SuSe Tumbleweed Webmin checks on Apache #2142
Comments
What makes you think that this was done by Webmin? |
|
Only other thing would be tumblewwed itself. I control my application by myself and there is no access from outside. between usual SuSe, Debian and Tumbleweed was nothing changed at all (only everywhere slightly different configs, but the same (Debian is much different)). I would start a debug file, if I would know, it can be only anyything related to the login or status collection. ,,,^..^(") |
|
I have dozens of Webmin instances and none of them have logged requests to |
|
there is nothing, that crafts a network request with the webmin-UA. It started with the use of Tumbleweed. I run now a debug log of all modules, might take 2 or 3 days, until a result shows up. ,,,^..^(") |
|
So, I played around (including early morning and wrong password): Apache access log X:X:X - - [02/May/2024:06:35:50 +0200] "GET /index.txt HTTP/1.0" 406 3511 "-" "Webmin" 5/5022188 X:X:X - - [02/May/2024:08:48:13 +0200] "GET /index.txt HTTP/1.0" 302 - "-" "Webmin" 0/25006 X:X:X - - [02/May/2024:10:02:19 +0200] "GET /index.txt HTTP/1.0" 302 - "-" "Webmin" 0/3130 Webmin debug log 699 [02/May/2024 06:35:00.307956] - - - START "script=record-logout.pl" 32616 [02/May/2024 06:35:40.024757] root Y.Y.Y webmin TCP "host=127.0.0.1 port=10000" 1132 [02/May/2024 06:38:55.995389] SOMEONE Y.Y.Y proc CMD "cmd=vmstat 1 2 2>/dev/null" 1245 [02/May/2024 06:39:11.937413] SOMEONE Y.Y.Y webmin HTTP "host=announce.webmin.com port=443 page=/index.txt ssl=1" 1831 [02/May/2024 08:48:08.580820] SOMEONE Y.Y.Y webmin HTTP "host=announce.webmin.com port=443 page=/index.txt ssl=1" 2696 [02/May/2024 10:02:14.559514] - Y.Y.Y - START "script=right.cgi" miniserv log Y.Y.Y - - [02/May/2024:06:35:00 +0200] "GET /session_login.cgi?logout=1 HTTP/1.1" 401 4900 Y.Y.Y - - [02/May/2024:06:38:34 +0200] "GET /session_login.cgi?logout=1 HTTP/1.1" 401 4900 Y.Y.Y - SOMEONE [02/May/2024:06:39:17 +0200] "GET /webmin/ HTTP/1.1" 200 10819 Y.Y.Y - SOMEONE [02/May/2024:08:48:07 +0200] "POST /session_login.cgi HTTP/1.1" 302 0 Y.Y.Y - - [02/May/2024:10:01:35 +0200] "GET /session_login.cgi?logout=1 HTTP/1.1" 401 4900 Before the last one I changed Webmin update check to local file, but still continues. Because SuSe was always a pain to setup a static dual stack without having any GUI (I managed it only once in 11 years, that Webmin allowed me to setup IPv6 in Network config), there might be some resolution confict, whatever. To solve it, tzhere might be a switch to turn off the requests to webmin.com on 80 and 443. Then I have to take care of updates by myself. Perhaps Tumbleweed is not 100% compatible. As I said before, with SuSe 13.something to 15.4 and Debian were not such requests. ,,,^..^(") |
|
|
XXX is the server IP, IPv6 (not the IPv4, why ever)
The default .php4-8 are commented out. All of the years I followed the rule, that you should not use your own Apache, let webmin do anything, and anything was ok. ,,,^..^(") |
|
I'm not sure what's a cause of those requests, and I highly doubt they're coming from Webmin. You'll need to dig into this issue deeper! |
|
Fresh install of TW and Webmin, already the second time. There must be something, that creates a HTTP-request with that useragent. Is there a way for me to disable the "talk-back" to webmin to test, if it will go away? Plain TW, MariaDB, Apache and PHP freshly installed, should be unable to craft a request to the outside world. ,,,^..^(") |
|
I checked around with tcpflow. Webmin connects to 216.105.38.11:80 and 44.217.106.106:443 at login (else login script or status page). A handcrafted request there for the index.txt brings up a login form. Booth IPs are blocked incomming via ipset because of the usual badness of AS14618 and a route mismatch of AS11320, that might create that issue. I dont want to dig into 150 MB of Webmin source code. If Webmin creates that requests, then I can live with that. ,,,^..^(") |
|
I should have looked up earlier into a different security wrapper: The request was sent to announce.webmin.com. Somehow that is resolved to myself. The url announce.webmin.com is hardcoded in system_info.pl. The file system_info.pl seems to deal only with fetching and computing the answer of that server only. ,,,^..^(") |
Have not seen that on other OSses: Webmin checks sometimes with loading systeminformation on Apache2.
Apache-log:
My_own_server_IPv6 - - [01/May/2024:05:52:40 +0200] "GET /index.txt HTTP/1.0" 406 3511 "-" "Webmin"
Poking around for a file is not nice, it is the same level like all of the wp(?:admin|login|register)-bots and such from outside. Because the result of that request is not shown anywhere, it is a little bit useless. If people want to check for something on Apache, then tools->filemanager->/srv/www/htdocs is the way to go.
I havent seen it on SuSe 15.3 and earlier and Debian Bookworm.
If it is needed for something, then it should get a switch to turn it off.
,,,^..^(")
The text was updated successfully, but these errors were encountered: