If I hit :10000 with my fifth bad login (I think, it might be time related too) the site stops loading for a short period. This last time I even managed to get:
What is that mechanism? Can I configure it (to ban longer, wait more tries, etc)? And is it logging anywhere when it trips? It seems not to be fail2ban’s webmin-auth jail.
| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu 24.04 |
| Virtualmin version | 7.50.0 |
That’s fail2ban protecting your Virtualmin system against brute force attacks.
If you wish to tweak the settings, you can do so under Webmin.
If it were Fail2Ban wouldn’t my IP be in the webmin-auth jail?
Also Fail2Ban seems to keep me kicked for 10 minutes by default. This is maybe two.
It’s configurable on a per-service basis.
Yes, but Virtualmin’s are defaulted to 10 minutes. I am not blocked that long, and my IP does not appear in the webmin-auth jail. Additionally my IP range is in the “IP addresses never to ban” and appears in /var/log/fail2ban.log only as:
2025-10-29 10:40:17,483 fail2ban.filter [1119]: INFO [webmin-auth] Ignore #.#.#.# by IP"
I think something else does this.
There’s a whole /var/webmin/locks thing that might have to do with it. There’s a /var/webmin/block file (no idea what that is either).
Plausibly it’s a performance issue really. Plausibly fail2ban bans for a second while it decides whether to ignore your IP and that’s what I’m seeing.
Hoping someone will know.
I can’t find any configure options off hand. Since Webmin proceeded Virtualmin I guess it had its’ own default?
Yeah, that’s it alright!
Can I make changes to this thing’s settings? (How many logins, how long the ban, whitelisted IPs, etc.)
Does it log somewhere (maybe I want to be alerted when this happens, etc)?
Thanks.
It is not fail2ban. Fail2ban adds firewall rules which block network connections completely. It would time out, not show an error from the web server.
That’s Webmin’s brute force protection, configured in Webmin Configuration.
I see. Thanks Joe. I saw some references to Webmin in fail2ban and had always assumed that this was for that.
You were right, @Ron_E_James_D.O. 
Fail2ban also has rules for Webmin, so it’s entirely possible to get blocked by either or both, depending on the pattern of bad logins.
Does it log IPs that it’s blocked?
Thanks.
That depends on your configuration.
The actions like can be viewed in the Actions Log in the UI, or on the command line in /var/webmin/webmin.log.
Blocked IPs will appear in /var/webmin/blocked, I think.
The actions log and Webmin configuration stuff is documented. Worth a read.
Thank you.
Not for nothing, I do not stand behind this claim but it might be something to check, I think until I clicked “Save” on “Logging” that /var/webmin/webmin.log kept only the last logged line for some reason (which is why I couldn’t find this on my own).
I checked “Yes” to having webmin write to the auth log as well and then saved and restarted webmin… but I think that out of the box, if you fail 5 times on :10000 and get blocked and go look at /var/webmin/webmin.log the only line there will be your most recent failure… if you click “Yes” to “auth.log”, and probably if you just click “Save” on the “Logging” page without changing anything and restart Webmin it becomes more of a log.
At least in my case when I checked it this morning that file had only one line, a failed test login of mine from yesterday afternoon (and I had not changed the 168 hour default). This was strange to me because the whole reason I opened this thread was because someone mentioned that they’d gotten banned but their IP wasn’t in Fail2Ban jail (and is whitelisted anyway)… so at least their failed login should have been in there.
This morning from a different IP I tried 5-times to login and got Webmin blocked (also Fail2Ban exempt) and that log then only contained one line, my most recent failure.
You are correct that the blocked ones show up in /var/webmin/blocked (I couldn’t fit that together on my own before because the default block time is so short).
Ron
This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.
