<<< Date Index >>>     <<< Thread Index >>>

Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@xxxxxxxxxx>



On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
> 
> amit sides <DiAblo_2@xxxxxxxxxx> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo
> > <DiAblo_2@xxxxxxxxxx> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
> 
> this is a message from the maintainer ...
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ... 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> On behalf of the maintainer I appreciate every input to secure the 
> software to its extend. Future versions of Webmin (if needed Usermin 
> too) will have this feature enabled by default.
> 
> With this we encourage everyone using Webmin to enable this feature to 
> avoid a possible break-in.
> 
> Again, we would like to tell the OP of this that it would be really nice 
> to know first about such issues, so we are ablte to / can do a 
> (full-)disclosure on items.

Fortunately, it is quite easy to configure Webmin to defend against this kind
of brute-force password guessing attack. Just do the following :

 - Go to the Webmin Configuration module.

 - Click on the Authentication icon.

 - Select 'Enable password timeouts'.

 - Click on the 'Save' button at the bottom of the page.

Future releases will enable this by default.

 - Jamie