|OS type and version||Ubuntu Linux 22.04.1|
|Webmin version||2.011, on virtualmin 7.5|
I have been observing this unexpected behavior from Webmin since before Webmin 2.000 and Virtualmin 7.0. Since I have a public Webmin login page, I’d want to make sure it’s secure. So, is there a bug or a configuration mistake that would make my Webmin shoe the behavior below?
TL;DR: Webmin sends notification of unsuccessful logins even when they are successful
Setup Webmin running well with miniserv and SSL on a custom domain. I log in with my username (not root). I have set up 2FA on Webmin that works well too. I have enabled a few options to block users after too many logins, on the page Webmin → Webmin configuration → Authentication.
Notification that work
I sometimes get a Webmin alert by email that a login is unsuccessful, it mostly happens for
root. I assume that my URL gets scanned and some bots have a try at it.
Notification that don’t work
When I log in myself, I also get these unsuccessful login emails from Webmin. For each successful login with my username, I receive 3 emails:
- Webmin action by user: Login to Webmin failed : Invalid twofactor token
- Webmin action by user: Login to Webmin failed : Invalid password
- Webmin action by user: Logged into Webmin
- I expect to only get 1 email when a user successfully logs in.
This are the log lines when I log in successfully with 2FA (correct password and correct 2FA token):
1674576635.2282934.0 [24/Jan/2023 17:10:35] user - 184.108.40.206 global miniserv.pl "failed" "-" "twofactor" 1674576635.2282941.0 [24/Jan/2023 17:10:35] user - 220.127.116.11 global miniserv.pl "failed" "-" "wrongpass"
Note that to be shown the 2FA entry field, I need to have already entered the correct password. So I don’t even understand why would Webmin log a
wrongpass after a failed twofactor.