Usermin logging required

SYSTEM INFORMATION
OS type and version: RHEL 9
Webmin version: 2.011
Usermin version: 1.860

Are there any logs for Usermin?

I have a need to see Usermin logins as it appears that a client user account is being accessed by someone, so a login list should at least show date/time and IP.

Also I have a client with 2 domains and some unexpected emails have been sent but the Vmin mail log doesn’t show which domain sent the emails, just that it came from the server.

I would be pleased to find that the logs exist but I just haven’t found them, if not could something be implemented?

In these days of increasing Internet security concerns, all things like this are taking on more importance.

Of course. /var/usermin has multiple logs.

Virtualmin does not have a mail log. The mail services (Postfix, Dovecot, and Procmail) do.

You can view logs in either the System Logs module or the System Logs Viewer module (which can also view/search the journal on modern systemd systems where a lot of logging goes to the journal rather than plain text files). It has some logs preconfigured, but you can add any log you want (just realize that the old System Logs module also configures syslog/rsyslog in addition to being able to view arbitrary logs…you probably don’t want to add syslog configuration to view existing logs). I believe your system would probably only have the System Logs Viewer, anyway, since syslog is not standard on very new systems.

Curious, because I see some logins, but others don’t show. This is in /var/usermin/miniserv.log

Example, I can see logins this week from my own IP, but no logins to the user account I am interested in until about 2 hours ago, yet several emails were sent from that account, using Usermin (I have blocked all SMTP type connections to that server) over the last couple of days.

The emails are in the Sent mail folder. /var/log/maillog shows “connect from localhost[127.0.0.1]” so all the evidence is that it came from Usermin, yet no logins that day.

Is there anything I might be missing?
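The opening post asks for a login list showing date/time and IP per user. The following is an added example, not code from the thread or from the Webmin/Usermin project: it parses /var/usermin/miniserv.log, which is assumed here to use the Apache common-log layout (`IP - user [date] "request" status size`), and builds that list per user and source IP. It goes one step beyond the request in the thread by also flagging activity from outside the networks a user is expected to come from; the log lines and the allowlist are constructed for the example.

```python
"""Per-user login/activity summary from a miniserv.log file.

Added example, not part of the thread or of Webmin/Usermin. Assumes the
common-log style line layout shown in SAMPLE_LOG; the sample lines and
the known-network allowlist are constructed, not real data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the assumed miniserv.log layout.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2023:09:01:12 +0000] "GET /session_login.cgi HTTP/1.1" 200 1321
203.0.113.10 - alice [18/Jan/2023:09:01:20 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
203.0.113.10 - alice [18/Jan/2023:09:01:21 +0000] "GET /mailbox/ HTTP/1.1" 200 8812
198.51.100.7 - alice [20/Jan/2023:22:14:03 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
198.51.100.7 - alice [20/Jan/2023:22:15:40 +0000] "POST /mailbox/send_mail.cgi HTTP/1.1" 302 0
192.0.2.55 - admin [21/Jan/2023:08:00:00 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_miniserv(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate truncated or foreign lines
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def activity_by_user(text):
    """Map user -> list of (ip, first_seen, last_seen, hits), ordered by first_seen.

    Requests with no authenticated user ('-') are left out, so each entry is
    a (user, source IP) pair that actually held a session."""
    span = {}
    for r in parse_miniserv(text):
        if r["user"] == "-":
            continue
        key = (r["user"], r["ip"])
        if key not in span:
            span[key] = [r["ts"], r["ts"], 0]
        s = span[key]
        s[0] = min(s[0], r["ts"])
        s[1] = max(s[1], r["ts"])
        s[2] += 1
    out = defaultdict(list)
    for (user, ip), (first, last, hits) in span.items():
        out[user].append((ip, first, last, hits))
    for user in out:
        out[user].sort(key=lambda e: e[1])
    return dict(out)


def unexpected_sources(text, known_networks):
    """Return (user, ip, first_seen) for activity from outside the networks the
    user is expected to come from. known_networks: user -> iterable of CIDRs.
    A user with no allowlist entry is flagged for every source."""
    flagged = []
    for user, entries in activity_by_user(text).items():
        nets = [ipaddress.ip_network(n) for n in known_networks.get(user, [])]
        for ip, first, _last, _hits in entries:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets):
                flagged.append((user, ip, first))
    return flagged


def report(text, known_networks):
    """Human-readable login list plus a line per unexpected source."""
    lines = []
    for user, entries in sorted(activity_by_user(text).items()):
        for ip, first, last, hits in entries:
            lines.append(f"{user:10} {ip:16} {first:%Y-%m-%d %H:%M:%S} .. "
                         f"{last:%H:%M:%S}  {hits} req")
    for user, ip, first in unexpected_sources(text, known_networks):
        lines.append(f"!! {user} seen from {ip} at {first:%Y-%m-%d %H:%M:%S}, "
                     f"outside expected networks")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed allowlist: networks each user is expected to arrive from.
    known = {"alice": ["203.0.113.0/24"], "admin": ["192.0.2.0/24"]}
    print(report(SAMPLE_LOG, known))
```

Run it against the real file with `report(open("/var/usermin/miniserv.log").read(), known)`. Every request is summarised, not only the login POST, so a session that stayed open for days still shows up under the IP it was used from, which is the case the thread is puzzling over.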

What makes you think Usermin was used to send the emails? If a user has an account, they can use any email client they want, including something as simple as telnet or a shell script. Usermin is not the only way to send mail.

And, sending mail does not require incoming SMTP connections, only outgoing.

I have blocked incoming SMTP connections, so they aren’t using an email client or telnet to e.g. port 25. Incoming mail is only allowed from my incoming mail filter server.

A shell script requires access of some sort, so that could be the underlying OS or Vmin?

Would a script leave a copy in the Sent email folder?

I am only concerned with where the email originated from, that it then got sent out is to be expected.

You’re confusing me.

Are the mails you’re trying to figure out being sent from your server to other servers?

Or are they being received on your server from other servers?

Or are they being sent from your server to other users on your server?

Because this sounds like trying to address a completely different question than what I thought we were talking about:

Does the user have a shell account, or the ability to run any kind of web application on the server? If so, they can send email. An email client is literally anything that sends mail (which can be as simple as telnet or a shell or PHP or perl script), and it can run on the server itself. A firewall blocking incoming port 25 does nothing to prevent a local user from sending email (even in the usual case…your users would usually be using the submission port to send mail from e.g. Thunderbird or Outlook, not smtp).

Only if it were programmed to do so. Sent folder is an invention of modern mail clients.

Edit: I feel like I haven’t made it clear enough…so, will expand. Blocking port 25 is not a thing that will block your users from sending email. Even if the user is non-technical and is just setting up Outlook or Thunderbird or whatever to send mail. Port 25 is how servers talk to each other. Most users would be using the submission port. But, even that doesn’t do anything if a user has the ability to run code (any kind of code, including just PHP scripts) on the server.


These are emails that I believe are posted using Usermin and going out to external email addresses.

The user only has Usermin access, doesn’t even use an email client.

The user’s Virtualmin access is Email only.

I am the only person with any access to the server OS and Vmin administration, there are no resellers and that user isn’t and doesn’t have access to the domain admin login.

I don’t want to block users from sending email, but I only want users to send from this server using Usermin.

I believe that I am blocking all mail into Vmin except email that has gone through my email filter servers. That is both incoming email from the Internet, and users sending with email client programs - which go out through another separate SMTP server.

So the only outgoing email from the Vmin server comes either from Usermin or from client websites which don’t leave a copy in the Sent email folder.

Any outgoing email from e.g. Outlook or Thunderbird doesn’t go through the Vmin server at all.

What has happened.

Early this week there were dodgy emails sent from this user’s account via an SMTP client program. At that point I decided to block all incoming email except from my own servers.

Then 3 days ago I saw that this user had sent dodgy emails using Usermin, yet they didn’t know anything about it and had been in meetings etc when the emails were sent.

In response I changed their password but then yesterday some more dodgy emails were sent that the client knows nothing about.

Now, the first problem is how are the baddies getting her new password, and that is yet to be investigated, but there may be something nasty either on the client’s phone or PC etc. I am assuming at this point that Vmin security isn’t the problem, and I am quite confident that it hasn’t leaked from myself or my devices.

What I would then like to discover is what IPs the baddies are coming from, but the available logs don’t help - see posts above.

But what use can that knowledge be? The baddies can use VPN etc to hide original IP. Good luck.

For a start, I can verify that the real user and these emails are coming from different IPs, and also I can block those IPs which won’t do much, but it can frustrate them a bit.
It may also be possible to write a fail2ban rule to stop them on the fly.

VPN or not, the server should record the IP that is talking to the server, so it can still be blocked.

But any baddy worth their salt can change the IP, and what about those “nice” users who use a VPN supplied by their IP provider? (e.g. my antivirus provider gives me a VPN to disguise my IP, so I know it can vary considerably. I also travel a great deal between countries; I would hate it if I was blocked simply because I say I am in France when actually I am in the USA, for example. Therefore I think an IP is useless.) I also often use a “tor” browser which knocks out most of the usual tracking/fingerprinting mechanisms… and I am not putting as much effort into obscurity as these “baddies” who seem to make a living out of it.

I’d love to have a foolproof way to catch/stop them I just do not think it is an IP address.

Why do you believe they have the password and don’t have a backdoor via a web app?

Have you confirmed in the mail log and mail headers that the mail was sent from the UID you believe is sending it? The From: address is literally meaningless; it can be set to anything the sender wants.

But, you said you don’t see Usermin log entries related to these mails. So, it was not sent via Usermin.

All that you say is valid, but the block would only be to stop them at that point, not permanent. Also, the main point is that I can establish that it is not the user or their devices doing this as I know which ISP they use and anything else is an imposter.

I can also then trawl the logs to try to find their entry point to the system.

If you read the entire thread again, this started as emails being sent via an email client program, at that point they had to have username/password to send it via Virtualmin.

I then blocked email client programs, so they logged into Usermin - evidence being the emails in the Sent folder and knowing that they had the password at that point.

I then changed the user password, yet a day later they were back sending via Usermin - evidence emails in Sent again.

The log from the Vmin server shows the emails being delivered to my outgoing filter server. The outgoing filter server log shows the emails coming from the Vmin server. The header shows that the email originated from Usermin. “X-Mailer: Usermin 1.860”

I can post the full header, but it would need significant editing for privacy reasons; perhaps I could send it as a job ticket.

There is no evidence to make me suspect that the server is the problem. It’s a relatively new RHEL 9.1 install with very little added (mainly MC), and both the OS and VMin are up to date. The system logs - maillog, messages, secure - don’t raise any red flags.

The only log that bothers me is usermin/miniserv.log as it doesn’t show the dodgy logins, but nor does it show legitimate logins for that user from the 18th until late afternoon on the 21st, yet there were legitimate emails sent from Usermin in that time.

Possibly the user was logged in all that time from the 17th to the 21st, but what about the dodgy emails unless the hackers are in the device that was logged in all that time.

I am being very open minded about what might have happened, but to me it still looks like they access Usermin which would have required the Username/Password unless there is a flaw in Usermin - which there is no evidence of.

Anyway, at the end of the day, more and detailed logging will always be useful for investigating unexpected stuff.

Unrelated oddity, I checked a few emails and looking at the sent emails in Usermin they always show the time as being 12 minutes later than the mail logs on both the Vmin server and the Outgoing filter server, and the actual email header.
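The question raised earlier in the thread (confirm in the mail headers where the message really entered the server, rather than trusting From:) and the header quoted above (`X-Mailer: Usermin 1.860`) both come down to reading the Received chain. The following is an added example, not code from the thread or from Webmin/Usermin/Virtualmin/Postfix: it walks the Received headers newest-to-oldest, reports the oldest hop (the first server you control and what it saw the message arrive from), and measures the gap between the client-set Date: header and that first Received timestamp, which is the kind of offset the 12-minute oddity above describes. The header block is constructed with documentation hostnames and IPs; its Received lines imitate the Postfix layout.

```python
"""Trace where a mail entered the server from its headers.

Added example, not code from the thread or from Webmin/Usermin/Virtualmin.
SAMPLE_HEADERS is constructed: example.org hosts, documentation IPs, and
Received lines shaped like Postfix output. Only Received headers written by
servers you control can be trusted; anything below them, and From:,
Return-Path: and X-Mailer:, is chosen by whoever submitted the message.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed header block: two hops, the outgoing filter on top (newest),
# the Virtualmin box below it, with a client Date: 12 minutes behind.
SAMPLE_HEADERS = """\
Return-Path: <alice@example.org>
Received: from vmin.example.org (vmin.example.org [192.0.2.10])
    by outfilter.example.org (Postfix) with ESMTPS id 0A1B2C3D
    for <victim@example.net>; Sat, 21 Jan 2023 14:12:08 +0000
Received: from localhost (localhost [127.0.0.1])
    by vmin.example.org (Postfix) with ESMTP id 9F8E7D6C;
    Sat, 21 Jan 2023 14:12:05 +0000
From: "Alice" <alice@example.org>
To: victim@example.net
Subject: constructed sample
Date: Sat, 21 Jan 2023 14:00:05 +0000
X-Mailer: Usermin 1.860
Message-ID: <constructed-0001@vmin.example.org>

body
"""

HOP_RE = re.compile(r"from (?P<frm>\S+)(?: \((?P<helo>[^)]*)\))?.*? by (?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_hops(raw):
    """Received headers, newest first, each as a dict with frm/helo/ip/by/ts."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue  # not a from/by style trace line; skip it
        hop = m.groupdict()
        ipm = IP_RE.search(hop["helo"] or "")
        hop["ip"] = ipm.group(1) if ipm else None
        hop["ts"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops


def origin(raw):
    """Oldest hop: the first server that handled the mail and where it came from."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def submission_delay(raw):
    """First Received timestamp minus the client-set Date: header.

    A consistent offset points at the clock on the submitting side, not at
    the mail servers, whose Received stamps agree with each other."""
    msg = message_from_string(raw)
    first = origin(raw)
    if first is None or msg["Date"] is None:
        return None
    return first["ts"] - parsedate_to_datetime(msg["Date"])


def summarize(raw):
    """Sender-controlled fields next to the server-recorded origin."""
    msg = message_from_string(raw)
    o = origin(raw)
    delay = submission_delay(raw)
    return {
        "from_header": msg["From"],        # sender-controlled, not evidence
        "return_path": msg["Return-Path"],  # sender-controlled
        "x_mailer": msg["X-Mailer"],        # sender-controlled
        "origin_host": o["frm"] if o else None,
        "origin_ip": o["ip"] if o else None,
        "first_server": o["by"] if o else None,
        "delay_seconds": delay.total_seconds() if delay is not None else None,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_HEADERS).items():
        print(f"{k:14} {v}")
```

An origin of `localhost [127.0.0.1]` at the Virtualmin server only says the message was handed to Postfix by something running on that machine; which local process did it (Usermin, a script, a web application) has to come from that process's own log, which is why the miniserv.log question matters.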

Does the user have an active session? (Webmin->Usermin->Current Login Sessions)

I’m pretty sure a password change would close existing sessions for the user, but maybe not…

Which reminds me that they logged in on the 19th to check the password yet there were no entries for that domain from the start of the log on 18th.

Yes, but it also shows my IP logged in multiple times going back to 01/16/2023 12:55:34pm yet I always log out after checking it, plus my PC reboots each night.

It’s more like a log rather than current sessions. It does show one foreign IP logged in over 24 hours ago, but the time doesn’t match any dodgy email. Might have just been checking that they still have access.

Perhaps the Current Login Sessions needs checking?

Every single page load is logged to miniserv.log. If you don’t see entries, then nobody visited Usermin.

In that case, what have I been logging in to? Where has the email come from that claims to have been sent from Usermin and leaves a copy in the Sent folder?

If there are no faults, why does the Current Sessions page look more like a log and show login dates and times not in the usermin miniserv.log?

Is my system very corrupted? I would hate to have to start over.

Should I raise a support ticket and include the log files?