I’m moving over to Virtualmin. I’ve been hosting clients on cPanel previously, but am wanting to make the switch. Just learning the ins and outs of Virtualmin.
One thing for now I’d like to find out, and I haven’t had any luck looking at the forums here, or googling.
In cPanel, there are options out there that would allow clients to unblock/unban their IP if they had mistakenly locked themselves out of their account.
I know with Virtualmin/Webmin fail2ban is installed by default, and I want to have a system where clients would be able to log into a portal or something, and unblock/unban their accounts - be it mail, or whatever.
Has someone done this already, or can someone point me in the right direction?
No such thing in Webmin/Virtualmin that I know of. In that scenario, what keeps an abusive client from constantly trying ssh root logins, unbanning themselves and trying passwords forever?
Just my opinion, they should wait the 5 or 10 minutes for the ban to time out. I’ve done it to myself many times so I know what you mean; now I always have 2 ways into the server just in case. But for a normal user, you can’t lower security.
Thanks for the info @scotwnw
I understand that they will be able to log back in after a while. In my other hosting setup, there are mechanisms to ensure that if there are too many attempts, the ban is not just there for 15 minutes or whatever, but the block can be set for days or weeks even… This would ensure a “blacklist” of IPs that are errant. I was thinking of doing something similar on this new hosting machine with Virtualmin. However, if a client, say, sets up their email password wrong, they could then perhaps get onto the long-term “blacklist” inadvertently - I was wanting some sort of mechanism whereby if they were banned for a time, they could then go in and unban themselves. I hear you about a client maybe trying malicious things by going to “unban” themselves. However, this would prove very tedious for the client/hacker and probably wouldn’t be feasible, especially if strong passwords are enforced on the server.
Let me know your thoughts, or any other comments/suggestions are welcome.
First, I should point out I don’t use fail2ban. I didn’t like it for the lack of escalating ban time (at the time). I use CSF firewall. More complicated to set up but much better at temp to permanent bans of abusers. Bans can be temporary, multiple temp bans = permanent ban, multiple permanent bans from same /24 subnet = /24 ban. And bans on one server can be propagated to all servers running CSF.
I concur. Email and FTP can sometimes try 4 or 5 attempts at once. Clients putting in a password wrong just once can get banned. With CSF, you can also set it to have a quick response to attempts on ssh but a more lenient response to other services like SMTP or FTP. It even has a Webmin module to control it. Lots of people don’t like it because it blocks all traffic, in and out, making it more difficult to diagnose when there are connection issues. You just have to be aware and open ports for in and out. I’m not promoting CSF in any way, just saying that’s what I’ve settled on after many years of trying different options to control abusers.
Still not a solution to allowing the clients to unban themselves though.
Thanks for the feedback. Yes, I’m using CSF on my old host machine, but decided to try out Firewalld and Fail2ban. Regarding the escalating issue - one can set it up:
Pity I can’t find a solution to unban - but then again, I think I’ll play with the escalating fail2ban script to see if I can get something I can live with.
Can’t get on with firewalld … I like to ban countries via country codes yet cannot get it to work with firewalld, although it works well with iptables. I use the fail2ban escalating script, which is useful. You can create as many steps as you want, increasing the time of ban for each, so start with a low one, say 5 mins, and gradually increase it.
If you want to ensure strong passwords you can use the following regex. This works for users and groups and also Virtualmin site creation as well … not for randomly generated ones though, only for those input by the user.
Go to Webmin/System/Users and Groups, click the module config at the top, and away you go. The above code forces at least 8 and max of 50 characters, including at least 1 uppercase, 1 lowercase, 1 number and 1 special character.
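
A pattern enforcing the policy described in the post above (8 to 50 characters with at least one uppercase letter, lowercase letter, digit and special character), as an added example that is not the poster's own regex. It assumes "special character" means any character other than an ASCII letter or digit; `POLICY_REGEX`, `is_acceptable` and `failed_rules` are names chosen here, and the sample passwords are constructed.

```python
import re

# Assumption: "special character" = anything that is not an ASCII letter or digit.
# Lookaheads assert each required class; .{8,50} enforces the length bounds.
POLICY_REGEX = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,50}$"
_POLICY = re.compile(POLICY_REGEX)

# The same policy as separate rules, so a rejection can say what is missing.
RULES = [
    ("length 8-50", lambda p: 8 <= len(p) <= 50),
    ("lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
    # "." does not match a newline, so the regex rejects multi-line input too.
    ("single line", lambda p: "\n" not in p),
]

def is_acceptable(password):
    """True when the whole password satisfies POLICY_REGEX."""
    return _POLICY.fullmatch(password) is not None

def failed_rules(password):
    """Names of the rules the password breaks, in RULES order."""
    return [name for name, ok in RULES if not ok(password)]

# Constructed sample passwords, not taken from any real system.
SAMPLES = [
    "Tr0ub4dor&3x",          # meets every rule
    "password",              # no uppercase, digit or special character
    "PASSWORD1!",            # no lowercase letter
    "Ab1!",                  # too short
    "A1!" + "a" * 47,        # exactly 50 characters: accepted
    "A1!" + "a" * 48,        # 51 characters: too long
    "Abcdef1!\nmore",        # contains a line break
]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdict = "ok" if is_acceptable(pw) else "rejected: " + ", ".join(failed_rules(pw))
        print(f"{pw!r:60} {verdict}")
```

The pattern uses only lookaheads and a bounded quantifier, so it is written the same way in Perl-style regex syntax.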