Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2 () 012 net il>

[Jamie Cameron <jcameron () webmin com>]

On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
>
> amit sides <DiAblo_2 () 012 net il> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo
> > <DiAblo_2 () 012 net il> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
>
> this is a message from the maintainer ...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ... 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> On behalf of the maintainer I appreciate every input to secure the 
> software to its extend. Future versions of Webmin (if needed Usermin 
> too) will have this feature enabled by default.
>
> With this we encourage everyone using Webmin to enable this feature to 
> avoid a possible break-in.
>
> Again, we would like to tell the OP of this that it would be really nice 
> to know first about such issues, so we are ablte to / can do a 
> (full-)disclosure on items.

Fortunately, it is quite easy to configure Webmin to defend against this kind
of brute-force password guessing attack. Just do the following :

 - Go to the Webmin Configuration module.

 - Click on the Authentication icon.

 - Select 'Enable password timeouts'.

 - Click on the 'Save' button at the bottom of the page.

Future releases will enable this by default.

 - Jamie