On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
>
> amit sides <DiAblo_2@xxxxxxxxxx> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@xxxxxxxxxx> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
>
> this is a message from the maintainer ...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ...
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> On behalf of the maintainer I appreciate every input to secure the
> software to its extent. Future versions of Webmin (if needed Usermin
> too) will have this feature enabled by default.
>
> With this we encourage everyone using Webmin to enable this feature to
> avoid a possible break-in.
>
> Again, we would like to tell the OP of this that it would be really nice
> to know first about such issues, so we are able to / can do a
> (full-)disclosure on items.

Fortunately, it is quite easy to configure Webmin to defend against this
kind of brute-force password guessing attack. Just do the following:

- Go to the Webmin Configuration module.
- Click on the Authentication icon.
- Select 'Enable password timeouts'.
- Click on the 'Save' button at the bottom of the page.

Future releases will enable this by default.

- Jamie
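
An added example, not part of the original message or of Webmin itself: a shell check that reports whether the setting described above is actually on in a server's miniserv.conf. It assumes the configuration lives in /etc/webmin/miniserv.conf and that the feature is stored under the keys passdelay, blockhost_failures and blockhost_time; confirm those names against your installed version. The sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a Webmin miniserv.conf for brute-force protections.
# Assumption: the key names used here (passdelay, blockhost_failures,
# blockhost_time) match your Webmin version; verify against your own file.

# Print the value of the last "key=value" line for a key (empty if absent).
conf_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 if password timeouts are on, 1 if off, 2 if the file is unreadable.
audit_miniserv() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    audit_rc=0
    passdelay=$(conf_get "$conf" passdelay)
    failures=$(conf_get "$conf" blockhost_failures)
    blocktime=$(conf_get "$conf" blockhost_time)

    if [ "$passdelay" = "1" ]; then
        echo "OK   passdelay=1 (password timeouts enabled)"
    else
        echo "WARN passdelay='${passdelay}' (password timeouts disabled)"
        audit_rc=1
    fi
    # Host blocking is reported for information; it does not change the result.
    case "$failures" in
        ''|*[!0-9]*|0) echo "INFO blockhost_failures not set (no host blocking)" ;;
        *) echo "OK   hosts blocked after $failures failures for ${blocktime:-?}s" ;;
    esac
    return $audit_rc
}

# Constructed sample files so the check can be tried offline.
make_samples() {
    dir=$1
    printf 'port=10000\nssl=1\n' > "$dir/default.conf"
    printf 'port=10000\nssl=1\npassdelay=1\nblockhost_failures=5\nblockhost_time=60\n' \
        > "$dir/hardened.conf"
}

# Usage: sh audit.sh /etc/webmin/miniserv.conf
if [ $# -gt 0 ]; then audit_miniserv "$1"; fi
```

A non-zero exit status makes the check easy to run from cron or a configuration-management job across many hosts.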