Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@xxxxxxxxxx>
On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
>
> amit sides <DiAblo_2@xxxxxxxxxx> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo
> > <DiAblo_2@xxxxxxxxxx> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
>
> this is a message from the maintainer ...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ...
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> On behalf of the maintainer I appreciate every input to secure the
> software to its extend. Future versions of Webmin (if needed Usermin
> too) will have this feature enabled by default.
>
> With this we encourage everyone using Webmin to enable this feature to
> avoid a possible break-in.
>
> Again, we would like to tell the OP of this that it would be really nice
> to know first about such issues, so we are ablte to / can do a
> (full-)disclosure on items.
Fortunately, it is quite easy to configure Webmin to defend against this kind
of brute-force password guessing attack. Just do the following :
- Go to the Webmin Configuration module.
- Click on the Authentication icon.
- Select 'Enable password timeouts'.
- Click on the 'Save' button at the bottom of the page.
Future releases will enable this by default.
- Jamie