp
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:dnp
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:postgres
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:postgres
ACCEPT tcp -- varuna.hindu.org anywhere tcp dpt:mysql
ACCEPT tcp -- gateway2.hindu.org anywhere tcp dpt:mysql
ACCEPT tcp -- c-174-59-203-162.hsd1.pa.comcast.net anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:30000
DROP tcp -- anywhere anywhere tcp dpts:tcpmux:65535
DROP udp -- anywhere anywhere udp dpts:tcpmux:65535
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

note we have two gateways on our firewall here that broadcast themselves as varuna.hindu.org and gateway2.hindu.org

But I’m no expert at reading iptables… maybe we are blocked…

sorry… I don’t know how to get that iptables output to format nicely in this comment box.

Error - Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

is what I’m getting in the browser…

Yep: some odd errors … I think it is something my guy did about security…
I tailed the log there are ten entries that all look like:

[29/Mar/2013:18:43:58 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

and one at the end:

[29/Mar/2013:21:09:58 -0700] [67.52.81.242] /session_login.cgi : Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.

but seems I need to unblock our IP here… how do I do that?

Howdy,

Well, if you can actually get to the login screen, and it doesn’t just timeout trying to load the page at port 10000, it’s not likely a firewall/iptables issue you’re seeing.

Regarding the IP address being blocked – you can unblock all IP addresses by running this command on the commandline as root:

/etc/init.d/webmin restart

“Well, if you can actually get to the login screen, and it doesn’t just timeout trying to load the page at port 10000, it’s not likely a firewall/iptables issue you’re seeing.”

duh… yes, of course (smile)

I would be interested to know what, if any, other IP’s are getting blocked (it would be re-assuring to see them)

is there some discrete file of blocked IP’s that I can look at first before restarting? I would be interested to see if the “monsters in St. Petersburg” IP’s are there – hackers from Russia that I have traced back to servers in St. Petersburg… they always seem to show up if I check on break-in attempts and look up IP’s (repeated attempts to find anything related to MySQL is common)

By default, no IP should be blacklisted for more than a few minutes. However, you can look in /var/webmin/miniserv.error to see what IP’s have been blocked.

-Eric
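As an added illustration of what Eric suggests (looking in /var/webmin/miniserv.error for blocked IPs), here is a small parser, not part of the original thread, that reads lines in the format quoted above and tallies per IP the "Bad Request ... SSL mode" notices (which come from browsing http:// to the https port and are not authentication failures) separately from the "has been blocked because of too many authentication failures" events. The sample log is constructed; the hostname and the second IP are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of /var/webmin/miniserv.error shown in
# this thread; 67.52.81.242 is the IP quoted above, the rest is made up.
SAMPLE_LOG = """\
[30/Mar/2013:19:13:17 -0700] miniserv.pl started
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://example.invalid:10000/ instead.
[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://example.invalid:10000/ instead.
[30/Mar/2013:21:09:58 -0700] [67.52.81.242] /session_login.cgi : Access denied for 67.52.81.242. The host has been blocked because of too many authentication failures.
[30/Mar/2013:21:10:03 -0700] [198.51.100.7] /session_login.cgi : Access denied for 198.51.100.7. The host has been blocked because of too many authentication failures.
"""

# [timestamp] optionally followed by [client ip], then the message text.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:\[(?P<ip>[^\]]+)\] )?(?P<msg>.*)$")

BLOCK_TEXT = "has been blocked because of too many authentication failures"


def parse_miniserv_error(text):
    """Yield (timestamp, ip, message); ip is None for daemon notices
    such as 'miniserv.pl started' or the Authen::PAM warning."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("msg")


def summarize(text):
    """Per-IP counts: SSL-mode Bad Request notices vs. actual block events,
    plus the timestamp of the most recent block."""
    stats = defaultdict(lambda: {"bad_request": 0, "blocked": 0, "last_block": None})
    for ts, ip, msg in parse_miniserv_error(text):
        if ip is None:
            continue  # daemon notice, no client involved
        if msg.startswith("Bad Request"):
            stats[ip]["bad_request"] += 1
        elif BLOCK_TEXT in msg:
            stats[ip]["blocked"] += 1
            stats[ip]["last_block"] = ts
    return dict(stats)


def blocked_ips(text):
    """IPs that hit Webmin's auth-failure block, in order of first appearance."""
    return [ip for ip, st in summarize(text).items() if st["blocked"]]


if __name__ == "__main__":
    for ip, st in summarize(SAMPLE_LOG).items():
        print(ip, st)
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/webmin/miniserv.error; the Bad Request count tells you how often a client hit the plain-http redirect notice, which by itself does not trigger the block.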

Hmm. OK I restarted webmin while tailing the miniserv.error log and got some interesting results:

[30/Mar/2013:19:13:17 -0700] miniserv.pl started
[30/Mar/2013:19:13:17 -0700] Using MD5 module Digest::MD5
[30/Mar/2013:19:13:17 -0700] Perl module Authen::PAM needed for PAM is not installed : Can’t locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 17) line 1.
BEGIN failed--compilation aborted at (eval 17) line 1.

[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

[30/Mar/2013:19:13:47 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

[30/Mar/2013:19:13:54 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

[30/Mar/2013:19:16:15 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

[30/Mar/2013:19:16:26 -0700] [67.52.81.242] Bad Request : This web server is running in SSL mode. Try the URL https://64.151.71.252.servepath.com:10000/ instead.

Note that I have not done anything with PAM (assuming that is the problem)… though Webmin is set to run updates automatically.

Howdy,

That PAM message is actually just a notice, and that’s not actually a problem. Most folks receive that notice… it just means it’s going to directly use the /etc/passwd file, rather than use PAM.

After restarting Webmin, are you able to login to Webmin as root? Or is it still preventing you from logging in?

-Eric

Strange… yesterday after restarting webmin I could not log in as root, but today I can. I suspect some browser cache issue. At any rate… I’m good now.

Case closed, simple solution

/etc/init.d/webmin restart

Thanks!

Hello,
I had the same problem, and executed the command /etc/init.d/webmin restart because my IP was blocked on OVH, and I had a lot of emails go to spam.

Now I’m unable to access my Virtualmin/Webmin; do I have to wait one day like Katir did?

And thank u in advance

You should have to wait. But, we have our own servers – not a hosted context. So, when I make changes, they are immediate as we run the box ourselves, top to bottom (Linode Cloud instance running Ubuntu)

After contacting my hosting provider, to ask if they validated my command to be executed, they replied that after executing a command they found out that my server is installed under a bare Debian and that I should verify my system logs, in which case it’s pertinent to revive the service from SSH.
But i don’t know how to do that. What can u advice me in this case please?

Sorry, I’m not sure I understand what they’re asking… can you clarify what exactly it is they want you to do?

-Eric

Unclear to me also… “revive the service from SSH” could possibly mean:

log in as root via terminal (i.e. “from SSH”) and just run start webmin

At least that is what I have to do if my portal page to Virtualmin just “disappears” it usually means webmin is not even running as one of the daemons on the box…

Looks like you are in a hosted environment, hopefully you still are chrooted and your web instance looks like a whole server (even though others may be running on the same box) if so I would just try logging in as root and restarting webmin.

Can you tell us what you see if you enter:

https://[[my.domain.com]]:10000 #replace with your domain

What happens? Do you get anything ?? or a blank screen?

Hello,

Thanks a lot, i had to restart webmin, it works.
I’m not sure if u do understand French, because i was trying to translate for u, but i’m gonna paste u what they wrote me:
"
I also note that the server in question is installed on a bare Debian. As a result, on the one hand I do not see any active cPanel on the machine, and on the other hand the webmin in question is not reachable on the network (as the command below shows).

nmap ns33***************** | grep closed

10000/tcp closed snet-sensor-mgmt

Regarding the problem of access to your webmin, I invite you to check the system logs for the proper functioning of this service. If so, it would be appropriate to restart the service from an SSH command.

Regarding the IP blocked for spam, we recommend setting up a restriction and security system on the machine’s mail server (such as the Spamassassin package).
It would also be worthwhile to study the logs of the mail service concerned for the domain/IP blocked for spam. That way, with a more restrictive configuration, the spam-blocking service will be more lenient with what you send."

My Ip is also deblocked now :smiley: after restarting webmin.
Thank you again, a lot :slight_smile:

Great, I’m glad to hear it’s working for you now!

-Eric

Thank u :slight_smile:

Well i have one more issue, i don’t know why when i send an email from my roundcube to a gmail address it goes to spam, how can i resolve this? My IP is blocked again.

Sorry, I can’t help you there… mail services are a deep and tedious snake pit that I try to stay away from.

In fact we are slowly turning off all mail services on our web servers and using third party mail services. You might like that too. All the mail addresses outgoing on the box are from myDomain.org and go off to SendGrid, e.g. (I use LiveCode Server, but this should work in any language)

    # send email receipt to user, only now, if the charge was successful.
    put url ("file:" & $_SERVER["DOCUMENT_ROOT"] & "/ddd/ddd-email-receipt.txt") into tEmailReceipt
    put merge(tEmailReceipt) into tBody
    sendGridMail gFormData["email_address"], "Thank You For Your Donation", tBody, "hope@myDomain.org"

Any mail TO mydomain.org is received via Microsoft Office 365 (used to be Google mail for our domain).

see:

https://sendgrid.com/

Their prices are so free-to-low and the API is so simple (I use their POST option)… and all the headaches of having your server blocked etc. all go away

<?lc

-- Build the repeated "to[]=address&" fields SendGrid's legacy mail.send
-- endpoint expects. pRecipients is a comma-separated list of addresses.
function makeRecipientsString pRecipients
   local tRecipientsString
   repeat for each item x in pRecipients
      put "to[]=" & urlEncode(x) & "&" after tRecipientsString
   end repeat
   return tRecipientsString
end makeRecipientsString

command sendGridMail pRecipients, pSubject, pBody, pFrom
   local tEmail
   put "api_user=mydomain&" into tEmail
   put "api_key=mySendGridAcctKey&" after tEmail
   put makeRecipientsString(pRecipients) after tEmail
   put "subject=" & urlEncode(pSubject) & "&" after tEmail
   put "text=" & urlEncode(pBody) & "&" after tEmail
   put "from=" & urlEncode(pFrom) after tEmail
   -- This writes the full request body, api_key included, to a file under
   -- DOCUMENT_ROOT; keep that log outside the web root or leave the key out.
   put tEmail & cr & cr after url ("file:" & $_SERVER["DOCUMENT_ROOT"] & "/ddd/ddd-log.txt")
   POST tEmail to URL "https://api.sendgrid.com/api/mail.send.json"
   -- "it" now holds SendGrid's JSON response; log it for troubleshooting
   put it & cr & cr after url ("file:" & $_SERVER["DOCUMENT_ROOT"] & "/ddd/ddd-log.txt")
end sendGridMail

Deleted. I responded to 2 yr old thread.