
#4051 IP-Access-Control Bug

open
5
2012-02-02
2012-02-02
itsjustme
No

Since upgrade to version 1.580, Webmin can't resolve the hostname in the IP-Access-Control Module ... If I say: allow only *.dip.blah.net (which is the resolve of my actual ip), webmin tells me it won't work cause I'm getting blocked!

So, this function is useless now. In Usermin everything's working and BEFORE the upgrade to 1.580 it worked (over years!!!) in webmin too. No other OS related things changed.

Discussion

  • itsjustme

    itsjustme - 2012-02-02

    error

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-02

    This could happen if your IP doesn't reverse-resolve to a hostname that matches this regexp, or if the hostname that it does resolve to doesn't forward-resolve to the same IP ?

     
  • itsjustme

    itsjustme - 2012-02-03

    I'm on it since the update and tried it on/with different connections from several locations. Also, I was in contact with our provider (Telekom Germany) to make sure it's not a problem related to their system.

    If I trace my connection to " *.dip.t-online.de " and set this to webmin, I get the message that I will be blocked. Same if I'm online on other connections. The same happens if I use it without wildcards. " FULLIDENT.dip.t-online.de " gets me blocked too. (and that should be a full match!) Only the clear IP is working :/

    As I said, it only happens to webmin module. If I use the same regexp in Usermin - it works as it should!

     
  • itsjustme

    itsjustme - 2012-02-03

    What about this here ? (the regexp was: *.dip0.t-ipconnect.de )

    Argument "*" isn't numeric in left bitshift (<<) at ./webmin-lib.pl line 1428.
    Argument "ipconnect" isn't numeric in left bitshift (<<) at ./webmin-lib.pl line 1429.
    Argument "dip0" isn't numeric in left bitshift (<<) at ./webmin-lib.pl line 1428.
    Argument "de" isn't numeric in left bitshift (<<) at ./webmin-lib.pl line 1429.
    Argument "t" isn't numeric in left bitshift (<<) at ./webmin-lib.pl line 1428.
    Use of uninitialized value in left bitshift (<<) at ./webmin-lib.pl line 1429.
    Use of uninitialized value in left bitshift (<<) at ./webmin-lib.pl line 1428.
    Use of uninitialized value in left bitshift (<<) at ./webmin-lib.pl line 1429.
    Error: Ihrer aktuellen IP-Adresse (84.162.205.72) würde der Zugriff verweigert

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-03

    Can you tell me what your IP is, and what wildcard you actually entered? That way I can debug why Webmin thinks you would be blocked ..

     
  • itsjustme

    itsjustme - 2012-02-04

    My IP is dynamic like " p5AF152BD.dip.t-dialin.net or p5AF152BD.dip0.t-ipconnect.de " so I will use " *.dip.t-dialin.net or *.dip0.t-ipconnect.de " Yesterday I tested it on a new clean debian system with the latest webmin release, same error :-(

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-04

    Here's the problem - p5AF152BD.dip.t-dialin.net resolves to IP 90.241.82.189 , but 90.241.82.189 cannot be reverse-resolved. And Webmin depends on reverse-resolution to check if an IP matches some pattern, like *.dip.t-dialin.net

    Your ISP typically controls reverse resolution for IPs it assigns.

     
  • itsjustme

    itsjustme - 2012-02-04

    Stop Stop Stop ... The posted IP was only an example (my IP changes every 24h due to my provider, that's why I only posted a fictive IP). Sorry, I thought you need it only to check the wildcard.

    Anyway ... the reverse lookup WORKS as it should be ..

    My IP at the moment: 93.193.82.189

    Trace from my rootserver:
    # nslookup 93.193.82.189
    # 189.82.193.93.in-addr.arpa name = p5DC152BD.dip.t-dialin.net.

    That's why I told you that only the webmin module is affected. In Usermin the reverse lookup works very well, but not in the webmin module. So, that's why I think the error must be on webmin.

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-05

    You can try manually configuring Webmin to allow only IPs matching *.dip.t-dialin.net by editing /etc/webmin/miniserv.conf , and at the end adding the line :

    allow=*.dip.t-dialin.net

    then run /etc/webmin/restart

    Let me know if that allows you to login to Webmin or not ..

     
  • itsjustme

    itsjustme - 2012-02-05

    Nope, no changes - I'm still blocked ... I already tried this, several times.
    (after the update I also was forced to remove the host from miniserv.conf cause I was blocked.)

    Last night we set up a new clean debian install with the latest webmin release on a friend's rootserver. Same error :-(

    PS: Thank you for your patience. Hope you/we can fix it

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-06

    If you login to the system running Webmin and run the command

    host x.x.x.x

    where x.x.x.x is the IP you are connecting from (it should also appear in the error message), what does it output exactly?

    Also, if you run

    host x.y.foo.com

    where x.y.foo.com is the hostname that the previous host command returned, what does that output?

     
  • itsjustme

    itsjustme - 2012-02-06

    $ host 93.193.83.107
    107.83.193.93.in-addr.arpa domain name pointer p5DC1536B.dip.t-dialin.net.

    $ host p5DC1536B.dip.t-dialin.net
    p5DC1536B.dip.t-dialin.net has address 93.193.83.107
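
Added example (not part of the thread and not Webmin's code): the two `host` lookups requested above, combined into one forward-confirmed reverse DNS check in Python. Shell-style wildcard matching and the names `check_wildcard`, `PTR`, `A` and `demo` are assumptions; the first table entry is the output posted above, the other entries are constructed.

```python
import fnmatch
import socket


def system_reverse(ip):
    """PTR lookup: hostnames the system resolver returns for ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # herror/gaierror: no PTR record or resolver failure
        return []
    return [name] + aliases


def system_forward(host):
    """A lookup: IPv4 addresses the system resolver returns for host."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


def check_wildcard(ip, pattern, reverse=system_reverse, forward=system_forward):
    """Return (allowed, reason) for a hostname wildcard like *.dip.t-dialin.net."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return False, "no PTR record for %s" % ip
    # Assumption: shell-style glob matching, case-insensitive.
    matching = [n for n in names if fnmatch.fnmatchcase(n, pattern.lower())]
    if not matching:
        return False, "PTR %s does not match %s" % (names, pattern)
    # The PTR is set by whoever runs the reverse zone, so confirm it forwards back.
    for name in matching:
        if ip in forward(name):
            return True, "%s <-> %s confirmed" % (ip, name)
    return False, "%s does not forward-resolve to %s" % (matching, ip)


# Resolver tables for an offline run; only the first pair comes from the thread.
PTR = {"93.193.83.107": ["p5DC1536B.dip.t-dialin.net."],
       "198.51.100.7": ["spoof.dip.t-dialin.net."]}  # constructed: PTR only
A = {"p5dc1536b.dip.t-dialin.net": ["93.193.83.107"],
     "spoof.dip.t-dialin.net": ["203.0.113.9"]}      # constructed mismatch


def demo(ip, pattern="*.dip.t-dialin.net"):
    return check_wildcard(ip, pattern, lambda i: PTR.get(i, []), lambda h: A.get(h, []))


if __name__ == "__main__":
    for addr in ("93.193.83.107", "198.51.100.7", "192.0.2.1"):
        print(addr, demo(addr))
```

Calling `check_wildcard(ip, pattern)` without the last two arguments uses the system resolver, so running it on the Webmin host shows which of the three failure reasons applies, if any.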

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-06

    That looks OK, assuming you are trying to allow *.dip.t-dialin.net ?

    In some cases, I've seen issues where the running Webmin process is caching an invalid DNS client configuration, causing DNS lookups to fail. Try running /etc/webmin/restart as root from the shell, and see if that helps..

     
  • itsjustme

    itsjustme - 2012-02-06

    Nope, still the same ...

    Game over, don't know what to do now :-(

     
  • Jamie Cameron

    Jamie Cameron - 2012-02-07

    At this point, I'd suggest using IP network-based access control instead. You should be able to find the IP ranges that your ISP assigns, and grant access to all of them. This is actually more reliable, as wildcard-based access control can fail if DNS resolution is temporarily down..

     
  • Ben Liberman

    Ben Liberman - 2012-03-10

    To disable reverse lookup, in
    /etc/webmin/miniserv.conf
    set
    alwaysresolve=0

     
  • itsjustme

    itsjustme - 2012-03-12

    no change at all ...

     
  • Ben Liberman

    Ben Liberman - 2012-03-12

    Did you restart webmin after making the change to the config file?

    /etc/webmin/stop
    and
    /etc/webmin/start

     
